The Windows system contains a great many internal data structures that record all the important information about the system: threads, processes, kernel (system) calls, and so on. The Dependency Walker tool that ships with Visual Studio, for example, relies on such structures, as does the current Windows build number (in SoftICE the DW command can be used to find it; on my machine it is 0893h). The system call table is described by the following data pointer structure:

    struct _ServiceDescriptorEntry {
        unsigned int  *ServiceTableBase;
        unsigned int  *ServiceCounterTableBase;
        unsigned int   NumberOfServices;
        unsigned char *ParamTableBase;
    } ServiceDescriptorTableEntry;

A typical application of it is Regmon by Mark Russinovich and Bryce Cogswell; see www.sysinternals.com for details.

TEB (Thread Environment Block): the experiments here were done only on Windows 2000 Server (Build 2195) on Intel i386. The TEB is called the TIB (Thread Information Block) in the Windows 9x series. It records the important information about a thread, and every thread has its own TEB structure.
Its format is as follows (taken from Matt Pietrek's Under the Hood column, MSJ 1996):

    typedef struct _TIB {
        PEXCEPTION_REGISTRATION_RECORD pvExcept;  // 00h Head of exception record list
        PVOID pvStackUserTop;                     // 04h Top of user stack
        PVOID pvStackUserBase;                    // 08h Base of user stack
        union                                     // 0Ch (NT/Win95 differences)
        {
            struct    // Win95 fields
            {
                WORD  pvTDB;                      // 0Ch TDB
                WORD  pvThunkSS;                  // 0Eh SS selector used for thunking to 16 bits
                DWORD unknown1;                   // 10h
            } WIN95;
            struct    // WinNT fields
            {
                PVOID SubSystemTib;               // 0Ch
                ULONG FiberData;                  // 10h
            } WINNT;
        } TIB_UNION1;
        PVOID pvArbitrary;                        // 14h Available for application use
        struct _tib *ptibSelf;                    // 18h Linear address of TIB structure
        union                                     // 1Ch (NT/Win95 differences)
        {
            struct    // Win95 fields
            {
                WORD  TIBFlags;                   // 1Ch
                WORD  Win16MutexCount;            // 1Eh
                DWORD DebugContext;               // 20h
                DWORD pCurrentPriority;           // 24h
                DWORD pvQueue;                    // 28h Message Queue selector
            } WIN95;
            struct    // WinNT fields
            {
                DWORD unknown1;                   // 1Ch
                DWORD processID;                  // 20h
                DWORD threadID;                   // 24h
                DWORD unknown2;                   // 28h
            } WINNT;
        } TIB_UNION2;
        PVOID *pvTLSArray;                        // 2Ch Thread Local Storage array
        union                                     // 30h (NT/Win95 differences)
        {
            struct    // Win95 fields
            {
                PVOID *pProcess;                  // 30h Pointer to owning process database
            } WIN95;
        } TIB_UNION3;
    } TIB, *PTIB;
In the Windows 2000 DDK it is defined as:

    typedef struct _NT_TIB {
        struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
        PVOID StackBase;
        PVOID StackLimit;
        PVOID SubSystemTib;
        union {
            PVOID FiberData;
            ULONG Version;
        };
        PVOID ArbitraryUserPointer;
        struct _NT_TIB *Self;
    } NT_TIB;

Fortunately, when Windows creates a thread it allocates a TEB for that thread, and whenever it switches to a thread it makes the FS segment selector (on i386) point to the TEB of the current thread (on a single-CPU machine only one thread is executing at any moment). This gives us a way to access the TEB data. In fact, this is exactly how Windows itself supplies information to your application; let us look at an example. Everyone knows that the GetCurrentThreadId API returns the current thread ID. It is implemented as follows:

    GetCurrentThreadId:
        mov eax, fs:[00000018h]   ; 18h: linear address of the TIB structure
        mov eax, [eax+24h]        ; 24h: threadID
        ret                       ; return the value in EAX to the caller

Because the TEB structure is so large, I will only discuss the field at offset 00h, struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList, together with its concrete use in the CIH 1.3 source code. ExceptionList is used to implement SEH (Structured Exception Handling); if you have used __try, __except and __finally in C you have already met it, and for the details I recommend Jeffrey Richter's Advanced Windows NT or a similar book. First let us look at the _EXCEPTION_REGISTRATION_RECORD structure. In the CRT (C runtime library) source it is defined as follows:

    ; Exsup.inc --- Microsoft Visual C CRT source file
    _EXCEPTION_REGISTRATION struc
        prev    dd ?
        handler dd ?
    _EXCEPTION_REGISTRATION ends

Here prev points to the previous _EXCEPTION_REGISTRATION, so the records form a chain; that is why a disposition such as EXCEPTION_CONTINUE_SEARCH exists: a handler that declines the exception passes it on to the previous record.
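To make the two points above concrete without a Windows host, here is an added example (my own code, not from the article, the DDK or the CIH source). It models the i386 TIB head with 32-bit fields so that offsetof reproduces the 18h and 24h offsets hard-coded in GetCurrentThreadId, and it models the ExceptionList chain as the two-word prev/handler records from Exsup.inc: seh_install links a frame in front of the current head the way the push sequence does, and seh_dispatch walks the chain head-first until a handler does not answer ContinueSearch, which is the behaviour the prev pointer exists for. Assumptions: the chain head is a plain global standing in for FS:[0], the end of the chain is NULL here (real Windows uses -1), the two handlers and the status codes used to exercise them are constructed for the demo (0xC0000005 and 0x80000003 are the real NTSTATUS values for access violation and breakpoint).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* i386 TIB head, modelled with 32-bit fields so the layout is host independent. */
typedef struct tib32 {
    uint32_t ExceptionList;        /* 00h head of the _EXCEPTION_REGISTRATION chain */
    uint32_t StackBase;            /* 04h top of user stack */
    uint32_t StackLimit;           /* 08h base of user stack */
    uint32_t SubSystemTib;         /* 0Ch */
    uint32_t FiberData;            /* 10h */
    uint32_t ArbitraryUserPointer; /* 14h */
    uint32_t Self;                 /* 18h linear address of the TIB itself */
    uint32_t unknown1;             /* 1Ch */
    uint32_t processID;            /* 20h */
    uint32_t threadID;             /* 24h the value GetCurrentThreadId returns */
} tib32_t;

/* The two offsets the GetCurrentThreadId disassembly hard-codes. */
size_t tib32_self_offset(void)     { return offsetof(tib32_t, Self); }     /* 0x18 */
size_t tib32_threadid_offset(void) { return offsetof(tib32_t, threadID); } /* 0x24 */

/* The two-word record from Exsup.inc: prev, then handler. */
enum disposition { ContinueExecution = 0, ContinueSearch = 1 };
struct exception_registration;
typedef enum disposition (*seh_handler_t)(uint32_t code, struct exception_registration *frame);
typedef struct exception_registration {
    struct exception_registration *prev;   /* previous record in the chain */
    seh_handler_t handler;                 /* called by the dispatcher */
} exception_registration_t;

/* Stand-in for FS:[0] (assumption: NULL terminates the chain; Windows uses -1). */
static exception_registration_t *seh_head = NULL;

/* Same effect as the push handler / push prev sequence: link the new frame in
   front of whatever was installed before and make it the head. */
void seh_install(exception_registration_t *frame, seh_handler_t handler) {
    frame->handler = handler;
    frame->prev = seh_head;
    seh_head = frame;
}

/* Undo seh_install; frames must be removed in LIFO order, so the frame has to be the head. */
int seh_uninstall(exception_registration_t *frame) {
    if (seh_head != frame) return 0;
    seh_head = frame->prev;
    return 1;
}

/* Walk the chain like the dispatcher: head first, following prev while each
   handler answers ContinueSearch. Returns the frame that took the exception, or
   NULL if every handler passed; *visited receives the number of handlers called. */
exception_registration_t *seh_dispatch(uint32_t code, int *visited) {
    int n = 0;
    for (exception_registration_t *f = seh_head; f != NULL; f = f->prev) {
        n++;
        if (f->handler(code, f) == ContinueExecution) {
            if (visited) *visited = n;
            return f;
        }
    }
    if (visited) *visited = n;
    return NULL;
}

/* Constructed handlers: the inner one wants only access violations, the outer
   one takes any code whose severity bit is set (warning or error status). */
static enum disposition inner_handler(uint32_t code, exception_registration_t *f) {
    (void)f;
    return code == 0xC0000005u ? ContinueExecution : ContinueSearch;
}
static enum disposition outer_handler(uint32_t code, exception_registration_t *f) {
    (void)f;
    return (code & 0x80000000u) ? ContinueExecution : ContinueSearch;
}

/* Installs outer then inner, dispatches `code`, and returns the depth of the
   frame that handled it (1 = innermost), or 0 if the chain was exhausted.
   The chain is left exactly as it was found. */
int demo_dispatch(uint32_t code) {
    exception_registration_t outer, inner;
    int visited = 0;
    seh_install(&outer, outer_handler);
    seh_install(&inner, inner_handler);
    exception_registration_t *hit = seh_dispatch(code, &visited);
    int depth = (hit == NULL) ? 0 : visited;
    seh_uninstall(&inner);
    seh_uninstall(&outer);
    return depth;
}

int main(void) {
    printf("Self at %02zxh, threadID at %02zxh\n", tib32_self_offset(), tib32_threadid_offset());
    printf("access violation handled at depth %d\n", demo_dispatch(0xC0000005u)); /* 1 */
    printf("breakpoint handled at depth %d\n", demo_dispatch(0x80000003u));       /* 2 */
    printf("code 0 handled at depth %d\n", demo_dispatch(0));                     /* 0 */
    return 0;
}
```

The breakpoint case is the one that matters for the article: the innermost handler declines it, so the dispatcher follows prev to the next record, exactly as it would follow the chain from a frame a program has just pushed on top of the one the runtime installed.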
The CIH source has the following code at its entry point:

    ;*********************************************************
    ;* Ring3 Virus Game Initial Program                      *
    ;*********************************************************
    MyVirusStart:                   ; Ring3 code entry point
        push ebp
        ;****************************************
        ;* Let's Modify Structured Exception    *
        ;* Handing, Prevent Exception Error     *
        ;* Occurrence, Especially in NT.        *
        ;****************************************
        lea  eax, [esp-04h*2]       ; reserve 8 bytes on the stack for an _EXCEPTION_REGISTRATION structure,
                                    ; the equivalent of a stack-based local variable in C (the C compiler does
                                    ; this for you); EAX now points at the _EXCEPTION_REGISTRATION structure,
                                    ; which is not yet initialised (for the mechanism see compiler textbooks
                                    ; and Matt Pietrek's articles)
        xor  ebx, ebx               ; 0 -> EBX
        xchg eax, fs:[ebx]          ; fs:[0] <-> eax; EAX now holds the original exception registration
                                    ; record, and fs:[0] is TEB.ExceptionList (FS points to the TEB and
                                    ; ExceptionList is at offset 0, i.e. fs:[0])
        call @0
    @0:
        pop  ebx                    ; these three lines compute the code's load address; EBX is now the address of @0
        lea  ecx, StopToRunVirusCode-@0[ebx]   ; ECX points at CIH's own handler code
        push ecx                    ; fill the handler field of _EXCEPTION_REGISTRATION; when an exception
                                    ; occurs the operating system calls it automatically
        push eax                    ; EAX is the original exception registration record; fill the prev field
                                    ; of _EXCEPTION_REGISTRATION

After this CIH executes INT 3 to make the system raise an exception, and it still ends up in its own code. This can be confirmed from the following comment in the CIH source:

    ;*********************************************
    ;* Generate Exception to Get Ring0          *
    ;*********************************************
        int  HookExceptionNumber     ; GenerateException

HookExceptionNumber is defined as 3,
so this instruction raises an exception; please refer to the CIH source code for the rest. Because the code above is rather abstract, I deliberately rewrote it so that it is easier to understand (the program is a PE file that runs directly under Windows):

    // TestCIH.c   Questions: contact Tsu00@263.net
    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>    // EXCEPTION_DISPOSITION, _EXCEPTION_RECORD, _CONTEXT (via EXCPT.H / WINNT.H)

    // Exception handler; the prototype is the one given in EXCPT.H
    EXCEPTION_DISPOSITION __cdecl _except_handler(
        struct _EXCEPTION_RECORD *ExceptionRecord,
        void *EstablisherFrame,
        struct _CONTEXT *ContextRecord,
        void *DispatcherContext)
    {
        printf("CIH Run Here...\n");
        exit(0);    // the stack has been disturbed; interested readers can restore it, here I simply exit
    }

    void main(void)
    {
        _asm {
            push ebp
            mov  eax, esp
            sub  eax, 8                 // these two lines are equivalent to lea eax, [esp-04h*2]
            xor  ebx, ebx
            xchg eax, fs:[ebx]
            call Next
        Next:
            pop  ebx                    // these three lines have no real purpose here, they only mirror the CIH code
            lea  ecx, _except_handler   // _except_handler is installed as the exception handler
            push ecx
            push eax
        }
        _asm {
            mov  eax, 0
            mov  dword ptr [eax], 0     // write to a reserved address: the access violation makes the operating
                                        // system call _except_handler
        }
    }

The prototype of the _except_handler callback can be found in EXCPT.H. The first _asm block in main is essentially the same as the CIH code discussed above; the second _asm block tries to write to a memory address reserved by the system, which raises an exception. Compile it with Visual C:

    C:\> cl TestCIH.c
    C:\> TestCIH
    CIH Run Here...

On Windows 2000, when this code runs, the exception makes the operating system hand control to _except_handler. So although CIH cannot achieve its purpose when it modifies the protected system area (the IDT) under NT/2000, it does protect itself from crashing there. Only with a sufficient understanding of the system can one understand system security, just as with the CIH virus. Information on this subject is scarce at present, and this article only records some of my own experiments, so mistakes are inevitable. If you find any, or have further interest in the topic, please contact TSU00@263.net. Finally, thank you all for your guidance and help!

References:
1. Jeffrey Richter, Advanced Windows NT
2. Matt Pietrek, A Crash Course on the Depths of Win32 Structured Exception Handling
3. CIH 1.3 source code