Viewing WFP driver callouts with WinDbg

The post shows a series of debugger commands and their results: disassembly of NETIO functions such as FeInitCalloutTable and InitDefaultCallout, inspection of memory addresses (the ones reached from gWfpGlobal), pool analysis of a particular memory region, and a loop that dumps the contents of that region. It concerns network stack and low-level system debugging.


kd> dp netio!gWfpGlobal L1
fffff801`96a63258 ffffe001`b9e025b0
kd> u netio!FeInitCalloutTable L10
NETIO!FeInitCalloutTable:
fffff801`96a22490 4053 push rbx
fffff801`96a22492 4883ec20 sub rsp,20h
fffff801`96a22496 488b05bb0d0400 mov rax,qword ptr [NETIO!gWfpGlobal (fffff801`96a63258)]
fffff801`96a2249d 33c9 xor ecx,ecx
fffff801`96a2249f ba57667043 mov edx,43706657h
fffff801`96a224a4 48898848010000 mov qword ptr [rax+148h],rcx
fffff801`96a224ab 48898850010000 mov qword ptr [rax+150h],rcx
fffff801`96a224b2 b900400100 mov ecx,14000h
fffff801`96a224b7 4c8b059a0d0400 mov r8,qword ptr [NETIO!gWfpGlobal (fffff801`96a63258)]
fffff801`96a224be 4981c050010000 add r8, 150h
fffff801`96a224c5 e8223dfeff call NETIO!WfpPoolAllocNonPaged (fffff801`96a061ec)
fffff801`96a224ca 488bd8 mov rbx,rax
 
kd> dps ffffe001`b9e025b0 + 0x150 L1
ffffe001`b9e02700 ffffe001`b9e07000
 
kd> !pool ffffe001`b9e07000
Pool page ffffe001b9e07000 region is Nonpaged pool
*ffffe001b9e07000 : large page allocation, tag is WfpC, size is 0x14000 bytes
Pooltag WfpC : WFP callouts, Binary : netio.sys
 
kd> u NETIO!InitDefaultCallout
NETIO!InitDefaultCallout:
fffff801`96a2251c 4053 push rbx
fffff801`96a2251e 4883ec20 sub rsp,20h
fffff801`96a22522 4c8d051f150400 lea r8,[NETIO!gFeCallout (fffff801`96a63a48)]
fffff801`96a22529 ba57667043 mov edx,43706657h
fffff801`96a2252e b950000000 mov ecx, 50h
fffff801`96a22533 e8b43cfeff call NETIO!WfpPoolAllocNonPaged
fffff801`96a22538 488bd8 mov rbx,rax
fffff801`96a2253b 4885c0 test rax,rax
 
kd> r $t0= ffffe001b9e07000 ; .for( r $t1=0; @$t1 < 0x30; r $t1=@$t1+1) {dps @$t0+2*@$ptrsize L2; r $t0=@$t0+ 0x50 ;}
ffffe001`b9e07010 00000000`00000000
ffffe001`b9e07018 00000000`00000000
ffffe001`b9e07060 fffff801`971ab5c0 tcpip!IPSecInboundTransportFilterCalloutClassifyV4
ffffe001`b9e07068 fffff801`9712b060 tcpip!IPSecAleConnectCalloutNotify
ffffe001`b9e070b0 fffff801`971ab700 tcpip!IPSecInboundTransportFilterCalloutClassifyV6
ffffe001`b9e070b8 fffff801`9712b060 tcpip!IPSecAleConnectCalloutNotify
ffffe001`b9e07100 fffff801`971aaf70 tcpip!IPSecOutboundTransportFilterCalloutClassifyV4
ffffe001`b9e07108 fffff801`9712b060 tcpip!IPSecAleConnectCalloutNotify
ffffe001`b9e07150 fffff801`971b30d0 tcpip!IPSecOutboundTransportFilterCalloutClassifyV6
ffffe001`b9e07158 fffff801`9712b060 tcpip!IPSecAleConnectCalloutNotify
ffffe001`b9e071a0 fffff801`971b2990 tcpip!IPSecInboundTunnelFilterCalloutClassifyV4
ffffe001`b9e071a8 fffff801`9712b060 tcpip!IPSecAleConnectCalloutNotify
ffffe001`b9e071f0 fffff801`971b2a50 tcpip!IPSecInboundTunnelFilterCalloutClassifyV6
ffffe001`b9e071f8 fffff801`9712b060 tcpip!IPSecAleConnectCalloutNotify
[…]
ffffe001`b9e07c90 fffff801`97037500 tcpip!WfpAlepSetOptionsCalloutClassify
ffffe001`b9e07c98 fffff801`9707ce80 tcpip!FllAddGroup
ffffe001`b9e07ce0 00000000`00000000
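As an added example (not code from the original post), the same walk the .for loop above performs, done offline in Python over a dump of the WfpC block: it reads the classifyFn/notifyFn slots at +0x10/+0x18 of each 0x50-byte entry and flags any entry whose pointers do not fall inside a known driver image, which is the check a defender runs to spot a callout that has been redirected. The module bounds and the sample bytes are constructed for the example, not taken from the page.

```python
import struct

ENTRY_SIZE = 0x50      # stride of one callout entry, as in the .for loop (r $t0=@$t0+0x50)
CLASSIFY_OFF = 0x10    # 2*@$ptrsize: the classifyFn pointer shown by dps
NOTIFY_OFF = 0x18      # the following qword: the notifyFn pointer


def walk_callout_table(table_va, raw, max_entries=0x30):
    """Return (index, entry_va, classify_fn, notify_fn) for every populated entry.

    raw holds the bytes of the WfpC pool block starting at table_va. Entries whose
    classifyFn slot is NULL are unused and skipped (like entry 0 on the page)."""
    out = []
    for i in range(min(max_entries, len(raw) // ENTRY_SIZE)):
        base = i * ENTRY_SIZE
        classify, notify = struct.unpack_from("<QQ", raw, base + CLASSIFY_OFF)
        if classify == 0:
            continue
        out.append((i, table_va + base, classify, notify))
    return out


def find_foreign_callouts(entries, module_ranges):
    """Flag entries whose classify or notify pointer lies outside every known image range."""
    def inside(p):
        return any(lo <= p < hi for lo, hi in module_ranges.values())
    return [e for e in entries if not (inside(e[2]) and inside(e[3]))]


# Constructed sample: three 0x50-byte entries, not real memory contents.
TABLE_VA = 0xFFFFE001B9E07000
MODULES = {"tcpip": (0xFFFFF80197000000, 0xFFFFF80197300000),  # constructed image bounds
           "netio": (0xFFFFF80196A00000, 0xFFFFF80196A70000)}
KNOWN_CLASSIFY = 0xFFFFF801971AB5C0   # tcpip!IPSecInboundTransportFilterCalloutClassifyV4
KNOWN_NOTIFY = 0xFFFFF8019712B060     # tcpip!IPSecAleConnectCalloutNotify
FOREIGN = 0xFFFFE001BBBB0000          # constructed: pool address owned by no loaded module


def build_entry(classify, notify):
    e = bytearray(ENTRY_SIZE)
    struct.pack_into("<QQ", e, CLASSIFY_OFF, classify, notify)
    return bytes(e)


SAMPLE = (build_entry(0, 0)                          # unused slot, like entry 0 above
          + build_entry(KNOWN_CLASSIFY, KNOWN_NOTIFY)  # legitimate tcpip callout
          + build_entry(FOREIGN, KNOWN_NOTIFY))         # classifyFn redirected out of tcpip

if __name__ == "__main__":
    entries = walk_callout_table(TABLE_VA, SAMPLE)
    for idx, va, c, n in find_foreign_callouts(entries, MODULES):
        print(f"entry {idx} @ {va:#x}: classify={c:#x} notify={n:#x} not in a known module")
```

On a live target the raw bytes come from `db`/`.writemem` of the WfpC block and the module bounds from `lm`; everything else is the same walk.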