分析 kernel32.dll 中 CreateRemoteThread 函数进入 0 环的过程
CreateRemoteThread
CreateRemoteThread 的部分反汇编(只截取了最终调用 NtCreateThread 的压参部分)
push edi ; CreateSuspended lea ecx, [ebp+UserStack] push ecx ; UserStack lea ecx, [ebp+ThreadContext] push ecx ; ThreadContext lea ecx, [ebp+ClientId] push ecx ; ClientId mov esi, [ebp+ProcessHandle] push esi ; ProcessHandle push eax ; ObjectAttributes push 1F03FFh ; DesiredAccess lea eax, [ebp+ThreadHandle] push eax ; ThreadHandle call ds:NtCreateThread
查看 ntdll 中的 ZwCreateThread 函数
;-----------------------------------------------------------------------
; ZwCreateThread (ntdll, IDA view) — 3 环到 0 环的系统调用桩
; In:    8 个 dword 参数在栈上(stdcall),见上面 CreateRemoteThread 的压参
; Out:   eax = NTSTATUS(由 0 环的 NtCreateThread 返回)
; Note:  除 eax/edx 外不改动寄存器;只负责设置调用号并跳入 KiFastSystemCall
;-----------------------------------------------------------------------
ZwCreateThread proc near
        mov     eax, 35h                ; NtCreateThread 的系统调用号(低 12 位为表内偏移)
        mov     edx, 7FFE0300h          ; KUSER_SHARED_DATA.SystemCall -> ntdll!KiFastSystemCall (sysenter)
        call    dword ptr [edx]
        retn    20h                     ; stdcall: 由被调用方清理 8 个 dword 参数 (0x20 字节)
可以看到它并不直接执行 sysenter,而是通过 0x7FFE0300 处保存的指针进入 ntdll!KiFastSystemCall,即使用快速系统调用进入内核
0: kd> u 7c92e4f0 ntdll!KiFastSystemCall: 7c92e4f0 8bd4 mov edx,esp 7c92e4f2 0f34 sysenter
sysenter 指令会进入 0 环的 KiFastCallEntry。它先保存 3 环的现场,再根据系统调用号查找系统服务表并把参数从 3 环栈复制到 0 环栈。下面省略了保存 3 环现场的代码,只列出保存完成之后的部分。注意其中 esi(指向 3 环参数块)在 rep movs 复制之前要与 MmUserProbeAddress 比较,这是内核对来自 3 环的参数指针所做的边界检查。
804de922 8bf8 mov edi,eax ;edi=系统调用号 804de924 c1ef08 shr edi,8 804de927 83e730 and edi,30h ;判断第12位是否为1,为1就是Win32k.sys,否则为Ntoskrl.dll ;edi=0x10||0x00 804de92a 8bcf mov ecx,edi ;ecx=edi&0x30 804de92c 03bee0000000 add edi,dword ptr [esi+0E0h] ;esi+0xe0=ServiceTable ;edi+=ServiceTable ; 系统服务表有 ServiceTable, Count, ServiceLimit 和 ArgmentTable 804de932 8bd8 mov ebx,eax ;ebx=系统调用号 804de934 25ff0f0000 and eax,0FFFh ;eax=偏移号 804de939 3b4708 cmp eax,dword ptr [edi+8] ; 804de93c 0f8330fdffff jae nt!KiBBTUnexpectedRange (804de672) ;调用号<=count 804de942 83f910 cmp ecx,10h ;是否为Win32k.sys 804de945 751b jne nt!KiFastCallEntry+0xcf (804de962) ; 804de947 648b0d18000000 mov ecx,dword ptr fs:[18h] ;ecx=_KPCR 804de94e 33db xor ebx,ebx ;ebx=0 804de950 0b99700f0000 or ebx,dword ptr [ecx+0F70h] ; 804de956 740a je nt!KiFastCallEntry+0xcf (804de962) 804de958 52 push edx ;指向第一个参数 804de959 50 push eax ;系统调用号 804de95a ff1568355680 call dword ptr [nt!KeGdiFlushUserBatch (80563568)] ; 804de960 58 pop eax 804de961 5a pop edx 804de962 64ff0538060000 inc dword ptr fs:[638h] ; 804de969 8bf2 mov esi,edx ;esi=arg[0] 804de96b 8b5f0c mov ebx,dword ptr [edi+0Ch] ;ebx=ServiceLimit 804de96e 33c9 xor ecx,ecx ;ecx=0 804de970 8a0c18 mov cl,byte ptr [eax+ebx] ;cl=arg_counts 804de973 8b3f mov edi,dword ptr [edi] ;edi=function addr table 804de975 8b1c87 mov ebx,dword ptr [edi+eax*4] ;ebx=function addr 804de978 2be1 sub esp,ecx ;提升堆栈 804de97a c1e902 shr ecx,2 ;乘以4 804de97d 8bfc mov edi,esp ;edi=esp,为参数获取堆栈空间 804de97f 3b35d48e5680 cmp esi,dword ptr [nt!MmUserProbeAddress (80568ed4)] ; 804de985 0f83a8010000 jae nt!KiSystemCallExit2+0x9f (804deb33) ; 804de98b f3a5 rep movs dword ptr es:[edi],dword ptr [esi] ;edi[0]=arg[0]... 804de98d ffd3 call ebx ;call eax+ebx 804de98f 8be5 mov esp,ebp 804de991 648b0d24010000 mov ecx,dword ptr fs:[124h] 804de998 8b553c mov edx,dword ptr [ebp+3Ch] 804de99b 899134010000 mov dword ptr [ecx+134h],edx
系统调用号为 0x35(与 0x3000 相与为 0,因此走 ntoskrnl 的服务表),查看 KeServiceDescriptorTable
0: kd> dd KeServiceDescriptorTable 80563520 804e58a0 00000000 0000011c 805120bc 80563530 00000000 00000000 00000000 00000000 80563540 00000000 00000000 00000000 00000000 80563550 00000000 00000000 00000000 00000000
0: kd> dd 804e58a0 l 40 ReadVirtual: 804e5920 not properly sign extended 804e58a0 80591bfb 80585356 805e1f35 805dbc47 804e58b0 805e1fbc 80640cc2 80642e4b 80642e94 804e58c0 805835b2 80650bbb 8064047d 805e1787 804e58d0 8063878a 80586fa1 805e08e8 8062f432 804e58e0 805d9781 80571d45 805e8258 805e939e 804e58f0 804e5eb4 80650ba7 805cd537 804ed812 804e5900 805719b7 80570af2 805e1b65 80656cec 804e5910 805e0ff3 805887b7 80656f5b 80586563 804e5920 804e221d 8066239e 805aa76b 8057dd2d 804e5930 8065120c 8057d330 805db662 805d6cd6 804e5940 80638c31 80578925 805d7e7f 805803c0 804e5950 80589caa 805b5823 8059a02a 805b1470 804e5960 8058c7cd 8065182d 8056eb66 8057b9e4 804e5970 805e7e56 80587c43 80598cb2 805a7ada 804e5980 805ab552 80663519 80663673 8056fb07 804e5990 805ddc8b 80650ba7 805d64ac 80594334
表中第 0x35 项的值为 0x80587c43(即 nt!NtCreateThread),查看其代码。注意函数开头对各个用户态指针参数都先与 MmUserProbeAddress 比较并检查对齐(test bl,3),这是内核对 3 环传入参数的探测检查,之后才真正读写这些指针。
80587c43 6a28 push 28h 80587c45 6870ad4f80 push offset nt!ObWatchHandles+0x674 (804fad70) 80587c4a e824c2f5ff call nt!_SEH_prolog (804e3e73) 80587c4f 8365fc00 and dword ptr [ebp-4],0 80587c53 64a124010000 mov eax,dword ptr fs:[00000124h] 80587c59 8945e0 mov dword ptr [ebp-20h],eax //当前线程的E_ETHREAD给ebp-0x20 80587c5c 80b84001000000 cmp byte ptr [eax+140h],0 80587c63 0f84452b0300 je nt!NtCreateThread+0xb5 (805ba7ae) //跳转到80587cdd处 80587c69 a1d48e5680 mov eax,dword ptr [nt!MmUserProbeAddress (80568ed4)] 80587c6e 8b4d08 mov ecx,dword ptr [ebp+8] //ecx=hProcess 80587c71 3bc8 cmp ecx,eax 80587c73 0f83d7e30700 jae nt!NtCreateThread+0x32 (80606050) //跳转到80587c79处 80587c79 8b01 mov eax,dword ptr [ecx] 80587c7b 8901 mov dword ptr [ecx],eax 80587c7d 8b5d18 mov ebx,dword ptr [ebp+18h] //ebx=lpParameter 80587c80 85db test ebx,ebx 80587c82 7423 je nt!NtCreateThread+0x66 (80587ca7) 80587c84 895ddc mov dword ptr [ebp-24h],ebx 80587c87 a1d48e5680 mov eax,dword ptr [nt!MmUserProbeAddress (80568ed4)] 80587c8c 3bd8 cmp ebx,eax 80587c8e 0f83c7e30700 jae nt!NtCreateThread+0x4f (8060605b) 80587c94 f6c303 test bl,3 80587c97 0f85c6e30700 jne nt!NtCreateThread+0x57 (80606063) 80587c9d 8a03 mov al,byte ptr [ebx] 80587c9f 8803 mov byte ptr [ebx],al 80587ca1 8a4304 mov al,byte ptr [ebx+4] 80587ca4 884304 mov byte ptr [ebx+4],al 80587ca7 837d1c00 cmp dword ptr [ebp+1Ch],0 80587cab 0f84f0e30700 je nt!NtCreateThread+0xaa (806060a1) 80587cb1 f6451c03 test byte ptr [ebp+1Ch],3 80587cb5 0f85b2e30700 jne nt!NtCreateThread+0x72 (8060606d) 80587cbb a1d48e5680 mov eax,dword ptr [nt!MmUserProbeAddress (80568ed4)] 80587cc0 39451c cmp dword ptr [ebp+1Ch],eax 80587cc3 0f83aee30700 jae nt!NtCreateThread+0x81 (80606077) 80587cc9 8b5d20 mov ebx,dword ptr [ebp+20h] 80587ccc f6c303 test bl,3 80587ccf 0f85b2e30700 jne nt!NtCreateThread+0x94 (80606087) 80587cd5 3bd8 cmp ebx,eax 80587cd7 0f83b9e30700 jae nt!NtCreateThread+0xa2 (80606096) //上面都是测试符号的 80587cdd 8b03 mov eax,dword ptr [ebx] 80587cdf 8945c8 mov dword ptr 
[ebp-38h],eax 80587ce2 8b4b04 mov ecx,dword ptr [ebx+4] 80587ce5 894dcc mov dword ptr [ebp-34h],ecx 80587ce8 33d2 xor edx,edx 80587cea 3bc2 cmp eax,edx 80587cec 750e jne nt!NtCreateThread+0xd7 (80587cfc) 80587cee 3bca cmp ecx,edx 80587cf0 750a jne nt!NtCreateThread+0xd7 (80587cfc) 80587cf2 6a05 push 5 80587cf4 59 pop ecx 80587cf5 8bf3 mov esi,ebx 80587cf7 8d7dc8 lea edi,[ebp-38h] 80587cfa f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 80587cfc 834dfcff or dword ptr [ebp-4],0FFFFFFFFh 80587d00 52 push edx 80587d01 52 push edx 80587d02 ff7524 push dword ptr [ebp+24h] 80587d05 8d45c8 lea eax,[ebp-38h] 80587d08 50 push eax //lpThreadId 80587d09 ff751c push dword ptr [ebp+1Ch] //dwCreationFlags 80587d0c ff7518 push dword ptr [ebp+18h] //lpParameter 80587d0f 52 push edx //0 80587d10 ff7514 push dword ptr [ebp+14h] //lpStartAddress 80587d13 ff7510 push dword ptr [ebp+10h] //dwStackSize 80587d16 ff750c push dword ptr [ebp+0Ch] //lpThreadAttributes 80587d19 ff7508 push dword ptr [ebp+8] //hProcess 80587d1c e830e4feff call nt!PspCreateThread (80576151) 80587d21 e888c1f5ff call nt!_SEH_epilog (804e3eae) 80587d26 c22000 ret 20h