安全之路 -- WH_KEYBOARD和WH_KEYBOARD_LL 键盘钩子在堆栈调用上的情况 


// Firse I used WH_KEYBOARD sample to test and set BreakPoint ...

kd> kvn
 # ChildEBP RetAddr  Args to Child              
00 b1f69cfc bf8529e4 0012fcb8 b1f69d64 00000000 win32k!GetHmodTableIndex (FPO: [Non-Fpo])
01 b1f69d20 bf852813 10000000 0012fcb8 00000000 win32k!zzzSetWindowsHookEx+0x136 (FPO: [Non-Fpo])
02 b1f69d44 8053e638 10000000 0012fcb8 00000000 win32k!NtUserSetWindowsHookEx+0x3e (FPO: [Non-Fpo])
03 b1f69d44 7c92e4f4 10000000 0012fcb8 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f69d64)
04 0012fc94 77d28207 77d281f2 10000000 0012fcb8 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0012fcc8 77d281ac 10000000 0012fcf0 00000000 USER32!NtUserSetWindowsHookEx+0xc
06 0012fefc 77d31229 00000003 10001130 10000000 USER32!SetWindowsHookExAW+0x55 (FPO: [Non-Fpo])
07 0012ff18 10001451 00000003 10001130 10000000 USER32!SetWindowsHookExA+0x18 (FPO: [Non-Fpo])
08 0012ff2c 0040104f 004011d4 00400000 00000000 Test!StartHook+0x21 (FPO: [0,0,0]) 
WARNING: Stack unwind information not available. Following frames may be wrong.
09 0012ffc0 7c817067 0007da50 7c92d950 7ffd5000 Test_exe+0x104f
0a 0012fff0 00000000 0040123f 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> dt _UNICODE_STRING 0012fcb8
Test!_UNICODE_STRING
 "C:\Documents and Settings\Administrator\Desktop\Test.dll"
   +0x000 Length           : 0x66
   +0x002 MaximumLength    : 0x68
   +0x004 Buffer           : 0x0012fcf0  "C:\Documents and Settings\Administrator\Desktop\Test.dll"

kd> db 0012fcf0 
0012fcf0  43 00 3a 00 5c 00 44 00-6f 00 63 00 75 00 6d 00  C.:.\.D.o.c.u.m.
0012fd00  65 00 6e 00 74 00 73 00-20 00 61 00 6e 00 64 00  e.n.t.s. .a.n.d.
0012fd10  20 00 53 00 65 00 74 00-74 00 69 00 6e 00 67 00   .S.e.t.t.i.n.g.
0012fd20  73 00 5c 00 41 00 64 00-6d 00 69 00 6e 00 69 00  s.\.A.d.m.i.n.i.
0012fd30  73 00 74 00 72 00 61 00-74 00 6f 00 72 00 5c 00  s.t.r.a.t.o.r.\.
0012fd40  4c 68 62 97 5c 00 54 00-65 00 73 00 74 00 2e 00  Lhb.\.T.e.s.t...
0012fd50  64 00 6c 00 6c 00 00 00-00 00 00 00 00 00 00 00  d.l.l...........
0012fd60  00 50 fd 7f 65 00 73 00-74 00 2e 00 00 50 fd 7f  .P..e.s.t....P..

kd> bp win32k!AddHmodDependency
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.

kd> g
Breakpoint 1 hit
win32k!AddHmodDependency:
bf852b45 8bff            mov     edi,edi

kd> kvn
 # ChildEBP RetAddr  Args to Child              
00 b1f69cfc bf8529fa 00000002 b1f69d64 00000000 win32k!AddHmodDependency (FPO: [Non-Fpo])
01 b1f69d20 bf852813 10000000 0012fcb8 00000000 win32k!zzzSetWindowsHookEx+0x15a (FPO: [Non-Fpo])
02 b1f69d44 8053e638 10000000 0012fcb8 00000000 win32k!NtUserSetWindowsHookEx+0x3e (FPO: [Non-Fpo])
03 b1f69d44 7c92e4f4 10000000 0012fcb8 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f69d64)
04 0012fc94 77d28207 77d281f2 10000000 0012fcb8 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0012fcc8 77d281ac 10000000 0012fcf0 00000000 USER32!NtUserSetWindowsHookEx+0xc
06 0012fefc 77d31229 00000003 10001130 10000000 USER32!SetWindowsHookExAW+0x55 (FPO: [Non-Fpo])
07 0012ff18 10001451 00000003 10001130 10000000 USER32!SetWindowsHookExA+0x18 (FPO: [Non-Fpo])
08 0012ff2c 0040104f 004011d4 00400000 00000000 Test!StartHook+0x21 (FPO: [0,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
09 0012ffc0 7c817067 0007da50 7c92d950 7ffd5000 Test_exe+0x104f
0a 0012fff0 00000000 0040123f 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> bp nt!KeUserModeCallback
WARNING: Software breakpoints on session addresses can cause bugchecks.
Use hardware execution breakpoints (ba e) if possible.

kd> g
Breakpoint 1 hit
nt!KeUserModeCallback:
80597fe6 6a30            push    30h

kd> kvn
# ChildEBP  RetAddr  Args to Child
00 b28e2760 bf8b18db 00000042 b28e27cc 00000090 nt!KeUserModeCallback (FPO: [Non-Fpo])
01 b28e29e8 bf8b19e6 b28e2a04 00000000 00000000 win32k!ClientLoadLibrary+0xb2 (FPO: [Non-Fpo])
02 b28e2c18 bf83c87e 00000003 e1c65d20 b28e2d14 win32k!xxxLoadHmodIndex+0x86 (FPO: [Non-Fpo])
03 b28e2c84 bf83c8d5 036cbeb0 00000000 00000001 win32k!xxxCallHook2+0x19b (FPO: [Non-Fpo])
04 b28e2ca0 bf801ad6 00000000 00000001 00000002 win32k!xxxCallHook+0x26 (FPO: [Non-Fpo])
05 b28e2ce8 bf8036ec b28e2d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x264 (FPO: [Non-Fpo])
06 b28e2d48 8053e638 0007fde8 00000000 00000000 win32k!NtUserPeekMessage+0x40 (FPO: [Non-Fpo])
07 b28e2d48 7c92e4f4 0007fde8 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28e2d64)
08 0007fce0 77d193e9 77d193a8 0007fde8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
09 0007fd0c 77d2a43b 0007fde8 00000000 00000000 USER32!NtUserPeekMessage+0xc
0a 0007fd38 00402702 0007fde8 00000000 00000000 USER32!PeekMessageA+0xeb (FPO: [Non-Fpo])
0b 0007ff1c 00402fa9 00400000 00000000 000a2331 ctfmon!WinMain+0x1ec (FPO: [Non-Fpo])
0c 0007ffc0 7c817067 00340032 00390030 7ffd7000 ctfmon!WinMainCRTStartup+0x174 (FPO: [Non-Fpo])
0d 0007fff0 00000000 00402e35 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> db b28e27cc L 100
b28e27cc 90 00 00 00 68 00 00 00-01 00 00 00 5c 28 8e b2 ....h.......\(..
b28e27dc 24 00 00 00 00 00 00 00-66 00 68 00 28 00 00 00 $.......f.h.(...
b28e27ec 00 00 00 00 1c 00 00 00-43 00 3a 00 5c 00 44 00 ........C.:.\.D.
b28e27fc 6f 00 63 00 75 00 6d 00-65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s.
b28e280c 20 00 61 00 6e 00 64 00-20 00 53 00 65 00 74 00 .a.n.d. .S.e.t.
b28e281c 74 00 69 00 6e 00 67 00-73 00 5c 00 41 00 64 00 t.i.n.g.s.\.A.d.
b28e282c 6d 00 69 00 6e 00 69 00-73 00 74 00 72 00 61 00 m.i.n.i.s.t.r.a.
b28e283c 74 00 6f 00 72 00 5c 00-4c 68 62 97 5c 00 54 00 t.o.r.\.Lhb.\.T.
b28e284c 65 00 73 00 74 00 2e 00-64 00 6c 00 6c 00 00 00 e.s.t...d.l.l...
b28e285c 78 28 8e b2 02 00 00 00-02 00 00 00 00 21 01 00 x(...........!..
b28e286c 88 28 8e b2 fc b2 7d f8-02 00 00 00 02 00 fb 81 .(....}.........
b28e287c 02 00 fb 81 a0 4d 1e 82-cc ab 7d f8 84 20 00 00 .....M....}.. ..
b28e288c a0 4d 1e 82 d5 a4 7d f8-70 a4 c6 81 50 34 0f 82 .M....}.p...P4..
b28e289c bc 28 8e b2 7c 59 2a f8-48 a4 c6 81 00 00 00 00 .(..|Y*.H.......
b28e28ac 98 8c 01 82 78 a4 c6 81-9c 3d 01 82 07 ff ff 01 ....x....=......
b28e28bc 00 00 00 00 2e 00 00 00-1c 29 8e b2 00 00 00 00 .........)......

kd> g
Breakpoint 1 hit
win32k!fnHkINLPMSG:
bf85316d 6a50            push    50h

kd> kvn
 # ChildEBP RetAddr  Args to Child              
00 b229a6d8 bf852419 00030000 00000001 b229a7cc win32k!fnHkINLPMSG (FPO: [Non-Fpo])
01 b229a718 bf83c702 74691351 00000000 00000001 win32k!xxxHkCallHook+0x30f (FPO: [Non-Fpo])
02 b229a790 bf8f631a 036a50a0 00000000 00000001 win32k!xxxCallHook2+0x25d (FPO: [Non-Fpo])
03 b229a7ac bf8e3174 00000000 00000001 00000000 win32k!xxxCallNextHookEx+0x2d (FPO: [Non-Fpo])
04 b229a800 bf8f6297 00000003 00000000 00000001 win32k!NtUserfnHkINLPMSG+0x3a (FPO: [Non-Fpo])
05 b229a81c 8053e638 00000000 00000001 0012fe78 win32k!NtUserCallNextHookEx+0xa5 (FPO: [Non-Fpo])
06 b229a81c 7c92e4f4 00000000 00000001 0012fe78 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b229a834)
07 0012fc54 77d3e1ad 77d3e18a 00000000 00000001 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
08 0012fc7c 10001416 00000000 00000000 00000001 user32!NtUserCallNextHookEx+0xc
09 0012fdf8 77d2b317 00030000 00000001 0012fe78 Test!KeyHookProc+0x2e6 (FPO: [Uses EBP] [3,77,0])
0a 0012fe60 00000000 00030000 00000001 10001130 user32!CallHookWithSEH+0x21 (FPO: [Non-Fpo])

// Then I switch to WH_KEYBOARD_LL sample and set breanpoint ...

kd> kv
#  ChildEBP RetAddr  Args to Child
00 0012fe4c 77d31923 00000000 00000100 0012fec4 Test!LowLevelKbHookRoutine (FPO: [3,0,0])
01 0012fe80 77d58d78 000d0000 00000100 0012fec4 USER32!DispatchHookA+0x101 (FPO: [Non-Fpo])
02 0012fea4 7c92e453 0012feb4 00000024 000d0000 USER32!__fnHkINLPKBDLLHOOKSTRUCT+0x24 (FPO: [Non-Fpo])
03 0012fea4 80500690 0012feb4 00000024 000d0000 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
04 b2862ac8 8059806d b2862b78 b2862b74 b2862b70 nt!KiCallUserMode+0x4 (FPO: [2,3,4])
05 b2862b24 bf92b13a 0000002d b2862b4c 00000024 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
06 b2862b98 bf8522f2 000d0000 00000100 b2862c74 win32k!fnHkINLPKBDLLHOOKSTRUCT+0x52 (FPO: [Non-Fpo])
07 b2862bd0 bf83c702 00401000 00000000 00000100 win32k!xxxHkCallHook+0x396 (FPO: [Non-Fpo])
08 b2862c48 bf841ae4 316b17e8 00000000 00000100 win32k!xxxCallHook2+0x25d (FPO: [Non-Fpo])
09 b2862cb0 bf801eda e187eeb0 b2862d64 0012fef0 win32k!xxxReceiveMessage+0x1ba (FPO: [Non-Fpo])
0a b2862cec bf819e6c b2862d18 000020c8 00000012 win32k!xxxRealInternalGetMessage+0x1d7 (FPO: [Non-Fpo])
0b b2862d4c 8053e638 0012ff18 00000000 00000012 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
0c b2862d4c 7c92e4f4 0012ff18 00000000 00000012 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2862d64)
0d 0012fea4 7c92e453 0012feb4 00000024 000d0000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0e 0012fed4 77d191be 77d2776b 0012ff18 00000000 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
0f 0012fefc 00401117 0012ff18 00000000 00000012 USER32!NtUserGetMessage+0xc
10 0012ff30 004012ba 00400000 00000000 00152348 Test!WinMain+0x47 (FPO: [4,7,0])
11 0012ffc0 7c817067 0007d868 7c92d950 7ffdc000 Test!__tmainCRTStartup+0x113 (FPO: [Non-Fpo])
12 0012fff0 00000000 00401325 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

 

 

 

 

 

 

posted @ 2022-04-08 03:51  倚剑问天  阅读(237)  评论(0编辑  收藏  举报