
Road to Security -- WH_KEYBOARD and WH_KEYBOARD_LL keyboard hooks as seen on the call stack

Author: Internet

kd> kv
#  ChildEBP RetAddr  Args to Child
00 0012fe4c 77d31923 00000000 00000100 0012fec4 Test!LowLevelKbHookRoutine (FPO: [3,0,0])
01 0012fe80 77d58d78 000d0000 00000100 0012fec4 USER32!DispatchHookA+0x101 (FPO: [Non-Fpo])
02 0012fea4 7c92e453 0012feb4 00000024 000d0000 USER32!__fnHkINLPKBDLLHOOKSTRUCT+0x24 (FPO: [Non-Fpo])
03 0012fea4 80500690 0012feb4 00000024 000d0000 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
04 b2862ac8 8059806d b2862b78 b2862b74 b2862b70 nt!KiCallUserMode+0x4 (FPO: [2,3,4])
05 b2862b24 bf92b13a 0000002d b2862b4c 00000024 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
06 b2862b98 bf8522f2 000d0000 00000100 b2862c74 win32k!fnHkINLPKBDLLHOOKSTRUCT+0x52 (FPO: [Non-Fpo])
07 b2862bd0 bf83c702 00401000 00000000 00000100 win32k!xxxHkCallHook+0x396 (FPO: [Non-Fpo])
08 b2862c48 bf841ae4 316b17e8 00000000 00000100 win32k!xxxCallHook2+0x25d (FPO: [Non-Fpo])
09 b2862cb0 bf801eda e187eeb0 b2862d64 0012fef0 win32k!xxxReceiveMessage+0x1ba (FPO: [Non-Fpo])
0a b2862cec bf819e6c b2862d18 000020c8 00000012 win32k!xxxRealInternalGetMessage+0x1d7 (FPO: [Non-Fpo])
0b b2862d4c 8053e638 0012ff18 00000000 00000012 win32k!NtUserGetMessage+0x27 (FPO: [Non-Fpo])
0c b2862d4c 7c92e4f4 0012ff18 00000000 00000012 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2862d64)
0d 0012fea4 7c92e453 0012feb4 00000024 000d0000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0e 0012fed4 77d191be 77d2776b 0012ff18 00000000 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
0f 0012fefc 00401117 0012ff18 00000000 00000012 USER32!NtUserGetMessage+0xc
10 0012ff30 004012ba 00400000 00000000 00152348 Test!WinMain+0x47 (FPO: [4,7,0])
11 0012ffc0 7c817067 0007d868 7c92d950 7ffdc000 Test!__tmainCRTStartup+0x113 (FPO: [Non-Fpo])
12 0012fff0 00000000 00401325 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> kvn
# ChildEBP  RetAddr  Args to Child
00 b28e2760 bf8b18db 00000042 b28e27cc 00000090 nt!KeUserModeCallback (FPO: [Non-Fpo])
01 b28e29e8 bf8b19e6 b28e2a04 00000000 00000000 win32k!ClientLoadLibrary+0xb2 (FPO: [Non-Fpo])
02 b28e2c18 bf83c87e 00000003 e1c65d20 b28e2d14 win32k!xxxLoadHmodIndex+0x86 (FPO: [Non-Fpo])
03 b28e2c84 bf83c8d5 036cbeb0 00000000 00000001 win32k!xxxCallHook2+0x19b (FPO: [Non-Fpo])
04 b28e2ca0 bf801ad6 00000000 00000001 00000002 win32k!xxxCallHook+0x26 (FPO: [Non-Fpo])
05 b28e2ce8 bf8036ec b28e2d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x264 (FPO: [Non-Fpo])
06 b28e2d48 8053e638 0007fde8 00000000 00000000 win32k!NtUserPeekMessage+0x40 (FPO: [Non-Fpo])
07 b28e2d48 7c92e4f4 0007fde8 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28e2d64)
08 0007fce0 77d193e9 77d193a8 0007fde8 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
09 0007fd0c 77d2a43b 0007fde8 00000000 00000000 USER32!NtUserPeekMessage+0xc
0a 0007fd38 00402702 0007fde8 00000000 00000000 USER32!PeekMessageA+0xeb (FPO: [Non-Fpo])
0b 0007ff1c 00402fa9 00400000 00000000 000a2331 ctfmon!WinMain+0x1ec (FPO: [Non-Fpo])
0c 0007ffc0 7c817067 00340032 00390030 7ffd7000 ctfmon!WinMainCRTStartup+0x174 (FPO: [Non-Fpo])
0d 0007fff0 00000000 00402e35 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

kd> db b28e27cc L 100
b28e27cc 90 00 00 00 68 00 00 00-01 00 00 00 5c 28 8e b2 ....h.......\(..
b28e27dc 24 00 00 00 00 00 00 00-66 00 68 00 28 00 00 00 $.......f.h.(...
b28e27ec 00 00 00 00 1c 00 00 00-43 00 3a 00 5c 00 44 00 ........C.:.\.D.
b28e27fc 6f 00 63 00 75 00 6d 00-65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s.
b28e280c 20 00 61 00 6e 00 64 00-20 00 53 00 65 00 74 00 .a.n.d. .S.e.t.
b28e281c 74 00 69 00 6e 00 67 00-73 00 5c 00 41 00 64 00 t.i.n.g.s.\.A.d.
b28e282c 6d 00 69 00 6e 00 69 00-73 00 74 00 72 00 61 00 m.i.n.i.s.t.r.a.
b28e283c 74 00 6f 00 72 00 5c 00-4c 68 62 97 5c 00 54 00 t.o.r.\.Lhb.\.T.
b28e284c 65 00 73 00 74 00 2e 00-64 00 6c 00 6c 00 00 00 e.s.t...d.l.l...
b28e285c 78 28 8e b2 02 00 00 00-02 00 00 00 00 21 01 00 x(...........!..
b28e286c 88 28 8e b2 fc b2 7d f8-02 00 00 00 02 00 fb 81 .(....}.........
b28e287c 02 00 fb 81 a0 4d 1e 82-cc ab 7d f8 84 20 00 00 .....M....}.. ..
b28e288c a0 4d 1e 82 d5 a4 7d f8-70 a4 c6 81 50 34 0f 82 .M....}.p...P4..
b28e289c bc 28 8e b2 7c 59 2a f8-48 a4 c6 81 00 00 00 00 .(..|Y*.H.......
b28e28ac 98 8c 01 82 78 a4 c6 81-9c 3d 01 82 07 ff ff 01 ....x....=......
b28e28bc 00 00 00 00 2e 00 00 00-1c 29 8e b2 00 00 00 00 .........)......
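The two traces show the two delivery paths: in the first, the WH_KEYBOARD_LL routine (Test!LowLevelKbHookRoutine) runs on the installing thread, reached from win32k!fnHkINLPKBDLLHOOKSTRUCT through KeUserModeCallback and USER32!DispatchHookA while that thread sits in GetMessage; in the second, a WH_KEYBOARD hook makes win32k load the hook DLL into another process (ctfmon) via win32k!ClientLoadLibrary, again through KeUserModeCallback. Frame 00 of the second trace passes b28e27cc with InputLength 0x90, and that is the buffer dumped with `db b28e27cc L 100`. The script below is an added example, not code from the post: it re-parses that `db` output, trims it to 0x90 bytes, and recovers the module path that the callback asks the target process to load. The layout it relies on (a header of ULONGs, then a self-relative UNICODE_STRING at +0x18 whose Buffer field is an offset into the same buffer) is inferred from the dump itself; the structure name is not given by the post, so the scanner treats the UNICODE_STRING location as a heuristic rather than a documented field. The name `INPUT_LENGTH` and the helper functions are mine.

```python
# Added example (not from the original post): recover the hook DLL path from the
# KeUserModeCallback input buffer that the second trace dumps with `db b28e27cc L 100`.
import re
import struct

# Constructed input: the first ten lines of the post's `db` output, copied verbatim.
DB_OUTPUT = r"""
b28e27cc 90 00 00 00 68 00 00 00-01 00 00 00 5c 28 8e b2 ....h.......\(..
b28e27dc 24 00 00 00 00 00 00 00-66 00 68 00 28 00 00 00 $.......f.h.(...
b28e27ec 00 00 00 00 1c 00 00 00-43 00 3a 00 5c 00 44 00 ........C.:.\.D.
b28e27fc 6f 00 63 00 75 00 6d 00-65 00 6e 00 74 00 73 00 o.c.u.m.e.n.t.s.
b28e280c 20 00 61 00 6e 00 64 00-20 00 53 00 65 00 74 00 .a.n.d. .S.e.t.
b28e281c 74 00 69 00 6e 00 67 00-73 00 5c 00 41 00 64 00 t.i.n.g.s.\.A.d.
b28e282c 6d 00 69 00 6e 00 69 00-73 00 74 00 72 00 61 00 m.i.n.i.s.t.r.a.
b28e283c 74 00 6f 00 72 00 5c 00-4c 68 62 97 5c 00 54 00 t.o.r.\.Lhb.\.T.
b28e284c 65 00 73 00 74 00 2e 00-64 00 6c 00 6c 00 00 00 e.s.t...d.l.l...
b28e285c 78 28 8e b2 02 00 00 00-02 00 00 00 00 21 01 00 x(...........!..
"""

# InputLength handed to nt!KeUserModeCallback in frame 00 of the kvn trace
# (args: 00000042 b28e27cc 00000090). Name chosen here, not from the post.
INPUT_LENGTH = 0x90

# One `db` line: 8 hex address digits, then 16 bytes separated by ' ' or '-'.
DB_LINE = re.compile(r"^([0-9a-f]{8}) ((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")


def parse_db(text):
    """Turn WinDbg `db` output into (base_address, bytes), checking contiguity."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = DB_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr != base + len(data):
            raise ValueError(f"non-contiguous dump line at {addr:08x}")
        data += bytes.fromhex(m.group(2).replace("-", " "))
    return base, bytes(data)


def find_self_relative_unicode_strings(buf):
    """Scan a callback buffer for UNICODE_STRING-shaped triples (Length,
    MaximumLength, offset) whose offset points at printable, NUL-terminated
    UTF-16 text inside the same buffer. Heuristic: the layout is inferred from
    the dump, not taken from a documented structure definition."""
    hits = []
    for off in range(0, len(buf) - 8 + 1, 4):
        length, max_len, rel = struct.unpack_from("<HHI", buf, off)
        if length == 0 or length % 2 or max_len < length:
            continue
        if rel < 8 or rel % 2 or rel + max_len > len(buf):
            continue
        try:
            text = buf[rel:rel + length].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if not text.isprintable():
            continue
        # When MaximumLength leaves room, expect the terminating NUL to be there.
        if max_len >= length + 2 and buf[rel + length:rel + length + 2] != b"\0\0":
            continue
        hits.append((off, text))
    return hits


def decode_load_library_callback(text, input_length):
    """Trim the dump to InputLength, read the leading size word and list every
    embedded path. The size word at +0 should equal InputLength."""
    base, data = parse_db(text)
    buf = data[:input_length]
    size = struct.unpack_from("<I", buf, 0)[0]
    return {
        "base": base,
        "size": size,
        "size_matches_input_length": size == input_length,
        "strings": find_self_relative_unicode_strings(buf),
    }


if __name__ == "__main__":
    info = decode_load_library_callback(DB_OUTPUT, INPUT_LENGTH)
    print(f"buffer @ {info['base']:08x}, size field 0x{info['size']:x}")
    for off, s in info["strings"]:
        print(f"  UNICODE_STRING at +0x{off:x}: {s}")
```

Run against the dump above it reports a single string at +0x18 with Length 0x66 and Buffer offset 0x28: the path of the hook DLL that ctfmon is being told to load. For incident triage this is the value to pull out of such a callback buffer, since a global WH_KEYBOARD hook ends up loading that module into every process that receives keyboard messages, whereas the WH_KEYBOARD_LL path in the first trace never loads anything into other processes.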


Source: https://www.cnblogs.com/PeterZ1997/p/16115139.html