x nt!*shared* 8055c6e0 nt!MmSharedUserDataPte =805360d8 nt!ExAcquireSharedStarveExclusive = 8056094c nt!MmTransitionSharedPagesPeak = ... dd 8055c6e0 l1 8055c6e0 e100b498 dt -r nt!_MMPTE e100b498 ... +0x000 Flush : _HARDWARE_PTE +0x000 Valid : 0y1 +0x000 Write : 0y0 +0x000 Owner : 0y0 +0x000 WriteThrough : 0y0 +0x000 CacheDisable : 0y0 +0x000 Accessed : 0y1 +0x000 Dirty : 0y0 +0x000 LargePage : 0y0 +0x000 Global : 0y1 +0x000 CopyOnWrite : 0y0 +0x000 Prototype : 0y0 +0x000 reserved0 : 0y0 +0x000 PageFrameNumber : 0y00...1000001 (0x41) +0x000 reserved1 : 0y10...0000000 (0x2000000) +0x000 LowPart : 0x41121 +0x004 HighPart : 0x80000000 !pfn 41 PFN 00000041 at address 81AE671C flink 00000023 blink / share count 0000003C pteaddress C07FEF80 reference count 0001 Cached color 0 restore pte 00000080 containing page 00074F Active P Shared !pte C07FEF80 VA ffdf0000 PDE at 00000000C0603FF0 PTE at 00000000C07FEF80 contains 000000000074F163 contains 0000000000041163 pfn 74f -G-DA--KWEV pfn 41 -G-DA--KWEV
And here we've got the kernel address, we can dump the shared space by:
dt nt!_kuser_shared_data ffdf0000 (KERNEL MODE ADDR) +0x000 TickCountLow : 0x3f7443d +0x004 TickCountMultiplier : 0xfa00000 +0x008 InterruptTime : _KSYSTEM_TIME +0x014 SystemTime : _KSYSTEM_TIME +0x020 TimeZoneBias : _KSYSTEM_TIME +0x02c ImageNumberLow : 0x14c +0x02e ImageNumberHigh : 0x14c +0x030 NtSystemRoot : [260] 0x43 +0x238 MaxStackTraceDepth : 0 +0x23c CryptoExponent : 0 +0x240 TimeZoneId : 2 +0x244 Reserved2 : [8] 0 +0x264 NtProductType : 1 ( NtProductWinNt ) +0x268 ProductTypeIsValid : 0x1 '' +0x26c NtMajorVersion : 5 +0x270 NtMinorVersion : 1 +0x274 ProcessorFeatures : [64] "" +0x2b4 Reserved1 : 0x7ffeffff (USER MODE ADDRESS: 0x7ffe0000) ....
As you can see the structure has a self reference pointer for user mode addressing. But we need to 64k realign it before using it because of its allocation size (see vmmap output figure), so:
?0x7ffeffff& (@@(~(0x10000-1))) Evaluate expression: 2147414016 = 7ffe0000Dumping it at this address we get the exact same content as before:
dt nt!_kuser_shared_data 0x7ffe0000
+0x000 TickCountLow : 0x3f7443d
+0x004 TickCountMultiplier : 0xfa00000
+0x008 InterruptTime : _KSYSTEM_TIME
+0x014 SystemTime : _KSYSTEM_TIME
+0x020 TimeZoneBias : _KSYSTEM_TIME
+0x02c ImageNumberLow : 0x14c
+0x02e ImageNumberHigh : 0x14c
+0x030 NtSystemRoot : [260] 0x43
+0x238 MaxStackTraceDepth : 0
+0x23c CryptoExponent : 0
+0x240 TimeZoneId : 2
+0x244 Reserved2 : [8] 0
+0x264 NtProductType : 1 ( NtProductWinNt )
+0x268 ProductTypeIsValid : 0x1 ''
+0x26c NtMajorVersion : 5
+0x270 NtMinorVersion : 1
+0x274 ProcessorFeatures : [64] ""
+0x2b4 Reserved1 : 0x7ffeffff
+0x2b8 Reserved3 : 0x80000000
+0x2bc TimeSlip : 0
+0x2c0 AlternativeArchitecture : 0 ( StandardDesign )
+0x2c8 SystemExpirationDate : _LARGE_INTEGER 0x0
+0x2d0 SuiteMask : 0x110
+0x2d4 KdDebuggerEnabled : 0 ''
+0x2d5 NXSupportPolicy : 0x2 ''
+0x2d8 ActiveConsoleId : 0
+0x2dc DismountCount : 0
+0x2e0 ComPlusPackage : 0xffffffff
+0x2e4 LastSystemRITEventTickCount : 0x3df72600
+0x2e8 NumberOfPhysicalPages : 0x3f73c
+0x2ec SafeBootMode : 0 ''
+0x2f0 TraceLogging : 0
+0x2f8 TestRetInstruction : 0xc3
+0x300 SystemCall : 0x7c90e510
+0x304 SystemCallReturn : 0x7c90e514
+0x308 SystemCallPad : [3] 0
+0x320 TickCount : _KSYSTEM_TIME
+0x320 TickCountQuad : 0
+0x330 Cookie : 0xe066d175
The output from vmmap shows us the allocated size and the structure size of this special area:
Sem comentários:
Enviar um comentário