I. Preface

  Around New Year 2018 a CPU vulnerability (Meltdown) was disclosed that lets code running in ring 3 on Windows read kernel memory directly. Microsoft fixed it with a patch that gives each process a second page table and adds the kernel code needed to switch between the two. Below we look at what the patch changed and how that affects the usual way of locating KeServiceDescriptorTable.

  See also https://bbs.kafan.cn/thread-2112833-1-1.html

  II. The patch

  The fix appears to follow the same idea as KAISER on Linux (Microsoft calls it KVA Shadow; note the KVASCODE section name in the listings below): shadow page tables, with separate tables for ring 3 and ring 0. In the ring 3 table only a handful of kernel pages are mapped (the transition code and the per-processor data it needs) and the rest of the kernel range is invalid. In the ring 0 table everything is mapped, including user addresses, so kernel access to user memory is governed only by SMEP and SMAP.

  1. KPROCESS gained a UserDirectoryTableBase field holding the CR3 value used in ring 3; the existing DirectoryTableBase remains the ring 0 CR3.

  

  Ring 3 -> kernel transition

  Msr[C0000082] -> KiSystemCall64Shadow
  KVASCODE:0000000140295140 KiSystemCall64Shadow proc near ; DATA XREF: sub_14016C860+34o
  KVASCODE:0000000140295140 ; KiInitializeBootStructures+288o
  KVASCODE:0000000140295140 swapgs
  KVASCODE:0000000140295143 mov gs:7010h, rsp
  KVASCODE:000000014029514C mov rsp, gs:7000h
  KVASCODE:0000000140295155 bt dword ptr gs:7018h, 1
  KVASCODE:000000014029515F jb short loc_140295164
  KVASCODE:0000000140295161 mov cr3, rsp
  KVASCODE:0000000140295164
  KVASCODE:0000000140295164 loc_140295164: ; CODE XREF: KiSystemCall64Shadow+1Fj
  KVASCODE:0000000140295164 mov rsp, gs:7008h

  The handler saves the user RSP at gs:[7010h], loads the kernel CR3 value kept at gs:[7000h] into RSP, writes it to CR3 unless bit 1 of the flags dword at gs:[7018h] is set, and only then switches to the kernel stack kept at gs:[7008h]. Everything it touches up to this point has to be mapped in the user page table as well, which is why this code lives in its own KVASCODE section rather than in .text.

  Kernel -> ring 3 transition

  KiSystemServiceExit -> KiKernelSysretExit
  KVASCODE:0000000140294C40 KiKernelSysretExit proc near ; CODE XREF: KiCallUserMode+1B6j
  KVASCODE:0000000140294C40 ; KiSystemServiceExit+222j ...
  KVASCODE:0000000140294C40 mov esp, gs:7018h
  KVASCODE:0000000140294C48 bt esp,
  KVASCODE:0000000140294C4C jb short loc_140294C84
  KVASCODE:0000000140294C4E mov rbp, gs:188h
  KVASCODE:0000000140294C57 mov rbp, [rbp+_ETHREAD.Tcb.Process]
  KVASCODE:0000000140294C5E mov rbp, [rbp+_KPROCESS.UserDirectoryTableBase]
  KVASCODE:0000000140294C65 bt ebp,
  KVASCODE:0000000140294C69 jnb short loc_140294C81
  KVASCODE:0000000140294C6B bt esp,
  KVASCODE:0000000140294C6F jb short loc_140294C78
  KVASCODE:0000000140294C71 bts rbp, 3Fh
  KVASCODE:0000000140294C76 jmp short loc_140294C81
  KVASCODE:0000000140294C78 ; ---------------------------------------------------------------------------
  KVASCODE:0000000140294C78
  KVASCODE:0000000140294C78 loc_140294C78: ; CODE XREF: KiKernelSysretExit+2Fj
  KVASCODE:0000000140294C78 and dword ptr gs:7018h, 0FFFFFFFEh
  KVASCODE:0000000140294C81
  KVASCODE:0000000140294C81 loc_140294C81: ; CODE XREF: KiKernelSysretExit+29j
  KVASCODE:0000000140294C81 ; KiKernelSysretExit+36j
  KVASCODE:0000000140294C81 mov cr3, rbp
  KVASCODE:0000000140294C84
  KVASCODE:0000000140294C84 loc_140294C84: ; CODE XREF: KiKernelSysretExit+Cj
  KVASCODE:0000000140294C84 mov rbp, r9
  KVASCODE:0000000140294C87 mov rsp, r8
  KVASCODE:0000000140294C8A swapgs
  KVASCODE:0000000140294C8D sysret
  KVASCODE:0000000140294C90 retn
  KVASCODE:0000000140294C90 KiKernelSysretExit endp

  On the way out, KiKernelSysretExit reads the same flags dword and, unless the bit it tests is set, walks from the current thread (gs:188h) to its process and fetches UserDirectoryTableBase. Depending on a flag bit in that value and in the PRCB flags it either clears bit 0 of gs:7018h or sets bit 63 of the new CR3 value (bts rbp, 3Fh: with CR4.PCIDE enabled, bit 63 of the value written to CR3 tells the processor not to flush the TLB entries tagged with that PCID). It then writes CR3, restores RBP and RSP from R9 and R8, and returns with sysret.

  Looking at a process's DirectoryTableBase and UserDirectoryTableBase:

  kd> dt _kprocess ffffa387efa55580
  ntdll!_KPROCESS
  +0x028 DirectoryTableBase : 0x31620002
  +0x278 UserDirectoryTableBase : 0x31aa0001

  The low bits (2 and 1) are the PCIDs used for the kernel and user address spaces on CPUs that support PCID; they are not part of the page-table address, so the commands below mask them off.

  Dumping the start of both tables shows identical content. These are the PML4 entries covering the user half of the address space, which is mapped in both tables.

  kd> !dq 0x31aa0000
  #31aa0000 0a000000`3a487867 00000000`00000000
  #31aa0010 00000000`00000000 00000000`00000000
  #31aa0020 00000000`00000000 00000000`00000000
  #31aa0030 00000000`00000000 00000000`00000000
  #31aa0040 00000000`00000000 00000000`00000000
  #31aa0050 00000000`00000000 00000000`00000000
  #31aa0060 00000000`00000000 00000000`00000000
  #31aa0070 00000000`00000000 00000000`00000000
  kd> !dq 0x31620000
  #31620000 0a000000`3a487867 00000000`00000000
  #31620010 00000000`00000000 00000000`00000000
  #31620020 00000000`00000000 00000000`00000000
  #31620030 00000000`00000000 00000000`00000000
  #31620040 00000000`00000000 00000000`00000000
  #31620050 00000000`00000000 00000000`00000000
  #31620060 00000000`00000000 00000000`00000000
  #31620070 00000000`00000000 00000000`00000000

  More importantly, nt!KiSystemCall64Shadow is mapped in both tables, and both map it to the same physical address. Note that the PML4 slot (offset 0xf80) is the same in both, but the PDPT, PD and PT pages differ: the user table carries its own sparse copy of the kernel-half paging structures, containing only the entries KVA Shadow needs.

  kd> ? nt!kisystemcall64shadow
  Evaluate expression: -8779310440128 = fffff803`e851e140
  kd> !vtop 0x31aa0000 fffff803e851e140
  Amd64VtoP: Virt fffff803`e851e140, pagedir 31aa0000
  Amd64VtoP: PML4E 31aa0f80
  Amd64VtoP: PDPE
  Amd64VtoP: PDE 98a10
  Amd64VtoP: PTE c9f8f0
  Amd64VtoP: Mapped phys 2f1e140
  Virtual address fffff803e851e140 translates to physical address 2f1e140.

  kd> !vtop 0x31620000 fffff803e851e140
  Amd64VtoP: Virt fffff803`e851e140, pagedir 31620000
  Amd64VtoP: PML4E 31620f80
  Amd64VtoP: PDPE e09078
  Amd64VtoP: PDE e0aa10
  Amd64VtoP: PTE e178f0
  Amd64VtoP: Mapped phys 2f1e140
  Virtual address fffff803e851e140 translates to physical address 2f1e140.

  Now look at a kernel-only address, taken from the processor's PRCB:

  kd> !pcr
  KPCR for Processor at fffff803e70f6000:
  Major 1 Minor 1
  NtTib.ExceptionList: fffff803ea464fb0
  NtTib.StackBase: fffff803ea463000
  NtTib.StackLimit: 0000000000000000
  NtTib.SubSystemTib: fffff803e70f6000
  NtTib.Version: 00000000e70f6180
  NtTib.UserPointer: fffff803e70f6870
  NtTib.SelfTib: 00000000002e7000

  SelfPcr: 0000000000000000
  Prcb: fffff803e70f6180
  Irql: 0000000000000000
  IRR: 0000000000000000
  IDR: 0000000000000000
  InterruptMode: 0000000000000000
  IDT: 0000000000000000
  GDT: 0000000000000000
  TSS: 0000000000000000

  CurrentThread: ffffa387ee521080
  NextThread: 0000000000000000
  IdleThread: fffff803e86a1380

  DpcQueue: Unable to read nt!_KDPC_DATA.DpcListHead.Flink @ fffff803e70f8f80

  kd> !vtop 0x31aa0000 fffff803e70f8f80
  Amd64VtoP: Virt fffff803`e70f8f80, pagedir 31aa0000
  Amd64VtoP: PML4E 31aa0f80
  Amd64VtoP: PDPE
  Amd64VtoP: PDE 989c0
  Amd64VtoP: PTE e1c7c0
  Amd64VtoP: zero PTE
  Virtual address fffff803e70f8f80 translation fails, error 0xD0000147.

  kd> !vtop 0x31620000 fffff803e70f8f80
  Amd64VtoP: Virt fffff803`e70f8f80, pagedir 31620000
  Amd64VtoP: PML4E 31620f80
  Amd64VtoP: PDPE e09078
  Amd64VtoP: PDE e0a9c0
  Amd64VtoP: PTE e0d7c0
  Amd64VtoP: Mapped phys 1393f80
  Virtual address fffff803e70f8f80 translates to physical address 1393f80.

  So fffff803e70f8f80 is backed by a physical page only through the ring 0 table; in the ring 3 table the walk reaches a page table but the PTE is zero, and the address is simply not mapped.

 III. msr[0xc0000082] now points to KiSystemCall64Shadow

  On x64 we used to locate KeServiceDescriptorTable by reading MSR 0xC0000082 (IA32_LSTAR), which gave the address of KiSystemCall64, and scanning forward from there. With the patch the MSR points to KiSystemCall64Shadow instead, and scanning from that function directly does not find KeServiceDescriptorTable: the stub lives in the KVASCODE section and hands off to the original dispatcher with a jmp.

  kd> rdmsr 0xc0000082
  msr[c0000082] = fffff806`0b134140

  kd> u fffff806`0b134140 l80
  nt!KiSystemCall64Shadow:
  fffff806`0b134140 0f01f8 swapgs
  fffff806`0b134143 654889242510700000 mov qword ptr gs:[7010h],rsp
  fffff806`0b13414c 65488b242500700000 mov rsp,qword ptr gs:[7000h]
  fffff806`0b134155 650fba24251870000001 bt dword ptr gs:[7018h],1
  fffff806`0b13415f 7203 jb nt!KiSystemCall64Shadow+0x24 (fffff806`0b134164)
  fffff806`0b134161 0f22dc mov cr3,rsp
  fffff806`0b134164 65488b242508700000 mov rsp,qword ptr gs:[7008h]
  nt!KiSystemCall64ShadowCommon:
  fffff806`0b13416d 6a2b push 2Bh
  fffff806`0b13416f 65ff342510700000 push qword ptr gs:[7010h]
  fffff806`0b134177 4153 push r11
  fffff806`0b134179 6a33 push 33h
  fffff806`0b13417b 51 push rcx
  fffff806`0b13417c 498bca mov rcx,r10
  fffff806`0b13417f 4883ec08 sub rsp,8
  fffff806`0b134183 55 push rbp
  fffff806`0b134184 4881ec58010000 sub rsp,158h
  fffff806`0b13418b 488dac2480000000 lea rbp,[rsp+80h]
  fffff806`0b134193 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
  fffff806`0b13419a 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi
  fffff806`0b1341a1 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
  fffff806`0b1341a8 488945b0 mov qword ptr [rbp-50h],rax
  fffff806`0b1341ac 48894db8 mov qword ptr [rbp-48h],rcx
  fffff806`0b1341b0 488955c0 mov qword ptr [rbp-40h],rdx
  fffff806`0b1341b4 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
  fffff806`0b1341bd 488b8920020000 mov rcx,qword ptr [rcx+220h]
  fffff806`0b1341c4 488b8930080000 mov rcx,qword ptr [rcx+830h]
  fffff806`0b1341cb 6548890c2570020000 mov qword ptr gs:[270h],rcx
  fffff806`0b1341d4 658a0c2550080000 mov cl,byte ptr gs:[850h]
  fffff806`0b1341dc 65880c2551080000 mov byte ptr gs:[851h],cl
  fffff806`0b1341e4 658a0c2578020000 mov cl,byte ptr gs:[278h]
  fffff806`0b1341ec 65880c2552080000 mov byte ptr gs:[852h],cl
  fffff806`0b1341f4 650fb604257b020000 movzx eax,byte ptr gs:[27Bh]
  fffff806`0b1341fd 653804257a020000 cmp byte ptr gs:[27Ah],al
  fffff806`0b134205 7411 je nt!KiSystemCall64ShadowCommon+0xab (fffff806`0b134218)
  fffff806`0b134207 658804257a020000 mov byte ptr gs:[27Ah],al
  fffff806`0b13420f b948000000 mov ecx,48h
  fffff806`0b134214 33d2 xor edx,edx
  fffff806`0b134216 0f30 wrmsr
  fffff806`0b134218 650fb6142578020000 movzx edx,byte ptr gs:[278h]
  fffff806`0b134221 f7c208000000 test edx,8
  fffff806`0b134227 7413 je nt!KiSystemCall64ShadowCommon+0xcf (fffff806`0b13423c)
  fffff806`0b134229 b801000000 mov eax,1
  fffff806`0b13422e 33d2 xor edx,edx
  fffff806`0b134230 b949000000 mov ecx,49h
  fffff806`0b134235 0f30 wrmsr
  fffff806`0b134237 e93e010000 jmp nt!KiSystemCall64ShadowCommon+0x20d (fffff806`0b13437a)
  fffff806`0b13423c f7c202000000 test edx,2
  fffff806`0b134242 0f842f010000 je nt!KiSystemCall64ShadowCommon+0x20a (fffff806`0b134377)
  fffff806`0b134248 65f604257902000004 test byte ptr gs:[279h],4
  fffff806`0b134251 0f8520010000 jne nt!KiSystemCall64ShadowCommon+0x20a (fffff806`0b134377)
  fffff806`0b134257 e80e010000 call nt!KiSystemCall64ShadowCommon+0x1fd (fffff806`0b13436a)
  fffff806`0b13425c 4883c408 add rsp,8
  fffff806`0b134260 e80e010000 call nt!KiSystemCall64ShadowCommon+0x206 (fffff806`0b134373)
  fffff806`0b134265 4883c408 add rsp,8
  fffff806`0b134269 e8eeffffff call nt!KiSystemCall64ShadowCommon+0xef (fffff806`0b13425c)
  fffff806`0b13426e 4883c408 add rsp,8
  fffff806`0b134272 e8eeffffff call nt!KiSystemCall64ShadowCommon+0xf8 (fffff806`0b134265)
  fffff806`0b134277 4883c408 add rsp,8
  fffff806`0b13427b e8eeffffff call nt!KiSystemCall64ShadowCommon+0x101 (fffff806`0b13426e)
  fffff806`0b134280 4883c408 add rsp,8
  fffff806`0b134284 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x10a (fffff806`0b134277)
  fffff806`0b134289 4883c408 add rsp,8
  fffff806`0b13428d e8eeffffff call nt!KiSystemCall64ShadowCommon+0x113 (fffff806`0b134280)
  fffff806`0b134292 4883c408 add rsp,8
  fffff806`0b134296 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x11c (fffff806`0b134289)
  fffff806`0b13429b 4883c408 add rsp,8
  fffff806`0b13429f e8eeffffff call nt!KiSystemCall64ShadowCommon+0x125 (fffff806`0b134292)
  fffff806`0b1342a4 4883c408 add rsp,8
  fffff806`0b1342a8 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x12e (fffff806`0b13429b)
  fffff806`0b1342ad 4883c408 add rsp,8
  fffff806`0b1342b1 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x137 (fffff806`0b1342a4)
  fffff806`0b1342b6 4883c408 add rsp,8
  fffff806`0b1342ba e8eeffffff call nt!KiSystemCall64ShadowCommon+0x140 (fffff806`0b1342ad)
  fffff806`0b1342bf 4883c408 add rsp,8
  fffff806`0b1342c3 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x149 (fffff806`0b1342b6)
  fffff806`0b1342c8 4883c408 add rsp,8
  fffff806`0b1342cc e8eeffffff call nt!KiSystemCall64ShadowCommon+0x152 (fffff806`0b1342bf)
  fffff806`0b1342d1 4883c408 add rsp,8
  fffff806`0b1342d5 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x15b (fffff806`0b1342c8)
  fffff806`0b1342da 4883c408 add rsp,8
  fffff806`0b1342de e8eeffffff call nt!KiSystemCall64ShadowCommon+0x164 (fffff806`0b1342d1)
  fffff806`0b1342e3 4883c408 add rsp,8
  fffff806`0b1342e7 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x16d (fffff806`0b1342da)
  fffff806`0b1342ec 4883c408 add rsp,8
  fffff806`0b1342f0 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x176 (fffff806`0b1342e3)
  fffff806`0b1342f5 4883c408 add rsp,8
  fffff806`0b1342f9 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x17f (fffff806`0b1342ec)
  fffff806`0b1342fe 4883c408 add rsp,8
  fffff806`0b134302 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x188 (fffff806`0b1342f5)
  fffff806`0b134307 4883c408 add rsp,8
  fffff806`0b13430b e8eeffffff call nt!KiSystemCall64ShadowCommon+0x191 (fffff806`0b1342fe)
  fffff806`0b134310 4883c408 add rsp,8
  fffff806`0b134314 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x19a (fffff806`0b134307)
  fffff806`0b134319 4883c408 add rsp,8
  fffff806`0b13431d e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1a3 (fffff806`0b134310)
  fffff806`0b134322 4883c408 add rsp,8
  fffff806`0b134326 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1ac (fffff806`0b134319)
  fffff806`0b13432b 4883c408 add rsp,8
  fffff806`0b13432f e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1b5 (fffff806`0b134322)
  fffff806`0b134334 4883c408 add rsp,8
  fffff806`0b134338 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1be (fffff806`0b13432b)
  fffff806`0b13433d 4883c408 add rsp,8
  fffff806`0b134341 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1c7 (fffff806`0b134334)
  fffff806`0b134346 4883c408 add rsp,8
  fffff806`0b13434a e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1d0 (fffff806`0b13433d)
  fffff806`0b13434f 4883c408 add rsp,8
  fffff806`0b134353 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1d9 (fffff806`0b134346)
  fffff806`0b134358 4883c408 add rsp,8
  fffff806`0b13435c e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1e2 (fffff806`0b13434f)
  fffff806`0b134361 4883c408 add rsp,8
  fffff806`0b134365 e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1eb (fffff806`0b134358)
  fffff806`0b13436a 4883c408 add rsp,8
  fffff806`0b13436e e8eeffffff call nt!KiSystemCall64ShadowCommon+0x1f4 (fffff806`0b134361)
  fffff806`0b134373 4883c408 add rsp,8
  fffff806`0b134377 0faee8 lfence
  fffff806`0b13437a 65c604255308000000 mov byte ptr gs:[853h],0
  fffff806`0b134383 e9631ae9ff jmp nt!KiSystemServiceUser (fffff806`0afc5deb)
  fffff806`0b134388 c3 ret

  The stretch between KiSystemCall64ShadowCommon+0xab and +0x20a is Spectre variant 2 handling selected by the per-processor flags at gs:[278h]: a write of IA32_SPEC_CTRL (MSR 48h) when the cached value at gs:[27Ah] has changed, an IBPB through IA32_PRED_CMD (MSR 49h), or the chain of 32 call / add rsp,8 pairs that stuffs the return stack buffer, all ending in an lfence. What matters for our purpose is the final jmp: following it to KiSystemServiceUser leads to the familiar reference to KeServiceDescriptorTable.

  kd> u fffff806`0afc5deb l
  nt!KiSystemServiceUser:
  fffff806`0afc5deb c645ab02 mov byte ptr [rbp-55h],2
  fffff806`0afc5def 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
  fffff806`0afc5df8 0f0d8b90000000 prefetchw [rbx+90h]
  fffff806`0afc5dff 0fae5dac stmxcsr dword ptr [rbp-54h]
  fffff806`0afc5e03 650fae142580010000 ldmxcsr dword ptr gs:[180h]
  fffff806`0afc5e0c 807b0300 cmp byte ptr [rbx+3],0
  fffff806`0afc5e10 66c785800000000000 mov word ptr [rbp+80h],0
  fffff806`0afc5e19 0f84a8000000 je nt!KiSystemServiceUser+0xdc (fffff806`0afc5ec7)
  fffff806`0afc5e1f f6430303 test byte ptr [rbx+3],3
  fffff806`0afc5e23 4c8945c8 mov qword ptr [rbp-38h],r8
  fffff806`0afc5e27 4c894dd0 mov qword ptr [rbp-30h],r9
  fffff806`0afc5e2b 7405 je nt!KiSystemServiceUser+0x47 (fffff806`0afc5e32)
  fffff806`0afc5e2d e84ef6feff call nt!KiSaveDebugRegisterState (fffff806`0afb5480)
  fffff806`0afc5e32 f6430304 test byte ptr [rbx+3],4
  fffff806`0afc5e36 742e je nt!KiSystemServiceUser+0x7b (fffff806`0afc5e66)
  fffff806`0afc5e38 4c8955e0 mov qword ptr [rbp-20h],r10
  fffff806`0afc5e3c 4c8955d8 mov qword ptr [rbp-28h],r10
  fffff806`0afc5e40 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0
  fffff806`0afc5e44 0f294d00 movaps xmmword ptr [rbp],xmm1
  fffff806`0afc5e48 0f295510 movaps xmmword ptr [rbp+10h],xmm2
  fffff806`0afc5e4c 0f295d20 movaps xmmword ptr [rbp+20h],xmm3
  fffff806`0afc5e50 0f296530 movaps xmmword ptr [rbp+30h],xmm4
  fffff806`0afc5e54 0f296d40 movaps xmmword ptr [rbp+40h],xmm5
  fffff806`0afc5e58 fb sti
  fffff806`0afc5e59 488bcc mov rcx,rsp
  fffff806`0afc5e5c e80fcd6400 call nt!PsPicoSystemCallDispatch (fffff806`0b612b70)
  fffff806`0afc5e61 e99f040000 jmp nt!KiSystemServiceExitPico (fffff806`0afc6305)
  fffff806`0afc5e66 f6430380 test byte ptr [rbx+3],80h
  fffff806`0afc5e6a 7448 je nt!KiSystemServiceUser+0xc9 (fffff806`0afc5eb4)
  fffff806`0afc5e6c b9020100c0 mov ecx,0C0000102h
  fffff806`0afc5e71 0f32 rdmsr
  fffff806`0afc5e73 48c1e220 shl rdx,20h
  fffff806`0afc5e77 480bc2 or rax,rdx
  fffff806`0afc5e7a 483b050fab1a00 cmp rax,qword ptr [nt!MmUserProbeAddress (fffff806`0b170990)]
  fffff806`0afc5e81 480f430507ab1a00 cmovae rax,qword ptr [nt!MmUserProbeAddress (fffff806`0b170990)]
  fffff806`0afc5e89 483983f0000000 cmp qword ptr [rbx+0F0h],rax
  fffff806`0afc5e90 7422 je nt!KiSystemServiceUser+0xc9 (fffff806`0afc5eb4)
  fffff806`0afc5e92 488b93f0010000 mov rdx,qword ptr [rbx+1F0h]
  fffff806`0afc5e99 0fba6b7408 bts dword ptr [rbx+74h],8
  fffff806`0afc5e9e 66ff8be6010000 dec word ptr [rbx+1E6h]
  fffff806`0afc5ea5 48898280000000 mov qword ptr [rdx+80h],rax
  fffff806`0afc5eac fb sti
  fffff806`0afc5ead e88e120000 call nt!KiUmsCallEntry (fffff806`0afc7140)
  fffff806`0afc5eb2 eb0b jmp nt!KiSystemServiceUser+0xd4 (fffff806`0afc5ebf)
  fffff806`0afc5eb4 f6430340 test byte ptr [rbx+3],40h
  fffff806`0afc5eb8 7405 je nt!KiSystemServiceUser+0xd4 (fffff806`0afc5ebf)
  fffff806`0afc5eba 0fba6b7410 bts dword ptr [rbx+74h],10h
  fffff806`0afc5ebf 4c8b45c8 mov r8,qword ptr [rbp-38h]
  fffff806`0afc5ec3 4c8b4dd0 mov r9,qword ptr [rbp-30h]
  fffff806`0afc5ec7 488b45b0 mov rax,qword ptr [rbp-50h]
  fffff806`0afc5ecb 488b4db8 mov rcx,qword ptr [rbp-48h]
  fffff806`0afc5ecf 488b55c0 mov rdx,qword ptr [rbp-40h]
  fffff806`0afc5ed3 fb sti
  fffff806`0afc5ed4 48898b88000000 mov qword ptr [rbx+88h],rcx
  fffff806`0afc5edb 898380000000 mov dword ptr [rbx+80h],eax
  fffff806`0afc5ee1 666666666666660f1f840000000000 nop word ptr [rax+rax]
  nt!KiSystemServiceStart:
  fffff806`0afc5ef0 4889a390000000 mov qword ptr [rbx+90h],rsp
  fffff806`0afc5ef7 8bf8 mov edi,eax
  fffff806`0afc5ef9 c1ef07 shr edi,7
  fffff806`0afc5efc 83e720 and edi,20h
  fffff806`0afc5eff 25ff0f0000 and eax,0FFFh
  nt!KiSystemServiceRepeat:
  fffff806`0afc5f04 4c8d1575a93100 lea r10,[nt!KeServiceDescriptorTable (fffff806`0b2e0880)]
  fffff806`0afc5f0b 4c8d1d6e3a3000 lea r11,[nt!KeServiceDescriptorTableShadow (fffff806`0b2c9980)]
  fffff806`0afc5f12 f7437880000000 test dword ptr [rbx+78h],80h

  The updated procedure is therefore: read IA32_LSTAR, follow the jmp at the end of KiSystemCall64ShadowCommon to KiSystemServiceUser, and scan forward from there for lea r10,[KeServiceDescriptorTable] (4C 8D 15 rel32) immediately followed by lea r11,[KeServiceDescriptorTableShadow] (4C 8D 1D rel32), resolving the RIP-relative operand. On machines where KVA Shadow is not enabled the MSR still holds KiSystemCall64 and the first step must be skipped, so code doing this has to handle both layouts.
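  As an added example (not code from the original post), here is that adjusted lookup written out in C and run offline against the instruction bytes copied from the two listings above. Memory is modelled as a sparse map that contains only those bytes, so reads of anything the listings do not show come back as unmapped; a kernel driver would run the same two functions over live memory starting at the value of __readmsr(0xC0000082). The 0x400-byte scan limits and the one-page distance test used to recognise the jump out of KVASCODE are choices made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Sparse model of kernel memory: only the bytes copied from the listings exist.
   A driver would instead read live memory starting at __readmsr(0xC0000082). */
typedef struct {
    uint64_t       base;   /* virtual address of bytes[0] */
    const uint8_t *bytes;
    size_t         len;
} code_region_t;

/* Constructed from the listing: tail of nt!KiSystemCall64ShadowCommon at fffff806`0b134377. */
static const uint8_t g_shadow_tail[] = {
    0x0f, 0xae, 0xe8,                                     /* lfence                     */
    0x65, 0xc6, 0x04, 0x25, 0x53, 0x08, 0x00, 0x00, 0x00, /* mov byte ptr gs:[853h],0   */
    0xe9, 0x63, 0x1a, 0xe9, 0xff,                         /* jmp nt!KiSystemServiceUser */
    0xc3,                                                 /* ret                        */
};

/* Constructed from the listing: nt!KiSystemServiceStart onwards, at fffff806`0afc5ef0. */
static const uint8_t g_service_start[] = {
    0x48, 0x89, 0xa3, 0x90, 0x00, 0x00, 0x00,             /* mov qword ptr [rbx+90h],rsp              */
    0x8b, 0xf8,                                           /* mov edi,eax                              */
    0xc1, 0xef, 0x07,                                     /* shr edi,7                                */
    0x83, 0xe7, 0x20,                                     /* and edi,20h                              */
    0x25, 0xff, 0x0f, 0x00, 0x00,                         /* and eax,0FFFh                            */
    0x4c, 0x8d, 0x15, 0x75, 0xa9, 0x31, 0x00,             /* lea r10,[KeServiceDescriptorTable]       */
    0x4c, 0x8d, 0x1d, 0x6e, 0x3a, 0x30, 0x00,             /* lea r11,[KeServiceDescriptorTableShadow] */
    0xf7, 0x43, 0x78, 0x80, 0x00, 0x00, 0x00,             /* test dword ptr [rbx+78h],80h             */
};

static const code_region_t g_memory[] = {
    { 0xfffff8060b134377ULL, g_shadow_tail,   sizeof g_shadow_tail   },
    { 0xfffff8060afc5ef0ULL, g_service_start, sizeof g_service_start },
};

/* Byte at va, or -1 when va lies outside every modelled region (an unmapped read). */
static int read_byte(uint64_t va)
{
    for (size_t i = 0; i < sizeof g_memory / sizeof g_memory[0]; i++)
        if (va >= g_memory[i].base && va - g_memory[i].base < g_memory[i].len)
            return g_memory[i].bytes[va - g_memory[i].base];
    return -1;
}

/* Little-endian signed 32-bit displacement at va; 0 on success, -1 if any byte is unmapped. */
static int read_rel32(uint64_t va, int32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        int b = read_byte(va + i);
        if (b < 0) return -1;
        v |= (uint32_t)b << (8 * i);
    }
    *out = (int32_t)v;
    return 0;
}

/* Step 1: from the LSTAR handler, find the first `jmp rel32` (E9) whose target is more than a
   page away. Jumps inside KiSystemCall64ShadowCommon stay local; the hand-off to
   KiSystemServiceUser leaves KVASCODE for .text. Returns 0 on failure. */
uint64_t follow_shadow_stub(uint64_t lstar, size_t max_scan)
{
    for (size_t off = 0; off < max_scan; off++) {
        uint64_t va = lstar + off;
        int32_t  rel;
        if (read_byte(va) != 0xe9 || read_rel32(va + 1, &rel) != 0)
            continue;
        uint64_t target = va + 5 + (uint64_t)(int64_t)rel;            /* RIP-relative */
        uint64_t dist   = target > lstar ? target - lstar : lstar - target;
        if (dist > 0x1000)
            return target;
    }
    return 0;
}

/* Step 2: scan forward from `start` for `lea r10,[rip+X]` immediately followed by
   `lea r11,[rip+Y]` and resolve X, which is KeServiceDescriptorTable. Returns 0 on failure. */
uint64_t find_ke_service_descriptor_table(uint64_t start, size_t max_scan)
{
    static const uint8_t lea_r10[] = { 0x4c, 0x8d, 0x15 };
    static const uint8_t lea_r11[] = { 0x4c, 0x8d, 0x1d };
    for (size_t off = 0; off < max_scan; off++) {
        uint64_t va = start + off;
        int      ok = 1;
        int32_t  rel;
        for (size_t i = 0; i < 3 && ok; i++) ok = read_byte(va + i) == lea_r10[i];
        for (size_t i = 0; i < 3 && ok; i++) ok = read_byte(va + 7 + i) == lea_r11[i];
        if (!ok || read_rel32(va + 3, &rel) != 0)
            continue;
        return va + 7 + (uint64_t)(int64_t)rel;                        /* next instruction + disp */
    }
    return 0;
}

/* Both steps together: what a driver would run on the value of msr[c0000082]. */
uint64_t locate_ssdt_from_lstar(uint64_t lstar)
{
    uint64_t service_user = follow_shadow_stub(lstar, 0x400);
    return service_user ? find_ke_service_descriptor_table(service_user, 0x400) : 0;
}

int main(void)
{
    uint64_t lstar = 0xfffff8060b134140ULL;   /* msr[c0000082] from the listing */
    printf("KiSystemServiceUser      = %016llx\n", (unsigned long long)follow_shadow_stub(lstar, 0x400));
    printf("KeServiceDescriptorTable = %016llx\n", (unsigned long long)locate_ssdt_from_lstar(lstar));
    return 0;
}
```

  Run against the listed bytes, follow_shadow_stub returns fffff806`0afc5deb and the full lookup returns fffff806`0b2e0880, the same value the disassembler printed for the lea r10 operand. Starting the scan at an address with no E9 in range, such as KiSystemServiceStart itself, yields 0 rather than a bogus pointer. In a real driver the first step has to be made conditional on KVA Shadow actually being active, and the located table should be treated as read-only: on x64 PatchGuard checks KeServiceDescriptorTable, so modifying it bug-checks the system.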

  

  
