How to install VS6 on 64-bit Windows 7 / Vista
The installer seems to check whether the MS JVM is installed.
But the MS JVM cannot be installed on a 64-bit OS.
To make it look as if the JVM is installed,
just copy an MSJAVA.DLL file into the system directory.
I didn't go looking for the original file on the internet;
simply creating a 0-byte file from the console and copying it there
was enough to let the installation complete normally.
Vista 64 SP1 SystemServiceTable
Extracted from NTDLL:
the SystemServiceTable of Vista x64 SP1
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6001.18304.amd64fre.vistasp1_gdr.090805-0102
0 ZwMapUserPhysicalPagesScatter
1 ZwWaitForSingleObject
2 ZwCallbackReturn
3 ZwReadFile
4 NtDeviceIoControlFile
5 ZwWriteFile
6 NtRemoveIoCompletion
7 NtReleaseSemaphore
8 NtReplyWaitReceivePort
9 NtReplyPort
0Ah NtSetInformationThread
0Bh ZwSetEvent
0Ch ZwClose
0Dh NtQueryObject
0Eh ZwQueryInformationFile
0Fh ZwOpenKey
10h ZwEnumerateValueKey
11h ZwFindAtom
12h ZwQueryDefaultLocale
13h NtQueryKey
14h NtQueryValueKey
15h NtAllocateVirtualMemory
16h NtQueryInformationProcess
17h ZwWaitForMultipleObjects32
18h NtWriteFileGather
19h ZwSetInformationProcess
1Ah NtCreateKey
1Bh ZwFreeVirtualMemory
1Ch ZwImpersonateClientOfPort
1Dh ZwReleaseMutant
1Eh ZwQueryInformationToken
1Fh ZwRequestWaitReplyPort
20h ZwQueryVirtualMemory
21h ZwOpenThreadToken
22h NtQueryInformationThread
23h ZwOpenProcess
24h NtSetInformationFile
25h ZwMapViewOfSection
26h ZwAccessCheckAndAuditAlarm
27h NtUnmapViewOfSection
28h ZwReplyWaitReceivePortEx
29h ZwTerminateProcess
2Ah NtSetEventBoostPriority
2Bh NtReadFileScatter
2Ch ZwOpenThreadTokenEx
2Dh ZwOpenProcessTokenEx
2Eh ZwQueryPerformanceCounter
2Fh ZwEnumerateKey
30h NtOpenFile
31h ZwDelayExecution
32h NtQueryDirectoryFile
33h ZwQuerySystemInformation
34h NtOpenSection
35h ZwQueryTimer
36h ZwFsControlFile
37h NtWriteVirtualMemory
38h ZwCloseObjectAuditAlarm
39h ZwDuplicateObject
3Ah NtQueryAttributesFile
3Bh NtClearEvent
3Ch ZwReadVirtualMemory
3Dh ZwOpenEvent
3Eh NtAdjustPrivilegesToken
3Fh ZwDuplicateToken
40h NtContinue
41h NtQueryDefaultUILanguage
42h ZwQueueApcThread
43h NtYieldExecution
44h NtAddAtom
45h NtCreateEvent
46h ZwQueryVolumeInformationFile
47h ZwCreateSection
48h ZwFlushBuffersFile
49h ZwApphelpCacheControl
4Ah NtCreateProcessEx
4Bh ZwCreateThread
4Ch ZwIsProcessInJob
4Dh ZwProtectVirtualMemory
4Eh ZwQuerySection
4Fh NtResumeThread
50h NtTerminateThread
51h NtReadRequestData
52h NtCreateFile
53h NtQueryEvent
54h ZwWriteRequestData
55h ZwOpenDirectoryObject
56h ZwAccessCheckByTypeAndAuditAlarm
57h NtQuerySystemTime
58h ZwWaitForMultipleObjects
59h ZwSetInformationObject
5Ah NtCancelIoFile
5Bh ZwTraceEvent
5Ch NtPowerInformation
5Dh NtSetValueKey
5Eh ZwCancelTimer
5Fh NtSetTimer
60h ZwAcceptConnectPort
61h NtAccessCheck
62h ZwAccessCheckByType
63h NtAccessCheckByTypeResultList
64h ZwAccessCheckByTypeResultListAndAuditAlarm
65h NtAccessCheckByTypeResultListAndAuditAlarmByHandle
66h NtAcquireCMFViewOwnership
67h ZwAddBootEntry
68h ZwAddDriverEntry
69h NtAdjustGroupsToken
6Ah ZwAlertResumeThread
6Bh NtAlertThread
6Ch NtAllocateLocallyUniqueId
6Dh NtAllocateUserPhysicalPages
6Eh ZwAllocateUuids
6Fh ZwAlpcAcceptConnectPort
70h ZwAlpcCancelMessage
71h ZwAlpcConnectPort
72h ZwAlpcCreatePort
73h NtAlpcCreatePortSection
74h NtAlpcCreateResourceReserve
75h ZwAlpcCreateSectionView
76h NtAlpcCreateSecurityContext
77h ZwAlpcDeletePortSection
78h ZwAlpcDeleteResourceReserve
79h ZwAlpcDeleteSectionView
7Ah ZwAlpcDeleteSecurityContext
7Bh ZwAlpcDisconnectPort
7Ch ZwAlpcImpersonateClientOfPort
7Dh ZwAlpcOpenSenderProcess
7Eh ZwAlpcOpenSenderThread
7Fh ZwAlpcQueryInformation
80h ZwAlpcQueryInformationMessage
81h ZwAlpcRevokeSecurityContext
82h NtAlpcSendWaitReceivePort
83h ZwAlpcSetInformation
84h ZwAreMappedFilesTheSame
85h ZwAssignProcessToJobObject
86h NtCancelDeviceWakeupRequest
87h ZwCancelIoFileEx
88h ZwCancelSynchronousIoFile
89h NtCommitComplete
8Ah ZwCommitEnlistment
8Bh ZwCommitTransaction
8Ch NtCompactKeys
8Dh ZwCompareTokens
8Eh NtCompleteConnectPort
8Fh ZwCompressKey
90h ZwConnectPort
91h NtCreateDebugObject
92h ZwCreateDirectoryObject
93h NtCreateEnlistment
94h NtCreateEventPair
95h ZwCreateIoCompletion
96h ZwCreateJobObject
97h ZwCreateJobSet
98h ZwCreateKeyTransacted
99h ZwCreateKeyedEvent
9Ah NtCreateMailslotFile
9Bh ZwCreateMutant
9Ch NtCreateNamedPipeFile
9Dh NtCreatePagingFile
9Eh NtCreatePort
9Fh NtCreatePrivateNamespace
0A0h NtCreateProcess
0A1h ZwCreateProfile
0A2h ZwCreateResourceManager
0A3h ZwCreateSemaphore
0A4h ZwCreateSymbolicLinkObject
0A5h NtCreateThreadEx
0A6h ZwCreateTimer
0A7h NtCreateToken
0A8h ZwCreateTransaction
0A9h NtCreateTransactionManager
0AAh NtCreateUserProcess
0ABh ZwCreateWaitablePort
0ACh NtCreateWorkerFactory
0ADh NtDebugActiveProcess
0AEh NtDebugContinue
0AFh ZwDeleteAtom
0B0h ZwDeleteBootEntry
0B1h NtDeleteDriverEntry
0B2h ZwDeleteFile
0B3h NtDeleteKey
0B4h NtDeleteObjectAuditAlarm
0B5h NtDeletePrivateNamespace
0B6h NtDeleteValueKey
0B7h ZwDisplayString
0B8h ZwEnumerateBootEntries
0B9h ZwEnumerateDriverEntries
0BAh NtEnumerateSystemEnvironmentValuesEx
0BBh ZwEnumerateTransactionObject
0BCh ZwExtendSection
0BDh NtFilterToken
0BEh ZwFlushInstallUILanguage
0BFh NtFlushInstructionCache
0C0h NtFlushKey
0C1h ZwFlushProcessWriteBuffers
0C2h ZwFlushVirtualMemory
0C3h NtFlushWriteBuffer
0C4h NtFreeUserPhysicalPages
0C5h ZwFreezeRegistry
0C6h ZwFreezeTransactions
0C7h ZwGetContextThread
0C8h NtGetCurrentProcessorNumber
0C9h NtGetDevicePowerState
0CAh ZwGetMUIRegistryInfo
0CBh ZwGetNextProcess
0CCh NtGetNextThread
0CDh ZwGetNlsSectionPtr
0CEh NtGetNotificationResourceManager
0CFh NtGetPlugPlayEvent
0D0h NtGetWriteWatch
0D1h ZwImpersonateAnonymousToken
0D2h ZwImpersonateThread
0D3h NtInitializeNlsFiles
0D4h ZwInitializeRegistry
0D5h NtInitiatePowerAction
0D6h ZwIsSystemResumeAutomatic
0D7h NtIsUILanguageComitted
0D8h ZwListenPort
0D9h ZwLoadDriver
0DAh ZwLoadKey
0DBh NtLoadKey2
0DCh ZwLoadKeyEx
0DDh NtLockFile
0DEh NtLockProductActivationKeys
0DFh NtLockRegistryKey
0E0h NtLockVirtualMemory
0E1h ZwMakePermanentObject
0E2h NtMakeTemporaryObject
0E3h ZwMapCMFModule
0E4h ZwMapUserPhysicalPages
0E5h ZwModifyBootEntry
0E6h NtModifyDriverEntry
0E7h NtNotifyChangeDirectoryFile
0E8h NtNotifyChangeKey
0E9h ZwNotifyChangeMultipleKeys
0EAh NtOpenEnlistment
0EBh NtOpenEventPair
0ECh ZwOpenIoCompletion
0EDh ZwOpenJobObject
0EEh NtOpenKeyTransacted
0EFh ZwOpenKeyedEvent
0F0h ZwOpenMutant
0F1h ZwOpenObjectAuditAlarm
0F2h ZwOpenPrivateNamespace
0F3h NtOpenProcessToken
0F4h ZwOpenResourceManager
0F5h NtOpenSemaphore
0F6h NtOpenSession
0F7h NtOpenSymbolicLinkObject
0F8h NtOpenThread
0F9h NtOpenTimer
0FAh ZwOpenTransaction
0FBh NtOpenTransactionManager
0FCh NtPlugPlayControl
0FDh NtPrePrepareComplete
0FEh ZwPrePrepareEnlistment
0FFh NtPrepareComplete
100h ZwPrepareEnlistment
101h ZwPrivilegeCheck
102h ZwPrivilegeObjectAuditAlarm
103h ZwPrivilegedServiceAuditAlarm
104h ZwPropagationComplete
105h ZwPropagationFailed
106h ZwPulseEvent
107h NtQueryBootEntryOrder
108h ZwQueryBootOptions
109h NtQueryDebugFilterState
10Ah NtQueryDirectoryObject
10Bh ZwQueryDriverEntryOrder
10Ch ZwQueryEaFile
10Dh NtQueryFullAttributesFile
10Eh NtQueryInformationAtom
10Fh NtQueryInformationEnlistment
110h NtQueryInformationJobObject
111h NtQueryInformationPort
112h NtQueryInformationResourceManager
113h NtQueryInformationTransaction
114h NtQueryInformationTransactionManager
115h NtQueryInformationWorkerFactory
116h ZwQueryInstallUILanguage
117h ZwQueryIntervalProfile
118h NtQueryIoCompletion
119h ZwQueryLicenseValue
11Ah NtQueryMultipleValueKey
11Bh NtQueryMutant
11Ch ZwQueryOpenSubKeys
11Dh ZwQueryOpenSubKeysEx
11Eh ZwQueryPortInformationProcess
11Fh ZwQueryQuotaInformationFile
120h ZwQuerySecurityObject
121h ZwQuerySemaphore
122h NtQuerySymbolicLinkObject
123h ZwQuerySystemEnvironmentValue
124h ZwQuerySystemEnvironmentValueEx
125h NtQueryTimerResolution
126h ZwRaiseException
127h NtRaiseHardError
128h ZwReadOnlyEnlistment
129h ZwRecoverEnlistment
12Ah ZwRecoverResourceManager
12Bh ZwRecoverTransactionManager
12Ch ZwRegisterProtocolAddressInformation
12Dh NtRegisterThreadTerminatePort
12Eh NtReleaseCMFViewOwnership
12Fh NtReleaseKeyedEvent
130h NtReleaseWorkerFactoryWorker
131h NtRemoveIoCompletionEx
132h NtRemoveProcessDebug
133h ZwRenameKey
134h ZwRenameTransactionManager
135h ZwReplaceKey
136h ZwReplacePartitionUnit
137h NtReplyWaitReplyPort
138h ZwRequestDeviceWakeup
139h ZwRequestPort
13Ah NtRequestWakeupLatency
13Bh ZwResetEvent
13Ch NtResetWriteWatch
13Dh NtRestoreKey
13Eh NtResumeProcess
13Fh ZwRollbackComplete
140h NtRollbackEnlistment
141h ZwRollbackTransaction
142h NtRollforwardTransactionManager
143h NtSaveKey
144h ZwSaveKeyEx
145h NtSaveMergedKeys
146h ZwSecureConnectPort
147h NtSetBootEntryOrder
148h ZwSetBootOptions
149h NtSetContextThread
14Ah NtSetDebugFilterState
14Bh NtSetDefaultHardErrorPort
14Ch NtSetDefaultLocale
14Dh ZwSetDefaultUILanguage
14Eh NtSetDriverEntryOrder
14Fh NtSetEaFile
150h ZwSetHighEventPair
151h ZwSetHighWaitLowEventPair
152h ZwSetInformationDebugObject
153h ZwSetInformationEnlistment
154h NtSetInformationJobObject
155h ZwSetInformationKey
156h NtSetInformationResourceManager
157h NtSetInformationToken
158h NtSetInformationTransaction
159h ZwSetInformationTransactionManager
15Ah ZwSetInformationWorkerFactory
15Bh NtSetIntervalProfile
15Ch ZwSetIoCompletion
15Dh ZwSetLdtEntries
15Eh NtSetLowEventPair
15Fh NtSetLowWaitHighEventPair
160h NtSetQuotaInformationFile
161h NtSetSecurityObject
162h ZwSetSystemEnvironmentValue
163h NtSetSystemEnvironmentValueEx
164h ZwSetSystemInformation
165h NtSetSystemPowerState
166h NtSetSystemTime
167h ZwSetThreadExecutionState
168h ZwSetTimerResolution
169h ZwSetUuidSeed
16Ah ZwSetVolumeInformationFile
16Bh ZwShutdownSystem
16Ch ZwShutdownWorkerFactory
16Dh NtSignalAndWaitForSingleObject
16Eh NtSinglePhaseReject
16Fh ZwStartProfile
170h ZwStopProfile
171h NtSuspendProcess
172h ZwSuspendThread
173h NtSystemDebugControl
174h NtTerminateJobObject
175h NtTestAlert
176h NtThawRegistry
177h NtThawTransactions
178h ZwTraceControl
179h ZwTranslateFilePath
17Ah ZwUnloadDriver
17Bh NtUnloadKey
17Ch NtUnloadKey2
17Dh NtUnloadKeyEx
17Eh ZwUnlockFile
17Fh NtUnlockVirtualMemory
180h NtVdmControl
181h NtWaitForDebugEvent
182h ZwWaitForKeyedEvent
183h ZwWaitForWorkViaWorkerFactory
184h ZwWaitHighEventPair
185h NtWaitLowEventPair
186h ZwWorkerFactoryWorkerReady
SYSCALL / SDT on a 64-bit OS
On Intel 32-bit CPUs / recent OSes,
the SYSENTER instruction is used to call system procedures.
AMD uses the SYSCALL instruction...
But since AMD led the x64 instruction set,
for 64-bit it seems to have been unified on SYSCALL. Or not? ㅡㅡㅋ
Analyzing 64-bit Vista,
it issues SYSCALL, not SYSENTER.
That holds on AMD processors and on Intel processors alike.
Looking at AMD's SYSCALL and SYSRET Instruction Specification:
SYSCALL/SYSRET Target Address Register (STAR) are copied into the EIP register.
(The STAR register is Model-Specific Register C000_0081h.
Roughly, it looks like the instruction pointer is taken from MSR C000_0081.
Ah... this one had me flailing around like crazy.
No matter how much I dug through the internet, SYSCALL always comes up as MSR C000_0081h...
I'm not certain, but that seems to be the story for a 32-bit OS.
Checking the AMD BIOS and Kernel Developer's Guide (BKDG),
Reset: X.
Bits Description
63:0 LSTAR: long mode target address. Read-write. Target address for 64-bit mode calling programs.
The address stored in this register must be in canonical form (if not canonical, a #GP fault occurs).
it says that in 64-bit mode the target address is set in MSR C000_0082.
Haa... I wasted a whole day on C000_0081...
Anyway, checking it:
msr[c0000082] = fffff800`018aec00
0: kd> u fffff800`018aec00
fffff800`018aec00 0f01f8 swapgs
fffff800`018aec03 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`018aec0c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`018aec15 6a2b push 2Bh
fffff800`018aec17 65ff342510000000 push qword ptr gs:[10h]
fffff800`018aec1f 4153 push r11
fffff800`018aec21 6a33 push 33h
fffff800`018aec23 51 push rcx
You can see that the address of KiSystemCall64 is set there.
I had wondered why KiFastCallEntry didn't show up in the NT kernel;
apparently on 64-bit that function handles it.
Ah, on a 32-bit Intel OS
you enter kernel mode through a routine in ntdll called KiFastSystemCall,
but on a 64-bit OS it doesn't go through that routine.
Comparing the behaviour through OpenProcess:
[figure: 32-bit Intel OS]
[figure: 64-bit OS]
That's what it looks like, as above.
On 64-bit the user-mode kernel32 module name is the same as well.
I was secretly hoping for kernel64, user64, you know..
Looking at the symbols around KiSystemCall64
you can see names like KiSystemServiceStart,
and Googling describes this function as the body that invokes system services.
To be exact,
the part that references the SDT is
nt!KiSystemServiceRepeat,
and the part that actually makes the call is
nt!KiSystemServiceCopyEnd. Hmm.. those two symbols don't seem to be functions, since there are no stack cleanup instructions inside...
Are they labels used by a GOTO? ㅡㅡa I don't really know stuff like that...
The SDT is...
fffff800`01a31980 fffff800`01860d00 nt!KiServiceTable
fffff800`01a31988 00000000`00000000
fffff800`01a31990 00000000`00000187
fffff800`01a31998 fffff800`0186193c nt!KiArgumentTable
fffff800`01a319a0 00000000`00000000
fffff800`01a319a8 00000000`00000000
fffff800`01a319b0 00000000`00000000
fffff800`01a319b8 00000000`00000000
fffff800`01a319c0 fffff800`01860d00 nt!KiServiceTable
fffff800`01a319c8 00000000`00000000
fffff800`01a319d0 00000000`00000187
fffff800`01a319d8 fffff800`0186193c nt!KiArgumentTable
fffff800`01a319e0 fffff960`00103100 win32k!W32pServiceTable
fffff800`01a319e8 00000000`00000000
fffff800`01a319f0 00000000`00000306
fffff800`01a319f8 fffff960`00104c3c win32k!W32pArgumentTable
Easy to find, just as it was on 32-bit.
ㅡㅡa But win32k!W32pServiceTable shows up right away. Was 32-bit like that too? '.'?
The service table
does not map 1:1 to the nt functions.
I think it's probably because of PatchGuard or whatever,
but it's not that the whole shape is hidden:
fffff800`018b2d00 02780a00`03969f00
fffff800`018b2d08 02668005`fff69d00
fffff800`018b2d10 0289e905`029b2206
fffff800`018b2d18 02728700`026aeb01
fffff800`018b2d20 023a5e00`023a5c40
fffff800`018b3908 fffff800`01c210c0 nt!NtWaitForDebugEvent
fffff800`018b3910 fffff800`01ad7658 nt!NtWaitForKeyedEvent
fffff800`018b3918 fffff800`018caabc nt!NtWaitForWorkViaWorkerFactory
fffff800`018b3920 fffff800`01c16a40 nt!NtWaitHighEventPair
fffff800`018b3928 fffff800`01c16ad0 nt!NtWaitLowEventPair
fffff800`018b3930 fffff800`018ed34c nt!NtWorkerFactoryWorkerReady
About half of it doesn't show, and the other half does.
I've heard SDT hooking doesn't work because of PatchGuard,
but even if it did, you'd have to unravel the secret of those hidden quad words.
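The quad words above can be read once you know how the x64 dispatcher consumes the table: KiSystemCall64 loads each entry as a sign-extended 32-bit value, shifts it right by four to get a displacement from the start of KiServiceTable, and keeps the low four bits as the number of arguments that arrive on the stack (beyond the four register arguments). The script below is an added example, not the author's code. It parses the two WinDbg dumps quoted above (the descriptor dump and the first five quad words of the table), assumes the first dumped address fffff800`018b2d00 is the table start in that session, and checks the decoded stack-argument counts against the parameter counts of services 0 to 9 from the table listed earlier on this page. The region the author shows as fully resolved pointers is not covered by this decoding.

```python
import re
from typing import NamedTuple

# Constructed input: the two WinDbg dumps quoted in the post, copied verbatim.
# Addresses belong to the author's debugging sessions; nothing here touches a
# live kernel.
SDT_DUMP = """\
fffff800`01a31980 fffff800`01860d00 nt!KiServiceTable
fffff800`01a31988 00000000`00000000
fffff800`01a31990 00000000`00000187
fffff800`01a31998 fffff800`0186193c nt!KiArgumentTable
fffff800`01a319a0 00000000`00000000
fffff800`01a319a8 00000000`00000000
fffff800`01a319b0 00000000`00000000
fffff800`01a319b8 00000000`00000000
fffff800`01a319c0 fffff800`01860d00 nt!KiServiceTable
fffff800`01a319c8 00000000`00000000
fffff800`01a319d0 00000000`00000187
fffff800`01a319d8 fffff800`0186193c nt!KiArgumentTable
fffff800`01a319e0 fffff960`00103100 win32k!W32pServiceTable
fffff800`01a319e8 00000000`00000000
fffff800`01a319f0 00000000`00000306
fffff800`01a319f8 fffff960`00104c3c win32k!W32pArgumentTable
"""

SERVICE_TABLE_DUMP = """\
fffff800`018b2d00 02780a00`03969f00
fffff800`018b2d08 02668005`fff69d00
fffff800`018b2d10 0289e905`029b2206
fffff800`018b2d18 02728700`026aeb01
fffff800`018b2d20 023a5e00`023a5c40
"""

# Parameter counts of services 0-9 in the Vista x64 table (names as on this
# page, Nt form), used to cross-check the decoded stack-argument counts.
PARAM_COUNTS = [
    ("NtMapUserPhysicalPagesScatter", 3), ("NtWaitForSingleObject", 3),
    ("NtCallbackReturn", 3), ("NtReadFile", 9), ("NtDeviceIoControlFile", 10),
    ("NtWriteFile", 9), ("NtRemoveIoCompletion", 5), ("NtReleaseSemaphore", 3),
    ("NtReplyWaitReceivePort", 4), ("NtReplyPort", 2),
]

QWORD = r"([0-9a-f]{8})`([0-9a-f]{8})"
DQ_LINE = re.compile(rf"^\s*{QWORD}\s+{QWORD}(?:\s+(\S+))?\s*$")


class ServiceDescriptor(NamedTuple):
    service_table: int      # KiServiceTable / W32pServiceTable
    counter_table: int      # zero on free builds
    service_limit: int      # number of services in the table
    argument_table: int     # KiArgumentTable / W32pArgumentTable
    symbol: str             # symbol WinDbg resolved for the service table


def parse_dq(text):
    """Turn dq/dqs output lines into (address, value, symbol) triples."""
    rows = []
    for line in text.splitlines():
        m = DQ_LINE.match(line)
        if m:
            addr = int(m.group(1) + m.group(2), 16)
            value = int(m.group(3) + m.group(4), 16)
            rows.append((addr, value, m.group(5) or ""))
    return rows


def parse_descriptors(text):
    """Group a descriptor dump into 4-qword entries, dropping all-zero slots."""
    rows = parse_dq(text)
    descriptors = []
    for i in range(0, len(rows) - 3, 4):
        chunk = rows[i:i + 4]
        values = [v for _, v, _ in chunk]
        if any(values):
            descriptors.append(ServiceDescriptor(*values, chunk[0][2]))
    return descriptors


def decode_entry(raw, table_base):
    """Decode one 32-bit service table entry the way KiSystemCall64 does:
    sign-extend (movsxd), arithmetic shift right by 4 (sar) for the
    displacement from the table start, low 4 bits = stack argument count."""
    signed = raw - (1 << 32) if raw & 0x80000000 else raw
    return table_base + (signed >> 4), raw & 0xF


def decode_table_dump(text):
    """Decode a dqs dump of the service table. Assumption: the first dumped
    address is the table start. Each qword holds two entries, low dword first."""
    rows = parse_dq(text)
    base = rows[0][0]
    decoded = []
    for _, qword, _ in rows:
        for dword in (qword & 0xFFFFFFFF, qword >> 32):
            decoded.append(decode_entry(dword, base))
    return decoded


def check_stack_args(decoded, expected=PARAM_COUNTS):
    """True when every decoded stack-argument count equals max(0, params - 4)."""
    return all(args == max(0, n - 4)
               for (_, args), (_, n) in zip(decoded, expected))


if __name__ == "__main__":
    for d in parse_descriptors(SDT_DUMP):
        print(f"{d.symbol:<26} limit={d.service_limit:#x} args@{d.argument_table:#x}")
    entries = decode_table_dump(SERVICE_TABLE_DUMP)
    for (name, _), (target, args) in zip(PARAM_COUNTS, entries):
        print(f"{name:<30} -> {target:#018x}  stack args: {args}")
    print("stack-argument counts consistent:", check_stack_args(entries))
```

The third quad word is the instructive one: 0xfff69d00 is negative, so NtCallbackReturn lives below the table, which is why a plain unsigned shift would produce garbage. The stack-argument nibbles (0,0,0,5,6,5,1,0,0,0) line up with the parameter counts of the first ten services, which is the check a practitioner would run before trusting such a decoding on another build.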
Anyway, since SDT hooking doesn't work...
-_ㅡa how on earth would you hook anything...
Hooking KiSystemCall by tampering with the MSR, or hooking CALL r10... would that even work...
Windows kernel routine prefixes
Windows kernel routines are named according to the following convention.
- prefix verb noun suffix
- Example: KeRevertToUserAffinityThreadEx
The kernel prefixes used in Windows are as follows.
Prefix | Kernel component
Aux | Auxiliary Library
Clfs | Common Log File System (CLFS) Library
Cc | Cache Manager
Cm | Configuration Manager
Ex | Executive Library
Flt | Filter Manager
Hal | Hardware Abstraction Layer (HAL)
Io | I/O Manager
Ke | Core Kernel Library
Mm | Memory Manager
Nt | User-mode Native Services
Ob | Object Manager
Po | Power Manager
Ps | Process and Thread Library
Rtl | Run-Time Library
FsRtl | File System Run-time Library
Se | Security Reference Monitor
Wmi | Windows Management Instrumentation Library
Zw | Kernel-mode wrappers for Native Services
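The prefix table and the prefix-verb-noun-suffix rule together make a small parser, which is handy when triaging a long list of routine names (a symbol dump, or the syscall table earlier on this page) by kernel component. The code below is an added example, not from the original post; it assumes "Ex" is the only suffix (the one the post's example shows) and that the first CamelCase word after the prefix is the verb, which acronym-led names such as NtAlpcCreatePort do not satisfy.

```python
import re
from collections import Counter
from typing import NamedTuple

# Prefix table from the post (prefix -> kernel component).
KERNEL_PREFIXES = {
    "Aux": "Auxiliary Library",
    "Clfs": "Common Log File System (CLFS) Library",
    "Cc": "Cache Manager",
    "Cm": "Configuration Manager",
    "Ex": "Executive Library",
    "Flt": "Filter Manager",
    "Hal": "Hardware Abstraction Layer (HAL)",
    "Io": "I/O Manager",
    "Ke": "Core Kernel Library",
    "Mm": "Memory Manager",
    "Nt": "User-mode Native Services",
    "Ob": "Object Manager",
    "Po": "Power Manager",
    "Ps": "Process and Thread Library",
    "Rtl": "Run-Time Library",
    "FsRtl": "File System Run-time Library",
    "Se": "Security Reference Monitor",
    "Wmi": "Windows Management Instrumentation Library",
    "Zw": "Kernel-mode wrappers for Native Services",
}

# Assumption: "Ex" (from the post's example) is the only suffix recognised.
KNOWN_SUFFIXES = ("Ex",)

# CamelCase splitter: an all-caps run (e.g. "MUI") or a capitalised word.
WORD_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z0-9]*")


class RoutineName(NamedTuple):
    prefix: str
    component: str
    verb: str
    noun: str
    suffix: str


def split_routine_name(name):
    """Split a kernel routine name into prefix / verb / noun / suffix.
    The longest matching prefix wins so that a multi-letter prefix such as
    FsRtl is never shadowed by a shorter one."""
    candidates = [p for p in KERNEL_PREFIXES if name.startswith(p)]
    if not candidates:
        raise ValueError(f"no known kernel prefix: {name}")
    prefix = max(candidates, key=len)
    rest = name[len(prefix):]
    suffix = ""
    for s in KNOWN_SUFFIXES:
        # keep at least one word before the suffix so "Ex" alone is never a suffix
        if rest.endswith(s) and len(rest) > len(s):
            suffix, rest = s, rest[:-len(s)]
            break
    words = WORD_RE.findall(rest)
    if not words:
        raise ValueError(f"no verb after prefix: {name}")
    return RoutineName(prefix, KERNEL_PREFIXES[prefix],
                       words[0], "".join(words[1:]), suffix)


def count_components(names):
    """Count routine names per kernel component; unknown prefixes go under 'unknown'."""
    counts = Counter()
    for n in names:
        try:
            counts[split_routine_name(n).component] += 1
        except ValueError:
            counts["unknown"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: the post's example plus a few names from this page.
    sample = ["KeRevertToUserAffinityThreadEx", "ZwClose", "NtReadFile",
              "ZwGetMUIRegistryInfo", "FsRtlLookupLastLargeMcbEntry", "FooBar"]
    for n in sample:
        try:
            print(n, "->", split_routine_name(n))
        except ValueError as e:
            print(n, "->", e)
    print(count_components(sample))
```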
Reference: