
[原创]无需硬编码搜索定位PspCidTable的方法

2021-12-2 17:23
8522

分享一个win7~11(已测试) 都可以定位PspCidTable的方法

硬编码搜太烦人了所以研究了一下此方法

 

代码如下 就不多BB了

#include <ntifs.h>
 
 
 
/*
 * Common header that every kernel debugger data block starts with; it is the
 * first member of KDDEBUGGER_DATA64 below, so a pointer to a block is also a
 * pointer to its List link. DriverEntry reaches the first block through
 * DBGKD_GET_VERSION64.DebuggerDataList (presumably the head of this list —
 * confirm against the WDK's wdbgexts.h).
 */
typedef struct _DBGKD_DEBUG_DATA_HEADER64 {

    //
    // Link to other blocks
    //

    LIST_ENTRY64 List;

    //
    // This is a unique tag to identify the owner of the block.
    // If your component only uses one pool tag, use it for this, too.
    //

    ULONG           OwnerTag;

    //
    // This must be initialized to the size of the data block,
    // including this structure.
    //

    ULONG           Size;

} DBGKD_DEBUG_DATA_HEADER64, * PDBGKD_DEBUG_DATA_HEADER64;
 
/*
 * 64-bit kernel debugger data block: the table of kernel variable addresses
 * and structure offsets the kernel publishes for debuggers.
 *
 * This file never copies the block. DriverEntry obtains a pointer to the live
 * block through DBGKD_GET_VERSION64.DebuggerDataList and reads PspCidTable
 * from it, so every field offset up to and including PspCidTable has to match
 * the running kernel exactly. The fields after PspCidTable are carried only
 * to keep the declaration faithful to the newest layout (see the build-tagged
 * comments below); none of them is read in this file.
 *
 * The ULONG64 members named after kernel globals hold the *address* of that
 * global, not its value — DriverEntry dereferences PspCidTable once more.
 */
typedef struct _KDDEBUGGER_DATA64 {

    DBGKD_DEBUG_DATA_HEADER64 Header;

    //
    // Base address of kernel image
    //

    ULONG64   KernBase;

    //
    // DbgBreakPointWithStatus is a function which takes an argument
    // and hits a breakpoint.  This field contains the address of the
    // breakpoint instruction.  When the debugger sees a breakpoint
    // at this address, it may retrieve the argument from the first
    // argument register, or on x86 the eax register.
    //

    ULONG64   BreakpointWithStatus;       // address of breakpoint

    //
    // Address of the saved context record during a bugcheck
    //
    // N.B. This is an automatic in KeBugcheckEx's frame, and
    // is only valid after a bugcheck.
    //

    ULONG64   SavedContext;

    //
    // help for walking stacks with user callbacks:
    //

    //
    // The address of the thread structure is provided in the
    // WAIT_STATE_CHANGE packet.  This is the offset from the base of
    // the thread structure to the pointer to the kernel stack frame
    // for the currently active usermode callback.
    //

    USHORT  ThCallbackStack;            // offset in thread data

    //
    // these values are offsets into that frame:
    //

    USHORT  NextCallback;               // saved pointer to next callback frame
    USHORT  FramePointer;               // saved frame pointer

    //
    // pad to a quad boundary
    //
    USHORT  PaeEnabled : 1;
    USHORT  KiBugCheckRecoveryActive : 1; // Windows 10 Manganese Addition
    USHORT  PagingLevels : 4;

    //
    // Address of the kernel callout routine.
    //

    ULONG64   KiCallUserMode;             // kernel routine

    //
    // Address of the usermode entry point for callbacks.
    //

    ULONG64   KeUserCallbackDispatcher;   // address in ntdll


    //
    // Addresses of various kernel data structures and lists
    // that are of interest to the kernel debugger.
    //

    ULONG64   PsLoadedModuleList;
    ULONG64   PsActiveProcessHead;
    ULONG64   PspCidTable;                // address of the PspCidTable global; read by DriverEntry

    ULONG64   ExpSystemResourcesList;
    ULONG64   ExpPagedPoolDescriptor;
    ULONG64   ExpNumberOfPagedPools;

    ULONG64   KeTimeIncrement;
    ULONG64   KeBugCheckCallbackListHead;
    ULONG64   KiBugcheckData;

    ULONG64   IopErrorLogListHead;

    ULONG64   ObpRootDirectoryObject;
    ULONG64   ObpTypeObjectType;

    ULONG64   MmSystemCacheStart;
    ULONG64   MmSystemCacheEnd;
    ULONG64   MmSystemCacheWs;

    ULONG64   MmPfnDatabase;
    ULONG64   MmSystemPtesStart;
    ULONG64   MmSystemPtesEnd;
    ULONG64   MmSubsectionBase;
    ULONG64   MmNumberOfPagingFiles;

    ULONG64   MmLowestPhysicalPage;
    ULONG64   MmHighestPhysicalPage;
    ULONG64   MmNumberOfPhysicalPages;

    ULONG64   MmMaximumNonPagedPoolInBytes;
    ULONG64   MmNonPagedSystemStart;
    ULONG64   MmNonPagedPoolStart;
    ULONG64   MmNonPagedPoolEnd;

    ULONG64   MmPagedPoolStart;
    ULONG64   MmPagedPoolEnd;
    ULONG64   MmPagedPoolInformation;
    ULONG64   MmPageSize;

    ULONG64   MmSizeOfPagedPoolInBytes;

    ULONG64   MmTotalCommitLimit;
    ULONG64   MmTotalCommittedPages;
    ULONG64   MmSharedCommit;
    ULONG64   MmDriverCommit;
    ULONG64   MmProcessCommit;
    ULONG64   MmPagedPoolCommit;
    ULONG64   MmExtendedCommit;

    ULONG64   MmZeroedPageListHead;
    ULONG64   MmFreePageListHead;
    ULONG64   MmStandbyPageListHead;
    ULONG64   MmModifiedPageListHead;
    ULONG64   MmModifiedNoWritePageListHead;
    ULONG64   MmAvailablePages;
    ULONG64   MmResidentAvailablePages;

    ULONG64   PoolTrackTable;
    ULONG64   NonPagedPoolDescriptor;

    ULONG64   MmHighestUserAddress;
    ULONG64   MmSystemRangeStart;
    ULONG64   MmUserProbeAddress;

    ULONG64   KdPrintCircularBuffer;
    ULONG64   KdPrintCircularBufferEnd;
    ULONG64   KdPrintWritePointer;
    ULONG64   KdPrintRolloverCount;

    ULONG64   MmLoadedUserImageList;

    // NT 5.1 Addition

    ULONG64   NtBuildLab;
    ULONG64   KiNormalSystemCall;

    // NT 5.0 hotfix addition

    ULONG64   KiProcessorBlock;
    ULONG64   MmUnloadedDrivers;
    ULONG64   MmLastUnloadedDriver;
    ULONG64   MmTriageActionTaken;
    ULONG64   MmSpecialPoolTag;
    ULONG64   KernelVerifier;
    ULONG64   MmVerifierData;
    ULONG64   MmAllocatedNonPagedPool;
    ULONG64   MmPeakCommitment;
    ULONG64   MmTotalCommitLimitMaximum;
    ULONG64   CmNtCSDVersion;

    // NT 5.1 Addition

    ULONG64   MmPhysicalMemoryBlock;
    ULONG64   MmSessionBase;
    ULONG64   MmSessionSize;
    ULONG64   MmSystemParentTablePage;

    // Server 2003 addition

    ULONG64   MmVirtualTranslationBase;

    USHORT    OffsetKThreadNextProcessor;
    USHORT    OffsetKThreadTeb;
    USHORT    OffsetKThreadKernelStack;
    USHORT    OffsetKThreadInitialStack;

    USHORT    OffsetKThreadApcProcess;
    USHORT    OffsetKThreadState;
    USHORT    OffsetKThreadBStore;
    USHORT    OffsetKThreadBStoreLimit;

    USHORT    SizeEProcess;
    USHORT    OffsetEprocessPeb;
    USHORT    OffsetEprocessParentCID;
    USHORT    OffsetEprocessDirectoryTableBase;

    USHORT    SizePrcb;
    USHORT    OffsetPrcbDpcRoutine;
    USHORT    OffsetPrcbCurrentThread;
    USHORT    OffsetPrcbMhz;

    USHORT    OffsetPrcbCpuType;
    USHORT    OffsetPrcbVendorString;
    USHORT    OffsetPrcbProcStateContext;
    USHORT    OffsetPrcbNumber;

    USHORT    SizeEThread;

    UCHAR     L1tfHighPhysicalBitIndex;  // Windows 10 19H1 Addition
    UCHAR     L1tfSwizzleBitIndex;       // Windows 10 19H1 Addition

    ULONG     Padding0;

    ULONG64   KdPrintCircularBufferPtr;
    ULONG64   KdPrintBufferSize;

    ULONG64   KeLoaderBlock;

    USHORT    SizePcr;
    USHORT    OffsetPcrSelfPcr;
    USHORT    OffsetPcrCurrentPrcb;
    USHORT    OffsetPcrContainedPrcb;

    USHORT    OffsetPcrInitialBStore;
    USHORT    OffsetPcrBStoreLimit;
    USHORT    OffsetPcrInitialStack;
    USHORT    OffsetPcrStackLimit;

    USHORT    OffsetPrcbPcrPage;
    USHORT    OffsetPrcbProcStateSpecialReg;
    USHORT    GdtR0Code;
    USHORT    GdtR0Data;

    USHORT    GdtR0Pcr;
    USHORT    GdtR3Code;
    USHORT    GdtR3Data;
    USHORT    GdtR3Teb;

    USHORT    GdtLdt;
    USHORT    GdtTss;
    USHORT    Gdt64R3CmCode;
    USHORT    Gdt64R3CmTeb;

    ULONG64   IopNumTriageDumpDataBlocks;
    ULONG64   IopTriageDumpDataBlocks;

    // Longhorn addition

    ULONG64   VfCrashDataBlock;
    ULONG64   MmBadPagesDetected;
    ULONG64   MmZeroedPageSingleBitErrorsDetected;

    // Windows 7 addition

    ULONG64   EtwpDebuggerData;
    USHORT    OffsetPrcbContext;

    // Windows 8 addition

    USHORT    OffsetPrcbMaxBreakpoints;
    USHORT    OffsetPrcbMaxWatchpoints;

    ULONG     OffsetKThreadStackLimit;
    ULONG     OffsetKThreadStackBase;
    ULONG     OffsetKThreadQueueListEntry;
    ULONG     OffsetEThreadIrpList;

    USHORT    OffsetPrcbIdleThread;
    USHORT    OffsetPrcbNormalDpcState;
    USHORT    OffsetPrcbDpcStack;
    USHORT    OffsetPrcbIsrStack;

    USHORT    SizeKDPC_STACK_FRAME;

    // Windows 8.1 Addition

    USHORT    OffsetKPriQueueThreadListHead;
    USHORT    OffsetKThreadWaitReason;

    // Windows 10 RS1 Addition

    USHORT    Padding1;
    ULONG64   PteBase;

    // Windows 10 RS5 Addition

    ULONG64   RetpolineStubFunctionTable;
    ULONG     RetpolineStubFunctionTableSize;
    ULONG     RetpolineStubOffset;
    ULONG     RetpolineStubSize;

    // Windows 10 Iron Addition

    USHORT OffsetEProcessMmHotPatchContext;

} KDDEBUGGER_DATA64, * PKDDEBUGGER_DATA64;
 
/*
 * Result buffer of KdSystemDebugControl(SysDbgQueryVersion); GetKdVersionBlock
 * passes sizeof(DBGKD_GET_VERSION64) as the output length, so the size of this
 * declaration must equal what the kernel writes.
 *
 * Only KernBase and DebuggerDataList are consumed in this file (DriverEntry).
 */
typedef struct _DBGKD_GET_VERSION64 {
    USHORT  MajorVersion;
    USHORT  MinorVersion;
    USHORT  ProtocolVersion;
    USHORT  Flags;
    USHORT  MachineType;
    UCHAR   MaxPacketType;
    UCHAR   MaxStateChange;
    UCHAR   MaxManipulate;
    UCHAR   Simulation;
    USHORT  Unused[1];
    ULONG64 KernBase;           // kernel image base; printed by DriverEntry
    ULONG64 PsLoadedModuleList;
    // NOTE(review): typed as a block pointer, but DriverEntry reads it as
    // KDDEBUGGER_DATA64** — i.e. as the address of a list head whose first
    // pointer is the first block. Presumably correct; confirm against wdbgexts.h.
    PKDDEBUGGER_DATA64 DebuggerDataList;
} DBGKD_GET_VERSION64, * PDBGKD_GET_VERSION64;
 
 
/*
 * Command codes accepted by KdSystemDebugControl. The values are positional
 * (SysDbgQueryModuleInformation == 0), so the order must not be changed.
 * This file uses only SysDbgQueryVersion (see GetKdVersionBlock).
 */
typedef enum _SYSDBG_COMMAND {
    SysDbgQueryModuleInformation,
    SysDbgQueryTraceInformation,
    SysDbgSetTracepoint,
    SysDbgSetSpecialCall,
    SysDbgClearSpecialCalls,
    SysDbgQuerySpecialCalls,
    SysDbgBreakPoint,
    SysDbgQueryVersion,           // fills a DBGKD_GET_VERSION64
    SysDbgReadVirtual,
    SysDbgWriteVirtual,
    SysDbgReadPhysical,
    SysDbgWritePhysical,
    SysDbgReadControlSpace,
    SysDbgWriteControlSpace,
    SysDbgReadIoSpace,
    SysDbgWriteIoSpace,
    SysDbgReadMsr,
    SysDbgWriteMsr,
    SysDbgReadBusData,
    SysDbgWriteBusData,
    SysDbgCheckLowMemory,
    SysDbgEnableKernelDebugger,
    SysDbgDisableKernelDebugger,
    SysDbgGetAutoKdEnable,
    SysDbgSetAutoKdEnable,
    SysDbgGetPrintBufferSize,
    SysDbgSetPrintBufferSize,
    SysDbgGetKdUmExceptionEnable,
    SysDbgSetKdUmExceptionEnable,
    SysDbgGetTriageDump,
    SysDbgGetKdBlockEnable,
    SysDbgSetKdBlockEnable,
} SYSDBG_COMMAND, * PSYSDBG_COMMAND;
 
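/*
 * Local prototype for the ntoskrnl export used by GetKdVersionBlock; this file
 * declares it itself rather than relying on a WDK header.
 *
 * Command             - which SYSDBG_COMMAND to execute.
 * InputBuffer/Length  - command input; SysDbgQueryVersion takes none (NULL, 0).
 * OutputBuffer/Length - caller buffer that receives the result, and its size
 *                       in bytes. OutputBufferLength is a by-value input; the
 *                       original declaration annotated it __out_opt, which is
 *                       only meaningful on a pointer, so it is now __in.
 * ReturnLength        - optional, receives the number of bytes written.
 * PreviousMode        - requestor mode the kernel should assume.
 *
 * Returns an NTSTATUS; callers should check it before trusting OutputBuffer.
 */
NTKERNELAPI
NTSTATUS
KdSystemDebugControl(
    __in SYSDBG_COMMAND Command,
    __inout_bcount_opt(InputBufferLength) PVOID InputBuffer,
    __in ULONG InputBufferLength,
    __out_bcount(OutputBufferLength) PVOID OutputBuffer,
    __in ULONG OutputBufferLength,
    __out_opt PULONG ReturnLength,
    __in KPROCESSOR_MODE PreviousMode
);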
 
 
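/*
 * Driver unload callback, stored in pDriver->DriverUnload by DriverEntry.
 *
 * The kernel's DRIVER_UNLOAD callback type returns VOID; the original
 * NTSTATUS return type did not match the field it is assigned to, so the
 * return type is corrected here. DriverEntry frees its only allocation
 * before returning, so there is no driver-lifetime state to release.
 *
 * pDriver - the driver object being unloaded; unused.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    (void)pDriver; /* nothing to tear down */
}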
 
 
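/*
 * Ask the kernel for its DBGKD_GET_VERSION64 block through
 * KdSystemDebugControl(SysDbgQueryVersion).
 *
 * KdVersionBlock - caller-owned buffer of at least sizeof(DBGKD_GET_VERSION64)
 *                  bytes; filled by the kernel on success. NULL is rejected.
 *
 * Returns STATUS_INVALID_PARAMETER for a NULL buffer, otherwise the NTSTATUS
 * of the query. The original VOID signature discarded that status, so a
 * caller could not tell a filled buffer from untouched pool memory; callers
 * that still ignore the return value compile unchanged.
 *
 * KdBreakPoint() is kept as in the original (a DBG-build breakpoint macro —
 * expected to be a no-op in free builds; confirm for the WDK in use).
 */
NTSTATUS GetKdVersionBlock(PDBGKD_GET_VERSION64 KdVersionBlock)
{
    if (KdVersionBlock == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    KdBreakPoint();

    /* PreviousMode is passed as UserMode exactly as the original did; whether
     * KernelMode would be the more appropriate value for a pool buffer is not
     * established here — TODO confirm against the target builds. */
    return KdSystemDebugControl(
        SysDbgQueryVersion,
        NULL,
        0,
        KdVersionBlock,
        sizeof(DBGKD_GET_VERSION64),
        NULL,
        UserMode
    );
}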
 
 
/////////////////////////
//
//      通过KdSystemDebugControl定位KDDEBUGGER_DATA64
//    
//
//
 
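/*
 * Driver entry point: locate the kernel's KDDEBUGGER_DATA64 block through
 * KdSystemDebugControl(SysDbgQueryVersion), print the PspCidTable and
 * KernBase values it carries, and register DriverUnload.
 *
 * pDriver - the driver object; DriverUnload is stored in it.
 * pReg    - registry path, unused.
 *
 * Returns STATUS_INSUFFICIENT_RESOURCES when the version-block buffer cannot
 * be allocated; otherwise STATUS_SUCCESS, even when the lookup yields no
 * block (only the KdPrint of the addresses is skipped), so the driver still
 * loads and unloads normally.
 *
 * The original code dereferenced DebuggerDataList without checking that the
 * pool allocation succeeded or that the query actually filled the buffer, so
 * a failed query would follow stale pool contents as a kernel pointer. The
 * buffer is now zeroed before the query and every pointer is checked. The
 * printed values are kernel addresses: keep them in debugger output and do
 * not pass them to user mode.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    (void)pReg;

    pDriver->DriverUnload = DriverUnload;

    PDBGKD_GET_VERSION64 VersionBlock =
        ExAllocatePool(NonPagedPool, sizeof(DBGKD_GET_VERSION64));
    if (VersionBlock == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    /* Zero first so that an untouched buffer reads as NULL pointers rather
     * than whatever the pool block previously held. */
    RtlZeroMemory(VersionBlock, sizeof(DBGKD_GET_VERSION64));
    GetKdVersionBlock(VersionBlock);

    /* DebuggerDataList is typed PKDDEBUGGER_DATA64 but is read, as in the
     * original, as the address of a pointer to the first block (presumably a
     * list head whose first word is the link — confirm against wdbgexts.h). */
    KDDEBUGGER_DATA64 *KdDebugData64 = NULL;
    if (VersionBlock->DebuggerDataList != NULL) {
        KdDebugData64 = *(KDDEBUGGER_DATA64 **)VersionBlock->DebuggerDataList;
    }

    if (KdDebugData64 != NULL && KdDebugData64->PspCidTable != 0) {
        /* The block field is the address of the kernel's PspCidTable variable;
         * the original dereferences it once to get the variable's value.
         * Both arguments are cast to PVOID so they match %p. */
        KdPrint(("PspCidTable:%p KernBase:%p\n",
                 (PVOID)*(ULONG64 *)KdDebugData64->PspCidTable,
                 (PVOID)VersionBlock->KernBase));
    } else {
        KdPrint(("KdSystemDebugControl returned no debugger data block\n"));
    }

    ExFreePool(VersionBlock);
    return STATUS_SUCCESS;
}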


最后于 2021-12-2 18:32 被如梦而醉编辑 ,原因:
最新回复 (3)
tmflxw 活跃值 2021-12-2 17:49
那么问题来了,这个结构体是微软公开的吗
wem 活跃值 2021-12-2 22:19

可以用于win10隐藏进程吗?

触发pg吗?

最后于 2021-12-2 22:29 被wem编辑 ,原因:
淡然他徒弟 活跃值 1 2021-12-3 00:03
mark