Author of 《软件调试》 (Software Debugging) and 《格蠹汇编》
WHO AM I
An ordinary bookworm, living deep in the city
Writing code for work, catching bugs for fun
Everyone says this path is bitter; I find it endlessly joyful
Had I never met software, what would this life be for
Zhang Yinkui (张银奎), Raymond Zhang, 格蠹老雷, author of 《软件调试》 and 《格蠹汇编》
http://advdbg.org http://weibo.com/dbgger Geyou WeChat official account (格友公众号)
Release date   NT version    Product            Codename
1993.7.27      NT 3.1        Windows NT 3.1     NT OS
1994.9.21      NT 3.5        Windows NT 3.5     Daytona
1995.5.30      NT 3.51       Windows NT 3.51
1996.7.29      NT 4.0        Windows NT 4.0     Cairo, SUR
2000.2.17      NT 5.0        Windows 2000
2001.10.25     NT 5.1        Windows XP         Whistler
2003.4.24      NT 5.2        Server 2003        Whistler Srvr
2004.8.6       NT 5.1        Windows XP SP2     Springboard
2005.4.25      NT 5.2        Windows XP x64
2006.11.8      NT 6.0        Windows Vista      Longhorn
2008.02.04     NT 6.0        Server 2008
2009.07.22     NT 6.1        Windows 7          Windows 7
2012.10.26     NT 6.2        Windows 8
2015.7.29      10.0.10240    Windows 10         Threshold
2016.8.2       10.0.14393    Windows 10         Redstone 1
[Diagram: Windows architecture, user space (用户空间) above system space (系统空间)]
User space, grouped as system support processes, services and applications (系统支持进程 / 服务 / 应用程序): Session Manager (SMSS.EXE), Windows Subsystem (CSRSS.EXE), Logon Process (WinLogon.EXE), Local Security Authentication Server (LSASS.EXE), Service Control Manager (SERVICES.EXE), SvcHost.exe, MDM.exe, SpoolSv.exe, ctfmon.exe, MMC.exe, Shell Application (Explorer.exe); environment subsystems POSIX Subsystem (PSXSS.EXE) and OS/2 Subsystem (OS2SS.EXE); Windows Subsystem DLLs (KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL, GDI32.DLL); NTDLL.DLL.
Boundary: system calls (系统调用) enter the system service dispatch routine (系统服务分发例程).
System space: the executive (内核执行体, NTOSKRNL.EXE) with I/O System (I/O Mgr, PnP Mgr, Power Mgr, WMI), File Cache Mgr, Configuration Mgr (Registry), Local Procedure Call, Security Mgr, Object Mgr, Memory Mgr, Process & Thread Mgr; Kernel (NTOSKRNL.EXE); Windows Subsystem Driver (USER, GDI) (Win32K.SYS); File and Device Drivers; Graphics Drivers; System Process and System Threads; Hardware Abstraction Layer (HAL.DLL); Hardware.
Vista
• WDDM
• WDF
• UAC
• Session 0
Win7
• MinWin
• ReadyBoost
• WDI
• WRE
Win8
• Metro
• WinRT
• KDNET
• KDUSB3
Win10
• UWP
• IUM
• Memory compression (内存压缩)
• WDDM2.0
SecureKernel.EXE
[Diagram: hypervisor (VMM) hosting VM0 and VM1 (Windows XP ... Linux), each running its own apps, with a VMCS and a shadow page table per VM]
• The version corresponding to Windows 10 and Server 2016 is Hyper-V 5.0, with built-in VSM (Virtual Secure Mode) support
Kernel component prefixes: Ke (kernel), Ob (object manager), Mm (memory manager), Ps (process manager), Se (security)
[Diagram: boot flow] EFI -> BootMgFW -> WinLoad (OsLoader.exe); WinLoad starts HvLoader.efi (through HvlpLaunchHvLoader and HvlMain), loads NT, and loads SecureKernel.
kd> dU r8
fffff800`5039ff90 "\Windows\system32\securekernel.e"
fffff800`5039ffd0 "xe"
kd> dU r8
fffff800`503a14f0 "\Windows\system32\skci.dll"
kd> dU r8
fffff800`503a14f0 "\Windows\system32\cng.sys"
fffff800`503a4250 "\Windows\System32\drivers\secure"
fffff800`503a4290 "kernel.exe"
winload!BlBdPrint
winload!BlStatusPrint
winload!OslpVsmLoadModules
winload!OslVsmSetup
winload!OslPrepareTarget
winload!OslpMain
winload!OslMain
0x0
Privilege isolation (权力隔离)
• The hypervisor holds the highest privilege, but its role is narrow and its logic small, so its attack surface is small
• VM partitions form a machine boundary: the normal OS and the secure OS run in different partitions
Role isolation (角色隔离)
• IUM runs on a specially designed secure kernel and does not depend on the normal kernel
• The trustlets inside IUM are isolated from one another and cannot access each other
0000000140000000 image base
1000 section alignment
200 file alignment
1 subsystem (Native)
10.00 operating system version
10.00 image version
10.00 subsystem version
7F000 size of image
400 size of headers
7D069 checksum
0000000000080000 size of stack reserve
0000000000002000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
160 DLL characteristics
High entropy VA supported
Dynamic base
NX compatible
52150 [ 16E4] address [size] of Export Directory
53834 [ 50] address [size] of Import Directory
7D000 [ 410] address [size] of Resource Directory
60000 [ 2D9C] address [size] of Exception Directory
6D200 [ 2160] address [size] of Security Directory
7E000 [ 180] address [size] of Base Relocation Directory
4D5D0 [ 38] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
……
• The above uses 4KB memory pages (PAE not enabled) as the example
• 1024 PDE * 1024 PTE = 2^20 pages
[Diagram: 32-bit linear address (线性地址) split into Dir (bits 31..22), Table (bits 21..12) and Offset (bits 11..0); CR3 points to the page directory (页目录, 1024 entries, PDE), the selected PDE points to a page table (页表, 1024 entries, PTE), and the PTE plus Offset gives the physical address]
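The two-level walk sketched above, written out as an added example in C (this is not code from the slides or from Windows). Physical memory is a constructed toy of four 4KB frames: frame 0 holds the page directory that CR3 points to, frame 1 a page table, frame 2 a data page; every other PDE/PTE is left not-present so the walk also shows where the CPU would raise a page fault.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define PAGE_SHIFT  12
#define N_FRAMES    4            /* constructed "physical memory": 4 frames */
#define PDE_PRESENT 0x1u         /* bit 0 of a PDE/PTE: present */
#define FRAME_MASK  0xFFFFF000u  /* bits 31..12: physical frame address */

static uint8_t phys_mem[N_FRAMES][PAGE_SIZE];   /* constructed, not real RAM */

/* Index fields of a 32-bit linear address (4KB pages, no PAE):
 * Dir = bits 31..22, Table = bits 21..12, Offset = bits 11..0. */
typedef struct { uint32_t dir, table, offset; } linear_parts;

linear_parts split_linear(uint32_t la)
{
    linear_parts p;
    p.dir    = (la >> 22) & 0x3FFu;   /* 10 bits: 1024 PDEs */
    p.table  = (la >> 12) & 0x3FFu;   /* 10 bits: 1024 PTEs */
    p.offset =  la        & 0xFFFu;   /* 12 bits: byte within the 4KB page */
    return p;
}

/* Read one 32-bit table entry at a physical address inside phys_mem. */
static bool read_entry(uint32_t pa, uint32_t *out)
{
    uint32_t frame = pa >> PAGE_SHIFT;
    if (frame >= N_FRAMES) return false;
    memcpy(out, &phys_mem[frame][pa & (PAGE_SIZE - 1)], sizeof *out);
    return true;
}

/* Walk CR3 -> PDE -> PTE -> physical address. Returns false where the
 * CPU would raise #PF: the PDE or the PTE is not present. */
bool translate(uint32_t cr3, uint32_t la, uint32_t *pa)
{
    linear_parts p = split_linear(la);
    uint32_t pde, pte;

    /* CR3 holds the physical address of the page directory. */
    if (!read_entry((cr3 & FRAME_MASK) + p.dir * 4u, &pde)) return false;
    if (!(pde & PDE_PRESENT)) return false;           /* #PF: no page table */

    /* PDE bits 31..12 give the page table's physical address. */
    if (!read_entry((pde & FRAME_MASK) + p.table * 4u, &pte)) return false;
    if (!(pte & PDE_PRESENT)) return false;           /* #PF: page not mapped */

    /* PTE bits 31..12 give the frame; Offset is carried through unchanged. */
    *pa = (pte & FRAME_MASK) | p.offset;
    return true;
}

/* Build the toy tables: PD[0] -> page table in frame 1, PT[5] -> data page
 * in frame 2, i.e. linear 0x00005000..0x00005FFF maps to physical 0x2000.
 * Returns the CR3 value (page directory lives in frame 0). */
uint32_t setup_toy_tables(void)
{
    uint32_t pde = (1u << PAGE_SHIFT) | PDE_PRESENT;
    uint32_t pte = (2u << PAGE_SHIFT) | PDE_PRESENT;
    memset(phys_mem, 0, sizeof phys_mem);   /* all other entries: not present */
    memcpy(&phys_mem[0][0 * 4], &pde, sizeof pde);
    memcpy(&phys_mem[1][5 * 4], &pte, sizeof pte);
    return 0u << PAGE_SHIFT;
}

int main(void)
{
    uint32_t cr3 = setup_toy_tables(), pa;
    /* constructed probes: mapped page, unmapped PTE, unmapped PDE */
    uint32_t probes[] = { 0x00005ABCu, 0x00006000u, 0x00400000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        linear_parts p = split_linear(probes[i]);
        if (translate(cr3, probes[i], &pa))
            printf("LA %08X (dir %u, table %u, off %03X) -> PA %08X\n",
                   probes[i], p.dir, p.table, p.offset, pa);
        else
            printf("LA %08X (dir %u, table %u, off %03X) -> #PF\n",
                   probes[i], p.dir, p.table, p.offset);
    }
    return 0;
}
```

The first probe resolves to physical 0x00002ABC; the other two fault at the PTE and PDE level respectively, which is the same distinction a debugger shows when `!pte` reports a non-present entry at either level.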
[Diagram: memory compression, showing the Modified list feeding the Default Store]
PROCESS ffffc483a8ca7040
SessionId: none Cid: 044c Peb: 00000000 ParentCid: 0004
DirBase: 82eac000 ObjectTable: ffff9d0dcb2b7780 HandleCount: 0.
Image: MemCompression
VadRoot ffffc483a18f7180 Vads 206 Clone 0 Private 6529. Modified 3441. Locked 0.
DeviceMap 0000000000000000
Token ffff9d0dce53f2f0
ElapsedTime 03:00:46.311
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 4224
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (0, 0, 0) (0KB, 0KB, 0KB)
PeakWorkingSetSize 0
VirtualSize 25 Mb
PeakVirtualSize 27 Mb
PageFaultCount 0
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 16
Threads: multiple SmKmStoreHelperWorker, multiple SMKM_STORE<SM_TRAITS>::SmStReadThread
SmFpInitialize
SmFpPreAllocate
SmFree
SmGetRegistrationInfo
SmGlobals
SmGlobalsInitialize
SmInitSystem
SmInvalidPeristId
SmIoRequestComplete
SmIssueIo
SMKM_STORE_MGR<SM_TRAITS>::SmEmptyQueueToStores
SMKM_STORE_MGR<SM_TRAITS>::SmEmptyStores
0: kd> !memusage
*** CacheSize too low - increasing to 128 MB
Max cache size is : 134217728 bytes (0x20000 KB)
Total memory in cache : 276575 bytes (0x10f KB)
Number of regions cached: 719
1970 full reads broken into 2625 partial reads
counts: 1582 cached/1043 uncached, 60.27% cached
bytes : 140590 cached/230591 uncached, 37.88% cached
** Transition PTEs are implicitly decoded
** Prototype PTEs are implicitly decoded
loading PFN database
loading (11% complete)
*** Virtual Memory Usage ***
Physical Memory: 1025089 ( 4100356 Kb)
Page File: \??\C:\pagefile.sys
Current: 1441792 Kb Free Space: 1441784 Kb
Minimum: 1441792 Kb Maximum: 12582912 Kb
Page File: \??\C:\swapfile.sys
Current: 262144 Kb Free Space: 262136 Kb
Minimum: 262144 Kb Maximum: 6150532 Kb
2: kd> lm vm lx*
Browse full module list
start end module name
fffff808`d0fe0000 fffff808`d0fea000 lxss (deferred)
Image path: \SystemRoot\system32\drivers\lxss.sys
Image name: lxss.sys
Browse all global symbols functions data
Timestamp: Sat Jul 16 10:28:26 2016 (57899BCA)
CheckSum: 0000F628
ImageSize: 0000A000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
fffff808`d0ff0000 fffff808`d10b6000 LXCORE (deferred)
Image path: \SystemRoot\system32\drivers\LXCORE.SYS
Image name: LXCORE.SYS
Browse all global symbols functions data
Timestamp: Sat Jul 16 10:20:02 2016 (578999D2)
CheckSum: 000C59C5
ImageSize: 000C6000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
https://blogs.msdn.microsoft.com/clustering/2015/05/18/windows-server-2016-failover-cluster-troubleshooting-enhancements-active-dump/
Dump type                                  Memory.dmp (KB)   % compared to Complete
Complete Dump                              16,683,673
Active Dump (no VMs)                       1,586,493         10%
Active Dump (VMs with 8GB RAM total)       1,629,497         10%
Kernel Dump (VMs with 8GB RAM total)       582,261           3%
Automatic Dump (VMs with 8GB RAM total)    587,941           4%
Servicing option                     Version      OS build      Availability date   Latest revision date
Current Branch (CB)                  1607         14393.351     8/2/2016            10/27/2016   (Microsoft recommends)
Current Branch (CB)                  1511         10586.633     11/12/2015          10/11/2016
Current Branch (CB)                  1507 (RTM)   10240.17146   7/29/2015           10/11/2016
Current Branch for Business (CBB)    1511         10586.633     4/8/2016            10/11/2016
Current Branch for Business (CBB)    1507 (RTM)   10240.17146   7/29/2015           10/11/2016
Long-Term Servicing Branch (LTSB)    1507 (RTM)   10240.17146   7/29/2015           10/11/2016
https://technet.microsoft.com/en-us/itpro/windows/whats-new/index
https://blogs.technet.microsoft.com/sebastianklenk/2015/05/12/brand-new-windows-10-content-from-microsoft-ignite/
http://advdbg.org