Title: Viewing the DLLs loaded by a user-mode process from kernel mode
Created: 2017-11-23 16:13
Updated: 2018-01-23 11:00
Link: https://scz.617.cn/windows/201711231613.txt

1) lmuf
2) Walking the three linked lists
3) Walking the lists with dx
4) dx's built-in module list
5) !dlls
6) !peb
7) !vad

Viewing the DLLs loaded by one particular user-mode process from kd is not a pressing need; one could even call it a made-up requirement. I only use it as a pretext to introduce a few windbg commands.

1) lmuf

The simplest way: switch to the target process, then:

kd> .reload /user
kd> lmuf
start             end                 module name
...
00007ffa`332a0000 00007ffa`3334e000   KERNEL32   C:\WINDOWS\System32\KERNEL32.DLL
00007ffa`33530000 00007ffa`33710000   ntdll      C:\WINDOWS\SYSTEM32\ntdll.dll

2) Walking the three linked lists

The approach shellcode commonly uses: walk the three linked lists.

kd> dt nt!_PEB_LDR_DATA @@(@$peb->Ldr)
   +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x0000029e`5b632490 - 0x0000029e`5fea8ba0 ]
   +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x0000029e`5b6324a0 - 0x0000029e`5fea8bb0 ]
   +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x0000029e`5b632320 - 0x0000029e`5fea8bc0 ]

kd> dt nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x010 InMemoryOrderLinks : _LIST_ENTRY
   +0x020 InInitializationOrderLinks : _LIST_ENTRY
   +0x030 DllBase : Ptr64 Void
   +0x038 EntryPoint : Ptr64 Void
   +0x040 SizeOfImage : Uint4B
   +0x048 FullDllName : _UNICODE_STRING

Walk in load order:

!list -t nt!_LIST_ENTRY.Flink -x "r $t0=@@(#CONTAINING_RECORD(@$extret,nt!_LDR_DATA_TABLE_ENTRY,InLoadOrderLinks));r @$t0,@$extret;dt -io nt!_LDR_DATA_TABLE_ENTRY DllBase FullDllName @$t0" @@(@$peb->Ldr->InLoadOrderModuleList.Flink)

notepad.exe
ntdll.dll
KERNEL32.DLL
KERNELBASE.dll
ADVAPI32.dll
msvcrt.dll
...
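The same walk that the !list one-liner above performs, written as a small C program. This is an added example, not code from the article: it builds a constructed three-module sample (notepad.exe, ntdll.dll, KERNEL32.DLL, using the base addresses quoted above but no live memory) in the nt!_LDR_DATA_TABLE_ENTRY layout shown by dt, then walks each of the three lists through its own LIST_ENTRY field exactly as CONTAINING_RECORD does, forward via Flink and backward via Blink. The heads array, link_off table and module_at function are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct {                           /* 64-bit layout from the dt output above */
    LIST_ENTRY InLoadOrderLinks;           /* +0x000 */
    LIST_ENTRY InMemoryOrderLinks;         /* +0x010 */
    LIST_ENTRY InInitializationOrderLinks; /* +0x020 */
    uint64_t   DllBase, EntryPoint;        /* +0x030, +0x038 */
    uint32_t   SizeOfImage, Pad;           /* +0x040 */
    const char *FullDllName;               /* +0x048; char* stands in for _UNICODE_STRING */
} LDR_DATA_TABLE_ENTRY;
/* List heads (live process: nt!_PEB_LDR_DATA +0x10/+0x20/+0x30); link_off = which LIST_ENTRY threads each list. */
static LIST_ENTRY heads[3];
static const size_t link_off[3] = { offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks),
    offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks), offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks) };
/* Constructed sample modules; bases mirror the article's output, not live data. */
static LDR_DATA_TABLE_ENTRY mods[3] = {
    { .DllBase = 0x7ff61fde0000, .SizeOfImage = 0x041000, .FullDllName = "notepad.exe"  },
    { .DllBase = 0x7ffa33530000, .SizeOfImage = 0x1e0000, .FullDllName = "ntdll.dll"    },
    { .DllBase = 0x7ffa332a0000, .SizeOfImage = 0x0ae000, .FullDllName = "KERNEL32.DLL" },
};
static void link_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink; head->Blink->Flink = e; head->Blink = e;
}
/* Build the lists once. The EXE is only on the load- and memory-order lists, so
 * the initialization-order list starts at ntdll.dll and is one node shorter. */
static void ensure_sample(void) {
    static int built; if (built) return;
    for (int l = 0; l < 3; l++) heads[l].Flink = heads[l].Blink = &heads[l];
    for (int i = 0; i < 3; i++)
        for (int l = 0; l < 3; l++)
            if (l < 2 || i > 0) link_tail(&heads[l], (LIST_ENTRY *)((char *)&mods[i] + link_off[l]));
    built = 1;
}
/* idx-th module name on list `which` (0 load, 1 memory, 2 init), NULL past the end; forward=0
 * follows Blink, which "!list" cannot. Subtracting link_off is what CONTAINING_RECORD does. */
const char *module_at(int which, int forward, size_t idx) {
    ensure_sample();
    const LIST_ENTRY *head = &heads[which];
    for (const LIST_ENTRY *p = forward ? head->Flink : head->Blink; p != head;
         p = forward ? p->Flink : p->Blink, idx--)
        if (idx == 0) return ((const LDR_DATA_TABLE_ENTRY *)((const char *)p - link_off[which]))->FullDllName;
    return NULL;
}
int main(void) {   /* prints each list in forward order */
    for (int w = 0; w < 3; w++) for (size_t i = 0; module_at(w, 1, i); i++) printf("%d %s\n", w, module_at(w, 1, i));
    return 0;
}
```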
When walking the list forward in "initialization order", the first node corresponds to ntdll.dll. When walking forward in "load order" or "memory order", the first node corresponds to the EXE and only the second node corresponds to ntdll.dll. The "initialization order" list has one node fewer.

"!list" does not support walking backward; in other words, it cannot walk via Blink.

3) Walking the lists with dx

This still walks the linked list; I am just demonstrating how to do it with dx.

dx -g Debugger.Utility.Collections.FromListEntry(@$peb->Ldr->InLoadOrderModuleList,"nt!_LDR_DATA_TABLE_ENTRY","InLoadOrderLinks").Select(o=>new{DllBase=o._LDR_DATA_TABLE_ENTRY::DllBase,FullDllName=o._LDR_DATA_TABLE_ENTRY::FullDllName}),0x1000

================================================================================================
=          = DllBase          = FullDllName                                                   =
================================================================================================
= [0x0]    - 0x7ff61fde0000   - "C:\WINDOWS\system32\notepad.exe"                             =
= [0x1]    - 0x7ffa33530000   - "C:\WINDOWS\SYSTEM32\ntdll.dll"                               =
= [0x2]    - 0x7ffa332a0000   - "C:\WINDOWS\System32\KERNEL32.DLL"                            =
= [0x3]    - 0x7ffa2ff40000   - "C:\WINDOWS\System32\KERNELBASE.dll"                          =
= [0x4]    - 0x7ffa32bd0000   - "C:\WINDOWS\System32\ADVAPI32.dll"                            =
= [0x5]    - 0x7ffa331d0000   - "C:\WINDOWS\System32\msvcrt.dll"                              =
...
= [0x72]   - 0x7ffa2bf10000   - "C:\WINDOWS\SYSTEM32\winmmbase.dll"                           =
= [0x73]   - 0x7ffa16380000   - "C:\WINDOWS\system32\NetworkExplorer.dll"                     =
================================================================================================

4) dx's built-in module list

dx has built-in support for the module list, so there is no need to walk the linked list:

dx -g @$curprocess.Modules.Where(o=>o.BaseAddress<0xf000000000000000).Select(o=>new{BaseAddress=o.BaseAddress,Name=o.Name}),0x1000

================================================================================================
=          = BaseAddress      = Name                                                          =
================================================================================================
= [0x0]    - 0x6ef10000       - C:\WINDOWS\System32\vmhgfs.dll                                =
= [0x1]    - 0x7ff61fde0000   - C:\WINDOWS\system32\notepad.exe                               =
...
= [0x70]   - 0x7ffa331d0000   - C:\WINDOWS\System32\msvcrt.dll                                =
= [0x71]   - 0x7ffa33280000   - C:\WINDOWS\System32\imagehlp.dll                              =
= [0x72]   - 0x7ffa332a0000   - C:\WINDOWS\System32\KERNEL32.DLL                              =
= [0x73]   - 0x7ffa33530000   - C:\WINDOWS\SYSTEM32\ntdll.dll                                 =
================================================================================================

Judging from this output, it appears to be sorted by load base address in ascending order.

5) !dlls

windbg has a !dlls extension command.

Walk in load order:           !dlls -l
Walk in memory order:         !dlls -m
Walk in initialization order: !dlls -i

The output looks like this:

0x29e5b632490: C:\WINDOWS\system32\notepad.exe
      Base   0x7ff61fde0000  EntryPoint  0x7ff61fdf93e0  Size  0x00041000    DdagNode  0x29e5b6325c0
      Flags  0x0000a2cc  TlsIndex  0x00000000
      LoadCount  0xffffffff  NodeRefCount  0x00000000
             LDRP_LOAD_NOTIFICATIONS_SENT
             LDRP_IMAGE_DLL

0x29e5b632300: C:\WINDOWS\SYSTEM32\ntdll.dll
      Base   0x7ffa33530000  EntryPoint  0x00000000  Size  0x001e0000    DdagNode  0x29e5b632430
      Flags  0x0000a2c4  TlsIndex  0x00000000
      LoadCount  0xffffffff  NodeRefCount  0x00000000
             LDRP_IMAGE_DLL

0x29e5b632950: C:\WINDOWS\System32\KERNEL32.DLL
      Base   0x7ffa332a0000  EntryPoint  0x7ffa332b2070  Size  0x000ae000    DdagNode  0x29e5b632a80
      Flags  0x000ca2cc  TlsIndex  0x00000000
      LoadCount  0xffffffff  NodeRefCount  0x00000000
             LDRP_LOAD_NOTIFICATIONS_SENT
             LDRP_IMAGE_DLL
             LDRP_DONT_CALL_FOR_THREADS
             LDRP_PROCESS_ATTACH_CALLED

Whichever order you walk in, the address at the start of each entry points to an nt!_LDR_DATA_TABLE_ENTRY structure.

Some of the macro definitions for Flags:

--------------------------------------------------------------------------
/*
 * public\sdk\inc\ntldr.h(wrk12)
 *
 * Private flags for loader data table entries
 */
#define LDRP_STATIC_LINK                0x00000002
#define LDRP_IMAGE_DLL                  0x00000004
#define LDRP_LOAD_IN_PROGRESS           0x00001000
#define LDRP_UNLOAD_IN_PROGRESS         0x00002000
#define LDRP_ENTRY_PROCESSED            0x00004000
#define LDRP_ENTRY_INSERTED             0x00008000
#define LDRP_CURRENT_LOAD               0x00010000
#define LDRP_FAILED_BUILTIN_LOAD        0x00020000
#define LDRP_DONT_CALL_FOR_THREADS      0x00040000
#define LDRP_PROCESS_ATTACH_CALLED      0x00080000
#define LDRP_DEBUG_SYMBOLS_LOADED       0x00100000
#define LDRP_IMAGE_NOT_AT_BASE          0x00200000
#define LDRP_COR_IMAGE                  0x00400000
#define LDRP_COR_OWNS_UNMAP             0x00800000
#define LDRP_SYSTEM_MAPPED              0x01000000
#define LDRP_IMAGE_VERIFYING            0x02000000
#define LDRP_DRIVER_DEPENDENT_DLL       0x04000000
#define LDRP_ENTRY_NATIVE               0x08000000
#define LDRP_REDIRECTED                 0x10000000
#define LDRP_NON_PAGED_DEBUG_INFO       0x20000000
#define LDRP_MM_LOADED                  0x40000000
#define LDRP_COMPAT_DATABASE_PROCESSED  0x80000000
--------------------------------------------------------------------------

6) !peb

windbg has a !peb extension command.

kd> !peb @$peb
PEB at 000000dec74c4000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00007ff61fde0000
    Ldr                       00007ffa3368f3a0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 0000029e5b632320 . 0000029e5fea8bc0
    Ldr.InLoadOrderModuleList:           0000029e5b632490 . 0000029e5fea8ba0
    Ldr.InMemoryOrderModuleList:         0000029e5b6324a0 . 0000029e5fea8bb0
            Base TimeStamp                     Module
    7ff61fde0000 a0c4ceab Jun 22 12:48:43 2055 C:\WINDOWS\system32\notepad.exe
    7ffa33530000 493793ea Dec 04 16:25:14 2008 C:\WINDOWS\SYSTEM32\ntdll.dll
    7ffa332a0000 0c2cf900 Jun 22 14:45:20 1976 C:\WINDOWS\System32\KERNEL32.DLL
    7ffa2ff40000 4736733c Nov 11 11:13:00 2007 C:\WINDOWS\System32\KERNELBASE.dll
    ...
    7ffa16380000 e153aa25 Oct 17 11:04:05 2089 C:\WINDOWS\system32\NetworkExplorer.dll
    ...
    ImageFile:    'C:\WINDOWS\system32\notepad.exe'
    ...

Note that the TimeStamp dates (2055, 1976, 2089) are not real build times: in Windows 10 system binaries the PE TimeDateStamp field holds a build hash rather than a time, so !peb's decoded dates should not be read as dates.

To keep only the DLL lines:

kd> .shell -ci "!peb @$peb" findstr /i /c:".dll"
kd> .shell -ci "!peb @$peb" find /i ".dll"

7) !vad

kd> !process -1 1
PROCESS ffffd60ee57655c0
    SessionId: 1  Cid: 118c    Peb: f129f18000  ParentCid: 15fc
    DirBase: 3b039000  ObjectTable: ffffe7845843d840  HandleCount:  18.
    Image: mspaint.exe
    VadRoot ffffd60ee54d3c70 Vads 15 Clone 0 Private 64. Modified 1. Locked 0.
    ...
Pass the VadRoot from the !process output to !vad and filter for mapped sections:

kd> .shell -ci "!vad 0xffffd60ee54d3c70" findstr Mapped
ffffd60ee53a7a20  1     2cdaae30  2cdaae3f     0 Mapped       READWRITE          Pagefile section, shared commit 0
ffffd60ee52923d0  2     2cdaceb0  2cdacf74     0 Mapped       READONLY           \Windows\System32\locale.nls
ffffd60ee45531c0  2     2cdacfb0  2cdacfbd     0 Mapped       READONLY           \Windows\System32\en-US\mspaint.exe.mui
ffffd60ee5315de0  2     2cdad000  2cdad010     0 Mapped       READONLY           \Windows\System32\C_1256.NLS
ffffd60ee483f360  2     2cdaefb0  2cdaefb6     0 Mapped       READONLY           \Windows\Registration\R00000000000d.clb
ffffd60ee458e440  4     2cdb0830  2cdb19ef     0 Mapped       READONLY           \Windows\Fonts\StaticCache.dat
ffffd60ee672e010  2    7ff910c70 7ff910e4f    13 Mapped  Exe  EXECUTE_WRITECOPY  \Windows\System32\ntdll.dll

Unlike the loader lists in sections 2 to 6, which live in user-mode memory that the process itself can modify, the VAD tree is kernel-side, so this view does not depend on the PEB or its lists being intact. Image mappings are the rows marked "Mapped  Exe"; the start and end columns are page numbers, not byte addresses.