Notes from tracing ZwOpenFile: confirmed that the arguments are passed by pushing them onto the stack from right to left, the same as the C calling convention.
After setting a breakpoint on ZwOpenFile and breaking in, the call stack looks like this:
nt!ZwOpenFile
nt!MmLoadSystemImage+0x266
nt!IopLoadDriver+0x370
nt!PipCallDriverAddDeviceQueryRoutine+0x235
nt!RtlpCallQueryRegistryRoutine+0x3b1
nt!RtlQueryRegistryValues+0x2a6
nt!PipCallDriverAddDevice+0x261
nt!PipProcessDevNodeTree+0x1a4
nt!PiProcessReenumeration+0x60
nt!PipDeviceActionWorker+0x166
nt!ExpWorkerThread+0x100
nt!PspSystemThreadStartup+0x34
nt!KiThreadStartup+0x16
Next we find the name of the file being opened.
kd> d esp // the top of the stack holds the return address
f9e9e668 87 43 5a 80 dc e7 e9 f9-20 00 00 00 7c e7 e9 f9 .CZ..... ...|...
f9e9e678 5c e7 e9 f9 05 00 00 00-00 00 00 00 20 b6 55 80 \........... .U.
f9e9e688 40 b6 55 80 00 00 00 00-e0 2e 00 e1 00 ee a7 e1 @.U.............
f9e9e698 e0 2e 00 e1 01 ee a7 e1-d4 1d 79 d3 36 50 56 80 ..........y.6PV.
f9e9e6a8 00 00 00 00 00 00 00 00-7c e6 e9 f9 00 00 00 00 ........|.......
f9e9e6b8 50 e7 e9 f9 90 34 4e 80-00 15 4f 80 ff ff ff ff P....4N...O.....
f9e9e6c8 1c e8 e9 f9 18 ee a7 e1-00 fb 56 80 18 ee a7 e1 ..........V.....
f9e9e6d8 00 ee a7 e1 60 e7 e9 f9-ca fc 56 80 7c e7 e9 f9 ....`.....V.|...
kd> u 0x805a4387 // confirm that the value at the top of the stack really is the return address
nt!MmLoadSystemImage+0x266:
805a4387 8945e0 mov dword ptr [ebp-20h],eax
805a438a 3bc6 cmp eax,esi
805a438c 0f8c8c040000 jl nt!MmLoadSystemImage+0x3a2 (805a481e)
805a4392 56 push esi
805a4393 ff75c8 push dword ptr [ebp-38h]
805a4396 e84d150000 call nt!MmCheckSystemImage (805a58e8)
805a439b 8945e0 mov dword ptr [ebp-20h],eax
805a439e 3d210200c0 cmp eax,0C0000221h
kd> d 0xf9e9e77c // the third parameter of ZwOpenFile, IN POBJECT_ATTRIBUTES ObjectAttributes
f9e9e77c 18 00 00 00 00 00 00 00-98 e8 e9 f9 40 02 00 00 ............@...
f9e9e78c 00 00 00 00 00 00 00 00-f4 e7 e9 f9 30 bb 7b 81 ............0.{.
f9e9e79c e1 bb 54 80 50 c1 49 81-10 e7 46 81 ff ff ff ff ..T.P.I...F.....
f9e9e7ac f4 e7 e9 f9 00 00 00 00-78 0e 54 81 3a 00 3a 00 ........x.T.:.:.
f9e9e7bc 10 0c c8 e1 38 bb 54 80-00 00 00 00 00 00 00 00 ....8.T.........
f9e9e7cc 00 00 00 00 fe ff ff ff-00 00 00 00 00 e7 e9 f9 ................
f9e9e7dc 00 00 00 00 4e 00 50 00-10 0c c8 e1 14 00 14 00 ....N.P.........
f9e9e7ec 4a 0c c8 e1 ff ff ff ff-05 00 00 00 24 e8 e9 f9 J...........$...
kd> d 0xf9e9e898 // the third member of the OBJECT_ATTRIBUTES structure is PUNICODE_STRING ObjectName;
f9e9e898 4e 00 50 00 10 0c c8 e1-00 00 00 00 00 01 00 00 N.P.............
f9e9e8a8 cc ed e9 f9 30 00 00 00-19 00 02 00 00 00 00 00 ....0...........
f9e9e8b8 64 ea e9 f9 f0 e8 e9 f9-00 00 00 00 c1 d8 4d 80 d.............M.
f9e9e8c8 08 00 00 00 46 02 00 00-34 69 5a 80 64 ea e9 f9 ....F...4iZ.d...
f9e9e8d8 03 00 00 00 00 00 00 00-18 e3 46 81 00 00 00 00 ..........F.....
f9e9e8e8 68 07 00 80 30 00 00 00-40 bb 00 00 38 e9 e9 f9 h...0...@...8...
f9e9e8f8 66 73 5c 80 70 07 00 80-00 00 00 00 00 e9 e9 f9 fs\.p...........
f9e9e908 28 e9 e9 f9 70 18 ac e1-b8 18 ac e1 0e 00 00 00 (...p...........
kd> d 0xe1c80c10 // the file name pointed to by UNICODE_STRING ObjectName.Buffer
e1c80c10 5c 00 53 00 79 00 73 00-74 00 65 00 6d 00 52 00 \.S.y.s.t.e.m.R.
e1c80c20 6f 00 6f 00 74 00 5c 00-73 00 79 00 73 00 74 00 o.o.t.\.s.y.s.t.
e1c80c30 65 00 6d 00 33 00 32 00-5c 00 64 00 72 00 69 00 e.m.3.2.\.d.r.i.
e1c80c40 76 00 65 00 72 00 73 00-5c 00 6b 00 6d 00 69 00 v.e.r.s.\.k.m.i.
e1c80c50 78 00 65 00 72 00 2e 00-73 00 79 00 73 00 00 00 x.e.r...s.y.s...
e1c80c60 0b 04 0f 0c 43 4d 44 61-01 00 1c 00 76 6b 03 00 ....CMDa....vk..
e1c80c70 4e 00 00 00 f8 75 0b 00-01 00 00 00 01 00 0b 00 N....u..........
e1c80c80 56 69 64 00 f8 74 0b 00-7b 00 36 00 35 00 46 00 Vid..t..{.6.5.F.
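As an added example (not part of the original note), the following Python script performs the same walk offline over a memory image constructed from the dump lines above: it reads the six ZwOpenFile arguments from the stack (x86, return address at esp, arguments above it in declaration order because they were pushed right to left), follows ObjectAttributes->ObjectName, and decodes the UNICODE_STRING buffer. The flag constants are assumed to be the values from the Windows DDK headers.

```python
import struct

# Constructed memory image: the 16-byte lines of the kd "d" dumps above that the
# walk touches, keyed by the address at which each dump line starts.
MEMORY = {
    0xF9E9E668: bytes.fromhex("87435a80dce7e9f9200000007ce7e9f9"),  # esp at the breakpoint
    0xF9E9E678: bytes.fromhex("5ce7e9f9050000000000000020b65580"),
    0xF9E9E77C: bytes.fromhex("180000000000000098e8e9f940020000"),  # OBJECT_ATTRIBUTES
    0xF9E9E898: bytes.fromhex("4e005000100cc8e10000000000010000"),  # UNICODE_STRING
    0xE1C80C10: bytes.fromhex("5c00530079007300740065006d005200"),  # ObjectName.Buffer
    0xE1C80C20: bytes.fromhex("6f006f0074005c007300790073007400"),
    0xE1C80C30: bytes.fromhex("65006d00330032005c00640072006900"),
    0xE1C80C40: bytes.fromhex("76006500720073005c006b006d006900"),
    0xE1C80C50: bytes.fromhex("7800650072002e007300790073000000"),
}

# Flag values as defined in the Windows headers (assumed, ntifs.h / wdm.h).
FILE_EXECUTE, FILE_SHARE_READ, FILE_SHARE_DELETE = 0x20, 0x1, 0x4
OBJ_CASE_INSENSITIVE, OBJ_KERNEL_HANDLE = 0x40, 0x200

def read(addr, size):
    """Read `size` bytes, crossing dump-line boundaries; raises if the address was not dumped."""
    out = bytearray()
    while len(out) < size:
        a = addr + len(out)
        base = next(b for b in MEMORY if b <= a < b + 16)
        out += MEMORY[base][a - base : a - base + size - len(out)]
    return bytes(out)

def u32(addr):
    return struct.unpack("<I", read(addr, 4))[0]

def zwopenfile_args(esp):
    """[esp] is the return address; the arguments sit above it in declaration order."""
    names = ("FileHandle", "DesiredAccess", "ObjectAttributes",
             "IoStatusBlock", "ShareAccess", "OpenOptions")
    return {name: u32(esp + 4 + 4 * i) for i, name in enumerate(names)}

def object_name(oa):
    """OBJECT_ATTRIBUTES on x86: Length, RootDirectory, ObjectName, Attributes (4 bytes each);
    UNICODE_STRING: USHORT Length, USHORT MaximumLength, PWSTR Buffer."""
    if u32(oa) != 0x18:
        raise ValueError("OBJECT_ATTRIBUTES.Length is not sizeof(OBJECT_ATTRIBUTES) on x86")
    length, _maximum, buf = struct.unpack("<HHI", read(u32(oa + 8), 8))
    return read(buf, length).decode("utf-16-le"), u32(oa + 12)

def resolve(esp=0xF9E9E668):
    """Reproduce the note's result: which file ZwOpenFile was asked to open, and how."""
    args = zwopenfile_args(esp)
    path, attrs = object_name(args["ObjectAttributes"])
    return {"path": path, "access": args["DesiredAccess"],
            "share": args["ShareAccess"], "attributes": attrs}
```

Running `resolve()` yields the driver path from the dump together with the access mask (FILE_EXECUTE), share mode and object attributes (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE) that MmLoadSystemImage passed in.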