Monitoring of thread scheduling

xiaoxiao2021-03-06  45

As mentioned earlier, I did not go with SwapContext at first because I wanted to avoid hard-coded addresses. Later I wanted to use SwapContext after all, still without hard-coding anything, but since I had other approaches available the SwapContext hook was never implemented. I rarely have spare time; the last two days I finally had some, so I wrote it and here is the result.

First, step into SwapContext on Windows 2000 and see what it does (SoftICE listing, comments added):

0008:8040422C  or   cl, cl
0008:8040422E  mov  byte ptr es:[esi+2Dh], 2
0008:80404233  pushfd                        ; ESP+4 -> EFLAGS (after the push of ECX below)
0008:80404234  mov  ecx, [ebx]
0008:80404236  cmp  dword ptr [ebx+80Ch], 0
0008:8040423D  push ecx                      ; ESP -> exception list
0008:8040423E  jnz  80404338
0008:80404244  mov  ebp, cr0
0008:80404247  mov  edx, ebp
0008:80404249  mov  cl, [esi+2Ch]
0008:8040424C  mov  [ebx+50h], cl
0008:8040424F  cli
0008:80404250  mov  [edi+28h], esp           ; ESP is saved in the outgoing KTHREAD's KernelStack
0008:80404253  mov  eax, [esi+18h]
0008:80404256  mov  ecx, [esi+1Ch]
...

Obviously [ESP+8] on that saved stack is the return address of the `call SwapContext` inside KiSwapThread. The address of SwapContext itself could be derived from it (the call's displacement sits just before the return address), but that is not necessary, and there is no need to patch the call in KiSwapThread either: the return point itself is the place to hook.

The next question is how to read the KernelStack of a thread that is not the current one, and that is easy. Sample code (Windows 2000/XP):

#include <ntddk.h>

PCHAR GetSwapAddr()
{
    PCHAR    res = 0;
    NTSTATUS status;
    PETHREAD thread;

    // Pick a system thread that always exists and is not the current thread:
    // TID 4 on Windows 2000 (build 2195), TID 8 on XP.
    if (*NtBuildNumber <= 2195)
        status = PsLookupThreadByThreadId((PVOID)4, &thread);
    else
        status = PsLookupThreadByThreadId((PVOID)8, &thread);

    if (NT_SUCCESS(status))
    {
        // KTHREAD.KernelStack (offset 0x28) holds the ESP that SwapContext saved
        // when this thread was switched out; [ESP+8] is the return address
        // into KiSwapThread, i.e. the address to hook.
        if (MmIsAddressValid(thread))
            res = (PCHAR)*(PULONG)((PCHAR)thread + 0x28);
        if (res && MmIsAddressValid(res + 8))
            res = (PCHAR)*(PULONG)(res + 8);
        else
            res = 0;
        ObDereferenceObject(thread);    // PsLookupThreadByThreadId took a reference
    }
    return res;
}

PBYTE GoBackAddr = 0;

// Reached by a jmp from the patched return point in KiSwapThread, so the stack
// and registers are KiSwapThread's: preserve them around the DbgPrint call.
__declspec(naked) void HookSwap()
{
    __asm pushad
    __asm pushfd
    DbgPrint("%08x\n", KeGetCurrentThread());   // the thread that was just switched in
    __asm popfd
    __asm popad
    __asm jmp dword ptr [GoBackAddr]            // run the displaced instructions, then continue
}

// HookFunction(target, hook) overwrites target with a jump to hook and returns
// the address of a trampoline that executes the displaced instructions and
// jumps back; its implementation is not shown here.
PBYTE HookFunction(PCHAR target, PVOID hook);

void HookSwapFunc()
{
    ...
    PCHAR swapAddr = GetSwapAddr();
    if (swapAddr) GoBackAddr = HookFunction(swapAddr, HookSwap);
    ...
}

The implementation of HookFunction itself is left to the reader; everyone has their own way of writing an inline hook.
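Since the post leaves HookFunction out, here is what that routine has to do, as an added example that is not the post's code: overwrite the return point with a 5-byte `jmp rel32`, copy the displaced instructions into a trampoline, and append a jump back so the trampoline can serve as GoBackAddr. It is written as portable C over a byte buffer standing in for the kernel code page, so it runs on any host. The assumptions are mine, not the post's: 32-bit x86, the caller supplies the instruction lengths at the hook site (a real driver needs a length disassembler for that), displaced instructions must not be EIP-relative, and the site bytes and virtual addresses are constructed for the demo (the post's logged 80404141 is reused only as a number).

```c
/* Added example, not code from the post. Assumptions: 32-bit x86, caller-supplied
 * instruction lengths, no EIP-relative instruction among the displaced ones.
 * Site bytes and addresses below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5     /* E9 rel32 */
#define MAX_DISPLACED 19    /* 5 bytes plus at most one more 15-byte instruction */

typedef struct {
    uint8_t bytes[MAX_DISPLACED + JMP_REL32_LEN];
    size_t  len;        /* bytes used */
    size_t  displaced;  /* original bytes copied from the hook site */
} trampoline_t;

uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* "jmp rel32" at buf (virtual address from_va) to to_va; rel32 is measured
 * from the end of the 5-byte instruction. */
static void emit_jmp_rel32(uint8_t *buf, uint32_t from_va, uint32_t to_va)
{
    buf[0] = 0xE9;
    put_le32(buf + 1, to_va - (from_va + JMP_REL32_LEN));
}

/* Opcodes carrying an EIP-relative displacement cannot be copied verbatim to a
 * trampoline at another address (crude first-byte check, good enough here). */
static int is_eip_relative(const uint8_t *insn)
{
    uint8_t op = insn[0];
    if (op == 0xE8 || op == 0xE9 || op == 0xEB) return 1;           /* call, jmp rel */
    if (op >= 0x70 && op <= 0x7F) return 1;                          /* jcc rel8 */
    if (op >= 0xE0 && op <= 0xE3) return 1;                          /* loop and jecxz */
    if (op == 0x0F && insn[1] >= 0x80 && insn[1] <= 0x8F) return 1;  /* jcc rel32 */
    return 0;
}

/* Overwrite code (virtual address code_va) with a jmp to hook_va. insn_lens are
 * the lengths of the instructions starting at code. Displaced instructions are
 * copied to tr (virtual address tr_va) followed by a jmp back to the first
 * untouched instruction, so tr plays the role of the post's GoBackAddr.
 * Returns 0, or -1 if the site cannot be hooked safely. */
int install_inline_hook(uint8_t *code, uint32_t code_va,
                        const uint8_t *insn_lens, size_t n_insns,
                        uint32_t hook_va, trampoline_t *tr, uint32_t tr_va)
{
    size_t displaced = 0, i;

    for (i = 0; i < n_insns && displaced < JMP_REL32_LEN; i++) {
        if (insn_lens[i] == 0 || insn_lens[i] > 15) return -1;
        if (is_eip_relative(code + displaced)) return -1;
        displaced += insn_lens[i];
    }
    if (displaced < JMP_REL32_LEN || displaced > MAX_DISPLACED) return -1;

    memcpy(tr->bytes, code, displaced);
    emit_jmp_rel32(tr->bytes + displaced, tr_va + (uint32_t)displaced,
                   code_va + (uint32_t)displaced);
    tr->displaced = displaced;
    tr->len = displaced + JMP_REL32_LEN;

    /* In a driver the page must be made writable first (e.g. via an MDL mapping)
     * and the 5-byte store must not race other CPUs; both are omitted here. */
    emit_jmp_rel32(code, code_va, hook_va);
    memset(code + JMP_REL32_LEN, 0x90, displaced - JMP_REL32_LEN);  /* NOP the tail */
    return 0;
}

/* Constructed hook site, NOT the real bytes at 80404141:
 *   8B 45 08  mov eax,[ebp+8]   85 C0  test eax,eax   74 05  jz +5 */
uint8_t demo_site[7] = { 0x8B, 0x45, 0x08, 0x85, 0xC0, 0x74, 0x05 };
static const uint8_t demo_lens[3] = { 3, 2, 2 };
trampoline_t demo_tr;

/* Hook demo_site as if it lived at 80404141, hook stub at F8001000, trampoline at F8002000. */
int demo_run(void)
{
    return install_inline_hook(demo_site, 0x80404141u, demo_lens, 3,
                               0xF8001000u, &demo_tr, 0xF8002000u);
}

/* A site that begins with "call rel32" must be refused, not relocated. */
int demo_reject_call(void)
{
    uint8_t site[6] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0x90 };
    static const uint8_t lens[2] = { 5, 1 };
    trampoline_t tr;
    return install_inline_hook(site, 0x80404141u, lens, 2, 0xF8001000u, &tr, 0xF8002000u);
}

int main(void)
{
    size_t i;
    if (demo_run() != 0) { puts("hook refused"); return 1; }
    printf("site:       "); for (i = 0; i < sizeof demo_site; i++) printf("%02X ", demo_site[i]);
    printf("\ntrampoline: "); for (i = 0; i < demo_tr.len; i++) printf("%02X ", demo_tr.bytes[i]);
    printf("\ncall site refused: %d\n", demo_reject_call() == -1);
    return 0;
}
```

The two rel32 values are the part people get wrong: both are relative to the end of the jmp, so the trampoline's jump back targets code_va plus the displaced length, not code_va. The instruction-length input is what makes the copy safe; the post's real site must be measured with a length disassembler, and if one of the first instructions after `call SwapContext` is itself a branch, the hook point has to be moved or the branch re-encoded.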

Here are some results (DebugView output: the first line is the hook address returned by GetSwapAddr, i.e. the return point inside KiSwapThread; each following line is the KeGetCurrentThread() printed by HookSwap after a context switch):

4.343 Default Swapaddr = 80404141
4.343 Default 813b8c00
4.343 Default Fe995480
4.359 Default 81429660
4.359 Default 81429260
4.359 Default 805E5520
4.359 Default 813e15c0
4.359 Default 8139F500
4.359 Default 8139F260
4.375 Default 805E5520
4.375 Default 812EA140
4.390 Default 805E5520
4.390 Default 8139F500
4.390 Default 8139F260
4.406 Default 805E5520
4.422 Default 805E5520
4.422 Default Fe995480
4.422 Default Fe995480
4.422 Default Fe995480
4.422 Default 8139F500
4.422 Default 8139F260
4.422 Default 813A66E0

Please credit the original address when reposting: https://www.9cbs.com/read-75474.html
