
1、EPROCESS

进程结构,每个进程都有这样一个结构。EPROCESS中还有一个KPROCESS,其中EPROCESS被称为执行体,主要是给R3进行访问;KPROCESS才是真正的对象结构。

//0x2c0 bytes (sizeof)
// EPROCESS layout as dumped on this page: the executive's per-process object
// that wraps the kernel-level KPROCESS (Pcb). Trailing comments give each
// field's byte offset; the types used (ULONG, VOID, _KPROCESS, _LIST_ENTRY,
// ...) come from the kernel headers and are not defined in this listing.
// NOTE(review): the offsets appear to belong to one specific 32-bit build
// (pointers are 4 bytes wide) — confirm against the target build's symbols
// before relying on any of them.
struct _EPROCESS
{
// Kernel process object; the executive structure embeds it at offset 0.
struct _KPROCESS Pcb; //0x0
// Lock held while the EPROCESS is being modified; cleared (0) afterwards.
struct _EX_PUSH_LOCK ProcessLock; //0x98
union _LARGE_INTEGER CreateTime; //0xa0  process creation time
union _LARGE_INTEGER ExitTime; //0xa8  process exit time
// Rundown protection: once set, the process can no longer be accessed,
// opened or terminated (per the page's notes); misuse can hang the system.
struct _EX_RUNDOWN_REF RundownProtect; //0xb0
VOID* UniqueProcessId; //0xb4
// NOTE(review): presumably the doubly linked list that chains all active
// processes together — confirm before using it for enumeration.
struct _LIST_ENTRY ActiveProcessLinks; //0xb8
ULONG ProcessQuotaUsage[2]; //0xc0
ULONG ProcessQuotaPeak[2]; //0xc8
volatile ULONG CommitCharge; //0xd0
struct _EPROCESS_QUOTA_BLOCK* QuotaBlock; //0xd4
struct _PS_CPU_QUOTA_BLOCK* CpuQuotaBlock; //0xd8
ULONG PeakVirtualSize; //0xdc
ULONG VirtualSize; //0xe0
struct _LIST_ENTRY SessionProcessLinks; //0xe4
VOID* DebugPort; //0xec
// Three views of the same 4 bytes at 0xf0.
union
{
VOID* ExceptionPortData; //0xf0
ULONG ExceptionPortValue; //0xf0
ULONG ExceptionPortState:3; //0xf0
};
struct _HANDLE_TABLE* ObjectTable; //0xf4
// NOTE(review): presumably the reference to the process's primary access
// token (cf. the PrimaryTokenFrozen bit in Flags2 below); a field that
// kernel integrity checks typically monitor — confirm.
struct _EX_FAST_REF Token; //0xf8
ULONG WorkingSetPage; //0xfc
struct _EX_PUSH_LOCK AddressCreationLock; //0x100
struct _ETHREAD* RotateInProgress; //0x104
struct _ETHREAD* ForkInProgress; //0x108
ULONG HardwareTrigger; //0x10c
struct _MM_AVL_TABLE* PhysicalVadRoot; //0x110
VOID* CloneRoot; //0x114
volatile ULONG NumberOfPrivatePages; //0x118
volatile ULONG NumberOfLockedPages; //0x11c
VOID* Win32Process; //0x120
struct _EJOB* volatile Job; //0x124
VOID* SectionObject; //0x128
VOID* SectionBaseAddress; //0x12c
ULONG Cookie; //0x130
ULONG Spare8; //0x134
struct _PAGEFAULT_HISTORY* WorkingSetWatch; //0x138
VOID* Win32WindowStation; //0x13c
VOID* InheritedFromUniqueProcessId; //0x140
VOID* LdtInformation; //0x144
VOID* VdmObjects; //0x148
ULONG ConsoleHostProcess; //0x14c
VOID* DeviceMap; //0x150
VOID* EtwDataSource; //0x154
VOID* FreeTebHint; //0x158
// Note the gap between 0x158 and 0x160: the union below is 8-byte aligned.
union
{
struct _HARDWARE_PTE PageDirectoryPte; //0x160
ULONGLONG Filler; //0x160
};
VOID* Session; //0x168
// Only 15 bytes are stored, so this cannot hold a full path; treat it as a
// display hint rather than a reliable identity of the image.
UCHAR ImageFileName[15]; //0x16c
UCHAR PriorityClass; //0x17b
struct _LIST_ENTRY JobLinks; //0x17c
VOID* LockedPagesList; //0x184
struct _LIST_ENTRY ThreadListHead; //0x188
VOID* SecurityPort; //0x194
VOID* PaeTop; //0x194
volatile ULONG ActiveThreads; //0x198
ULONG ImagePathHash; //0x19c
ULONG DefaultHardErrorProcessing; //0x1a0
LONG LastThreadExitStatus; //0x1a4
struct _PEB* Peb; //0x1a8
struct _EX_FAST_REF PrefetchTrace; //0x1ac
union _LARGE_INTEGER ReadOperationCount; //0x1b0
union _LARGE_INTEGER WriteOperationCount; //0x1b8
union _LARGE_INTEGER OtherOperationCount; //0x1c0
union _LARGE_INTEGER ReadTransferCount; //0x1c8
union _LARGE_INTEGER WriteTransferCount; //0x1d0
union _LARGE_INTEGER OtherTransferCount; //0x1d8
ULONG CommitChargeLimit; //0x1e0
volatile ULONG CommitChargePeak; //0x1e4
VOID* AweInfo; //0x1e8
struct _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; //0x1ec
struct _MMSUPPORT Vm; //0x1f0
struct _LIST_ENTRY MmProcessLinks; //0x25c
VOID* HighestUserAddress; //0x264
ULONG ModifiedPageCount; //0x268
// Flags2: one ULONG readable whole or as individual bits.
union
{
ULONG Flags2; //0x26c
struct
{
ULONG JobNotReallyActive:1; //0x26c
ULONG AccountingFolded:1; //0x26c
ULONG NewProcessReported:1; //0x26c
ULONG ExitProcessReported:1; //0x26c
ULONG ReportCommitChanges:1; //0x26c
ULONG LastReportMemory:1; //0x26c
ULONG ReportPhysicalPageChanges:1; //0x26c
ULONG HandleTableRundown:1; //0x26c
ULONG NeedsHandleRundown:1; //0x26c
ULONG RefTraceEnabled:1; //0x26c
ULONG NumaAware:1; //0x26c
ULONG ProtectedProcess:1; //0x26c
ULONG DefaultPagePriority:3; //0x26c
ULONG PrimaryTokenFrozen:1; //0x26c
ULONG ProcessVerifierTarget:1; //0x26c
ULONG StackRandomizationDisabled:1; //0x26c
ULONG AffinityPermanent:1; //0x26c
ULONG AffinityUpdateEnable:1; //0x26c
ULONG PropagateNode:1; //0x26c
ULONG ExplicitAffinity:1; //0x26c
};
};
// Flags: same whole-word / bit-field dual view as Flags2.
union
{
ULONG Flags; //0x270
struct
{
ULONG CreateReported:1; //0x270
ULONG NoDebugInherit:1; //0x270
ULONG ProcessExiting:1; //0x270
ULONG ProcessDelete:1; //0x270
ULONG Wow64SplitPages:1; //0x270
ULONG VmDeleted:1; //0x270
ULONG OutswapEnabled:1; //0x270
ULONG Outswapped:1; //0x270
ULONG ForkFailed:1; //0x270
ULONG Wow64VaSpace4Gb:1; //0x270
ULONG AddressSpaceInitialized:2; //0x270
ULONG SetTimerResolution:1; //0x270
ULONG BreakOnTermination:1; //0x270
ULONG DeprioritizeViews:1; //0x270
ULONG WriteWatch:1; //0x270
ULONG ProcessInSession:1; //0x270
ULONG OverrideAddressSpace:1; //0x270
ULONG HasAddressSpace:1; //0x270
ULONG LaunchPrefetched:1; //0x270
ULONG InjectInpageErrors:1; //0x270
ULONG VmTopDown:1; //0x270
ULONG ImageNotifyDone:1; //0x270
ULONG PdeUpdateNeeded:1; //0x270
ULONG VdmAllowed:1; //0x270
ULONG CrossSessionCreate:1; //0x270
ULONG ProcessInserted:1; //0x270
ULONG DefaultIoPriority:3; //0x270
ULONG ProcessSelfDelete:1; //0x270
ULONG SetTimerResolutionLink:1; //0x270
};
};
LONG ExitStatus; //0x274
struct _MM_AVL_TABLE VadRoot; //0x278
struct _ALPC_PROCESS_CONTEXT AlpcContext; //0x298
struct _LIST_ENTRY TimerResolutionLink; //0x2a8
ULONG RequestedTimerResolution; //0x2b0
ULONG ActiveThreadsHighWatermark; //0x2b4
ULONG SmallestTimerResolution; //0x2b8
struct _PO_DIAG_STACK_RECORD* TimerResolutionStackRecord; //0x2bc
};
  • Pcb:Kprocess结构体。内核成员,见下文。

  • ProcessLock:R3进程锁。修改EPROCESS结构时在此存放锁结构,防止同时修改;改完后置0。

  • CreateTime:进程的创建时间。

  • ExitTime:进程的退出时间。

  • RundownProtect:进程锁。该字段置值后,进程无法被访问、打开、结束,相当于一种保护,但容易导致卡死。

image-20230613124753624


1、R3进入R0

Windows XP之前,R3进入R0都是依靠中断门(0x2E)完成特权级切换,这种方式较为复杂,需要压入SS、CS、EIP、ESP等一系列操作。因此XP之后引入了快速调用(FastCall)。

image-20230606174405820

image-20230606174544302

x86使用的是sysenter/sysexit,x64是syscall/sysret。


x64页表映射

微软设计了一种页表自映射的方式,提高了cpu工作的效率。正常情况下一个线性地址需要进行4次拆分.

image-20230525191034126

而在页表自映射的作用下,只需3次拆分即可。

原理


一、没有大炮我们自己造

首先编写一个简单的程序。

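/*
 * Minimal test subject for the VMP packing experiment: increments a local
 * and prints it, so the protected binary has a tiny, recognisable body.
 * Note: this listing omits "#include <stdio.h>", which printf needs; an
 * implicit declaration is an error since C99, so add it at the top of
 * the file. Exit status is always 0.
 */
int main(void)
{
    int a = 1;
    a = a + 1;
    printf("%d\n", a);
    return 0;
}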

编译后给程序添加vmp保护壳,这里选择的VMP版本为v3.5.0

image-20230105160101521


1、保护模式简介

CPU的运行模式有:实模式、保护模式、虚拟8086模式,大多数操作系统都运行在保护模式下。

保护模式主要是用来保护寄存器、数据结构、指令,实际上也就是保护寄存器,因为cpu的数据都存放在寄存器中。

保护模式的特点:段和页。

  • 实模式:16位系统DOS,访问的都是物理地址,不安全。
  • 保护模式:将物理地址隔离后,使用线性的虚拟地址来访问,相对实模式来说比较安全,并用段和页的机制来维护虚拟地址。