为什么在 NtReadVirtualMemory 读取的 R3 地址上下硬件断点无法断下

时间:2021-09-25 00:07:39

以 Win7 x64 为例

调用链：nt!NtReadVirtualMemory -> nt!MmCopyVirtualMemory（下面反汇编的是后者，实际的复制逻辑在这里）

NTSTATUS
NTAPI
MmCopyVirtualMemory(IN PEPROCESS SourceProcess,
IN PVOID SourceAddress,
IN PEPROCESS TargetProcess,
OUT PVOID TargetAddress,
IN SIZE_T BufferSize,
IN KPROCESSOR_MODE PreviousMode,
OUT PSIZE_T ReturnSize
)
kd> u nt!MmCopyVirtualMemory l100
nt!MmCopyVirtualMemory:
fffff800`0416b94c 4c8bdc mov r11,rsp
fffff800`0416b94f 4d894b20 mov qword ptr [r11+20h],r9
fffff800`0416b953 4d894318 mov qword ptr [r11+18h],r8
fffff800`0416b957 mov qword ptr [r11+10h],rdx
fffff800`0416b95b 49894b08 mov qword ptr [r11+],rcx
fffff800`0416b95f push rbx
fffff800`0416b960 push rsi
fffff800`0416b961 push rdi
fffff800`0416b962 push r12
fffff800`0416b964 push r13
fffff800`0416b966 push r14
fffff800`0416b968 push r15
fffff800`0416b96a 4881ec70030000 sub rsp,370h
fffff800`0416b971 4c8bf2 mov r14,rdx
fffff800`0416b974 488bb424d0030000 mov rsi,qword ptr [rsp+3D0h]
fffff800`0416b97c 33ff xor edi,edi
fffff800`0416b97e 483bf7 cmp rsi,rdi
fffff800`0416b981 0f846b2b0c00 je nt! ?? ::NNGAKEGL::`string'+0x4c290 (fffff800`0422e4f2)
fffff800`0416b987 488b8424e0030000 mov rax,qword ptr [rsp+3E0h]
fffff800`0416b98f 488938 mov qword ptr [rax],rdi
fffff800`0416b992 8d5f02 lea ebx,[rdi+2]
fffff800`0416b995 895c2430 mov dword ptr [rsp+30h],ebx
fffff800`0416b999 4889542468 mov qword ptr [rsp+68h],rdx
fffff800`0416b99e 4c894c2458 mov qword ptr [rsp+58h],r9
fffff800`0416b9a3 488bc6 mov rax,rsi
fffff800`0416b9a6 4889442438 mov qword ptr [rsp+38h],rax
fffff800`0416b9ab 4d8dbb18fdffff lea r15,[r11-2E8h]
fffff800`0416b9b2 4c897c2460 mov qword ptr [rsp+60h],r15
fffff800`0416b9b7 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
fffff800`0416b9c0 48894c2470 mov qword ptr [rsp+70h],rcx
fffff800`0416b9c5 897c244c mov dword ptr [rsp+4Ch],edi
fffff800`0416b9c9 4c8be7 mov r12,rdi
fffff800`0416b9cc 48897c2440 mov qword ptr [rsp+40h],rdi
fffff800`0416b9d1 48897c2478 mov qword ptr [rsp+78h],rdi
fffff800`0416b9d6 897c2448 mov dword ptr [rsp+48h],edi
fffff800`0416b9da 4881fe00020000 cmp rsi,200h ;关键部分：rsi 是请求读取的字节数。若 rsi 不小于 200h（即 512）字节，下一条 jae 跳到 +0x3a5，ebx 的第 1 位保持置位，之后走 MmProbeAndLockPages + MmMapLockedPagesSpecifyCache 的 MDL 映射路径，从映射出的系统地址做 memcpy；只有小于 200h 时才用 and ebx,0FFFFFFFDh 清掉该位，挂靶进程后直接对 R3 地址 memcpy。所以大块读取时，对 R3 地址下的硬件断点无法断下
fffff800`0416b9e1 0f830a030000 jae nt!MmCopyVirtualMemory+0x3a5 (fffff800`0416bcf1)
fffff800`0416b9e7 83e3fd and ebx,0FFFFFFFDh
fffff800`0416b9ea 895c2430 mov dword ptr [rsp+30h],ebx
fffff800`0416b9ee 41bd00000100 mov r13d,10000h
fffff800`0416b9f4 493bf5 cmp rsi,r13
fffff800`0416b9f7 4c0f46ee cmovbe r13,rsi
fffff800`0416b9fb 4881fe00020000 cmp rsi,200h
fffff800`0416ba02 0f87f12a0c00 ja nt! ?? ::NNGAKEGL::`string'+0x4c297 (fffff800`0422e4f9)
fffff800`0416ba08 4c8da42470010000 lea r12,[rsp+170h]
fffff800`0416ba10 4c89642440 mov qword ptr [rsp+40h],r12
fffff800`0416ba15 483bc7 cmp rax,rdi
fffff800`0416ba18 0f8672020000 jbe nt!MmCopyVirtualMemory+0x344 (fffff800`0416bc90)
fffff800`0416ba1e 493bc5 cmp rax,r13
fffff800`0416ba21 4c0f42e8 cmovb r13,rax
fffff800`0416ba25 4c89ac2480000000 mov qword ptr [rsp+80h],r13
fffff800`0416ba2d 488d942488000000 lea rdx,[rsp+88h]
fffff800`0416ba35 488b8c24b0030000 mov rcx,qword ptr [rsp+3B0h]
fffff800`0416ba3d e8becdd8ff call nt!KeStackAttachProcess (fffff800`03ef8800)
fffff800`0416ba42 48897c2450 mov qword ptr [rsp+50h],rdi
fffff800`0416ba47 4c8b4c2468 mov r9,qword ptr [rsp+68h]
fffff800`0416ba4c 4d3bce cmp r9,r14
fffff800`0416ba4f 0f85f82a0c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c2eb (fffff800`0422e54d)
fffff800`0416ba55 448a9424d8030000 mov r10b,byte ptr [rsp+3D8h]
fffff800`0416ba5d 443ad7 cmp r10b,dil
fffff800`0416ba60 742f je nt!MmCopyVirtualMemory+0x145 (fffff800`0416ba91)
fffff800`0416ba62 483bf7 cmp rsi,rdi
fffff800`0416ba65 7418 je nt!MmCopyVirtualMemory+0x133 (fffff800`0416ba7f)
fffff800`0416ba67 498d0436 lea rax,[r14+rsi]
fffff800`0416ba6b 488b0d8e85f9ff mov rcx,qword ptr [nt!MmUserProbeAddress (fffff800`04104000)]
fffff800`0416ba72 483bc1 cmp rax,rcx
fffff800`0416ba75 7705 ja nt!MmCopyVirtualMemory+0x130 (fffff800`0416ba7c)
fffff800`0416ba77 493bc6 cmp rax,r14
fffff800`0416ba7a 7303 jae nt!MmCopyVirtualMemory+0x133 (fffff800`0416ba7f)
fffff800`0416ba7c 408839 mov byte ptr [rcx],dil
fffff800`0416ba7f eb10 jmp nt!MmCopyVirtualMemory+0x145 (fffff800`0416ba91)
fffff800`0416ba81 8bf8 mov edi,eax
fffff800`0416ba83 8b5c2430 mov ebx,dword ptr [rsp+30h]
fffff800`0416ba87 4c8b642440 mov r12,qword ptr [rsp+40h]
fffff800`0416ba8c e946020000 jmp nt!MmCopyVirtualMemory+0x38b (fffff800`0416bcd7)
fffff800`0416ba91 448bc3 mov r8d,ebx
fffff800`0416ba94 41d1e8 shr r8d,1
fffff800`0416ba97 4183e001 and r8d,1
fffff800`0416ba9b 0f8570020000 jne nt!MmCopyVirtualMemory+0x3c5 (fffff800`0416bd11)
fffff800`0416baa1 488b442470 mov rax,qword ptr [rsp+70h]
fffff800`0416baa6 0fba684c07 bts dword ptr [rax+4Ch],7
fffff800`0416baab 410f92c6 setb r14b
fffff800`0416baaf 4488742434 mov byte ptr [rsp+34h],r14b
fffff800`0416bab4 443bc7 cmp r8d,edi
fffff800`0416bab7 7510 jne nt!MmCopyVirtualMemory+0x17d (fffff800`0416bac9)
fffff800`0416bab9 4d8bc5 mov r8,r13
fffff800`0416babc 498bd1 mov rdx,r9
fffff800`0416babf 498bcc mov rcx,r12
fffff800`0416bac2 e87929d5ff call nt!memcpy (fffff800`03ebe440)
fffff800`0416bac7 eb0e jmp nt!MmCopyVirtualMemory+0x18b (fffff800`0416bad7)
fffff800`0416bac9 4533c0 xor r8d,r8d
fffff800`0416bacc 418ad2 mov dl,r10b
fffff800`0416bacf 498bcf mov rcx,r15
fffff800`0416bad2 e81987d7ff call nt!MmProbeAndLockPages (fffff800`03ee41f0)
fffff800`0416bad7 8b54244c mov edx,dword ptr [rsp+4Ch]
fffff800`0416badb eb2b jmp nt!MmCopyVirtualMemory+0x1bc (fffff800`0416bb08)
fffff800`0416badd 8bd0 mov edx,eax
fffff800`0416badf 8944244c mov dword ptr [rsp+4Ch],eax
fffff800`0416bae3 33ff xor edi,edi
fffff800`0416bae5 488bb424d0030000 mov rsi,qword ptr [rsp+3D0h]
fffff800`0416baed 8b5c2430 mov ebx,dword ptr [rsp+30h]
fffff800`0416baf1 4c8b7c2460 mov r15,qword ptr [rsp+60h]
fffff800`0416baf6 4c8b642440 mov r12,qword ptr [rsp+40h]
fffff800`0416bafb 4c8bac2480000000 mov r13,qword ptr [rsp+80h]
fffff800`0416bb03 448a742434 mov r14b,byte ptr [rsp+34h]
fffff800`0416bb08 443af7 cmp r14b,dil
fffff800`0416bb0b 750a jne nt!MmCopyVirtualMemory+0x1cb (fffff800`0416bb17)
fffff800`0416bb0d 488b442470 mov rax,qword ptr [rsp+70h]
fffff800`0416bb12 0fba704c07 btr dword ptr [rax+4Ch],7
fffff800`0416bb17 3bd7 cmp edx,edi
fffff800`0416bb19 0f8c9a010000 jl nt!MmCopyVirtualMemory+0x36d (fffff800`0416bcb9)
fffff800`0416bb1f 448bf3 mov r14d,ebx
fffff800`0416bb22 41d1ee shr r14d,1
fffff800`0416bb25 4183e601 and r14d,1
fffff800`0416bb29 0f8536020000 jne nt!MmCopyVirtualMemory+0x419 (fffff800`0416bd65)
fffff800`0416bb2f 488d8c2488000000 lea rcx,[rsp+88h]
fffff800`0416bb37 e8d4c9d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510)
fffff800`0416bb3c 488d942488000000 lea rdx,[rsp+88h]
fffff800`0416bb44 488b8c24c0030000 mov rcx,qword ptr [rsp+3C0h]
fffff800`0416bb4c e8afccd8ff call nt!KeStackAttachProcess (fffff800`03ef8800)
fffff800`0416bb51 488b442468 mov rax,qword ptr [rsp+68h]
fffff800`0416bb56 483b8424b8030000 cmp rax,qword ptr [rsp+3B8h]
fffff800`0416bb5e 7550 jne nt!MmCopyVirtualMemory+0x264 (fffff800`0416bbb0)
fffff800`0416bb60 4038bc24d8030000 cmp byte ptr [rsp+3D8h],dil
fffff800`0416bb68 7446 je nt!MmCopyVirtualMemory+0x264 (fffff800`0416bbb0)
fffff800`0416bb6a 41b801000000 mov r8d,1
fffff800`0416bb70 488bd6 mov rdx,rsi
fffff800`0416bb73 488b8c24c8030000 mov rcx,qword ptr [rsp+3C8h]
fffff800`0416bb7b e8b03d0700 call nt!ProbeForWrite (fffff800`041df930)
fffff800`0416bb80 eb2e jmp nt!MmCopyVirtualMemory+0x264 (fffff800`0416bbb0)
fffff800`0416bb82 8bf8 mov edi,eax
fffff800`0416bb84 8b5c2430 mov ebx,dword ptr [rsp+30h]
fffff800`0416bb88 f6c302 test bl,2
fffff800`0416bb8b 7419 je nt!MmCopyVirtualMemory+0x25a (fffff800`0416bba6)
fffff800`0416bb8d 488b542460 mov rdx,qword ptr [rsp+60h]
fffff800`0416bb92 488b4c2450 mov rcx,qword ptr [rsp+50h]
fffff800`0416bb97 e8f0d9d7ff call nt!MmUnmapLockedPages (fffff800`03ee958c)
fffff800`0416bb9c 488b4c2460 mov rcx,qword ptr [rsp+60h]
fffff800`0416bba1 e83a9ed7ff call nt!MmUnlockPages (fffff800`03ee59e0)
fffff800`0416bba6 4c8b642440 mov r12,qword ptr [rsp+40h]
fffff800`0416bbab e927010000 jmp nt!MmCopyVirtualMemory+0x38b (fffff800`0416bcd7)
fffff800`0416bbb0 443bf7 cmp r14d,edi
fffff800`0416bbb3 7512 jne nt!MmCopyVirtualMemory+0x27b (fffff800`0416bbc7)
fffff800`0416bbb5 4d8bc5 mov r8,r13
fffff800`0416bbb8 498bd4 mov rdx,r12
fffff800`0416bbbb 488b4c2458 mov rcx,qword ptr [rsp+58h]
fffff800`0416bbc0 e87b28d5ff call nt!memcpy (fffff800`03ebe440)
fffff800`0416bbc5 eb12 jmp nt!MmCopyVirtualMemory+0x28d (fffff800`0416bbd9)
fffff800`0416bbc7 4d8bc5 mov r8,r13
fffff800`0416bbca 488b542450 mov rdx,qword ptr [rsp+50h]
fffff800`0416bbcf 488b4c2458 mov rcx,qword ptr [rsp+58h]
fffff800`0416bbd4 e86728d5ff call nt!memcpy (fffff800`03ebe440)
fffff800`0416bbd9 eb7b jmp nt!MmCopyVirtualMemory+0x30a (fffff800`0416bc56)
fffff800`0416bbdb 8b5c2430 mov ebx,dword ptr [rsp+30h]
fffff800`0416bbdf f6c302 test bl,2
fffff800`0416bbe2 7434 je nt!MmCopyVirtualMemory+0x2cc (fffff800`0416bc18)
fffff800`0416bbe4 4c8b7c2460 mov r15,qword ptr [rsp+60h]
fffff800`0416bbe9 498bd7 mov rdx,r15
fffff800`0416bbec 488b4c2450 mov rcx,qword ptr [rsp+50h]
fffff800`0416bbf1 e896d9d7ff call nt!MmUnmapLockedPages (fffff800`03ee958c)
fffff800`0416bbf6 498bcf mov rcx,r15
fffff800`0416bbf9 e8e29dd7ff call nt!MmUnlockPages (fffff800`03ee59e0)
fffff800`0416bbfe 83e3fd and ebx,0FFFFFFFDh
fffff800`0416bc01 895c2430 mov dword ptr [rsp+30h],ebx
fffff800`0416bc05 488d8c2488000000 lea rcx,[rsp+88h]
fffff800`0416bc0d e8fec8d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510)
fffff800`0416bc12 90 nop
fffff800`0416bc13 e996290c00 jmp nt! ?? ::NNGAKEGL::`string'+0x4c34c (fffff800`0422e5ae)
fffff800`0416bc18 488b8424d0030000 mov rax,qword ptr [rsp+3D0h]
fffff800`0416bc20 482b442438 sub rax,qword ptr [rsp+38h]
fffff800`0416bc25 488b8c24e0030000 mov rcx,qword ptr [rsp+3E0h]
fffff800`0416bc2d mov qword ptr [rcx],rax
fffff800`0416bc30 837c244801 cmp dword ptr [rsp+48h],
fffff800`0416bc35 jne nt!MmCopyVirtualMemory+0x2fb (fffff800`0416bc47)
fffff800`0416bc37 488b442478 mov rax,qword ptr [rsp+78h]
fffff800`0416bc3c 482b8424b8030000 sub rax,qword ptr [rsp+3B8h]
fffff800`0416bc44 mov qword ptr [rcx],rax
fffff800`0416bc47 bf0d000080 mov edi,8000000Dh
fffff800`0416bc4c 4c8b642440 mov r12,qword ptr [rsp+40h]
fffff800`0416bc51 e981000000 jmp nt!MmCopyVirtualMemory+0x38b (fffff800`0416bcd7)
fffff800`0416bc56 488d8c2488000000 lea rcx,[rsp+88h]
fffff800`0416bc5e e8adc8d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510)
fffff800`0416bc63 443bf7 cmp r14d,edi
fffff800`0416bc66 0f8529010000 jne nt!MmCopyVirtualMemory+0x449 (fffff800`0416bd95)
fffff800`0416bc6c 488b442438 mov rax,qword ptr [rsp+38h]
fffff800`0416bc71 492bc5 sub rax,r13
fffff800`0416bc74 mov qword ptr [rsp+38h],rax
fffff800`0416bc79 4c016c2468 add qword ptr [rsp+68h],r13
fffff800`0416bc7e 4c016c2458 add qword ptr [rsp+58h],r13
fffff800`0416bc83 4c8bb424b8030000 mov r14,qword ptr [rsp+3B8h]
fffff800`0416bc8b e985fdffff jmp nt!MmCopyVirtualMemory+0xc9 (fffff800`0416ba15)
fffff800`0416bc90 f6c301 test bl,
fffff800`0416bc93 0f8546290c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c37d (fffff800`0422e5df)
fffff800`0416bc99 488b8424e0030000 mov rax,qword ptr [rsp+3E0h]
fffff800`0416bca1 488930 mov qword ptr [rax],rsi
fffff800`0416bca4 33c0 xor eax,eax
fffff800`0416bca6 4881c470030000 add rsp,370h
fffff800`0416bcad 415f pop r15
fffff800`0416bcaf 415e pop r14
fffff800`0416bcb1 415d pop r13
fffff800`0416bcb3 415c pop r12
fffff800`0416bcb5 5f pop rdi
fffff800`0416bcb6 5e pop rsi
fffff800`0416bcb7 5b pop rbx
fffff800`0416bcb8 c3 ret
fffff800`0416bcb9 f6c302 test bl,2
fffff800`0416bcbc 0f8598280c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c2f8 (fffff800`0422e55a)
fffff800`0416bcc2 482b742438 sub rsi,qword ptr [rsp+38h]
fffff800`0416bcc7 488b8424e0030000 mov rax,qword ptr [rsp+3E0h]
fffff800`0416bccf mov qword ptr [rax],rsi
fffff800`0416bcd2 bf0d000080 mov edi,8000000Dh
fffff800`0416bcd7 488d8c2488000000 lea rcx,[rsp+88h]
fffff800`0416bcdf e82cc8d8ff call nt!KeUnstackDetachProcess (fffff800`03ef8510)
fffff800`0416bce4 f6c301 test bl,
fffff800`0416bce7 0f85e2280c00 jne nt! ?? ::NNGAKEGL::`string'+0x4c36d (fffff800`0422e5cf)
fffff800`0416bced 8bc7 mov eax,edi
fffff800`0416bcef ebb5 jmp nt!MmCopyVirtualMemory+0x35a (fffff800`0416bca6)
fffff800`0416bcf1 f6c302 test bl,2
fffff800`0416bcf4 0f84edfcffff je nt!MmCopyVirtualMemory+0x9b (fffff800`0416b9e7)
fffff800`0416bcfa 41bd00e00000 mov r13d,0E000h
fffff800`0416bd00 493bf5 cmp rsi,r13
fffff800`0416bd03 0f870cfdffff ja nt!MmCopyVirtualMemory+0xc9 (fffff800`0416ba15)
fffff800`0416bd09 4c8bee mov r13,rsi
fffff800`0416bd0c e904fdffff jmp nt!MmCopyVirtualMemory+0xc9 (fffff800`0416ba15)
fffff800`0416bd11 49893f mov qword ptr [r15],rdi
fffff800`0416bd14 418bd1 mov edx,r9d
fffff800`0416bd17 81e2ff0f0000 and edx,0FFFh
fffff800`0416bd1d 418bc5 mov eax,r13d
fffff800`0416bd20 25ff0f0000 and eax,0FFFh
fffff800`0416bd25 8d8c10ff0f0000 lea ecx,[rax+rdx+0FFFh]
fffff800`0416bd2c c1e90c shr ecx,0Ch
fffff800`0416bd2f 498bc5 mov rax,r13
fffff800`0416bd32 48c1e80c shr rax,0Ch
fffff800`0416bd36 6603c8 add cx,ax
fffff800`0416bd39 6683c106 add cx,6
fffff800`0416bd3d 66c1e103 shl cx,3
fffff800`0416bd41 6641894f08 mov word ptr [r15+8],cx
fffff800`0416bd46 6641897f0a mov word ptr [r15+0Ah],di
fffff800`0416bd4b 498bc1 mov rax,r9
fffff800`0416bd4e 482500f0ffff and rax,0FFFFFFFFFFFFF000h
fffff800`0416bd54 49894720 mov qword ptr [r15+20h],rax
fffff800`0416bd58 4189572c mov dword ptr [r15+2Ch],edx
fffff800`0416bd5c 45896f28 mov dword ptr [r15+28h],r13d
fffff800`0416bd60 e93cfdffff jmp nt!MmCopyVirtualMemory+0x155 (fffff800`0416baa1)
fffff800`0416bd65 c744242820000000 mov dword ptr [rsp+28h],20h
fffff800`0416bd6d 897c2420 mov dword ptr [rsp+20h],edi
fffff800`0416bd71 4533c9 xor r9d,r9d
fffff800`0416bd74 33d2 xor edx,edx
fffff800`0416bd76 458d4101 lea r8d,[r9+1]
fffff800`0416bd7a 498bcf mov rcx,r15
fffff800`0416bd7d e8be6fd7ff call nt!MmMapLockedPagesSpecifyCache (fffff800`03ee2d40)
fffff800`0416bd82 4889442450 mov qword ptr [rsp+50h],rax
fffff800`0416bd87 483bc7 cmp rax,rdi
fffff800`0416bd8a 0f859ffdffff jne nt!MmCopyVirtualMemory+0x1e3 (fffff800`0416bb2f)
fffff800`0416bd90 e9eb270c00 jmp nt! ?? ::NNGAKEGL::`string'+0x4c31e (fffff800`0422e580)
fffff800`0416bd95 498bd7 mov rdx,r15

狂客原创,转载请注明。侵权必究 作者:狂客 QQ:214109721