the range is 917851 in size
outside 824985
I assume you have a kernel full dump. Use chkimg -d; it should tell you where the original file differs from the one in memory. Or force the command to scan the module ntdll with chkimg -d ntdll (by default !chkimg does not check the writable sections, so the output seems suspicious for changes in ntdll).
You cannot assume a machine is malwared based on a dump that may possibly have been corrupted: the dumpwrite path can BSOD, and a corrupt dump can be written. Checking with chkimg -db can show all zeros in the region; that is a problem in the dump process. Check:
original file address xxxxxxxx 60 90 cc
memory file 00 00 00
A chkimg output can show such a huge difference, as above:
lkd> !chkimg nt -d
80501bc8-80501bcb 4 bytes - nt!KiServiceTable+24
[ ec cb 60 80:a0 9a 3e a9 ]
80501bf0-80501bf3 4 bytes - nt!KiServiceTable+4c (+0x28)
[ 44 c9 5c 80:7e a5 3e a9 ]
80501c08-80501c0b 4 bytes - nt!KiServiceTable+64 (+0x18)
[ ba 1c 5b 80:5d e8 42 a9 ]
Only sections marked IMAGE_SCN_MEM_WRITE can be overwritten; writing to any other section of a binary will generate an access violation. And chkimg, unless forced, does not compare the sections whose attributes in the PE header allow writes, so what is shown in the query is in places where modification is neither allowed nor expected.
Here is sample code that takes a DLL name and tries to write to the .data section:
#include <windows.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("usage: %s <dll>\n", argv[0]);
        return 1;
    }
    HMODULE hMod = LoadLibrary(argv[1]);
    if (!hMod) {
        printf("LoadLibrary(%s) failed, error %lu\n", argv[1], GetLastError());
        return 1;
    }
    /* Walk the mapped image: DOS header -> NT headers -> section table.
       IMAGE_FIRST_SECTION uses SizeOfOptionalHeader, so it is right for PE32 and PE32+. */
    PIMAGE_DOS_HEADER doshead = (PIMAGE_DOS_HEADER)hMod;
    PIMAGE_NT_HEADERS nthead = (PIMAGE_NT_HEADERS)((ULONG_PTR)hMod + doshead->e_lfanew);
    PIMAGE_SECTION_HEADER sections = IMAGE_FIRST_SECTION(nthead);
    DWORD totsections = nthead->FileHeader.NumberOfSections;
    HANDLE out = GetStdHandle(STD_OUTPUT_HANDLE);
    for (DWORD i = 0; i < totsections; i++) {
        PIMAGE_SECTION_HEADER sechead = &sections[i];
        /* Name is 8 bytes and not NUL-terminated when all 8 are used, hence %.8s */
        if ((sechead->Characteristics & IMAGE_SCN_MEM_WRITE) == IMAGE_SCN_MEM_WRITE) {
            CONSOLE_SCREEN_BUFFER_INFO csbiInfo;
            GetConsoleScreenBufferInfo(out, &csbiInfo);
            WORD oldcolor = csbiInfo.wAttributes;
            SetConsoleTextAttribute(out, 10);   /* green: section is writable */
            printf("Module %p Section %.8s is writable trying to write\n", (void *)hMod, sechead->Name);
            /* Read every byte back and store the same value: proves the pages are writable
               without altering the image. volatile keeps the compiler from dropping the store.
               On a page that is not writable this store raises an access violation. */
            for (DWORD j = sechead->VirtualAddress; j < sechead->VirtualAddress + sechead->SizeOfRawData; j++) {
                volatile BYTE *p = (volatile BYTE *)hMod + j;
                BYTE Inbyte = *p;
                *p = Inbyte;
            }
            printf("Module %p Section %.8s is written to successfully\n", (void *)hMod, sechead->Name);
            SetConsoleTextAttribute(out, oldcolor);
        } else {
            printf("Module %p Section %.8s is not writable skipping\n", (void *)hMod, sechead->Name);
        }
    }
    FreeLibrary(hMod);
    return 0;
}
Output on a hex-edited DLL and on ntdll below (the section Characteristics of the hex-edited DLL are all set to 0xC0000040, read/write/initialized data, and 0xC2000040 for .reloc):
:\>xxd -s +0x3c -l 4 -g 4 sec_attr_mod_dll.dll
000003c: b0000000 ....
:\>set /a 0xb0 + 0xf8 + 0x24
460
:\>xxd -s +460 -l 4 -g 4 sec_attr_mod_dll.dll & xxd -s +500 -l 4 -g 4 sec_attr_mod_dll.dll & xxd -s +540 -l 4 -g 4 sec_attr_mod_dll.dll & xxd -s +580 -l 4 -g 4 sec_attr_mod_dll.dll
00001cc: 400000c0 @...
00001f4: 400000c0 @...
000021c: 400000c0 @...
0000244: 400000c2 @...
:\>w2dl.exe sec_attr_mod_dll.dll
Module 10000000 Section .text is writable trying to write
Module 10000000 Section .text is written to successfully
Module 10000000 Section .rdata is writable trying to write
Module 10000000 Section .rdata is written to successfully
Module 10000000 Section .data is writable trying to write
Module 10000000 Section .data is written to successfully
Module 10000000 Section .reloc is writable trying to write
Module 10000000 Section .reloc is written to successfully
:\>w2dl.exe ntdll.dll
Module 7C900000 Section .text is not writable skipping
Module 7C900000 Section .data is writable trying to write
Module 7C900000 Section .data is written to successfully
Module 7C900000 Section .rsrc is not writable skipping
Module 7C900000 Section .reloc is not writable skipping
:\>
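As an added example that is not part of the answer above (and not Microsoft's !chkimg code), here is a portable, minimal re-implementation of the comparison the answer describes: walk the PE section table, compare the on-disk bytes of each section with the in-memory copy, skip sections flagged IMAGE_SCN_MEM_WRITE unless told otherwise, and print the mismatched ranges in a !chkimg-like form. It also shows why the section-attribute trick above matters: flipping a section to writable makes a default scan ignore it. The PE it scans is constructed inline so it runs anywhere without windows.h; on a real system the two buffers would be the file read from disk and the bytes at the module base. The names chkimg_compare, run_sample, Diff and the sample layout are my own. It is not relocation- or import-table-aware, so a relocated or bound image will show expected pointer-sized differences in .text/.rdata that !chkimg itself knows to discount.

```c
/* chkimg_lite.c: a portable sketch of the comparison !chkimg performs. Input: the PE as
 * laid out on disk (raw file offsets) and the same module as laid out in memory (RVAs
 * from the base). Walks the section table and reports differing byte ranges; sections
 * flagged IMAGE_SCN_MEM_WRITE are skipped unless include_writable is set. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_MEM_WRITE 0x80000000u
#define PE_SIGNATURE        0x00004550u            /* "PE\0\0" */

typedef struct {                                   /* layout of IMAGE_FILE_HEADER */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} FileHeader;
typedef struct {                                   /* layout of IMAGE_SECTION_HEADER */
    char     Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHeader;
typedef struct { uint32_t rva, len, section_off; char section[9]; } Diff;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Returns the number of differing ranges (the first max_out stored in out), or -1
   when the headers are malformed or a section points outside either buffer. */
int chkimg_compare(const uint8_t *file, size_t file_len, const uint8_t *mem,
                   size_t mem_len, int include_writable, Diff *out, size_t max_out)
{
    if (file_len < 0x40 || file[0] != 'M' || file[1] != 'Z') return -1;
    uint32_t nt = rd32(file + 0x3c);
    if ((uint64_t)nt + 4 + sizeof(FileHeader) > file_len || rd32(file + nt) != PE_SIGNATURE)
        return -1;
    FileHeader fh;
    memcpy(&fh, file + nt + 4, sizeof fh);
    /* The section table follows the optional header: use SizeOfOptionalHeader, not a
       fixed sizeof(IMAGE_NT_HEADERS), so PE32 and PE32+ are both handled. */
    size_t sect = nt + 4 + sizeof fh + fh.SizeOfOptionalHeader;
    if (sect + (size_t)fh.NumberOfSections * sizeof(SectionHeader) > file_len) return -1;
    int ndiff = 0;
    for (unsigned i = 0; i < fh.NumberOfSections; i++) {
        SectionHeader sh; memcpy(&sh, file + sect + i * sizeof sh, sizeof sh);
        if (!include_writable && (sh.Characteristics & IMAGE_SCN_MEM_WRITE)) continue;
        uint32_t n = sh.SizeOfRawData;             /* bytes the file actually supplies */
        if ((uint64_t)sh.PointerToRawData + n > file_len ||
            (uint64_t)sh.VirtualAddress + n > mem_len) return -1;
        uint32_t run = 0;                          /* length of the current mismatch run */
        for (uint32_t j = 0; j <= n; j++) {        /* j == n flushes a trailing run */
            if (j < n && file[sh.PointerToRawData + j] != mem[sh.VirtualAddress + j]) { run++; continue; }
            if (run == 0) continue;
            if ((size_t)ndiff < max_out) {         /* a run just ended at j-1: record it */
                Diff *d = &out[ndiff];
                d->rva = sh.VirtualAddress + j - run; d->len = run; d->section_off = j - run;
                memcpy(d->section, sh.Name, 8); d->section[8] = 0;
            }
            ndiff++;
            run = 0;
        }
    }
    return ndiff;
}

/* Constructed sample (not a real DLL): a two-section PE32 whose loaded copy was
   patched in .text (a 5-byte jmp, as an inline hook leaves) and in .data. */
#define FILE_SZ 0x260
#define MEM_SZ  0x2020
static uint8_t g_file[FILE_SZ], g_mem[MEM_SZ];

int run_sample(int include_writable, Diff *out, size_t max_out)
{
    memset(g_file, 0, sizeof g_file); memset(g_mem, 0, sizeof g_mem);
    g_file[0] = 'M'; g_file[1] = 'Z';
    uint32_t nt = 0x40, sig = PE_SIGNATURE;
    memcpy(g_file + 0x3c, &nt, 4); memcpy(g_file + nt, &sig, 4);
    FileHeader fh = { 0x14c, 2, 0, 0, 0, 0xe0, 0x2102 };   /* i386 DLL, PE32 optional header */
    memcpy(g_file + nt + 4, &fh, sizeof fh);
    SectionHeader s[2] = {
        { ".text", 0x40, 0x1000, 0x40, 0x200, 0, 0, 0, 0, 0x60000020 },   /* code|exec|read */
        { ".data", 0x20, 0x2000, 0x20, 0x240, 0, 0, 0, 0, 0xC0000040 },   /* data|read|write */
    };
    memcpy(g_file + nt + 4 + sizeof fh + fh.SizeOfOptionalHeader, s, sizeof s);
    memset(g_file + 0x200, 0x90, 0x40);                    /* .text: nops */
    memset(g_file + 0x240, 0x41, 0x20);                    /* .data: 'A's */
    memcpy(g_mem, g_file, 0x200);                          /* loader view: headers at the base, */
    memcpy(g_mem + 0x1000, g_file + 0x200, 0x40);          /* each section at its RVA */
    memcpy(g_mem + 0x2000, g_file + 0x240, 0x20);
    static const uint8_t jmp[5] = { 0xe9, 0x00, 0x10, 0x00, 0x00 };
    memcpy(g_mem + 0x1010, jmp, sizeof jmp);               /* in-memory patches the file lacks */
    g_mem[0x2004] = 0x42;
    return chkimg_compare(g_file, FILE_SZ, g_mem, MEM_SZ, include_writable, out, max_out);
}

int main(void)
{
    Diff d[8];
    int n = run_sample(0, d, 8);                           /* default: writable sections skipped */
    for (int i = 0; i < n && i < 8; i++)
        printf("%08x-%08x %u bytes - %s+%x\n", d[i].rva, d[i].rva + d[i].len - 1, d[i].len, d[i].section, d[i].section_off);
    return n < 0;
}
```

With the default (writable sections skipped) only the 5-byte patch in .text is reported; passing include_writable=1 to run_sample also reports the single changed byte in .data. That is the same distinction the answer draws: a hook in .text is a real anomaly, while a changed byte in a writable section is normal program state, which is why a DLL whose sections have all been flagged writable hides from a default scan.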
What kind of crash? Could it be that the DLL's memory was overwritten, e.g. by a buffer overflow? – 2014-09-22 19:53:34
Could a buffer overflow corrupt the ntdll.dll image loaded in process memory? I believe such an attempt would fail with an access violation. – vkrzv 2014-09-22 20:09:21
You're right, of course; those DLL pages should be PAGE_READONLY. – 2014-09-22 21:44:04