About nt!PsSystemDllBase (XP)

While reversing a kernel function today, I came across this instruction:

mov     eax,dword ptr [nt!PsSystemDllBase (8055b280)]

So I realized this must be a global pointer. But a pointer to what?

kd> dd nt!PsSystemDllBase
8055b280 7c920000 00000000 00000000 00000000
8055b290 00000000 00000000 8052897c 00000000
8055b2a0 00000000 00000000 81f36868 81f36868
8055b2b0 00000000 00000000 00000000 00000000
8055b2c0 00000001 f8af9d50 00000000 00040001
8055b2d0 00000000 8055b2d4 8055b2d4 00000000
8055b2e0 821b9ad0 00000001 00000000 00000000
8055b2f0 00000000 00000000 00000000 00000000

7c920000

Isn't that the load address of ntdll.dll?

To verify:

kd> dd 7c920000
7c920000 00905a4d 00000003 00000004 0000ffff
7c920010 000000b8 00000000 00000040 00000000
7c920020 00000000 00000000 00000000 00000000
7c920030 00000000 00000000 00000000 000000d0
7c920040 0eba1f0e cd09b400 4c01b821 685421cd
7c920050 70207369 72676f72 63206d61 6f6e6e61
7c920060 65622074 6e757220 206e6920 20534f44
7c920070 65646f6d 0a0d0d2e 00000024 00000000

Isn't that a PE file header?

So:

kd> da 7c920000 

7c920000 "MZ."

kd> !dh 7c920000

File Type: DLL
FILE HEADER VALUES
14C machine (i386)
4 number of sections
4D00F2A7 time date stamp Thu Dec 09 23:15:51 2010

0 file pointer to symbol table
0 number of symbols
E0 size of optional header
210E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
DLL

OPTIONAL HEADER VALUES
10B magic #
7.10 linker version
7D000 size of code
15A00 size of initialized data
0 size of uninitialized data
12AFC address of entry point
1000 base of code
----- new -----
7c920000 image base
1000 section alignment
200 file alignment
3 subsystem (Windows CUI)
5.01 operating system version
5.01 image version
4.10 subsystem version
96000 size of image
400 size of headers
9A8E1 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
0 DLL characteristics
3400 [ 9A5E] address [size] of Export Directory
0 [ 0] address [size] of Import Directory
83000 [ F7E4] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
93000 [ 2EEC] address [size] of Base Relocation Directory
7DED4 [ 38] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
512D0 [ 40] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
0 [ 0] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory


SECTION HEADER #1
.text name
7CF32 virtual size
1000 virtual address
7D000 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read


Debug Directories(2)
Type Size Address Pointer
Can't read debug dir

SECTION HEADER #2
.data name
4A20 virtual size
7E000 virtual address
3200 size of raw data
7D400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
(no align specified)
Read Write

SECTION HEADER #3
.rsrc name
F7E4 virtual size
83000 virtual address
F800 size of raw data
80600 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
(no align specified)
Read Only

SECTION HEADER #4
.reloc name
2EEC virtual size
93000 virtual address
3000 size of raw data
8FE00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only

It is indeed NTDLL.DLL.

Conclusion:

  nt!PsSystemDllBase is the address at which NTDLL.DLL is loaded in memory.
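The three debugger steps above (dd the pointer, da to see "MZ", !dh to read the file and optional headers) amount to checking for a PE header at the address the pointer holds. The following Python is an added example, not code from the original post: it performs the same checks on a raw byte buffer, parsing the DOS header, the PE signature, IMAGE_FILE_HEADER and the 32-bit optional header. The sample image is constructed here from the values shown in the !dh output (machine 14C, 4 sections, timestamp 4D00F2A7, image base 7c920000, size of image 96000, entry point 12AFC); it is not a real ntdll.dll. The second buffer is the first 16 bytes of the variable at 8055b280 from the dd output, which is not a module and must be rejected.

```python
import struct
from datetime import datetime, timezone

# Constants from the PE format (winnt.h)
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_FILE_DLL = 0x2000


def parse_pe_headers(image: bytes):
    """Check that `image` begins with a DOS header followed by a 32-bit PE
    header and return the fields !dh prints. Returns None when the buffer is
    not a PE image, i.e. the pointer under examination is not a module base."""
    if len(image) < 0x40:
        return None
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # PE signature (4 bytes) plus IMAGE_FILE_HEADER (20 bytes) must fit
    if e_lfanew + 24 > len(image):
        return None
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    (machine, num_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    # In the 32-bit optional header: AddressOfEntryPoint at +16,
    # ImageBase at +28, SizeOfImage at +56 (so at least 60 bytes needed)
    if opt_size < 60 or opt_off + opt_size > len(image):
        return None
    if struct.unpack_from("<H", image, opt_off)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return None
    entry_point = struct.unpack_from("<I", image, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", image, opt_off + 28)[0]
    size_of_image = struct.unpack_from("<I", image, opt_off + 56)[0]
    return {
        "machine": machine,
        "num_sections": num_sections,
        # TimeDateStamp is seconds since the Unix epoch; !dh shows it in local time
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S"),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "entry_point": entry_point,
        "image_base": image_base,
        "size_of_image": size_of_image,
    }


def build_sample_image() -> bytes:
    """Constructed sample: a header-only image carrying the values from the
    !dh output in the post. Not a real ntdll.dll, just enough header to parse."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header follows DOS header
    file_hdr = struct.pack("<HHIIIHH",
                           IMAGE_FILE_MACHINE_I386, 4, 0x4D00F2A7,
                           0, 0, 0xE0, 0x210E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x12AFC)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x7C920000)   # ImageBase
    struct.pack_into("<I", opt, 56, 0x96000)      # SizeOfImage
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed: the first four dwords at 8055b280 from the dd output, as
# little-endian bytes. This is the global variable itself, not a module.
NOT_A_MODULE = bytes.fromhex("0000927c" + "00000000" * 3)


def is_pe_image(memory: bytes) -> bool:
    """The question the post asks of a pointer: is there a module here?"""
    return parse_pe_headers(memory) is not None


if __name__ == "__main__":
    for name, value in parse_pe_headers(build_sample_image()).items():
        print(f"{name:>14}: {value:#x}" if type(value) is int else f"{name:>14}: {value}")
    print("bytes at 8055b280 are a PE image:", is_pe_image(NOT_A_MODULE))
    print("bytes at 7c920000 are a PE image:", is_pe_image(build_sample_image()))
```

The parser reports the timestamp in UTC (15:15:51), while the !dh output above prints 23:15:51, the same instant in the debugger host's local time zone; comparing the two is a useful sanity check when a timestamp looks off by a whole number of hours. On XP, ntdll is mapped at the same address in every process, which is why a single kernel global can hold its base.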

 

posted @ 2013-04-14 15:20  monkeycd