windows x64 vista以上系统代码完整性校验分析
2011年04月18日

下面列出内核中引用状态码 0C0000428h（即 STATUS_INVALID_IMAGE_HASH，映像哈希校验失败时返回的状态）的位置，它们正是代码完整性校验失败的判定点：
.text:00000001400E63EE MiResolveTransitionFault mov eax, 0C0000428h
.text:00000001400E640D MiResolveTransitionFault mov eax, 0C0000428h
.text:00000001400E671C MiResolveProtoPteFault mov eax, 0C0000428h
PAGE:000000014039C6A8 SeValidateImageData mov eax, 0C0000428h
PAGE:00000001403BA850 SeValidateImageHeader mov eax, 0C0000428h
PAGE:00000001404EC7C7 PipCallDriverAddDeviceQueryRoutine cmp eax, 0C0000428h
PAGE:00000001404EC81D PipCallDriverAddDeviceQueryRoutine cmp ebx, 0C0000428h
PAGE:00000001404EC9FF PipCallDriverAddDeviceQueryRoutine cmp ebx, 0C0000428h
下面是驱动加载过程中（IopLoadDriver → MmLoadSystemImage → MmCheckSystemImage → NtCreateSection）最终进入 SeValidateImageHeader 进行映像头校验时的调用栈：
kd> kb
RetAddr : Args to Child : Call Site
fffff800`03f39534 : 00000000`00000024 00000000`01000000 fffffa80`090c29c0 00000000`00000000 : nt!SeValidateImageHeader+0x11
fffff800`0402c3c2 : fffffa80`08db3170 fffffa80`090c29c0 00000000`00000001 00000000`00000001 : nt!MiValidateImageHeader+0xa4
fffff800`03fbc893 : fffff880`0456d400 00000000`00000000 fffff880`0456d6b8 fffff880`0456d3f8 : nt! ?? ::NNGAKEGL::`string'+0x50c03
fffff800`03cce153 : fffffa80`06d67b60 fffff880`0456d658 fffff880`0456d448 00000000`00000000 : nt!NtCreateSection+0x162
fffff800`03cca6f0 : fffff800`040a7416 fffffa80`06d67b60 00000000`00000000 00000000`00f80076 : nt!KiSystemServiceCopyEnd+0x13
fffff800`040a7416 : fffffa80`06d67b60 00000000`00000000 00000000`00f80076 fffff8a0`019c3370 : nt!KiServiceLinkage
fffff800`040a77dc : ffffffff`80000844 00000000`00100000 fffff880`0456d8a0 00000000`00000000 : nt!MmCheckSystemImage+0x96
fffff800`040a79f7 : ffffffff`80000844 fffff800`00000001 fffff8a0`01553960 00000000`00000000 : nt!MiCreateSectionForDriver+0xcc
fffff800`040b329a : 00000000`00000000 fffff880`0456d9f8 fffffa80`06d67b60 00000000`00000000 : nt!MiObtainSectionForDriver+0xd7
fffff800`040b5ebd : fffff880`0456d9f8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmLoadSystemImage+0x23a
fffff800`040b6875 : 00000000`00000001 00000000`00000000 00000000`00000000 fffff800`03ed2ee0 : nt!IopLoadDriver+0x44d
fffff800`03cdc161 : fffff800`00000000 ffffffff`80000838 fffff800`040b6820 00000000`00000000 : nt!IopLoadUnloadDriver+0x55
fffff800`03f72166 : f0d69f7c`0bc556a2 fffffa80`06d67b60 00000000`00000080 fffffa80`06d43400 : nt!ExpWorkerThread+0x111
fffff800`03cad486 : fffff800`03e47e80 fffffa80`06d67b60 fffffa80`06d67040 1aed37e5`683df1a6 : nt!PspSystemThreadStartup+0x5a
00000000`00000000 : fffff880`0456e000 fffff880`04568000 fffff880`0456d1e0 00000000`00000000 : nt!KxStartSystemThread+0x16
kd> kb
RetAddr : Args to Child &nb