Author of Software Debugging (软件调试) and Gedu Huibian (格蠹汇编)
WHO AM I
An ordinary bookish farmer, living deep in the city;
I write code for a living and love chasing bugs in my spare time;
everyone says this path is bitter, but I find it endlessly joyful;
had I never met software, what use would this life be?
张银奎 Raymond Zhang (格蠹老雷, "Gedu Lao Lei")
http://advdbg.org
http://weibo.com/dbgger
Geyou WeChat official account (格友公众号)
Windows NT release history (date, NT version, product, codename):
1993.7.27    NT 3.1       Windows NT 3.1     NT OS
1994.9.21    NT 3.5       Windows NT 3.5     Daytona
1995.5.30    NT 3.51      Windows NT 3.51
1996.7.29    NT 4.0       Windows NT 4.0     Cairo, SUR
2000.2.17    NT 5.0       Windows 2000
2001.10.25   NT 5.1       Windows XP         Whistler
2003.4.24    NT 5.2       Server 2003        Whistler Srvr
2004.8.6     NT 5.1       Windows XP SP2     Springboard
2005.4.25    NT 5.2       Windows XP x64
2006.11.8    NT 6.0       Windows Vista      Longhorn
2008.02.04   NT 6.0       Server 2008
2009.07.22   NT 6.1       Windows 7          Windows 7
2012.10.26   NT 6.2       Windows 8
2015.7.29    10.0.10240   Windows 10         Threshold
2016.8.2     10.0.14393   Windows 10         Redstone 1
[Figure: Windows architecture, with the processes that may be running]
User space: system support processes (Session Manager SMSS.EXE, Logon Process WinLogon.EXE, Local Security Authentication Server LSASS.EXE); environment subsystem service processes (Windows Subsystem CSRSS.EXE, OS/2 Subsystem OS2SS.EXE, POSIX Subsystem PSXSS.EXE); Service Control Manager (SERVICES.EXE) and services (SvcHost.exe, MDM.exe, SpoolSv.exe); applications (ctfmon.exe, MMC.exe, Shell Application Explorer.exe); Windows Subsystem DLLs (KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL, GDI32.DLL); NTDLL.DLL
System space: System Process and System Threads; system calls enter through the system service dispatch routine; executive (NTOSKRNL.EXE): I/O Mgr, I/O System, PnP Mgr, Power Mgr, File and Device Drivers, WMI, Memory Mgr, Object Mgr, Process & Thread Mgr, File Cache Mgr, Configuration Mgr (Registry), Local Procedure Call, Security Mgr; Kernel; Windows Subsystem Driver (USER, GDI) (Win32K.SYS); Graphics Drivers; Hardware Abstraction Layer (HAL.DLL); Hardware
[Figure: features introduced across Vista, Win7, Win8 and Win10: WDDM, WDF, UAC, Session 0, MinWin, ReadyBoost, WDI, WRE, Metro, WinRT, KDNET, KDUSB3, UWP, IUM, memory compression, WDDM 2.0]
SecureKernel.EXE
[Figure: virtualization layout: VM 0 and VM 1, each running apps on a guest OS (Windows XP..., Linux), on top of the VMM; the VMM keeps a VMCS and a shadow page table per VM, mirroring each guest's page tables]
The version that ships with Windows 10 and Server 2016 is Hyper-V 5.0, with built-in VSM (Virtual Secure Mode) support.
Executive component prefixes: Ke kernel, Ob object manager, Mm memory manager, Ps process manager, Se security
[Figure: boot sequence: EFI -> BootMgFW -> WinLoad (OsLoader.exe) -> HvLoader.efi; WinLoad then loads SecureKernel and loads NT]
HvlpLaunchHvLoader
HvlMain
kd> du r8
fffff800`5039ff90  "\Windows\system32\securekernel.e"
fffff800`5039ffd0  "xe"
kd> du r8
fffff800`503a14f0  "\Windows\system32\skci.dll"
kd> du r8
fffff800`503a14f0  "\Windows\system32\cng.sys"
fffff800`503a4250  "\Windows\System32\drivers\secure"
fffff800`503a4290  "kernel.exe"
Call stack while loading the VSM modules:
winload!blbdprint
winload!blstatusprint
winload!oslpvsmloadmodules
winload!oslvsmsetup
winload!oslpreparetarget
winload!oslpmain
winload!oslmain
0x0
Privilege isolation: the hypervisor holds the highest privilege, but its role is narrow, its logic is small, and so its attack surface is small.
Virtual machine partitions form a machine boundary: the normal OS and the secure OS run in different partitions.
Role isolation: IUM runs on a specially designed secure kernel and does not depend on the normal kernel.
The trustlets inside IUM are isolated from one another and cannot access each other.
0000000140000000 image base
            1000 section alignment
             200 file alignment
               1 subsystem (Native)
           10.00 operating system version
           10.00 image version
           10.00 subsystem version
           7F000 size of image
             400 size of headers
           7D069 checksum
0000000000080000 size of stack reserve
0000000000002000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
             160 DLL characteristics
                   High entropy VA supported
                   Dynamic base
                   NX compatible
           52150 [    16E4] address [size] of Export Directory
           53834 [      50] address [size] of Import Directory
           7D000 [     410] address [size] of Resource Directory
           60000 [    2D9C] address [size] of Exception Directory
           6D200 [    2160] address [size] of Security Directory
           7E000 [     180] address [size] of Base Relocation Directory
           4D5D0 [      38] address [size] of Debug Directory
               0 [       0] address [size] of Description Directory
               0 [       0] address [size] of Special Directory
Linear address layout (4 KB pages, PAE not enabled):
  bits 31..22  Dir     index into the page directory (1024 PDEs), whose base is in CR3
  bits 21..12  Table   index into the page table (1024 PTEs)
  bits 11..0   Offset  byte offset within the page
1024 PDEs x 1024 PTEs = 2^20 pages
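The two-level walk the slide describes, as an added example (not from the original deck): it splits a 32-bit linear address into Dir/Table/Offset and walks CR3 -> PDE -> PTE over a constructed toy physical memory of eight 4 KB frames; the frame numbers, the sample address 0xC042A123 and the P|RW flag value are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 paging without PAE: 4 KB pages, 1024 PDEs x 1024 PTEs = 2^20 pages. */
#define PAGE_SHIFT    12
#define ENTRY_PRESENT 0x1u

typedef struct { uint32_t dir, table, offset; } la_parts_t;

/* Split a linear address into the three fields shown on the slide. */
la_parts_t split_linear(uint32_t la) {
    la_parts_t p;
    p.dir    = la >> 22;            /* bits 31..22: index into the page directory (PDE) */
    p.table  = (la >> 12) & 0x3FFu; /* bits 21..12: index into the page table (PTE) */
    p.offset = la & 0xFFFu;         /* bits 11..0:  byte offset inside the 4 KB page */
    return p;
}

/* Constructed toy physical memory: 8 frames of 4 KB, addressed by frame number. */
#define TOY_FRAMES 8
static uint32_t toy_mem[TOY_FRAMES][1024];

/* Walk CR3 -> PDE -> PTE -> physical address; 0 on success, -1 if a level is not present. */
int translate(uint32_t cr3, uint32_t la, uint32_t *pa) {
    la_parts_t p = split_linear(la);
    uint32_t pde = toy_mem[cr3 >> PAGE_SHIFT][p.dir];
    if (!(pde & ENTRY_PRESENT)) return -1;          /* no page table here: page fault */
    uint32_t pte = toy_mem[pde >> PAGE_SHIFT][p.table];
    if (!(pte & ENTRY_PRESENT)) return -1;          /* page not present: page fault */
    *pa = (pte & 0xFFFFF000u) | p.offset;           /* frame base + offset */
    return 0;
}

/* Build one constructed mapping: PD in frame 1, PT in frame 2, data page in frame 5. */
uint32_t setup_toy(void) {
    memset(toy_mem, 0, sizeof toy_mem);
    toy_mem[1][0x301] = (2u << PAGE_SHIFT) | 0x3u; /* PDE 0x301 -> page table in frame 2, P|RW */
    toy_mem[2][0x02A] = (5u << PAGE_SHIFT) | 0x3u; /* PTE 0x02A -> data page in frame 5, P|RW */
    return 1u << PAGE_SHIFT;                        /* CR3 = physical base of the page directory */
}

int main(void) {
    uint32_t cr3 = setup_toy(), pa;
    if (translate(cr3, 0xC042A123u, &pa) == 0)
        printf("0xC042A123 -> physical 0x%08X\n", pa);        /* frame 5, offset 0x123 */
    if (translate(cr3, 0xC0000000u, &pa) != 0)
        printf("0xC0000000 -> not present (PDE 0x300 is zero)\n");
    return 0;
}
```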
[Figure: memory compression: pages on the Modified list are compressed into the Default Store]
PROCESS ffffc483a8ca7040
    SessionId: none  Cid: 044c    Peb: 00000000  ParentCid: 0004
    DirBase: 82eac000  ObjectTable: ffff9d0dcb2b7780  HandleCount:   0.
    Image: MemCompression
    VadRoot ffffc483a18f7180 Vads 206 Clone 0 Private 6529. Modified 3441. Locked 0.
    DeviceMap 0000000000000000
    Token                             ffff9d0dce53f2f0
    ElapsedTime                       03:00:46.311
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         4224
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max)  (0, 0, 0) (0KB, 0KB, 0KB)
    PeakWorkingSetSize                0
    VirtualSize                       25 Mb
    PeakVirtualSize                   27 Mb
    PageFaultCount                    0
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      16
Threads: several SmKmStoreHelperWorker threads and several SMKM_STORE<SM_TRAITS>::SmStReadThread threads
Store manager (Sm) symbols in ntoskrnl:
SmFpInitialize
SmFpPreAllocate
SmFree
SmGetRegistrationInfo
SmGlobals
SmGlobalsInitialize
SmInitSystem
SmInvalidPeristId
SmIoRequestComplete
SmIssueIo
SMKM_STORE_MGR<SM_TRAITS>::SmEmptyQueueToStores
SMKM_STORE_MGR<SM_TRAITS>::SmEmptyStores
0: kd> !memusage
*** CacheSize too low - increasing to 128 MB
Max cache size is       : 134217728 bytes (0x20000 KB)
Total memory in cache   : 276575 bytes (0x10f KB)
Number of regions cached: 719
1970 full reads broken into 2625 partial reads
    counts: 1582 cached/1043 uncached, 60.27% cached
    bytes : 140590 cached/230591 uncached, 37.88% cached
** Transition PTEs are implicitly decoded
** Prototype PTEs are implicitly decoded
loading PFN database
loading (11% complete)
*** Virtual Memory Usage ***
    Physical Memory:     1025089 (   4100356 Kb)
    Page File: \??\C:\pagefile.sys
      Current:   1441792 Kb  Free Space:   1441784 Kb
      Minimum:   1441792 Kb  Maximum:     12582912 Kb
    Page File: \??\C:\swapfile.sys
      Current:    262144 Kb  Free Space:    262136 Kb
      Minimum:    262144 Kb  Maximum:      6150532 Kb
2: kd> lm vm lx*
start             end                 module name
fffff808`d0fe0000 fffff808`d0fea000   lxss       (deferred)
    Image path: \SystemRoot\system32\drivers\lxss.sys
    Image name: lxss.sys
    Timestamp:        Sat Jul 16 10:28:26 2016 (57899BCA)
    CheckSum:         0000F628
    ImageSize:        0000A000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
fffff808`d0ff0000 fffff808`d10b6000   LXCORE     (deferred)
    Image path: \SystemRoot\system32\drivers\LXCORE.SYS
    Image name: LXCORE.SYS
    Timestamp:        Sat Jul 16 10:20:02 2016 (578999D2)
    CheckSum:         000C59C5
    ImageSize:        000C6000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
Dump type                                 Memory.dmp in KB   % compared to Complete
Complete Dump                             16,683,673
Active Dump (no VMs)                       1,586,493         10%
Active Dump (VMs with 8GB RAM total)       1,629,497         10%
Kernel Dump (VMs with 8GB RAM total)         582,261          3%
Automatic Dump (VMs with 8GB RAM total)      587,941          4%
Source: https://blogs.msdn.microsoft.com/clustering/2015/05/18/windows-server-2016-failover-clustertroubleshooting-enhancements-active-dump/
Servicing option                    Version      OS build      Availability date   Latest revision date
Current Branch (CB)                 1607         14393.351     8/2/2016            10/27/2016
Current Branch (CB)                 1511         10586.633     11/12/2015          10/11/2016
Current Branch (CB)                 1507 (RTM)   10240.17146   7/29/2015           10/11/2016
Current Branch for Business (CBB)   1511         10586.633     4/8/2016            10/11/2016
Current Branch for Business (CBB)   1507 (RTM)   10240.17146   7/29/2015           10/11/2016
Long-Term Servicing Branch (LTSB)   1507 (RTM)   10240.17146   7/29/2015           10/11/2016
Microsoft recommends: Current Branch for Business (CBB)
References:
https://technet.microsoft.com/en-us/itpro/windows/whats-new/index
https://blogs.technet.microsoft.com/sebastianklenk/2015/05/12/brand-newwindows-10-content-from-microsoft-ignite/
http://advdbg.org