64位CreateProcess逆向:(二)0环下参数的整合即创建进程的整体流程

转载:https://bbs.pediy.com/thread-207683.htm

 

点击下面进入总目录:
64位Windows创建64位进程逆向分析(总目录)

在上一篇文章中,我们介绍了CreateProcess在3环的整个流程。在其中特别提到,当操作系统由3环切换到0环,是由NtCreateUserProcess完成所有关键工作的。
    在这篇文章中,我们将会介绍0环函数NtCreateUserProcess的整体流程。

准备工作
    我们分析64位的Windows 7发现,其3环切换0环所用的特权指令是syscall(而不是sysenter),不过,他们两者的区别主要只在兼容模式是否有效上,与我们分析CreateProcess关系不大。不过,0环3环的切换,是既重要又基础的概念,对于还没概念的朋友,可以先查阅下Intel手册或者相关书籍。


    NtCreateUserProcess是一个复杂的函数,如果想在成千上万行的汇编代码中不迷失自己的目标,就要把握好它的核心,在此,我们提前强调三个结构体:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
struct _PPROCESS_CREATE_INFO
{
  QWORD cb;//结构体大小
  QWORD UnKown;
  DWORD Flags2;
  BYTE  UnKown;
  WORD ImageCharacteristics;
  DWORD DesiredAccess; //3环下会赋值,0环下赋值给CREATEPROCESSCONTEXT的成员DesiredAccess
  QWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  DWORD UnKown;
  BYTE UnKown;
  DWORD Flags;
  PVOID* CurrentPeb;
  PVOID* ParentProcessPeb;
  QWORD UnKown;
  DWORD UnKown;
  BYTE UnKown;
};

_PPROCESS_CREATE_INFO是NtCreateUserProcess的带出参数,进程创建完成(或失败)后,它其中的内容就会填充相关信息,因此关注它,可以得到回溯到进程创建后的关键信息。
//CREATEPROCESSCONTEXT注释版
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
struct CREATEPROCESSCONTEXT
{
  /*
  标志位  主要在PspAllocateProcess中使用
  */
  DWORD Flags;
  /*
  标志位:
  */
  BYTE Flags2;
  BYTE UnKown;
  /*
  镜像特征,由SECTION_IMAGE_INFORMATION结构ImageCharacteristics成员而来
  */
  WORD ImageCharacteristics;
  /*
  指向CLIENT_ID结构体的指针,CLIENT_ID定义如下:
  typedef struct _CLIENT_ID
  {
     HANDLE PID;
     HANDLE TID;
  } CLIENT_ID, *PCLIENT_ID;
  */
  CLIENT_ID* pClient_ID;
  /*
  指向TEB结构体的指针
  */
  TEB* pTeb;
  /*
  指向_SECTION_IMAGE_INFORMATION结构体的指针,该成员由最后一个参数传入,其属性值为6.
  */
  SECTION_IMAGE_INFORMATION *pSectionImageInfo;
  /*
  指向CREATEINFO结构体的指针,该结构体由PspCaptureCreateInfo函数负责初始化.
  */
  CREATEINFO *pCreateInfo;
  /*
  SECTION_IMAGE_INFORMATION结构体,这是即将创建进程的可执行文件映射到内存后的内存对象.
  */
  SECTION_IMAGE_INFORMATION SectionImageInfo;
  /*
  父进程句柄,由最后一个参数传入,其属性值为0x60000.
  */
  HANDLE hParentProcess;
  /*
  新进程的EPROCESS指针.
  */
  EPROCESS* pEprocess;
  /*
  调试对象的句柄,如果调用CreateProcess时创建选项中带有调试标志,则由最后一个参数会传入调试对象的句柄,将会保持到这个成员里面来.
  */
  HANDLE DebugObjectHandle;
  /*
  令牌对象句柄,由最后一个参数会传入,属性值0x60002.
  */
  HANDLE hSeTokenObject;
  DWORD DesiredAccess;
  /*
  文件句柄,新进程可执行文件的文件句柄.
  */
  HANDLE FileHandle;
  /*
  文件对象,新进程可执行文件的文件对象
  */
  FILE_OBJECT* pFileObject;
  /*
  新进程加载到内存后的内存对象.
  */
  HANDLE SectionHandle;
  HANDLE KeyHandle;
  SECTION_OBJECT* pSectionObject;
  /*
  _RTL_USER_PROCESS_PARAMETERS结构体指针.
  */
  PVOID pRtlUserProcessParameter;
  PVOID pBackupRtlUserProcessParameter;
  DWORD UnKown;
  /*
  PspWow64SetupUserProcessAddressSpace函数内赋值,具体含义不太清楚
  */
  DWORD UnKown;
  /*
  新进程可执行文件全路径
  */
  UNICODE_STRING FileName;
  /*
  优先级
  */
  BYTE PriorityClass;
  /*
  该成员会负责给新进程EPROCESS.Pcb.Flags.
  */
  BYTE EprocessFlags;
  /*
  作为查询全局表KeNodeBlock的下标
  */
  WORD KnodeIndex;
  /*
  全局表KiProcessorNumberToIndexMappingTable的表项
  */
  DWORD Mapping;
  QWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  DWORD UnKown;
  DWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  DWORD UnKown;
  /*
  由最后一个参数传入,其属性值为0x20009.
  */
  DWORD DefaultHardErrorProcessing;
  QWORD UnKown;
  /*
  和全局变量KiActiveGroups作比较
  */
  WORD ActiveGroupCount;
  WORD UnKown;
  WORD UnKown;
  WORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
};

//CREATEPROCESSCONTEXT无注释版
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
struct CREATEPROCESSCONTEXT
{
  DWORD Flags;
  BYTE Flags2;
  BYTE UnKown;
  WORD ImageCharacteristics;
  CLIENT_ID* pClient_ID;
  TEB* pTeb;
  SECTION_IMAGE_INFORMATION *pSectionImageInfo;
  CREATEINFO *pCreateInfo;
  SECTION_IMAGE_INFORMATION SectionImageInfo;
  HANDLE hParentProcess;
  EPROCESS* pEprocess;
  HANDLE DebugObjectHandle;
  HANDLE hSeTokenObject;
  DWORD DesiredAccess;
  HANDLE FileHandle;
  FILE_OBJECT* pFileObject;
  HANDLE SectionHandle;
  HANDLE KeyHandle;
  SECTION_OBJECT* pSectionObject;
  PVOID pRtlUserProcessParameter;
  PVOID pBackupRtlUserProcessParameter;
  DWORD UnKown;
  DWORD UnKown;
  UNICODE_STRING FileName;
  BYTE PriorityClass;
  BYTE EprocessFlags;
  WORD KnodeIndex;
  DWORD Mapping;
  QWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  DWORD UnKown;
  DWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  DWORD UnKown;
  DWORD DefaultHardErrorProcessing;
  QWORD UnKown;
  WORD ActiveGroupCount;
  WORD UnKown;
  WORD UnKown;
  WORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
  QWORD UnKown;
};

简单说,这个结构体代表了整个新进程,因此与进程有关的几乎所有信息,都在其中,如文件映像信息、线程信息等。夸张一点讲,这个结构体贯穿了整个创建进程的过程,弄明白它,就弄明白了操作系统如何创建进程。
1
2
3
4
5
6
7
8
struct ALL_ACCESS_STATE  //为结构体ACCESS_STATE的扩展版本
{
  ACCESS_STATE AssedAccessState;//具体可查看MSDN
  BYTE AuxData[216];
  DWORD HandleAttributes;
  DWORD AcessMode;
  QWORD hProcess;
};

接下来,我们正式来看NtCreateUserProcess所做的工作。
NtCreateUserProcess
NtCreateUserProcess的函数原型如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
void NtCreateUserProcess(
          //传出新进程句柄
OUT PHANDLE ProcessHandle,
//传出新进程主线程句柄
OUT PHANDLE ThreadHandle,
//当前进程对新进程操作权限描述, 一般是MAXIMUM_ALLOWED, 无限制
IN ACCESS_MASK ProcessDesiredAccess,
//当前进程对新线程的操作权限描述, 一般是 MAXIMUM_ALLOWED
IN ACCESS_MASK ThreadDesiredAccess, //
//进程对象属性, 可空
IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, //线程对象属性, 可为空  
IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, //新进程创建标志
IN ULONG CreateProcessFlags,
//新线程创建标志
IN ULONG CreateThreadFlags, 
//进程创建的相关参数信息,包括待启动进程的映像路径,命令参数,环境
//行变量串等信息
IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters, 
//传出一些基本信息, 比如新进程的PEB
OUT  PPROCESS_CREATE_INFO CreateInfo,
//传入参数, 保存了一些信息. 比如程序路径 父进程PID等
IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList);

从文末附上的整体流程图可以看出,NtCreateUserProcess内部的模块化是做的挺好的,由多个函数完成各自的任务。因此,我们除了梳理NtCreateUserProcess的流程外,就是逐个解剖NtCreateUserProcess所调用的函数。在这篇文章中,我们将详细介绍PspBuildCreateProcessContext、PspCaptureCreateInfo、PspCaptureProcessParameters三个功能函数。

NtCreateUserProcess流程
初始化

在一开始,NtCreateUserProcess会做一些初始化的工作,具体是:
  将参数ThreadDesiredAccess、ProcessDesiredAccess、ThreadHandle、ProcessHandle、ProcessObjectAttributes、ThreadObjectAttributes、ProcessParameters保存到局部变量中。
  将句柄变量var_Context(新线程环境)初始化为0.
  检查参数ThreadHandle、ProcessHandle地址是否小于MmUserProbeAddress(是否小于系统地址),不是则将其设置为MmUserProbeAddress。
  检查参数ProcessObjectAttributes地址是否对齐,不对齐则调用ExRaiseDatatypeMisalignment触发STATUS_DATATYPE_MISALIGNMENT异常。
  检查参数ProcessObjectAttributes地址是否小于MmUserProbeAddress(是否小于系统地址),不是则将其设置为MmUserProbeAddress。
  用参数ProcessObjectAttributes.Attributes初始化var_AccessState1.HandleAttributes,var_AccessState1后面将作为创建新进程句柄的参数。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
000000014031D745                 mov     [rsp+0B28h+var_ThreadDesiredAccess], r9d ; ThreadDesiredAccess
000000014031D74A                 mov     [rsp+0B28h+var_ProcessDesiredAccess], r8d ; ProcessDesiredAccess
000000014031D74F                 mov     [rsp+0B28h+var_ThreadHandle], rdx ; ThreadHandle
000000014031D757                 mov     [rsp+0B28h+var_ProcessHandle], rcx ; ProcessHandle
000000014031D75F                 mov     rsi, [rsp+0B28h+ProcessObjectAttributes] ; ProcessObjectAttributes
000000014031D767                 mov     [rsp+0B28h+var_ProcessObjectAttributes], rsi
000000014031D76F                 mov     rax, [rsp+0B28h+ThreadObjectAttributes] ; ThreadObjectAttributes
000000014031D777                 mov     [rsp+0B28h+var_ThreadObjectAttributes], rax ; ThreadFlags
000000014031D77F                 mov     rax, [rsp+0B28h+ProcessParameters] ; ProcessParameters
000000014031D787                 mov     [rsp+0B28h+var_ProcessParameters], rax
000000014031D78F                 mov     r12, [rsp+0B28h+CreateInfo] ; CreateInfo
000000014031D797                 mov     rdi, [rsp+0B28h+AttributeList] ; AttributeList
000000014031D79F                 xor     ebx, ebx
000000014031D7A1                 mov     [rsp+130h], rbx
000000014031D7A9                 xor     edx, edx        ; Val
000000014031D7AB                 lea     r8d, [rbx+38h]  ; Size
000000014031D7AF                 lea     rcx, [rsp+0B28h+Dst] ; Dst
000000014031D7B7                 call    memset
000000014031D7BC                 mov     [rsp+0B28h+var_Context.P1Home], rbx
000000014031D7C4                 xor     edx, edx        ; Val
000000014031D7C6                 mov     r8d, 4C8h       ; Size
000000014031D7CC                 lea     rcx, [rsp+0B28h+var_Context.P2Home] ; Dst
000000014031D7D4                 call    memset          ; memset(&Context.P2Home,0,sizeof(Context) - 4);
000000014031D7D9                 mov     r14, gs:188h
000000014031D7E2                 mov     [rsp+0B28h+var_Ethread], r14
000000014031D7EA                 mov     r15, [r14+_ETHREAD.Tcb.ApcState.ApcState.Process]
000000014031D7EE                 mov     [rsp+0B28h+var_TempProcess], r15
000000014031D7F3                 mov     r13b, [r14+_ETHREAD.Tcb.PreviousMode]
000000014031D7FA                 mov     [rsp+0B28h+var_PreviousMode], r13b
000000014031D7FF                 mov     edx, dword ptr [rsp+0B28h+CreateProcessFlags] ; ProcessFlags


以及:
初始化var_CreateProcessContext(见上文的结构体介绍)为0。
1
2
3
4
000000014031D8E1                 xor     edx, edx        ; Val
000000014031D8E3                 mov     r8d, 150h       ; Size
000000014031D8E9                 lea     rcx, [rsp+0B28h+var_CreateProcessContext] ; Dst
000000014031D8F1                 call    memset          ; memset(&CreateProcessContext,0,sizeof(CreateProcessContext));


调用PspBuildCreateProcessContext解析参数AttributeList到var_CreateProcessContext中。(具体看之后的函数分析)
000000014031D8FB                 lea     r9, [rsp+0B28h+var_CreateProcessContext] ; 参数pCreateProcessContext
1
2
3
4
5
6
7
8
9
000000014031D903                 xor     r8d, r8d        ; 参数Unkown=0
000000014031D906                 mov     dl, r13b        ; 参数PreviousMode
000000014031D909                 mov     rcx, rdi        ; 参数AttributeList
000000014031D90C                 call    PspBuildCreateProcessContext ;
000000014031D90C                                         ; PspBuildCreateProcessContext(
000000014031D90C                                         ;     AttributeList,
000000014031D90C                                         ;     PreviousMode,
000000014031D90C                                         ;     Unkown=0,
000000014031D90C                                         ;     pCreateProcessContext);


调用PspCaptureCreateInfo解析参数CreateInfo到var_CreateProcessContext中。(具体看之后的函数分析) 
1
2
3
4
5
6
7
8
000000014031D938                 lea     r8, [rsp+0B28h+var_CreateProcessContext] ; 参数pCreateProcessContext
000000014031D940                 mov     rdx, r12        ; 参数pCreateInfo
000000014031D943                 mov     cl, r13b        ; 参数AccessMode
000000014031D946                 call    PspCaptureCreateInfo ;
000000014031D946                                         ; PspCaptureCreateInfo(
000000014031D946                                         ;     AccessMode,
000000014031D946                                         ;     pCreateInfo,
000000014031D946                                         ;     CreateProcessContext);


接着:会根据CreateProcessContext.Flags的标志状态来选择父进程。在后续函数PspAllocateProcess中我们会看到,新进程在一定条件下,是可以获取父进程的section的,因此此处的判断很必要。
如果CreateProcessContext.Flags&1的结果为假,则调用ObReferenceObjectByHandle获取CreateProcessContext.hProcess进程对象。这样就保证了无论如何新进程是有父进程的。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
000000014031D955                 mov     ecx, [rsp+0B28h+var_CreateProcessContext.Flags]
000000014031D95C                 mov     r12d, 1
000000014031D962                 test    r12b, cl
000000014031D965                 jz      short loc_14031D9C8 ; if(CreateProcessContext.Flags&1)
000000014031D965                                         ;          ParentEProcess=CurrentProcess
000000014031D965                                         ; 如果CreateProcessContext.Flags&1为真,则父进程为当前进程
000000014031D965                                         ; 否则父进程为参数AttributeList中指定的进程
000000014031D967                 mov     [rsp+28h], rbx  ; 参数HandleInformation
000000014031D96C                 lea     rax, [rsp+0B28h+var_Eprocess]
000000014031D974                 mov     [rsp+20h], rax  ; 参数pEprocess
000000014031D979                 mov     r9b, r13b       ; 参数AccessMode
000000014031D97C                 mov     r8, cs:PsProcessType ; 参数ObjectType
000000014031D983                 lea     edx, [r12+7Fh]  ; 参数DesiredAccess
000000014031D988                 mov     rcx, [rsp+0B28h+var_CreateProcessContext.hParentProcess] ; Handle
000000014031D990                 call    ObReferenceObjectByHandle ;
000000014031D990                                         ; ObReferenceObjectByHandle(
000000014031D990                                         ;     CreateProcessContext.hParentProcess,
000000014031D990                                         ;     DesiredAccess,
000000014031D990                                         ;     PsProcessType,
000000014031D990                                         ;     AccessMode,
000000014031D990                                         ;     pEprocess,
000000014031D990                                         ;     HandleInformation);


创建文件映射对象
我们知道,代码最开始保存在PE文件中的,而最终执行前CPU是从内存中读取的,那么操作系统一定有一个步骤,实现了(磁盘上的)文件到内存中的加载。这一步就是在NtCreateUserProcess初始化完成后开始做的。

具体而言:
调用ZwOpenFile打开新进程可执行文件,并根据打开的文件句柄获取文件对象:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
000000014031DA18                 mov     [rsp+0B28h+var_ObjectAttributes.Length], 30h
000000014031DA23                 mov     [rsp+0B28h+var_ObjectAttributes.RootDirectory], rbx
000000014031DA2B                 or      eax, 240h
000000014031DA30                 mov     [rsp+0B28h+var_ObjectAttributes.Attributes], eax
000000014031DA37                 lea     rax, [rsp+0B28h+var_CreateProcessContext.FileName]
000000014031DA3F                 mov     [rsp+0B28h+var_ObjectAttributes.ObjectName], rax
000000014031DA47                 mov     [rsp+0B28h+var_ObjectAttributes.SecurityDescriptor], rbx
000000014031DA4F                 mov     [rsp+0B28h+var_ObjectAttributes.SecurityQualityOfService], rbx
000000014031DA57                 mov     edx, [rsp+0B28h+var_CreateProcessContext.DesiredAccess]
000000014031DA5E                 or      edx, 100020h    ; 参数DesiredAccess
000000014031DA64                 mov     dword ptr [rsp+28h], 60h ; 参数OpenOptions
000000014031DA6C                 mov     dword ptr [rsp+20h], 5 ; 参数ShareAccess
000000014031DA74                 lea     r9, [rsp+0B28h+var_IoStatusBlock] ; 参数IoStatusBlock
000000014031DA7C                 lea     r8, [rsp+0B28h+var_ObjectAttributes] ; 参数ObjectAttributes
000000014031DA84                 lea     rcx, [rsp+0B28h+var_CreateProcessContext.FileHandle] ; 参数FileHandle
000000014031DA8C                 call    ZwOpenFile      ; ZwOpenFile(CreateProcessContext.FileHandle,
000000014031DA8C                                         ;     DesiredAccess,
000000014031DA8C                                         ;     ObjectAttributes,
000000014031DA8C                                         ;     IoStatusBlock,
000000014031DA8C                                         ;     ShareAccess,
000000014031DA8C                                         ;     OpenOptions);
000000014031DA91                 mov     edi, eax
000000014031DA93                 cmp     eax, ebx
000000014031DA95                 jge     short loc_14031DAD4
000000014031DA97                 cmp     [rsp+0B28h+var_CreateProcessContext.DesiredAccess], ebx
000000014031DA9E                 jz      short loc_14031DAD4
000000014031DAA0                 mov     dword ptr [rsp+28h], 60h ; 参数OpenOptions
000000014031DAA8                 mov     dword ptr [rsp+20h], 5 ; 参数ShareAccess
000000014031DAB0                 lea     r9, [rsp+0B28h+var_IoStatusBlock] ; 参数IoStatusBlock
000000014031DAB8                 lea     r8, [rsp+0B28h+var_ObjectAttributes] ; 参数ObjectAttributes
000000014031DAC0                 mov     edx, 100020h    ; 参数DesiredAccess
000000014031DAC5                 lea     rcx, [rsp+0B28h+var_CreateProcessContext.FileHandle] ; 参数FileHandle
000000014031DACD                 call    ZwOpenFile      ; ZwOpenFile(CreateProcessContext.FileHandle,
000000014031DACD                                         ;     DesiredAccess,
000000014031DACD                                         ;     ObjectAttributes,
000000014031DACD                                         ;     IoStatusBlock,
000000014031DACD                                         ;     ShareAccess,
000000014031DACD                                         ;     OpenOptions);
000000014031DAD2                 mov     edi, eax
000000014031DAD4
000000014031DAD4 loc_14031DAD4:                          ; CODE XREF: NtCreateUserProcess+375j
000000014031DAD4                                         ; NtCreateUserProcess+37Ej
000000014031DAD4                 cmp     edi, ebx
000000014031DAD6                 jge     short loc_14031DAF8
000000014031DAD8                 mov     [rsp+0B28h+var_CreateProcessContext.FileHandle], rbx
000000014031DAE0                 xor     r8d, r8d
000000014031DAE3                 lea     rdx, [rsp+0B28h+var_CreateProcessContext]
000000014031DAEB                 mov     ecx, r12d
000000014031DAEE                 call    PspUpdateCreateInfo
000000014031DAF3                 jmp     loc_14031E1D8   ; 打开文件失败
000000014031DAF8 ; ---------------------------------------------------------------------------
000000014031DAF8
000000014031DAF8 loc_14031DAF8:                          ; CODE XREF: NtCreateUserProcess+3B6j
000000014031DAF8                 mov     [rsp+0B28h+var_B00], rbx ; 参数HandleInformation
000000014031DAFD                 lea     rax, [rsp+0B28h+var_File]
000000014031DB05                 mov     [rsp+20h], rax  ; 参数pFile
000000014031DB0A                 xor     r9d, r9d        ; 参数AccessMode
000000014031DB0D                 mov     r8, cs:IoFileObjectType ; 参数ObjectType
000000014031DB14                 mov     edx, 100020h    ; 参数DesiredAccess
000000014031DB19                 mov     rcx, [rsp+0B28h+var_CreateProcessContext.FileHandle] ; 参数Handle
000000014031DB21                 call    ObReferenceObjectByHandle ;
000000014031DB21                                         ; ObReferenceObjectByHandle(
000000014031DB21                                         ;     CreateProcessContext.FileHandle,
000000014031DB21                                         ;     DesiredAccess,
000000014031DB21                                         ;     IoFileObjectType,
000000014031DB21                                         ;     AccessMode,
000000014031DB21                                         ;     pFile,
000000014031DB21                                         ;     HandleInformation);
000000014031DB26                 mov     edi, eax
000000014031DB28                 mov     rax, [rsp+0B28h+var_File]
000000014031DB30                 mov     [rsp+0B28h+var_CreateProcessContext.FileObject], rax
000000014031DB38                 cmp     edi, ebx
000000014031DB3A                 jge     short loc_14031DB49
000000014031DB3C                 mov     [rsp+0B28h+var_CreateProcessContext.FileObject], rbx
000000014031DB44                 jmp     loc_14031E1D8   ; 获取文件对象失败


调用ZwCreateSection通过文件句柄创建文件映像:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
000000014031DB60                 mov     rax, [rsp+0B28h+var_CreateProcessContext.FileHandle]
000000014031DB68                 mov     [rsp+30h], rax  ; 参数FileHandle
000000014031DB6D                 mov     [rsp+28h], ecx  ; 参数AllocationAttributes
000000014031DB71                 mov     dword ptr [rsp+20h], 10h ; 参数SectionPageProtection
000000014031DB79                 xor     r9d, r9d        ; 参数MaximumSize
000000014031DB7C                 lea     r8, [rsp+0B28h+var_ObjectAttributes] ; 参数ObjectAttributes
000000014031DB84                 mov     edx, 0F001Fh    ; 参数DesiredAccess
000000014031DB89                 lea     rcx, [rsp+0B28h+var_CreateProcessContext.SectionHandle] ; 参数SectionHandle
000000014031DB91                 call    ZwCreateSection ; ZwCreateSection(SectionHandle,
000000014031DB91                                         ;     DesiredAccess,
000000014031DB91                                         ;     ObjectAttributes,
000000014031DB91                                         ;     MaximumSize,
000000014031DB91                                         ;     SectionPageProtection,
000000014031DB91                                         ;     AllocationAttributes,
000000014031DB91                                         ;     CreateProcessContext.FileHandle);
000000014031DBBD                 mov     [rsp+28h], rbx  ; 参数HandleInformation
000000014031DBC2                 lea     rax, [rsp+0B28h+var_SectionObject]
000000014031DBCA                 mov     [rsp+20h], rax  ; 参数SectionObject
000000014031DBCF                 xor     r9d, r9d        ; 参数AccessMode
000000014031DBD2                 mov     r8, cs:MmSectionObjectType ; 参数ObjectType
000000014031DBD9                 lea     edx, [r9+8]     ; 参数DesiredAccess
000000014031DBDD                 mov     rcx, [rsp+0B28h+var_CreateProcessContext.SectionHandle] ; 参数Handle
000000014031DBE5                 call    ObReferenceObjectByHandle ;
000000014031DBE5                                         ; ObReferenceObjectByHandle(
000000014031DBE5                                         ;     CreateProcessContext.SectionHandle,
000000014031DBE5                                         ;     DesiredAccess,
000000014031DBE5                                         ;     MmSectionObjectType,
000000014031DBE5                                         ;     AccessMode,
000000014031DBE5                                         ;     pSectionObject,
000000014031DBE5                                         ;     HandleInformation);
000000014031DBEA                 mov     edi, eax
000000014031DBEC                 mov     rax, [rsp+0B28h+var_SectionObject]
000000014031DBF4                 mov     [rsp+0B28h+var_CreateProcessContext.SectionObject], rax
000000014031DBFC                 cmp     edi, ebx
000000014031DBFE                 jge     short loc_14031DC0D
000000014031DC00                 mov     [rsp+0B28h+var_CreateProcessContext.SectionObject], rbx
000000014031DC08                 jmp     loc_14031E1D8   ; 获取进程文件映像对象失败


此处使用的ZwOpenFile、与ZwCreateSection都是WDK文档中公开的函数,ZwOpenFile顾名思义就不用多说了,ZwCreateSection则类似于3环的CreateFileMapping,ZwCreateSection创建的Section Objects,既可用于进程间共享信息,又可用于文件映射,更具体的可以参考WDK文档。
不过,在ZwCreateSection存在以下调用关系:

而其中的MiVerifyImageHeader就是PE检查,对64位PE格式感兴趣的朋友,一定不能放过。我们将会在下一篇文章中,详细介绍MiVerifyImageHeader,并献上攻防实例。

将参数整合到CREATEPROCESSCONTEXT结构体中

如果文件映像对象Section不为空,则调用PspCaptureProcessParameters将参数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
ProcessParameters中的信息保存到CreateProcessContext中:
000000014031DC25                 cmp     rax, rbx
000000014031DC28                 jz      short loc_14031DC7E ; if(CreateProcessContext.SectionObject==NULL)
000000014031DC2A                 bt      [r15+_EPROCESS.Flags2], 0Bh
000000014031DC33                 jb      short loc_14031DC46 ; 参数pCreateProcessContext
000000014031DC35                 cmp     esi, ebx
000000014031DC37                 jz      short loc_14031DC46 ; 参数pCreateProcessContext
000000014031DC39                 cmp     r13b, bl
000000014031DC3C                 jz      short loc_14031DC46 ; 参数pCreateProcessContext
000000014031DC3E                 or      [rsp+0B28h+var_CreateProcessContext.Flags2], 10h
000000014031DC46
000000014031DC46 loc_14031DC46:                          ; CODE XREF: NtCreateUserProcess+513j
000000014031DC46                                         ; NtCreateUserProcess+517j
000000014031DC46                                         ; NtCreateUserProcess+51Cj
000000014031DC46                 lea     r8, [rsp+0B28h+var_CreateProcessContext] ; 参数pCreateProcessContext
000000014031DC4E                 mov     rdx, [rsp+0B28h+var_ProcessParameters] ; 参数ProcessParameters
000000014031DC56                 mov     cl, r13b        ; 参数PreviousMode
000000014031DC59                 call    PspCaptureProcessParameters ; //初始化pRtlUserProcessParameter
000000014031DC59                                         ; PspCaptureProcessParameters(
000000014031DC59                                         ;     PreviousMode,
000000014031DC59                                         ;     ProcessParameters,
000000014031DC59                                         ;     pCreateProcessContext);
000000014031DC5E                 mov     edi, eax
000000014031DC60                 cmp     eax, ebx
000000014031DC62                 jge     short loc_14031DC71
000000014031DC64                 and     [rsp+0B28h+var_CreateProcessContext.Flags2], 0FBh
000000014031DC6C                 jmp     loc_14031E1D8   ; PspCaptureProcessParameters执行失败


关于PspCaptureProcessParameters内部的具体分析见本贴最后部分。

接着,调用PspAllocateProcess创建进程:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
000000014031DD27                 lea     rax, [rsp+0B28h+var_pTempNewEprocess] ; 参数pNewProcess
000000014031DD2C                 mov     [rsp+40h], rax
000000014031DD31                 lea     rax, [rsp+0B28h+var_AA0] ; 参数Unkown
000000014031DD39                 mov     [rsp+38h], rax
000000014031DD3E                 lea     rax, [rsp+0B28h+var_CreateProcessContext] ; 参数CreateProcessContext
000000014031DD46                 mov     [rsp+30h], rax
000000014031DD4B                 mov     eax, dword ptr [rsp+0B28h+CreateProcessFlags] ; 参数ProcessFlags
000000014031DD52                 mov     [rsp+28h], eax
000000014031DD56                 mov     rax, [rsp+0B28h+var_CreateProcessContext.hSeTokenObject] ; 参数hSeTokenObject
000000014031DD5E                 mov     [rsp+20h], rax
000000014031DD63                 mov     r9, [rsp+0B28h+var_CreateProcessContext.SectionObject] ; 参数SectionObject
000000014031DD6B                 mov     r8, [rsp+0B28h+var_ProcessObjectAttributes] ; 参数ProcessObjectAttributes
000000014031DD73                 mov     dl, r13b        ; 参数PreviousMode
000000014031DD76                 mov     rcx, qword ptr [rsp+0B28h+var_pProcess] ; 参数ParentEProcess
000000014031DD7E                 call    PspAllocateProcess ;
000000014031DD7E                                         ; PspAllocateProcess(
000000014031DD7E                                         ;     ParentEProcess,
000000014031DD7E                                         ;     PreviousMode,
000000014031DD7E                                         ;     ProcessObjectAttributes,
000000014031DD7E                                         ;     SectionObject,
000000014031DD7E                                         ;     hSeTokenObject,
000000014031DD7E                                         ;     ProcessFlags,
000000014031DD7E                                         ;     CreateProcessContext,
000000014031DD7E                                         ;     Unkown,
000000014031DD7E                                         ;     pNewProcess);


然后调用PspCreateUserContext创建新进程主线程运行环境:
000000014031DDB6                 mov     dword ptr [rsp+0B28h+var_B08], ebx
000000014031DDBA                 mov     r8, [rsp+0B28h+var_CreateProcessContext.SectionImageInfo.TransferAddress] ; 参数TransferAddress
000000014031DDC2                 mov     rdx, cs:PspUserThreadStart ; 参数StartAddress
000000014031DDC9                 lea     rcx, [rsp+0B28h+var_Context] ; 参数Context
000000014031DDD1                 call    PspCreateUserContext ;
000000014031DDD1                                         ; PspCreateUserContext(
000000014031DDD1                                         ;     Context,
000000014031DDD1                                         ;     StartAddress,
000000014031DDD1                                         ;     TransferAddress,
000000014031DDD1                                         ;     Peb);

另外,从我们的流程图很容易看出,若Section Object为空的话,也并不意味着创建进程失败,系统会PspGetContextThreadInternal获取当前线程环境(此系列的后续文章会剖析它),之后的流程与Section不为空类似,不再详述。

总之,当得到了线程Context之后,系统会调用PspAllocateThread创建、初始化线程:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
000000014031DCE8                 mov     [rsp+0B28h+var_Context.ContextFlags], 10001Bh
000000014031DCF3                 mov     [rsp+20h], r12b ; 参数dwOne=1
000000014031DCF8                 mov     r9b, r12b       ; 参数isSystemThread=1
000000014031DCFB                 xor     r8d, r8d        ; 参数AccessMode=0
000000014031DCFE                 lea     rdx, [rsp+0B28h+var_Context] ; 参数pContext
000000014031DD06                 mov     rcx, r14        ; 参数Ethread
000000014031DD09                 call    PspGetContextThreadInternal ;
000000014031DD09                                         ; PspGetContextThreadInternal(
000000014031DD09                                         ;     Ethread,
000000014031DD09                                         ;     pContext,
000000014031DD09                                         ;     AccessMode,
000000014031DD09                                         ;     isSystemThread,
000000014031DD09                                         ;     dwOne);
 
000000014031DE77                 mov     [rsp+0B28h+var_AccessStateExpand], eax
000000014031DE7B                 lea     rax, [rsp+0B28h+var_AccessState2]
000000014031DE83                 mov     [rsp+58h], rax  ; 参数pNewAccessState
000000014031DE88                 mov     [rsp+50h], r14  ; 参数unknow
000000014031DE8D                 lea     rax, [rsp+0B28h+var_pThread]
000000014031DE95                 mov     [rsp+48h], rax  ; 参数pptrEthread
000000014031DE9A                 lea     rax, [rsp+6Ch]  ; 参数pProcessFlag
000000014031DE9F                 mov     [rsp+40h], rax  ; __int64
000000014031DEA4                 mov     [rsp+38h], rbx  ; 参数StartContext
000000014031DEA9                 mov     [rsp+30h], rbx  ; 参数StartRoutine
000000014031DEAE                 lea     rax, [rsp+0B28h+var_Inital_teb] ; 参数pInitTeb
000000014031DEB6                 mov     [rsp+28h], rax  ; __int64
000000014031DEBB                 lea     rax, [rsp+0B28h+var_Context]
000000014031DEC3                 mov     [rsp+20h], rax  ; 参数Context
000000014031DEC8                 lea     r9, [rsp+0B28h+var_CreateProcessContext] ; __int64
000000014031DED0                 mov     r8b, r13b       ; 参数AccessMode
000000014031DED3                 mov     rdx, [rsp+0B28h+var_ThreadObjectAttributes] ; __int64
000000014031DEDB                 mov     rcx, rsi        ; 参数newProcess
000000014031DEDE                 call    PspAllocateThread ;
000000014031DEDE                                         ; PspAllocateThread(
000000014031DEDE                                         ;     newProcess,
000000014031DEDE                                         ;     ObjectAttributes,
000000014031DEDE                                         ;     AccessMode,
000000014031DEDE                                         ;     CreateProcessContext,
000000014031DEDE                                         ;     context,
000000014031DEDE                                         ;     pInitTeb,
000000014031DEDE                                         ;     StartRoutine,
000000014031DEDE                                         ;     StartContext,
000000014031DEDE                                         ;     ptrProcessFlag,
000000014031DEDE                                         ;     pptrEthread,
000000014031DEDE                                         ;     mydiy,
000000014031DEDE                                         ;     pNewAccessState);


新的进程及它的主线程就已经创建,只等ResumeThread(这个被放在3环),程序开始执行代码。

进程链表、线程链表的更新
在3环下编程,我们通常不大关心对方进程的信息,因为进程的内存是隔离的(想关心也关心不了)。但是,少数情况下,我们还是可以利用进程间通讯或者注入的手段,获取到对方进程中的信息。
比如简单的SendMessage就可以在进程间通讯。
那么深入一点点,就自然可以提出一个问题:既然进程间是隔离的,为什么SendMessage这样的API可以跨进程通讯呢?
深入一点点,可以自然得到一个答案的方向:说明Windows操作系统本身,记录了所有进程的信息,以及各个进程之间的关系,使得各进程在操作系统那个层次,被组织到了一起。
而这些进程被组织的具体细节,就藏在了NtCreateUserPorcess接下来调用的函数中:

操作系统用链表的结构保存所有进程的EPROCESS结构体。

NtCreateUserPorcess通过调用PspInsertProcess将新进程加入到那个全局链表中。
关于PspInsertProcess的具体剖析,此系列的后续文章会介绍。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
000000014031DFC8                 lea     rdx, [rsp+0B28h+var_AccessState1]
000000014031DFD0                 mov     [rsp+40h], rdx  ; 参数AccessState
000000014031DFD5                 mov     [rsp+38h], rax  ; 参数enumType
000000014031DFDA                 mov     [rsp+30h], r15d ; 参数unKnownFlag
000000014031DFDF                 mov     rax, [rsp+0B28h+var_CreateProcessContext.DebugObjectHandle]
000000014031DFE7                 mov     [rsp+28h], rax  ; 参数DebugObjectHandle
000000014031DFEC                 mov     [rsp+20h], ebx  ; 参数JobMemberLevel
000000014031DFF0                 mov     r9d, dword ptr [rsp+0B28h+CreateProcessFlags] ; 参数ProcessFlags
000000014031DFF8                 mov     r8d, ecx        ; 参数ProcessDesiredAccess
000000014031DFFB                 mov     rdx, qword ptr [rsp+0B28h+var_pProcess] ; 参数ParentEProcess
000000014031E003                 mov     rcx, rsi        ; 参数Eprocess
000000014031E006                 call    PspInsertProcess ;
000000014031E006                                         ; PspInsertProcess(
000000014031E006                                         ;     Eprocess,
000000014031E006                                         ;     ParentEProcess,
000000014031E006                                         ;     AccessMode,
000000014031E006                                         ;     ProcessFlags,
000000014031E006                                         ;     JobMemberLevel,
000000014031E006                                         ;     DebugObjectHandle,
000000014031E006                                         ;     unKnownFlag,
000000014031E006                                         ;     enumType,
000000014031E006                                         ;     AccessState);


在调用PspInsertProcess失败后会调用PspDoHandleSweepSingle。
1
2
3
4
5
000000014031E09E                 jge     short loc_14031E0B0 ; 如果PspInsertProcess执行失败
000000014031E0A0                 mov     rcx, rsi        ; 参数Eprocess
000000014031E0A3                 call    PspDoHandleSweepSingle ; PspDoHandleSweepSingle(Eprocess);
000000014031E0A8                 mov     edi, r13d
000000014031E0AB                 jmp     loc_14031E1C1


又因为进程与线程是一对多关系,每一个进程也对应着一个链表,该链表中保存着这个进程的所有线程信息。
所以,NtCreateUserPorcess会调用PspInsertThread将新进程的主线程加入进程的线程链表中。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
000000014031E00E                 mov     rcx, [rsp+0B28h+var_CreateProcessContext.pClient_ID]
000000014031E016                 mov     [rsp+50h], rcx  ; 参数pClient_ID
000000014031E01B                 mov     rax, [rsp+0B28h+var_ThreadHandle]
000000014031E023                 mov     [rsp+48h], rax  ; 参数pThreadHandle
000000014031E028                 mov     [rsp+40h], rbx  ; 参数
000000014031E02D                 lea     rax, [rsp+0B28h+var_AccessState2]
000000014031E035                 mov     [rsp+38h], rax  ; 参数NewAccessState
000000014031E03A                 lea     rax, [rsp+0B28h+var_CreateProcessContext]
000000014031E042                 mov     [rsp+30h], rax  ; 参数pCreateProcessContext
000000014031E047                 mov     [rsp+28h], r14  ; 参数
000000014031E04C                 mov     dword ptr [rsp+0B28h+var_B08], edi
000000014031E050                 lea     r9, [rsp+0B28h+var_AccessStateExpand] ; 参数pProcessFlag
000000014031E055                 lea     r8, [rsp+0B28h+var_Inital_teb] ; 参数pInital_teb
000000014031E05D                 mov     rdx, rsi        ; 参数pEprocess
000000014031E060                 mov     r14, [rsp+0B28h+var_pThread] ; 参数pThread
000000014031E068                 mov     rcx, r14
000000014031E06B                 call    PspInsertThread ;
000000014031E06B                                         ; PspInsertProcess(
000000014031E06B                                         ;     pThread,
000000014031E06B                                         ;     pEprocess,
000000014031E06B                                         ;     pInital_teb,
000000014031E06B                                         ;     ProcessFlags,
000000014031E06B                                         ;     pClient_ID,
000000014031E06B                                         ;     pThreadHandle,
000000014031E06B                                         ;     unknow,
000000014031E06B                                         ;     NewAccessState,
000000014031E06B                                         ;     CreateProcessContext,
000000014031E06B                                         ;     );


在调用PspInsertThread失败后会调用SeDeleteAccessState并接着调用PsTerminateProcess结束新进程。
1
2
3
4
5
6
7
8
9
000000014031E1A6                 lea     rcx, [rsp+0B28h+var_AccessState1] ; 参数AccessState
000000014031E1AE                 call    SeDeleteAccessState ; SeDeleteAccessState(pAccessState);
000000014031E1B3                 cmp     edi, ebx
000000014031E1B5                 jge     short loc_14031E1C1
000000014031E1B7                 mov     edx, edi        ; 参数ExitStatus
000000014031E1B9                 mov     rcx, rsi        ; 参数NewProcess
000000014031E1BC                 call    PsTerminateProcess ; PsTerminateProcess(
000000014031E1BC                                         ;     NewProcess,
000000014031E1BC                                         ;     ExitStatus);


交付APC
异步过程调用(APC)是Windows提出的一种调用机制。对于有些函数调用,可能耗时比较多,而我们又希望调用完后函数能够立即返回,那么就适合用APC。
APC的原理:对于需要使用APC的地方,一般,用户(程序员)会多传入一个函数指针,专有名词成为ApcRoutine,对于这样的调用,就是异步的了(即用户调用后立即返回),而当任务真正执行完毕,用户传入的ApcRoutine函数指针会被调用。类似我们传入了一个回调函数,响应任务完成的时机。
它在Windows中应用很多,比如写文件时系统调用NtWriteFile().
NtWriteFile声明如下
1
2
3
4
5
6
7
8
9
10
11
NTSTATUS NtWriteFile (
    __in HANDLE FileHandle,
    __in_opt HANDLE Event,
    __in_opt PIO_APC_ROUTINE ApcRoutine,
    __in_opt PVOID ApcContext,
    __out PIO_STATUS_BLOCK IoStatusBlock,
    __in_bcount(Length) PVOID Buffer,
    __in ULONG Length,
    __in_opt PLARGE_INTEGER ByteOffset,
    __in_opt PULONG Key
)。

可以看到NtWriteFile有使用APC。
不过在此处,我们只要知道NtCreateUserPorcess会有APC检查和交付步骤就可以了,以后遇到会继续深入介绍:
KiCheckForKernelApcDelivery交付当前线程APC:
1
2
3
4
5
6
7
8
9
000000014031E072                 mov     rcx, [rsp+0B28h+var_Ethread]
000000014031E07A                 add     [rcx+_ETHREAD.Tcb.___u22.__s5.KernelApcDisable], r12w
000000014031E082                 jnz     short loc_14031E09B
000000014031E084                 lea     rax, [rcx+_ETHREAD.Tcb.ApcState]
000000014031E088                 cmp     [rax], rax
000000014031E08B                 jz      short loc_14031E09B
000000014031E08D                 cmp     [rcx+_ETHREAD.Tcb.___u22.__s5.SpecialApcDisable], bx
000000014031E094                 jnz     short loc_14031E09B
000000014031E096                 call    KiCheckForKernelApcDelivery


接着,就是一些检查、释放资源类的扫尾工作了

总之,若一切顺利,会调用PspUpdateCreateInfo将进程创建信息保存到传出参数CreateInfo中:
1
2
3
4
5
6
7
000000014031E131                 mov     r8, rsi         ; 参数Eprocess
000000014031E134                 lea     rdx, [rsp+0B28h+var_CreateProcessContext] ; 参数pCreateProcessContext
000000014031E13C                 mov     ecx, 6          ; 参数
000000014031E141                 call    PspUpdateCreateInfo ; PspUpdateCreateInfo(
000000014031E141                                         ;         dwEmCode,
000000014031E141                                         ;         pCreateProcessContext,
000000014031E141                                         ;         Eprocess);


若不顺利,会调用PspDoHandleSweepSingle或者PsTerminateProcess结束新进程:
1
2
3
4
5
000000014031E1B7                 mov     edx, edi        ; 参数ExitStatus
000000014031E1B9                 mov     rcx, rsi        ; 参数NewProcess
000000014031E1BC                 call    PsTerminateProcess ; PsTerminateProcess(
000000014031E1BC                                         ;     NewProcess,
000000014031E1BC                                         ;     ExitStatus);


最后,会调用PspDeleteCreateProcessContext清理CreateProcessContext,释放资源。


PspBuildCreateProcessContext剖析
函数原型:
1
2
3
4
5
6
7
8
9
PspBuildCreateProcessContext(
      //属性列表
IN  PNT_PROC_THREAD_ATTRIBUTE_LIST AtributeList, 
//访问模式,表明调用来自用户态,还是内核态
IN  BYTE                           AccessMode,
//未知
IN  DWORD                Unknown,
//创建进程上下文
OUT CreateProcessContext             pCreateProcessContext)

函数功能:将参数AttributeList中信息保存到CreateProcessContext中。参数AttributeList为变长数组_NT_PROC_THREAD_ATTRIBUTE_LIST类型,定义如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
typedef struct _NT_PROC_THREAD_ATTRIBUTE_ENTRY 
{
//PROC_THREAD_ATTRIBUTE_XXX,参见MSDN中UpdateProcThreadAttribute
//的说明
ULONG_PTR Attribute;   
//Value的大小 
SIZE_T Size;            
//保存4字节数据(比如一个Handle)或数据指针
ULONG_PTR Value;    
//总是0,可能是用来返回数据给调用者
ULONG Unknown;      
} PROC_THREAD_ATTRIBUTE_ENTRY, *PPROC_THREAD_ATTRIBUTE_ENTRY;
typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST 
{
//结构总大小
    SIZE_T  Length;       
    PROC_THREAD_ATTRIBUTE_ENTRY Entry[1];
} NT_PROC_THREAD_ATTRIBUTE_LIST,*PNT_PROC_THREAD_ATTRIBUTE_LIST;


函数流程概要:
1、  循环从AttributeList中取出PROC_THREAD_ATTRIBUTE_ENTRY对象。
2、  根据PROC_THREAD_ATTRIBUTE_ENTRY对象的属性Attribute,判断大小Size是否正确,若正确则将值Value保存到CreateProcessContext相应的成员中。
函数流程图:

函数细节:
1、检查参数,主要检查AttributeList的长度和地址:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
00000001403661CC                 mov     rax, [rbx+_NT_PROC_THREAD_ATTRIBUTE_LIST.Length]
00000001403661CF                 mov     [rsp+128h+Length], rax
00000001403661D4                 cmp     rax, 28h
00000001403661D8                 jb      loc_140366763   ; if(AttributeList.Length<28h)
00000001403661DE                 cmp     r8b, sil        ; if(PreviousMode==0)
00000001403661E1                 jz      short loc_14036621A ; 取出AttributeList长度
00000001403661E3                 add     rax, 0FFFFFFFFFFFFFFD8h
00000001403661E7                 cmp     rax, rsi
00000001403661EA                 jz      short loc_14036621A ; if(AttributeList.Length==28h)
00000001403661EC                 test    r15b, bl
00000001403661EF                 jnz     loc_14036676D   ; 检查地址是否对齐
00000001403661F5                 mov     rdx, [rsp+128h+Length]
00000001403661FA                 add     rdx, rbx
00000001403661FD                 mov     rcx, cs:MmUserProbeAddress
0000000140366204                 cmp     rdx, rcx
0000000140366207                 ja      loc_140366773
000000014036620D                 lea     rax, [rbx+28h]
0000000140366211                 cmp     rdx, rax
0000000140366214                 jb      loc_140366773


2、循环取出数组元素:
1
2
3
4
5
6
7
8
9
0000000140366230                 shr     [rsp+128h+Length], 5
0000000140366236                 add     rbx, 8          ; 第一个元素
000000014036623A                 mov     [rsp+128h+Entry], rbx
 
000000014036632F                 add     rbx, 20h        ; +=sizeof(_NT_PROC_THREAD_ATTRIBUTE_ENTRY)
0000000140366333                 mov     [rsp+128h+Entry], rbx
0000000140366338                 dec     [rsp+128h+Length] ; AttributeList.Length--;
000000014036633D                 mov     r8b, [rsp+128h+PreviousMode]
0000000140366345                 jmp     loc_14036624C


3、循环中间判断Entry的属性Attribute:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
0000000140366298                 cmp     rax, 60010h     ; if(Attribute>60010h)
000000014036629E                 ja      loc_140366EE0
00000001403662A4                 cmp     eax, 2000Bh     ; if(Attribute>2000Bh)
00000001403662A9                 ja      loc_14036669B
00000001403662AF                 cmp     eax, 2000Bh     ; if(Attribute==2000Bh)
00000001403662B4                 jz      loc_1403669C5
00000001403662BA                 sub     eax, 6          ;  if(Attribute==6)
00000001403662BD                 jz      loc_140366454
00000001403662C3                 sub     eax, 0FFFDh     ; if(Attribute!=10003)
00000001403662C8                 jnz     loc_14036636A
 
000000014036669B                 sub     eax, 2000Dh
00000001403666A0                 jz      loc_140366E53   ; if(Attribute==2000Dh)
00000001403666A6                 sub     eax, 0FFFFh
00000001403666AB                 jz      loc_140366D6B   ; if(Attribute==3000Ch)
00000001403666B1                 sub     eax, 2
00000001403666B4                 jz      loc_140366C8A   ; if(Attribute==3000Eh)
00000001403666BA                 sub     eax, 1
00000001403666BD                 jz      loc_140366B44   ; if(Attribute==3000Fh)
00000001403666C3                 sub     eax, 2FFF1h
00000001403666C8                 jz      loc_140366B1F   ; if(Attribute==60000h)
00000001403666CE                 sub     eax, 1
00000001403666D1                 jz      loc_140366AFA   ;  if(Attribute==60001h)
00000001403666D7                 sub     eax, 1
00000001403666DA                 jnz     loc_140366A99   ;  if(Attribute!=60002h)
 
0000000140366593                 sub     eax, 2
0000000140366596                 jz      loc_140366861   ; if(Attribute==20007h)
000000014036659C                 sub     eax, 1
000000014036659F                 jz      loc_14036670A   ; if(Attribute==20008h)
00000001403665A5                 sub     eax, 1
00000001403665A8                 jz      loc_1403667F8   ; if(Attribute==20009h)
00000001403665AE                 sub     eax, 1
00000001403665B1                 jnz     loc_140366EE0   ; if(Attribute!=2000Ah)
000000014036636A                 sub     eax, 1
000000014036636D                 jz      loc_1403664F1   ;  if(Attribute==10004)
0000000140366373                 sub     eax, 10001h
0000000140366378                 jnz     loc_140366593   ;  if(Attribute!=20005)


4、根据属性Attribute检查值Value大小是否正确:
1
2
3
4
5
6
7
8
000000014036637E                 mov     rdi, [rbx+_NT_PROC_THREAD_ATTRIBUTE_ENTRY.Size]
0000000140366382                 mov     [rsp+128h+var_D0], rdi
0000000140366387                 cmp     rdi, rsi
000000014036638A                 jz      loc_140366961
0000000140366390                 test    dil, 1
0000000140366394                 jnz     loc_140366961
000000014036639A                 cmp     rdi, 0FFFFh
00000001403663A1                 ja      loc_140366961


5、将Value保存到CreateProcessContext相应的成员中, ProcessCreateContext中的各成员的内容,由AttributeList中的Attribute的值决定,已经分析出的对应关系如下:


PspCaptureCreateInfo剖析
函数原型:
1
2
3
4
5
6
7
8
NTSTATUS NTAPI PspCaptureCreateInfo(
          //访问模式
          IN  BYTE            AccessMode,
          //进程创建信息结构体
          IN  PPROCESS_CREATE_INFO CreateInfo,
    //创建进程上下文
IN  CreateProcessContext*    pCreateProcessContext
)


函数功能:将CreateInfo的0x11(Flags2)偏移处进行运算后赋值给pCreateProcessContext的成员Flag2,将CreateInfo的0x13偏移处(ImageCharacteristics)赋值给pCreateProcessContext的成员ImageCharacteristics,将第二个参数CreateInfo的地址给pCreateProcessContext的成员pCreateInfo。
函数流程图:


关键代码实现:
1
2
3
4
5
6
7
      pCreateProcessContext->UnKown_1 &= 0xFCu;
      pCreateProcessContext->UnKown_1 |= (pCreateInfo->UnKown0 & 3) & 3;
      pCreateProcessContext->DesiredAccess = pCreateInfo->DesiredAccess;
      pCreateProcessContext->Flags2 ^= (pCreateProcessContext->Flags2 ^ 2 * pCreateInfo->Flags2) & 2;
      pCreateProcessContext->Flags2 ^= (pCreateProcessContext->Flags2 ^ 16 * pCreateInfo->Flags2) & 0x20;
      pCreateProcessContext->ImageCharacteristics = pCreateInfo->ImageCharacteristics;
      pCreateProcessContext->pCreateInfo = pCreateInfo;


PspCaptureProcessParameters剖析
函数原型:
1
2
3
4
5
6
7
8
NTSTATUS  PspCaptureProcessParameters(
//访问模式,表明调用来自用户态,还是内核态
IN  _MODE AccessMode,
// 此结构体包含了创建进程指定的STARTINFO结构中的信息
IN  PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
// 传入传出结构体指针, 存放进程创建过程中一些句柄 内核对象
IN OUT PCREATEPROCESSCONTEXT  pCreateProcessContext
);

函数功能:
检查ProcessParameters参数中的unicode字符串是否为有效的,并且申请新的内存将字符串复制到申请的空间中,把新申请的内存地址保存在pCreateProcessContext->pProcessParamers中后返回。
主要流程: 
判断accessMode是userMode还是kernelMode
若为kernelMode则设置Flags2为0FBh,且pCreateProcessContext->pProcessParamers = ProcessParameters 赋值完成后直接返回,函数结束。
若为userMode则先检查ProcessParameters参数中的unicode字符串是否有效,之后计算空间大小,申请新内存,将参数的unicode保存到新内存中,最后将内存地址赋值给pCreateProcessContext->pProcessParamers,函数结束。
流程图:

细节:
1、  判断accessMode是userMode还是kernelMode。
1
2
000000014031F83C                 cmp     cl, bl          ; if (accessMode != KernelMode)
000000014031F83E                 jz      loc_1403C9EF2


2、  若是kernelMode跳走,并且直接给pCreateProcessContext->Flags2和pCreateProcessContext->pProcessParameters赋值,完成后函数退出
1
2
00000001403C9EF2                 and     [r8+CreateProcessContext.Flags2], 0FBh
00000001403C9EF7                 mov     [r8+CreateProcessContext.PRTL_USER_PROCESS_PARAMETERS], rdx  //参数2直接给CreateProcessContext->PRTL_USER_PROCESS_PARAMETERS


3、  若是UserMode 则先用PspCaptureAndValidateUnicodeString检测字符串有效性并获取字符串的unicode_string结构,保存在局部变量中
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
000000014031F8F1                 lea     rcx, [r12+_RTL_USER_PROCESS_PARAMETERS.CurrentDirectory] ; src
000000014031F8F6                 lea     rdx, [rsp+118h+CurrentDirectory] ; dst
000000014031F8FB                 call    PspCaptureAndValidateUnicodeString
000000014031F900                 cmp     eax, ebx
000000014031F902                 jl      loc_14031FC9F
000000014031F908                 mov     eax, 208h
000000014031F90D                 cmp     [rsp+118h+CurrentDirectory.Length], ax
000000014031F912                 jnb     loc_1403C9F3E
000000014031F918                 mov     [rsp+118h+CurrentDirectory.MaximumLength], ax
000000014031F91D                 lea     rcx, [r12+_RTL_USER_PROCESS_PARAMETERS.DllPath]
000000014031F922                 lea     rdx, [rsp+118h+dllPath]
000000014031F927                 call    PspCaptureAndValidateUnicodeString
000000014031F92C                 cmp     eax, ebx
000000014031F92E                 jl      loc_14031FC9F
000000014031F934
000000014031F934 loc_14031F934:                          ; CODE XREF: PspCaptureProcessParameters+AA721j
000000014031F934                 lea     rcx, [r12+_RTL_USER_PROCESS_PARAMETERS.ImagePathName]
000000014031F939                 lea     rdx, [rsp+118h+ImagePathName]
000000014031F941                 call    PspCaptureAndValidateUnicodeString
000000014031F946                 cmp     eax, ebx
000000014031F948                 jl      loc_14031FC9F
000000014031F94E                 lea     rcx, [r12+_RTL_USER_PROCESS_PARAMETERS.CommandLine]
000000014031F953                 lea     rdx, [rsp+118h+CommandLine]
000000014031F95B                 call    PspCaptureAndValidateUnicodeString
000000014031F960                 cmp     eax, ebx
000000014031F962                 jl      loc_14031FC9F
000000014031F968                 lea     rcx, [r12+_RTL_USER_PROCESS_PARAMETERS.WindowTitle]
000000014031F970                 lea     rdx, [rsp+118h+WindowTitle]
000000014031F978                 call    PspCaptureAndValidateUnicodeString
000000014031F97D                 cmp     eax, ebx
000000014031F97F                 jl      loc_14031FC9F
000000014031F985                 lea     rcx, [r12+_RTL_USER_PROCESS_PARAMETERS.DesktopInfo]
000000014031F98D                 lea     rdx, [rsp+118h+DesktopInfo]
000000014031F995                 call    PspCaptureAndValidateUnicodeString
000000014031F99A                 cmp     eax, ebx
000000014031F99C                 jl      loc_14031FC9F
000000014031F9A2                 lea     rcx, [r12+_RTL_USER_PROCESS_PARAMETERS.ShellInfo]
000000014031F9AA                 lea     rdx, [rsp+118h+ShellInfo]
000000014031F9B2                 call    PspCaptureAndValidateUnicodeString


4、  之后计算空间,调用ExAllocatePoolWithQuotaTag申请内存
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
000000014031F9E4                 mov     r15, [rsp+118h+RuntimeData.Buffer]
000000014031F9E9                 cmp     r15, rbx
000000014031F9EC                 jnz     loc_1403C9F70
000000014031F9F2                 movzx   r14d, [rsp+118h+RuntimeData.Length]
000000014031F9F8                 cmp     r14w, bx
000000014031F9FC                 jnz     loc_1403C9F66
000000014031FA02                 mov     [rsp+118h+RuntimeData.MaximumLength], bx
000000014031FA07
000000014031FA07 loc_14031FA07:                          ; CODE XREF: PspCaptureProcessParameters+AA749j
000000014031FA07                                         ; PspCaptureProcessParameters+AA7ABj
000000014031FA07                 movzx   ecx, [rsp+118h+var_4E]
000000014031FA0F                 movzx   eax, [rsp+118h+var_6E]
000000014031FA17                 add     rcx, rax
000000014031FA1A                 movzx   eax, [rsp+118h+var_7E]
000000014031FA22                 add     rcx, rax
000000014031FA25                 movzx   eax, [rsp+118h+var_5E]
000000014031FA2D                 add     rcx, rax
000000014031FA30                 movzx   eax, [rsp+118h+var_8E]
000000014031FA38                 add     rcx, rax
000000014031FA3B                 movzx   eax, [rsp+118h+dllPath.MaximumLength]
000000014031FA40                 add     rcx, rax
000000014031FA43                 movzx   eax, [rsp+118h+RuntimeData.MaximumLength]
000000014031FA48                 add     rcx, rax
000000014031FA4B                 movzx   eax, [rsp+118h+CurrentDirectory.MaximumLength]
000000014031FA50                 lea     rcx, [rcx+rax+401h]
000000014031FA58                 and     rcx, 0FFFFFFFFFFFFFFFEh
000000014031FA5C                 mov     [rsp+118h+var_C8], rcx
000000014031FA61                 mov     [rsp+118h+var_B0], rcx
000000014031FA66                 mov     rax, [rsp+118h+EnvironmentSize]
000000014031FA6B                 lea     rdx, [rcx+rax]  ; NumberOfBytes
000000014031FA6F                 cmp     rdx, rcx
000000014031FA72                 jb      loc_1403C9FD1
000000014031FA78                 mov     [rsp+118h+var_A8], rdx
000000014031FA7D                 mov     esi, ebx


5、  通过PspCopyUnicodeString拷贝参数里的字符串到申请的空间中
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
000000014031FB09                 lea     rdx, [rdi+_RTL_USER_PROCESS_PARAMETERS.CurrentDirectory]
000000014031FB0D                 lea     r8, [rsp+118h+Dst]
000000014031FB15                 lea     rcx, [rsp+118h+CurrentDirectory] ; src
000000014031FB1A                 call    PspCopyUnicodeString
000000014031FB1F                 mov     esi, eax
000000014031FB21                 cmp     eax, ebx
000000014031FB23                 jl      loc_1403CA0AC
000000014031FB29                 lea     rdx, [rdi+_RTL_USER_PROCESS_PARAMETERS.DllPath]
000000014031FB2D                 lea     r8, [rsp+118h+Dst]
000000014031FB35                 lea     rcx, [rsp+118h+dllPath]
000000014031FB3A                 call    PspCopyUnicodeString
000000014031FB3F                 mov     esi, eax
000000014031FB41                 cmp     eax, ebx
000000014031FB43                 jl      loc_1403CA0AC
000000014031FB49                 lea     rdx, [rdi+_RTL_USER_PROCESS_PARAMETERS.ImagePathName]
000000014031FB4D                 lea     r8, [rsp+118h+Dst]
000000014031FB55                 lea     rcx, [rsp+118h+ImagePathName]
000000014031FB5D                 call    PspCopyUnicodeString
000000014031FB62                 mov     esi, eax
000000014031FB64                 cmp     eax, ebx
000000014031FB66                 jl      loc_1403CA0AC
000000014031FB6C                 lea     rdx, [rdi+_RTL_USER_PROCESS_PARAMETERS.CommandLine]
000000014031FB70                 lea     r8, [rsp+118h+Dst]
000000014031FB78                 lea     rcx, [rsp+118h+CommandLine]
000000014031FB80                 call    PspCopyUnicodeString
000000014031FB85                 mov     esi, eax
000000014031FB87                 cmp     eax, ebx
000000014031FB89                 jl      loc_1403CA0AC
000000014031FB8F                 lea     rdx, [rdi+_RTL_USER_PROCESS_PARAMETERS.WindowTitle]
000000014031FB96                 lea     r8, [rsp+118h+Dst]
000000014031FB9E                 lea     rcx, [rsp+118h+WindowTitle]
000000014031FBA6                 call    PspCopyUnicodeString
000000014031FBAB                 mov     esi, eax
000000014031FBAD                 cmp     eax, ebx
000000014031FBAF                 jl      loc_1403CA0AC
000000014031FBB5                 lea     rdx, [rdi+_RTL_USER_PROCESS_PARAMETERS.DesktopInfo]
000000014031FBBC                 lea     r8, [rsp+118h+Dst]
000000014031FBC4                 lea     rcx, [rsp+118h+DesktopInfo]
000000014031FBCC                 call    PspCopyUnicodeString
000000014031FBD1                 mov     esi, eax
000000014031FBD3                 cmp     eax, ebx
000000014031FBD5                 jl      loc_1403CA0AC
000000014031FBDB                 lea     rdx, [rdi+_RTL_USER_PROCESS_PARAMETERS.ShellInfo] ; Src
000000014031FBE2                 lea     r8, [rsp+118h+Dst] ; Dst
000000014031FBEA                 lea     rcx, [rsp+118h+ShellInfo] ; Size
000000014031FBF2                 call    PspCopyUnicodeString


6、最后设置Flages2和pProcessParameters并退出
1
2
3
4
5
6
7
000000014031FC91                 or      [r13+CreateProcessContext.Flags2], 4
000000014031FC96                 mov     [r13+CreateProcessContext.PRTL_USER_PROCESS_PARAMETERS], rdi
000000014031FC9D                 xor     eax, eax
000000014031FC9F                 add     rsp, 0E0h
000000014031FCA6                 pop     r15
000000014031FCA8                 pop     r14
000000014031FCAA                 pop     r13


posted @ 2019-07-04 17:24  狂客  阅读(1388)  评论(0编辑  收藏  举报