Icesword traverses the process through the pspcidtable table, which is not exported by ntoskrnl.exe. This involves how to locate
Pspcidtable. Icesword searches for feature strings to locate pspcidtalbe. pspcidtable is a handle_talbe structure.
The pspcidtalbe variable is referenced in the pslookupprocessbyprocessid function. Icesword from the first dozens of bytes of the pslookupprocessbyprocessid Function
Search for the pspcidtalbe variable. It cannot be debugged in icesword. Even the breakpoint debugging under the windbg, SoftICE, and syser debugger cannot be broken.
Of course, you cannot use the debugger for debugging, because icesword.exe will repeatedly reset the interrupt handler functions of int 1 and INT 3 in a timer. Set
Default handler in Windows ntoskrnl.exe. Even if you use the hardware breakpoint register, it does not work. Some people will say that since it is set to Windows ntoskrnl.exe
The default processing function in can use windbg dual-machine debugging. icesword is also processed, icesword will use the kddebuggerenabled variable to determine whether to allow the kernel
Debugging. If debugging is allowed,. icesword will call the kddisabledebugger function to disable kernel debugging.Part 1
(The writing is too fine, because it is afraid of being used by the rootkit author. Therefore, the first part is removed. If necessary, contact me separately) Write Part 2 Here, by the way, two anti-debugging traps encountered in the analysis of icesword are listed here. I hope the author will forgive me. . Text: 000xxxf0 mov [EBP + iocontrolcode], eax
. Text: 000xxxf3 mov eax, [esp + 5ch-6ch]; reverse debugging code
. Text: 000xxxf7 push eax
. Text: 000xxxf8 mov eax, [esp + 60h-6ch]
. Text: 000 xxxfc pop EBX
. Text: 000 xxxfd CMP eax, EBX
. Text: 000 xxxff JZ short loc_1240b; jump if not debugged
. Text: 000xxx01 mov eax, 200 edbh
. Text: 000xxx06 not eax
. Text: 000xxx08 push eax
. Text: 000xxx09 pop EDI
. Text: 000xxx0a stosd . Text: 000xxxf3 mov eax, [esp + 5ch + 6ch] When the command is executed in one step or the breakpoint is set on the command, because when the debugger pops up on this command
The stack of the program to be debugged is used to save eflags, Cs, and EIP. (If int 1 or INT 3 is used to process functions, this problem can be solved by the task gate .) For example, when the Code executes this command
ESP = 805e4320h after executing this command is the value of eax for [esp + 5ch-6ch] Would = [ESP-10h] = [805e4320h-10h] = [805e4310h.
When you run the. Text: 000xxxf8 mov eax and [esp + 60h-6ch] commands in one step, esp = 805e432ch thinks that an eax is added to the stack, So ESP = 805e432ch,
After executing the. Text: 000xxxf8 mov eax and [esp + 60h-6ch] commands, eax = [esp + 60h-6ch] = [esp-CH] = [805e432ch-ch] = [805e4310h]
If the value of the same address is read without debugging, the two values should be the same, that is, the comparison results of the. Text: 000 xxxfd CMP eax and EBX commands.
It should be the same. This command. Text: 000 xxxff JZ short loc_1240b is directly redirected.
If it is debugged by the debugger,. Text: 000 xxxff JZ short loc_1240b will not jump. If the current code is not redirected, the current ETHREAD of the system will be overwritten.
Pointer. Next, calling many system functions will cause the system to crash and crash into the system module. This will mislead you in locating errors. Haha . Text: 000xxx68 Push 1; Alignment
. Text: 000xxx6a push 40 h; Length
. Text: 000xxx6c push currenteprocessobject; Address
. Text: 000xxx72 call DS: probeforread Here, we intentionally make an exception to achieve the jump. If you execute a single step in the. Text: 000xxx72 call DS: probeforread command, the debugger will fly,
That is to say, the system exits from the debugger and does not continue tracking.
Part 3 Next, after we find the pspcidtable variable in our pspcidtable, The pspcidtable [handle table of this handle_table stores pointers of all processes and thread objects.
PID (process ID) and threadid (thread ID) Are indexes in the handle table. This handle_table does not belong to any process, nor is it linked to the handle_table chain. Global Variables
Pspcidtable is a pointer to this handle_table. This handle_table is also different from other handle_table, that is, in its handle_table_entry
The first 32bit put is the Object Body pointer (of course, the conversion is required) rather than the object header pointer (the object pointer is the Object Body pointer).] ([] Is not written on the Internet.
Here, I would like to thank the author of the article "jiurl is playing with Win2k process thread handle_table": jiurl)
We need to figure out a way to traverse the pspcidtable handle table to traverse all processes in the system. Icesword uses the public ntoskrnl.exe to traverse the table.
Exenumhandletable. Icesword locates the exenumhandletable function exported by ntoskrnl.exe.
This function is an undisclosed function.
The original form of this function may be void stdcall exenumhandletable (Pulong handletable, pvoid callback, pvoid Param, phandle handle optional ); The Pulong handletable parameter can be used as the parameter using pspcidtable.
The pvoid callback type is bool (* exenumhandletablecallback) (handle_talbe_entry *, dword pid, pvoid PARAM) function pointer.
The pvoid Param parameter is the parameter sent to the callback function.
The phandle handle optional parameter has not been fully understood yet. I can't use him, so I don't care about him. When the exenumhandletable function is called, the function calls a callback function every time it is enumerated to a handle in the table. When the returned value of the callback function is 0, continue to enumerate the handle table. If 1 is returned, stop enumeration. |
