簡單看一下 微軟新出的核心頁表隔離補丁
KiEnableKvaShadowing由KiInitializeBootStructures和KxInitializeProcessorState呼叫,應該只初始化一次
signed __int64 __fastcall KiEnableKvaShadowing(__int64 a1, __int64 a2)
{
__int64 v3; // rdx@3
__int64 v4; // rcx@3
__int64 v5; // r8@3
char v6; // al@4
signed __int64 v7; // r9@8
signed __int64 v8; // r10@8
signed __int64 v9; // rdx@8
signed __int64 v10; // rcx@10
unsigned __int64 v15; // rax@14
__int64 v16; // rdx@15
signed __int64 result; // rax@21
_RBX = a1;
if ( !(unsigned __int8)KiIsKvaShadowDisabled() )
{
if ( (unsigned __int8)KiIsKvaLeakSimulated() )
{
v6 = 1;
KiKvaLeakageSimulate = 1;
}
else
{
v6 = KiKvaLeakageSimulate;
}
if ( !KiKvaLeakage && !v6 )
return 1i64;
*(_QWORD *)(v4 + 28288) = __readcr3();
v7 = v3 + 4132;
v8 = 7i64;
*(_QWORD *)(v3 + 4216) = *(_QWORD *)(v3 + 4100);
*(_QWORD *)(v3 + 4100) = v3 + 16896;
v9 = v3 + 17376;
do
{
if ( *(_QWORD *)v7 )
{
v10 = *(_QWORD *)v7 - 32i64;
*(_QWORD *)v9 = _RBX - 384;
*(_QWORD *)(v9 + 8) = v10;
*(_QWORD *)v10 = v9;
*(_QWORD *)v7 = v9;
}
v9 += 512i64;
v7 += 8i64;
--v8;
}
while ( v8 );
if ( *(_DWORD *)(_RBX + 36) )
{
result = KiShadowProcessorAllocation(_RBX, v5);
if ( !(_DWORD)result )
return result;
*(_DWORD *)(_RBX + 28312) |= 2u;
goto LABEL_23;
}
KiInitializeIdt(v5, 1);
*(_BYTE *)(*(_QWORD *)(*MK_FP(__GS__, 392i64) + 184i64) + 703i64) = 1;
byte_1403BFBFF = 1;
KiSetAddressPolicy(_CF, _ZF, _SF, _OF, 1);
if ( *(_QWORD *)(_RBX + 25192) & 0x40000000000i64 )
{
v15 = __readcr4() & 0xFFFFFFFFFFFFFF7Fui64;
_bittestandset(&v15, 0x11u);
__writecr4(v15);
__writecr3(__readcr3() | 2);
KiFlushPcid = 1;
}
HvlRescindEnlightenments(0x40000000000i64, -129i64);
KiKvaShadow = 1;
if ( KiFlushPcid )
{
if ( *(_BYTE *)(_RBX + 1597) != 1 )
{
LABEL_20:
KiKvaShadowMode = 1;
LABEL_23:
if ( KiFlushPcid )
__asm { lock bts qword ptr [rbx+6E80h], 3Fh }
return 1i64;
}
}
else if ( *(_BYTE *)(_RBX + 1597) != 1 )
{
KiKvaShadowMode = 2;
return 1i64;
}
__writecr4(v16 & __readcr4());
goto LABEL_20;
}
KiIsKvaShadowConfigDisabled = 1;
return 1i64;
}
signed __int64 __fastcall KiShadowProcessorAllocation(__int64 a1, __int64 a2)
{
__int64 v2; // rsi@1
__int64 v3; // rdi@1
signed int v5; // ebx@4
__int64 v6; // rax@6
__int64 v7; // rax@6
unsigned int v8; // edx@6
v2 = a2;
v3 = a1;
if ( !KiKvaShadow )
return 1i64;
if ( MmCreateShadowMapping(a2, 20480i64) )
{
v5 = 0;
if ( MmCreateShadowMapping(v3 + 28288, 4096i64) )
{
v5 = 1;
if ( *(_DWORD *)(v3 + 36) )
return 1i64;
LODWORD(v6) = RtlImageNtHeader(0x140000000i64);
LODWORD(v7) = RtlSectionTableFromVirtualAddress(
v6,
0x140000000i64,
(unsigned int)KiDivideErrorFaultShadow - 0x40000000);
v8 = *(_DWORD *)(v7 + 16);
if ( *(_DWORD *)(v7 + 8) > v8 )
v8 = *(_DWORD *)(v7 + 8);
if ( MmCreateShadowMapping(*(_DWORD *)(v7 + 12) + 0x140000000i64, (v8 + 4095) & 0xFFFFF000) )
return 1i64;
}
MmDeleteShadowMapping(v2, 20480i64);
if ( v5 )
MmDeleteShadowMapping(v3 + 28288, 4096i64);
}
return 0i64;
}
似乎是把KiDivideErrorFaultShadow 所在的section這幾塊核心記憶體單獨拿出來建立了對映
剛好這一塊都是idt和syscall/sysenter的入口,在KVASCODE 這個section裡
當然IDT要用shadow的那份
KiInitializeIdt(v5, TRUE);
第二個引數應該就是是否使用shadow idt
然後根據cpu是否有flushpcid功能(KiFlushPcid)選擇shadow的方式KiKvaShadowMode = 1 or 2?
然後看一下sysenter的入口,核心頁表應該是被放在了gs:7000h裡面,太簡單了不做分析,jmp後的流程和以前老Systemcall是一樣的
隨便挑了箇中斷分析了下
然後是AttachProcess的時候也加了一些特技(以前就一句writecr3)
void __fastcall KiLoadDirectoryTableBase(PEPROCESS ProcessObj, unsigned __int64 DirTableBase)
{
unsigned __int64 NewCr3; // rbx@1
unsigned __int64 v3; // rax@2
bool v4; // zf@2
bool v5; // sf@2
unsigned __int64 v6; // rcx@10
unsigned __int64 v7; // rax@11
NewCr3 = DirTableBase;
if ( KiKvaShadow )
{
v3 = DirTableBase;
v4 = (DirTableBase & 2) == 0;
v5 = (DirTableBase & 2 & 0x80u) != 0i64;
if ( DirTableBase & 2 )
{
v3 = DirTableBase | 0x8000000000000000ui64;
v4 = (DirTableBase | 0x8000000000000000ui64) == 0;
v5 = ((DirTableBase | 0x8000000000000000ui64) & 0x8000000000000000ui64) != 0i64;
}
*MK_FP(__GS__, 28672i64) = v3;
KiSetAddressPolicy(0, v4, v5, 0, ProcessObj->Pcb.AddressPolicy);
}
if ( HvlEnlightenments & 1 )
HvlSwitchVirtualAddressSpace(NewCr3);
else
__writecr3(NewCr3);
if ( KiKvaShadow && !KiFlushPcid )
{
v6 = __readcr4();
if ( v6 & 0x20080 )
{
v7 = v6;
_bittestandcomplement(&v7, 7u);
__writecr4(v7);
__writecr4(v6);
}
else
{
__writecr3(__readcr3());
}
}
}
Detach的時候也是直接呼叫的KiLoadDriectoryTableBase,被內聯了
暫時就先看這麼多,如果還有新的歡迎補充
作者:看雪論壇 hzqst
原文連結:https://bbs.pediy.com/thread-223805.htm
相關文章
- 微軟重大補丁(轉)微軟
- 核心補丁熱更新ceph核心模組
- IEIFRAM漏洞的簡單分析和臨時補丁(轉)
- 拋棄XP,微軟今起推送Win7/Win8.1核心補丁微軟Win7
- 核心介面隔離,要做哪些事情?
- 微軟Win7核心補丁失效?使用者:藍色畫面依舊微軟Win7
- 在RHAS2.1上打9205的補丁簡單總結!
- 微軟修復Bug的補丁產生了新的Bug微軟
- Linux 4.1核心熱補丁成功實踐Linux
- 怎樣為linux核心打補丁(轉)Linux
- 【補丁】Oracle補丁的知識及術語Oracle
- Oracle的補丁Oracle
- 近期微軟將釋出三個關鍵補丁微軟
- Oracle補丁集的補丁號Patch ID/Number速查Oracle
- Linux核心搶佔補丁的基本原理(轉)Linux
- 【opatch】Oracle打補丁工具opatch簡介Oracle
- win10核心隔離關閉不了怎麼解決 win10核心隔離無法關閉處理方法Win10
- WSUS Offline Update離線補丁升級工具
- 微軟的一個補丁,讓所有的應用當機,可怕微軟
- 5月13日微軟補丁日變成“裸奔日”微軟
- oracle 補丁Oracle
- 模組化單體應用的資料隔離
- 12. Oracle版本、補丁及升級——12.2. 補丁及補丁集Oracle
- Torvalds給Linux核心打補丁抵禦病毒(轉)Linux
- 【Java面試】請你簡單說一下Mysql的事務隔離級別Java面試MySql
- 離開頁面前,如何防止表單資料丟失?
- windows10系統如何關閉核心隔離功能Windows
- 核心頁表除錯除錯
- Linux穩定版核心撤回嚴重影響效能的Spectre補丁Linux
- 微軟11月補丁日,修復12個關鍵漏洞微軟
- 修復Windows漏洞 微軟預釋出11個補丁(轉)Windows微軟
- 微軟新補丁跟谷歌較勁? 系統“慢得像牛”微軟谷歌
- Oracle補丁術語介紹 PSU CPU補丁Oracle
- 怎麼樣安裝AIX 補丁或者補丁集AI
- Oracle的OPatch補丁更新Oracle
- Oracle EBS APP & DB 打補丁過程簡述OracleAPP
- PHP補丁[LAMP]PHPLAMP
- 軟體補丁