rootkit 直接访问硬件之[三].docx

标 题:【原创】rootkit 直接访问硬件之三作 者:combojiang时 间:2008-03-28,17:21:40链 接:/showthread.php?t=62081关于ring3直接访问硬件的办法，前面已经介绍了2篇，本篇算是结束篇了。篇幅较长，大家慢慢阅读。高手飘过。基本上我们能依据8条保护规则来进行访问的情况都概括了。还是跟前面一样，我们先贴出保护规则来。(1)若CPLdt_ktssnt!_KTSS+0x000Backlink:Uint2B+0x002Reserved0:Uint2B+0x004Esp0:Uint4B+0x008Ss0:Uint2B+0x00aReserved1:Uint2B+0x00cNotUsed1:4Uint4B+0x01cCR3:Uint4B+0x020Eip:Uint4B+0x024EFlags:Uint4B+0x028Eax:Uint4B+0x02cEcx:Uint4B+0x030Edx:Uint4B+0x034Ebx:Uint4B+0x038Esp:Uint4B+0x03cEbp:Uint4B+0x040Esi:Uint4B+0x044Edi:Uint4B+0x048Es:Uint2B+0x04aReserved2:Uint2B+0x04cCs:Uint2B+0x04eReserved3:Uint2B+0x050Ss:Uint2B+0x052Reserved4:Uint2B+0x054Ds:Uint2B+0x056Reserved5:Uint2B+0x058Fs:Uint2B+0x05aReserved6:Uint2B+0x05cGs:Uint2B+0x05eReserved7:Uint2B+0x060LDT:Uint2B+0x062Reserved8:Uint2B+0x064Flags:Uint2B+0x066IoMapBase:Uint2B+0x068IoMaps:1_KiIoAccessMap+0x208cIntDirectionMap:32UCharlkddt_KiIoAccessMapnt!_KiIoAccessMap+0x000DirectionMap:32UChar+0x020IoMap:8196UChar其中的IoMapBase就是I/O许可位图的在TSS段中的偏移位置。也就是说在TSS段中从这个位置开始就是I/O许可位图了。另外在这个结构中还有IoMaps.IoMap一项,这是个长度为8196字节的数组。在Windows32位操作系统中，端口是由word类型来描述的，也就是说最大端口数量就是65536，即64k.由于每个端口使用一个bit位来描述，因此64k的端口占用字节数就是65536/8=8192字节。因此，我们完全可以使用IoMaps.IoMap8196作为我们I/O许可位图区域。从结构上看，IoMaps.IoMap位于tss段偏移0x88位置处。也就是说，如果我们把I/O许可位图放到IoMaps.IoMap中，然后让IoMapBase和进程中的IopmOffset指向这个位置就行了。这个是我们的整体思路。windows提供以下三个内核函数：BOOLEANKe386QueryIoAccessMap(ULONGMapNumber,PKIO_ACCESS_MAPIoAccessMap);BOOLEANKe386SetIoAccessMap(ULONGMapNumber,PKIO_ACCESS_MAPIoAccessMap);BOOLEANKe386IoSetAccessProcess(PKPROCESSProcess,ULONGMapNumber);其中第一个函数，是查询端口访问许可用的。第二个，第三个函数是用于设置tssI/O许可位图的,我们可以分析下第二、第三个函数，来验证下我们的思路。lkduKe386SetIoAccessMapL30nt!Ke386SetIoAccessMap:804f80fe8bffmovedi,edi804f810055pushebp804f81018becmovebp,esp804f810357pushedi804f81048b7d08movedi,dwordptrebp+8804f810783ff01cmpedi,1804f810a7759jant!Ke386SetIoAccessMap+0x67(804f8165)804f810c85fftestedi,edi804f810e7455jent!Ke386SetIoAccessMap+0x67(804f8165)804f811053pushebx804f811156pushesi804f8112ff158c864d80calldwordptrnt!_imp_KeRaiseIrqlToSynchLevel(804d868c)804f81188ad8movbl,al804f811a3ea120f0dfffmoveax,dwordptrds:FFDFF020h804f81208bd0movedx,eax804f8122b800f0dfffmoveax,0FFDFF000h804f812769ff24200000imuledi,edi,2024h;edi=2024h804f812d8b4040moveax,dwordptreax+40h804f81308b750cmovesi,dwordptrebp+0Ch804f81338dbc0764e0ffffleaedi,edi+eax-1F9Ch804f813ab900080000movecx,800h;这里奇怪，IOPM数组总长为2000h。为什么拷贝一部分？804f813ff3a5repmovsdwordptres:edi,dwordptresi804f81418b4204moveax,dwordptredx+4;eax=CurrentThread804f81448b4844movecx,dwordptreax+44h;ecx=CurrentProcess804f8147b800f0dfffmoveax,0FFDFF000h804f814c668b4930movcx,wordptrecx+30h;cx=IopmOffset804f81508b4040moveax,dwordptreax+40h;tss804f815366894866movwordptreax+66h,cx804f81578acbmovcl,bl804f8159ff151c874d80calldwordptrnt!_imp_KfLowerIrql(804d871c)804f815f5epopesi804f8160b001moval,1804f81625bpopebx804f8163eb02jmpnt!Ke386SetIoAccessMap+0x69(804f8167)804f816532c0xoral,al804f81675fpopedi804f81685dpopebp804f8169c20800ret8804f816cccint3804f816dccint3804f816eccint3804f816fccint3804f8170ccint3上述代码中的一些重要偏移值解释如下：1。0FFDFF000h对应于KPCR,用WINDBG看lkd!PCRKPCRforProcessor0atffdff000:Major1Minor1NtTib.ExceptionList:b2616c7cNtTib.StackBase:b2616df0NtTib.StackLimit:b2614000NtTib.SubSystemTib:00000000NtTib.Version:00000000NtTib.UserPointer:00000000NtTib.SelfTib:7ffde000SelfPcr:ffdff000Prcb:ffdff120Irql:00000000IRR:00000000IDR:ffffffffInterruptMode:00000000IDT:8003f400GDT:8003f000TSS:80042000CurrentThread:88fb6da8NextThread:00000000IdleThread:80552d20DpcQueue:2。看KPCR结构，ds:FFDFF020h对应于Prcb，KPCR偏移0x40位置对应于TSSlkddt_kpcrnt!_KPCR+0x000NtTib:_NT_TIB+0x01cSelfPcr:Ptr32_KPCR+0x020Prcb:Ptr32_KPRCB+0x024Irql:UChar+0x028IRR:Uint4B+0x02cIrrActive:Uint4B+0x030IDR:Uint4B+0x034KdVersionBlock:Ptr32Void+0x038IDT:Ptr32_KIDTENTRY+0x03cGDT:Ptr32_KGDTENTRY+0x040TSS:Ptr32_KTSS+0x044MajorVersion:Uint2B+0x046MinorVersion:Uint2B+0x048SetMember:Uint4B+0x04cStallScaleFactor:Uint4B+0x050DebugActive:UChar+0x051Number:UChar+0x052Spare0:UChar+0x053SecondLevelCacheAssociativity:UChar+0x054VdmAlert:Uint4B+0x058KernelReserved:14Uint4B+0x090SecondLevelCacheSize:Uint4B+0x094HalReserved:16Uint4B+0x0d4InterruptMode:Uint4B+0x0d8Spare1:UChar+0x0dcKernelReserved2:17Uint4B+0x120PrcbData:_KPRCB3。看tss结构，偏移0x88处对应于IoMaps0.IoMap,偏移0x66处，对应IoMapBase。lkddt_ktssnt!_KTSS+0x000Backlink:Uint2B+0x002Reserved0:Uint2B+0x004Esp0:Uint4B+0x008Ss0:Uint2B+0x00aReserved1:Uint2B+0x00cNotUsed1:4Uint4B+0x01cCR3:Uint4B+0x020Eip:Uint4B+0x024EFlags:Uint4B+0x028Eax:Uint4B+0x02cEcx:Uint4B+0x030Edx:Uint4B+0x034Ebx:Uint4B+0x038Esp:Uint4B+0x03cEbp:Uint4B+0x040Esi:Uint4B+0x044Edi:Uint4B+0x048Es:Uint2B+0x04aReserved2:Uint2B+0x04cCs:Uint2B+0x04eReserved3:Uint2B+0x050Ss:Uint2B+0x052Reserved4:Uint2B+0x054Ds:Uint2B+0x056Reserved5:Uint2B+0x058Fs:Uint2B+0x05aReserved6:Uint2B+0x05cGs:Uint2B+0x05eReserved7:Uint2B+0x060LDT:Uint2B+0x062Reserved8:Uint2B+0x064Flags:Uint2B+0x066IoMapBase:Uint2B+0x068IoMaps:1_KiIoAccessMap+0x208cIntDirectionMap:32UCharlkddt_KiIoAccessMapnt!_KiIoAccessMap+0x000DirectionMap:32UChar+0x020IoMap:8196UChar4。Prcb对应的_KPRCB，其偏移0x4字节对应于CurrentThreadlkddt_KPRCBntdll!_KPRCB+0x000MinorVersion:Uint2B+0x002MajorVersion:Uint2B+0x004CurrentThread:Ptr32_KTHREAD+0x008NextThread:Ptr32_KTHREAD+0x00cIdleThread:Ptr32_KTHREAD+0x010Number:Char+0x011Reserved:Char+0x012BuildType:Uint2B+0x014SetMember:Uint4B+0x018CpuType:Char+0x019CpuID:Char+0x01aCpuStep:Uint2B+0x01cProcessorState:_KPROCESSOR_STATE+0x33cKernelReserved:16Uint4B+0x37cHalReserved:16Uint4B+0x3bcPrcbPad0:92UChar+0x418LockQueue:16_KSPIN_LOCK_QUEUE+0x498PrcbPad1:8UChar+0x4a0NpxThread:Ptr32_KTHREAD+0x4a4InterruptCount:Uint4B+0x4a8KernelTime:Uint4B+0x4acUserTime:Uint4B+0x4b0DpcTime:Uint4B+0x4b4DebugDpcTime:Uint4B+0x4b8InterruptTime:Uint4B+0x4bcAdjustDpcThreshold:Uint4B+0x4c0PageColor:Uint4B+0x4c4SkipTick:Uint4B+0x4c8MultiThreadSetBusy:UChar+0x4c9Spare2:3UChar+0x4ccParentNode:Ptr32_KNODE+0x4d0MultiThreadProcessorSet:Uint4B+0x4d4MultiThreadSetMaster:Ptr32_KPRCB+0x4d8ThreadStartCount:2Uint4B+0x4e0CcFastReadNoWait:Uint4B+0x4e4CcFastReadWait:Uint4B+0x4e8CcFastReadNotPossible:Uint4B+0x4ecCcCopyReadNoWait:Uint4B+0x4f0CcCopyReadWait:Uint4B+0x4f4CcCopyReadNoWaitMiss:Uint4B+0x4f8KeAlignmentFixupCount:Uint4B+0x4fcKeContextSwitches:Uint4B+0x500KeDcacheFlushCount:Uint4B+0x504KeExceptionDispatchCount:Uint4B+0x508KeFirstLevelTbFills:Uint4B+0x50cKeFloatingEmulationCount:Uint4B+0x510KeIcacheFlushCount:Uint4B+0x514KeSecondLevelTbFills:Uint4B+0x518KeSystemCalls:Uint4B+0x51cSpareCounter0:1Uint4B+0x520PPLookasideList:16_PP_LOOKASIDE_LIST+0x5a0PPNPagedLookasideList:32_PP_LOOKASIDE_LIST+0x6a0PPPagedLookasideList:32_PP_LOOKASIDE_LIST+0x7a0PacketBarrier:Uint4B+0x7a4ReverseStall:Uint4B+0x7a8IpiFrame:Ptr32Void+0x7acPrcbPad2:52UChar+0x7e0CurrentPacket:3Ptr32Void+0x7ecTargetSet:Uint4B+0x7f0WorkerRoutine:Ptr32void+0x7f4IpiFrozen:Uint4B+0x7f8PrcbPad3:40UChar+0x820RequestSummary:Uint4B+0x824SignalDone:Ptr32_KPRCB+0x828PrcbPad4:56UChar+0x860DpcListHead:_LIST_ENTRY+0x868DpcStack:Ptr32Void+0x86cDpcCount:Uint4B+0x870DpcQueueDepth:Uint4B+0x874DpcRoutineActive:Uint4B+0x878DpcInterruptRequested:Uint4B+0x87cDpcLastCount:Uint4B+0x880DpcRequestRate:Uint4B+0x884MaximumDpcQueueDepth:Uint4B+0x888MinimumDpcRate:Uint4B+0x88cQuantumEnd:Uint4B+0x890PrcbPad5:16UChar+0x8a0DpcLock:Uint4B+0x8a4PrcbPad6:28UChar+0x8c0CallDpc:_KDPC+0x8e0ChainedInterruptList:Ptr32Void+0x8e4LookasideIrpFloat:Int4B+0x8e8SpareFields0:6Uint4B+0x900VendorString:13UChar+0x90dInitialApicId:UChar+0x90eLogicalProcessorsPerPhysicalProcessor:UChar+0x910MHz:Uint4B+0x914FeatureBits:Uint4B+0x918UpdateSignature:_LARGE_INTEGER+0x920NpxSaveArea:_FX_SAVE_AREA+0xb30PowerState:_PROCESSOR_POWER_STATE5。CurrentThread偏移0x44处对应于ApcState.Process,即当前进程。lkddt_kthreadntdll!_KTHREAD+0x000Header:_DISPATCHER_HEADER+0x010MutantListHead:_LIST_ENTRY+0x018InitialStack:Ptr32Void+0x01cStackLimit:Ptr32Void+0x020Teb:Ptr32Void+0x024TlsArray:Ptr32Void+0x028KernelStack:Ptr32Void+0x02cDebugActive:UChar+0x02dState:UChar+0x02eAlerted:2UChar+0x030Iopl:UChar+0x031NpxState:UChar+0x032Saturation:Char+0x033Priority:Char+0x034ApcState:_KAPC_STATE+0x04cContextSwitches:Uint4B+0x050IdleSwapBlock:UChar+0x051Spare0:3UChar+0x054WaitStatus:Int4B+0x058WaitIrql:UChar+0x059WaitMode:Char+0x05aWaitNext:UChar+0x05bWaitReason:UChar+0x05cWaitBlockList:Ptr32_KWAIT_BLOCK+0x060WaitListEntry:_LIST_ENTRY+0x060SwapListEntry:_SINGLE_LIST_ENTRY+0x068WaitTime:Uint4B+0x06cBasePriority:Char+0x06dDecrementCount:UChar+0x06ePriorityDecrement:Char+0x06fQuantum:Char+0x070WaitBlock:4_KWAIT_BLOCK+0x0d0LegoData:Ptr32Void+0x0d4KernelApcDisable:Uint4B+0x0d8UserAffinity:Uint4B+0x0dcSystemAffinityActive:UChar+0x0ddPowerState:UChar+0x0deNpxIrql:UChar+0x0dfInitialNode:UChar+0x0e0ServiceTable:Ptr32Void+0x0e4Queue:Ptr32_KQUEUE+0x0e8ApcQueueLock:Uint4B+0x0f0Timer:_KTIMER+0x118QueueListEntry:_LIST_ENTRY+0x120SoftAffinity:Uint4B+0x124Affinity:Uint4B+0x128Preempted:UChar+0x129ProcessReadyQueue:UChar+0x12aKernelStackResident:UChar+0x12bNextProcessor:UChar+0x12cCallbackStack:Ptr32Void+0x130Win32Thread:Ptr32Void+0x134TrapFrame:Ptr32_KTRAP_FRAME+0x138ApcStatePointer:2Ptr32_KAPC_STATE+0x140PreviousMode:Char+0x141EnableStackSwap:UChar+0x142LargeStack:UChar+0x143ResourceIndex:UChar+0x144KernelTime:Uint4B+0x148UserTime:Uint4B+0x14cSavedApcState:_KAPC_STATE+0x164Alertable:UChar+0x165ApcStateIndex:UChar+0x166ApcQueueable:UChar+0x167AutoAlignment:UChar+0x168StackBase:Ptr32Void+0x16cSuspendApc:_KAPC+0x19cSuspendSemaphore:_KSEMAPHORE+0x1b0ThreadListEntry:_LIST_ENTRY+0x1b8FreezeCount:Char+0x1b9SuspendCount:Char+0x1baIdealProcessor:UChar+0x1bbDisableBoost:UCharlkddt_KAPC_STATEntdll!_KAPC_STATE+0x000ApcListHead:2_LIST_ENTRY+0x010Process:Ptr32_KPROCESS+0x014KernelApcInProgress:UChar+0x015KernelApcPending:UChar+0x016UserApcPending:UChar6。在Process偏移0x30处，对应于IopmOffset。lkddt_KPROCESSntdll!_KPROCESS+0x000Header:_DISPATCHER_HEADER+0x010ProfileListHead:_LIST_ENTRY+0x018DirectoryTableBase:2Uint4B+0x020LdtDescriptor:_KGDTENTRY+0x028Int21Descriptor:_KIDTENTRY+0x030IopmOffset:Uint2B+0x032Iopl:UChar+0x033Unused:UChar+0x034ActiveProcessors:Uint4B+0x038KernelTime:Uint4B+0x03cUserTime:Uint4B+0x040ReadyListHead:_LIST_ENTRY+0x048SwapListEntry:_SINGLE_LIST_ENTRY+0x04cVdmTrapcHandler:Ptr32Void+0x050ThreadListHead:_LIST_ENTRY+0x058ProcessLock:Uint4B+0x05cAffinity:Uint4B+0x060StackCount:Uint2B+0x062BasePriority:Char+0x063ThreadQuantum:Char+0x064AutoAlignment:UChar+0x065State:UChar+0x066ThreadSeed:UChar+0x067DisableBoost:UChar+0x068PowerState:UChar+0x069DisableQuantum:UChar+0x06aIdealNode:UChar+0x06bFlags:_KEXECUTE_OPTIONS+0x06bExecuteOptions:UChar了解了关键的值，我们把这段汇编代码还原为c的代码如下：BOOLEANKe386SetIoAccessMap(ULONGMapNumber,PKIO_ACCESS_MAPIoAccessMap)KIRQLoldIrql;if(MapNumber1)|(MapNumber=0)returnFALSE;oldIrql=KeRaiseIrqlToSynchLevel();PKPCRKiPcr=(PKPCR)0xffdff000;void*pIOPM=&(KiPcr-TSS-IoMaps0.IoMap);memcpy(pIOPM,IoAccessMap,0x800);KiPcr-TSS-IoMapBase=PsGetCurrentProcess()-IopmOffset;KfLowerIrql(oldIrql);returnTRUE;lkduKe386IoSetAccessProcessl30nt!Ke386IoSetAccessProcess:804f81d48bffmovedi,edi804f81d655pushebp804f81d78becmovebp,esp804f81d956pushesi804f81da8b750cmovesi,dwordptrebp+0Ch/参数2804f81dd83fe01cmpesi,1804f81e07604jbent!Ke386IoSetAccessProcess+0x12(804f81e6)/小于等于1804f81e232c0xoral,al804f81e4eb48jmpnt!Ke386IoSetAccessProcess+0x5a(804f822e)/大于1804f81e685f6testesi,esi804f81e87507jnen