在 windows 64 位系统上用内核调试器在 IA32_LSTAR MSR 所指向的 SYSCALL 入口上设置断点时,为什么会出现 DoubleFault?(KVASCODE 节)
Why do I get a DoubleFault when I set a break point on IA32_LSTAR MSR for SYSCALL on windows 64 bit with a kernel debugger? (KVASCODE section)
TLDR:为什么可以在 windows 内核的 .text 节设置断点,而在 KVAS 节却不行?
所以据我所知 (afaik) IA32_LSTAR 应该保存 KiSystemCall64/KiSystemCall64Shadow 的地址。于是就在对 ntdll 进行系统调用之前,我把它转储出来,并在跟踪时在该地址 (KiSystemCall64Shadow) 上设置断点;在 windbg 中用 p 单步时我得到一个错误检查 (DOUBLE_FAULT),这是为什么?
我应该提到整个过程都在 VM 中进行,因此我可以对应用程序进行内核调试
!analyze -v 的输出:
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
BUGCHECK_CODE: 7f
BUGCHECK_P1: 8
BUGCHECK_P2: ffff8c81d09dce50
BUGCHECK_P3: 66011c9020
BUGCHECK_P4: fffff80216a05000
BAD_STACK_POINTER: ffff8c81d09dc558
PROCESS_NAME: notepad.exe
SYMBOL_NAME: nt!KiDoubleFaultAbort+2c3
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
调用堆栈:
kd> k
# Child-SP RetAddr Call Site
00 ffffbb81`a9bdc558 fffff803`80112b12 nt!DbgBreakPointWithStatus
01 ffffbb81`a9bdc560 fffff803`801120f6 nt!KiBugCheckDebugBreak+0x12
02 ffffbb81`a9bdc5c0 fffff803`7fff72b7 nt!KeBugCheck2+0x946
03 ffffbb81`a9bdccd0 fffff803`80009169 nt!KeBugCheckEx+0x107
04 ffffbb81`a9bdcd10 fffff803`80003f83 nt!KiBugCheckDispatch+0x69
05 ffffbb81`a9bdce50 fffff803`80005000 nt!KiDoubleFaultAbort+0x2c3
06 000000b9`51479010 fffff803`80005000 nt!KiPageFault
07 000000b9`51479040 fffff803`80005000 nt!KiPageFault
08 000000b9`51479070 fffff803`80005000 nt!KiPageFault
09 000000b9`514790a0 fffff803`80005000 nt!KiPageFault
0a 000000b9`514790d0 fffff803`80005000 nt!KiPageFault
0b 000000b9`51479100 fffff803`80005000 nt!KiPageFault
0c 000000b9`51479130 fffff803`80005000 nt!KiPageFault
0d 000000b9`51479160 fffff803`80005000 nt!KiPageFault
0e 000000b9`51479190 fffff803`80005000 nt!KiPageFault
0f 000000b9`514791c0 fffff803`80005000 nt!KiPageFault
10 000000b9`514791f0 fffff803`80005000 nt!KiPageFault
11 000000b9`51479220 fffff803`80005000 nt!KiPageFault
12 000000b9`51479250 fffff803`80005000 nt!KiPageFault
13 000000b9`51479280 fffff803`80005000 nt!KiPageFault
14 000000b9`514792b0 fffff803`80005000 nt!KiPageFault
15 000000b9`514792e0 fffff803`80005000 nt!KiPageFault
16 000000b9`51479310 fffff803`80005000 nt!KiPageFault
17 000000b9`51479340 fffff803`80005000 nt!KiPageFault
18 000000b9`51479370 fffff803`80005000 nt!KiPageFault
19 000000b9`514793a0 fffff803`80005000 nt!KiPageFault
1a 000000b9`514793d0 fffff803`80005000 nt!KiPageFault
1b 000000b9`51479400 fffff803`80005000 nt!KiPageFault
1c 000000b9`51479430 fffff803`80005000 nt!KiPageFault
1d 000000b9`51479460 fffff803`80005000 nt!KiPageFault
1e 000000b9`51479490 fffff803`80005000 nt!KiPageFault
1f 000000b9`514794c0 fffff803`80005000 nt!KiPageFault
20 000000b9`514794f0 fffff803`80005000 nt!KiPageFault
21 000000b9`51479520 fffff803`80005000 nt!KiPageFault
22 000000b9`51479550 fffff803`80005000 nt!KiPageFault
23 000000b9`51479580 fffff803`80005000 nt!KiPageFault
24 000000b9`514795b0 fffff803`80005000 nt!KiPageFault
25 000000b9`514795e0 fffff803`80005000 nt!KiPageFault
26 000000b9`51479610 fffff803`80005000 nt!KiPageFault
27 000000b9`51479640 fffff803`80005000 nt!KiPageFault
28 000000b9`51479670 fffff803`80005000 nt!KiPageFault
29 000000b9`514796a0 fffff803`80005000 nt!KiPageFault
2a 000000b9`514796d0 fffff803`80005000 nt!KiPageFault
2b 000000b9`51479700 fffff803`80005000 nt!KiPageFault
2c 000000b9`51479730 fffff803`80005000 nt!KiPageFault
2d 000000b9`51479760 fffff803`80005000 nt!KiPageFault
2e 000000b9`51479790 fffff803`80005000 nt!KiPageFault
2f 000000b9`514797c0 fffff803`80005000 nt!KiPageFault
30 000000b9`514797f0 fffff803`80005000 nt!KiPageFault
31 000000b9`51479820 fffff803`80005000 nt!KiPageFault
32 000000b9`51479850 fffff803`80005000 nt!KiPageFault
33 000000b9`51479880 fffff803`80005000 nt!KiPageFault
34 000000b9`514798b0 fffff803`80005000 nt!KiPageFault
35 000000b9`514798e0 fffff803`80005000 nt!KiPageFault
36 000000b9`51479910 fffff803`80005000 nt!KiPageFault
37 000000b9`51479940 fffff803`80005000 nt!KiPageFault
38 000000b9`51479970 fffff803`80005000 nt!KiPageFault
39 000000b9`514799a0 fffff803`80005000 nt!KiPageFault
3a 000000b9`514799d0 fffff803`80005000 nt!KiPageFault
3b 000000b9`51479a00 fffff803`80005000 nt!KiPageFault
3c 000000b9`51479a30 fffff803`80005000 nt!KiPageFault
3d 000000b9`51479a60 fffff803`80005000 nt!KiPageFault
3e 000000b9`51479a90 fffff803`80005000 nt!KiPageFault
3f 000000b9`51479ac0 fffff803`80005000 nt!KiPageFault
40 000000b9`51479af0 fffff803`80005000 nt!KiPageFault
41 000000b9`51479b20 fffff803`80005000 nt!KiPageFault
42 000000b9`51479b50 fffff803`80005000 nt!KiPageFault
43 000000b9`51479b80 fffff803`80005000 nt!KiPageFault
44 000000b9`51479bb0 fffff803`80005000 nt!KiPageFault
45 000000b9`51479be0 fffff803`80005000 nt!KiPageFault
46 000000b9`51479c10 fffff803`80005000 nt!KiPageFault
47 000000b9`51479c40 fffff803`80005000 nt!KiPageFault
48 000000b9`51479c70 fffff803`80005000 nt!KiPageFault
49 000000b9`51479ca0 fffff803`80005000 nt!KiPageFault
4a 000000b9`51479cd0 fffff803`80005000 nt!KiPageFault
4b 000000b9`51479d00 fffff803`80005000 nt!KiPageFault
4c 000000b9`51479d30 fffff803`80005000 nt!KiPageFault
4d 000000b9`51479d60 fffff803`80005000 nt!KiPageFault
4e 000000b9`51479d90 fffff803`80005000 nt!KiPageFault
4f 000000b9`51479dc0 fffff803`80005000 nt!KiPageFault
50 000000b9`51479df0 fffff803`80005000 nt!KiPageFault
51 000000b9`51479e20 fffff803`80005000 nt!KiPageFault
52 000000b9`51479e50 fffff803`80005000 nt!KiPageFault
53 000000b9`51479e80 fffff803`80005000 nt!KiPageFault
54 000000b9`51479eb0 fffff803`80005000 nt!KiPageFault
55 000000b9`51479ee0 fffff803`80005000 nt!KiPageFault
56 000000b9`51479f10 fffff803`80005000 nt!KiPageFault
57 000000b9`51479f40 fffff803`80005000 nt!KiPageFault
58 000000b9`51479f70 fffff803`80005000 nt!KiPageFault
59 000000b9`51479fa0 fffff803`80005000 nt!KiPageFault
5a 000000b9`51479fd0 fffff803`80005000 nt!KiPageFault
5b 000000b9`5147a000 fffff803`80005000 nt!KiPageFault
5c 000000b9`5147a030 fffff803`80005000 nt!KiPageFault
5d 000000b9`5147a060 fffff803`80005000 nt!KiPageFault
5e 000000b9`5147a090 fffff803`80005000 nt!KiPageFault
5f 000000b9`5147a0c0 fffff803`80005000 nt!KiPageFault
60 000000b9`5147a0f0 fffff803`80005000 nt!KiPageFault
61 000000b9`5147a120 fffff803`80005000 nt!KiPageFault
62 000000b9`5147a150 fffff803`80005000 nt!KiPageFault
63 000000b9`5147a180 fffff803`80005000 nt!KiPageFault
64 000000b9`5147a1b0 fffff803`80005000 nt!KiPageFault
65 000000b9`5147a1e0 fffff803`80005000 nt!KiPageFault
66 000000b9`5147a210 fffff803`80005000 nt!KiPageFault
67 000000b9`5147a240 fffff803`80005000 nt!KiPageFault
68 000000b9`5147a270 fffff803`80005000 nt!KiPageFault
69 000000b9`5147a2a0 fffff803`80005000 nt!KiPageFault
6a 000000b9`5147a2d0 fffff803`80005000 nt!KiPageFault
6b 000000b9`5147a300 fffff803`80005000 nt!KiPageFault
6c 000000b9`5147a330 fffff803`80005000 nt!KiPageFault
6d 000000b9`5147a360 fffff803`80005000 nt!KiPageFault
6e 000000b9`5147a390 fffff803`80005000 nt!KiPageFault
6f 000000b9`5147a3c0 fffff803`80005000 nt!KiPageFault
70 000000b9`5147a3f0 fffff803`80005000 nt!KiPageFault
71 000000b9`5147a420 fffff803`80005000 nt!KiPageFault
72 000000b9`5147a450 fffff803`80005000 nt!KiPageFault
73 000000b9`5147a480 fffff803`80005000 nt!KiPageFault
74 000000b9`5147a4b0 fffff803`80005000 nt!KiPageFault
75 000000b9`5147a4e0 fffff803`80005000 nt!KiPageFault
76 000000b9`5147a510 fffff803`80005000 nt!KiPageFault
77 000000b9`5147a540 fffff803`80005000 nt!KiPageFault
78 000000b9`5147a570 fffff803`80005000 nt!KiPageFault
79 000000b9`5147a5a0 fffff803`80005000 nt!KiPageFault
7a 000000b9`5147a5d0 fffff803`80005000 nt!KiPageFault
7b 000000b9`5147a600 fffff803`80005000 nt!KiPageFault
7c 000000b9`5147a630 fffff803`80005000 nt!KiPageFault
7d 000000b9`5147a660 fffff803`80005000 nt!KiPageFault
7e 000000b9`5147a690 fffff803`80005000 nt!KiPageFault
7f 000000b9`5147a6c0 fffff803`80005000 nt!KiPageFault
80 000000b9`5147a6f0 fffff803`80005000 nt!KiPageFault
81 000000b9`5147a720 fffff803`80005000 nt!KiPageFault
82 000000b9`5147a750 fffff803`80005000 nt!KiPageFault
83 000000b9`5147a780 fffff803`80005000 nt!KiPageFault
84 000000b9`5147a7b0 fffff803`80005000 nt!KiPageFault
85 000000b9`5147a7e0 fffff803`80005000 nt!KiPageFault
86 000000b9`5147a810 fffff803`80005000 nt!KiPageFault
87 000000b9`5147a840 fffff803`80005000 nt!KiPageFault
88 000000b9`5147a870 fffff803`80005000 nt!KiPageFault
89 000000b9`5147a8a0 fffff803`80005000 nt!KiPageFault
8a 000000b9`5147a8d0 fffff803`80005000 nt!KiPageFault
8b 000000b9`5147a900 fffff803`80005000 nt!KiPageFault
8c 000000b9`5147a930 fffff803`80005000 nt!KiPageFault
8d 000000b9`5147a960 fffff803`80005000 nt!KiPageFault
8e 000000b9`5147a990 fffff803`80005000 nt!KiPageFault
8f 000000b9`5147a9c0 fffff803`80005000 nt!KiPageFault
90 000000b9`5147a9f0 fffff803`80005000 nt!KiPageFault
91 000000b9`5147aa20 fffff803`80005000 nt!KiPageFault
92 000000b9`5147aa50 fffff803`80005000 nt!KiPageFault
93 000000b9`5147aa80 fffff803`80005000 nt!KiPageFault
94 000000b9`5147aab0 fffff803`80005000 nt!KiPageFault
95 000000b9`5147aae0 fffff803`80005000 nt!KiPageFault
96 000000b9`5147ab10 fffff803`80005000 nt!KiPageFault
97 000000b9`5147ab40 fffff803`80005000 nt!KiPageFault
98 000000b9`5147ab70 fffff803`80005000 nt!KiPageFault
99 000000b9`5147aba0 fffff803`80005000 nt!KiPageFault
9a 000000b9`5147abd0 fffff803`80005000 nt!KiPageFault
9b 000000b9`5147ac00 fffff803`80005000 nt!KiPageFault
9c 000000b9`5147ac30 fffff803`80005000 nt!KiPageFault
9d 000000b9`5147ac60 fffff803`80005000 nt!KiPageFault
9e 000000b9`5147ac90 fffff803`80005000 nt!KiPageFault
9f 000000b9`5147acc0 fffff803`80005000 nt!KiPageFault
a0 000000b9`5147acf0 fffff803`80005000 nt!KiPageFault
a1 000000b9`5147ad20 fffff803`80005000 nt!KiPageFault
a2 000000b9`5147ad50 fffff803`80005000 nt!KiPageFault
a3 000000b9`5147ad80 fffff803`80005000 nt!KiPageFault
a4 000000b9`5147adb0 fffff803`80005000 nt!KiPageFault
a5 000000b9`5147ade0 fffff803`80005000 nt!KiPageFault
a6 000000b9`5147ae10 fffff803`80005000 nt!KiPageFault
a7 000000b9`5147ae40 fffff803`80005000 nt!KiPageFault
a8 000000b9`5147ae70 fffff803`80005000 nt!KiPageFault
a9 000000b9`5147aea0 fffff803`80005000 nt!KiPageFault
aa 000000b9`5147aed0 fffff803`80005000 nt!KiPageFault
ab 000000b9`5147af00 fffff803`80005000 nt!KiPageFault
ac 000000b9`5147af30 fffff803`80005000 nt!KiPageFault
ad 000000b9`5147af60 fffff803`80005000 nt!KiPageFault
ae 000000b9`5147af90 fffff803`80005000 nt!KiPageFault
af 000000b9`5147afc0 fffff803`80005000 nt!KiPageFault
b0 000000b9`5147aff0 fffff803`80005000 nt!KiPageFault
b1 000000b9`5147b020 fffff803`80005000 nt!KiPageFault
b2 000000b9`5147b050 fffff803`80005000 nt!KiPageFault
b3 000000b9`5147b080 fffff803`80005000 nt!KiPageFault
b4 000000b9`5147b0b0 fffff803`80005000 nt!KiPageFault
b5 000000b9`5147b0e0 fffff803`80005000 nt!KiPageFault
b6 000000b9`5147b110 fffff803`80005000 nt!KiPageFault
b7 000000b9`5147b140 fffff803`80005000 nt!KiPageFault
b8 000000b9`5147b170 fffff803`80005000 nt!KiPageFault
b9 000000b9`5147b1a0 fffff803`80005000 nt!KiPageFault
ba 000000b9`5147b1d0 fffff803`80005000 nt!KiPageFault
bb 000000b9`5147b200 fffff803`80005000 nt!KiPageFault
bc 000000b9`5147b230 fffff803`80005000 nt!KiPageFault
bd 000000b9`5147b260 fffff803`80005000 nt!KiPageFault
be 000000b9`5147b290 fffff803`80005000 nt!KiPageFault
bf 000000b9`5147b2c0 fffff803`80005000 nt!KiPageFault
c0 000000b9`5147b2f0 fffff803`80005000 nt!KiPageFault
c1 000000b9`5147b320 fffff803`80005000 nt!KiPageFault
c2 000000b9`5147b350 fffff803`80005000 nt!KiPageFault
c3 000000b9`5147b380 fffff803`80005000 nt!KiPageFault
c4 000000b9`5147b3b0 fffff803`80005000 nt!KiPageFault
c5 000000b9`5147b3e0 fffff803`80005000 nt!KiPageFault
c6 000000b9`5147b410 fffff803`80005000 nt!KiPageFault
c7 000000b9`5147b440 fffff803`80005000 nt!KiPageFault
c8 000000b9`5147b470 fffff803`80005000 nt!KiPageFault
c9 000000b9`5147b4a0 fffff803`80005000 nt!KiPageFault
ca 000000b9`5147b4d0 fffff803`80005000 nt!KiPageFault
cb 000000b9`5147b500 fffff803`80005000 nt!KiPageFault
cc 000000b9`5147b530 fffff803`80005000 nt!KiPageFault
cd 000000b9`5147b560 fffff803`80005000 nt!KiPageFault
ce 000000b9`5147b590 fffff803`80005000 nt!KiPageFault
cf 000000b9`5147b5c0 fffff803`80005000 nt!KiPageFault
d0 000000b9`5147b5f0 fffff803`80005000 nt!KiPageFault
d1 000000b9`5147b620 fffff803`80005000 nt!KiPageFault
d2 000000b9`5147b650 fffff803`80005000 nt!KiPageFault
d3 000000b9`5147b680 fffff803`80005000 nt!KiPageFault
d4 000000b9`5147b6b0 fffff803`80005000 nt!KiPageFault
d5 000000b9`5147b6e0 fffff803`80005000 nt!KiPageFault
d6 000000b9`5147b710 fffff803`80005000 nt!KiPageFault
d7 000000b9`5147b740 fffff803`80005000 nt!KiPageFault
d8 000000b9`5147b770 fffff803`80005000 nt!KiPageFault
d9 000000b9`5147b7a0 fffff803`80005000 nt!KiPageFault
da 000000b9`5147b7d0 fffff803`80005000 nt!KiPageFault
db 000000b9`5147b800 fffff803`80005000 nt!KiPageFault
dc 000000b9`5147b830 fffff803`80005000 nt!KiPageFault
dd 000000b9`5147b860 fffff803`80005000 nt!KiPageFault
de 000000b9`5147b890 fffff803`80005000 nt!KiPageFault
df 000000b9`5147b8c0 fffff803`80005000 nt!KiPageFault
e0 000000b9`5147b8f0 fffff803`80005000 nt!KiPageFault
e1 000000b9`5147b920 fffff803`80005000 nt!KiPageFault
e2 000000b9`5147b950 fffff803`80005000 nt!KiPageFault
e3 000000b9`5147b980 fffff803`80005000 nt!KiPageFault
e4 000000b9`5147b9b0 fffff803`80005000 nt!KiPageFault
e5 000000b9`5147b9e0 fffff803`80005000 nt!KiPageFault
e6 000000b9`5147ba10 fffff803`80005000 nt!KiPageFault
e7 000000b9`5147ba40 fffff803`80005000 nt!KiPageFault
e8 000000b9`5147ba70 fffff803`80005000 nt!KiPageFault
e9 000000b9`5147baa0 fffff803`80005000 nt!KiPageFault
ea 000000b9`5147bad0 fffff803`80005000 nt!KiPageFault
eb 000000b9`5147bb00 fffff803`80005000 nt!KiPageFault
ec 000000b9`5147bb30 fffff803`80005000 nt!KiPageFault
ed 000000b9`5147bb60 fffff803`80005000 nt!KiPageFault
ee 000000b9`5147bb90 fffff803`80005000 nt!KiPageFault
ef 000000b9`5147bbc0 fffff803`80005000 nt!KiPageFault
f0 000000b9`5147bbf0 fffff803`80005000 nt!KiPageFault
f1 000000b9`5147bc20 fffff803`80005000 nt!KiPageFault
f2 000000b9`5147bc50 fffff803`80005000 nt!KiPageFault
f3 000000b9`5147bc80 fffff803`80005000 nt!KiPageFault
f4 000000b9`5147bcb0 fffff803`80005000 nt!KiPageFault
f5 000000b9`5147bce0 fffff803`80005000 nt!KiPageFault
f6 000000b9`5147bd10 fffff803`80005000 nt!KiPageFault
f7 000000b9`5147bd40 fffff803`80005000 nt!KiPageFault
f8 000000b9`5147bd70 fffff803`80005000 nt!KiPageFault
f9 000000b9`5147bda0 fffff803`80005000 nt!KiPageFault
fa 000000b9`5147bdd0 fffff803`80005000 nt!KiPageFault
fb 000000b9`5147be00 fffff803`80005000 nt!KiPageFault
fc 000000b9`5147be30 fffff803`80005000 nt!KiPageFault
fd 000000b9`5147be60 fffff803`80005000 nt!KiPageFault
fe 000000b9`5147be90 fffff803`80005000 nt!KiPageFault
ff 000000b9`5147bec0 fffff803`80005000 nt!KiPageFault
内核模式中断入口通过检查堆栈上 CS 的最低位 (CPL) 来判断中断来自用户模式还是内核模式,只有在中断来自用户模式时才执行 SWAPGS 指令;否则假定 GS 中已经是正确的值——在用户模式下 GS 指向 TEB,在内核模式下指向 KPCR。
例如:
;; KiDebugServiceTrapShadow — KVA-shadow (KVASCODE) entry stub for the debug-service trap.
;; On entry rsp points at the hardware trap frame: [rsp] = Rip, [rsp+8] = Cs.
;; The stub decides one thing: whether GS still has to be swapped. The low bit of Cs
;; (CPL) is taken as proof of where the trap came from; for CPL==0 it trusts that GS
;; already holds the kernel (KPCR) base and skips swapgs. That trust is exactly what a
;; breakpoint placed before KiSystemCall64's own swapgs violates: Cs is already kernel
;; there, but GS is still the user-mode base.
KiDebugServiceTrapShadow
test byte ptr [rsp+8],1 ;; if (!(Cs & 1) )
je @@kernel_mode
;; trap from user mode: GS currently holds the user (TEB) base, switch to the kernel one
swapgs ;; only in case Cs from user mode !
lfence ;; presumably a speculation barrier after the CPL-dependent branch (not stated on this page)
.... ; some code
jmp KiDebugServiceTrap(FFFFF80527807780)
@@kernel_mode:
;; trap from kernel mode: no swapgs — GS is assumed to be the KPCR base already
lfence
jmp KiDebugServiceTrap(FFFFF80527807780)
以及它的跳转目标:
;; KiDebugServiceTrap — common debug-service trap handler, reached from the shadow stub
;; (with KVA shadowing) or directly. It builds the trap frame and then decides, again
;; by Cs & 1, whether a swapgs is still owed. Frame arithmetic used below: after
;; sub rsp,8 / push rbp / sub rsp,158h and rbp = rsp+80h, the saved Cs sits at
;; [rbp+0F0h] (the author's (f0+80)-(158+8+8) == 8 == Cs offset in the hardware frame).
KiDebugServiceTrap
;; advance the saved Rip by one byte — presumably steps over a trailing one-byte
;; instruction; the page does not say which, verify against the real handler
inc qword ptr [rsp]
cmp word ptr [rsp+8],23h ;; Cs==23 ? this mean 32 bit code
jne @@64bit
and dword ptr [rsp+4],0 ;; zero high 32 bit of Rip for 32 bit code
@@64bit:
;; reserve the slot a hardware error code would occupy, so this frame has the same
;; layout as the exception entries that do receive one (compare KiPageFault)
sub rsp,8
push rbp
sub rsp,158h
lea rbp,[rsp+80h]
mov byte ptr [rbp-55h],1
;; spill the volatile registers into the trap frame
mov qword ptr [rbp-50h],rax
mov qword ptr [rbp-48h],rcx
mov qword ptr [rbp-40h],rdx
mov qword ptr [rbp-38h],r8
mov qword ptr [rbp-30h],r9
mov qword ptr [rbp-28h],r10
mov qword ptr [rbp-20h],r11
;; Mode decision. Everything on the fall-through (kernel-mode) path dereferences
;; gs:[...] WITHOUT a swapgs, so it is only correct if GS already holds the KPCR
;; base. A trap taken at the first byte of KiSystemCall64 has Cs already kernel but
;; GS still the user-mode (TEB) base: the gs:[278h] / gs:[CurrentThread] reads below
;; then address the wrong structure and fault — the start of the recursive
;; KiPageFault chain in the dump.
test byte ptr [rbp+0F0h],1 ;; if (Cs & 1) // (f0+80)-(158+8+8)==8 - Cs here
jne @@user_mode
lfence
test byte ptr gs:[278h],1 ;; assume that gs -> KPCR (KPCR.BpbCpuIdle checked)
jne @@1
lfence
jmp @@0 ;; @@0 = join point after the mode check, not shown in this paste
@@1:
;; ecx=48h selects IA32_SPEC_CTRL; edx:eax = 0:KPCR.BpbCurrentSpecCtrl, i.e. the
;; kernel re-applies its own speculation-control value on this kernel-mode entry path
movzx eax,byte ptr gs:[27Ah] ;; KPCR.BpbCurrentSpecCtrl
mov ecx,48h
xor edx,edx
wrmsr
jmp @@0
@@user_mode:
;; With KVA shadowing on (KiKvaShadow != 0) the swapgs was already done by the shadow
;; stub, so it is skipped here; otherwise this is where GS is switched to the KPCR base.
test byte ptr [KiKvaShadow],1
jne @@x
swapgs ;; !!!
@@x:
lfence
;; first gs-relative reads that rely on GS == KPCR base
mov r10,qword ptr gs:[CurrentThread]
mov rcx,qword ptr gs:[CurrentThread]
....
所以错误的根源在于:中断已经来自内核模式,但 GS 的值仍然是用户模式的值。在这种情况下内核不执行 SWAPGS,而是直接使用当前的 GS 值(对内核来说它是错误的),它指向了错误的结构——结果就是页面错误,于是 KiPageFault 被执行。
同样地——swapgs 仅在故障来自用户模式时才执行:
;; KiPageFault — page-fault handler entry; same frame build and CPL-based mode check
;; as KiDebugServiceTrap. There is no sub rsp,8 here: with rbp = rsp+80h after
;; push rbp / sub rsp,158h, [rbp+0F0h] lands on Cs only if the hardware already
;; pushed one extra qword (the #PF error code) below Rip — which is what the
;; sub rsp,8 in KiDebugServiceTrap substitutes for.
;;
;; NOTE(review): in the dump, frames 06..ff all show RetAddr == KiPageFault+0 and
;; Child-SP values exactly 0x30 apart (one hardware frame: error code + Rip, Cs,
;; Rflags, Rsp, Ss). That is consistent with each nested fault being raised at the
;; very first instruction of KiPageFault, not at a gs:[...] read inside its body
;; (a fault there would leave the frames 0x160+0x30 apart, with Rip inside the
;; function). One reading: the shadow stub saw CPL==0, skipped both swapgs and
;; whatever address-space switch the KVA-shadow path normally performs, and jumped
;; to this non-KVASCODE address while the kernel .text was not reachable — the same
;; root cause the text describes (entry code trusts CPL as proof that the mode
;; switch already happened), just a different faulting access. Worth confirming
;; with .trap on one of those frames, as the bugcheck text itself suggests.
KiPageFault
push rbp
sub rsp,158h
lea rbp,[rsp+80h]
mov byte ptr [rbp-55h],1
;; spill the volatile registers into the trap frame
mov qword ptr [rbp-50h],rax
mov qword ptr [rbp-48h],rcx
mov qword ptr [rbp-40h],rdx
mov qword ptr [rbp-38h],r8
mov qword ptr [rbp-30h],r9
mov qword ptr [rbp-28h],r10
mov qword ptr [rbp-20h],r11
;; Mode decision: the fall-through (kernel-mode) path never executes swapgs, so every
;; gs:[...] access below is only correct if GS is already the KPCR base.
test byte ptr [rbp+0F0h],1 ;; if (Cs & 1)
jne @@user_mode
lfence
test byte ptr gs:[278h],1 ;; KPCR.BpbCpuIdle, per the KiDebugServiceTrap listing
;; (target printed as a raw address plus a stray " v" in this paste; it is the @@1 block below)
jne FFFFF80527804B4F v
lfence
jmp @@0 ;; @@0 = join point after the mode check, not shown in this paste
@@1
;; ecx=48h selects IA32_SPEC_CTRL; edx:eax = 0:KPCR.BpbCurrentSpecCtrl
movzx eax,byte ptr gs:[27Ah]
mov ecx,48h
xor edx,edx
wrmsr
jmp @@0
@@user_mode:
;; with KVA shadowing on, the shadow stub already did the swapgs — skip it here
test byte ptr [KiKvaShadow],1
jne @@x
swapgs ;; !! only in case fault from user mode
;; (the @@x label targeted above is not shown in this paste; it is this lfence)
lfence
mov r10,qword ptr gs:[CurrentThread]
结果是递归的故障(错误的内存访问),如此反复,直到堆栈空间耗尽,最终产生双重故障。请注意所有 nt!KiPageFault 帧的 Child-SP 都是用户模式地址!这是因为 syscall 指令本身不会把堆栈切换到内核栈(需要由入口代码手动完成),而中断也不会切换堆栈——因为 CPU 已经处于内核模式。只有当前堆栈中再也没有空间时,才会发生双重故障并切换堆栈:
05 ffffbb81`a9bdce50 fffff803`80005000 nt!KiDoubleFaultAbort+0x2c3
06 000000b9`51479010 fffff803`80005000 nt!KiPageFault
b951479010 仍然是用户模式堆栈的值(显然 b951479000 是已分配堆栈区域的末端),而 ffffbb81a9bdce50 已经是内核模式堆栈。
最后看一下 KiSystemCall64 的代码:
;; KiSystemCall64 — syscall entry. State left by the syscall instruction: rcx = user
;; Rip, r11 = user rflags, Cs already the kernel selector (so CPL==0 from here on),
;; but rsp is STILL the user-mode stack and GS STILL the user-mode base. The first two
;; instructions repair both; until they have executed, any trap (a breakpoint, a page
;; fault) is handled by code that — judging only by CPL — will neither swapgs nor
;; switch stacks, which is the failure chain shown in the dump. Hence: no breakpoint
;; on the first byte; place it after the mov rsp,gs:[RspBase] below.
;; (With KVA shadowing, IA32_LSTAR points at the KiSystemCall64Shadow stub that runs
;; before this code; that stub is not shown on this page.)
KiSystemCall64
swapgs
mov qword ptr gs:[UserRsp],rsp ;; stash the user rsp in the KPCR
mov rsp,qword ptr gs:[RspBase] ;; switch to the kernel stack
;; build a trap frame (Ss, Rsp, Rflags, Cs, Rip) in the layout the exception entries consume
push 2Bh ;; user mode Ss
push qword ptr gs:[UserRsp]
push r11 ;; rflags
push 33h ;; user mode Cs for 64bit code
push rcx ;; rip from user mode
mov rcx,r10 ;; syscall clobbered rcx with the return Rip; r10 presumably carries the first argument
sub rsp,8 ;; presumably the error-code slot, matching sub rsp,8 in KiDebugServiceTrap
push rbp
sub rsp,158h
lea rbp,[rsp+80h]
所以它的第一个字节——位于 swapgs 和切换到内核堆栈 (mov rsp,qword ptr gs:[RspBase]) 之前——不是设置断点的有效位置;只能在这条指令之后设置断点!
TLDR:为什么可以在 windows 内核的 .text 节设置断点,而在 KVAS 节却不行?
所以据我所知 (afaik) IA32_LSTAR 应该保存 KiSystemCall64/KiSystemCall64Shadow 的地址。于是就在对 ntdll 进行系统调用之前,我把它转储出来,并在跟踪时在该地址 (KiSystemCall64Shadow) 上设置断点;在 windbg 中用 p 单步时我得到一个错误检查 (DOUBLE_FAULT),这是为什么?
我应该提到整个过程都在 VM 中进行,因此我可以对应用程序进行内核调试
!analyze -v 的输出:
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
BUGCHECK_CODE: 7f
BUGCHECK_P1: 8
BUGCHECK_P2: ffff8c81d09dce50
BUGCHECK_P3: 66011c9020
BUGCHECK_P4: fffff80216a05000
BAD_STACK_POINTER: ffff8c81d09dc558
PROCESS_NAME: notepad.exe
SYMBOL_NAME: nt!KiDoubleFaultAbort+2c3
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
调用堆栈:
kd> k
# Child-SP RetAddr Call Site
00 ffffbb81`a9bdc558 fffff803`80112b12 nt!DbgBreakPointWithStatus
01 ffffbb81`a9bdc560 fffff803`801120f6 nt!KiBugCheckDebugBreak+0x12
02 ffffbb81`a9bdc5c0 fffff803`7fff72b7 nt!KeBugCheck2+0x946
03 ffffbb81`a9bdccd0 fffff803`80009169 nt!KeBugCheckEx+0x107
04 ffffbb81`a9bdcd10 fffff803`80003f83 nt!KiBugCheckDispatch+0x69
05 ffffbb81`a9bdce50 fffff803`80005000 nt!KiDoubleFaultAbort+0x2c3
06 000000b9`51479010 fffff803`80005000 nt!KiPageFault
07 000000b9`51479040 fffff803`80005000 nt!KiPageFault
08 000000b9`51479070 fffff803`80005000 nt!KiPageFault
09 000000b9`514790a0 fffff803`80005000 nt!KiPageFault
0a 000000b9`514790d0 fffff803`80005000 nt!KiPageFault
0b 000000b9`51479100 fffff803`80005000 nt!KiPageFault
0c 000000b9`51479130 fffff803`80005000 nt!KiPageFault
0d 000000b9`51479160 fffff803`80005000 nt!KiPageFault
0e 000000b9`51479190 fffff803`80005000 nt!KiPageFault
0f 000000b9`514791c0 fffff803`80005000 nt!KiPageFault
10 000000b9`514791f0 fffff803`80005000 nt!KiPageFault
11 000000b9`51479220 fffff803`80005000 nt!KiPageFault
12 000000b9`51479250 fffff803`80005000 nt!KiPageFault
13 000000b9`51479280 fffff803`80005000 nt!KiPageFault
14 000000b9`514792b0 fffff803`80005000 nt!KiPageFault
15 000000b9`514792e0 fffff803`80005000 nt!KiPageFault
16 000000b9`51479310 fffff803`80005000 nt!KiPageFault
17 000000b9`51479340 fffff803`80005000 nt!KiPageFault
18 000000b9`51479370 fffff803`80005000 nt!KiPageFault
19 000000b9`514793a0 fffff803`80005000 nt!KiPageFault
1a 000000b9`514793d0 fffff803`80005000 nt!KiPageFault
1b 000000b9`51479400 fffff803`80005000 nt!KiPageFault
1c 000000b9`51479430 fffff803`80005000 nt!KiPageFault
1d 000000b9`51479460 fffff803`80005000 nt!KiPageFault
1e 000000b9`51479490 fffff803`80005000 nt!KiPageFault
1f 000000b9`514794c0 fffff803`80005000 nt!KiPageFault
20 000000b9`514794f0 fffff803`80005000 nt!KiPageFault
21 000000b9`51479520 fffff803`80005000 nt!KiPageFault
22 000000b9`51479550 fffff803`80005000 nt!KiPageFault
23 000000b9`51479580 fffff803`80005000 nt!KiPageFault
24 000000b9`514795b0 fffff803`80005000 nt!KiPageFault
25 000000b9`514795e0 fffff803`80005000 nt!KiPageFault
26 000000b9`51479610 fffff803`80005000 nt!KiPageFault
27 000000b9`51479640 fffff803`80005000 nt!KiPageFault
28 000000b9`51479670 fffff803`80005000 nt!KiPageFault
29 000000b9`514796a0 fffff803`80005000 nt!KiPageFault
2a 000000b9`514796d0 fffff803`80005000 nt!KiPageFault
2b 000000b9`51479700 fffff803`80005000 nt!KiPageFault
2c 000000b9`51479730 fffff803`80005000 nt!KiPageFault
2d 000000b9`51479760 fffff803`80005000 nt!KiPageFault
2e 000000b9`51479790 fffff803`80005000 nt!KiPageFault
2f 000000b9`514797c0 fffff803`80005000 nt!KiPageFault
30 000000b9`514797f0 fffff803`80005000 nt!KiPageFault
31 000000b9`51479820 fffff803`80005000 nt!KiPageFault
32 000000b9`51479850 fffff803`80005000 nt!KiPageFault
33 000000b9`51479880 fffff803`80005000 nt!KiPageFault
34 000000b9`514798b0 fffff803`80005000 nt!KiPageFault
35 000000b9`514798e0 fffff803`80005000 nt!KiPageFault
36 000000b9`51479910 fffff803`80005000 nt!KiPageFault
37 000000b9`51479940 fffff803`80005000 nt!KiPageFault
38 000000b9`51479970 fffff803`80005000 nt!KiPageFault
39 000000b9`514799a0 fffff803`80005000 nt!KiPageFault
3a 000000b9`514799d0 fffff803`80005000 nt!KiPageFault
3b 000000b9`51479a00 fffff803`80005000 nt!KiPageFault
3c 000000b9`51479a30 fffff803`80005000 nt!KiPageFault
3d 000000b9`51479a60 fffff803`80005000 nt!KiPageFault
3e 000000b9`51479a90 fffff803`80005000 nt!KiPageFault
3f 000000b9`51479ac0 fffff803`80005000 nt!KiPageFault
40 000000b9`51479af0 fffff803`80005000 nt!KiPageFault
41 000000b9`51479b20 fffff803`80005000 nt!KiPageFault
42 000000b9`51479b50 fffff803`80005000 nt!KiPageFault
43 000000b9`51479b80 fffff803`80005000 nt!KiPageFault
44 000000b9`51479bb0 fffff803`80005000 nt!KiPageFault
45 000000b9`51479be0 fffff803`80005000 nt!KiPageFault
46 000000b9`51479c10 fffff803`80005000 nt!KiPageFault
47 000000b9`51479c40 fffff803`80005000 nt!KiPageFault
48 000000b9`51479c70 fffff803`80005000 nt!KiPageFault
49 000000b9`51479ca0 fffff803`80005000 nt!KiPageFault
4a 000000b9`51479cd0 fffff803`80005000 nt!KiPageFault
4b 000000b9`51479d00 fffff803`80005000 nt!KiPageFault
4c 000000b9`51479d30 fffff803`80005000 nt!KiPageFault
4d 000000b9`51479d60 fffff803`80005000 nt!KiPageFault
4e 000000b9`51479d90 fffff803`80005000 nt!KiPageFault
4f 000000b9`51479dc0 fffff803`80005000 nt!KiPageFault
50 000000b9`51479df0 fffff803`80005000 nt!KiPageFault
51 000000b9`51479e20 fffff803`80005000 nt!KiPageFault
52 000000b9`51479e50 fffff803`80005000 nt!KiPageFault
53 000000b9`51479e80 fffff803`80005000 nt!KiPageFault
54 000000b9`51479eb0 fffff803`80005000 nt!KiPageFault
55 000000b9`51479ee0 fffff803`80005000 nt!KiPageFault
56 000000b9`51479f10 fffff803`80005000 nt!KiPageFault
57 000000b9`51479f40 fffff803`80005000 nt!KiPageFault
58 000000b9`51479f70 fffff803`80005000 nt!KiPageFault
59 000000b9`51479fa0 fffff803`80005000 nt!KiPageFault
5a 000000b9`51479fd0 fffff803`80005000 nt!KiPageFault
5b 000000b9`5147a000 fffff803`80005000 nt!KiPageFault
5c 000000b9`5147a030 fffff803`80005000 nt!KiPageFault
5d 000000b9`5147a060 fffff803`80005000 nt!KiPageFault
5e 000000b9`5147a090 fffff803`80005000 nt!KiPageFault
5f 000000b9`5147a0c0 fffff803`80005000 nt!KiPageFault
60 000000b9`5147a0f0 fffff803`80005000 nt!KiPageFault
61 000000b9`5147a120 fffff803`80005000 nt!KiPageFault
62 000000b9`5147a150 fffff803`80005000 nt!KiPageFault
63 000000b9`5147a180 fffff803`80005000 nt!KiPageFault
64 000000b9`5147a1b0 fffff803`80005000 nt!KiPageFault
65 000000b9`5147a1e0 fffff803`80005000 nt!KiPageFault
66 000000b9`5147a210 fffff803`80005000 nt!KiPageFault
67 000000b9`5147a240 fffff803`80005000 nt!KiPageFault
68 000000b9`5147a270 fffff803`80005000 nt!KiPageFault
69 000000b9`5147a2a0 fffff803`80005000 nt!KiPageFault
6a 000000b9`5147a2d0 fffff803`80005000 nt!KiPageFault
6b 000000b9`5147a300 fffff803`80005000 nt!KiPageFault
6c 000000b9`5147a330 fffff803`80005000 nt!KiPageFault
6d 000000b9`5147a360 fffff803`80005000 nt!KiPageFault
6e 000000b9`5147a390 fffff803`80005000 nt!KiPageFault
6f 000000b9`5147a3c0 fffff803`80005000 nt!KiPageFault
70 000000b9`5147a3f0 fffff803`80005000 nt!KiPageFault
71 000000b9`5147a420 fffff803`80005000 nt!KiPageFault
72 000000b9`5147a450 fffff803`80005000 nt!KiPageFault
73 000000b9`5147a480 fffff803`80005000 nt!KiPageFault
74 000000b9`5147a4b0 fffff803`80005000 nt!KiPageFault
75 000000b9`5147a4e0 fffff803`80005000 nt!KiPageFault
76 000000b9`5147a510 fffff803`80005000 nt!KiPageFault
77 000000b9`5147a540 fffff803`80005000 nt!KiPageFault
78 000000b9`5147a570 fffff803`80005000 nt!KiPageFault
79 000000b9`5147a5a0 fffff803`80005000 nt!KiPageFault
7a 000000b9`5147a5d0 fffff803`80005000 nt!KiPageFault
7b 000000b9`5147a600 fffff803`80005000 nt!KiPageFault
7c 000000b9`5147a630 fffff803`80005000 nt!KiPageFault
7d 000000b9`5147a660 fffff803`80005000 nt!KiPageFault
7e 000000b9`5147a690 fffff803`80005000 nt!KiPageFault
7f 000000b9`5147a6c0 fffff803`80005000 nt!KiPageFault
80 000000b9`5147a6f0 fffff803`80005000 nt!KiPageFault
81 000000b9`5147a720 fffff803`80005000 nt!KiPageFault
82 000000b9`5147a750 fffff803`80005000 nt!KiPageFault
83 000000b9`5147a780 fffff803`80005000 nt!KiPageFault
84 000000b9`5147a7b0 fffff803`80005000 nt!KiPageFault
85 000000b9`5147a7e0 fffff803`80005000 nt!KiPageFault
86 000000b9`5147a810 fffff803`80005000 nt!KiPageFault
87 000000b9`5147a840 fffff803`80005000 nt!KiPageFault
88 000000b9`5147a870 fffff803`80005000 nt!KiPageFault
89 000000b9`5147a8a0 fffff803`80005000 nt!KiPageFault
8a 000000b9`5147a8d0 fffff803`80005000 nt!KiPageFault
8b 000000b9`5147a900 fffff803`80005000 nt!KiPageFault
8c 000000b9`5147a930 fffff803`80005000 nt!KiPageFault
8d 000000b9`5147a960 fffff803`80005000 nt!KiPageFault
8e 000000b9`5147a990 fffff803`80005000 nt!KiPageFault
8f 000000b9`5147a9c0 fffff803`80005000 nt!KiPageFault
90 000000b9`5147a9f0 fffff803`80005000 nt!KiPageFault
91 000000b9`5147aa20 fffff803`80005000 nt!KiPageFault
92 000000b9`5147aa50 fffff803`80005000 nt!KiPageFault
93 000000b9`5147aa80 fffff803`80005000 nt!KiPageFault
94 000000b9`5147aab0 fffff803`80005000 nt!KiPageFault
95 000000b9`5147aae0 fffff803`80005000 nt!KiPageFault
96 000000b9`5147ab10 fffff803`80005000 nt!KiPageFault
97 000000b9`5147ab40 fffff803`80005000 nt!KiPageFault
98 000000b9`5147ab70 fffff803`80005000 nt!KiPageFault
99 000000b9`5147aba0 fffff803`80005000 nt!KiPageFault
9a 000000b9`5147abd0 fffff803`80005000 nt!KiPageFault
9b 000000b9`5147ac00 fffff803`80005000 nt!KiPageFault
9c 000000b9`5147ac30 fffff803`80005000 nt!KiPageFault
9d 000000b9`5147ac60 fffff803`80005000 nt!KiPageFault
9e 000000b9`5147ac90 fffff803`80005000 nt!KiPageFault
9f 000000b9`5147acc0 fffff803`80005000 nt!KiPageFault
a0 000000b9`5147acf0 fffff803`80005000 nt!KiPageFault
a1 000000b9`5147ad20 fffff803`80005000 nt!KiPageFault
a2 000000b9`5147ad50 fffff803`80005000 nt!KiPageFault
a3 000000b9`5147ad80 fffff803`80005000 nt!KiPageFault
a4 000000b9`5147adb0 fffff803`80005000 nt!KiPageFault
a5 000000b9`5147ade0 fffff803`80005000 nt!KiPageFault
a6 000000b9`5147ae10 fffff803`80005000 nt!KiPageFault
a7 000000b9`5147ae40 fffff803`80005000 nt!KiPageFault
a8 000000b9`5147ae70 fffff803`80005000 nt!KiPageFault
a9 000000b9`5147aea0 fffff803`80005000 nt!KiPageFault
aa 000000b9`5147aed0 fffff803`80005000 nt!KiPageFault
ab 000000b9`5147af00 fffff803`80005000 nt!KiPageFault
ac 000000b9`5147af30 fffff803`80005000 nt!KiPageFault
ad 000000b9`5147af60 fffff803`80005000 nt!KiPageFault
ae 000000b9`5147af90 fffff803`80005000 nt!KiPageFault
af 000000b9`5147afc0 fffff803`80005000 nt!KiPageFault
b0 000000b9`5147aff0 fffff803`80005000 nt!KiPageFault
b1 000000b9`5147b020 fffff803`80005000 nt!KiPageFault
b2 000000b9`5147b050 fffff803`80005000 nt!KiPageFault
b3 000000b9`5147b080 fffff803`80005000 nt!KiPageFault
b4 000000b9`5147b0b0 fffff803`80005000 nt!KiPageFault
b5 000000b9`5147b0e0 fffff803`80005000 nt!KiPageFault
b6 000000b9`5147b110 fffff803`80005000 nt!KiPageFault
b7 000000b9`5147b140 fffff803`80005000 nt!KiPageFault
b8 000000b9`5147b170 fffff803`80005000 nt!KiPageFault
b9 000000b9`5147b1a0 fffff803`80005000 nt!KiPageFault
ba 000000b9`5147b1d0 fffff803`80005000 nt!KiPageFault
bb 000000b9`5147b200 fffff803`80005000 nt!KiPageFault
bc 000000b9`5147b230 fffff803`80005000 nt!KiPageFault
bd 000000b9`5147b260 fffff803`80005000 nt!KiPageFault
be 000000b9`5147b290 fffff803`80005000 nt!KiPageFault
bf 000000b9`5147b2c0 fffff803`80005000 nt!KiPageFault
c0 000000b9`5147b2f0 fffff803`80005000 nt!KiPageFault
c1 000000b9`5147b320 fffff803`80005000 nt!KiPageFault
c2 000000b9`5147b350 fffff803`80005000 nt!KiPageFault
c3 000000b9`5147b380 fffff803`80005000 nt!KiPageFault
c4 000000b9`5147b3b0 fffff803`80005000 nt!KiPageFault
c5 000000b9`5147b3e0 fffff803`80005000 nt!KiPageFault
c6 000000b9`5147b410 fffff803`80005000 nt!KiPageFault
c7 000000b9`5147b440 fffff803`80005000 nt!KiPageFault
c8 000000b9`5147b470 fffff803`80005000 nt!KiPageFault
c9 000000b9`5147b4a0 fffff803`80005000 nt!KiPageFault
ca 000000b9`5147b4d0 fffff803`80005000 nt!KiPageFault
cb 000000b9`5147b500 fffff803`80005000 nt!KiPageFault
cc 000000b9`5147b530 fffff803`80005000 nt!KiPageFault
cd 000000b9`5147b560 fffff803`80005000 nt!KiPageFault
ce 000000b9`5147b590 fffff803`80005000 nt!KiPageFault
cf 000000b9`5147b5c0 fffff803`80005000 nt!KiPageFault
d0 000000b9`5147b5f0 fffff803`80005000 nt!KiPageFault
d1 000000b9`5147b620 fffff803`80005000 nt!KiPageFault
d2 000000b9`5147b650 fffff803`80005000 nt!KiPageFault
d3 000000b9`5147b680 fffff803`80005000 nt!KiPageFault
d4 000000b9`5147b6b0 fffff803`80005000 nt!KiPageFault
d5 000000b9`5147b6e0 fffff803`80005000 nt!KiPageFault
d6 000000b9`5147b710 fffff803`80005000 nt!KiPageFault
d7 000000b9`5147b740 fffff803`80005000 nt!KiPageFault
d8 000000b9`5147b770 fffff803`80005000 nt!KiPageFault
d9 000000b9`5147b7a0 fffff803`80005000 nt!KiPageFault
da 000000b9`5147b7d0 fffff803`80005000 nt!KiPageFault
db 000000b9`5147b800 fffff803`80005000 nt!KiPageFault
dc 000000b9`5147b830 fffff803`80005000 nt!KiPageFault
dd 000000b9`5147b860 fffff803`80005000 nt!KiPageFault
de 000000b9`5147b890 fffff803`80005000 nt!KiPageFault
df 000000b9`5147b8c0 fffff803`80005000 nt!KiPageFault
e0 000000b9`5147b8f0 fffff803`80005000 nt!KiPageFault
e1 000000b9`5147b920 fffff803`80005000 nt!KiPageFault
e2 000000b9`5147b950 fffff803`80005000 nt!KiPageFault
e3 000000b9`5147b980 fffff803`80005000 nt!KiPageFault
e4 000000b9`5147b9b0 fffff803`80005000 nt!KiPageFault
e5 000000b9`5147b9e0 fffff803`80005000 nt!KiPageFault
e6 000000b9`5147ba10 fffff803`80005000 nt!KiPageFault
e7 000000b9`5147ba40 fffff803`80005000 nt!KiPageFault
e8 000000b9`5147ba70 fffff803`80005000 nt!KiPageFault
e9 000000b9`5147baa0 fffff803`80005000 nt!KiPageFault
ea 000000b9`5147bad0 fffff803`80005000 nt!KiPageFault
eb 000000b9`5147bb00 fffff803`80005000 nt!KiPageFault
ec 000000b9`5147bb30 fffff803`80005000 nt!KiPageFault
ed 000000b9`5147bb60 fffff803`80005000 nt!KiPageFault
ee 000000b9`5147bb90 fffff803`80005000 nt!KiPageFault
ef 000000b9`5147bbc0 fffff803`80005000 nt!KiPageFault
f0 000000b9`5147bbf0 fffff803`80005000 nt!KiPageFault
f1 000000b9`5147bc20 fffff803`80005000 nt!KiPageFault
f2 000000b9`5147bc50 fffff803`80005000 nt!KiPageFault
f3 000000b9`5147bc80 fffff803`80005000 nt!KiPageFault
f4 000000b9`5147bcb0 fffff803`80005000 nt!KiPageFault
f5 000000b9`5147bce0 fffff803`80005000 nt!KiPageFault
f6 000000b9`5147bd10 fffff803`80005000 nt!KiPageFault
f7 000000b9`5147bd40 fffff803`80005000 nt!KiPageFault
f8 000000b9`5147bd70 fffff803`80005000 nt!KiPageFault
f9 000000b9`5147bda0 fffff803`80005000 nt!KiPageFault
fa 000000b9`5147bdd0 fffff803`80005000 nt!KiPageFault
fb 000000b9`5147be00 fffff803`80005000 nt!KiPageFault
fc 000000b9`5147be30 fffff803`80005000 nt!KiPageFault
fd 000000b9`5147be60 fffff803`80005000 nt!KiPageFault
fe 000000b9`5147be90 fffff803`80005000 nt!KiPageFault
ff 000000b9`5147bec0 fffff803`80005000 nt!KiPageFault
内核模式中断入口通过检查堆栈上 CS 的最低位 (CPL) 来判断中断来自用户模式还是内核模式,只有在中断来自用户模式时才执行 SWAPGS 指令;否则假定 GS 中已经是正确的值——在用户模式下 GS 指向 TEB,在内核模式下指向 KPCR。
;; KiDebugServiceTrapShadow — KVA-shadow (KVASCODE) entry stub for the debug-service trap.
;; On entry rsp points at the hardware trap frame: [rsp] = Rip, [rsp+8] = Cs.
;; The stub decides one thing: whether GS still has to be swapped. The low bit of Cs
;; (CPL) is taken as proof of where the trap came from; for CPL==0 it trusts that GS
;; already holds the kernel (KPCR) base and skips swapgs. That trust is exactly what a
;; breakpoint placed before KiSystemCall64's own swapgs violates: Cs is already kernel
;; there, but GS is still the user-mode base.
KiDebugServiceTrapShadow
test byte ptr [rsp+8],1 ;; if (!(Cs & 1) )
je @@kernel_mode
;; trap from user mode: GS currently holds the user (TEB) base, switch to the kernel one
swapgs ;; only in case Cs from user mode !
lfence ;; presumably a speculation barrier after the CPL-dependent branch (not stated on this page)
.... ; some code
jmp KiDebugServiceTrap(FFFFF80527807780)
@@kernel_mode:
;; trap from kernel mode: no swapgs — GS is assumed to be the KPCR base already
lfence
jmp KiDebugServiceTrap(FFFFF80527807780)
和
;; nt!KiDebugServiceTrap -- common handler reached from the shadow stub above.
;; On entry rsp points at the trap frame ([rsp] = Rip, [rsp+8] = Cs). The code
;; builds the kernel frame, saves the volatile registers, then tests the CPL
;; again: on the kernel-mode path it never executes swapgs and dereferences gs:
;; directly, which is only safe if GS already holds the kernel (KPCR) base.
KiDebugServiceTrap
inc qword ptr [rsp] ;; saved Rip += 1 (reason not shown in this excerpt; presumably steps past the 1-byte trap instruction -- confirm)
cmp word ptr [rsp+8],23h ;; Cs==23 ? this mean 32 bit code
jne @@64bit
and dword ptr [rsp+4],0 ;; zero high 32 bit of Rip for 32 bit code
@@64bit:
sub rsp,8 ;; one extra qword below the frame; accounted for in the Cs offset computed below
push rbp
sub rsp,158h ;; 0x158 bytes of frame locals
lea rbp,[rsp+80h] ;; rbp = frame base
mov byte ptr [rbp-55h],1 ;; frame flag byte (meaning not shown here)
mov qword ptr [rbp-50h],rax ;; save the volatile registers rax..r11 into the frame
mov qword ptr [rbp-48h],rcx
mov qword ptr [rbp-40h],rdx
mov qword ptr [rbp-38h],r8
mov qword ptr [rbp-30h],r9
mov qword ptr [rbp-28h],r10
mov qword ptr [rbp-20h],r11
test byte ptr [rbp+0F0h],1 ;; if (Cs & 1) // (f0+80)-(158+8+8)==8 - Cs here
jne @@user_mode
lfence ;; kernel-mode path: no swapgs
test byte ptr gs:[278h],1 ;; assume that gs -> KPCR (KPCR.BpbCpuIdle checked) -- first gs: access; faults if GS still holds the user base
jne @@1
lfence
jmp @@0 ;; @@0 is outside this excerpt
@@1:
movzx eax,byte ptr gs:[27Ah] ;; KPCR.BpbCurrentSpecCtrl
mov ecx,48h ;; MSR 0x48 = IA32_SPEC_CTRL
xor edx,edx ;; high dword of the MSR value = 0
wrmsr ;; IA32_SPEC_CTRL <- BpbCurrentSpecCtrl
jmp @@0
@@user_mode:
test byte ptr [KiKvaShadow],1 ;; KVA shadow active? then the shadow stub already executed swapgs
jne @@x
swapgs ;; !!! (no KVA shadow: swap GS here instead)
@@x:
lfence
mov r10,qword ptr gs:[CurrentThread] ;; gs -> KPCR is assumed valid from here on
mov rcx,qword ptr gs:[CurrentThread]
.... ;; remainder omitted by the author
所以错误的根源在于:中断已经发生在内核模式(CS 是内核段),但 GS 的值仍然是用户模式的值。在这种情况下内核不执行 SWAPGS,而是直接使用当前(对内核而言是错误的)GS 值,于是访问到了错误的结构,结果触发页面错误,KiPageFault 被执行。而 KiPageFault 中同样只有在故障来自用户模式时才执行 swapgs。
;; nt!KiPageFault -- page-fault entry (excerpt). Same shape as KiDebugServiceTrap:
;; frame setup, volatile-register save, then the CPL test. For a fault raised with a
;; kernel CS there is no swapgs, so a fault taken while GS still holds the user base
;; re-faults on its own first gs: access -- the recursion that fills the (user) stack
;; until the double fault shown in the call stack above.
;; No "sub rsp,8" here: #PF pushes an error code, which presumably occupies that slot,
;; consistent with Cs being found at the same [rbp+0F0h] offset below -- confirm.
KiPageFault
push rbp
sub rsp,158h ;; 0x158 bytes of frame locals
lea rbp,[rsp+80h] ;; rbp = frame base
mov byte ptr [rbp-55h],1 ;; frame flag byte (meaning not shown here)
mov qword ptr [rbp-50h],rax ;; save the volatile registers rax..r11
mov qword ptr [rbp-48h],rcx
mov qword ptr [rbp-40h],rdx
mov qword ptr [rbp-38h],r8
mov qword ptr [rbp-30h],r9
mov qword ptr [rbp-28h],r10
mov qword ptr [rbp-20h],r11
test byte ptr [rbp+0F0h],1 ;; if (Cs & 1)
jne @@user_mode
lfence ;; kernel-mode path: GS left as is
test byte ptr gs:[278h],1 ;; KPCR.BpbCpuIdle -- first gs: access on this path
jne FFFFF80527804B4F v ;; target is the @@1 block below (rendered as a raw address; the trailing "v" looks like a paste artifact)
lfence
jmp @@0 ;; @@0 is outside this excerpt
@@1
movzx eax,byte ptr gs:[27Ah] ;; KPCR.BpbCurrentSpecCtrl
mov ecx,48h ;; MSR 0x48 = IA32_SPEC_CTRL
xor edx,edx ;; high dword of the MSR value = 0
wrmsr
jmp @@0
@@user_mode:
test byte ptr [KiKvaShadow],1 ;; with KVA shadow the shadow stub already swapped GS
jne @@x ;; @@x is not shown in this excerpt
swapgs ;; !! only in case fault from user mode
lfence
mov r10,qword ptr gs:[CurrentThread] ;; gs -> KPCR assumed valid from here on
结果就是递归的故障(错误的内存访问)不断重复,直到堆栈空间耗尽,最终产生双重故障。请注意,所有 nt!KiPageFault 帧的 Child-SP 都是用户模式的值!这是因为 syscall 本身不会把堆栈切换到内核堆栈(需要由入口代码手动完成),而中断也不会切换堆栈,因为 CPU 已经处于内核模式。只有当前堆栈没有空间时,才会发生双重故障并切换堆栈:
05 ffffbb81`a9bdce50 fffff803`80005000 nt!KiDoubleFaultAbort+0x2c3
06 000000b9`51479010 fffff803`80005000 nt!KiPageFault
b951479010 仍然是用户模式的堆栈值(已分配的堆栈区域显然在 b951479000 结束),而 ffffbb81a9bdce50 已经是内核模式堆栈。
最后来看 KiSystemCall64:
;; nt!KiSystemCall64 -- SYSCALL entry (the IA32_LSTAR target; excerpt). SYSCALL
;; changes neither the GS base nor rsp, so at the first byte the code runs with a
;; kernel CS but the user-mode GS base and the user-mode stack. Until
;; "mov rsp,qword ptr gs:[RspBase]" has executed, any trap raised here (such as a
;; debugger int 3) is treated by the trap handlers as a kernel-mode trap: they skip
;; swapgs and build their frame on the user stack, which is the fault chain above.
KiSystemCall64
swapgs ;; GS base: user (TEB) -> kernel (KPCR); no valid breakpoint location before this
mov qword ptr gs:[UserRsp],rsp ;; stash the user rsp in the gs:-relative (KPCR) slot
mov rsp,qword ptr gs:[RspBase] ;; switch to the kernel stack
push 2Bh ;; user mode Ss
push qword ptr gs:[UserRsp] ;; user rsp, completing the hardware-style frame by hand
push r11 ;; rflags
push 33h ;; user mode Cs for 64bit code
push rcx ;; rip from user mode
mov rcx,r10 ;; first argument back into rcx (SYSCALL clobbered rcx with the return rip; r10 carries the copy per the x64 syscall convention)
sub rsp,8 ;; one extra qword below the frame, as in the trap handlers
push rbp
sub rsp,158h ;; 0x158 bytes of frame locals
lea rbp,[rsp+80h] ;; rbp = frame base
所以第一个字节——也就是在 swapgs 之前、在切换到内核堆栈 (mov rsp,qword ptr gs:[RspBase]) 之前——不是设置断点的有效位置,只能在这条指令之后设置断点!