键鼠栈回溯过检测

正常HID键鼠调用堆栈

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
0: kd> k
 # Child-SP          RetAddr               Call Site
00 fffff805`434a2f98 fffff805`486e113a     mouclass!MouseClassServiceCallback
01 fffff805`434a2fa0 fffff805`486c3aa8     vmusbmouse+0x113a			//忽略这个虚拟机鼠标过滤驱动
02 fffff805`434a2fe0 fffff805`40824e6e     mouhid!MouHid_ReadComplete+0x758
03 fffff805`434a3080 fffff805`40824d37     nt!IopfCompleteRequest+0x11e
04 fffff805`434a3170 fffff805`4868aef5     nt!IofCompleteRequest+0x17
05 fffff805`434a31a0 fffff805`4868a7ed     HIDCLASS!HidpDistributeInterruptReport+0x3f5
06 fffff805`434a32a0 fffff805`40824e6e     HIDCLASS!HidpInterruptReadComplete+0x37d
07 fffff805`434a3340 fffff805`40824d37     nt!IopfCompleteRequest+0x11e
08 fffff805`434a3430 fffff805`41cc811a     nt!IofCompleteRequest+0x17
09 (Inline Function) --------`--------     Wdf01000!FxIrp::CompleteRequest+0x13 [minkernel\wdf\framework\shared\inc\private\km\FxIrpKm.hpp @ 75] 
0a fffff805`434a3460 fffff805`41cc5bbf     Wdf01000!FxRequest::CompleteInternal+0x23a [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 869] 
0b (Inline Function) --------`--------     Wdf01000!FxRequest::Complete+0x31 [minkernel\wdf\framework\shared\inc\private\common\FxRequest.hpp @ 805] 
0c fffff805`434a34f0 fffff805`4476cb4d     Wdf01000!imp_WdfRequestComplete+0x8f [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 436] 
0d fffff805`434a3550 fffff805`4476ca11     USBXHCI!Bulk_Transfer_CompleteCancelable+0xc9
0e fffff805`434a35b0 fffff805`4476c800     USBXHCI!Bulk_ProcessTransferEventWithED1+0x1fd
0f fffff805`434a3660 fffff805`44767101     USBXHCI!Bulk_EP_TransferEventHandler+0x10
10 fffff805`434a3690 fffff805`44766c35     USBXHCI!Endpoint_TransferEventHandler+0xb1
11 fffff805`434a36f0 fffff805`4476690c     USBXHCI!Interrupter_DeferredWorkProcessor+0x315
12 fffff805`434a37f0 fffff805`41cc38f6     USBXHCI!Interrupter_WdfEvtInterruptDpc+0xc
13 (Inline Function) --------`--------     Wdf01000!FxInterrupt::DpcHandler+0x6e [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 75] 
14 fffff805`434a3820 fffff805`4083989e     Wdf01000!FxInterrupt::_InterruptDpcThunk+0xa6 [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 410] 
15 fffff805`434a3860 fffff805`40838b84     nt!KiExecuteAllDpcs+0x30e
16 fffff805`434a39d0 fffff805`40a01b3e     nt!KiRetireDpcList+0x1f4
17 fffff805`434a3c60 00000000`00000000     nt!KiIdleLoop+0x9e

0: kd> k
 # Child-SP          RetAddr               Call Site
00 fffffa8f`09075e68 fffff805`486c3aa8     mouclass!MouseClassServiceCallback
01 fffffa8f`09075e70 fffff805`40824e6e     mouhid!MouHid_ReadComplete+0x758
02 fffffa8f`09075f10 fffff805`409fe97f     nt!IopfCompleteRequest+0x11e
03 fffffa8f`09076000 00000000`00000000     nt!NtContinueEx+0x29f

1: kd> k
 # Child-SP          RetAddr               Call Site
00 fffffa8f`08a4be68 fffff805`486c3aa8     mouclass!MouseClassServiceCallback
01 fffffa8f`08a4be70 fffff805`40824e6e     mouhid!MouHid_ReadComplete+0x758
02 fffffa8f`08a4bf10 fffff805`409fe97f     nt!IopfCompleteRequest+0x11e
03 fffffa8f`08a4c000 fffff805`40fb7094     nt!NtContinueEx+0x29f
04 fffffa8f`08a4c140 fffff805`409916db     nt!ExAllocatePoolWithTag+0x64
05 fffffa8f`08a4c190 fffff805`4088a265     nt!HalpHvCounterQueryCounter+0x1b
06 fffffa8f`08a4c1c0 ffffe7e9`24639329     nt!KeQueryPerformanceCounter+0xd5
07 fffffa8f`08a4c1f0 ffffe7e9`24639008     win32kbase!EtwTraceAcquiredExclusiveUserCrit+0x299
08 fffffa8f`08a4c3f0 ffffe7e9`246374ee     win32kbase!EnterCrit+0x1f8
09 fffffa8f`08a4c510 ffffe7e9`249dba1d     win32kbase!ThreadUnlock1+0x6e
0a fffffa8f`08a4c540 ffffe7e9`249354b4     win32kfull!SfnINOUTLPPOINT5+0x31d
0b fffffa8f`08a4c690 ffffe7e9`249350a2     win32kfull!xxxSendMessageToClient+0x114
0c fffffa8f`08a4c750 fffff805`40c09b41     win32kfull!xxxSendTransformableMessageTimeout+0x282
0d fffffa8f`08a4c8a0 fffff805`4081aa60     nt!IopFreeMiniCompletionPacket+0x21
0e fffffa8f`08a4c8d0 fffff805`40c09d1f     nt!IoRemoveIoCompletion+0x1b0
0f fffffa8f`08a4ca00 fffff805`40a0f9b5     nt!NtRemoveIoCompletionEx+0x13f
10 fffffa8f`08a4cb40 80000000`00000000     nt!KiSystemServiceCopyEnd+0x25
11 d8000000`00000000 00000000`00000000     0x80000000`00000000
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
ObjSurface : FFFF928D54037B70
gMouseObject.mouse_device=FFFFA606D8D92C00
gMouseObject.service_callback=FFFFF805444D4BE0
[+] MouHid_ReadComplete:fffff805486c3350
[+] returnAddr:FFFFF805409FE97F
[+] MouCallBackAddr:FFFFF805486C3A72
[+] g_target_routine:FFFFF80540824E5B

0: kd> k
 # Child-SP          RetAddr               Call Site
00 fffffa8f`08ad0e68 fffff805`486c3aa8     mouclass!MouseClassServiceCallback
01 fffffa8f`08ad0e70 fffff805`40824e6e     mouhid!MouHid_ReadComplete+0x758
02 fffffa8f`08ad0f10 fffff805`409fe97f     nt!IopfCompleteRequest+0x11e
03 fffffa8f`08ad1000 270a0bd3`69052a0b     nt!NtContinueEx+0x29f
04 fffffa8f`08ad1140 00f00e05`8c40051b     0x270a0bd3`69052a0b
05 fffffa8f`08ad1148 0706695c`13112443     0x00f00e05`8c40051b
06 fffffa8f`08ad1150 12502e24`052d0528     0x0706695c`13112443
07 fffffa8f`08ad1158 5953352b`aa1efb4e     0x12502e24`052d0528
08 fffffa8f`08ad1160 4d3bee59`4c6e3bee     0x5953352b`aa1efb4e
09 fffffa8f`08ad1168 46634768`2d573a3d     0x4d3bee59`4c6e3bee
0a fffffa8f`08ad1170 655e063f`7e0a2490     0x46634768`2d573a3d
0b fffffa8f`08ad1178 19065706`7d063a06     0x655e063f`7e0a2490
0c fffffa8f`08ad1180 0000f048`1f202478     0x19065706`7d063a06
0d fffffa8f`08ad1188 13097d46`1a19290d     0x0000f048`1f202478
0e fffffa8f`08ad1190 0577304b`3f6ea007     0x13097d46`1a19290d
0f fffffa8f`08ad1198 dd4c090e`40050674     0x0577304b`3f6ea007
10 fffffa8f`08ad11a0 1f052c06`687a6f05     0xdd4c090e`40050674
11 fffffa8f`08ad11a8 19834305`85051a05     0x1f052c06`687a6f05
12 fffffa8f`08ad11b0 39062770`4c053e05     0x19834305`85051a05
13 fffffa8f`08ad11b8 2814394e`88783f7f     0x39062770`4c053e05
14 fffffa8f`08ad11c0 7c1e5258`15061853     0x2814394e`88783f7f
15 fffffa8f`08ad11c8 4a1f00f0`30586946     0x7c1e5258`15061853
16 fffffa8f`08ad11d0 272c177e`10063706     0x4a1f00f0`30586946
17 fffffa8f`08ad11d8 3978362a`1b40162c     0x272c177e`10063706
18 fffffa8f`08ad11e0 053e05e2`7809390f     0x3978362a`1b40162c
19 fffffa8f`08ad11e8 30053e21`5a7b683c     0x053e05e2`7809390f
1a fffffa8f`08ad11f0 05198140`05702f05     0x30053e21`5a7b683c
1b fffffa8f`08ad11f8 51052527`483c053e     0x05198140`05702f05
1c fffffa8f`08ad1200 9419fa19`3c253c2c     0x51052527`483c053e
1d fffffa8f`08ad1208 ee22821a`10fd4f4e     0x9419fa19`3c253c2c
1e fffffa8f`08ad1210 33221c1f`0000f01c     0xee22821a`10fd4f4e
1f fffffa8f`08ad1218 6f374a5b`2d051b09     0x33221c1f`0000f01c
20 fffffa8f`08ad1220 2f062006`6f7c2a06     0x6f374a5b`2d051b09
21 fffffa8f`08ad1228 24051021`bb4c05ca     0x2f062006`6f7c2a06
22 fffffa8f`08ad1230 176318ab`29442f3a     0x24051021`bb4c05ca
23 fffffa8f`08ad1238 051ef706`340587b5     0x176318ab`29442f3a
24 fffffa8f`08ad1240 43062eb1`a2063823     0x051ef706`340587b5
25 fffffa8f`08ad1248 4b360e38`e0195e16     0x43062eb1`a2063823
26 fffffa8f`08ad1250 6d4a0681`00f03f06     0x4b360e38`e0195e16
27 fffffa8f`08ad1258 14820518`401413f8     0x6d4a0681`00f03f06
28 fffffa8f`08ad1260 ad067d05`13051428     0x14820518`401413f8
29 fffffa8f`08ad1268 a75c7e19`f3310f07     0xad067d05`13051428
2a fffffa8f`08ad1270 13181364`4e056e06     0xa75c7e19`f3310f07
2b fffffa8f`08ad1278 48151905`10290a76     0x13181364`4e056e06
2c fffffa8f`08ad1280 812c1a18`a8730a15     0x48151905`10290a76
2d fffffa8f`08ad1288 6419508f`6e494b27     0x812c1a18`a8730a15
2e fffffa8f`08ad1290 06ee0a2d`176400f0     0x6419508f`6e494b27
2f fffffa8f`08ad1298 19fe12f1`58a3101d     0x06ee0a2d`176400f0
30 fffffa8f`08ad12a0 534fa452`dd744e6a     0x19fe12f1`58a3101d
31 fffffa8f`08ad12a8 2a055005`754a0564     0x534fa452`dd744e6a
32 fffffa8f`08ad12b0 241413f6`3615f04e     0x2a055005`754a0564
33 fffffa8f`08ad12b8 f01a183f`1f091e56     0x241413f6`3615f04e
34 fffffa8f`08ad12c0 069bc806`50050000     0xf01a183f`1f091e56
35 fffffa8f`08ad12c8 052a365a`066506d1     0x069bc806`50050000
36 fffffa8f`08ad12d0 ff13fdbc`4818062e     0x052a365a`066506d1
37 fffffa8f`08ad12d8 1af85a1a`1e0e0629     0xff13fdbc`4818062e
38 fffffa8f`08ad12e0 1810f497`433f573e     0x1af85a1a`1e0e0629
39 fffffa8f`08ad12e8 1c0d00f0`060ff795     0x1810f497`433f573e
3a fffffa8f`08ad12f0 1f300590`8836066f     0x1c0d00f0`060ff795
3b fffffa8f`08ad12f8 211b192d`1c051271     0x1f300590`8836066f
3c fffffa8f`08ad1300 131c2005`121a25ee     0x211b192d`1c051271
3d fffffa8f`08ad1308 11742229`1b25ee21     0x131c2005`121a25ee
3e fffffa8f`08ad1310 fffff7d3`c0016b70     0x11742229`1b25ee21
3f fffffa8f`08ad1318 fffff805`409916db     0xfffff7d3`c0016b70
40 fffffa8f`08ad1320 fffff805`4088a265     nt!HalpHvCounterQueryCounter+0x1b
41 fffffa8f`08ad1350 ffffe7e9`24639329     nt!KeQueryPerformanceCounter+0xd5
42 fffffa8f`08ad1380 ffffe7e9`24639008     win32kbase!EtwTraceAcquiredExclusiveUserCrit+0x299
43 fffffa8f`08ad1580 ffffe7e9`24940544     win32kbase!EnterCrit+0x1f8
44 fffffa8f`08ad16a0 ffffe7e9`249354b4     win32kfull!SfnDWORD+0x304
45 fffffa8f`08ad17b0 ffffe7e9`249350a2     win32kfull!xxxSendMessageToClient+0x114
46 fffffa8f`08ad1870 ffffe7e9`24938af0     win32kfull!xxxSendTransformableMessageTimeout+0x282
47 fffffa8f`08ad19c0 ffffe7e9`24943ca8     win32kfull!xxxSendMessage+0x2c
48 fffffa8f`08ad1a20 ffffe7e9`24943c59     win32kfull!SmartObjStackRefBase<tagMENU>::~SmartObjStackRefBase<tagMENU>+0x40
49 fffffa8f`08ad1a50 ffffe7e9`24949774     win32kfull!SmartObjStackRef<tagMENU>::~SmartObjStackRef<tagMENU>+0x9
4a fffffa8f`08ad1a80 00000000`00000000     win32kfull!xxxRealDefWindowProc+0xfc
0: kd> u HalpHvCounterQueryCounter
nt!HalpHvCounterQueryCounter:
fffff805`409916c0 4883ec28        sub     rsp,28h
fffff805`409916c4 488b05f57a9600  mov     rax,qword ptr [nt!HalpHvTimerApi (fffff805`412f91c0)]
fffff805`409916cb 4885c0          test    rax,rax
fffff805`409916ce 0f84e8aa1000    je      nt!HalpHvCounterQueryCounter+0x10aafc (fffff805`40a9c1bc)
fffff805`409916d4 33c9            xor     ecx,ecx
fffff805`409916d6 e895540700      call    nt!guard_dispatch_icall (fffff805`40a06b70)
fffff805`409916db 4883c428        add     rsp,28h
fffff805`409916df c3              ret
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
1: kd> r
rax=fffffa8f066d6820 rbx=ffffa606dd09e000 rcx=ffffa606d8d92c00
rdx=fffffa8f066d6808 rsi=fffffa8f066d6890 rdi=fffffa8f066d6820
rip=fffff8055f162628 rsp=fffffa8f066d67e0 rbp=fffffa8f066d6a60
 r8=fffffa8f066d6820  r9=fffffa8f066d6800 r10=20756f4d64624b65
r11=ffffa606d772a2a0 r12=ffff928d5175e820 r13=ffffffff800029bc
r14=0000000000000000 r15=ffffa606df438a10
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040286
SimpleDriver!KbdMou::SafeSendMouseInput+0x48:
fffff805`5f162628 e8eee9ffff      call    SimpleDriver!AsmCopMouseCall (fffff805`5f16101b)

1: kd> r
rax=fffffa8f066d6820 rbx=ffffa606dd09e000 rcx=ffffa606d8d92c00
rdx=fffffa8f066d6808 rsi=fffffa8f066d6890 rdi=fffffa8f066d6820
rip=fffff8055f16101b rsp=fffffa8f066d67d8 rbp=fffffa8f066d6a60
 r8=fffffa8f066d6820  r9=fffffa8f066d6800 r10=20756f4d64624b65
r11=ffffa606d772a2a0 r12=ffff928d5175e820 r13=ffffffff800029bc
r14=0000000000000000 r15=ffffa606df438a10
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040286
SimpleDriver!AsmCopMouseCall:
fffff805`5f16101b 55              push    rbp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
AsmCopMouseCall PROC
    sub		rsp, 1000h
    mov		rdi, rsp					; DriverExtension

    lea		rax, LABEL_CALLRET
    push	rax
;-----------------------------
    push    rbp
    push    rbx
    push    rsi
    push    rdi
    push    r12
    push    r13
    push    r14
    push    r15
    mov     rbp, rsp
    sub     rsp, 58h
;-----------------------------
    mov		rax, [MouseClassServiceCallback]
    mov		[rdi+0E8h], rax				;
    mov     [rdi+0E0h], rcx				; DeviceObject

    mov		rbx, rdi					; Save rdi
    lea     rdi, [rdi+160h]				; InputDataStart
    mov     rsi, rdx					; pInputData
    mov     ecx, 18h
    rep movs byte ptr [rdi], byte ptr [rsi]		; rep movsb
    mov		rdi, rbx					; Restore rdi

    mov     [rbp-014h], r9				; &Consumed

    mov		rax, cr8
    mov		byte ptr [rbp+50h], al		; bypass IoAllocateErrorLogEntry
    mov		rax, 0
    mov     [rbp+58h], rax				; bypass jump up

    jmp		[MouHid_CopAddress]
    ;-----------------------------
    ;add     rsp, 58h
    ;pop     r15
    ;pop     r14
    ;pop     r13
    ;pop     r12
    ;pop     rdi
    ;pop     rsi
    ;pop     rbx
    ;pop     rbp
    ;ret
LABEL_CALLRET:
    add		rsp, 1000h
    ret
AsmCopMouseCall ENDP
内核
#分页 #汇编 #内核 #驱动 #键鼠
键鼠栈回溯过检测
https://rogxo.github.io/2023/08/10/2023-08-10-键鼠栈回溯过检测/
作者
Rogxo
发布于
2023年8月10日
许可协议
CC BY-NC-SA 4.0