以x64/Win10为例,mspaint.exe进程空间中会出现:
C:\Windows\System32\locale.nls C:\Windows\System32\C_1250.NLS C:\Windows\System32\C_1251.NLS C:\Windows\System32\C_1253.NLS C:\Windows\System32\C_1254.NLS C:\Windows\System32\C_1256.NLS
C_*.NLS可能有出入,无关紧要。
之前在微博上请教过locale.nls的的映射路径,god_bless_me_pls、邱鹏先后给出nt!MmMapViewOfSection这个点。
假设知道locale.nls是通过如下路径映射进来的:
nt!MmMapViewOfSection nt!NtInitializeNlsFiles+0x118 nt!KiSystemServiceCopyEnd+0x13 ntdll!NtInitializeNlsFiles+0x14 ntdll!RtlGetLocaleFileMappingAddress+0x40 KERNELBASE!SetupMainNlsFiles+0x62 KERNELBASE!NlsProcessInitialize+0x35 KERNELBASE!BaseNlsDllInitialize+0x20 KERNELBASE!_KernelBaseBaseDllInitialize+0x3f6 KERNELBASE!KernelBaseDllInitialize+0xd ntdll!LdrpCallInitRoutine+0x6f ntdll!LdrpInitializeNode+0x15a ntdll!LdrpInitializeGraphRecurse+0x73 ntdll!LdrpInitializeGraphRecurse+0x99 ntdll!LdrpPrepareModuleForExecution+0xc5 ntdll!LdrpLoadDllInternal+0x19d ntdll!LdrpLoadDll+0x107 ntdll!LdrLoadDll+0x8c ntdll!LdrpInitializeProcess+0x19fc ntdll!_LdrpInitialize+0x4e393 ntdll!LdrpInitialize+0x3b ntdll!LdrInitializeThunk+0xe
提问,C_1256.NLS映射进来时,用户态调用栈回溯是什么?
问题本质是,如何设置断点尽快找到指定文件的映射路径。解决这个通用问题有助于提高生产力。可能有很多答案,找一个适用于自己所在上下文的就是。
2018-01-09 keenjoy95
本小节介绍keenjoy95如何拦截mspaint.exe进程空间中的C_*.NLS。
kd> !object \NLS Object: ffffe78452876490 Type: (ffffd60ee3e69f20) Directory ObjectHeader: ffffe78452876460 (new version) HandleCount: 0 PointerCount: 8 Directory Object: ffffe784528021b0 Name: NLS Hash Address Type Name ---- ------- ---- ---- 01 ffffe784583cb350 Section NlsSectionCP28591 08 ffffe78458eadf30 Section NlsSectionCP1254 09 ffffe78458dd1b70 Section NlsSectionCP1250 17 ffffe7845ae66310 Section NlsSectionCP1255 18 ffffe78458d2a8a0 Section NlsSectionCP1251 26 ffffe78458e50f20 Section NlsSectionCP1256 36 ffffe78458dd9550 Section NlsSectionCP1253
先用winobj看\NLS目录下Section对象的名字,形如”NlsSectionCP*”。在IDA中找到”\NLS\NlsSectionCP%d”,交叉引用nt!RtlpInitNlsSectionName,这个函数很简单,就是拼接SectionName。其父函数是nt!NtGetNlsSectionPtr,下面是其主要动作的逆向代码。
NTSTATUS NtGetNlsSectionPtr ( a1, unsigned int number, // rdx 比如1256 a3, a4, a5 ) { /* * SectionName最终形如"\NLS\NlsSectionCP1256",UNICODE_STRING */ RtlpInitNlsSectionName( x, number, x, x, &SectionName ); ObjectAttributes_0.Length = 0x30; ObjectAttributes_0.RootDirectory = 0; ObjectAttributes_0.Attributes = 0x2D0; ObjectAttributes_0.ObjectName = &SectionName; status = ZwOpenSection( &SectionHandle, 4, &ObjectAttributes_0 ); if ( !NT_SUCCESS( status ) ) { /* * FileName最终形如"\SystemRoot\System32\c_1256.nls",UNICODE_STRING */ RtlpInitNlsFileName( x, number, x, x, &FileName ); ObjectAttributes_1.Length = 0x30; ObjectAttributes_1.RootDirectory = 0; ObjectAttributes_1.Attributes = 0x240; ObjectAttributes_1.ObjectName = &FileName; ZwOpenFile( &FileHandle, 0x100000, &ObjectAttributes_1, x, 1, 0 ); ZwCreateSection( &SectionHandle, 4, &ObjectAttributes_0, 0, 2, 0x8000000, FileHandle ); ZwClose( FileHandle ); } ObReferenceObjectByHandle( SectionHandle, 0xF001F, MmSectionObjectType, 0, &Section, 0 ); ZwClose( SectionHandle ); MmMapViewOfSection ( Section, x, &BaseAddress, 0, 0, x, &ViewSize, 1, 0x400000, 2 ); ObfDereferenceObject( Section ); return( status ); }
为拦截C_1256.NLS的映射加载,设断:
bp nt!NtGetNlsSectionPtr ".if(@rdx!=0n1256){gc}" nt!NtGetNlsSectionPtr nt!KiSystemServiceCopyEnd+0x13 ntdll!NtGetNlsSectionPtr+0x14 KERNELBASE!GetCPHashNode+0xe1 KERNELBASE!NlsGetACPFromLocale+0x41 KERNELBASE!GetLocaleInfoA+0xb0 msvcrt!_report_rangecheckfailure+0x365 KERNELBASE!Internal_EnumSystemLocales+0x3b1 KERNELBASE!EnumSystemLocalesA+0x1b msvcrt!_report_rangecheckfailure+0x236 msvcrt!_get_qualified_locale+0x91 msvcrt!expandlocale+0x150 msvcrt!get_current_locale+0x46d msvcrt!setlocale+0xb8 msvcrt!wsetlocale+0xdb mspaint!CPBApp::OnLocaleChange+0x14d mspaint!CPBApp::InitInstance+0xf6 MFC42u!AfxWinMain+0x83 mspaint!__wmainCRTStartup+0x1c7 KERNEL32!BaseThreadInitThunk+0x14 ntdll!RtlUserThreadStart+0x21
这个趣味调试题没有所谓标准答案。主要是提醒大家,这是一个通用需求,如果你找到适合自己上下文的通用解决方案,将极大地提高生产力。
好吧,我对我司blog的编辑模板已经绝望了,无格式都做不到,自动删除打头空格。