
Using the Windows 10 compressed memory tools

Date: 2023-01-30 19:00:00

Locating Win10 compressed memory with WinDbg

Cribbed from

  • https://www-fireeye-com.translate.goog/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-two.html?_x_tr_sl=auto&_x_tr_tl=zh-CN&_x_tr_hl=zh-CN&_x_tr_pto=wapp
  • https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/finding-evil-in-windows-10-compressed-memory-wp.pdf
  • https://github.com/mandiant/win10_volatility
  • https://www.blackhat.com/us-19/briefings/schedule/#paging-all-windows-geeks–finding-evil-in-windows–compressed-memory-15582

Introduction

My laptop suddenly blue-screened. I thought I had run into some software that crashes remotely. I thought my chance had come and I could finally debug a blue screen. I thought it was the SMB service blue-screening. What followed was frustrating: I never pinned down the specific cause and sequence of the blue screen, but the dump information pointed at compressed memory, so after some thought I decided to work through the related material anyway. For now I can only use the related tools; I am too green and have not figured out the specific structures yet, so I will wrap this up for the time being and come back to dig through it later.

Preparation

A program that allocates so much memory that its earlier memory blocks get compressed
A working win10_volatility environment

Memory allocation program

#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iostream>
using namespace std;

// FILE_SIZE is not defined on the page; 256 MB per allocation is assumed here
#define FILE_SIZE (256LL * 1024 * 1024)

int main() {
    long long memsize = 0;
    memsize += FILE_SIZE;
    char* buf = new char[memsize];
    cout << "hello";
    // marker string at the start of the first block so its pages are easy to recognise
    memcpy(buf, "hellworld,helloworld,hellworld,hellworld,hellworld,hellworld,hellworld", 71);
    memset(buf + 77, 'A', memsize - 77);   // fill the rest without running past the block
    printf("memsize:%4lld  MB\r\n", memsize / 1024 / 1024);
    printf("%llx\n", (unsigned long long)(uintptr_t)buf);   // VA to feed to !pte
    while (true) {
        // keep allocating and touching ever larger blocks until the earlier ones are compressed
        memsize += FILE_SIZE;
        char* sss = new char[memsize];
        memset(sss, 'h', memsize);
        printf("memsize:%4lld  MB\r\n", memsize / 1024 / 1024);
        printf("%llx\n", (unsigned long long)(uintptr_t)sss);
        getchar();   // pause here so the debugger can inspect the PTEs
    }
}

Process

Working from the VM's vmem file, following part 2 and win10_volatility. The tool has a bug with virtual machines where it does not know where the offset is: with the same memory image, the first exported vmem's offset could be worked out, but if the second vmem has no offset the tool cannot find one, so I reused the offset from the previous vmem. The only small issue is that the final calculation of the "region of compressed pages" VA differs between system versions; refer to the volatility struct definitions in win10_memcompression under addrspaces and windows.

EXCEPTION_RECORD:  ffff81823a10eeb8 -- (.exr 0xffff81823a10eeb8)
ExceptionAddress: fffff80778522c60 (nt!RtlDecompressBufferXpressLz+0x0000000000000050)
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000174165d6f70   // address whose in-page I/O failed
   Parameter[2]: 00000000c0000185   // the specific I/O error
Inpage operation failed at 00000174165d6f70, due to I/O error 00000000c0000185
Incorrect termination or a bad cable on a SCSI device, or two devices trying to use the same IRQ. If the I/O status is C0000185 and the paging file is on a SCSI disk (paged pool), check the disk cabling and SCSI termination for problems.

EXCEPTION_PARAMETER1:  0000000000000000
EXCEPTION_PARAMETER2:  00000174165d6f70

ffffb380 = 11111111 11111111 10110011 10000000
fcde1000 = 11111100 11011110 00010000 00000000



CONTEXT:  ffff81823a10e6f0 -- (.cxr 0xffff81823a10e6f0)
rax=fffff80778522c10 rbx=ffffb380fcde1000 rcx=ffffb380fcde1000
rdx=ffffb380fcde1000 rsi=0000000000000002 rdi=00000174165d6f70
rip=fffff80778522c60 rsp=ffff81823a10f0f8 rbp=00000174165d6f26
 r8=00000174165d6f70  r9=000000000000000c r10=ffffb380fcde1ea0
r11=00000174165d6f7c r12=ffff81823a10f368 r13=ffff8d09355dd000
r14=ffffb380fcde2000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
nt!RtlDecompressBufferXpressLz+0x50:
fffff807`78522c60 418b08          mov     ecx,dword ptr [r8] ds:002b:00000174`165d6f70=????????
Resetting default scope


Argument registers (x64 calling convention): ecx, edx, r8d, r9d


2: kd> uf  nt!RtlDecompressBufferXpressLz
nt!RtlDecompressBufferXpressLz:
fffff807`78522c10 48895c2408      mov     qword ptr [rsp+8],rbx
fffff807`78522c15 48896c2410      mov     qword ptr [rsp+10h],rbp
fffff807`78522c1a 4889742418      mov     qword ptr [rsp+18h],rsi
fffff807`78522c1f 48897c2420      mov     qword ptr [rsp+20h],rdi
fffff807`78522c24 4156            push    r14
fffff807`78522c26 4157            push    r15
fffff807`78522c28 488bd9          mov     rbx,rcx
fffff807`78522c2b 4183f905        cmp     r9d,5
fffff807`78522c2f 0f829e030000    jb      nt!RtlDecompressBufferXpressLz+0x3c3 (fffff807`78522fd3)  Branch    

nt!RtlDecompressBufferXpressLz+0x25:
fffff807`78522c35 448bf2          mov     r14d,edx
fffff807`78522c38 488bd1          mov     rdx,rcx
fffff807`78522c3b 4c03f1          add     r14,rcx
fffff807`78522c3e 458bd9          mov     r11d,r9d
fffff807`78522c41 4d03d8          add     r11,r8
fffff807`78522c44 4533ff          xor     r15d,r15d
fffff807`78522c47 4d8d96a0feffff  lea     r10,[r14-160h]
fffff807`78522c4e 498d6baa        lea     rbp,[r11-56h]
fffff807`78522c52 0f1f4000        nop     dword ptr [rax]
fffff807`78522c56 66660f1f840000000000 nop word ptr [rax+rax]

nt!RtlDecompressBufferXpressLz+0x50:
fffff807`78522c60 418b08          mov     ecx,dword ptr [r8]
bcdedit /debug on
bcdedit /dbgsettings net hostip:xxx port:xxx key:xxxx.xxx.aaa.xxd

STACK_TEXT:
kb / k
 Child-SP          Return address       Args
ffff8182`3a10f0f8 fffff807`784d2530     : ffffb380`fcde1000 ffffb380`fcde1000 00000000`00000002 00000174`165d6f70 : nt!RtlDecompressBufferXpressLz+0x50
ffff8182`3a10f110 fffff807`7843b670     : 00000000`00000001 00000000`00000000 00000000`00000000 ffffafa4`3da5b7b5 : nt!RtlDecompressBufferEx+0x60  
ffff8182`3a10f160 fffff807`7843b4fd     : 00000000`00000004 fffff807`7843b8b6 00000000`00000000 00000000`00000001 : nt!ST_STORE<SM_TRAITS>::StDmSinglePageCopy+0x150
ffff8182`3a10f220 fffff807`7843be28     : 00000000`00000001 00000000`00016f70 ffff8d09`2f430000 ffff8d09`00001000 : nt!ST_STORE<SM_TRAITS>::StDmSinglePageTransfer+0xa5
ffff8182`3a10f270 fffff807`78539c1c     : 00000000`ffffffff ffff8d09`355dd000 ffff8182`3a10f350 ffff8d09`2ec89250 : nt!ST_STORE<SM_TRAITS>::StDmpSinglePageRetrieve+0x180
ffff8182`3a10f310 fffff807`78539a69     : ffffb380`f5788730 00000000`00000001 00000000`00000000 00000000`00000000 : nt!ST_STORE<SM_TRAITS>::StDmPageRetrieve+0xc8
ffff8182`3a10f3c0 fffff807`78539921     : ffff8d09`2f430000 ffff8d09`2ec89250 ffff8d09`355dd000 ffff8d09`2f4319c0 : nt!SMKM_STORE<SM_TRAITS>::SmStDirectReadIssue+0x85
ffff8182`3a10f440 fffff807`78427328     : ffff8d09`471d1080 ffff8d09`2f430000 00000000`00000000 ffff8d09`4c7a3650 : nt!SMKM_STORE<SM_TRAITS>::SmStDirectReadCallout+0x21
ffff8182`3a10f470 fffff807`7853adf7     : fffff807`78539900 ffff8182`3a10f510 00000000`00000003 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x78
ffff8182`3a10f4e0 fffff807`7843634c     : ffff8182`3a10f5e0 00000000`31526d73 00000000`000003ff fffff807`78f239c0 : nt!SMKM_STORE<SM_TRAITS>::SmStDirectRead+0xc7
ffff8182`3a10f5b0 fffff807`78435d80     : 00000000`0000000c 00000000`000003ff ffff8182`3a10f660 fffff807`78f239c0 : nt!SMKM_STORE<SM_TRAITS>::SmStWorkItemQueue+0x1ac
ffff8182`3a10f600 fffff807`7853a057     : 00000000`0000000c 00000000`00000001 ffff8d09`2ec89250 ffff8d09`4c7a3650 : nt!SMKM_STORE_MGR<SM_TRAITS>::SmIoCtxQueueWork+0xc0
ffff8182`3a10f690 fffff807`785324cf     : ffff8d09`00000001 ffff8d09`4c7a3710 00000000`00000000 ffff8d09`2f430000 : nt!SMKM_STORE_MGR<SM_TRAITS>::SmPageRead+0x167
ffff8182`3a10f700 fffff807`78532470     : 0000007f`00000100 00000000`00000000 ffff8182`3a10f958 fffff807`78473820 : nt!SmPageRead+0x33
ffff8182`3a10f750 fffff807`7847337d     : 00000000`00000002 ffff8182`3a10f7e0 ffff8182`3a10f958 ffff8d09`4c7a3600 : nt!MiIssueHardFaultIo+0x10c
ffff8182`3a10f7a0 fffff807`784a69c8     : 00000000`c0033333 00000000`00000001 0000028f`711013b8 00000000`00000000 : nt!MiIssueHardFault+0x29d
ffff8182`3a10f860 fffff807`78605e5e     : ffff8d09`471d1080 ffff8d09`00000000 ffff8182`3a10fa18 00000000`00000000 : nt!MmAccessFault+0x468
ffff8182`3a10fa00 00007ffc`12279ce4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x35e
000000ab`facfefc0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`12279ce4




dd fffff802`c560c4d8  l1

uf nt!MmStoreCheckPagfiles
.for(r $t0=0;$t0<4;r $t0=$t0+1){ 
        dt nt!_MMPAGING_FILE poi(fffff802`c560c4e0+$t0*8) PageFileName VirtualStorepageFile}


!process 0 0 ConsoleApplication3.exe

.process /i   ffffcb80be6015c0  ;g;!pte 1f091c11040;
 


2008921a

SmGlobals root
1: kd> dq nt!SmGlobals +1b8 +8
1: kd> dd  ffffa38c`38f35138
ffffa38c`38f35138  20039b6c 00030000 20039b6d 00030000


0: kd> dd ffffb609`65953ec8
ffffb609`65953ec8  200819be 00030000 200819bf 00030000



dq poi(poi(nt!SmGlobals +0*8) +0*28)

1: kd> dq poi(poi(nt!SmGlobals +0*8) +0*28)
ffffb609`646f7000  00000080`00058800 00001ff8`00020000
ffffb609`646f7010  00000000`00000000 ffffb609`646f7000


dq poi(poi(poi(nt!SmGlobals +0*8) +0*28)+14*4)

1: kd> dd ffffa38c`388eaad8  
ffffa38c`388eaad8  2008921a 00028645 2008921b 00028646
ffffa38c`388eaae8  2008921c 00028647 2008921d 00028648

chunk key  28645

 
dq poi(poi(nt!SmGlobals +0*8) +0*28)+218

9
1ff
18

0: kd> ? 28645>>9
Evaluate expression: 323 = 00000000`00000143

1: kd> ?(28645&1ff)*c
Evaluate expression: 828 = 00000000`0000033c



1: kd>  .formats 00000143
Evaluate expression:
  Hex:     00000000`00000143
  Decimal: 323
  Octal:   0000000000000000000503
  Binary:  00000000 00000000 00000000 00000000 00000000 00000000 00000001 01000011
  Chars:   .......C
  Time:    Thu Jan  1 08:05:23 1970
  Float:   low 4.52619e-043 high 0
  Double:  1.59583e-321
  
i=8
j=43*2=86
dq poi(poi(nt!SmGlobals +0*8) +0*28)+110
x

dq poi(poi(poi(poi(nt!SmGlobals +0*8) +0*28)+110+8*8)+8*86)+33c+18

offset a8
18

0: kd>  dq poi(poi(poi(poi(nt!SmGlobals +0*8) +0*28)+110+3*8)+8*2)+a8+18
ffffb609`65b450c0  00001edd`0006aa38 0006ab26`b7262557


0: kd>  dd poi(poi(poi(poi(nt!SmGlobals +0*8) +0*28)+110+3*8)+8*2)+a8+18
ffffb609`65b450c0  0006aa38 00001edd b7262557 0006ab26
ffffb609`65b450d0  00001edd 17ecf2ce 0006ac14 00001edd
1: kd> dd poi(poi(poi(poi(nt!SmGlobals +0*8) +0*28)+110+8*8)+8*86)+33c+18
ffffa38c`388ef354  00b5073f 00001046 c7a81541 00b50744
00b5073f
00001046
cr3  c7a81541

dd   poi(poi(nt!SmGlobals +0*8) +0*28)+378

0: kd> dd   poi(poi(nt!SmGlobals +0*8) +0*28)+378
ffffb609`646f7378  00001fff 0000000d 00001fff 00000100

?(b5073f&1fff)<<4

0: kd> ?(b5073f&1fff)<<4
Evaluate expression: 29680 = 00000000`000073f0
0: kd> ?  b5073f>>d
Evaluate expression: 1448 = 00000000`000005a8
point=5a8
pages=73f0



dq  poi(poi(poi(nt!SmGlobals +0*8) +0*28)+1828)+8*5a8


ffffb609`645921a8  00000000`0073a380

00000000`00015693

!process 0 0 MemCompression


.process /i ffffa38c3765f040  ; g;






1: kd> .process /i   ffffbb068672e580  ;g;!pte 0x21a0201c040;
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
Break instruction exception - code 80000003 (first chance)
                                           VA 0000021a0201c040
PXE at FFFF8341A0D06020    PPE at FFFF8341A0C04340    PDE at FFFF834180868080    PTE at FFFF83010D0100E0
contains 0000000000000000
contains 0000000000000000
not valid

0: kd> !pte 1c257b18040
                                           VA 000001c257b18040
PXE at FFFF8341A0D06018    PPE at FFFF8341A0C03848    PDE at FFFF8341807095E8    PTE at FFFF8300E12BD8C0
contains 0A0000006A5CA867  contains 0A0000006A5CB867  contains 0A0000006A8ED867  contains 000EBAA700002094
pfn 6a5ca     ---DA--UWEV  pfn 6a5cb     ---DA--UWEV  pfn 6a8ed     ---DA--UWEV  not valid
                                                                                  PageFile:  2
                                                                                  Offset: ebaa7
                                                                                  Protect: 4 - ReadWrite

----------------------------------------------------------------------------------start--------------------------------------
kd> .process /i   ffffcb80be6015c0  ;g;!pte 1f091c11040;
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
Break instruction exception - code 80000003 (first chance)
                                           VA 000001f091c11040
PXE at FFFFB3D9ECF67018    PPE at FFFFB3D9ECE03E10    PDE at FFFFB3D9C07C2470    PTE at FFFFB380F848E088
contains 0A0000001BCDA867  contains 0A0000001BCDB867  contains 0A00000049992867  contains 0003DD0400002084
pfn 1bcda     ---DA--UWEV  pfn 1bcdb     ---DA--UWEV  pfn 49992     ---DA--UWEV  not valid
                                                                                  PageFile:  2
                                                                                  Offset: 3dd04
                                                                                  Protect: 4 - ReadWrite

Suddenly changed, and I do not know why:
kd> !pte 1f091c11040;
                                           VA 000001f091c11040
PXE at FFFFB3D9ECF67018    PPE at FFFFB3D9ECE03E10    PDE at FFFFB3D9C07C2470    PTE at FFFFB380F848E088
contains 0A0000001BCDA867  contains 0A0000001BCDB867  contains 00098573007D2084
pfn 1bcda     ---DA--UWEV  pfn 1bcdb     ---DA--UWEV  not valid
                                                      PageFile:  2
                                                      Offset: 98573
                                                      Protect: 4 - ReadWrite



page  key: 2003dd04


kd> dq  nt!SmGlobals +1b8+8
fffff803`ee019b80  ffffcb80`c03c7000 00000000`0008ccab
fffff803`ee019b90  00000000`00000000 fffff803`ee019b90



kd> dq ffffcb80`c03c7000
ffffcb80`c03c7000  00000000`00030005 ffffcb80`be69f000
ffffcb80`c03c7010  00000000`20020b6a ffffcb80`c03c6000
ffffcb80`c03c7020  00000000`2004066d ffffcb80`c0766000
ffffcb80`c03c7030  00000000`2006056a ffffcb80`c08c1000
ffffcb80`c03c7040  00000000`20082a4d ffffcb80`c0c15000
ffffcb80`c03c7050  00000000`2009f335 ffffcb80`c4313000
ffffcb80`c03c7060  00000000`00000000 00000000`00000000
ffffcb80`c03c7070  00000000`00000000 00000000`00000000


kd> dq ffffcb80`c03c6000
ffffcb80`c03c6000  00000000`000200dc ffffcb80`c03cd000
ffffcb80`c03c6010  00000000`20020f64 ffffcb80`c03d6000
ffffcb80`c03c6020  00000000`20021161 ffffcb80`c03db000
ffffcb80`c03c6030  00000000`2002135e ffffcb80`c03de000
ffffcb80`c03c6040  00000000`2002155b ffffcb80`c03e3000
ffffcb80`c03c6050  00000000`20021758 ffffcb80`c03e8000
ffffcb80`c03c6060  00000000`20021955 ffffcb80`c03ed000
ffffcb80`c03c6070  00000000`20021b52 ffffcb80`c03f3000

kd> dq ffffcb80`c03c6000 l200
....
ffffcb80`c03c6c60  00000000`2003d91c ffffcb80`c06fc000
ffffcb80`c03c6c70  00000000`2003daaf ffffcb80`c0704000
ffffcb80`c03c6c80  00000000`2003dcad ffffcb80`c0708000
ffffcb80`c03c6c90  00000000`2003dea9 ffffcb80`c070c000



kd> dq ffffcb80`c0708000  l100
ffffcb80`c0708000  00000000`010101ee ffffcb80`c070c000
ffffcb80`c0708010  00030000`2003dcad 00030000`2003dcae
ffffcb80`c0708020  00030000`2003dcaf 00030000`2003dcb1
.......

ffffcb80`c0708258  00030000`2003dd04 00030000`2003dd05
ffffcb80`c0708268  00030000`2003dd06 00030000`2003dd07
ffffcb80`c0708278  00030000`2003dd08 00030000`2003dd09



smkm_store_index=0
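The lookup chain the sessions above work out by hand (page key from the PTE, chunk key, chunk-array slot, page record, region), as an added Python example that is not from the post or from win10_volatility; the SM_PAGE_KEY layout, the struct offsets and the shift/mask constants are assumptions taken from this session's values and differ between Windows 10 builds.

```python
# Added example (not code from the post or from win10_volatility): the page-key ->
# chunk -> region arithmetic the WinDbg session above works out by hand. Inputs are
# constructed from the session's values; offsets (+110, +1828, +18) and the
# shift/mask constants (+218, +378) are build specific, as the post warns.

def sm_page_key(pagefile_number: int, pagefile_offset: int) -> int:
    """Assumed SM_PAGE_KEY layout: pagefile number in the top nibble, offset below
    (PageFile 2, Offset 3dd04 -> 2003dd04 in the session)."""
    return (pagefile_number << 28) | pagefile_offset

def split_chunk_key(chunk_key: int, shift: int = 9, mask: int = 0x1ff, rec: int = 0xc):
    """Chunk key -> (chunk index, byte offset of the 0xc-byte ST_PAGE_RECORD);
    shift 9 and mask 1ff are the values read at store +218."""
    return chunk_key >> shift, (chunk_key & mask) * rec

def chunk_array_slot(chunk_index: int):
    """Chunk index -> (level i, slot j): level i holds chunks 2**i .. 2**(i+1)-1,
    each slot is two qwords (the session's j = 43*2 = 86 hex)."""
    i = chunk_index.bit_length() - 1
    return i, (chunk_index - (1 << i)) * 2

def split_region_ref(packed: int, mask: int = 0x1fff, shift: int = 0xd):
    """Page record dword -> (region index, byte offset in the region); mask 1fff
    and shift d were read at store +378, the low bits count 16-byte units."""
    return packed >> shift, (packed & mask) << 4

def record_command(s: int, i: int, j: int, record_offset: int, hdr: int = 0x18) -> str:
    """Rebuild the WinDbg expression the session used to dump the page record."""
    return (f"dd poi(poi(poi(poi(nt!SmGlobals +{s}*8) +{s}*28)"
            f"+110+{i:x}*8)+8*{j:x})+{record_offset:x}+{hdr:x}")

def region_command(s: int, region_index: int, regions: int = 0x1828) -> str:
    """Rebuild the expression that fetches the region pointer for that record."""
    return f"dq poi(poi(poi(nt!SmGlobals +{s}*8) +{s}*28)+{regions:x})+8*{region_index:x}"

def walk(pagefile_number, pagefile_offset, chunk_key, record_dword, store_index=0):
    """Chain the steps; every intermediate value is returned so it can be checked."""
    chunk_index, record_offset = split_chunk_key(chunk_key)
    i, j = chunk_array_slot(chunk_index)
    region_index, region_offset = split_region_ref(record_dword)
    return {"page_key": sm_page_key(pagefile_number, pagefile_offset),
            "chunk_index": chunk_index, "record_offset": record_offset, "i": i, "j": j,
            "record_cmd": record_command(store_index, i, j, record_offset),
            "region_index": region_index, "region_offset": region_offset,
            "region_cmd": region_command(store_index, region_index)}

if __name__ == "__main__":
    # constructed input: PTE PageFile 2 / Offset 3dd04, chunk key 28645, record dword b5073f
    for name, value in walk(2, 0x3dd04, 0x28645, 0xb5073f).items():
        print(name, value if isinstance(value, str) else hex(value))
```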
