A few days ago I received a bluescreen dump file: run our XX, then run IceSword, and the machine blue-screens every time. Analysis showed the cause to be a bug in IceSword. Because of this bug, running IceSword on a machine with Kaspersky 2010 installed is very likely to blue-screen.
On startup, IceSword checks whether the NtDeviceIoControlFile entry in the SSDT has been hooked and, if so, restores it first. When it writes that SSDT entry back, however, it does not turn off write protection (the CR0.WP bit), so the write triggers an ATTEMPTED_WRITE_TO_READONLY_MEMORY bug check.
The offending code is as follows:
1: kd> u aa44baf7 L20
IsDrv122+0x1af7:
aa44baf7 fa cli
aa44baf8 50 push eax
aa44baf9 0f20c0 mov eax,cr0
aa44bafc 8945fc mov dword ptr [ebp-4],eax
aa44baff 25fffffeff and eax,0FFFEFFFFh
aa44bb04 0f22c0 mov cr0,eax
aa44bb07 58 pop eax
aa44bb08 be641446aa mov esi,offset IsDrv122+0x17464 (aa461464)
aa44bb0d a5 movs dword ptr es:[edi],dword ptr [esi]
aa44bb0e a5 movs dword ptr es:[edi],dword ptr [esi]
aa44bb0f a5 movs dword ptr es:[edi],dword ptr [esi]
aa44bb10 a5 movs dword ptr es:[edi],dword ptr [esi]
aa44bb11 50 push eax
aa44bb12 8b45fc mov eax,dword ptr [ebp-4]
aa44bb15 0f22c0 mov cr0,eax //here the author writes the saved CR0 back, so write protection is on again
aa44bb18 58 pop eax
aa44bb19 fb sti
aa44bb1a ff151ca344aa call dword ptr [IsDrv122+0x31c (aa44a31c)]
aa44bb20 e895feffff call IsDrv122+0x19ba (aa44b9ba) //here the author undoes the NtDeviceIoControlFile hook, after write protection was already re-enabled above
aa44bb25 5f pop edi
aa44bb26 5e pop esi
aa44bb27 5b pop ebx
aa44bb28 c9 leave
aa44bb29 c3 ret
//---------------------------
1: kd> u aa44b9ba L20
IsDrv122+0x19ba:
aa44b9ba 55 push ebp
aa44b9bb 8bec mov ebp,esp
aa44b9bd 51 push ecx
aa44b9be 56 push esi
aa44b9bf 57 push edi
aa44b9c0 6a0f push 0Fh
aa44b9c2 e8a1fd0000 call IsDrv122+0x11768 (aa45b768)
aa44b9c7 8b0d2ca544aa mov ecx,dword ptr [IsDrv122+0x52c (aa44a52c)]
aa44b9cd 8b15f89a47aa mov edx,dword ptr [IsDrv122+0x2faf8 (aa479af8)]
aa44b9d3 c1e002 shl eax,2
aa44b9d6 8b09 mov ecx,dword ptr [ecx]
aa44b9d8 03c8 add ecx,eax
aa44b9da 8b0410 mov eax,dword ptr [eax+edx]
aa44b9dd 3901 cmp dword ptr [ecx],eax
aa44b9df 7408 je IsDrv122+0x19e9 (aa44b9e9)
aa44b9e1 8bd0 mov edx,eax
aa44b9e3 ff1534a544aa call dword ptr [IsDrv122+0x534 (aa44a534)] //calls Exfi386InterlockedExchangeUlong to restore the SSDT entry
aa44b9e9 a1c41446aa mov eax,dword ptr [IsDrv122+0x174c4 (aa4614c4)]
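To make the failure mode concrete, here is a user-mode C model added to this analysis (it is not IceSword code): a page-aligned table stands in for the SSDT, mprotect stands in for CR0.WP, and the buggy restore path (store while the page is still protected, as at IsDrv122+0x19ba) is shown beside the corrected one. All table values, the hook value and the function names are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#define TABLE_ENTRIES 16                   /* constructed stand-in for the SSDT */
static uintptr_t *table;                   /* page-aligned, kept read-only like CR0.WP */
static uintptr_t original[TABLE_ENTRIES];  /* clean values, like IsDrv122+0x2faf8 */
static size_t page_size;
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* enable=0 models "and cr0,~WP"; enable=1 models writing the saved CR0 back. */
static void write_protect(int enable) {
    mprotect(table, page_size, enable ? PROT_READ : PROT_READ | PROT_WRITE);
}
/* Build the table, let a foreign driver "hook" entry 15, then protect the page. */
int setup_table(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    if (posix_memalign((void **)&table, page_size, page_size) != 0) return -1;
    for (unsigned i = 0; i < TABLE_ENTRIES; i++)
        table[i] = original[i] = 0x80500000u + i * 0x10;  /* constructed */
    table[15] = 0xDEADBEEFu;                               /* constructed hook */
    write_protect(1);
    return 0;
}
int is_hooked(unsigned idx) { return table[idx] != original[idx]; }
/* Buggy path: store into the entry while the page is still protected, as IsDrv122+0x19ba
 * does after its caller restored CR0. Returns 0 on success, -1 if the store faulted. */
int restore_entry_buggy(unsigned idx) {
    struct sigaction sa = {0}, old_segv, old_bus;
    volatile int rc = -1;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);  /* some platforms report the fault as SIGBUS */
    if (sigsetjmp(fault_env, 1) == 0) { table[idx] = original[idx]; rc = 0; }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}
/* Corrected path: clear write protection around the store, then restore it. */
int restore_entry_fixed(unsigned idx) {
    write_protect(0);
    table[idx] = original[idx];
    write_protect(1);
    return table[idx] == original[idx] ? 0 : -1;
}
```

In the kernel there is no signal handler to catch the fault: the store in the buggy path is the bug check, and the fix is to clear WP inside the routine that does the write, not only in its caller.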