zoukankan      html  css  js  c++  java

  • 获取系统热键链表首地址 PHOT_KEY_ITEM gphkFirst 的方法

    有两种方法,各有优缺点
方法1:
最简单方法是利用windbg 本地内核调试
Ctrl + K 选择local -> 输入 !dskheap -> 在输入 x win32k!*gphk* 就是系统热键链表首地址
bf9b0bd8 win32k!gphkFirst
^^^^^^^^
在详细一点就要,windbg 本地内核调试命令窗口输入以下命令可以枚举系统热键

!dskheap;.printf "\n\n\n|No|ETHREAD |PWND    |Modifier|wFlags  |      VK| (hex)ID| (dec)ID|phkNext |EPROCESS|(dec)PID|   ImageFileName|\n";r $t0=1;r $t1=dwo(win32k!gphkFirst);.while(@$t1>0){.printf "|%2d",@$t0;.printf "|%08X|",@$t1;.printf "%08X|",dwo(@$t1+0n4);.printf  "%8X|",low(dwo(@$t1+0n8));.printf "%8X|",hi(dwo(@$t1+0n8));.printf "%8X|",dwo(@$t1+0n12);.printf "%8X|%8d|",dwo (@$t1+0n16),dwo(@$t1+0n16);.printf "%08X|",dwo(@$t1+0n20);.printf "%08X|",dwo(dwo(@$t1))+0x220;.printf "%8d|",poi(poi(dwo (dwo(@$t1))+0x220)+0x84);;.printf "%16ma|\n",poi(dwo(dwo(@$t1))+0x220)+0x174;r $t1=dwo(@$t1+0n20);r $t0=@$t0+1;}

|No|ETHREAD |PWND    |Modifier|wFlags  |      VK| (hex)ID| (dec)ID|phkNext |EPROCESS|(dec)PID|   ImageFileName|
| 1|E2834418|BBE68848|       6|       0|      C0|    C01A|   49178|E1D57370|8645ADB8|    1316|    explorer.exe|
| 2|E1D57370|BBE68848|       3|       0|      4A|       3|       3|E27C3918|8645ADB8|    1316|    explorer.exe|
| 3|E27C3918|BBE68848|       3|       0|      BD|       2|       2|E18923B8|8645ADB8|    1316|    explorer.exe|
| 4|E18923B8|BBE68848|       3|       0|      44|       1|       1|E295A118|8645ADB8|    1316|    explorer.exe|
| 5|E295A118|BBE68848|       3|       0|      49|       0|       0|E28D86F0|8645ADB8|    1316|    explorer.exe|
| 6|E28D86F0|BBE6A058|       2|       0|      1B|    F130|   61744|E2B7C800|86C13D40|    1316|    explorer.exe|
| 7|E2B7C800|BBE68848|       8|       0|      42|     1FF|     511|E2A19588|8645ADB8|    1316|    explorer.exe|
| 8|E2A19588|BBE68848|       8|       0|      44|     1FE|     510|E2A3A168|8645ADB8|    1316|    explorer.exe|
| 9|E2A3A168|BBE68848|       8|       0|      13|     1FD|     509|E1A0F4D0|8645ADB8|    1316|    explorer.exe|
|10|E1A0F4D0|BBE68848|       C|       0|       9|     1FC|     508|E28E04F0|8645ADB8|    1316|    explorer.exe|
|11|E28E04F0|BBE68848|       8|       0|       9|     1FB|     507|E28FF208|8645ADB8|    1316|    explorer.exe|
|12|E28FF208|BBE68848|       A|       0|      46|     1FA|     506|E28B8540|8645ADB8|    1316|    explorer.exe|
|13|E28B8540|BBE68848|       8|       0|      46|     1F9|     505|E2960190|8645ADB8|    1316|    explorer.exe|
|14|E2960190|BBE68848|       8|       0|      45|     1F8|     504|E1A9A4E8|8645ADB8|    1316|    explorer.exe|
|15|E1A9A4E8|BBE68848|       8|       0|      70|     1F7|     503|E1D239E8|8645ADB8|    1316|    explorer.exe|
|16|E1D239E8|BBE68848|       C|       0|      4D|     1F6|     502|E294BB38|8645ADB8|    1316|    explorer.exe|
|17|E294BB38|BBE68848|       8|       0|      4D|     1F5|     501|E296A468|8645ADB8|    1316|    explorer.exe|
|18|E296A468|BBE68848|       8|       0|      52|     1F4|     500|E2872E28|8645ADB8|    1316|    explorer.exe|
|19|E2872E28|BBE326C0|       8|       0|      55|       6|       6|E1FEC800|86C867A0|     576|    winlogon.exe|
|20|E1FEC800|BBE326C0|       8|       0|      4C|       5|       5|E1882610|86C867A0|     576|    winlogon.exe|
|21|E1882610|BBE326C0|       6|       0|      1B|       4|       4|E1817460|86C867A0|     576|    winlogon.exe|
|22|E1817460|BBE326C0|       3|    8000|      2E|       0|       0|E1A62308|86C867A0|     576|    winlogon.exe|
|23|E1A62308|00000001|       4|       0|      7B|FFFFFFFA|      -6|E187F350|86CE19F8|     552|       csrss.exe|
|24|E187F350|00000001|       0|       0|      7B|FFFFFFFB|      -5|E27DDC80|86CE19F8|     552|       csrss.exe|
|25|E27DDC80|00000001|       8|       0|       0|FFFFFFF9|      -7|00000000|86CE19F8|     552|       csrss.exe|

方法2:用户模式调试,虽然比较笨拙还凑合用...
    
win32k.sys不同版本首地址不同,如何查找这个地址?不做内核调试能不能查出来呢?
思路是把这个win32k.sys拷贝到新的文件,编写程序直接调用这个新文件来加载到内存进行调试

	// c:/windows/system32/win32k.sys 拷贝到程序目录下
	HINSTANCE  hwin32kDll = ::LoadLibrary( "./win32k.sys" );
	if(!hwin32kDll) return 0;
	ULONG offset = 0x00e30cdc - 0x00da0000; // ver 5.1.2600.6334 (xpsp_sp3_gdr.130104-0421)
                         ^^^^^^^^     ^^^^^^^^
	ULONG newAdd = (ULONG)hwin32kDll + offset;
	ULONG gphkFirst = *(ULONG*)( newAdd );
	char buf[100];
	sprintf(buf,"baseDLL = %08X offset = %08X phkFirst [%08X] = %08X",
		hwin32kDll,offset,newAdd,gphkFirst);
	MessageBox(0,buf,"gphkFirst",0);

然后用windbg调试,运行弹出对话框之后输入
--->xp-sp3
0:002> dd win32k
00da0000  00905a4d 00000003 00000004 0000ffff
^^^^^^^^
>uf win32k!FindHotKey
...
win32k!FindHotKey+0x7f:
00e30cdb a3d80b9bbf      mov     dword ptr ds:[BF9B0BD8h],eax
^^^^^^^^                                       ^^^^^^^^                                                 
...
这里的 BF9B0BD8 就是首地址

--->win8
0:003> dd win32k
00010000  00905a4d 00000003 00000004 0000ffff
00010010  000000b8 00000000 00000040 00000000

0:003> uf win32k!FindHotkey
win32k!FindHotKey+0x14:
000c2af2 0fb6c1          movzx   eax,cl
000c2af5 8b3485b0153100  mov     esi,dword ptr win32k!gphkHashTable (003115b0)[eax*4]
               ^^^^^^^^ 
0:003> dd win32k!gphkHashTable
003115b0  00000000 00000000 00000000 00000000
003115c0  00000000 00000000 00000000 00000000
  • 相关阅读:
    LeetCode(111) Minimum Depth of Binary Tree
    LeetCode(108) Convert Sorted Array to Binary Search Tree
    LeetCode(106) Construct Binary Tree from Inorder and Postorder Traversal
    LeetCode(105) Construct Binary Tree from Preorder and Inorder Traversal
    LeetCode(99) Recover Binary Search Tree
    【Android】通过经纬度查询城市信息
    【Android】自定义View
    【OpenStack Cinder】Cinder安装时遇到的一些坑
    【积淀】半夜突然有点想法
    【Android】 HttpClient 发送REST请求
  • 原文地址:https://www.cnblogs.com/nlsoft/p/2994615.html
Copyright © 2011-2022 走看看