SYSCALL, SYSENTER, or INT 0x2E instructions. Modern versions of Windows use the SYSENTER instruction, which dispatches to a kernel function selected by the function code stored in register EAX. The code in ntdll.dll that implements the NtCreateFile function must handle the transition from user space to kernel space that happens every time NtCreateFile is called: the function number for NtCreateFile is placed in EAX, and then the sysenter instruction is executed. That value in EAX is used as an index into the SSDT when the code enters the kernel. Specifically, the address at offset 0x25 ❶ in the SSDT will be called in kernel mode. A listing of a few SSDT entries shows the entry for NtCreateFile at offset 25.

Example 10-17. A sample IDT
kd> !idt
37: 806cf728 hal!PicSpuriousService37
3d: 806d0b70 hal!HalpApcInterrupt
41: 806d09cc hal!HalpDispatchInterrupt
50: 806cf800 hal!HalpApicRebootService
62: 8298b7e4 atapi!IdePortInterrupt (KINTERRUPT 8298b7a8)
63: 826ef044 NDIS!ndisMIsr (KINTERRUPT 826ef008)
73: 826b9044 portcls!CKsShellRequestor::`vector deleting destructor'+0x26 (KINTERRUPT 826b9008)
             USBPORT!USBPORT_InterruptService (KINTERRUPT 826df008)
82: 82970dd4 atapi!IdePortInterrupt (KINTERRUPT 82970d98)
83: 829e8044 SCSIPORT!ScsiPortInterrupt (KINTERRUPT 829e8008)
93: 826c315c i8042prt!I8042KeyboardInterruptService (KINTERRUPT 826c3120)
a3: 826c2044 i8042prt!I8042MouseInterruptService (KINTERRUPT 826c2008)
b1: 829e5434 ACPI!ACPIInterruptServiceRoutine (KINTERRUPT 829e53f8)
b2: 826f115c serial!SerialCIsrSw (KINTERRUPT 826f1120)
c1: 806cf984 hal!HalpBroadcastCallService
d1: 806ced34 hal!HalpClockInterrupt
e1: 806cff0c hal!HalpIpiHandler
e3: 806cfc70 hal!HalpLocalApicErrorService
fd: 806d0464 hal!HalpProfileInterrupt
fe: 806d0604 hal!HalpPerfInterrupt
Interrupts going to unnamed, unsigned, or suspicious drivers could indicate a rootkit or other malicious software.