CPU异常分析(以trap00为例)

Windows内核分析索引目录:https://www.cnblogs.com/onetrainee/p/11675224.html

CPU异常分析(以trap00为例)

一、CPU检测到除零异常的执行流程

CPU异常分析(以trap00为例)

 

二、Trap00 函数的分析

  当发生除零异常时,查IDT表会查到Trap00函数,该函数的目的是构建_KTRAP_FRAME结构,查错误码,之后调用 commonDispatchExcption进行封装。

  我们可能很奇怪,明明CPU检测到的错误,本身就在内核,还会有 _KTRAP_FRAME结构

  很简单,用户也会走这个函数,我们在反汇编代码分析时,发现其还有一条路线是处理用户层的,如果是用户层直接进来,当然要进行线程上下文切换。

  CPU异常分析(以trap00为例)

 

 

 三、CommonDispatchException函数

  该函数就是完成封装 _EXCEPTION_RECORD结构体,之后调用 _KiDispatchException来开始真正的派发函数。

  CPU异常分析(以trap00为例)

 

四、反汇编代码:

1. Trap00函数反汇编代码

 1 .text:00436650 _KiTrap00       proc near               ; DATA XREF: INIT:_IDT↓o
 2 .text:00436650
 3 .text:00436650 var_2           = word ptr -2
 4 .text:00436650 arg_4           = dword ptr  8
 5 .text:00436650
 6 .text:00436650 ; FUNCTION CHUNK AT .text:004363FB SIZE 00000013 BYTES
 7 .text:00436650
 8 .text:00436650                 push    0
 9 .text:00436652                 mov     [esp+4+var_2], 0
10 .text:00436659                 push    ebp
11 .text:0043665A                 push    ebx
12 .text:0043665B                 push    esi
13 .text:0043665C                 push    edi
14 .text:0043665D                 push    fs
15 .text:0043665F                 mov     ebx, 30h        ; 30这个值作为段选择子
16 .text:00436664                 mov     fs, bx
17 .text:00436667                 assume fs:nothing
18 .text:00436667                 mov     ebx, large fs:0
19 .text:0043666E                 push    ebx
20 .text:0043666F                 sub     esp, 4
21 .text:00436672                 push    eax
22 .text:00436673                 push    ecx
23 .text:00436674                 push    edx
24 .text:00436675                 push    ds
25 .text:00436676                 push    es
26 .text:00436677                 push    gs
27 .text:00436679                 mov     ax, 23h
28 .text:0043667D                 sub     esp, 30h
29 .text:00436680                 mov     ds, ax
30 .text:00436683                 assume ds:nothing
31 .text:00436683                 mov     es, ax
32 .text:00436686                 assume es:nothing
33 .text:00436686                 mov     ebp, esp        ; 从这里开始 ,EBP已经等于 Trap_Frame 结构,比如ebp+30为SegGs
34 .text:00436688                 test    [esp+_KTRAP_FRAME.EFlags], 20000h ; 判断 eflag 标准,是否是虚拟8086模式,如果是跳转下面函数
35 .text:00436690                 jnz     short V86_kit0_a ; 如果是虚拟8086,则继续填充_KTRAP_FRAME 结构
36 .text:00436692
37 .text:00436692 loc_436692:                             ; CODE XREF: V86_kit0_a+25↑j
38 .text:00436692                 mov     ecx, large fs:124h
39 .text:00436699                 cld
40 .text:0043669A                 and     [ebp+_KTRAP_FRAME.Dr7], 0
41 .text:0043669E                 test    byte ptr [ecx+3], 0DFh
42 .text:004366A2                 jnz     Dr_kit0_a
43 .text:004366A8
44 .text:004366A8 loc_4366A8:                             ; CODE XREF: Dr_kit0_a+D↑j
45 .text:004366A8                                         ; Dr_kit0_a+79↑j
46 .text:004366A8                 mov     ebx, [ebp+_TRAP_FRAME.Ebp] ; ebp
47 .text:004366AB                 mov     edi, [ebp+_KTRAP_FRAME._Eip] ; eip
48 .text:004366AE                 mov     [ebp+_KTRAP_FRAME.DbgArgPointer], edx
49 .text:004366B1                 mov     [ebp+_KTRAP_FRAME.DbgArgMark], 0BADB0D00h
50 .text:004366B8                 mov     [ebp+_KTRAP_FRAME.DbgEbp], ebx ; 保存堆栈
51 .text:004366BB                 mov     [ebp+_KTRAP_FRAME.DbgEip], edi ; 保存异常的EIP
52 .text:004366BE                 test    byte ptr [ebp+(_KTRAP_FRAME.EFlags+2)], 2
53 .text:004366C2                 jnz     short loc_436712
54 .text:004366C4                 test    byte ptr [ebp+_KTRAP_FRAME.SegCs], 1
55 .text:004366C8                 jnz     short loc_4366DB
56 .text:004366CA                 sti
57 .text:004366CB                 push    ebp
58 .text:004366CC                 push    0
59 .text:004366CE                 push    0
60 .text:004366D0                 push    0
61 .text:004366D2                 push    0
62 .text:004366D4                 push    7Fh
63 .text:004366D6                 call    _KeBugCheck2@24 ; KeBugCheck2(x,x,x,x,x,x)
64 .text:004366DB ; ---------------------------------------------------------------------------
65 .text:004366DB
66 .text:004366DB loc_4366DB:                             ; CODE XREF: _KiTrap00+78↑j
67 .text:004366DB                 cmp     word ptr [ebp+_KTRAP_FRAME.SegCs], 1Bh
68 .text:004366E0                 jnz     short loc_4366FF
69 .text:004366E2                 sti
70 .text:004366E3                 push    ebp             ; 将trap_frame压进去
71 .text:004366E4                 call    _Ki386CheckDivideByZeroTrap@4 ; 拿到除零异常的错误码
72 .text:004366E9                 mov     ebx, [ebp+_KTRAP_FRAME._Eip]
73 .text:004366EC                 jmp     loc_4363FB
74 .text:004366F1 ; ---------------------------------------------------------------------------
75 .text:004366F1
76 .text:004366F1 loc_4366F1:                             ; CODE XREF: _KiTrap00+C0↓j
77 .text:004366F1                                         ; _KiTrap00+CB↓j
78 .text:004366F1                 sti
79 .text:004366F2                 mov     ebx, [ebp+_KTRAP_FRAME._Eip]
80 .text:004366F5                 mov     eax, 0C0000094h
81 .text:004366FA                 jmp     loc_4363FB
82 .text:004366FF ; ---------------------------------------------------------------------------
83 .text:004366FF
84 .text:004366FF loc_4366FF:                             ; CODE XREF: _KiTrap00+90↑j
85 .text:004366FF                 mov     ebx, large fs:124h
86 .text:00436706                 mov     ebx, [ebx+50h]
87 .text:00436709                 cmp     dword ptr [ebx+148h], 0
88 .text:00436710                 jz      short loc_4366F1
89 .text:00436712
90 .text:00436712 loc_436712:                             ; CODE XREF: _KiTrap00+72↑j
91 .text:00436712                 push    0
92 .text:00436714                 call    _Ki386VdmReflectException_A@4 ; Ki386VdmReflectException_A(x)
93 .text:00436719                 or      al, al
94 .text:0043671B                 jz      short loc_4366F1
95 .text:0043671D                 jmp     Kei386EoiHelper@0 ; Kei386EoiHelper()
96 .text:0043671D _KiTrap00       endp

 

2.CommonDispatchException反汇编代码

 1 .text:0043641C CommonDispatchException proc near       ; CODE XREF: sub_43653F-142↑p
 2 .text:0043641C                                         ; sub_43653F-136↑p ...
 3 .text:0043641C
 4 .text:0043641C var_50          = dword ptr -50h
 5 .text:0043641C var_4C          = dword ptr -4Ch
 6 .text:0043641C var_48          = dword ptr -48h
 7 .text:0043641C var_44          = dword ptr -44h
 8 .text:0043641C var_40          = dword ptr -40h
 9 .text:0043641C var_3C          = byte ptr -3Ch
10 .text:0043641C
11 .text:0043641C                 sub     esp, 50h
12 .text:0043641F                 mov     [esp+_EXCEPTION_RECORD32.ExceptionCode], eax
13 .text:00436422                 xor     eax, eax
14 .text:00436424                 mov     [esp+_EXCEPTION_RECORD32.ExceptionFlags], eax
15 .text:00436428                 mov     [esp+_EXCEPTION_RECORD32.ExceptionRecord], eax
16 .text:0043642C                 mov     [esp+_EXCEPTION_RECORD32.ExceptionAddress], ebx
17 .text:00436430                 mov     [esp+_EXCEPTION_RECORD32.NumberParameters], ecx
18 .text:00436434                 cmp     ecx, 0          ; 判断是否存在参数
19 .text:00436437                 jz      short loc_436445 ; 如果存在参数,则进行赋值,否则直接跳过。
20 .text:00436439                 lea     ebx, [esp+_EXCEPTION_RECORD32.ExceptionInformation]
21 .text:0043643D                 mov     [ebx], edx
22 .text:0043643F                 mov     [ebx+4], esi
23 .text:00436442                 mov     [ebx+8], edi
24 .text:00436445
25 .text:00436445 loc_436445:                             ; CODE XREF: CommonDispatchException+1B↑j
26 .text:00436445                 mov     ecx, esp        ; 将 _EXCEPTION_RECORD 首地址放到 ecx 中
27 .text:00436447                 test    byte ptr [ebp+72h], 2
28 .text:0043644B                 jz      short loc_436454
29 .text:0043644D                 mov     eax, 0FFFFh
30 .text:00436452                 jmp     short loc_436457
31 .text:00436454 ; ---------------------------------------------------------------------------
32 .text:00436454
33 .text:00436454 loc_436454:                             ; CODE XREF: CommonDispatchException+2F↑j
34 .text:00436454                 mov     eax, [ebp+6Ch]
35 .text:00436457
36 .text:00436457 loc_436457:                             ; CODE XREF: CommonDispatchException+36↑j
37 .text:00436457                 and     eax, 1
38 .text:0043645A                 push    1               ; char
39 .text:0043645C                 push    eax             ; int
40 .text:0043645D                 push    ebp             ; BugCheckParameter3
41 .text:0043645E                 push    0               ; int
42 .text:00436460                 push    ecx             ; int
43 .text:00436461                 call    _KiDispatchException@20 ; KiDispatchException(x,x,x,x,x)
44 .text:00436466                 mov     esp, ebp
45 .text:00436468                 jmp     Kei386EoiHelper@0 ; Kei386EoiHelper()
46 .text:00436468 CommonDispatchException endp

 

上一篇:老码识途1之函数调用和局部变量


下一篇:Windows系统调用中API的3环部分(依据分析重写ReadProcessMemory函数)