找回密码
 立即注册→加入我们

QQ登录

只需一步,快速开始

搜索
热搜: 下载 VB C 实现 编写
查看: 3853|回复: 0

KeUserModeCallback表

[复制链接]
发表于 2015-10-5 22:15:30 | 显示全部楼层 |阅读模式

欢迎访问技术宅的结界,请注册或者登录吧。

您需要 登录 才可以下载或查看,没有账号?立即注册→加入我们

×
        关于KeUserModeCallback可以看到有很多文章,第一次接触也是在之前逆向发现的,是ring0调用ring3的一种方式,过称引用一篇文章里的:
nt!KeUserModeCallback -> nt!KiCallUserMode -> nt!KiServiceExit -> ntdll!KiUserCallbackDispatcher -> 回调函数 -> int2B -> nt!KiCallbackReturn -> nt!KeUserModeCallback

每个系统的表不一样:
xpx86
kd> dt _PEB 7ffd8000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged    : 0 ''
   +0x003 SpareBool        : 0 ''
   +0x004 Mutant           : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x01000000 Void
   +0x00c Ldr              : 0x00191e90 _PEB_LDR_DATA
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData    : (null)
   +0x018 ProcessHeap      : 0x00090000 Void
   +0x01c FastPebLock      : 0x7c9a0600 _RTL_CRITICAL_SECTION
   +0x020 FastPebLockRoutine : 0x7c921000 Void
   +0x024 FastPebUnlockRoutine : 0x7c9210e0 Void
   +0x028 EnvironmentUpdateCount : 1
   +0x02c KernelCallbackTable : 0x77d12970 Void
USER32!__fnCOPYDATA
USER32!__fnCOPYGLOBALDATA
USER32!__fnDWORD
USER32!__fnNCDESTROY
USER32!__fnDWORDOPTINLPMSG
USER32!__fnINOUTDRAG
USER32!__fnGETTEXTLENGTHS
USER32!__fnINCNTOUTSTRING
USER32!__fnINCNTOUTSTRINGNULL
USER32!__fnINLPCOMPAREITEMSTRUCT
USER32!__fnINLPCREATESTRUCT
USER32!__fnINLPDELETEITEMSTRUCT
USER32!__fnINLPDRAWITEMSTRUCT
USER32!__fnINLPHELPINFOSTRUCT
USER32!__fnINLPHELPINFOSTRUCT
USER32!__fnINLPMDICREATESTRUCT
USER32!__fnINOUTLPMEASUREITEMSTRUCT
USER32!__fnINLPWINDOWPOS
USER32!__fnINOUTLPPOINT5
USER32!__fnINOUTLPSCROLLINFO
USER32!__fnINOUTLPRECT
USER32!__fnINOUTNCCALCSIZE
USER32!__fnINOUTLPSCROLLINFO
USER32!__fnINPAINTCLIPBRD
USER32!__fnINSIZECLIPBRD
USER32!__fnINDESTROYCLIPBRD
USER32!__fnINSTRINGNULL
USER32!__fnINSTRINGNULL
USER32!__fnINDEVICECHANGE
USER32!__fnINOUTNEXTMENU
USER32!__fnLOGONNOTIFY
USER32!__fnOPTOUTLPDWORDOPTOUTLPDWORD
USER32!__fnOPTOUTLPDWORDOPTOUTLPDWORD
USER32!__fnOUTDWORDINDWORD
USER32!__fnOUTLPRECT
USER32!__fnINCNTOUTSTRINGNULL
USER32!__fnINLPHELPINFOSTRUCT
USER32!__fnINCNTOUTSTRINGNULL
USER32!__fnSENTDDEMSG
USER32!__fnINOUTSTYLECHANGE
USER32!__fnHkINDWORD
USER32!__fnHkINLPCBTACTIVATESTRUCT
USER32!__fnHkINLPCBTCREATESTRUCT
USER32!__fnHkINLPDEBUGHOOKSTRUCT
USER32!__fnHkINLPMOUSEHOOKSTRUCTEX
USER32!__fnHkINLPKBDLLHOOKSTRUCT
USER32!__fnHkINLPMSLLHOOKSTRUCT
USER32!__fnHkINLPMSG
USER32!__fnHkINLPRECT
USER32!__fnHkOPTINLPEVENTMSG
USER32!__ClientCopyDDEIn1
USER32!__ClientCopyDDEIn2
USER32!__ClientCopyDDEOut1
USER32!__ClientCopyDDEOut2
USER32!__ClientCopyImage
USER32!__ClientEventCallback
USER32!__ClientFindMnemChar
USER32!__ClientFontSweep
USER32!__ClientFreeDDEHandle
USER32!__ClientFreeLibrary
USER32!__ClientGetCharsetInfo
USER32!__ClientGetDDEFlags
USER32!__ClientGetDDEHookData
USER32!__ClientGetListboxString
USER32!__ClientGetMessageMPH
USER32!__ClientLoadImage
USER32!__ClientLoadLibrary
USER32!__ClientLoadMenu
USER32!__ClientLoadLocalT1Fonts
USER32!__ClientLoadRemoteT1Fonts
USER32!__ClientPSMTextOut
USER32!__ClientLpkDrawTextEx
USER32!__ClientExtTextOutW
USER32!__ClientGetTextExtentPointW
USER32!__ClientCharToWchar
USER32!__ClientAddFontResourceW
USER32!__ClientThreadSetup
USER32!__ClientDeliverUserApc
USER32!__ClientNoMemoryPopup
USER32!__ClientMonitorEnumProc
USER32!__ClientCallWinEventProc
USER32!__ClientWaitMessageExMPH
USER32!__ClientWOWGetProcModule
USER32!__ClientWOWTask16SchedNotify
USER32!__ClientImmLoadLayout
USER32!__ClientImmProcessKey
USER32!__fnIMECONTROL
USER32!__fnINWPARAMDBCSCHAR
USER32!__fnGETTEXTLENGTHS
USER32!__fnINLPKDRAWSWITCHWND
USER32!__ClientLoadStringW
USER32!__ClientLoadOLE
USER32!__ClientRegisterDragDrop
USER32!__ClientRevokeDragDrop
USER32!__fnINOUTMENUGETOBJECT
USER32!__ClientPrinterThunk
USER32!__fnOUTLPCOMBOBOXINFO
USER32!__fnOUTLPSCROLLBARINFO

windows本身也通过这种方式从内核调用应用层api
回复

使用道具 举报

本版积分规则

QQ|Archiver|小黑屋|技术宅的结界 ( 滇ICP备16008837号 )|网站地图

GMT+8, 2024-11-22 13:16 , Processed in 0.030409 second(s), 22 queries , Gzip On.

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表