KiSystemCall64 win10 21h2函数流程分析 3环到0环

0x00基本信息

系统：windows 10 21h2

工具：ida 7.7 , windbg 10

3环写一个win32k 函数看访问流程

0x01分析

例如：3环函数

FlattenPath(x)

会调用到 win32u.dll 的 NtGdiFlattenPath eax=12a0 ssdt 表的下标地址就是 2a0 就是他的映射地址

.text:0000000180006430                 public NtGdiFlattenPath

.text:0000000180006430 NtGdiFlattenPath proc near              ; DATA XREF: .rdata:000000018000CE4D↓o

.text:0000000180006430                                         ; .rdata:off_18000F178↓o ...

.text:0000000180006430                 mov     r10, rcx

.text:0000000180006433                 mov     eax, 12A0h

.text:0000000180006438                 test    byte ptr ds:7FFE0308h, 1

.text:0000000180006440                 jnz     short loc_180006445

.text:0000000180006442                 syscall                 ; Low latency system call

.text:0000000180006444                 retn

windbg查看rdmsr 看到KiSystemCall64 地址

rdmsr 0xC0000082

下断点注意不要在 KiSystemCall64 地址下断点会报错 3行汇编是堆栈切换不要下断点

.text:00000001404088C0 ; __unwind { // KiSystemServiceHandler

.text:00000001404088C0                 swapgs

.text:00000001404088C3                 mov     gs:10h, rsp

.text:00000001404088CC                 mov     rsp, gs:1A8h

.text:00000001404088D5                 push    2Bh ; '+'

可以在KiSystemCall64 偏移15位置下断点就可以断下

ba e1 KiSystemCall64+15

直接分析到 KiSystemServiceStart 取下标

.text:0000000140408C20 KiSystemServiceStart:                   ; DATA XREF: KiServiceInternal+5A↑o

.text:0000000140408C20                                         ; .data:0000000140C00340↓o

.text:0000000140408C20                 mov     [rbx+90h], rsp

.text:0000000140408C27                 mov     edi, eax

.text:0000000140408C29                 shr     edi, 7

.text:0000000140408C2C                 and     edi, 20h

.text:0000000140408C2F                 and     eax, 0FFFh      ; 取下标

获取FlattenPath 0环地址

.text:0000000140408C5E loc_140408C5E:                          ; CODE XREF: KiSystemCall64+389↑j

.text:0000000140408C5E                 cmp     eax, [r10+rdi+10h]

.text:0000000140408C63                 jnb     loc_140409195

.text:0000000140408C69                 mov     r10, [r10+rdi]

.text:0000000140408C6D                 movsxd  r11, dword ptr [r10+rax*4] ; 获取地址

.text:0000000140408D90 KiSystemServiceCopyEnd:                 ; CODE XREF: KiSystemCall64+413↑j

.text:0000000140408D90                                         ; DATA XREF: KiSystemServiceHandler+27↑o ...

.text:0000000140408D90                 test    cs:KiDynamicTraceMask, 1

.text:0000000140408D9A                 jnz     loc_140409233

.text:0000000140408DA0                 test    dword ptr cs:PerfGlobalGroupMask+8, 40h

.text:0000000140408DAA                 jnz     loc_1404092A7

.text:0000000140408DB0                 mov     rax, r10

.text:0000000140408DB3                 call    rax

.text:0000000140408DB5                 nop     dword ptr [rax]

call rax 下断点也可以直接下偏移断点

ba e1 KiSystemServiceCopyEnd+0x20

nt!_guard_retpoline_indirect_rax 跟进去

call    nt!_guard_retpoline_indirect_rax (fffff803`36c1b2e0)

继续f11 一个ret 返回就可以跳到 win32k!NtGdiFlattenPath:

fffff803`36c1b2ff e81c000000      call    nt!_guard_retpoline_indirect_rax+0x40 (fffff803`36c1b320)

这里的

ffffd004`2246b268 e833f00800      call    ffffd004`224fa2a0

也是直接f11 和上边一样

成功到实际汇编代码这就看到一个函数内核实现了可以分析调试了

win32kfull!NtGdiFlattenPath:

ffffd004`238dde70 4053            push    rbx

ffffd004`238dde72 4881ecb0000000  sub     rsp,0B0h

ffffd004`238dde79 488bd1          mov     rdx,rcx

ffffd004`238dde7c 488d4c2420      lea     rcx,[rsp+20h]

ffffd004`238dde81 e88e85dcff      call    win32kfull!DCOBJ::DCOBJ (ffffd004`236a6414)

ffffd004`238dde86 488b4c2420      mov     rcx,qword ptr [rsp+20h]

ffffd004`238dde8b 4885c9          test    rcx,rcx

ffffd004`238dde8e 7507            jne     win32kfull!NtGdiFlattenPath+0x27 (ffffd004`238dde97)

当然最方便的是 3环下断点直接步过到内核进行调试

bp win32kfull!NtGdiFlattenPath

记住要记载符号 win32kfull.sys 可以用.reload 命令