[求助]new blue pill代码求教？-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]new blue pill代码求教？

发表于: 2018-4-22 21:56 1712

[求助]new blue pill代码求教？

fastkb

2018-4-22 21:56

1712

有个函数看不大明白请教一下
NTSTATUS NTAPI MmMapGuestKernelPages (
)
{
PULONG64 Pml4e = (PULONG64) PML4_BASE;
PULONG64 Pdpe;
PULONG64 Pde;
ULONG uPml4eIndex, uPdpeIndex, uPdeIndex;

for (uPml4eIndex = 0x100; uPml4eIndex < 0x200; uPml4eIndex++)
    if (Pml4e[uPml4eIndex] & P_PRESENT) {

      Pdpe = (PULONG64) PDP_BASE + (uPml4eIndex << 9);      //这里实际就是 (LONG64)PDP_BASE + uPml4eIndex * 4K
      MmWalkGuestPageTable (Pdpe, 3);
    }

return STATUS_SUCCESS;
}

NTSTATUS NTAPI MmWalkGuestPageTable (
PULONG64 PageTable,
UCHAR bLevel
)
{
ULONG64 i;
PVOID VirtualAddress;
PUCHAR ShortPageVA;
PHYSICAL_ADDRESS PhysicalAddress;
PULONG64 LowerPageTable;

if (!MmIsAddressValid (PageTable))
    return STATUS_SUCCESS;

for (i = 0; i < 0x200; i++)

    if (PageTable[i] & P_PRESENT) {

      if (((bLevel == 2) && (PageTable[i] & P_LARGE)) || (bLevel == 1)) {

        if (bLevel == 1)
          VirtualAddress = (PVOID) (((LONGLONG) (&PageTable[i]) - PT_BASE) << 9);
        else
          VirtualAddress = (PVOID) (((LONGLONG) (&PageTable[i]) - PD_BASE) << 18);

        if ((LONGLONG) VirtualAddress & 0x0000800000000000)
          VirtualAddress = (PVOID) ((LONGLONG) VirtualAddress | 0xffff000000000000);

        PhysicalAddress.QuadPart = PageTable[i] & 0x000ffffffffff000;

        if ((ULONGLONG) VirtualAddress >= PT_BASE && (ULONGLONG) VirtualAddress < PML4_BASE + 0x1000)
          // guest pagetable stuff here - so don't map it
          continue;

        DbgPrint
          ("MmWalkGuestPageTable(): %sValid pl%d at 0x%p, index 0x%x, VA 0x%p, PA 0x%p %s\n",
           bLevel == 3 ? "   " : bLevel == 2 ? "      " : bLevel ==
           1 ? "         " : "", bLevel, &PageTable[i], i, VirtualAddress, PhysicalAddress.QuadPart, ((bLevel == 2)
                                                                                                      && (PageTable[i] &
                                                                                                          P_LARGE)) ?
           "LARGE" : "");

        if (bLevel == 2) {
          for (ShortPageVA = (PUCHAR) VirtualAddress + 0x0 * PAGE_SIZE;
               ShortPageVA < (PUCHAR) VirtualAddress + 0x200 * PAGE_SIZE;
               ShortPageVA += PAGE_SIZE, PhysicalAddress.QuadPart += PAGE_SIZE)
            MmCreateMapping (PhysicalAddress, ShortPageVA, FALSE);
        } else
          MmCreateMapping (PhysicalAddress, VirtualAddress, FALSE);
      }
     //上面那些大概能看明白这里很费解
   调用时MmWalkGuestPageTable(, 3)
    LowerPageTable 的值不是pde的第一个4K么
   调用时MmWalkGuestPageTable(, 3)
    LowerPageTable 的值不是pte的第一个4K么
每次调用都是这样这有什么用啊。
这里跟 MmMapGuestKernelPages（）里的 PDP_BASE 感觉没有关系呀

      if ((bLevel > 1) && !((bLevel == 2) && (PageTable[i] & P_LARGE))) {
        LowerPageTable = (PULONG64) (g_PageTableBases[bLevel - 2] + 8 * (i << (9 * (5 - bLevel))));
        MmWalkGuestPageTable (LowerPageTable, bLevel - 1);
      }
    }

return STATUS_SUCCESS;
}

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・0

免费・0

支持