/*
 * MiGetPhysicalAddress - translate the virtual address kAddress by walking the
 * x64 page tables (PML4 -> PDPT -> PD -> PT) through a fixed, recursively
 * mapped ("self-map") page-table region.
 *
 * kAddress       : virtual address to translate.
 * _out_PaAddress : receives (frame << 12) | (kAddress & 0xFFF) on success;
 *                  NOT written when the walk fails.
 * a3             : cleared on entry; set to 1 when the mapping is a 2 MB large
 *                  page, or when bit 11 of the final PTE is set; otherwise
 *                  left 0. What that flag encodes cannot be determined from
 *                  this listing (bit 11 of a PTE is a software-defined bit).
 * Returns 1 on success, 0 when any PML4E/PDPTE/PDE/PTE on the path is not
 * present (bit 0 clear).
 *
 * The negative constants are the decompiler's signed rendering of fixed
 * kernel virtual addresses (two's complement, 64-bit):
 *   -0x90482413000 == 0xFFFFF6FB7DBED000  PML4 (8-byte entries, indexed by VA bits 39..47)
 *   -0x90482600000 == 0xFFFFF6FB7DA00000  PDPT region (indexed by VA bits 30..47)
 *   -0x904C0000000 == 0xFFFFF6FB40000000  PD region   (indexed by VA bits 21..47)
 *   -0x98000000000 == 0xFFFFF68000000000  PT region   (indexed by VA bits 12..47)
 * These are the historical fixed self-map addresses, so the walk is tied to
 * builds that do not randomise the self-map base; on builds that do, the same
 * reads hit unrelated memory. NOTE(review): confirm against the target build.
 *
 * Each level tests the present bit before touching the next level: through a
 * self-map, a non-present higher-level entry means the lower-level table's
 * virtual page is itself unmapped and dereferencing it would fault.
 *
 * DbgPrint2 is not a documented kernel export; the DbgPrint/DbgPrint2 calls and
 * the "//y", "//n", "//== FFFFF6FB..." remarks look like instrumentation and
 * observations added while studying the function rather than original code.
 */
signed __int64 __fastcall MiGetPhysicalAddress(unsigned __int64 kAddress, signed __int64 *_out_PaAddress, UINT32 *a3)
{
signed __int64 v_PML4T; // r9@1  PML4 index of kAddress
unsigned __int64 v4; // r10@1  second copy of kAddress (decompiler artifact)
unsigned __int64 v5; // rcx@3  PDE (page-directory entry)
signed __int64 v6; // rax@4  page frame number of the result
unsigned __int64 v8; // rcx@12  PTE (page-table entry)
signed __int64 v9; // [sp+10h] [bp+8h]@6  assembled physical address
/* Flag output defaults to 0 so every early return leaves it defined. */
*a3 = 0;
/* PML4 index: VA bits 39..47 (3*9+12 == 39, nine index bits). */
v_PML4T = (kAddress >> (3 * 9 + 12)) & 0x1FF;
v4 = kAddress;
/* PML4E present? Reads bit 0 of the 8-byte entry at PML4 base + 8*index. */
if (*(UCHAR *)(8 * v_PML4T - 0x90482413000i64) & 1)
{
/* PDPTE present? ((VA >> 27) & 0x1FFFF8) == ((VA >> 30) & 0x3FFFF) * 8. */
if (*(UCHAR *)(((kAddress >> 27) & 0x1FFFF8) - 0x90482600000i64) & 1)
{
/* PDE: ((VA >> 18) & 0x3FFFFFF8) == ((VA >> 21) & 0x7FFFFFF) * 8. */
v5 = *(UINT64 *)(((kAddress >> 18) & 0x3FFFFFF8) - 0x904C0000000i64);
/*
 * As written this can never be true: v5 is unsigned, so -127 converts to
 * 0xFFFFFFFFFFFFFF81 while (v5 & 0x81) is at most 0x81. This is almost
 * certainly an 8-bit `cmp al, 81h` (present | page-size) that the
 * decompiler rendered with the wrong signedness -- check the disassembly.
 * Taken as intended, a present 2 MB PDE jumps straight to LABEL_4 and
 * skips the duplicated re-checks below.
 */
if ((v5 & 0x81) == -127)
{
goto LABEL_4; //n
}
}
/* Repeat of the PML4E/PDPTE checks above with v4 == kAddress: same
 * addresses, same results (duplicated code path from the decompiler). */
if (*(UCHAR *)(8 * v_PML4T - 0x90482413000i64) & 1)
{
if (*(UCHAR *)(((v4 >> 27) & 0x1FFFF8) - 0x90482600000i64) & 1)
{
/* Debug: virtual address of the PDE being read. */
DbgPrint2("1--:%p\n", (((v4 >> 18) & 0x3FFFFFF8) - 0x904C0000000i64)); //== FFFFF6FB7E2002A8
v5 = *(UINT64 *)(((v4 >> 18) & 0x3FFFFFF8) - 0x904C0000000i64);
/* PDE present? */
if (v5 & 1)
{
DbgPrint("v5:%p\n", v5);
/* Bit 7 of a present PDE is the page-size bit: a 2 MB large page. */
if ((v5 & 0x80u) != 0i64) //n
{
LABEL_4:
/* Frame = PDE bits 12..47 + VA bits 12..20 (the 4 KB frame inside the
 * 2 MB page). Relies on PDE bits 12..20 being zero; bit 12 is PAT in a
 * large-page PDE, so this is only exact when PAT is clear -- TODO confirm. */
v6 = ((v5 >> 12) & 0xFFFFFFFFFi64) + ((v4 >> 12) & 0x1FF);
LABEL_5:
/* Reached for large pages and for PTEs with bit 11 set. */
*a3 = 1;
LABEL_6:
/* Physical address without the page offset. */
v9 = v6 << 12;
DbgPrint("v9:%p\n", v9);
/* Decompiler rendering of a 32-bit store: overwrite the low dword of v9
 * with (low dword of frame << 12) + page offset, i.e. OR in VA bits 0..11.
 * Net effect: v9 == (v6 << 12) + (v4 & 0xFFF). Note this type-puns a 64-bit
 * local through a UINT32 pointer. */
((PUINT32)&v9)[0] = (v4 & 0xFFF) + ((UINT32)v6 << 12); //offset
*_out_PaAddress = v9;
return 1i64;
}
/* Not a large page: descend to the PTE.
 * ((VA >> 9) & 0x7FFFFFFFF8) == ((VA >> 12) & 0xFFFFFFFFF) * 8. */
DbgPrint2("2--:%p\n", ((v4 >> 9) & 0x7FFFFFFFF8i64) - 0x98000000000i64); //== FFFFF6FC40055038
v8 = *(UINT64 *)(((v4 >> 9) & 0x7FFFFFFFF8i64) - 0x98000000000i64);
/* PTE present? */
if (v8 & 1) //y
{
/* Frame number: PTE bits 12..47. */
v6 = (v8 >> 12) & 0xFFFFFFFFFi64;
/* Bit 11 of the PTE is a software-available bit (ignored by the MMU), so
 * its meaning is OS-specific; here it alone decides whether *a3 becomes 1.
 * Clear -> LABEL_6 with *a3 still 0; set -> LABEL_5 sets *a3 = 1. */
if (!_bittest64((const signed __int64 *)&v8, 0xBu)) //n
{
goto LABEL_6;
}
DbgPrint("v6:%p\n", v6);
goto LABEL_5; //y
}
}
}
}
}
/* Some level on the path was not present: no translation, _out_PaAddress untouched. */
return 0i64;
}
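/*
 * _MmGetPhysicalAddress - public wrapper around MiGetPhysicalAddress.
 *
 * kAddress : virtual address to translate.
 * Returns the physical address produced by MiGetPhysicalAddress, or 0 when
 * the page-table walk failed (MiGetPhysicalAddress returned 0). The flag
 * output of MiGetPhysicalAddress is requested but discarded.
 *
 * A caller cannot distinguish "translation failed" from a genuine physical
 * address of 0; use MiGetPhysicalAddress directly when that matters.
 *
 * Note: the leading underscore + uppercase makes this a reserved identifier in
 * standard C; the name is kept because callers reference it.
 */
__int64 __fastcall _MmGetPhysicalAddress(__int64 kAddress)
{
    UINT32 flags = 0;      // [sp+38h] [bp+10h]  flag output, unused here
    __int64 PaAddress = 0; // [sp+40h] [bp+18h]  only written by the callee on success

    int ok = (INT32)MiGetPhysicalAddress(kAddress, &PaAddress, &flags);

    /* The decompiled form returned `PaAddress & -(ok != 0)`, which reads
     * PaAddress even on the failure path where the callee never wrote it
     * (an indeterminate read). Select on the return value explicitly instead;
     * the result is identical on every defined path. */
    return ok ? PaAddress : 0;
}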

这是IDA直接F5过来的，完全看不懂啊。