标题: 在kd中对NTSTATUS溯源 https://scz.617.cn/windows/201707140000.txt 以0xC00000A5(STATUS_BAD_IMPERSONATION_LEVEL)为例,假设源头在nt模块中,找出 nt模块中所有会返回该值的地方。 没太大意思,直接用IDA反汇编ntkrnlmp.exe来得更快,仅仅是演示几条windbg基础 命令。 Tracking an NTSTATUS to its Source - SNoone [2017-07-14] http://www.osr.com/blog/2017/07/14/tracking-ntstatus-source/ kd> lm m nt Browse full module list start end module name fffff800`01855000 fffff800`01e3c000 nt kd> s -d fffff800`01855000 fffff800`01e3c000 0xc00000a5 fffff800`0194eb08 c00000a5 63e9c032 41fff2a8 85144e8b ....2..c...A.N.. fffff800`01b67f10 c00000a5 0000c4e9 02f98300 3b411f75 ............u.A; fffff800`01b67f34 c00000a5 0000a0e9 54894800 8d485024 .........H.T$PH. fffff800`01b68220 c00000a5 909090c3 90909090 45c88b4d ............M..E fffff800`01c1d180 c00000a5 244c8d48 5222e870 c38bfff4 ....H.L$p."R.... fffff800`01cf5618 c00000a5 244c8d48 cd8ae878 c38bffe6 ....H.L$x....... kd> s -d fffff800`01855001 fffff800`01e3c000 0xc00000a5 fffff800`01856f71 c00000a5 030563e9 0079bb00 59e9c000 .....c....y....Y fffff800`018d71fd c00000a5 fffb28e9 8b4865ff 01882504 .....(...eH..%.. fffff800`01b23265 c00000a5 07f6a2e9 03416600 ce50e9c3 .........fA...P. fffff800`01c09be1 c00000a5 f8294ee9 009ab8ff 44e9c000 .....N)........D fffff800`01c1c7b1 c00000a5 24b48a44 00000090 f7ef8be9 ....D..$........ kd> s -d fffff800`01855002 fffff800`01e3c000 0xc00000a5 fffff800`01c1c60a c00000a5 8b480ceb eb68244c 4c8b4805 ......H.L$h..H.L fffff800`01c1c636 c00000a5 f3b412e9 ac8b4cff 0000e024 .........L..$... kd> s -d fffff800`01855003 fffff800`01e3c000 0xc00000a5 fffff800`01b79e9f c00000a5 8b486eeb 48202454 30244c8b .....nH.T$ H.L$0 fffff800`01b89b03 c00000a5 909081eb 90909090 c48b4890 .............H.. fffff800`01bc1c8b c00000a5 246c8944 e9ff3330 0003cf0e ....D.l$03...... fffff800`01cf4e7f c00000a5 8b481aeb 0180248c 3b480000 ......H..$....H; "-d"搜索时只能搜1/4的空间,为了全覆盖到,必须调整起始地址,但那样还不如直 接"-b"搜索。 不知为何,下面这个比上面4个快多了,数量级的快;而且fffff800`01a5b380这个地 址上面4个未命中,应该由第1个"-d"命中的。 kd> s -b fffff800`01855000 fffff800`01e3c000 a5 00 00 c0 fffff800`01856f71 a5 00 00 c0 e9 63 05 03-00 bb 79 00 00 c0 e9 59 .....c....y....Y fffff800`018d71fd a5 00 00 c0 e9 28 fb ff-ff 65 48 8b 04 25 88 01 .....(...eH..%.. fffff800`0194eb08 a5 00 00 c0 32 c0 e9 63-a8 f2 ff 41 8b 4e 14 85 ....2..c...A.N.. fffff800`01a5b380 a5 00 00 c0 00 00 00 00-00 00 00 00 00 00 00 00 ................ fffff800`01b23265 a5 00 00 c0 e9 a2 f6 07-00 66 41 03 c3 e9 50 ce .........fA...P. fffff800`01b67f10 a5 00 00 c0 e9 c4 00 00-00 83 f9 02 75 1f 41 3b ............u.A; fffff800`01b67f34 a5 00 00 c0 e9 a0 00 00-00 48 89 54 24 50 48 8d .........H.T$PH. fffff800`01b68220 a5 00 00 c0 c3 90 90 90-90 90 90 90 4d 8b c8 45 ............M..E fffff800`01b79e9f a5 00 00 c0 eb 6e 48 8b-54 24 20 48 8b 4c 24 30 .....nH.T$ H.L$0 fffff800`01b89b03 a5 00 00 c0 eb 81 90 90-90 90 90 90 90 48 8b c4 .............H.. fffff800`01bc1c8b a5 00 00 c0 44 89 6c 24-30 33 ff e9 0e cf 03 00 ....D.l$03...... fffff800`01c09be1 a5 00 00 c0 e9 4e 29 f8-ff b8 9a 00 00 c0 e9 44 .....N)........D fffff800`01c1c60a a5 00 00 c0 eb 0c 48 8b-4c 24 68 eb 05 48 8b 4c ......H.L$h..H.L fffff800`01c1c636 a5 00 00 c0 e9 12 b4 f3-ff 4c 8b ac 24 e0 00 00 .........L..$... fffff800`01c1c7b1 a5 00 00 c0 44 8a b4 24-90 00 00 00 e9 8b ef f7 ....D..$........ fffff800`01c1d180 a5 00 00 c0 48 8d 4c 24-70 e8 22 52 f4 ff 8b c3 ....H.L$p."R.... fffff800`01cf4e7f a5 00 00 c0 eb 1a 48 8b-8c 24 80 01 00 00 48 3b ......H..$....H; fffff800`01cf5618 a5 00 00 c0 48 8d 4c 24-78 e8 8a cd e6 ff 8b c3 ....H.L$x....... fffff800`01a5b380这个地址很奇怪,反复测试中前述现象不变。后来注意到这个地 址在"-d"时是全0,"-b"时才有"a5 00 00 c0",似乎它是因为windbg命令而出现的。 kd> ln fffff800`01a5b380 (fffff800`01a5b380) nt!KdpMessageBuffer Exact matches: nt!KdpMessageBuffer = 从名字上看,应该是调试子系统的内部缓冲区。 另一个奇怪现象是,下面这条命令也很慢,无非多了一个[1];而且这次没有命中 nt!KdpMessageBuffer。 kd> s -[1]b fffff800`01855000 fffff800`01e3c000 a5 00 00 c0 0xfffff800`01856f71 0xfffff800`018d71fd 0xfffff800`0194eb08 0xfffff800`01b23265 0xfffff800`01b67f10 0xfffff800`01b67f34 0xfffff800`01b68220 0xfffff800`01b79e9f 0xfffff800`01b89b03 0xfffff800`01bc1c8b 0xfffff800`01c09be1 0xfffff800`01c1c60a 0xfffff800`01c1c636 0xfffff800`01c1c7b1 0xfffff800`01c1d180 0xfffff800`01cf4e7f 0xfffff800`01cf5618 假设存在相应的mov指令: kd> u fffff800`01b67f10-1 l 2 nt!NtDuplicateToken+0x25f: fffff800`01b67f0f b8a50000c0 mov eax,0C00000A5h fffff800`01b67f14 e9c4000000 jmp nt!NtDuplicateToken+0x32d (fffff800`01b67fdd) kd> .foreach (hit {s -[1]b fffff800`01855000 fffff800`01e3c000 a5 00 00 c0}) {u ${hit}-1 l 2} ... nt!NtDuplicateToken+0x25f: fffff800`01b67f0f b8a50000c0 mov eax,0C00000A5h fffff800`01b67f14 e9c4000000 jmp nt!NtDuplicateToken+0x32d (fffff800`01b67fdd) nt!NtDuplicateToken+0x283: fffff800`01b67f33 b8a50000c0 mov eax,0C00000A5h fffff800`01b67f38 e9a0000000 jmp nt!NtDuplicateToken+0x32d (fffff800`01b67fdd) nt!SeValidateSecurityQos+0x1f: fffff800`01b6821f b8a50000c0 mov eax,0C00000A5h fffff800`01b68224 c3 ret nt!SeIsTokenAssignableToProcess+0x13e: fffff800`01b79e9e b8a50000c0 mov eax,0C00000A5h fffff800`01b79ea3 eb6e jmp nt!SeIsTokenAssignableToProcess+0x1b3 (fffff800`01b79f13) nt!SepCreateClientSecurity+0xfa: fffff800`01b89b02 b8a50000c0 mov eax,0C00000A5h fffff800`01b89b07 eb81 jmp nt!SepCreateClientSecurity+0x82 (fffff800`01b89a8a) nt!ObpCaptureObjectCreateInformation+0x238: fffff800`01bc1c8a bda50000c0 mov ebp,0C00000A5h fffff800`01bc1c8f 44896c2430 mov dword ptr [rsp+30h],r13d ... nt!NtOpenObjectAuditAlarm+0x12e: fffff800`01cf4e7e bba50000c0 mov ebx,0C00000A5h fffff800`01cf4e83 eb1a jmp nt!NtOpenObjectAuditAlarm+0x14f (fffff800`01cf4e9f) nt!NtPrivilegeObjectAuditAlarm+0xd7: fffff800`01cf5617 bba50000c0 mov ebx,0C00000A5h fffff800`01cf561c 488d4c2478 lea rcx,[rsp+78h]