为什么在 Ntdll 中进行系统调用之前,地址 7FFE0308 总是在 64 位应用程序中进行比较?

逆向工程 视窗 x86 x86-64 安全 视窗 10
2021-06-24 21:03:25

所以之前有人问过这个问题:

syscall 和 int 0x2E 指令有什么区别?

它有两个答案,其中一个说这只是检查我们运行在 32 位还是 64 位 Windows 上的一种方法!

如果这是实际答案,那么为什么我们需要在 64 位应用程序中检查自己是否运行在 32 位系统上?如果它运行在 32 位系统上,它甚至不会启动;而且此检查也不会出现在该应用程序的 32 位版本中。

如果另一个答案是真的,那么我找不到关于这个地址和“虚拟化安全”之间关系的任何明确信息,有人可以详细说明一下吗?为什么会发生这种检查?

; 64-bit ntdll system-service stub as quoted in the question (IDA/MASM syntax).
; The byte at 7FFE0308h is KUSER_SHARED_DATA.SystemCall: +0x308 of the
; user-mode mapping of the shared page, the same field the kernel writes at
; FFFFF78000000308h in the answer's KiInitializeKernel listing.
test    byte ptr ds:7FFE0308h, 1        ; SystemCall != 0 ?
jnz     short loc_a                     ; taken: alternate entry path (per the answer, int 2Eh); loc_a not shown here
syscall                                 ; not taken (SystemCall == 0): plain fast system call
retn
1个回答

在内核初始化期间,nt!KiSystemCallSelector 从 LOADER_PARAMETER_BLOCK 初始化

0: kd> dt nt!_LOADER_PARAMETER_BLOCK Extension->VsmConfigured
   +0x0f0 Extension                : 
      +0x074 VsmConfigured            : Pos 8, 1 Bit

如果 KiSystemCallSelector 设置为 True

KUSER_SHARED_DATA->SystemCall 也设置为 true 并且使用 int 2E 否则使用 syscall

/* Decompiled fragment of nt!KiInitializeBootStructures (compare the WinDbg
 * "ub"/"u" listings of that function on this page). _bitfield_116 is the
 * dword at LOADER_PARAMETER_EXTENSION+0x74 (116 decimal), i.e. the
 * "mov eax,dword ptr [rdx+74h]" in the disassembly. */
IsVsmConfigured = Loader_Param_Block->Extension->_bitfield_116;
if ((IsVsmConfigured & 8) != 0) {          /* bit 3: despite the decompiler's variable name, this bit drives the boot-debugger flag */
  _KiBootDebuggerActive = 1;
  IsVsmConfigured = Loader_Param_Block->Extension->_bitfield_116;   /* re-read of the same dword */
}
if ((IsVsmConfigured >> 8 & 1) != 0) {     /* bit 8 == VsmConfigured ("Pos 8, 1 Bit" in the dt output) */
  _KiSystemCallSelector = 1;               /* consumed later by KiInitializeKernel when deciding KUSER_SHARED_DATA.SystemCall */
}
KiInitializeIdt(lVar7,0);
HalInitializeBios(0xffffffff,Loader_Param_Block);
InbvDriverInitialize(0xffffffff,Loader_Param_Block,0);

基于 Extension->VsmConfigured 设置 kuser->SystemCall

  /* Decompiled fragment of nt!KiInitializeKernel; the enclosing function is
   * not shown. The comma expression is a decompiler artifact: it copies the
   * arguments into locals and calls HvlPhase0Initialize before testing the
   * selector. Both conditions must hold: KiSystemCallSelector == 1 (set from
   * VsmConfigured at boot) and HvlEnlightenments bit 0x80000, matching the
   * "test dword ptr [nt!HvlEnlightenments],80000h" in the disassembly. */
  if (((param_5 == 0) &&
      (local_2a0 = param_1, local_280 = param_3, local_278 = param_2, local_270 = param_2,
      local_268 = param_4, HvlPhase0Initialize(param_6), _KiSystemCallSelector == 1)) &&
     ((HvlEnlightenments & 0x80000) != 0)) {
    _kuser->SystemCall = 1;   /* KUSER_SHARED_DATA+0x308 (FFFFF78000000308h); user mode sees it at 7FFE0308h and takes the int 2E path */
  }

Windows 版本详细信息

C:\>wmic os get Caption,OsArchitecture,Version /format:list

Caption=Microsoft Windows 10 Pro
OSArchitecture=64-bit
Version=10.0.17763

全局 KiSystemCallSelector 的详细信息及其在 ntkrnlmp 模块中的用法

0: kd> x /v /t nt!*ki*sys*sel*
pub global fffff805`4fa23164    0 <NoType> nt!KiSystemCallSelector = <no type information>


0: kd> lm m nt
Browse full module list
start             end                 module name
fffff805`4f016000 fffff805`4fa87000   nt (pdb symbols)   
 \ntkrnlmp.pdb\9A729548AB1A93E90D0A48528CE30B7A1\ntkrnlmp.pdb


0: kd> # *nt!KiSystemCallSelector* fffff805`4f016000 l?(fffff805`4fa87000-fffff805`4f016000)

nt!KiInitializeBootStructures+0x224:
f805`4f5865a4 44892db9cb4900  mov dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r13d 
nt!KiInitializeKernel+0x5be:
f805`4f587e6e 443935efb24900  cmp dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r14d
nt!KiInitializeIdt+0x169:
f805`4f58954d 833d109c490001  cmp dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],1

搜索命中的前后反汇编

0: kd> ub fffff805`4f5865a4
nt!KiInitializeBootStructures+0x206:
f805`4f586586 488b96f0000000  mov rdx,qword ptr [rsi+0F0h] <<<<;LPARMBLOCK->Extension
f805`4f58658d 8b4274          mov eax,dword ptr [rdx+74h] <<<<;LPARMEXT->@#74
f805`4f586590 a808            test al,8
f805`4f586592 740a            je  nt!KiInitializeBootStructures+0x21e (fffff805`4f58659e)
f805`4f586594 44892d81d04900  mov dword ptr [nt!KiBootDebuggerActive (f805`4fa2361c)],r13d
f805`4f58659b 8b4274          mov eax,dword ptr [rdx+74h]
f805`4f58659e 0fbae008        bt  eax,8           <<<< bittesting bit 8 
f805`4f5865a2 7307            jae nt!KiInitializeBootStructures+0x22b (fffff805`4f5865ab)

0: kd> $$ rsi = LOADER_PARAMETER_BLOCK

0: kd> dt nt!_LOADER_PARAMETER_BLOCK -y Exten
   +0x0f0 Extension : Ptr64 _LOADER_PARAMETER_EXTENSION

0: kd> dt nt!_LOADER_PARAMETER_EXTENSION -y vsm
   +0x074 VsmConfigured : Pos 8, 1 Bit

0: kd> $$ r13d = 1

0: kd> u fffff805`4f5865a4
nt!KiInitializeBootStructures+0x224:
;set if vsmConfigured
f805`4f5865a4 44892db9cb4900  mov dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r13d
f805`4f5865ab 33d2            xor edx,edx
f805`4f5865ad 498bcf          mov rcx,r15
f805`4f5865b0 e82f2e0000      call nt!KiInitializeIdt (fffff805`4f5893e4)
f805`4f5865b5 83cbff          or ebx,0FFFFFFFFh
f805`4f5865b8 488bd6          mov rdx,rsi
f805`4f5865bb 8bcb            mov ecx,ebx

nt!KiSystemStartup 在 nt!KiInitializeBootStructures 之后调用 nt!KiInitializeKernel,后者再次使用这个全局变量

0: kd> uf /c nt!KiSystemStartup
nt!KiSystemStartup (fffff805`4f57c010)
  nt!KiSystemStartup+0x2d (fffff805`4f57c03d):
    call to nt!KdInitSystem (fffff805`4f92d140)
  nt!KiSystemStartup+0x14b (fffff805`4f57c15b):
    call to nt!KiInitializeBootStructures (fffff805`4f586380)
  nt!KiSystemStartup+0x167 (fffff805`4f57c177):
    call to nt!KdInitSystem (fffff805`4f92d140)
  nt!KiSystemStartup+0x17e (fffff805`4f57c18e):
    call to nt!KiInitializeXSave (fffff805`4f589850)
  nt!KiSystemStartup+0x204 (fffff805`4f57c214):
    call to nt!KiInitializeKernel (fffff805`4f5878b0)
  nt!KiSystemStartup+0x284 (fffff805`4f57c294):
    call to nt!KiIdleLoop (fffff805`4f1cd920)

nt!KiInitializeKernel 的反汇编

0: kd> u fffff805`4f587e6e
nt!KiInitializeKernel+0x5be:
f805`4f587e6e 443935efb24900  cmp dword ptr [nt!KiSystemCallSelector (f805`4fa23164)],r14d
f805`4f587e75 0f85affaffff    jne nt!KiInitializeKernel+0x7a (f805`4f58792a)
f805`4f587e7b e902660000      jmp nt!KiInitializeKernel+0x6bd2 (fffff805`4f58e482)  <<<<---



0: kd> u fffff805`4f58e482 <<<<----
nt!KiInitializeKernel+0x6bd2:
f805`4f58e482 f70550aefcff00000800 test dword ptr [nt!HvlEnlightenments (f805`4f5592dc)],80000h
f805`4f58e48c 0f849894ffff    je nt!KiInitializeKernel+0x7a (f805`4f58792a)
f805`4f58e492 418bc6          mov eax,r14d
f805`4f58e495 a30803000080f7ffff mov   dword ptr [FFFFF78000000308h],eax  <<<<<------
f805`4f58e49e e98794ffff      jmp nt!KiInitializeKernel+0x7a (f805`4f58792a)

地址 FFFFF78000000308h 是 KUSER_SHARED_DATA 的一部分

0: kd> dt nt!_KUSER_SHARED_DATA -y SystemCall fffff78000000000
   +0x308 SystemCall : 0  <<<<
   +0x30c SystemCallPad0 : 0
   +0x310 SystemCallPad : [2] 0