Title: Viewing the DLLs loaded by a user-mode process from kernel mode
Created: 2017-11-23 16:13  Updated: 2018-01-23 11:00  Link: https://scz.617.cn/windows/201711231613.txt
1) lmuf
2) Walking the three linked lists
3) Walking the lists with dx
4) The built-in module list in dx
5) !dlls
6) !peb
7) !vad
Listing the DLLs loaded by one particular user-mode process from kd is not a real need; you could even call it a made-up one. I am only using it as a pretext to introduce a few windbg commands.
1) lmuf
The simplest approach: switch to the target process, then:
kd> .reload /user
kd> lmuf
start             end                 module name
...
00007ffa332a0000  00007ffa3334e000    KERNEL32   C:\WINDOWS\System32\KERNEL32.DLL
00007ffa33530000  00007ffa33710000    ntdll      C:\WINDOWS\SYSTEM32\ntdll.dll
2) Walking the three linked lists
The approach shellcode commonly uses: walk the three linked lists.
kd> dt nt!_PEB_LDR_DATA @@(@$peb->Ldr)
   +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x0000029e5b632490 - 0x0000029e5fea8ba0 ]
   +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x0000029e5b6324a0 - 0x0000029e5fea8bb0 ]
   +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x0000029e5b632320 - 0x0000029e5fea8bc0 ]
kd> dt nt!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x010 InMemoryOrderLinks : _LIST_ENTRY
+0x020 InInitializationOrderLinks : _LIST_ENTRY
+0x030 DllBase : Ptr64 Void
+0x038 EntryPoint : Ptr64 Void
+0x040 SizeOfImage : Uint4B
+0x048 FullDllName : _UNICODE_STRING
Walk in load order:
!list -t nt!_LIST_ENTRY.Flink -x "r $t0=@@(#CONTAINING_RECORD(@$extret,nt!_LDR_DATA_TABLE_ENTRY,InLoadOrderLinks));r @$t0,@$extret;dt -io nt!_LDR_DATA_TABLE_ENTRY DllBase FullDllName @$t0" @@(@$peb->Ldr->InLoadOrderModuleList.Flink)
notepad.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll ADVAPI32.dll msvcrt.dll ...
When walking forward in "initialization order", the first node corresponds to ntdll.dll. When walking forward in "load order" or "memory order", the first node corresponds to the EXE and only the second node corresponds to ntdll.dll. The "initialization order" list therefore has one node fewer.
"!list" does not support walking backwards; in other words, it cannot walk the list via Blink.
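The same walk done offline, as an added example that is not part of the original page: the offsets are the ones `dt` prints above (x64), but the "memory" is a byte image constructed here, so the code runs the way a memory-forensics tool would over a dump rather than against a live PEB. The module names and bases are the first three entries of the page's notepad.exe session; where the entries and strings are placed inside the image is arbitrary. It also shows why the initialization-order list is one node shorter and starts with ntdll.dll, and bounds the walk so a corrupted or cyclic list cannot spin forever.

```python
"""Walk the three PEB loader lists in a constructed x64 memory image.

Added example, not code from the original page. The offsets come from the
`dt nt!_PEB_LDR_DATA` and `dt nt!_LDR_DATA_TABLE_ENTRY` output on the page
(x64): list heads at Ldr+0x10/+0x20/+0x30, link fields at entry+0x00/+0x10/
+0x20, DllBase at +0x30 and FullDllName (a _UNICODE_STRING) at +0x48.
"""
import struct

# Offsets taken from the dt output on the page (x64 layout).
LDR_HEADS = {"load": 0x10, "memory": 0x20, "init": 0x30}    # in _PEB_LDR_DATA
ENTRY_LINKS = {"load": 0x00, "memory": 0x10, "init": 0x20}  # in _LDR_DATA_TABLE_ENTRY
OFF_DLLBASE = 0x30
OFF_FULLDLLNAME = 0x48  # _UNICODE_STRING: Length(2) MaximumLength(2) pad(4) Buffer(8)

# Constructed module table: the first three modules of the notepad.exe session
# on the page, with their bases. Entry and string placements are arbitrary.
MODULES = [
    (0x100, "C:\\WINDOWS\\system32\\notepad.exe", 0x7FF61FDE0000),
    (0x200, "C:\\WINDOWS\\SYSTEM32\\ntdll.dll", 0x7FFA33530000),
    (0x300, "C:\\WINDOWS\\System32\\KERNEL32.DLL", 0x7FFA332A0000),
]
# Which entries sit on which list: the EXE is never on the initialization list,
# which is why that list is one node shorter and starts with ntdll.dll.
MEMBERSHIP = {"load": [0, 1, 2], "memory": [0, 1, 2], "init": [1, 2]}


def build_image(base=0x29E5B630000):
    """Return (base, image) with _PEB_LDR_DATA at `base` and three entries."""
    img = bytearray(0x1000)

    def put64(off, v): struct.pack_into("<Q", img, off, v)
    def put16(off, v): struct.pack_into("<H", img, off, v)

    for i, (eoff, name, dllbase) in enumerate(MODULES):
        put64(eoff + OFF_DLLBASE, dllbase)
        raw = name.encode("utf-16-le")
        buf = 0x800 + 0x80 * i                           # UTF-16 name buffer
        img[buf:buf + len(raw)] = raw
        put16(eoff + OFF_FULLDLLNAME, len(raw))          # Length (bytes)
        put16(eoff + OFF_FULLDLLNAME + 2, len(raw) + 2)  # MaximumLength
        put64(eoff + OFF_FULLDLLNAME + 8, base + buf)    # Buffer
    for key, members in MEMBERSHIP.items():
        # Circular doubly linked list: the head, then each member's link field.
        nodes = [LDR_HEADS[key]] + [MODULES[m][0] + ENTRY_LINKS[key] for m in members]
        for j, node in enumerate(nodes):
            put64(node, base + nodes[(j + 1) % len(nodes)])      # Flink
            put64(node + 8, base + nodes[(j - 1) % len(nodes)])  # Blink
    return base, bytes(img)


def walk(image, base, ldr, order, limit=512):
    """Follow Flink from the chosen list head; return [(DllBase, FullDllName)].

    Subtracting ENTRY_LINKS[order] is what CONTAINING_RECORD does in the
    `!list` command on the page: the same _LDR_DATA_TABLE_ENTRY is reached
    from three different link fields. `limit` and `seen` bound the walk so a
    corrupted or cyclic list in a dump cannot loop forever.
    """
    def rd(addr, size):
        off = addr - base
        if not 0 <= off <= len(image) - size:
            raise ValueError(f"pointer {addr:#x} outside the image")
        return image[off:off + size]

    head = ldr + LDR_HEADS[order]
    link = struct.unpack("<Q", rd(head, 8))[0]
    seen, out = set(), []
    while link != head and link not in seen and len(out) < limit:
        seen.add(link)
        entry = link - ENTRY_LINKS[order]
        length = struct.unpack("<H", rd(entry + OFF_FULLDLLNAME, 2))[0]
        buf = struct.unpack("<Q", rd(entry + OFF_FULLDLLNAME + 8, 8))[0]
        name = rd(buf, length).decode("utf-16-le")
        out.append((struct.unpack("<Q", rd(entry + OFF_DLLBASE, 8))[0], name))
        link = struct.unpack("<Q", rd(link, 8))[0]
    return out


def list_modules(order):
    """Walk the constructed image in 'load', 'memory' or 'init' order."""
    base, image = build_image()
    return walk(image, base, base, order)


if __name__ == "__main__":
    for order in ("load", "memory", "init"):
        print(f"{order} order:")
        for dllbase, name in list_modules(order):
            print(f"  {dllbase:#014x}  {name}")
```

On a real dump the only change is the `rd` callback, which would read from the captured address space instead of the constructed bytes; the offsets and the per-list subtraction stay the same. Note that `walk` treats an out-of-image pointer as an error rather than silently skipping it, which is the behaviour you want when the list you are parsing may have been tampered with.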
3) Walking the lists with dx
This is still a list walk; I just want to show how to do it with dx.
dx -g Debugger.Utility.Collections.FromListEntry(@$peb->Ldr->InLoadOrderModuleList,"nt!_LDR_DATA_TABLE_ENTRY","InLoadOrderLinks").Select(o=>new{DllBase=o._LDR_DATA_TABLE_ENTRY::DllBase,FullDllName=o._LDR_DATA_TABLE_ENTRY::FullDllName}),0x1000
==================================================================================
=        = DllBase          = FullDllName                                        =
==================================================================================
= [0x0]  - 0x7ff61fde0000   - "C:\WINDOWS\system32\notepad.exe"                  =
= [0x1]  - 0x7ffa33530000   - "C:\WINDOWS\SYSTEM32\ntdll.dll"                    =
= [0x2]  - 0x7ffa332a0000   - "C:\WINDOWS\System32\KERNEL32.DLL"                 =
= [0x3]  - 0x7ffa2ff40000   - "C:\WINDOWS\System32\KERNELBASE.dll"               =
= [0x4]  - 0x7ffa32bd0000   - "C:\WINDOWS\System32\ADVAPI32.dll"                 =
= [0x5]  - 0x7ffa331d0000   - "C:\WINDOWS\System32\msvcrt.dll"                   =
...
= [0x72] - 0x7ffa2bf10000   - "C:\WINDOWS\SYSTEM32\winmmbase.dll"                =
= [0x73] - 0x7ffa16380000   - "C:\WINDOWS\system32\NetworkExplorer.dll"          =
==================================================================================
4) The built-in module list in dx
dx has built-in support for the module list, so there is no need to walk the linked lists:
dx -g @$curprocess.Modules.Where(o=>o.BaseAddress<0xf000000000000000).Select(o=>new{BaseAddress=o.BaseAddress,Name=o.Name}),0x1000
==================================================================================
=        = BaseAddress      = Name                                               =
==================================================================================
= [0x0]  - 0x6ef10000       - C:\WINDOWS\System32\vmhgfs.dll                     =
= [0x1]  - 0x7ff61fde0000   - C:\WINDOWS\system32\notepad.exe                    =
...
= [0x70] - 0x7ffa331d0000   - C:\WINDOWS\System32\msvcrt.dll                     =
= [0x71] - 0x7ffa33280000   - C:\WINDOWS\System32\imagehlp.dll                   =
= [0x72] - 0x7ffa332a0000   - C:\WINDOWS\System32\KERNEL32.DLL                   =
= [0x73] - 0x7ffa33530000   - C:\WINDOWS\SYSTEM32\ntdll.dll                      =
==================================================================================
Judging by this output, the list appears to be sorted by load base address in ascending order.
5) !dlls
windbg has a !dlls extension command.
Walk in load order:
!dlls -l
Walk in memory order:
!dlls -m
Walk in initialization order:
!dlls -i
The output looks like this:
0x29e5b632490: C:\WINDOWS\system32\notepad.exe
Base 0x7ff61fde0000 EntryPoint 0x7ff61fdf93e0 Size 0x00041000 DdagNode 0x29e5b6325c0
Flags 0x0000a2cc TlsIndex 0x00000000 LoadCount 0xffffffff NodeRefCount 0x00000000
0x29e5b632300: C:\WINDOWS\SYSTEM32\ntdll.dll
Base 0x7ffa33530000 EntryPoint 0x00000000 Size 0x001e0000 DdagNode 0x29e5b632430
Flags 0x0000a2c4 TlsIndex 0x00000000 LoadCount 0xffffffff NodeRefCount 0x00000000
0x29e5b632950: C:\WINDOWS\System32\KERNEL32.DLL
Base 0x7ffa332a0000 EntryPoint 0x7ffa332b2070 Size 0x000ae000 DdagNode 0x29e5b632a80
Flags 0x000ca2cc TlsIndex 0x00000000 LoadCount 0xffffffff NodeRefCount 0x00000000
Whichever order you walk in, the leading address points to an nt!_LDR_DATA_TABLE_ENTRY structure.
Some of the macro definitions for Flags:
/*
 * public\sdk\inc\ntldr.h (wrk12)
 *
 * Private flags for loader data table entries
 */
#define LDRP_STATIC_LINK                0x00000002
#define LDRP_IMAGE_DLL                  0x00000004
#define LDRP_LOAD_IN_PROGRESS           0x00001000
#define LDRP_UNLOAD_IN_PROGRESS         0x00002000
#define LDRP_ENTRY_PROCESSED            0x00004000
#define LDRP_ENTRY_INSERTED             0x00008000
#define LDRP_CURRENT_LOAD               0x00010000
#define LDRP_FAILED_BUILTIN_LOAD        0x00020000
#define LDRP_DONT_CALL_FOR_THREADS      0x00040000
#define LDRP_PROCESS_ATTACH_CALLED      0x00080000
#define LDRP_DEBUG_SYMBOLS_LOADED       0x00100000
#define LDRP_IMAGE_NOT_AT_BASE          0x00200000
#define LDRP_COR_IMAGE                  0x00400000
#define LDRP_COR_OWNS_UNMAP             0x00800000
#define LDRP_SYSTEM_MAPPED              0x01000000
#define LDRP_IMAGE_VERIFYING            0x02000000
#define LDRP_DRIVER_DEPENDENT_DLL       0x04000000
#define LDRP_ENTRY_NATIVE               0x08000000
#define LDRP_REDIRECTED                 0x10000000
#define LDRP_NON_PAGED_DEBUG_INFO       0x20000000
#define LDRP_MM_LOADED                  0x40000000
#define LDRP_COMPAT_DATABASE_PROCESSED  0x80000000
6) !peb
windbg has a !peb extension command.
kd> !peb @$peb
PEB at 000000dec74c4000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         00007ff61fde0000
    Ldr                       00007ffa3368f3a0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 0000029e5b632320 . 0000029e5fea8bc0
    Ldr.InLoadOrderModuleList:           0000029e5b632490 . 0000029e5fea8ba0
    Ldr.InMemoryOrderModuleList:         0000029e5b6324a0 . 0000029e5fea8bb0
            Base TimeStamp                     Module
        7ff61fde0000 a0c4ceab Jun 22 12:48:43 2055 C:\WINDOWS\system32\notepad.exe
        7ffa33530000 493793ea Dec 04 16:25:14 2008 C:\WINDOWS\SYSTEM32\ntdll.dll
        7ffa332a0000 0c2cf900 Jun 22 14:45:20 1976 C:\WINDOWS\System32\KERNEL32.DLL
        7ffa2ff40000 4736733c Nov 11 11:13:00 2007 C:\WINDOWS\System32\KERNELBASE.dll
        ...
        7ffa16380000 e153aa25 Oct 17 11:04:05 2089 C:\WINDOWS\system32\NetworkExplorer.dll
    ...
    ImageFile:    'C:\WINDOWS\system32\notepad.exe'
    ...
kd> .shell -ci "!peb @$peb" findstr /i /c:".dll"
kd> .shell -ci "!peb @$peb" find /i ".dll"
7) !vad
kd> !process -1 1
PROCESS ffffd60ee57655c0
    SessionId: 1  Cid: 118c    Peb: f129f18000  ParentCid: 15fc
    DirBase: 3b039000  ObjectTable: ffffe7845843d840  HandleCount:  18.
    Image: mspaint.exe
    VadRoot ffffd60ee54d3c70 Vads 15 Clone 0 Private 64. Modified 1. Locked 0.
    ...
kd> .shell -ci "!vad 0xffffd60ee54d3c70" findstr Mapped
ffffd60ee53a7a20  1   2cdaae30  2cdaae3f    0 Mapped  READWRITE          Pagefile section, shared commit 0
ffffd60ee52923d0  2   2cdaceb0  2cdacf74    0 Mapped  READONLY           \Windows\System32\locale.nls
ffffd60ee45531c0  2   2cdacfb0  2cdacfbd    0 Mapped  READONLY           \Windows\System32\en-US\mspaint.exe.mui
ffffd60ee5315de0  2   2cdad000  2cdad010    0 Mapped  READONLY           \Windows\System32\C_1256.NLS
ffffd60ee483f360  2   2cdaefb0  2cdaefb6    0 Mapped  READONLY           \Windows\Registration\R00000000000d.clb
ffffd60ee458e440  4   2cdb0830  2cdb19ef    0 Mapped  READONLY           \Windows\Fonts\StaticCache.dat
ffffd60ee672e010  2  7ff910c70 7ff910e4f   13 Mapped  Exe  EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
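One thing the !vad view gives you that the earlier commands do not is a kernel-maintained record of image mappings that does not depend on the process's own loader lists. The following added example (not code from the original page) goes slightly beyond the text: it parses the two output formats shown above, the Base/TimeStamp/Module table from `!peb` and the `findstr Mapped` lines from `!vad`, and reports images present in one view but not the other, or mapped at a base the loader list disagrees with. Both text samples are constructed for the example: the `!peb` rows and the first three image VADs reuse the notepad.exe bases and sizes from the lmuf output on the page, and the last VAD row is a made-up mapping with no loader-list entry so that the check has something to report.

```python
"""Cross-check the kernel's VAD view against the process's loader lists.

Added example, not code from the original page. Image sections appear in
`!vad` output as "Mapped Exe", with Start/End given in pages (VPNs), while
`!peb` prints the loader-list modules with their virtual base address. Paths
differ in form (\\Windows\\... versus C:\\WINDOWS\\...), so matching is by file
name. Both samples below are constructed, not captured output.
"""
import re

# "        7ffa33530000 493793ea Dec 04 16:25:14 2008 C:\WINDOWS\SYSTEM32\ntdll.dll"
PEB_MODULE_RE = re.compile(
    r"^\s*([0-9a-f]+)\s+[0-9a-f]+\s+\w{3} \d\d \d\d:\d\d:\d\d \d{4}\s+(\S.*?)\s*$", re.I)
# "ffffd60ee672e010 2 7ff910c70 7ff910e4f 13 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll"
VAD_MAPPED_RE = re.compile(
    r"^\s*[0-9a-f]+\s+\d+\s+([0-9a-f]+)\s+([0-9a-f]+)\s+\d+\s+Mapped\s+(Exe\s+)?\S+\s+(\S.*?)\s*$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_peb_modules(text):
    """{basename: (base, path)} from the module table in `!peb` output."""
    mods = {}
    for line in text.splitlines():
        m = PEB_MODULE_RE.match(line)
        if m:
            mods[_basename(m.group(2))] = (int(m.group(1), 16), m.group(2))
    return mods


def parse_vad_images(text):
    """{basename: (start_va, end_va, path)} for image ("Mapped Exe") VADs."""
    imgs = {}
    for line in text.splitlines():
        m = VAD_MAPPED_RE.match(line)
        if m and m.group(3):                       # only image sections
            start = int(m.group(1), 16) << 12      # VPN -> virtual address
            end = (int(m.group(2), 16) + 1) << 12  # End VPN is inclusive
            imgs[_basename(m.group(4))] = (start, end, m.group(4))
    return imgs


def cross_check(peb_text, vad_text):
    """Return human-readable findings where the two views disagree."""
    peb, vad = parse_peb_modules(peb_text), parse_vad_images(vad_text)
    findings = []
    for name, (start, _end, path) in sorted(vad.items()):
        if name not in peb:
            findings.append(f"image VAD at {start:#x} with no loader-list entry: {path}")
        elif peb[name][0] != start:
            findings.append(f"base mismatch for {name}: PEB {peb[name][0]:#x}, VAD {start:#x}")
    for name, (base, path) in sorted(peb.items()):
        if name not in vad:
            findings.append(f"loader-list entry at {base:#x} with no image VAD: {path}")
    return findings


# Constructed samples in the page's output formats (not captured output).
SAMPLE_PEB = """\
            Base TimeStamp                     Module
        7ff61fde0000 a0c4ceab Jun 22 12:48:43 2055 C:\\WINDOWS\\system32\\notepad.exe
        7ffa33530000 493793ea Dec 04 16:25:14 2008 C:\\WINDOWS\\SYSTEM32\\ntdll.dll
        7ffa332a0000 0c2cf900 Jun 22 14:45:20 1976 C:\\WINDOWS\\System32\\KERNEL32.DLL
"""
SAMPLE_VAD = """\
ffffd60ee53a7a20  1   2cdaae30  2cdaae3f    0 Mapped  READWRITE          Pagefile section, shared commit 0
ffffd60ee52923d0  2   2cdaceb0  2cdacf74    0 Mapped  READONLY           \\Windows\\System32\\locale.nls
ffffd60ee6000010  2  7ff61fde0 7ff61fe20    3 Mapped  Exe  EXECUTE_WRITECOPY \\Windows\\System32\\notepad.exe
ffffd60ee6000020  2  7ffa33530 7ffa3370f   13 Mapped  Exe  EXECUTE_WRITECOPY \\Windows\\System32\\ntdll.dll
ffffd60ee6000030  3  7ffa332a0 7ffa3334d    9 Mapped  Exe  EXECUTE_WRITECOPY \\Windows\\System32\\KERNEL32.DLL
ffffd60ee6000040  3  7ffa10000 7ffa1000f    2 Mapped  Exe  EXECUTE_WRITECOPY \\Windows\\Temp\\sample_unlisted.dll
"""

if __name__ == "__main__":
    for line in cross_check(SAMPLE_PEB, SAMPLE_VAD) or ["no discrepancies"]:
        print(line)
```

Matching on the file name alone is deliberately loose: `!vad` prints NT-style paths without a drive letter, and the loader list prints Win32 paths, so a string comparison of full paths would flag every module. The price is that two same-named files in different directories collapse into one key, which is why a base mismatch is reported as its own finding rather than ignored.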