{"id":740,"date":"2022-10-12T14:10:24","date_gmt":"2022-10-12T06:10:24","guid":{"rendered":"http:\/\/www.aqwu.net\/wp\/?p=740"},"modified":"2022-10-12T14:10:24","modified_gmt":"2022-10-12T06:10:24","slug":"ppldump-%e7%9a%84%e7%bb%88%e7%bb%93","status":"publish","type":"post","link":"https:\/\/www.aqwu.net\/wp\/?p=740","title":{"rendered":"PPLdump \u7684\u7ec8\u7ed3"},"content":{"rendered":"\n

\u524d\u51e0\u5929\uff0c GitHub \u4e0a\u7684PPLdump\u51fa\u73b0\u4e86\u4e00\u4e2a<\/a>issue<\/a>\uff0c\u6307\u51fa\u5b83\u4e0d\u518d\u9002\u7528\u4e8e Windows 10 21H2 Build 19044.1826\u3002\u8d77\u521d\u6211\u6301\u6000\u7591\u6001\u5ea6\uff0c\u6240\u4ee5\u6211\u542f\u52a8\u4e86\u4e00\u4e2a\u65b0\u7684\u865a\u62df\u673a\u5e76\u5f00\u59cb\u8c03\u67e5\u3002\u8fd9\u662f\u6211\u53d1\u73b0\u7684\u2026\u2026<\/p>\n\n\n\n

\u539f\u6587\u94fe\u63a5\uff1ahttps:\/\/itm4n.github.io\/the-end-of-ppldump\/<\/p>\n\n\n\n

\u7b80\u800c\u8a00\u4e4b PPLdump<\/a><\/h2>\n\n\n\n

\u5982\u679c\u60a8\u6b63\u5728\u9605\u8bfb\u672c\u6587\uff0c\u6211\u4f1a\u5047\u8bbe\u60a8\u5df2\u7ecf\u77e5\u9053 PPLdump \u662f\u4ec0\u4e48\u4ee5\u53ca\u5b83\u7684\u4f5c\u7528\u3002\u4f46\u4ee5\u9632\u4e07\u4e00\uff0c\u8fd9\u91cc\u6709\u4e00\u4e2a\u975e\u5e38\u7b80\u77ed\u7684\u603b\u7ed3\u3002<\/p>\n\n\n\n

PPLdump<\/a>\u662f\u4e00\u4e2a\u7528 C\/C++ \u7f16\u5199\u7684\u5de5\u5177\uff0c\u5b83\u5b9e\u73b0\u4e86\u4e00\u4e2a\u7528\u6237\u6001\u6f0f\u6d1e\u5229\u7528\uff0c\u4ee5\u7ba1\u7406\u5458\u8eab\u4efd\u5c06\u4efb\u610f\u4ee3\u7801\u6ce8\u5165 PPL\u3002\u8fd9\u9879\u6280\u672f\u662f Alex Ionescu \u548c James Forshaw \u5bf9\u53d7\u4fdd\u62a4\u8fdb\u7a0b\uff08PPs \u548c PPLs\uff09\u8fdb\u884c\u7684\u6df1\u5165\u7814\u7a76\u7684\u4f17\u591a\u53d1\u73b0\u4e4b\u4e00\u3002<\/p>\n\n\n\n

\u63d0\u9192\u4e00\u4e0b\uff0c\u5b83\u7684\u5de5\u4f5c\u539f\u7406\u662f\u8fd9\u6837\u7684\uff1a<\/p>\n\n\n\n

  1. \u8c03\u7528APIDefineDosDevice<\/code>\u4ee5\u8bf1\u4f7f CSRSS \u670d\u52a1\u521b\u5efa\\KnownDlls<\/code>\u6307\u5411\u4efb\u610f\u4f4d\u7f6e\u7684\u7b26\u53f7\u94fe\u63a5\u3002<\/li>
  2. \u521b\u5efa\u4e00\u4e2a\u65b0\u7684 Section \u5bf9\u8c61\uff08\u7531\u524d\u9762\u7684\u7b26\u53f7\u94fe\u63a5\u6307\u5411\uff09\u6765\u6258\u7ba1\u5305\u542b\u6211\u4eec\u8981\u6ce8\u5165\u7684\u4ee3\u7801\u7684\u81ea\u5b9a\u4e49 DLL \u7684\u5185\u5bb9\u3002<\/li>
  3. \u7531\u4f5c\u4e3a PPL \u8fd0\u884c\u7684\u53ef\u6267\u884c\u6587\u4ef6\u5bfc\u5165\u7684 DLL \u88ab\u52ab\u6301\uff0c\u6211\u4eec\u7684\u4ee3\u7801\u88ab\u6267\u884c\u3002<\/li><\/ol>\n\n\n\n

    \u8fd9\u91cc\u8981\u8bb0\u4f4f\u7684\u6700\u91cd\u8981\u7684\u4e8b\u60c5\u662f\uff0c\u6574\u4e2a\u6f0f\u6d1e\u5229\u7528\u4f9d\u8d56\u4e8e PPL \u4e2d\u5b58\u5728<\/em>\u4f46\u4e0d\u5b58\u5728\u4e8e PP \u4e2d\u7684\u5f31\u70b9\u3002\u5b9e\u9645\u4e0a\uff0cPPL \u53ef\u4ee5\u4ece\\KnownDlls<\/code>\u76ee\u5f55<\/em>\u52a0\u8f7d DLL \uff0c\u800c PP \u603b\u662f\u4ece\u78c1\u76d8\u52a0\u8f7d DLL\u3002\u8fd9\u662f\u4e00\u4e2a\u5173\u952e\u7684\u533a\u522b\uff0c\u56e0\u4e3a\u53ea\u6709\u5728\u6700\u521d\u4ece\u78c1\u76d8\u8bfb\u53d6 DLL \u4ee5\u521b\u5efa\u65b0\u7684 Section \u5bf9\u8c61\u65f6\u624d\u4f1a\u68c0\u67e5 DLL \u7684\u6570\u5b57\u7b7e\u540d\u3002\u6620\u5c04\u5230Process\u7684\u865a\u62df\u5730\u5740\u7a7a\u95f4\u65f6\uff0c\u4e8b\u540e\u4e0d\u68c0\u67e5\u3002<\/p>\n\n\n\n

    \u6784\u5efa 19044.1826 \u53d1\u751f\u4e86\u4ec0\u4e48\uff1f<\/a><\/h2>\n\n\n\n

    PPLdump \u7684\u8c03\u8bd5\u8f93\u51fa\u5df2\u5728 GitHub\u95ee\u9898<\/a>\u4e2d\u63d0\u4f9b\uff0c\u4f46\u6211\u5728\u5e26\u6709 2022 \u5e74 7 \u6708\u66f4\u65b0\u5305\uff08Windows 10 21H2 Build 19044.1826\uff09\u7684 Windows 10 VM \u4e2d\u590d\u5236\u4e86\u5b83\u3002<\/p>\n\n\n\n

    c:\\Temp\\PPLdump.exe -d lsass lsass.dmp\n[lab-admin] [*] Found a process with name 'lsass' and PID 740\n[DEBUG][lab-admin] Check requirements\n[DEBUG][lab-admin] Target process protection level: 4 - PsProtectedSignerLsa-Light\n[lab-admin] [*] Requirements OK\n[...]\n '\\KernelObjects\\EventAggregation.dll'\n[lab-admin] [*] DefineDosDevice OK\n[...]\n[DEBUG][SYSTEM] Check whether the symbolic link was really created in '\\KnownDlls\\'\n '\\KernelObjects\\EventAggregation.dll'\n[...]\n[DEBUG][SYSTEM] Create protected process with command line: C:\\WINDOWS\\system32\\services.exe 740 \"lsass.dmp\" 2f2e0a5f-40d4-4034-ba27-81498c6869b -d\n[SYSTEM] [*] Started protected process, waiting...\n[DEBUG][SYSTEM] Unmap section '\\KernelObjects\\EventAggregation.dll'...\n[DEBUG][SYSTEM] Process exit code: 0\n[-] The DLL was not loaded. :\/<\/code><\/pre>\n\n\n\n
    \u603b\u7684\u6765\u8bf4\uff0c\u8f93\u51fa\u770b\u8d77\u6765\u76f8\u5f53\u4e0d\u9519\uff0c\u7b26\u53f7\u94fe\u63a5\u88ab\u6b63\u786e\u521b\u5efa\uff0c\\KnownDlls<\/code>\u6240\u4ee5\u4e4d\u4e00\u770b\uff0c\u8fd9\u4e2aDefineDosDevice<\/code>\u6280\u5de7\u4ecd\u7136\u53ef\u4ee5\u6b63\u5e38\u5de5\u4f5c\u3002\u8fd9\u53ef\u4ee5\u901a\u8fc7 WinObj \u8f7b\u677e\u786e\u8ba4\uff0c\u56e0\u4e3a\u5982\u679c\u4e0d\u80fd\u5728\u201cWindows TCB\u201d\u7ea7\u522b\u6267\u884c PPL \u4e2d\u7684\u4ee3\u7801\uff0c\u5c31\u65e0\u6cd5\u5220\u9664\u7b26\u53f7\u94fe\u63a5\u3002<\/p>\n\n\n\n
    \"WinObj<\/a><\/figure>\n\n\n\n
    \u7136\u540e\u4f7f\u7528\u6211\u4eec\u81ea\u5b9a\u4e49 DLL \u7684\u5185\u5bb9\u521b\u5efa\u4e00\u4e2a\u65b0\u90e8\u5206\uff0c\u4f46\u8be5\u5de5\u5177[-] The DLL was not loaded.<\/code>\u5728\u5c1d\u8bd5\u52ab\u6301\u540e\u6700\u7ec8\u5931\u8d25\u5e76\u51fa\u73b0\u9519\u8bef\uff0c\u8be5\u9519\u8befEventAggregation.dll<\/code>\u901a\u5e38\u7531services.exe<\/code>.<\/p>\n\n\n\n
    \u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u663e\u800c\u6613\u89c1\u7684\u505a\u6cd5\u662f\u542f\u52a8 Process Monitor\uff0c\u770b\u770b\u6211\u4eec\u662f\u5426\u80fd\u53d1\u73b0\u4efb\u4f55\u770b\u8d77\u6765\u4e0d\u6b63\u786e\u7684\u5730\u65b9\u3002<\/p>\n\n\n\n
    \"\u4f7f\u7528\u8fdb\u7a0b\u76d1\u89c6\u5668\u8fdb\u884c<\/a><\/figure>\n\n\n\n
    \u4ece\u6700\u521d\u7684\u4e8b\u4ef6\u4e2d\uff0c\u6211\u4eec\u5df2\u7ecf\u53ef\u4ee5\u770b\u5230\u67d0\u4e9b\u4e8b\u60c5\u5e76\u6ca1\u6709\u6309\u8ba1\u5212\u8fdb\u884c\u3002\u7531\u4e8eservices.exe<\/code>\u4f5c\u4e3a PPL \u6267\u884c\uff0c\u6211\u4eec\u4e0d\u5e94\u8be5\u5728 DLL \u4e0a\u770b\u5230\u4efb\u4f55\u6587\u4ef6\u64cd\u4f5c\uff08\u4f8b\u5982<\/em> CreateFile<\/code>\u6216CreateFileMapping<\/code>\uff09kernel32.dll<\/code>\uff0cKernelBase.dll<\/code>\u56e0\u4e3a\u8fd9\u4e9b\u662f\u5df2\u77e5\u7684 DLL<\/strong>\u3002\u76f8\u53cd\uff0c\u5b83\u4eec\u5e94\u8be5\u76f4\u63a5\u4ece\u5404\u81ea\u7684\u90e8\u5206\\KnownDlls\\kernel32.dll<\/code>\u548c\\KnownDlls\\kernelbase.dll<\/code>.<\/p>\n\n\n\n
    \u7ed3\u8bba\u662f PPL \u73b0\u5728\u770b\u8d77\u6765\u5c31\u50cf PP \u4e00\u6837\uff0c\u56e0\u6b64\u4e0d\u518d\u4f9d\u8d56\u4e8eKnown DLL<\/em>\u3002<\/p>\n\n\n\n
    NTDLL \u4e2d\u7684\u8865\u4e01\uff1f<\/a><\/h2>\n\n\n\n
    PPL \u6d41\u7a0b\u7684\u521b\u5efa\u65b9\u5f0f\u663e\u7136\u53d1\u751f\u4e86\u4e00\u4e9b\u53d8\u5316\u3002\u6211\u5df2\u7ecf\u77e5\u9053\u53bb\u54ea\u91cc\u770b\uff0c\u4f46\u4e3a\u4e86\u8fd9\u7bc7\u6587\u7ae0\uff0c\u6211\u5c06\u901a\u8fc7\u4e8c\u8fdb\u5236\u5dee\u5f02\u4ee5\u6b63\u786e\u7684\u65b9\u5f0f\u505a\u5230\u8fd9\u4e00\u70b9\u3002<\/p>\n\n\n\n
    \u6211\u9996\u5148\u5728 Winbindex \u4e0a\u83b7\u5f97\u4e86 Windows 10 21H2 \u7684\u6700\u540e\u4e24\u4e2a\u7248\u672c\uff0c\u5e76<\/a>ntdll.dll<\/code>\u4f7f\u7528Windows SDK\u4e0b\u8f7d\u4e86\u516c\u5171\u7b26\u53f7\u3002<\/a>symchk.exe<\/code><\/p>\n\n\n\n
    \"\u8981\u6bd4\u8f83\u7684<\/a><\/figure>\n\n\n\n
    \"C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\symchk.exe\" \/s srv*C:\\symbols*https:\/\/msdl.microsoft.com\/download\/symbols C:\\Temp\\ntdll_*.dll\n\nSYMCHK: FAILED files = 0\nSYMCHK: PASSED + IGNORED files = 2<\/code><\/pre>\n\n\n\n
    \u5728\u52a0\u8f7d\u6587\u4ef6\u5e76\u5206\u6790\u5b83\u4eec\u4e4b\u540e\uff0c\u6211\u53ea\u662f\u4f7f\u7528 Ghidra \u7684BinDiff \u6269\u5c55\u6765<\/a>\u4ee5\u9002\u5f53\u7684\u683c\u5f0f\u5bfc\u51fa\u7ed3\u679c\u3002<\/p>\n\n\n\n
    \"Ghidra<\/a><\/figure>\n\n\n\n
    \u7136\u540e\u53ef\u4ee5\u5c06\u4e24\u4e2a\u201cBinExport\u201d\u6587\u4ef6\u5bfc\u5165 BinDiff \u4ee5\u6bd4\u8f83\u4e24\u4e2a\u7248\u672c\u7684ntdll.dll<\/code>. \u901a\u8fc7\u201c\u76f8\u4f3c\u5ea6\u201d\u5bf9\u51fd\u6570\u8fdb\u884c\u6392\u5e8f\uff0c\u6211\u4eec\u53ef\u4ee5\u7acb\u5373\u770b\u5230 7 \u4e2a\u51fd\u6570\u6709\u4e00\u4e9b\u7ec6\u5fae\u7684\u5dee\u5f02\uff0c\u4f46\u5176\u4e2d\u4e00\u4e2a\u975e\u5e38\u7a81\u51fa\uff1aLdrpInitializeProcess<\/code>. \u8fd9\u6b63\u662f\u6211\u671f\u671b\u627e\u5230\u4e00\u4e9b\u53d8\u5316\u7684\u5730\u65b9\u3002<\/p>\n\n\n\n
    \"BinDiff<\/a><\/figure>\n\n\n\n
    \u6211\u4eec\u8fd8\u53ef\u4ee5\u770b\u5230\u6709\u4e00\u4e2a\u4e0d\u5339\u914d\u7684\u529f\u80fd\uff0c\u5b83\u662f\u5728\u6700\u65b0\u7248\u672c\u4e2d\u6dfb\u52a0\u7684\uff1aFeature_Servicing_2206c_38427506__private_IsEnabled<\/code>.<\/p>\n\n\n\n
    \"BinDiff<\/a><\/figure>\n\n\n\n
    \u52a0\u8f7d\u7a0b\u5e8f\u4e2d\u5df2\u77e5\u7684 DLL \u5904\u7406<\/a><\/h2>\n\n\n\n
    \u6700\u521d\uff0c\u5f53\u521b\u5efa\u4e00\u4e2a\u65b0\u8fdb\u7a0b\u65f6\uff0c\u53ea\u52a0\u8f7d NTDLL\u3002\u5728 NTDLL \u4e2d\u5b9e\u73b0\u7684\u56fe\u50cf\u52a0\u8f7d\u5668<\/em>\u8d1f\u8d23\u52a0\u8f7d\u5176\u4ed6 DLL\uff08\u4ee5\u53ca\u8bb8\u591a\u5176\u4ed6\u4e8b\u60c5\uff09\u3002\u8981\u786e\u5b9a\u5b83\u662f\u5426\u5e94\u8be5\u4f7f\u7528\u5df2\u77e5 DLL \uff0c\u5b83\u53ea\u9700\u68c0\u67e5<\/em>\u8fdb\u7a0b\u73af\u5883\u5757<\/strong>( PEB<\/code>)\u4e2d\u7684\u51e0\u4e2a\u6807\u5fd7\u3002<\/p>\n\n\n\n
    \u6b64\u68c0\u67e5\u5728\u4ee5\u4e0b\u5c4f\u5e55\u622a\u56fe\uff08\u6784\u5efa\u7248\u672c10.0.19044.1741<\/code>\uff09\u4e2d\u7a81\u51fa\u663e\u793a\u3002<\/p>\n\n\n\n
    \"\u4fdd\u62a4\u6807\u5fd7\u68c0\u67e5\"\/<\/a><\/figure>\n\n\n\n
    \u8be5PEB<\/code>\u7ed3\u6784\u5df2\u90e8\u5206\u8bb0\u5f55\uff0c\u4f46\u6211\u4eec\u4e0d\u4f1a\u5728\u5b98\u65b9\u6587\u6863\u4e2d\u627e\u5230\u6211\u4eec\u9700\u8981\u7684\u4fe1\u606f\u3002\u53e6\u4e00\u65b9\u9762\uff0cProcess Hacker\u5305\u542b\u4e00\u4e2a\u66f4\u8be6\u7ec6\u7684\u5b9a\u4e49\u3002<\/em><\/p>\n\n\n\n
    \/\/ phnt\/include\/ntpebteb.h\ntypedef struct _PEB\n{\n    BOOLEAN InheritedAddressSpace;      \/\/ Byte at (byte*)peb+0\n    BOOLEAN ReadImageFileExecOptions;   \/\/ Byte at (byte*)peb+1\n    BOOLEAN BeingDebugged;              \/\/ Byte at (byte*)peb+2\n    union\n    {\n        BOOLEAN BitField;               \/\/ Byte at (byte*)peb+3\n        struct\n        {\n            BOOLEAN ImageUsesLargePages : 1;\n            BOOLEAN IsProtectedProcess : 1;\n            BOOLEAN IsImageDynamicallyRelocated : 1;\n            BOOLEAN SkipPatchingUser32Forwarders : 1;\n            BOOLEAN IsPackagedProcess : 1;\n            BOOLEAN IsAppContainer : 1;\n            BOOLEAN IsProtectedProcessLight : 1;\n            BOOLEAN IsLongPathAwareProcess : 1;\n        };\n    };\n    \/\/ ...\n}<\/code><\/pre>\n\n\n\n
    \u5728\u504f\u79fb\u91cf 3 \u5904\uff08peb + 3<\/code>\u5728if<\/code>\u8bed\u53e5\u4e2d\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u627e\u5230\u4e00\u4e2a\u5305\u542b\u4e00\u7ec4 8 \u4f4d\u6807\u5fd7\u7684\u5b57\u8282\u503c\u3002\u6700\u4f4e\u6709\u6548\u4f4d\u4fdd\u5b58ImageUsesLargePages<\/code>\u6807\u5fd7\u7684\u503c\uff0c\u800c\u6700\u9ad8\u6709\u6548\u4f4d\u4fdd\u5b58IsLongPathAwareProcess<\/code>\u6807\u5fd7\u7684\u503c\u3002<\/p>\n\n\n\n
    \"\u4f4d\u57df\"\/<\/a><\/figure>\n\n\n\n
    \u6709\u4e86\u8fd9\u4e9b\u77e5\u8bc6\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u5c06\u4ee3\u7801\u7ffb\u8bd1*(byte *)(peb + 3)<\/code>\u6210peb->BitField<\/code>. \u7136\u540e\uff0c\u8be5\u503c0x42<\/code>\u662f\u4e00\u4e2a\u63a9\u7801\uff0c\u5141\u8bb8\u52a0\u8f7d\u7a0b\u5e8f\u9694\u79bb\u548c\u68c0\u67e5\u6807\u5fd7IsProtectedProcess<\/code>\u548cIsProtectedProcessLight<\/code>. \u56e0\u6b64\uff0c\u53cd\u7f16\u8bd1\u540e\u7684\u4ee3\u7801if ((*(byte *)(peb + 3) & 0x42) == 2)<\/code>\u53ef\u4ee5\u89e3\u91ca\u5982\u4e0b\u3002<\/p>\n\n\n\n
    if (peb->IsProtectedProcess && !peb->IsProtectedProcessLight) {\n    \/\/ Do NOT use Known DLLs\n} else {\n    \/\/ Use Known DLLs\n}<\/code><\/pre>\n\n\n\n
    \u6362\u53e5\u8bdd\u8bf4\uff0c\u53ea\u6709\u5f53<\/strong>\u8fdb\u7a0b\u662fPP\u65f6\uff0c <\/strong>Known DLL<\/em>\u624d\u4f1a\u88ab\u5ffd\u7565\uff0c\u56e0\u6b64PPL<\/strong>\u7684\u884c\u4e3a\u5c31\u50cf\u6b63\u5e38\u8fdb\u7a0b\u4e00\u6837\u3002\u8fd9\u662f\u5bf9\u6211\u4eec\u5df2\u7ecf\u77e5\u9053\u7684\u5185\u5bb9\u7684\u786e\u8ba4\uff0c\u6240\u4ee5\u8ba9\u6211\u4eec\u627e\u51fa\u6784\u5efa\u7248\u672c\u4e2d\u7684\u53d8\u5316\u3002<\/strong><\/strong><\/strong>10.0.19044.1806<\/code><\/p>\n\n\n\n
    \u5982\u679c\u6211\u4eec\u641c\u7d22\u540c\u4e00\u884c\u4ee3\u7801\uff0c\u6211\u4eec\u4f1a\u7acb\u5373\u610f\u8bc6\u5230\u8fd8\u6709\u4e00\u4e2a\u989d\u5916\u7684\u68c0\u67e5\u53d6\u51b3\u4e8eFeature_Servicing_2206c_38427506__private_IsEnabled()<\/code>. \u591a\u4e48\u5de7\u5408\uff01<\/p>\n\n\n\n
    \"Ghidra<\/a><\/figure>\n\n\n\n
    \u5728\u8be5else<\/code>\u5757\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u4ee5\u4e0b\u68c0\u67e5\u3002<\/p>\n\n\n\n
    \"Ghidra<\/a><\/figure>\n\n\n\n
    \u56e0\u6b64\uff0cGhidra \u751f\u6210\u7684\u53cd\u7f16\u8bd1\u4ee3\u7801\u53ef\u4ee5\u603b\u7ed3\u5982\u4e0b\u3002<\/p>\n\n\n\n
    bool bFeatureEnabled = Feature_Servicing_2206c_38427506__private_IsEnabled();\nif (bFeatureEnabled == 0) {\n    if ((*(byte *)(peb + 3) & 0x42) != 2) {\n        \/\/ Use Known DLLs\n    } else {\n        \/\/ Do NOT use Known DLLs\n    }\n} else {\n    if ((*(byte *)(peb + 3) & 2) != 0) {\n        \/\/ Do NOT use Known DLLs\n    } else {\n        \/\/ Use Known DLLs\n    }\n}<\/code><\/pre>\n\n\n\n
    \u5982\u679c\u6211\u4eec\u5e94\u7528\u6211\u4e4b\u524d\u8be6\u8ff0\u7684\u76f8\u540c\u903b\u8f91\uff0c\u6211\u4eec\u53ef\u4ee5\u5c06\u4e0a\u9762\u7684\u4ee3\u7801\u7ffb\u8bd1\u6210\u8fd9\u4e2a\u66f4\u6613\u8bfb\u7684\u7248\u672c\u3002<\/p>\n\n\n\n
    bool bFeatureEnabled = Feature_Servicing_2206c_38427506__private_IsEnabled();\nif (bFeatureEnabled == FALSE) {\n    if (peb->IsProtectedProcess && !peb->IsProtectedProcessLight) {\n        \/\/ Do NOT use Known DLLs\n    } else {\n        \/\/ Use Known DLLs\n    }\n} else {\n    if (peb->IsProtectedProcess) {\n        \/\/ Do NOT use Known DLLs\n    } else {\n        \/\/ Use Known DLLs\n    }\n}<\/code><\/pre>\n\n\n\n
    \u8865\u4e01\u73b0\u5728\u770b\u8d77\u6765\u5f88\u6e05\u6670\u3002\u9996\u5148\uff0c\u68c0\u67e5\u201c\u529f\u80fd\u670d\u52a1<\/em>\u201d\u503c\u3002\u5982\u679c\u7981\u7528\u6b64\u529f\u80fd\uff0c\u52a0\u8f7d\u7a0b\u5e8f\u4f1a\u9000\u56de\u5230\u4ee5\u524d\u7248\u672c\u7684\u4ee3\u7801\uff0c\u56e0\u6b64 PPL \u4f1a\u52a0\u8f7dKnown DLL<\/em>\u3002\u53e6\u4e00\u65b9\u9762\uff0c\u5982\u679c\u542f\u7528\u6b64\u529f\u80fd\uff0c\u52a0\u8f7d\u7a0b\u5e8f\u53ea\u9700\u68c0\u67e5\u6807\u5fd7\u662f\u5426peb->IsProtectedProcess<\/code>\u5df2\u8bbe\u7f6e\u3002\u56e0\u6b64\uff0c\u53d7\u4fdd\u62a4\u7684\u8fdb\u7a0b<\/em>\uff08\u65e0\u8bba\u662f PP \u8fd8\u662f PPL\uff09\u90fd\u4e0d\u4f1a\u4f7f\u7528Known DLLs<\/em>\u3002<\/p>\n\n\n\n
    \u88c5\u8f7d\u673a\u4e2d\u7684\u65b0\u68c0\u67e5<\/a><\/h2>\n\n\n\n
    \u5728\u4e0a\u4e00\u90e8\u5206\u4e2d\uff0c\u6211\u4eec\u770b\u5230 \u7684\u7ed3\u679cFeature_Servicing_2206c_38427506__private_IsEnabled()<\/code>\u51b3\u5b9a\u4e86\u52a0\u8f7d\u5668\u5c06\u4f7f\u7528\u7684\u6709\u5173\u53d7\u4fdd\u62a4\u8fdb\u7a0b<\/em>\u548c\u5df2\u77e5 DLL<\/em>\u7684\u903b\u8f91\u3002\u4e4d\u4e00\u770b\uff0c\u8fd9\u4e2a\u51fd\u6570\u4f3c\u4e4e\u5e76\u4e0d\u590d\u6742\uff0c\u6240\u4ee5\u8ba9\u6211\u4eec\u770b\u770b\u6211\u4eec\u80fd\u4ece\u4e2d\u5b66\u5230\u4ec0\u4e48\u3002<\/p>\n\n\n\n
    \"Ghidra<\/a><\/figure>\n\n\n\n
    \u6839\u636e Ghidra \u751f\u6210\u7684\u53cd\u7f16\u8bd1\u4ee3\u7801\uff0c\u8be5\u51fd\u6570\u4f3c\u4e4e\u9996\u5148\u68c0\u7d22\u5168\u5c40\u53d8\u91cf\u7684\u503cFeature_Servicing_2206c_38427506__private_featureState<\/code>\uff0c\u5982\u679c\u5c1a\u672a\u521d\u59cb\u5316\uff0c\u5219\u5bf9\u5176\u8fdb\u884c\u521d\u59cb\u5316\uff0c\u7136\u540e\u8fd4\u56de\u5176\u7b2c\u56db\u4f4d ( uVar1 >> 3 & 1<\/code>) \u7684\u503c\u3002<\/p>\n\n\n\n
    DWORD Feature_Servicing_2206c_38427506__private_IsEnabled() {\n    DWORD dwFeatureServicingState;\n    BOOL bIsEnabled;\n    \n    dwFeatureServicingState = Feature_Servicing_2206c_38427506__private_featureState;\n    if ((dwFeatureServicingState & 1) == 0) {\n        \/\/ The global variable is not yet initialized, initialize it.\n        dwFeatureServicingState = wil_details_FeatureStateCache_ReevaluateCachedFeatureEnabledState(...);\n    }\n    \n    \/\/ Extract the fourth bit\n    bIsEnabled = dwFeatureServicingState >> 3 & 1;\n\n    \/\/ ...\n\n    return bIsEnabled;\n}<\/code><\/pre>\n\n\n\n
    \u56e0\u6b64\uff0c\u770b\u8d77\u6765\u5168\u5c40\u53d8\u91cfFeature_Servicing_..._featureState<\/code>\u5305\u542b\u4e00\u7ec4\u4f4d\u6807\u5fd7\uff0c\u7528\u4e8e\u786e\u5b9a\u662f\u5426\u542f\u7528\u4e86\u7279\u5b9a\u529f\u80fd\u3002\u501f\u52a9\u51e0\u884c C\/C++ \u548c\u8c03\u8bd5\u5668\uff0c\u6211\u4eec\u53ef\u4ee5\u5f88\u5bb9\u6613\u5730\u9a8c\u8bc1\u8fd9\u4e00\u70b9\u3002<\/p>\n\n\n\n
    #include <iostream>\n#include <Windows.h>\n\ntypedef UINT(NTAPI* _FeatureIsEnabled)();\n\nint wmain(int argc, wchar_t* argv[])\n{\n    DWORD dwOffsetFeatureIsEnabled      = 0x0009b360;\n    DWORD dwOffsetFeatureServicingState = 0x0016d288;\n    PDWORD pFeatureServicingState       = NULL;\n\n    _FeatureIsEnabled FeatureIsEnabled  = NULL;\n    BOOL bFeatureIsEnabled              = FALSE;\n\n    \/\/ Get NTDLL base address\n    HMODULE ntdll = LoadLibraryW(L\"ntdll.dll\");\n    \/\/ Calculate address of Feature_Servicing_..._featureState\n    pFeatureServicingState = (PDWORD)((PBYTE)ntdll + dwOffsetFeatureServicingState);\n    \/\/ Calculate address of Feature_Servicing_..._IsEnabled()\n    FeatureIsEnabled = (_FeatureIsEnabled)((PBYTE)ntdll + dwOffsetFeatureIsEnabled);\n\n    wprintf(L\"Feature_Servicing_2206c_38427506__private_featureState: 0x%08x\\r\\n\", *pFeatureServicingState);\n\n    bFeatureIsEnabled = FeatureIsEnabled();\n    wprintf(L\"Feature enabled: %d\\r\\n\", bFeatureIsEnabled);\n\n    wprintf(L\"----\\r\\n\");\n\n    wprintf(L\"Setting the fourth bit to 0\\r\\n\");\n    *pFeatureServicingState = *pFeatureServicingState & 0xfffffff7;\n\n    wprintf(L\"Feature_Servicing_2206c_38427506__private_featureState: 0x%08x\\r\\n\", *pFeatureServicingState);\n\n    bFeatureIsEnabled = FeatureIsEnabled();\n    wprintf(L\"Feature enabled: %d\\r\\n\", bFeatureIsEnabled);\n\n    return 0;\n}<\/code><\/pre>\n\n\n\n
    \u8fd0\u884c\u4e0a\u9762\u7684\u4ee3\u7801\u4f1a\u4ea7\u751f\u4ee5\u4e0b\u8f93\u51fa\u3002<\/p>\n\n\n\n
    C:\\Temp\\FeatureServicing.exe\nFeature_Servicing_2206c_38427506__private_featureState: 0x0000001b\nFeature enabled: 1\n----\nSetting the fourth bit to 0\nFeature_Servicing_2206c_38427506__private_featureState: 0x00000013\nFeature enabled: 0<\/code><\/pre>\n\n\n\n
    Feature_Servicing_..._featureState<\/code>is\u7684\u503c0x0000001b<\/code>\uff0c\u8f6c\u6362\u4e3a0001 1011<\/code>\u4e8c\u8fdb\u5236\u3002\u7b2c\u56db\u4f4d\u88ab\u8bbe\u7f6e\uff0c\u8fd4\u56de\u503c\u4e3a1<\/code>. 1111 0111<\/code>\u5728\u7b2c\u4e8c\u90e8\u5206\u4e2d\uff0c\u6211\u4f7f\u7528\u63a9\u7801\uff08\u5373<\/em> \uff09\u4f7f\u7528\u6309\u4f4d\u4e0e\u64cd\u4f5c\u624b\u52a8\u53d6\u6d88\u8bbe\u7f6e\u7b2c\u56db\u4f4d0xf7<\/code>\u3002\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u8fd4\u56de\u503c\u4e3a0<\/code>\uff0c\u8fd9\u503e\u5411\u4e8e\u8bc1\u5b9e\u6211\u5bf9\u4ee3\u7801\u7684\u89e3\u91ca\u3002<\/p>\n\n\n\n
    \u6700\u540e\uff0c\u4e3a\u4e86\u66f4\u597d\u7684\u8861\u91cf\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u624b\u52a8\u8bbe\u7f6eFeature_Servicing_..._featureState<\/code>to\u7684\u503c0<\/code>\u5e76\u68c0\u67e5\u8fd4\u56de\u7684\u503cwil_..._ReevaluateCachedFeatureEnabledState(...)<\/code>\u4ee5\u786e\u4fdd\u5b83\u662f0x1b<\/code>.<\/p>\n\n\n\n
    \"WinDbg<\/a><\/figure>\n\n\n\n
    \u8fd4\u56de\u503c\uff08\u89c1RAX<\/code>\uff09\u5b9e\u9645\u4e0a\u662f0x7ff700000000001b<\/code>\u4f46EAX<\/code>\u5bc4\u5b58\u5668\uff08\u5373<\/em>\u524d32\u4f4dRAX<\/code>\uff09\u7528\u4e8e\u4ee5\u4e0b\u64cd\u4f5c\uff08mov ebx,eax<\/code>\uff09\u6240\u4ee5\u6709\u6548\u503c\u786e\u5b9e\u662f0x0000001b<\/code>\u3002<\/p>\n\n\n\n
    \u7ed3\u8bba<\/a><\/h2>\n\n\n\n
    \u6211\u4e0d\u786e\u5b9a\u662f\u4ec0\u4e48\u4fc3\u4f7f\u5fae\u8f6f\u9996\u5148\u533a\u5206\u5173\u4e8e\u5df2\u77e5 DLL<\/em>\u7684 PP \u548c PPL\u3002\u4e5f\u8bb8\u8fd9\u662f\u4e00\u4e2a\u6027\u80fd\u95ee\u9898\uff0c\u6211\u4e0d\u77e5\u9053\u3002\u65e0\u8bba\u5982\u4f55\uff0c\u4ed6\u4eec\u5df2\u7ecf\u610f\u8bc6\u5230\u4e86\u8fd9\u4e2a\u6f5c\u5728\u7684\u5f31\u70b9\uff0c\u5426\u5219\u6211\u731c\u4ed6\u4eec\u4e0d\u4f1a\u5bf9 PP \u7834\u4f8b\u3002\u95ee\u9898\u662f\uff0c\u8fd9\u4e2a\u5b89\u5168\u6f0f\u6d1e\u73b0\u5728\u5df2\u7ecf\u4fee\u8865\uff0c\u8fd9\u662f\u5411\u524d\u8fc8\u51fa\u7684\u4e00\u5927\u6b65\u3002\u6211\u559c\u6b22\u8ba4\u4e3a\u6211\u5728\u8fd9\u4e2a\u53d8\u5316\u4e2d\u626e\u6f14\u4e86\u4e00\u4e2a\u5c0f\u89d2\u8272\uff0c\u5c3d\u7ba1\u6211\u5b8c\u5168\u77e5\u9053\u6240\u6709\u7684\u5de5\u4f5c\u90fd\u5df2\u7ecf\u7531 Alex \u548c James \u5b8c\u6210\u3002<\/p>\n\n\n\n
    \u603b\u4e4b\uff0c\u8fd9\u786e\u5b9e\u662f\u201c PPLdump \u7684\u7ec8\u7ed3<\/em>\u201d\u3002\u7136\u800c\uff0c\u8fd9\u4e2a\u5de5\u5177\u53ea\u5229\u7528\u4e86 PPL \u7684\u4e00\u4e2a\u5f31\u70b9\uff0c\u4f46\u6211\u4eec\u53ef\u80fd\u4ecd\u7136\u53ef\u4ee5\u5229\u7528\u5176\u4ed6\u51e0\u4e2a\u7528\u6237\u7a7a\u95f4\u95ee\u9898\u3002\u6240\u4ee5\uff0c\u4ece\u6211\u7684\u89d2\u5ea6\u6765\u770b\uff0c\u8fd9\u4e5f\u662f\u4e00\u4e2a\u5f00\u59cb\u7814\u7a76\u53e6\u4e00\u4e2a\u65c1\u8def\u7684\u673a\u4f1a\u2026\u2026<\/p>\n\n\n\n
    \u94fe\u63a5\u548c\u8d44\u6e90<\/a><\/h2>\n\n\n\n