Thursday, 14 July 2011

Pointers for User Shared Data

Just a quick note on how to find the kernel-mode and user-mode addresses of the Shared User Data structure (nt!_kuser_shared_data) from WinDbg:
x nt!*shared*
8055c6e0 nt!MmSharedUserDataPte = 
805360d8 nt!ExAcquireSharedStarveExclusive = 
8056094c nt!MmTransitionSharedPagesPeak = 
...

dd 8055c6e0  l1
8055c6e0  e100b498

dt -r nt!_MMPTE e100b498
...
+0x000 Flush            : _HARDWARE_PTE
+0x000 Valid            : 0y1
+0x000 Write            : 0y0
+0x000 Owner            : 0y0
+0x000 WriteThrough     : 0y0
+0x000 CacheDisable     : 0y0
+0x000 Accessed         : 0y1
+0x000 Dirty            : 0y0
+0x000 LargePage        : 0y0
+0x000 Global           : 0y1
+0x000 CopyOnWrite      : 0y0
+0x000 Prototype        : 0y0
+0x000 reserved0        : 0y0
+0x000 PageFrameNumber  : 0y00...1000001 (0x41)
+0x000 reserved1        : 0y10...0000000 (0x2000000)
+0x000 LowPart          : 0x41121
+0x004 HighPart         : 0x80000000

!pfn 41
PFN 00000041 at address 81AE671C
flink       00000023  blink / share
count 0000003C  pteaddress C07FEF80
reference count 0001   Cached     color 0
restore pte 00000080
containing page        00074F  Active      P
Shared

!pte C07FEF80
  VA ffdf0000
PDE at 00000000C0603FF0    PTE at 00000000C07FEF80
contains 000000000074F163  contains 0000000000041163
pfn 74f        -G-DA--KWEV    pfn 41         -G-DA--KWEV

The VA column gives us the kernel-mode address (ffdf0000), so we can dump the shared area with:
dt nt!_kuser_shared_data ffdf0000  (KERNEL MODE ADDR)
+0x000 TickCountLow     : 0x3f7443d
+0x004 TickCountMultiplier : 0xfa00000
+0x008 InterruptTime    : _KSYSTEM_TIME
+0x014 SystemTime       : _KSYSTEM_TIME
+0x020 TimeZoneBias     : _KSYSTEM_TIME
+0x02c ImageNumberLow   : 0x14c
+0x02e ImageNumberHigh  : 0x14c
+0x030 NtSystemRoot     : [260] 0x43
+0x238 MaxStackTraceDepth : 0
+0x23c CryptoExponent   : 0
+0x240 TimeZoneId       : 2
+0x244 Reserved2        : [8] 0
+0x264 NtProductType    : 1 ( NtProductWinNt )
+0x268 ProductTypeIsValid : 0x1 ''
+0x26c NtMajorVersion   : 5
+0x270 NtMinorVersion   : 1
+0x274 ProcessorFeatures : [64]  ""
+0x2b4 Reserved1        : 0x7ffeffff  (USER MODE ADDRESS: 0x7ffe0000)
....

As you can see, the structure carries a self-referencing pointer for user-mode addressing. Because of the region's allocation size (see the vmmap output figure) the value has to be realigned down to a 64K boundary before it can be used, so:
?0x7ffeffff& (@@(~(0x10000-1)))
Evaluate expression: 2147414016 = 7ffe0000
Dumping the structure at this address gives exactly the same content as before:
dt nt!_kuser_shared_data 0x7ffe0000 
+0x000 TickCountLow     : 0x3f7443d
+0x004 TickCountMultiplier : 0xfa00000
+0x008 InterruptTime    : _KSYSTEM_TIME
+0x014 SystemTime       : _KSYSTEM_TIME
+0x020 TimeZoneBias     : _KSYSTEM_TIME
+0x02c ImageNumberLow   : 0x14c
+0x02e ImageNumberHigh  : 0x14c
+0x030 NtSystemRoot     : [260] 0x43
+0x238 MaxStackTraceDepth : 0
+0x23c CryptoExponent   : 0
+0x240 TimeZoneId       : 2
+0x244 Reserved2        : [8] 0
+0x264 NtProductType    : 1 ( NtProductWinNt )
+0x268 ProductTypeIsValid : 0x1 ''
+0x26c NtMajorVersion   : 5
+0x270 NtMinorVersion   : 1
+0x274 ProcessorFeatures : [64]  ""
+0x2b4 Reserved1        : 0x7ffeffff
+0x2b8 Reserved3        : 0x80000000
+0x2bc TimeSlip         : 0
+0x2c0 AlternativeArchitecture : 0 ( StandardDesign )
+0x2c8 SystemExpirationDate : _LARGE_INTEGER 0x0
+0x2d0 SuiteMask        : 0x110
+0x2d4 KdDebuggerEnabled : 0 ''
+0x2d5 NXSupportPolicy  : 0x2 ''
+0x2d8 ActiveConsoleId  : 0
+0x2dc DismountCount    : 0
+0x2e0 ComPlusPackage   : 0xffffffff
+0x2e4 LastSystemRITEventTickCount : 0x3df72600
+0x2e8 NumberOfPhysicalPages : 0x3f73c
+0x2ec SafeBootMode     : 0 ''
+0x2f0 TraceLogging     : 0
+0x2f8 TestRetInstruction : 0xc3
+0x300 SystemCall       : 0x7c90e510
+0x304 SystemCallReturn : 0x7c90e514
+0x308 SystemCallPad    : [3] 0
+0x320 TickCount        : _KSYSTEM_TIME
+0x320 TickCountQuad    : 0
+0x330 Cookie           : 0xe066d175
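To make the two steps above concrete, here is an added C example (mine, not the post's) that applies the same 64K mask and reads a few fields at the offsets shown in the dt output. It works on a constructed in-memory copy of the structure, populated with the values from the dump, so it runs without an XP machine; on one, the base would simply be 0x7ffe0000.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Field offsets copied from the dt nt!_kuser_shared_data output above (XP x86). */
#define OFF_NT_MAJOR_VERSION    0x26c
#define OFF_NT_MINOR_VERSION    0x270
#define OFF_RESERVED1           0x2b4
#define OFF_KD_DEBUGGER_ENABLED 0x2d4
#define OFF_SYSTEM_CALL         0x300
#define OFF_COOKIE              0x330
#define KUSER_IMAGE_SIZE        0x334   /* covers every field read below */

typedef struct {
    uint32_t nt_major, nt_minor, reserved1, system_call, cookie;
    uint8_t  kd_debugger_enabled;
} kuser_view;

/* The post's "? 0x7ffeffff & ~(0x10000-1)" step: round an address inside the
 * 64 KiB region down to the base of the shared page. */
uint32_t align_down_64k(uint32_t va) { return va & ~(uint32_t)(0x10000 - 1); }
/* Unaligned, endianness-consistent 32-bit accessors. */
static uint32_t rd32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static void wr32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }

/* Pull the interesting fields out of a KUSER_SHARED_DATA image at base. */
kuser_view read_kuser(const uint8_t *base) {
    kuser_view v;
    v.nt_major            = rd32(base, OFF_NT_MAJOR_VERSION);
    v.nt_minor            = rd32(base, OFF_NT_MINOR_VERSION);
    v.reserved1           = rd32(base, OFF_RESERVED1);
    v.kd_debugger_enabled = base[OFF_KD_DEBUGGER_ENABLED];
    v.system_call         = rd32(base, OFF_SYSTEM_CALL);
    v.cookie              = rd32(base, OFF_COOKIE);
    return v;
}

/* Constructed image carrying the values from the post's dt output, so the
 * parser runs without an XP box (there, base would be (const uint8_t *)0x7ffe0000). */
kuser_view read_sample(void) {
    uint8_t img[KUSER_IMAGE_SIZE];
    memset(img, 0, sizeof img);
    wr32(img, OFF_NT_MAJOR_VERSION, 5);
    wr32(img, OFF_NT_MINOR_VERSION, 1);
    wr32(img, OFF_RESERVED1, 0x7ffeffff);
    wr32(img, OFF_SYSTEM_CALL, 0x7c90e510);
    wr32(img, OFF_COOKIE, 0xe066d175);
    return read_kuser(img);   /* KdDebuggerEnabled stays 0, as in the dump */
}
```

Aligning the Reserved1 value read from the image reproduces the 0x7ffe0000 base that the debugger expression above evaluated to.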
The output from vmmap shows us the allocated size and the structure size of this special area:
