{"id":305,"date":"2022-08-24T23:34:06","date_gmt":"2022-08-25T07:34:06","guid":{"rendered":"https:\/\/www.qiuqiuren.club\/?p=305"},"modified":"2024-08-02T20:58:10","modified_gmt":"2024-08-03T04:58:10","slug":"%e9%a9%b1%e5%8a%a8%e7%9b%b8%e5%85%b3%e9%9b%b6%e7%a2%8e%e4%bf%a1%e6%81%af","status":"publish","type":"post","link":"https:\/\/www.qiuqiuren.club\/?p=305","title":{"rendered":"Miscellaneous driver-related notes"},"content":{"rendered":"<h1>Miscellaneous driver-related notes<\/h1>\n<h2>r0 calling r3<\/h2>\n<h3>KeUserModeCallback<\/h3>\n<p>This does not break the boundary between r0 and r3; the target function still runs in r3.<\/p>\n<p><a href=\"https:\/\/blog.51cto.com\/u_15127614\/3256433\">https:\/\/blog.51cto.com\/u_15127614\/3256433<\/a><\/p>\n<p><a href=\"https:\/\/cloud.tencent.com\/developer\/article\/1540508\">https:\/\/cloud.tencent.com\/developer\/article\/1540508<\/a><\/p>\n<pre><code class=\"language-c\">NTSTATUS KeUserModeCallback (\n    IN  ULONG  ApiNumber,\n    IN  PVOID  InputBuffer,\n    IN  ULONG  InputLength,\n    OUT PVOID  *OutputBuffer,\n    IN  PULONG OutputLength\n    );<\/code><\/pre>\n<h2>Communication between r0 and r3<\/h2>\n<p>The normal path is DeviceIoControl.<\/p>\n<p>Alternatively, the kernel can hook a related function, and r3 then communicates with the kernel by calling that API.<\/p>\n<h3>xKdEnumerateDebuggingDevices and NtConvertBetweenAuxiliaryCounterAndPerformanceCounter<\/h3>\n<p>For example, the kernel modifies the function pointer at xKdEnumerateDebuggingDevices, and r3 then calls ntdll.NtConvertBetweenAuxiliaryCounterAndPerformanceCounter. After that call enters the kernel, the corresponding kernel routine calls the function pointed to by xKdEnumerateDebuggingDevices, which hands execution to the kernel-side code together with the function's parameters.<\/p>\n<p>For details see https:\/\/back.engineering\/08\/06\/2020\/ or <a href=\"https:\/\/github.com\/btbd\/modmap\">https:\/\/github.com\/btbd\/modmap<\/a><\/p>\n<pre><code class=\"language-c\">__int64 __fastcall NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(char a1, unsigned __int64 a2, _QWORD *a3, _QWORD *a4)\n{\n  _QWORD *v4; \/\/ rbx\n  _QWORD *v5; \/\/ rdi\n  char v6; \/\/ si\n  __int64 v7; \/\/ r14\n  __int64 (__fastcall *v8)(); \/\/ rax\n  unsigned int v9; \/\/ ecx\n  __int64 (__fastcall *v10)(); \/\/ rax\n  __int64 v12; \/\/ [rsp+20h] [rbp-28h]\n  __int64 v13; \/\/ [rsp+28h] [rbp-20h]\n  __int64 v14; \/\/ [rsp+30h] [rbp-18h]\n\n  v4 = a4;\n  v5 = a3;\n  v6 = a1;\n  if ( KeGetCurrentThread()-&gt;PreviousMode )\n  {\n    if ( a2 &amp; 3 )\n      ExRaiseDatatypeMisalignment();\n    if ( a2 + 8 &gt; 0x7FFFFFFF0000i64 || a2 + 8 &lt; a2 )\n      MEMORY[0x7FFFFFFF0000] = 0;\n    v7 = *(_QWORD *)a2;\n    v14 = *(_QWORD *)a2;\n    ProbeForWrite(a3, 8ui64, 4u);\n    if ( v4 )\n      ProbeForWrite(v4, 8ui64, 4u);\n    v8 = off_140398A08[0];\n    if ( !v6 )\n      v8 = off_140398A00[0]; \/\/ this pointer gets swapped to the address of the manually mapped function hook handler.\n    v9 = ((__int64 (__fastcall *)(__int64, __int64 *, __int64 *))v8)(v7, &amp;v12, &amp;v13);\n    if ( (v9 &amp; 0x80000000) == 0 )\n    {\n      *v5 = v12;\n      if ( v4 )\n        *v4 = v13;\n    }\n  }\n  else\n  {\n    v10 = off_140398A08[0];\n    if ( !a1 )\n      v10 = off_140398A00[0];\n    v9 = ((__int64 (__fastcall *)(_QWORD, _QWORD *, _QWORD *))v10)(*(_QWORD *)a2, a3, a4);\n  }\n  return v9;\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Miscellaneous driver-related notes r0 calling r3 KeUserModeCallback This does not break the boundary between r0 and r3; the target function still runs in r<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,2],"tags":[],"class_list":["post-305","post","type-post","status-publish","format-standard","hentry","category-9","category-2"],"_links":{"self":[{"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=\/wp\/v2\/posts\/305"}],"collection":[{"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=305"}],"version-history":[{"count":0,"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=\/wp\/v2\/posts\/305\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qiuqiuren.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}