WinDbg use practice 1_ use WinDbg debug anti-virus software pop-up windows

1 pop-up windows implemented via Kifastcallentry or regular SSDT hooks

2 File filter driver causes pop-up windows

!process 0 0//List all processes

. reload
!process fffffa800a04b3a0 f//List all stack backtracking for the specified process

!IRP//If it is because the release of sensitive files by the pop-up window Use this command to observe the IRP

!fileobj//parsing the file name inside the IRP

3 Sensitive registry writes pop-up windows that cause registry callbacks

If we don't know if we're releasing sensitive files or writing sensitive registries,

List all the handle of a process see handle count If count is small, prove it.

!handle 0 7 86a94270 (this is the eprocess of the sensitive process)

The main analysis of this article is the use of Test_reg write sensitive registry caused by the killing of soft pop windows

!process 0 0
PROCESS fffffa800a04b3a0
Sessionid:1 cid:0d0c peb:7efdf000 parentcid:0960
dirbase:24000000 objecttable:fffff8a00189fbf0 handlecount:254.
Image:LiveUpdate360.exe

. reload
!process fffffa800a04b3a0 F
List all stack backtracking we can see a lot of threads proving that this pop-up is not due to a process callback, and if it's the process callback pop-up, the window will pop up when the first thread is created.

First put the complete stack

1THREAD fffffa800a09e060 Cid 0ec0.0d70 teb:000000007ef97000 win32thread:fffff900c06b4260 WAIT: (delayexecution) KernelMode non-alertable2 fffff88003b0f200 synchronizationevent3 Not impersonating4 DeviceMap fffff8a0010c49805 owning Process fffffa8009c10b30 Image:test_reg.exe6Attached Process N/a image:n/A7Wait Start TickCount475720Ticks:655(0:xx:xx:10.218)8Context Switch Count217Idealprocessor:0LargeStack9Usertimexx:xx:00.000TenKerneltimexx:xx:00.015 OneWin32 Start Address0x00000000004051a7 A Stack Init fffff88003b0fc70 current Fffff88003b0ef20 -Base fffff88003b10000 Limit fffff88003b08000 Call0 -Priority OneBasepriority8Unusualboost0Foregroundboost2Iopriority2Pagepriority5 thechild-SP retaddr Call Site -fffff880 ' 03b0ef60 fffff800 ' 03e8f992 nt! kiswapcontext+0x7a -fffff880 ' 03b0f0a0 fffff800 ' 03e921af nt! kicommitthreadwait+0x1d2 -fffff880 ' 03b0f130 fffff880 ' 040239d9 nt! kewaitforsingleobject+0x19f +fffff880 ' 03b0f1d0 fffff880 ' 04024c9b 360fsflt+0x1f9d9 -fffff880 ' 03b0f250 fffff880 ' 04026adb 360fsflt+0x20c9b +fffff880 ' 03b0f2f0 fffff800 '04230100360fsflt+0x22adb Afffff880 ' 03b0f320 fffff800 ' 040ea16d nt! cmpcallcallbacks+0x1c0 atfffff880 ' 03b0f3f0 fffff800 ' 04184d38 nt!?? :: Nngakegl:: 'string'+0x2d3bd -fffff880 ' 03b0f6f0 fffff800 ' 04185f56 nt! obplookupobjectname+0x588 -fffff880 ' 03b0f7e0 fffff800 ' 0413d8f8 nt! obopenobjectbyname+0x306 -fffff880 ' 03b0f8b0 fffff800 ' 0413e19e nt! cmcreatekey+0x2e1 -fffff880 ' 03b0fa20 fffff800 ' 03e898d3 nt! ntcreatekey+0x2e -fffff880 ' 03b0fa7000000000' 76e314ea nt! Kisystemservicecopyend+0x13(trapframe @ fffff880 ' 03b0fae0) in 00000000' 0448e69800000000`00000000 0x76e314ea -  to If we take _object_attributes out of Cmcreatekey, there's only so much involved in the stack operation. +  -page:fffff80004180614 -8B C4 mov rax, RSP thepage:fffff80004180617 4C the  +  -mov [rax+18h], R8 *page:fffff8000418061b -  the  -  ,mov [rax+8], RCX $page:fffff8000418061f -Push RBXPanax Notoginsengpage:fffff80004180620 AboutPush RSI -page:fffff80004180621 $Push Rdi thepage:fffff80004180622 A  WuPush R12 +page:fffff80004180624 A  -Push R13 Apage:fffff80004180626 A  AboutPush R14 thepage:fffff80004180628 A  $Push R15 +page:fffff8000418062a - BayiEC -  on xx xxSub RSP, 130h - page:fffff80004180631 4D 8B E8 mov r13, R8 $  $ parameter passing is such that more than four parameters -  -  the Zwcreatekey ( - Out phandle Keyhandle,Wuyi in Access_mask desiredaccess, the in Pobject_attributes objectattributes, - in ULONG Titleindex, Wu in punicode_string Class OPTIONAL, - in ULONG createoptions, About Out pulong disposition OPTIONAL $ ); -  -  - Stack Disposition A Stack createoptions + Stack Class the R9 Titleindex - R8 Objectattributes $ RDX desiredaccess the RCX Keyhandle the  thefffff880 ' 03b0f8b0 fffff800 ' 0413e19e nt! cmcreatekey+0x2e1 thefffff880 ' 03b0fa20 fffff800 ' 03e898d3 nt! ntcreatekey+0x2e -fffff880 ' 03b0fa7000000000' 76e314ea nt! Kisystemservicecopyend+0x13(trapframe @ fffff880 ' 03b0fae0) in  the  the And then you can see which registry was pop-up window. AboutDT _object_attributes poi (fffff880 ' 03b0f8b0+ the+7*8+ -) the  theThis piece is fffff880 ' 03b0fa20-8+ -

Summarize:

Grasping the difficulty 1:windbg command

Difficulty 2:x64 The following parameters are passed with four parameters passed through the register, how to find out the parameters we need from the assembly code.

Here we need to find out from the _object_attributes the sensitive registry key value we wrote, which key value caused the kill soft pop-up window

WinDbg use practice 1_ use WinDbg debug anti-virus software pop-up windows