这种方式并没有打破 r0 和 r3 的边界：它是内核回调到用户态（KeUserModeCallback），目标函数仍然在 r3 执行，而不是让用户态代码进入 r0。
https://blog.51cto.com/u_15127614/3256433
https://cloud.tencent.com/developer/article/1540508
/*
 * KeUserModeCallback -- ntoskrnl routine for calling INTO user mode
 * (r0 -> r3), quoted here only to contrast it with the hook technique
 * described below. Whatever ApiNumber selects runs in r3, so this does not
 * give user-mode code kernel execution.
 *
 * NOTE(review): only the prototype is shown on this page; the marshalling
 * of InputBuffer/OutputBuffer and the meaning of ApiNumber are not
 * visible here -- confirm against the linked articles before relying on
 * them.
 */
NTSTATUS KeUserModeCallback (
IN ULONG ApiNumber,        /* presumably selects the user-mode callback (see note above) */
IN PVOID InputBuffer,      /* data handed to the user-mode callee */
IN ULONG InputLength,      /* size of InputBuffer in bytes */
OUT PVOID *OutputBuffer,   /* receives the callee's result buffer */
IN PULONG OutputLength     /* receives the size of *OutputBuffer */
);
正常的 r3 → r0 通信路径是 DeviceIoControl，也就是由驱动创建设备对象并处理 IOCTL。
另一种做法是在内核中 hook 某个系统调用路径上的函数指针，然后 r3 通过调用对应的 API 间接把执行权和参数交给内核里的 hook 代码。
例如在内核中修改 xKdEnumerateDebuggingDevices 处的函数指针（对应下面反编译代码中被调用的函数指针槽位 off_140398A00[0]），然后 r3 调用 ntdll.NtConvertBetweenAuxiliaryCounterAndPerformanceCounter。该调用进入内核后，对应的内核例程会通过这个函数指针调用 xKdEnumerateDebuggingDevices，从而被替换进去的内核代码获得执行权，并且拿到用户态传入的参数。
详情可见 https://back.engineering/08/06/2020/ 或 https://github.com/btbd/modmap 。
/*
 * IDA pseudocode (as reproduced on this page) of the ntoskrnl syscall
 * NtConvertBetweenAuxiliaryCounterAndPerformanceCounter.
 *
 * Why this syscall is a useful hook point: after validating the user
 * pointers it does nothing itself -- it calls through one of two
 * function-pointer slots (off_140398A00[0] / off_140398A08[0], chosen by
 * a1) and copies the two QWORDs the callee produced back to the caller.
 * Overwriting a slot therefore turns the syscall into an r3 -> r0 channel:
 * user mode passes one 64-bit value in (*a2) and gets two 64-bit values
 * out (via a3 / a4), with no device object or IOCTL involved.
 *
 * a1 : selects the slot (0 -> off_140398A00[0], nonzero -> off_140398A08[0]).
 * a2 : pointer to an 8-byte input value; must be 4-byte aligned.
 * a3 : pointer that receives the first output QWORD; probed and written
 *      unconditionally, so it may not be NULL.
 * a4 : pointer that receives the second output QWORD; optional (NULL skips
 *      both the probe and the write).
 * Returns the callee's status; bit 31 set is treated as failure.
 *
 * v4 / v5 / v6 are just the decompiler's register copies of a4 / a3 / a1.
 */
__int64 __fastcall NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(char a1, unsigned __int64 a2, _QWORD *a3, _QWORD *a4)
{
_QWORD *v4; // rbx
_QWORD *v5; // rdi
char v6; // si
__int64 v7; // r14
__int64 (__fastcall *v8)(); // rax
unsigned int v9; // ecx
__int64 (__fastcall *v10)(); // rax
__int64 v12; // [rsp+20h] [rbp-28h]
__int64 v13; // [rsp+28h] [rbp-20h]
__int64 v14; // [rsp+30h] [rbp-18h]
v4 = a4;
v5 = a3;
v6 = a1;
/* PreviousMode != KernelMode: the caller is user mode, so every pointer
 * has to be probed before it is touched. */
if ( KeGetCurrentThread()->PreviousMode )
{
/* Input pointer must be 4-byte aligned or a datatype-misalignment
 * exception is raised. */
if ( a2 & 3 )
ExRaiseDatatypeMisalignment();
/* Inlined ProbeForRead: if [a2, a2+8) reaches past 0x7FFFFFFF0000
 * (presumably the x64 MM_USER_PROBE_ADDRESS -- TODO confirm) or the add
 * wraps, touch that address so the access faults instead of reading
 * kernel memory. */
if ( a2 + 8 > 0x7FFFFFFF0000i64 || a2 + 8 < a2 )
MEMORY[0x7FFFFFFF0000] = 0;
/* The decompiler shows two fetches of *a2, but only v7 is used below
 * (v14 is dead in this listing), so the callee's argument comes from a
 * single read taken after the probe. */
v7 = *(_QWORD *)a2;
v14 = *(_QWORD *)a2;
/* Output pointers: a3 is always probed for an 8-byte write, a4 only
 * when supplied. */
ProbeForWrite(a3, 8ui64, 4u);
if ( v4 )
ProbeForWrite(v4, 8ui64, 4u);
/* Pick the target routine from one of the two pointer slots. This is
 * the hook point: whoever overwrites the slot receives the call on the
 * line after, with the user-supplied v7 as first argument. */
v8 = off_140398A08[0];
if ( !v6 )
v8 = off_140398A00[0]; // this pointer gets swapped to the address of the manually mapped function hook handler.
/* Callee gets the user QWORD plus two kernel-stack output slots. */
v9 = ((__int64 (__fastcall *)(__int64, __int64 *, __int64 *))v8)(v7, &v12, &v13);
/* Only on success (bit 31 clear) are the results copied to the probed
 * user buffers; a4 stays optional. NOTE(review): the writes happen after
 * the callee returns -- any fault here is presumably caught by an
 * enclosing try/except that this listing does not show. */
if ( (v9 & 0x80000000) == 0 )
{
*v5 = v12;
if ( v4 )
*v4 = v13;
}
}
else
{
/* Kernel-mode caller: no probing, same slot selection, and the pointers
 * are handed straight to the callee, which writes a3/a4 itself. */
v10 = off_140398A08[0];
if ( !a1 )
v10 = off_140398A00[0];
v9 = ((__int64 (__fastcall *)(_QWORD, _QWORD *, _QWORD *))v10)(*(_QWORD *)a2, a3, a4);
}
return v9;
}