Title: Tracking an NTSTATUS to its source in kd
https://scz.617.cn/windows/201707140000.txt
Take 0xC00000A5 (STATUS_BAD_IMPERSONATION_LEVEL) as an example. Assume the source is in the nt module, and find every place in the nt module that returns this value.
Nothing especially interesting here; disassembling ntkrnlmp.exe directly with IDA is faster. This merely demonstrates a few basic windbg commands.
Tracking an NTSTATUS to its Source - SNoone [2017-07-14] http://www.osr.com/blog/2017/07/14/tracking-ntstatus-source/
kd> lm m nt
Browse full module list
start end module name
fffff80001855000 fffff80001e3c000 nt
kd> s -d fffff80001855000 fffff80001e3c000 0xc00000a5
fffff8000194eb08 c00000a5 63e9c032 41fff2a8 85144e8b ....2..c...A.N..
fffff80001b67f10 c00000a5 0000c4e9 02f98300 3b411f75 ............u.A;
fffff80001b67f34 c00000a5 0000a0e9 54894800 8d485024 .........H.T$PH.
fffff80001b68220 c00000a5 909090c3 90909090 45c88b4d ............M..E
fffff80001c1d180 c00000a5 244c8d48 5222e870 c38bfff4 ....H.L$p."R....
fffff80001cf5618 c00000a5 244c8d48 cd8ae878 c38bffe6 ....H.L$x.......
kd> s -d fffff80001855001 fffff80001e3c000 0xc00000a5
fffff80001856f71 c00000a5 030563e9 0079bb00 59e9c000 .....c....y....Y
fffff800018d71fd c00000a5 fffb28e9 8b4865ff 01882504 .....(...eH..%..
fffff80001b23265 c00000a5 07f6a2e9 03416600 ce50e9c3 .........fA...P.
fffff80001c09be1 c00000a5 f8294ee9 009ab8ff 44e9c000 .....N)........D
fffff800`01c1c7b1 c00000a5 24b48a44 00000090 f7ef8be9 ....D..$........
kd> s -d fffff80001855002 fffff80001e3c000 0xc00000a5
fffff80001c1c60a c00000a5 8b480ceb eb68244c 4c8b4805 ......H.L$h..H.L
fffff80001c1c636 c00000a5 f3b412e9 ac8b4cff 0000e024 .........L..$...
kd> s -d fffff80001855003 fffff80001e3c000 0xc00000a5
fffff80001b79e9f c00000a5 8b486eeb 48202454 30244c8b .....nH.T$ H.L$0
fffff80001b89b03 c00000a5 909081eb 90909090 c48b4890 .............H..
fffff80001bc1c8b c00000a5 246c8944 e9ff3330 0003cf0e ....D.l$03......
fffff80001cf4e7f c00000a5 8b481aeb 0180248c 3b480000 ......H..$....H;
A "-d" search only covers a quarter of the address space (the DWORD-aligned offsets); to cover everything you have to shift the start address, but at that point you might as well search with "-b" directly.
Not sure why, but the one below is far faster than the four above, by orders of magnitude; also, none of the four above hit the address fffff800`01a5b380, which the first "-d" search should have hit.
kd> s -b fffff80001855000 fffff80001e3c000 a5 00 00 c0
fffff80001856f71 a5 00 00 c0 e9 63 05 03-00 bb 79 00 00 c0 e9 59 .....c....y....Y
fffff800018d71fd a5 00 00 c0 e9 28 fb ff-ff 65 48 8b 04 25 88 01 .....(...eH..%..
fffff8000194eb08 a5 00 00 c0 32 c0 e9 63-a8 f2 ff 41 8b 4e 14 85 ....2..c...A.N..
fffff80001a5b380 a5 00 00 c0 00 00 00 00-00 00 00 00 00 00 00 00 ................
fffff80001b23265 a5 00 00 c0 e9 a2 f6 07-00 66 41 03 c3 e9 50 ce .........fA...P.
fffff80001b67f10 a5 00 00 c0 e9 c4 00 00-00 83 f9 02 75 1f 41 3b ............u.A;
fffff80001b67f34 a5 00 00 c0 e9 a0 00 00-00 48 89 54 24 50 48 8d .........H.T$PH.
fffff80001b68220 a5 00 00 c0 c3 90 90 90-90 90 90 90 4d 8b c8 45 ............M..E
fffff80001b79e9f a5 00 00 c0 eb 6e 48 8b-54 24 20 48 8b 4c 24 30 .....nH.T$ H.L$0
fffff80001b89b03 a5 00 00 c0 eb 81 90 90-90 90 90 90 90 48 8b c4 .............H..
fffff80001bc1c8b a5 00 00 c0 44 89 6c 24-30 33 ff e9 0e cf 03 00 ....D.l$03......
fffff80001c09be1 a5 00 00 c0 e9 4e 29 f8-ff b8 9a 00 00 c0 e9 44 .....N)........D
fffff80001c1c60a a5 00 00 c0 eb 0c 48 8b-4c 24 68 eb 05 48 8b 4c ......H.L$h..H.L
fffff80001c1c636 a5 00 00 c0 e9 12 b4 f3-ff 4c 8b ac 24 e0 00 00 .........L..$...
fffff80001c1c7b1 a5 00 00 c0 44 8a b4 24-90 00 00 00 e9 8b ef f7 ....D..$........
fffff80001c1d180 a5 00 00 c0 48 8d 4c 24-70 e8 22 52 f4 ff 8b c3 ....H.L$p."R....
fffff80001cf4e7f a5 00 00 c0 eb 1a 48 8b-8c 24 80 01 00 00 48 3b ......H..$....H;
fffff80001cf5618 a5 00 00 c0 48 8d 4c 24-78 e8 8a cd e6 ff 8b c3 ....H.L$x.......
The address fffff800`01a5b380 is odd; the behaviour above did not change in repeated tests. Later I noticed that during "-d" this address is all zeros, and only during "-b" does it hold "a5 00 00 c0"; it appears to be produced by the windbg command itself.
kd> ln fffff800`01a5b380
(fffff800`01a5b380) nt!KdpMessageBuffer
Exact matches:
nt!KdpMessageBuffer =
Judging by the name, it should be an internal buffer of the debugger subsystem.
Another oddity: the command below is also slow, and the only difference is the added [1]; and this time nt!KdpMessageBuffer is not hit.
kd> s -[1]b fffff80001855000 fffff80001e3c000 a5 00 00 c0
0xfffff80001856f71
0xfffff800018d71fd
0xfffff8000194eb08
0xfffff80001b23265
0xfffff80001b67f10
0xfffff80001b67f34
0xfffff80001b68220
0xfffff80001b79e9f
0xfffff80001b89b03
0xfffff80001bc1c8b
0xfffff80001c09be1
0xfffff80001c1c60a
0xfffff80001c1c636
0xfffff80001c1c7b1
0xfffff80001c1d180
0xfffff80001cf4e7f
0xfffff800`01cf5618
Assume there is a corresponding mov instruction, so disassemble starting one byte before the hit:
kd> u fffff80001b67f10-1 l 2
nt!NtDuplicateToken+0x25f:
fffff80001b67f0f b8a50000c0 mov eax,0C00000A5h
fffff80001b67f14 e9c4000000 jmp nt!NtDuplicateToken+0x32d (fffff80001b67fdd)
kd> .foreach (hit {s -[1]b fffff80001855000 fffff80001e3c000 a5 00 00 c0}) {u ${hit}-1 l 2}
...
nt!NtDuplicateToken+0x25f:
fffff80001b67f0f b8a50000c0 mov eax,0C00000A5h
fffff80001b67f14 e9c4000000 jmp nt!NtDuplicateToken+0x32d (fffff80001b67fdd)
nt!NtDuplicateToken+0x283:
fffff80001b67f33 b8a50000c0 mov eax,0C00000A5h
fffff80001b67f38 e9a0000000 jmp nt!NtDuplicateToken+0x32d (fffff80001b67fdd)
nt!SeValidateSecurityQos+0x1f:
fffff80001b6821f b8a50000c0 mov eax,0C00000A5h
fffff80001b68224 c3 ret
nt!SeIsTokenAssignableToProcess+0x13e:
fffff80001b79e9e b8a50000c0 mov eax,0C00000A5h
fffff80001b79ea3 eb6e jmp nt!SeIsTokenAssignableToProcess+0x1b3 (fffff80001b79f13)
nt!SepCreateClientSecurity+0xfa:
fffff80001b89b02 b8a50000c0 mov eax,0C00000A5h
fffff80001b89b07 eb81 jmp nt!SepCreateClientSecurity+0x82 (fffff80001b89a8a)
nt!ObpCaptureObjectCreateInformation+0x238:
fffff80001bc1c8a bda50000c0 mov ebp,0C00000A5h
fffff80001bc1c8f 44896c2430 mov dword ptr [rsp+30h],r13d
...
nt!NtOpenObjectAuditAlarm+0x12e:
fffff80001cf4e7e bba50000c0 mov ebx,0C00000A5h
fffff80001cf4e83 eb1a jmp nt!NtOpenObjectAuditAlarm+0x14f (fffff80001cf4e9f)
nt!NtPrivilegeObjectAuditAlarm+0xd7:
fffff80001cf5617 bba50000c0 mov ebx,0C00000A5h
fffff800`01cf561c 488d4c2478 lea rcx,[rsp+78h]
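The whole procedure above, a value search at every byte offset versus only at DWORD-aligned offsets (the "-b" versus "-d" difference) followed by the "look one byte back for a mov r32, imm32 opcode" heuristic of the .foreach loop, as an added Python example that runs offline over a byte buffer; it is not part of the original note and does not run under kd. The sample buffer is constructed from byte fragments shown in the dumps above (the b8/bd/bb cases and an all-zero data occurrence), padded so the value lands on every alignment residue, plus one constructed 41 b8 (REX.B prefix, r8d) case that the note does not show; the function names search, classify_hit and find_return_sites are my own.

```python
import struct

STATUS = 0xC00000A5          # STATUS_BAD_IMPERSONATION_LEVEL
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def needle(status):
    """Little-endian bytes of a 32-bit NTSTATUS: the `a5 00 00 c0` that `s -b` is given."""
    return struct.pack("<I", status)


def search(buf, status, step=1, start=0):
    """Offsets of every occurrence of the value.

    step=1 behaves like `s -b` (every byte offset is checked);
    step=4 with start=0..3 behaves like the four `s -d` runs in the note,
    each of which only sees the offsets congruent to `start` modulo 4."""
    pat = needle(status)
    return [off for off in range(start, len(buf) - 3, step) if buf[off:off + 4] == pat]


def classify_hit(buf, off, status):
    """The `u ${hit}-1` heuristic: is the byte before the hit a `mov r32, imm32` opcode (B8+r)?

    Returns (instruction offset, WinDbg-style mnemonic), or None when the value is
    plain data (like the all-zero debugger buffer in the note)."""
    if off < 1:
        return None
    op = buf[off - 1]
    if not 0xB8 <= op <= 0xBF:
        return None
    reg_index = op - 0xB8
    imm = f"0{status:X}h"
    # A REX.B prefix (0x41) directly before the opcode selects r8d..r15d instead.
    if off >= 2 and buf[off - 2] == 0x41:
        return (off - 2, f"mov r{8 + reg_index}d,{imm}")
    return (off - 1, f"mov {REGS32[reg_index]},{imm}")


def find_return_sites(buf, status):
    """Full-coverage search plus classification, like the `.foreach` loop in the note."""
    return [(off, classify_hit(buf, off, status)) for off in search(buf, status)]


NEEDLE = needle(STATUS)
# Constructed sample: byte fragments copied from the dumps above, padded so the
# value lands on every alignment residue, plus one constructed REX.B case.
SAMPLE = (
    b"\x90" * 3 + b"\xb8" + NEEDLE + b"\xe9\xc4\x00\x00\x00"    # mov eax (NtDuplicateToken), value at 4
    + b"\x90" * 3 + b"\xbd" + NEEDLE + b"\x44\x89\x6c\x24\x30"  # mov ebp (ObpCaptureObjectCreateInformation), value at 17
    + b"\x90" * 3 + b"\xbb" + NEEDLE + b"\xeb\x1a"              # mov ebx (NtOpenObjectAuditAlarm), value at 30
    + b"\x00" * 3 + NEEDLE + b"\x00" * 5                        # data, not code (KdpMessageBuffer-like), value at 39
    + b"\x90" * 2 + b"\x41\xb8" + NEEDLE + b"\xc3"              # constructed: REX.B + B8 = mov r8d, value at 52
)

if __name__ == "__main__":
    aligned = search(SAMPLE, STATUS, step=4)
    everywhere = search(SAMPLE, STATUS)
    print(f"DWORD-aligned search found {aligned}, byte search found {everywhere}")
    for off, hit in find_return_sites(SAMPLE, STATUS):
        print(f"{off:#06x}: {hit[1] if hit else 'data, no mov opcode before it'}")
```

With step=4 the aligned search sees only two of the five occurrences, which is the quarter-coverage problem the note works around by shifting the start address; the every-byte search finds all five, and the one-byte-back check separates the four mov sites from the data occurrence.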