-
-
[求助]关于int1中断的疑惑
-
发表于: 2016-10-27 21:27
-
////////////////
是这样的 触发int1中断后会在栈里(sub rsp,(0x30或0x28))保存_KTRAP_FRAME+0x168后面的值才会进入KiDebugTrapOrFault处理函数 (应该是处理器自带的功能)
//测试的代码是
int 3 //触发后单步
nop
nop
nop
nop
nop
ret
....
1: (原始rsp)FFFFF88001FCB778, (原始rip)FFFFF8800C20F541
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB748 //相差0x30 保存了_KTRAP_FRAME+0x168后面的值 也就是说有一个空位并没用到 但改成相差0x28再把值打过去是不行的 必须是相差0x30 或者0x30以上
//但是下面的语句却变成相差0x28了 后面的语句改成30会出错 它是怎么确定这个值的?
1: (原始rsp)FFFFF88001FCB778, (原始rip)FFFFF8800C20F542
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB748 //相差0x30
//ret指令
1: (原始rsp)FFFFF88001FCB780, (原始rip)FFFFF8800C20F5D3
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB758 //变成相差0x28
(原始rsp)FFFFF88001FCB780, (原始rip)FFFFF8800C20F5D6
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB758 //也是相差0x28
(原始rsp)FFFFF88001FCB780, (原始rip)FFFFF8800C20F5DE
3: (进入KiDebugTrapOrFault时rsp) FFFFF88001FCB758 //也是相差0x28
nt!_KTRAP_FRAME
+0x000 P1Home : Uint8B
+0x008 P2Home : Uint8B
+0x010 P3Home : Uint8B
+0x018 P4Home : Uint8B
+0x020 P5 : Uint8B
+0x028 PreviousMode : Char
+0x029 PreviousIrql : UChar
+0x02a FaultIndicator : UChar
+0x02b ExceptionActive : UChar
+0x02c MxCsr : Uint4B
+0x030 Rax : Uint8B
+0x038 Rcx : Uint8B
+0x040 Rdx : Uint8B
+0x048 R8 : Uint8B
+0x050 R9 : Uint8B
+0x058 R10 : Uint8B
+0x060 R11 : Uint8B
+0x068 GsBase : Uint8B
+0x068 GsSwap : Uint8B
+0x070 Xmm0 : _M128A
+0x080 Xmm1 : _M128A
+0x090 Xmm2 : _M128A
+0x0a0 Xmm3 : _M128A
+0x0b0 Xmm4 : _M128A
+0x0c0 Xmm5 : _M128A
+0x0d0 FaultAddress : Uint8B
+0x0d0 ContextRecord : Uint8B
+0x0d0 TimeStampCKCL : Uint8B
+0x0d8 Dr0 : Uint8B
+0x0e0 Dr1 : Uint8B
+0x0e8 Dr2 : Uint8B
+0x0f0 Dr3 : Uint8B
+0x0f8 Dr6 : Uint8B
+0x100 Dr7 : Uint8B
+0x108 DebugControl : Uint8B
+0x110 LastBranchToRip : Uint8B
+0x118 LastBranchFromRip : Uint8B
+0x120 LastExceptionToRip : Uint8B
+0x128 LastExceptionFromRip : Uint8B
+0x108 LastBranchControl : Uint8B
+0x110 LastBranchMSR : Uint4B
+0x130 SegDs : Uint2B
+0x132 SegEs : Uint2B
+0x134 SegFs : Uint2B
+0x136 SegGs : Uint2B
+0x138 TrapFrame : Uint8B
+0x140 Rbx : Uint8B
+0x148 Rdi : Uint8B
+0x150 Rsi : Uint8B
+0x158 Rbp : Uint8B
+0x160 ErrorCode : Uint8B
+0x160 ExceptionFrame : Uint8B
+0x160 TimeStampKlog : Uint8B
+0x168 Rip : Uint8B //((rsp-0x30)+(8*0)+0) //Rip 指向下一步的rip
+0x170 SegCs : Uint2B //((rsp-0x30)+(8*1)+0) //CS
+0x172 Fill0 : UChar //((rsp-0x30)+(8*1)+2) //0
+0x173 Logging : UChar //((rsp-0x30)+(8*1)+3) //0
+0x174 Fill1 : [2] Uint2B //((rsp-0x30)+(8*1)+4) //0
+0x178 EFlags : Uint4B //((rsp-0x30)+(8*2)+0) //EFlags
+0x17c Fill2 : Uint4B //((rsp-0x30)+(8*2)+4) //0
+0x180 Rsp : Uint8B //((rsp-0x30)+(8*3)+0) //原始rsp
+0x188 SegSs : Uint2B //((rsp-0x30)+(8*4)+0) //SS
+0x18a Fill3 : Uint2B //((rsp-0x30)+(8*4)+2) //0
+0x18c CodePatchCycle : Int4B //((rsp-0x30)+(8*4)+4) //0
//((rsp-0x30)+(8*5)+0) //触发异常的rip
我疑惑的是它是怎么确定(0x30还是0x28?)我本来以为只是根据_KTRAP_FRAME+0x168后面的值跳出返回到原始代码而已 但是这个0x30还是0x28是不能随便改的
也不是不能改, 在0x30的时候可以改成sub rsp,30以上 但是如果本来是0x28的话改了就出错了 为什么
是这样的 触发int1中断后会在栈里(sub rsp,(0x30或0x28))保存_KTRAP_FRAME+0x168后面的值才会进入KiDebugTrapOrFault处理函数 (应该是处理器自带的功能)
//测试的代码是
int 3 //触发后单步
nop
nop
nop
nop
nop
ret
....
1: (原始rsp)FFFFF88001FCB778, (原始rip)FFFFF8800C20F541
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB748 //相差0x30 保存了_KTRAP_FRAME+0x168后面的值 也就是说有一个空位并没用到 但改成相差0x28再把值打过去是不行的 必须是相差0x30 或者0x30以上
//但是下面的语句却变成相差0x28了 后面的语句改成30会出错 它是怎么确定这个值的?
1: (原始rsp)FFFFF88001FCB778, (原始rip)FFFFF8800C20F542
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB748 //相差0x30
//ret指令
1: (原始rsp)FFFFF88001FCB780, (原始rip)FFFFF8800C20F5D3
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB758 //变成相差0x28
(原始rsp)FFFFF88001FCB780, (原始rip)FFFFF8800C20F5D6
3: (进入KiDebugTrapOrFault时rsp)FFFFF88001FCB758 //也是相差0x28
(原始rsp)FFFFF88001FCB780, (原始rip)FFFFF8800C20F5DE
3: (进入KiDebugTrapOrFault时rsp) FFFFF88001FCB758 //也是相差0x28
nt!_KTRAP_FRAME
+0x000 P1Home : Uint8B
+0x008 P2Home : Uint8B
+0x010 P3Home : Uint8B
+0x018 P4Home : Uint8B
+0x020 P5 : Uint8B
+0x028 PreviousMode : Char
+0x029 PreviousIrql : UChar
+0x02a FaultIndicator : UChar
+0x02b ExceptionActive : UChar
+0x02c MxCsr : Uint4B
+0x030 Rax : Uint8B
+0x038 Rcx : Uint8B
+0x040 Rdx : Uint8B
+0x048 R8 : Uint8B
+0x050 R9 : Uint8B
+0x058 R10 : Uint8B
+0x060 R11 : Uint8B
+0x068 GsBase : Uint8B
+0x068 GsSwap : Uint8B
+0x070 Xmm0 : _M128A
+0x080 Xmm1 : _M128A
+0x090 Xmm2 : _M128A
+0x0a0 Xmm3 : _M128A
+0x0b0 Xmm4 : _M128A
+0x0c0 Xmm5 : _M128A
+0x0d0 FaultAddress : Uint8B
+0x0d0 ContextRecord : Uint8B
+0x0d0 TimeStampCKCL : Uint8B
+0x0d8 Dr0 : Uint8B
+0x0e0 Dr1 : Uint8B
+0x0e8 Dr2 : Uint8B
+0x0f0 Dr3 : Uint8B
+0x0f8 Dr6 : Uint8B
+0x100 Dr7 : Uint8B
+0x108 DebugControl : Uint8B
+0x110 LastBranchToRip : Uint8B
+0x118 LastBranchFromRip : Uint8B
+0x120 LastExceptionToRip : Uint8B
+0x128 LastExceptionFromRip : Uint8B
+0x108 LastBranchControl : Uint8B
+0x110 LastBranchMSR : Uint4B
+0x130 SegDs : Uint2B
+0x132 SegEs : Uint2B
+0x134 SegFs : Uint2B
+0x136 SegGs : Uint2B
+0x138 TrapFrame : Uint8B
+0x140 Rbx : Uint8B
+0x148 Rdi : Uint8B
+0x150 Rsi : Uint8B
+0x158 Rbp : Uint8B
+0x160 ErrorCode : Uint8B
+0x160 ExceptionFrame : Uint8B
+0x160 TimeStampKlog : Uint8B
+0x168 Rip : Uint8B //((rsp-0x30)+(8*0)+0) //Rip 指向下一步的rip
+0x170 SegCs : Uint2B //((rsp-0x30)+(8*1)+0) //CS
+0x172 Fill0 : UChar //((rsp-0x30)+(8*1)+2) //0
+0x173 Logging : UChar //((rsp-0x30)+(8*1)+3) //0
+0x174 Fill1 : [2] Uint2B //((rsp-0x30)+(8*1)+4) //0
+0x178 EFlags : Uint4B //((rsp-0x30)+(8*2)+0) //EFlags
+0x17c Fill2 : Uint4B //((rsp-0x30)+(8*2)+4) //0
+0x180 Rsp : Uint8B //((rsp-0x30)+(8*3)+0) //原始rsp
+0x188 SegSs : Uint2B //((rsp-0x30)+(8*4)+0) //SS
+0x18a Fill3 : Uint2B //((rsp-0x30)+(8*4)+2) //0
+0x18c CodePatchCycle : Int4B //((rsp-0x30)+(8*4)+4) //0
//((rsp-0x30)+(8*5)+0) //触发异常的rip
我疑惑的是它是怎么确定(0x30还是0x28?)我本来以为只是根据_KTRAP_FRAME+0x168后面的值跳出返回到原始代码而已 但是这个0x30还是0x28是不能随便改的
也不是不能改, 在0x30的时候可以改成sub rsp,30以上 但是如果本来是0x28的话改了就出错了 为什么
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
int3中断是稳定在0x30的 改了也没事 只要_KTRAP_FRAME+0x168后面的值正确就行了 但是int1就不行了 莫名其妙 中断通道又不能调试
|
|
|
nt!KiDebugTrapOrFault:
fffff800`01a81a40 4883ec08 sub rsp,8 fffff800`01a81a44 55 push rbp fffff800`01a81a45 4881ec58010000 sub rsp,158h fffff800`01a81a4c 488dac2480000000 lea rbp,[rsp+80h] fffff800`01a81a54 c645ab01 mov byte ptr [rbp-55h],1 fffff800`01a81a58 488945b0 mov qword ptr [rbp-50h],rax fffff800`01a81a5c 48894db8 mov qword ptr [rbp-48h],rcx fffff800`01a81a60 488955c0 mov qword ptr [rbp-40h],rdx fffff800`01a81a64 4c8945c8 mov qword ptr [rbp-38h],r8 fffff800`01a81a68 4c894dd0 mov qword ptr [rbp-30h],r9 fffff800`01a81a6c 4c8955d8 mov qword ptr [rbp-28h],r10 fffff800`01a81a70 4c895de0 mov qword ptr [rbp-20h],r11 fffff800`01a81a74 f685f000000001 test byte ptr [rbp+0F0h],1 fffff800`01a81a7b 7464 je nt!KiDebugTrapOrFault+0xa1 (fffff800`01a81ae1) fffff800`01a81a7d 0f01f8 swapgs fffff800`01a81a80 654c8b142588010000 mov r10,qword ptr gs:[188h] fffff800`01a81a89 41f6420380 test byte ptr [r10+3],80h fffff800`01a81a8e 743c je nt!KiDebugTrapOrFault+0x8c (fffff800`01a81acc) fffff800`01a81a90 b9020100c0 mov ecx,0C0000102h fffff800`01a81a95 0f32 rdmsr fffff800`01a81a97 48c1e220 shl rdx,20h fffff800`01a81a9b 480bc2 or rax,rdx fffff800`01a81a9e 493982b8000000 cmp qword ptr [r10+0B8h],rax fffff800`01a81aa5 7425 je nt!KiDebugTrapOrFault+0x8c (fffff800`01a81acc) fffff800`01a81aa7 493982b0010000 cmp qword ptr [r10+1B0h],rax fffff800`01a81aae 741c je nt!KiDebugTrapOrFault+0x8c (fffff800`01a81acc) fffff800`01a81ab0 498b92b8010000 mov rdx,qword ptr [r10+1B8h] fffff800`01a81ab7 410fba6a4c0b bts dword ptr [r10+4Ch],0Bh fffff800`01a81abd 6641ff8ac4010000 dec word ptr [r10+1C4h] fffff800`01a81ac5 48898280000000 mov qword ptr [rdx+80h],rax fffff800`01a81acc 41f6420303 test byte ptr [r10+3],3 fffff800`01a81ad1 66c785800000000000 mov word ptr [rbp+80h],0 fffff800`01a81ada 7405 je nt!KiDebugTrapOrFault+0xa1 (fffff800`01a81ae1) fffff800`01a81adc e88f350000 call nt!KiSaveDebugRegisterState (fffff800`01a85070) fffff800`01a81ae1 fc cld fffff800`01a81ae2 0fae5dac stmxcsr dword ptr [rbp-54h] fffff800`01a81ae6 650fae142580010000 ldmxcsr dword ptr gs:[180h] fffff800`01a81aef 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 //检查了 发现是这句出问题了 这句在什么情况下会出问题啊 rbp的值没理由是错的啊 要是错上面就出错了  fffff800`01a81af3 0f294d00 movaps xmmword ptr [rbp],xmm1 fffff800`01a81af7 0f295510 movaps xmmword ptr [rbp+10h],xmm2 fffff800`01a81afb 0f295d20 movaps xmmword ptr [rbp+20h],xmm3 fffff800`01a81aff 0f296530 movaps xmmword ptr [rbp+30h],xmm4 fffff800`01a81b03 0f296d40 movaps xmmword ptr [rbp+40h],xmm5 fffff800`01a81b07 48f785f800000000020000 test qword ptr [rbp+0F8h],200h fffff800`01a81b12 7401 je nt!KiDebugTrapOrFault+0xd5 (fffff800`01a81b15) fffff800`01a81b14 fb sti fffff800`01a81b15 33d2 xor edx,edx fffff800`01a81b17 f785f800000000010000 test dword ptr [rbp+0F8h],100h fffff800`01a81b21 0f84a0000000 je nt!KiDebugTrapOrFault+0x187 (fffff800`01a81bc7) fffff800`01a81b27 65f604254a4d000002 test byte ptr gs:[4D4Ah],2 fffff800`01a81b30 0f8491000000 je nt!KiDebugTrapOrFault+0x187 (fffff800`01a81bc7) fffff800`01a81b36 f685f000000001 test byte ptr [rbp+0F0h],1 fffff800`01a81b3d 754f jne nt!KiDebugTrapOrFault+0x14e (fffff800`01a81b8e) fffff800`01a81b3f 0f21f8 mov rax,dr7 fffff800`01a81b42 66a90002 test ax,200h fffff800`01a81b46 747f je nt!KiDebugTrapOrFault+0x187 (fffff800`01a81bc7) fffff800`01a81b48 66a90001 test ax,100h fffff800`01a81b4c 7479 je nt!KiDebugTrapOrFault+0x187 (fffff800`01a81bc7) fffff800`01a81b4e 448b0533ac2300 mov r8d,dword ptr [nt!KiLastBranchTOSMSR (fffff800`01cbc788)] fffff800`01a81b55 450bc0 or r8d,r8d fffff800`01a81b58 7408 je nt!KiDebugTrapOrFault+0x122 (fffff800`01a81b62) fffff800`01a81b5a 418bc8 mov ecx,r8d fffff800`01a81b5d 0f32 rdmsr fffff800`01a81b5f 448bc0 mov r8d,eax fffff800`01a81b62 8b0da8a72300 mov ecx,dword ptr [nt!KiLastBranchFromBaseMSR (fffff800`01cbc310)] fffff800`01a81b68 4103c8 add ecx,r8d fffff800`01a81b6b 0f32 rdmsr fffff800`01a81b6d 448bc8 mov r9d,eax fffff800`01a81b70 48c1e220 shl rdx,20h fffff800`01a81b74 8b0d5aa82300 mov ecx,dword ptr [nt!KiLastBranchToBaseMSR (fffff800`01cbc3d4)] fffff800`01a81b7a 4c0bca or r9,rdx fffff800`01a81b7d 4103c8 add ecx,r8d fffff800`01a81b80 0f32 rdmsr fffff800`01a81b82 448bd0 mov r10d,eax fffff800`01a81b85 48c1e220 shl rdx,20h fffff800`01a81b89 4c0bd2 or r10,rdx fffff800`01a81b8c eb34 jmp nt!KiDebugTrapOrFault+0x182 (fffff800`01a81bc2) fffff800`01a81b8e 66f785800000000002 test word ptr [rbp+80h],200h fffff800`01a81b97 742e je nt!KiDebugTrapOrFault+0x187 (fffff800`01a81bc7) fffff800`01a81b99 66f785800000000001 test word ptr [rbp+80h],100h fffff800`01a81ba2 7423 je nt!KiDebugTrapOrFault+0x187 (fffff800`01a81bc7) fffff800`01a81ba4 4883a5a800000000 and qword ptr [rbp+0A8h],0 fffff800`01a81bac 4883a5a000000000 and qword ptr [rbp+0A0h],0 fffff800`01a81bb4 4c8b8d98000000 mov r9,qword ptr [rbp+98h] fffff800`01a81bbb 4c8b9590000000 mov r10,qword ptr [rbp+90h] fffff800`01a81bc2 ba02000000 mov edx,2 fffff800`01a81bc7 b904000080 mov ecx,80000004h fffff800`01a81bcc 81a5f8000000fffeffff and dword ptr [rbp+0F8h],0FFFFFEFFh fffff800`01a81bd6 4c8b85e8000000 mov r8,qword ptr [rbp+0E8h] fffff800`01a81bdd e89e250000 call nt!KiExceptionDispatch (fffff800`01a84180) fffff800`01a81be2 90 nop fffff800`01a81be3 666666666666660f1f840000000000 nop word ptr [rax+rax] fffff800`01a81bf2 6666666666660f1f840000000000 nop word ptr [rax+rax] |
|
|
找到原因了 movaps xmmword ptr [rbp-10h],xmm0 目的地址必须是16的倍数 不然就出错 上面说到的之所以有时差值为0x30 有时却是0x28 估计就是为了修正这个地方 坑爹的微软
|
|
|
|
