win7 x64为例
nt!NtReadVirtualMemory ----- nt!MmCopyVirtualMemory
NTSTATUS
NTAPI
MmCopyVirtualMemory(IN PEPROCESS SourceProcess,
IN PVOID SourceAddress,
IN PEPROCESS TargetProcess,
OUT PVOID TargetAddress,
IN SIZE_T BufferSize,
IN KPROCESSOR_MODE PreviousMode,
OUT PSIZE_T ReturnSize
)
1 1: kd> u nt!MmCopyVirtualMemory l100 2 nt!MmCopyVirtualMemory: 3 fffff800`0416b94c 4c8bdc mov r11,rsp 4 fffff800`0416b94f 4d894b20 mov qword ptr [r11+20h],r9 5 fffff800`0416b953 4d894318 mov qword ptr [r11+18h],r8 6 fffff800`0416b957 49895310 mov qword ptr [r11+10h],rdx 7 fffff800`0416b95b 49894b08 mov qword ptr [r11+8],rcx 8 fffff800`0416b95f 53 push rbx 9 fffff800`0416b960 56 push rsi 10 fffff800`0416b961 57 push rdi 11 fffff800`0416b962 4154 push r12 12 fffff800`0416b964 4155 push r13 13 fffff800`0416b966 4156 push r14 14 fffff800`0416b968 4157 push r15 15 fffff800`0416b96a 4881ec70030000 sub rsp,370h 16 fffff800`0416b971 4c8bf2 mov r14,rdx 17 fffff800`0416b974 488bb424d0030000 mov rsi,qword ptr [rsp+3D0h] 18 fffff800`0416b97c 33ff xor edi,edi 19 fffff800`0416b97e 483bf7 cmp rsi,rdi 20 fffff800`0416b981 0f846b2b0c00 je nt! ?? ::NNGAKEGL::`string'+0x4c290 (fffff800`0422e4f2) 21 fffff800`0416b987 488b8424e0030000 mov rax,qword ptr [rsp+3E0h] 22 fffff800`0416b98f 488938 mov qword ptr [rax],rdi 23 fffff800`0416b992 8d5f02 lea ebx,[rdi+2] 24 fffff800`0416b995 895c2430 mov dword ptr [rsp+30h],ebx 25 fffff800`0416b999 4889542468 mov qword ptr [rsp+68h],rdx 26 fffff800`0416b99e 4c894c2458 mov qword ptr [rsp+58h],r9 27 fffff800`0416b9a3 488bc6 mov rax,rsi 28 fffff800`0416b9a6 4889442438 mov qword ptr [rsp+38h],rax 29 fffff800`0416b9ab 4d8dbb18fdffff lea r15,[r11-2E8h] 30 fffff800`0416b9b2 4c897c2460 mov qword ptr [rsp+60h],r15 31 fffff800`0416b9b7 65488b0c2588010000 mov rcx,qword ptr gs:[188h] 32 fffff800`0416b9c0 48894c2470 mov qword ptr [rsp+70h],rcx 33 fffff800`0416b9c5 897c244c mov dword ptr [rsp+4Ch],edi 34 fffff800`0416b9c9 4c8be7 mov r12,rdi 35 fffff800`0416b9cc 48897c2440 mov qword ptr [rsp+40h],rdi 36 fffff800`0416b9d1 48897c2478 mov qword ptr [rsp+78h],rdi 37 fffff800`0416b9d6 897c2448 mov dword ptr [rsp+48h],edi 38 fffff800`0416b9da 4881fe00020000 cmp rsi,200h ;这里就是关键部分 rsi是读取大小 如果大于200字节 内核会执行内存映射 而不是直接复制R3内存 所以导致硬件断点无法断下 39 fffff800`0416b9e1 0f830a030000 jae nt!MmCopyVirtualMemory+0x3a5 (fffff800`0416bcf1) 40 fffff800`0416b9e7 83e3fd and ebx,0FFFFFFFDh 41 fffff800`0416b9ea 895c2430 mov dword ptr [rsp+30h],ebx 42 fffff800`0416b9ee 41bd00000100 mov r13d,10000h 43 fffff800`0416b9f4 493bf5 cmp rsi,r13 44 fffff800`0416b9f7 4c0f46ee cmovbe r13,rsi 45 fffff800`0416b9fb 4881fe00020000 cmp rsi,200h 46 fffff800`0416ba02 0f87f12a0c00 ja nt! ?? ::NNGAKEGL::`string'+0x4c297 (fffff800`0422e4f9) 47 fffff800`0416ba08 4c8da42470010000 lea r12,[rsp+170h] 48 fffff800`0416ba10 4c89642440 mov qword ptr [rsp+40h],r12 49 fffff800`0416ba15 483bc7 cmp rax,rdi 50 fffff800`0416ba18 0f8672020000 jbe nt!MmCopyVirtualMemory+0x344 (fffff800`0416bc90) 51 fffff800`0416ba1e 493bc5 cmp rax,r13 52 fffff800`0416ba21 4c0f42e8 cmovb r13,rax 53 fffff800`0416ba25 4c89ac2480000000 mov qword ptr [rsp+80h],r13 54 fffff800`0416ba2d 488d942488000000 lea rdx,[rsp+88h] 55 fffff800`0416ba35 488b8c24b0030000 mov rcx,qword ptr [rsp+3B0h] 56 fffff800`0416ba3d e8becdd8ff call nt!KeStackAttachProcess (fffff800`03ef8800) 57 fffff800`0416ba42 48897c2450 mov qword ptr [rsp+50h],rdi 58 fffff800`0416ba47 4c8b4c2468 mov r9,qword ptr [rsp+68h] 59 fffff800`0416ba4c 4d3bce cmp r9,r14 60 fffff800`0416ba4f 0f85f82a0c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c2eb (fffff800`0422e54d) 61 fffff800`0416ba55 448a9424d8030000 mov r10b,byte ptr [rsp+3D8h] 62 fffff800`0416ba5d 443ad7 cmp r10b,dil 63 fffff800`0416ba60 742f je nt!MmCopyVirtualMemory+0x145 (fffff800`0416ba91) 64 fffff800`0416ba62 483bf7 cmp rsi,rdi 65 fffff800`0416ba65 7418 je nt!MmCopyVirtualMemory+0x133 (fffff800`0416ba7f) 66 fffff800`0416ba67 498d0436 lea rax,[r14+rsi] 67 fffff800`0416ba6b 488b0d8e85f9ff mov rcx,qword ptr [nt!MmUserProbeAddress (fffff800`04104000)] 68 fffff800`0416ba72 483bc1 cmp rax,rcx 69 fffff800`0416ba75 7705 ja nt!MmCopyVirtualMemory+0x130 (fffff800`0416ba7c) 70 fffff800`0416ba77 493bc6 cmp rax,r14 71 fffff800`0416ba7a 7303 jae nt!MmCopyVirtualMemory+0x133 (fffff800`0416ba7f) 72 fffff800`0416ba7c 408839 mov byte ptr [rcx],dil 73 fffff800`0416ba7f eb10 jmp nt!MmCopyVirtualMemory+0x145 (fffff800`0416ba91) 74 fffff800`0416ba81 8bf8 mov edi,eax 75 fffff800`0416ba83 8b5c2430 mov ebx,dword ptr [rsp+30h] 76 fffff800`0416ba87 4c8b642440 mov r12,qword ptr [rsp+40h] 77 fffff800`0416ba8c e946020000 jmp nt!MmCopyVirtualMemory+0x38b (fffff800`0416bcd7) 78 fffff800`0416ba91 448bc3 mov r8d,ebx 79 fffff800`0416ba94 41d1e8 shr r8d,1 80 fffff800`0416ba97 4183e001 and r8d,1 81 fffff800`0416ba9b 0f8570020000 jne nt!MmCopyVirtualMemory+0x3c5 (fffff800`0416bd11) 82 fffff800`0416baa1 488b442470 mov rax,qword ptr [rsp+70h] 83 fffff800`0416baa6 0fba684c07 bts dword ptr [rax+4Ch],7 84 fffff800`0416baab 410f92c6 setb r14b 85 fffff800`0416baaf 4488742434 mov byte ptr [rsp+34h],r14b 86 fffff800`0416bab4 443bc7 cmp r8d,edi 87 fffff800`0416bab7 7510 jne nt!MmCopyVirtualMemory+0x17d (fffff800`0416bac9) 88 fffff800`0416bab9 4d8bc5 mov r8,r13 89 fffff800`0416babc 498bd1 mov rdx,r9 90 fffff800`0416babf 498bcc mov rcx,r12 91 fffff800`0416bac2 e87929d5ff call nt!memcpy (fffff800`03ebe440) 92 fffff800`0416bac7 eb0e jmp nt!MmCopyVirtualMemory+0x18b (fffff800`0416bad7) 93 fffff800`0416bac9 4533c0 xor r8d,r8d 94 fffff800`0416bacc 418ad2 mov dl,r10b 95 fffff800`0416bacf 498bcf mov rcx,r15 96 fffff800`0416bad2 e81987d7ff call nt!MmProbeAndLockPages (fffff800`03ee41f0) 97 fffff800`0416bad7 8b54244c mov edx,dword ptr [rsp+4Ch] 98 fffff800`0416badb eb2b jmp nt!MmCopyVirtualMemory+0x1bc (fffff800`0416bb08) 99 fffff800`0416badd 8bd0 mov edx,eax 100 fffff800`0416badf 8944244c mov dword ptr [rsp+4Ch],eax 101 fffff800`0416bae3 33ff xor edi,edi 102 fffff800`0416bae5 488bb424d0030000 mov rsi,qword ptr [rsp+3D0h] 103 fffff800`0416baed 8b5c2430 mov ebx,dword ptr [rsp+30h] 104 fffff800`0416baf1 4c8b7c2460 mov r15,qword ptr [rsp+60h] 105 fffff800`0416baf6 4c8b642440 mov r12,qword ptr [rsp+40h] 106 fffff800`0416bafb 4c8bac2480000000 mov r13,qword ptr [rsp+80h] 107 fffff800`0416bb03 448a742434 mov r14b,byte ptr [rsp+34h] 108 fffff800`0416bb08 443af7 cmp r14b,dil 109 fffff800`0416bb0b 750a jne nt!MmCopyVirtualMemory+0x1cb (fffff800`0416bb17) 110 fffff800`0416bb0d 488b442470 mov rax,qword ptr [rsp+70h] 111 fffff800`0416bb12 0fba704c07 btr dword ptr [rax+4Ch],7 112 fffff800`0416bb17 3bd7 cmp edx,edi 113 fffff800`0416bb19 0f8c9a010000 jl nt!MmCopyVirtualMemory+0x36d (fffff800`0416bcb9) 114 fffff800`0416bb1f 448bf3 mov r14d,ebx 115 fffff800`0416bb22 41d1ee shr r14d,1 116 fffff800`0416bb25 4183e601 and r14d,1 117 fffff800`0416bb29 0f8536020000 jne nt!MmCopyVirtualMemory+0x419 (fffff800`0416bd65) 118 fffff800`0416bb2f 488d8c2488000000 lea rcx,[rsp+88h] 119 fffff800`0416bb37 e8d4c9d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510) 120 fffff800`0416bb3c 488d942488000000 lea rdx,[rsp+88h] 121 fffff800`0416bb44 488b8c24c0030000 mov rcx,qword ptr [rsp+3C0h] 122 fffff800`0416bb4c e8afccd8ff call nt!KeStackAttachProcess (fffff800`03ef8800) 123 fffff800`0416bb51 488b442468 mov rax,qword ptr [rsp+68h] 124 fffff800`0416bb56 483b8424b8030000 cmp rax,qword ptr [rsp+3B8h] 125 fffff800`0416bb5e 7550 jne nt!MmCopyVirtualMemory+0x264 (fffff800`0416bbb0) 126 fffff800`0416bb60 4038bc24d8030000 cmp byte ptr [rsp+3D8h],dil 127 fffff800`0416bb68 7446 je nt!MmCopyVirtualMemory+0x264 (fffff800`0416bbb0) 128 fffff800`0416bb6a 41b801000000 mov r8d,1 129 fffff800`0416bb70 488bd6 mov rdx,rsi 130 fffff800`0416bb73 488b8c24c8030000 mov rcx,qword ptr [rsp+3C8h] 131 fffff800`0416bb7b e8b03d0700 call nt!ProbeForWrite (fffff800`041df930) 132 fffff800`0416bb80 eb2e jmp nt!MmCopyVirtualMemory+0x264 (fffff800`0416bbb0) 133 fffff800`0416bb82 8bf8 mov edi,eax 134 fffff800`0416bb84 8b5c2430 mov ebx,dword ptr [rsp+30h] 135 fffff800`0416bb88 f6c302 test bl,2 136 fffff800`0416bb8b 7419 je nt!MmCopyVirtualMemory+0x25a (fffff800`0416bba6) 137 fffff800`0416bb8d 488b542460 mov rdx,qword ptr [rsp+60h] 138 fffff800`0416bb92 488b4c2450 mov rcx,qword ptr [rsp+50h] 139 fffff800`0416bb97 e8f0d9d7ff call nt!MmUnmapLockedPages (fffff800`03ee958c) 140 fffff800`0416bb9c 488b4c2460 mov rcx,qword ptr [rsp+60h] 141 fffff800`0416bba1 e83a9ed7ff call nt!MmUnlockPages (fffff800`03ee59e0) 142 fffff800`0416bba6 4c8b642440 mov r12,qword ptr [rsp+40h] 143 fffff800`0416bbab e927010000 jmp nt!MmCopyVirtualMemory+0x38b (fffff800`0416bcd7) 144 fffff800`0416bbb0 443bf7 cmp r14d,edi 145 fffff800`0416bbb3 7512 jne nt!MmCopyVirtualMemory+0x27b (fffff800`0416bbc7) 146 fffff800`0416bbb5 4d8bc5 mov r8,r13 147 fffff800`0416bbb8 498bd4 mov rdx,r12 148 fffff800`0416bbbb 488b4c2458 mov rcx,qword ptr [rsp+58h] 149 fffff800`0416bbc0 e87b28d5ff call nt!memcpy (fffff800`03ebe440) 150 fffff800`0416bbc5 eb12 jmp nt!MmCopyVirtualMemory+0x28d (fffff800`0416bbd9) 151 fffff800`0416bbc7 4d8bc5 mov r8,r13 152 fffff800`0416bbca 488b542450 mov rdx,qword ptr [rsp+50h] 153 fffff800`0416bbcf 488b4c2458 mov rcx,qword ptr [rsp+58h] 154 fffff800`0416bbd4 e86728d5ff call nt!memcpy (fffff800`03ebe440) 155 fffff800`0416bbd9 eb7b jmp nt!MmCopyVirtualMemory+0x30a (fffff800`0416bc56) 156 fffff800`0416bbdb 8b5c2430 mov ebx,dword ptr [rsp+30h] 157 fffff800`0416bbdf f6c302 test bl,2 158 fffff800`0416bbe2 7434 je nt!MmCopyVirtualMemory+0x2cc (fffff800`0416bc18) 159 fffff800`0416bbe4 4c8b7c2460 mov r15,qword ptr [rsp+60h] 160 fffff800`0416bbe9 498bd7 mov rdx,r15 161 fffff800`0416bbec 488b4c2450 mov rcx,qword ptr [rsp+50h] 162 fffff800`0416bbf1 e896d9d7ff call nt!MmUnmapLockedPages (fffff800`03ee958c) 163 fffff800`0416bbf6 498bcf mov rcx,r15 164 fffff800`0416bbf9 e8e29dd7ff call nt!MmUnlockPages (fffff800`03ee59e0) 165 fffff800`0416bbfe 83e3fd and ebx,0FFFFFFFDh 166 fffff800`0416bc01 895c2430 mov dword ptr [rsp+30h],ebx 167 fffff800`0416bc05 488d8c2488000000 lea rcx,[rsp+88h] 168 fffff800`0416bc0d e8fec8d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510) 169 fffff800`0416bc12 90 nop 170 fffff800`0416bc13 e996290c00 jmp nt! ?? ::NNGAKEGL::`string'+0x4c34c (fffff800`0422e5ae) 171 fffff800`0416bc18 488b8424d0030000 mov rax,qword ptr [rsp+3D0h] 172 fffff800`0416bc20 482b442438 sub rax,qword ptr [rsp+38h] 173 fffff800`0416bc25 488b8c24e0030000 mov rcx,qword ptr [rsp+3E0h] 174 fffff800`0416bc2d 488901 mov qword ptr [rcx],rax 175 fffff800`0416bc30 837c244801 cmp dword ptr [rsp+48h],1 176 fffff800`0416bc35 7510 jne nt!MmCopyVirtualMemory+0x2fb (fffff800`0416bc47) 177 fffff800`0416bc37 488b442478 mov rax,qword ptr [rsp+78h] 178 fffff800`0416bc3c 482b8424b8030000 sub rax,qword ptr [rsp+3B8h] 179 fffff800`0416bc44 488901 mov qword ptr [rcx],rax 180 fffff800`0416bc47 bf0d000080 mov edi,8000000Dh 181 fffff800`0416bc4c 4c8b642440 mov r12,qword ptr [rsp+40h] 182 fffff800`0416bc51 e981000000 jmp nt!MmCopyVirtualMemory+0x38b (fffff800`0416bcd7) 183 fffff800`0416bc56 488d8c2488000000 lea rcx,[rsp+88h] 184 fffff800`0416bc5e e8adc8d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510) 185 fffff800`0416bc63 443bf7 cmp r14d,edi 186 fffff800`0416bc66 0f8529010000 jne nt!MmCopyVirtualMemory+0x449 (fffff800`0416bd95) 187 fffff800`0416bc6c 488b442438 mov rax,qword ptr [rsp+38h] 188 fffff800`0416bc71 492bc5 sub rax,r13 189 fffff800`0416bc74 4889442438 mov qword ptr [rsp+38h],rax 190 fffff800`0416bc79 4c016c2468 add qword ptr [rsp+68h],r13 191 fffff800`0416bc7e 4c016c2458 add qword ptr [rsp+58h],r13 192 fffff800`0416bc83 4c8bb424b8030000 mov r14,qword ptr [rsp+3B8h] 193 fffff800`0416bc8b e985fdffff jmp nt!MmCopyVirtualMemory+0xc9 (fffff800`0416ba15) 194 fffff800`0416bc90 f6c301 test bl,1 195 fffff800`0416bc93 0f8546290c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c37d (fffff800`0422e5df) 196 fffff800`0416bc99 488b8424e0030000 mov rax,qword ptr [rsp+3E0h] 197 fffff800`0416bca1 488930 mov qword ptr [rax],rsi 198 fffff800`0416bca4 33c0 xor eax,eax 199 fffff800`0416bca6 4881c470030000 add rsp,370h 200 fffff800`0416bcad 415f pop r15 201 fffff800`0416bcaf 415e pop r14 202 fffff800`0416bcb1 415d pop r13 203 fffff800`0416bcb3 415c pop r12 204 fffff800`0416bcb5 5f pop rdi 205 fffff800`0416bcb6 5e pop rsi 206 fffff800`0416bcb7 5b pop rbx 207 fffff800`0416bcb8 c3 ret 208 fffff800`0416bcb9 f6c302 test bl,2 209 fffff800`0416bcbc 0f8598280c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c2f8 (fffff800`0422e55a) 210 fffff800`0416bcc2 482b742438 sub rsi,qword ptr [rsp+38h] 211 fffff800`0416bcc7 488b8424e0030000 mov rax,qword ptr [rsp+3E0h] 212 fffff800`0416bccf 488930 mov qword ptr [rax],rsi 213 fffff800`0416bcd2 bf0d000080 mov edi,8000000Dh 214 fffff800`0416bcd7 488d8c2488000000 lea rcx,[rsp+88h] 215 fffff800`0416bcdf e82cc8d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510) 216 fffff800`0416bce4 f6c301 test bl,1 217 fffff800`0416bce7 0f85e2280c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c36d (fffff800`0422e5cf) 218 fffff800`0416bced 8bc7 mov eax,edi 219 fffff800`0416bcef ebb5 jmp nt!MmCopyVirtualMemory+0x35a (fffff800`0416bca6) 220 fffff800`0416bcf1 f6c302 test bl,2 221 fffff800`0416bcf4 0f84edfcffff je nt!MmCopyVirtualMemory+0x9b (fffff800`0416b9e7) 222 fffff800`0416bcfa 41bd00e00000 mov r13d,0E000h 223 fffff800`0416bd00 493bf5 cmp rsi,r13 224 fffff800`0416bd03 0f870cfdffff ja nt!MmCopyVirtualMemory+0xc9 (fffff800`0416ba15) 225 fffff800`0416bd09 4c8bee mov r13,rsi 226 fffff800`0416bd0c e904fdffff jmp nt!MmCopyVirtualMemory+0xc9 (fffff800`0416ba15) 227 fffff800`0416bd11 49893f mov qword ptr [r15],rdi 228 fffff800`0416bd14 418bd1 mov edx,r9d 229 fffff800`0416bd17 81e2ff0f0000 and edx,0FFFh 230 fffff800`0416bd1d 418bc5 mov eax,r13d 231 fffff800`0416bd20 25ff0f0000 and eax,0FFFh 232 fffff800`0416bd25 8d8c10ff0f0000 lea ecx,[rax+rdx+0FFFh] 233 fffff800`0416bd2c c1e90c shr ecx,0Ch 234 fffff800`0416bd2f 498bc5 mov rax,r13 235 fffff800`0416bd32 48c1e80c shr rax,0Ch 236 fffff800`0416bd36 6603c8 add cx,ax 237 fffff800`0416bd39 6683c106 add cx,6 238 fffff800`0416bd3d 66c1e103 shl cx,3 239 fffff800`0416bd41 6641894f08 mov word ptr [r15+8],cx 240 fffff800`0416bd46 6641897f0a mov word ptr [r15+0Ah],di 241 fffff800`0416bd4b 498bc1 mov rax,r9 242 fffff800`0416bd4e 482500f0ffff and rax,0FFFFFFFFFFFFF000h 243 fffff800`0416bd54 49894720 mov qword ptr [r15+20h],rax 244 fffff800`0416bd58 4189572c mov dword ptr [r15+2Ch],edx 245 fffff800`0416bd5c 45896f28 mov dword ptr [r15+28h],r13d 246 fffff800`0416bd60 e93cfdffff jmp nt!MmCopyVirtualMemory+0x155 (fffff800`0416baa1) 247 fffff800`0416bd65 c744242820000000 mov dword ptr [rsp+28h],20h 248 fffff800`0416bd6d 897c2420 mov dword ptr [rsp+20h],edi 249 fffff800`0416bd71 4533c9 xor r9d,r9d 250 fffff800`0416bd74 33d2 xor edx,edx 251 fffff800`0416bd76 458d4101 lea r8d,[r9+1] 252 fffff800`0416bd7a 498bcf mov rcx,r15 253 fffff800`0416bd7d e8be6fd7ff call nt!MmMapLockedPagesSpecifyCache (fffff800`03ee2d40) 254 fffff800`0416bd82 4889442450 mov qword ptr [rsp+50h],rax 255 fffff800`0416bd87 483bc7 cmp rax,rdi 256 fffff800`0416bd8a 0f859ffdffff jne nt!MmCopyVirtualMemory+0x1e3 (fffff800`0416bb2f) 257 fffff800`0416bd90 e9eb270c00 jmp nt! ?? ::NNGAKEGL::`string'+0x4c31e (fffff800`0422e580) 258 fffff800`0416bd95 498bd7 mov rdx,r15
狂客原创,转载请注明。侵权必究 作者:狂客 QQ:214109721