元始天尊 posted on 2015-10-5 22:15:30

The KeUserModeCallback table

There are plenty of articles about KeUserModeCallback. I first ran into it during some earlier reverse-engineering work; it is one way for ring0 to call into ring3. The call flow, quoted from one of those articles:
nt!KeUserModeCallback -> nt!KiCallUserMode -> nt!KiServiceExit -> ntdll!KiUserCallbackDispatcher -> callback function -> int 2B -> nt!KiCallbackReturn -> nt!KeUserModeCallback

The table differs from one system to another:
XP x86:
kd> dt _PEB 7ffd8000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 SpareBool      : 0 ''
   +0x004 Mutant         : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x01000000 Void
   +0x00c Ldr            : 0x00191e90 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null)
   +0x018 ProcessHeap      : 0x00090000 Void
   +0x01c FastPebLock      : 0x7c9a0600 _RTL_CRITICAL_SECTION
   +0x020 FastPebLockRoutine : 0x7c921000 Void
   +0x024 FastPebUnlockRoutine : 0x7c9210e0 Void
   +0x028 EnvironmentUpdateCount : 1
   +0x02c KernelCallbackTable : 0x77d12970 Void
USER32!__fnCOPYDATA
USER32!__fnCOPYGLOBALDATA
USER32!__fnDWORD
USER32!__fnNCDESTROY
USER32!__fnDWORDOPTINLPMSG
USER32!__fnINOUTDRAG
USER32!__fnGETTEXTLENGTHS
USER32!__fnINCNTOUTSTRING
USER32!__fnINCNTOUTSTRINGNULL
USER32!__fnINLPCOMPAREITEMSTRUCT
USER32!__fnINLPCREATESTRUCT
USER32!__fnINLPDELETEITEMSTRUCT
USER32!__fnINLPDRAWITEMSTRUCT
USER32!__fnINLPHELPINFOSTRUCT
USER32!__fnINLPHELPINFOSTRUCT
USER32!__fnINLPMDICREATESTRUCT
USER32!__fnINOUTLPMEASUREITEMSTRUCT
USER32!__fnINLPWINDOWPOS
USER32!__fnINOUTLPPOINT5
USER32!__fnINOUTLPSCROLLINFO
USER32!__fnINOUTLPRECT
USER32!__fnINOUTNCCALCSIZE
USER32!__fnINOUTLPSCROLLINFO
USER32!__fnINPAINTCLIPBRD
USER32!__fnINSIZECLIPBRD
USER32!__fnINDESTROYCLIPBRD
USER32!__fnINSTRINGNULL
USER32!__fnINSTRINGNULL
USER32!__fnINDEVICECHANGE
USER32!__fnINOUTNEXTMENU
USER32!__fnLOGONNOTIFY
USER32!__fnOPTOUTLPDWORDOPTOUTLPDWORD
USER32!__fnOPTOUTLPDWORDOPTOUTLPDWORD
USER32!__fnOUTDWORDINDWORD
USER32!__fnOUTLPRECT
USER32!__fnINCNTOUTSTRINGNULL
USER32!__fnINLPHELPINFOSTRUCT
USER32!__fnINCNTOUTSTRINGNULL
USER32!__fnSENTDDEMSG
USER32!__fnINOUTSTYLECHANGE
USER32!__fnHkINDWORD
USER32!__fnHkINLPCBTACTIVATESTRUCT
USER32!__fnHkINLPCBTCREATESTRUCT
USER32!__fnHkINLPDEBUGHOOKSTRUCT
USER32!__fnHkINLPMOUSEHOOKSTRUCTEX
USER32!__fnHkINLPKBDLLHOOKSTRUCT
USER32!__fnHkINLPMSLLHOOKSTRUCT
USER32!__fnHkINLPMSG
USER32!__fnHkINLPRECT
USER32!__fnHkOPTINLPEVENTMSG
USER32!__ClientCopyDDEIn1
USER32!__ClientCopyDDEIn2
USER32!__ClientCopyDDEOut1
USER32!__ClientCopyDDEOut2
USER32!__ClientCopyImage
USER32!__ClientEventCallback
USER32!__ClientFindMnemChar
USER32!__ClientFontSweep
USER32!__ClientFreeDDEHandle
USER32!__ClientFreeLibrary
USER32!__ClientGetCharsetInfo
USER32!__ClientGetDDEFlags
USER32!__ClientGetDDEHookData
USER32!__ClientGetListboxString
USER32!__ClientGetMessageMPH
USER32!__ClientLoadImage
USER32!__ClientLoadLibrary
USER32!__ClientLoadMenu
USER32!__ClientLoadLocalT1Fonts
USER32!__ClientLoadRemoteT1Fonts
USER32!__ClientPSMTextOut
USER32!__ClientLpkDrawTextEx
USER32!__ClientExtTextOutW
USER32!__ClientGetTextExtentPointW
USER32!__ClientCharToWchar
USER32!__ClientAddFontResourceW
USER32!__ClientThreadSetup
USER32!__ClientDeliverUserApc
USER32!__ClientNoMemoryPopup
USER32!__ClientMonitorEnumProc
USER32!__ClientCallWinEventProc
USER32!__ClientWaitMessageExMPH
USER32!__ClientWOWGetProcModule
USER32!__ClientWOWTask16SchedNotify
USER32!__ClientImmLoadLayout
USER32!__ClientImmProcessKey
USER32!__fnIMECONTROL
USER32!__fnINWPARAMDBCSCHAR
USER32!__fnGETTEXTLENGTHS
USER32!__fnINLPKDRAWSWITCHWND
USER32!__ClientLoadStringW
USER32!__ClientLoadOLE
USER32!__ClientRegisterDragDrop
USER32!__ClientRevokeDragDrop
USER32!__fnINOUTMENUGETOBJECT
USER32!__ClientPrinterThunk
USER32!__fnOUTLPCOMBOBOXINFO
USER32!__fnOUTLPSCROLLBARINFO

Windows itself also uses this mechanism to call user-mode APIs from the kernel.
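As an added example (my code, not part of the original post), the script below reads the same table from a live process instead of windbg: it locates the PEB through NtQueryInformationProcess, reads KernelCallbackTable at the +0x02c offset shown in the dump, and attributes each slot to the module whose image contains it, which on a clean system is user32.dll exactly as in the listing. The x64 offset (0x58), the six-pointer PROCESS_BASIC_INFORMATION layout and the sample addresses used for the offline check are assumptions of this example, not taken from the post.

```python
import ctypes
import sys

# _PEB.KernelCallbackTable offset: 0x02c on x86 is taken from the dump above;
# 0x058 on x64 is not in the post and is an assumption of this example.
PEB_KCT_OFFSET = 0x2C if ctypes.sizeof(ctypes.c_void_p) == 4 else 0x58
HANDLE, ULONG = ctypes.c_void_p, ctypes.c_ulong


def classify_entries(entries, modules):
    """Attribute each callback pointer to the module image that contains it.

    entries: function pointers read from the table; modules: (name, base, size).
    Returns [(index, pointer, module name or None)]; None means the slot points
    outside every module given, something the windbg listing above never shows.
    """
    result = []
    for i, ptr in enumerate(entries):
        owner = next((n for n, b, s in modules if b <= ptr < b + s), None)
        result.append((i, ptr, owner))
    return result


def module_range(name):
    """(name, base, SizeOfImage) of a loaded module, read from its PE header."""
    kernel32 = ctypes.WinDLL("kernel32")
    kernel32.GetModuleHandleW.restype = ctypes.c_void_p
    base = kernel32.GetModuleHandleW(name)
    e_lfanew = ctypes.c_int32.from_address(base + 0x3C).value
    size = ctypes.c_uint32.from_address(base + e_lfanew + 0x50).value  # SizeOfImage
    return (name, base, size)


def read_table_from_self(count):
    """Windows only: read the first `count` KernelCallbackTable slots of this process.

    The PEB address comes from NtQueryInformationProcess(ProcessBasicInformation),
    the same _PEB that `dt _PEB` walks in the dump above.
    """
    ntdll, kernel32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32")
    kernel32.GetCurrentProcess.restype = HANDLE
    ntdll.NtQueryInformationProcess.argtypes = [
        HANDLE, ctypes.c_int, ctypes.c_void_p, ULONG, ctypes.POINTER(ULONG)]
    pbi = (ctypes.c_void_p * 6)()  # PROCESS_BASIC_INFORMATION; PebBaseAddress is [1]
    status = ntdll.NtQueryInformationProcess(
        kernel32.GetCurrentProcess(), 0, pbi, ctypes.sizeof(pbi), None)
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed: {status:#x}")
    table = ctypes.c_void_p.from_address(pbi[1] + PEB_KCT_OFFSET).value
    return [p or 0 for p in (ctypes.c_void_p * count).from_address(table)]


if __name__ == "__main__" and sys.platform == "win32":
    ctypes.WinDLL("user32")  # make sure user32, and with it the table, is loaded
    mods = [module_range("user32.dll"), module_range("ntdll.dll")]
    for i, ptr, owner in classify_entries(read_table_from_self(16), mods):
        print(f"[{i:2}] {ptr:#018x} {owner}")
```

Only the first 16 slots are read because the table has no terminator and its length is version specific; every printed owner should be user32.dll.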