查看kernelbase.dll的IMAGE_LOAD_CONFIG_DIRECTORY32结构,我看到以下内容:
对于大多数系统 DLL,Reserved1 字段似乎都设置为 0x800。看起来这个字段的存在也会改变 Ldrp 的行为。有没有人知道这个字段是什么,以及它可能的标志值是什么?
好的,我已经弄清楚了。IMAGE_LOAD_CONFIG_DIRECTORY32 中的 Reserved1 字段现在用于控制依赖模块的加载方式。到目前为止,我在系统 DLL 中找到的唯一值是 0x0800。当存在此标志时,只会在系统目录中搜索依赖模块。
如果您对细节感兴趣,请继续阅读。
ModLoad: 4ef80000 4f041000 C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll
eax=00000000 ebx=00800000 ecx=01b6f6c1 edx=0000008c esi=00000000 edi=002e8000
eip=77e6de8c esp=01b6f9c4 ebp=01b6fa20 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtMapViewOfSection+0xc:
// Module $Pcrt4 being mapped
0:003> kbn
# ChildEBP RetAddr Args to Child
00 01b6f9c0 77e324c9 000000d8 ffffffff 0174d040 ntdll!NtMapViewOfSection+0xc // Arg3 - Pointer to DllBase in _LDR_DATA_TABLE_ENTRY (offset 18)
01 01b6fa20 77e3209a 01748590 00000000 0174d040 ntdll!LdrpMapViewOfSection+0x76
02 01b6fa70 77e31fc7 00008020 01b6fa8c 0174bf10 ntdll!LdrpMapImage+0x40
03 01b6fa90 77e2ef85 c0000135 0174d028 0174bf10 ntdll!LdrpMapDllWithSectionHandle+0x20
04 01b6fae8 77e2f21d 77f0eb60 0174bf10 00000000 ntdll!LdrpMapDllNtFileName+0xde
05 01b6fc94 77e31ebf 4a35c2d6 77f0eb60 0174bf30 ntdll!LdrpMapDllSearchPath+0x1e1
06 01b6fce4 77e34d09 01b6feac 01744d78 01746878 ntdll!LdrpProcessWork+0x84
07 01b6fcf4 77e37538 01b6feac 00000000 01744d78 ntdll!LdrpWorkCallback+0x59
08 01b6fde4 77e363b6 01b6feac 01744df0 4a35c1b2 ntdll!TppWorkpExecuteCallback+0x1e8
09 01b6ff80 75ca62c4 01745940 75ca62a0 48108a65 ntdll!TppWorkerThread+0x396
0a 01b6ff94 77e60609 01745940 4a35c1ee 00000000 KERNEL32!BaseThreadInitThunk+0x24
0b 01b6ffdc 77e605d4 ffffffff 77e82516 00000000 ntdll!__RtlUserThreadStart+0x2f
0c 01b6ffec 00000000 77e36020 01745940 00000000 ntdll!_RtlUserThreadStart+0x1b
0:003> !dlls 0x0174d028
0x0174d028: C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll
Base 0x00000000 EntryPoint 0x00000000 Size 0x00000000 DdagNode 0x0174bfa8
Flags 0x00000064 TlsIndex 0x00000000 LoadCount 0x00000001 NodeRefCount 0x00000000
// ldrDataTableEntry before loadConfig was processed
0:003> dt _LDR_DATA_TABLE_ENTRY 0x0174d028
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x77f0ebec - 0x174cda0 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x77f0ebf4 - 0x174cda8 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : (null)
+0x01c EntryPoint : (null)
+0x020 SizeOfImage : 0
+0x024 FullDllName : _UNICODE_STRING "C:\vlh\pplus\builds\2016.09.23\OciVOB\DevInstall_debug\x86\cache\$Pcrt4.dll"
+0x02c BaseDllName : _UNICODE_STRING "$Pcrt4.dll"
+0x034 FlagGroup : [4] "d"
+0x034 Flags : 0x64
+0x034 PackagedBinary : 0y0
+0x034 MarkedForRemoval : 0y0
+0x034 ImageDll : 0y1
+0x034 LoadNotificationsSent : 0y0
+0x034 TelemetryEntryProcessed : 0y0
+0x034 ProcessStaticImport : 0y1
+0x034 InLegacyLists : 0y1
+0x034 InIndexes : 0y0
+0x034 ShimDll : 0y0
+0x034 InExceptionTable : 0y0
+0x034 ReservedFlags1 : 0y00
+0x034 LoadInProgress : 0y0
+0x034 LoadConfigProcessed : 0y0
+0x034 EntryProcessed : 0y0
+0x034 ProtectDelayLoad : 0y0
+0x034 ReservedFlags3 : 0y00
+0x034 DontCallForThreads : 0y0
+0x034 ProcessAttachCalled : 0y0
+0x034 ProcessAttachFailed : 0y0
+0x034 CorDeferredValidate : 0y0
+0x034 CorImage : 0y0
+0x034 DontRelocate : 0y0
+0x034 CorILOnly : 0y0
+0x034 ReservedFlags5 : 0y000
+0x034 Redirected : 0y0
+0x034 ReservedFlags6 : 0y00
+0x034 CompatDatabaseProcessed : 0y0
+0x038 ObsoleteLoadCount : 6
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0x77f0ea68 - 0x77f0ea68 ]
+0x044 TimeDateStamp : 0
+0x048 EntryPointActivationContext : (null)
+0x04c Lock : (null)
+0x050 DdagNode : 0x0174bfa8 _LDR_DDAG_NODE
+0x054 NodeModuleLink : _LIST_ENTRY [ 0x174bfa8 - 0x174bfa8 ]
+0x05c LoadContext : 0x0174bf10 _LDRP_LOAD_CONTEXT
+0x060 ParentDllBase : (null)
+0x064 SwitchBackContext : (null)
+0x068 BaseAddressIndexNode : _RTL_BALANCED_NODE
+0x074 MappingInfoIndexNode : _RTL_BALANCED_NODE
+0x080 OriginalBase : 0
+0x088 LoadTime : _LARGE_INTEGER 0x0
+0x090 BaseNameHashValue : 0xc03583f1
+0x094 LoadReason : 0 ( LoadReasonStaticDependency )
+0x098 ImplicitPathOptions : 0
+0x09c ReferenceCount : 2
+0x0a0 DependentLoadFlags : 0
// loadConfig Processing:
0:003> k
# ChildEBP RetAddr
00 01b6fa4c 77e3260f ntdll!LdrpCfgProcessLoadConfig+0x37
01 01b6fa78 77e31fe3 ntdll!LdrpProcessMappedModule+0x110
02 01b6fa90 77e2ef85 ntdll!LdrpMapDllWithSectionHandle+0x3c
03 01b6fae8 77e2f21d ntdll!LdrpMapDllNtFileName+0xde
04 01b6fc94 77e31ebf ntdll!LdrpMapDllSearchPath+0x1e1
05 01b6fce4 77e34d09 ntdll!LdrpProcessWork+0x84
06 01b6fcf4 77e37538 ntdll!LdrpWorkCallback+0x59
07 01b6fde4 77e363b6 ntdll!TppWorkpExecuteCallback+0x1e8
08 01b6ff80 75ca62c4 ntdll!TppWorkerThread+0x396
09 01b6ff94 77e60609 KERNEL32!BaseThreadInitThunk+0x24
0a 01b6ffdc 77e605d4 ntdll!__RtlUserThreadStart+0x2f
0b 01b6ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
ldrDataTableEntry.DependentLoadFlags = loadConfig.Reserved1;
// LdrpMapDllSearchPath looking at the ldrDataTableEntry.DependentLoadFlags
0:003> k
# ChildEBP RetAddr
00 01b6fc94 77e31ebf ntdll!LdrpMapDllSearchPath+0x259
01 01b6fce4 77e34d09 ntdll!LdrpProcessWork+0x84
02 01b6fcf4 77e37538 ntdll!LdrpWorkCallback+0x59
03 01b6fde4 77e363b6 ntdll!TppWorkpExecuteCallback+0x1e8
04 01b6ff80 75ca62c4 ntdll!TppWorkerThread+0x396
05 01b6ff94 77e60609 KERNEL32!BaseThreadInitThunk+0x24
06 01b6ffdc 77e605d4 ntdll!__RtlUserThreadStart+0x2f
07 01b6ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
// LdrpMapDllSearchPath (ntdll, x86) -- excerpt from a WinDbg disassembly, not a
// complete function: only the two fragments that consult
// _LDR_DATA_TABLE_ENTRY.DependentLoadFlags (+0x0a0) are shown, "// ..." marks
// omitted code. DependentLoadFlags is the value LdrpCfgProcessLoadConfig copied
// from the load config's Reserved1 word (see the pseudo-statement above).
// The only value seen in system DLLs, 0x800, equals LOAD_LIBRARY_SEARCH_SYSTEM32,
// which agrees with the observed effect (dependents looked up only in the system
// directory); reading the field as a LoadLibraryEx search-flag set is an inference
// to confirm. Restricting where a module's static imports are resolved narrows
// the DLL search order that search-order hijacking relies on.
// Register roles in this excerpt: ecx = ldrDataTableEntry at the first fragment,
// edx = DependentLoadFlags, ebx = a loader context whose layout is not visible here.
LdrpMapDllSearchPath()
{
77e2f28f 8b91a0000000 mov edx,dword ptr [ecx+0A0h] // edx = ldrDataTableEntry.DependentLoadFlags;
77e2f295 85d2 test edx,edx // if(edx == 0) {   -- no flags: use the default search path
77e2f297 7520 jne ntdll!LdrpMapDllSearchPath+0x27d (77e2f2b9) // flags present: build a restricted path (else branch below)
77e2f299 e90afeffff jmp ntdll!LdrpMapDllSearchPath+0x6c (77e2f0a8)
-----------------------------------------------------------------------------------------------------------------------------------
77e2f0a8 6a50 push 50h // memset(pathConfig, 0, sizeof(pathConfig)); -- size 0x50; edx, the fill value, is 0 on this path
77e2f0aa 52 push edx
77e2f0ab 8d842450010000 lea eax,[esp+150h] // pathConfig is a stack buffer (same slot the else branch hands to LdrpInitializeDllPath, by the offsets)
77e2f0b2 50 push eax
77e2f0b3 e8d84e0400 call ntdll!memset (77e73f90)
77e2f0b8 83a4246001000000 and dword ptr [esp+160h],0 // zero two further stack slots
77e2f0c0 83c40c add esp,0Ch // pop memset's three cdecl arguments
77e2f0c3 83a4245801000000 and dword ptr [esp+158h],0
77e2f0cb 8b4b08 mov ecx,dword ptr [ebx+8] // default path: ecx = [ebx+8] (what ebx holds is not visible in this dump)
// L1:  common tail. Reached with ecx = [ebx+8] (DependentLoadFlags == 0) or ecx = &pathConfig filled by LdrpInitializeDllPath (flags != 0)
77e2f0ce 894c2424 mov dword ptr [esp+24h],ecx // save the chosen search path
77e2f0d2 0fb6430c movzx eax,byte ptr [ebx+0Ch]
77e2f0d6 8d54241c lea edx,[esp+1Ch] // the next six pushes are addresses of stack out-parameters
77e2f0da 52 push edx
77e2f0db 8d542413 lea edx,[esp+13h]
77e2f0df c1e803 shr eax,3 // eax = bit 3 of byte [ebx+0Ch], i.e. 0 or 1 after the and below
77e2f0e2 52 push edx
77e2f0e3 8d542418 lea edx,[esp+18h]
77e2f0e7 83e001 and eax,1
77e2f0ea 52 push edx
77e2f0eb 8d542434 lea edx,[esp+34h]
77e2f0ef 52 push edx
77e2f0f0 8d542450 lea edx,[esp+50h]
77e2f0f4 52 push edx
77e2f0f5 8d54244c lea edx,[esp+4Ch]
77e2f0f9 52 push edx
77e2f0fa 8bd1 mov edx,ecx // register arguments: edx = search path chosen above, ecx = ebx
77e2f0fc 8bcb mov ecx,ebx
77e2f0fe 50 push eax // seventh stack argument: the extracted bit
77e2f0ff e818100000 call ntdll!LdrpSearchPath (77e3011c) // LdrpSearchPath(...);
77e2f104 807c240f00 cmp byte ptr [esp+0Fh],0 // presumably one of the byte out-parameters above -- confirm which
77e2f109 8bf8 mov edi,eax // edi = LdrpSearchPath result
77e2f10b 0f85b9ae0500 jne ntdll!LdrpMapDllSearchPath+0x5af8e (77e89fca)
// ...
// }
-----------------------------------------------------------------------------------------------------------------------------------
// else {   -- DependentLoadFlags != 0: derive a restricted search path from the flags
77e2f2b9 8b4928 mov ecx,dword ptr [ecx+28h] // ecx = ldrDataTableEntry.FullDllName.Buffer (FullDllName at +0x24, UNICODE_STRING.Buffer at +4)
77e2f2bc 8d842448010000 lea eax,[esp+148h]
77e2f2c3 50 push eax // &pathConfig, the stack buffer that receives the path
77e2f2c4 83ca01 or edx,1 // dependentLoadFlags |= 1;  (meaning of bit 0 to LdrpInitializeDllPath not visible here)
77e2f2c7 e895090100 call ntdll!LdrpInitializeDllPath (77e3fc61) // LdrpInitializeDllPath(FullDllName.Buffer, dependentLoadFlags | 1, &pathConfig);
77e2f2cc 8d8c2448010000 lea ecx,[esp+148h] // ecx = &pathConfig, stored at [esp+24h] by L1
77e2f2d3 e9f6fdffff jmp ntdll!LdrpMapDllSearchPath+0x92 (77e2f0ce) // goto L1;
// }
------------------------------------------------------------------------------------------------------------------------------------
}