Can someone explain the Windows ZwMapViewOfSection system call so that a noob (me) can understand?


Problem description

I'm investigating a set of Windows API system calls made by a piece of malware running in a sandbox so that I can understand its malicious intent. Unfortunately, I'm struggling to understand the ZwMapViewOfSection function described in the documentation: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-zwmapviewofsection

Now, I do understand that this function is related to the mapping of physical memory to virtual memory in a page table. Apart from that, I find the documentation arcane and not friendly to beginners. I am also confused why they are calling blocks of physical memory "sections" rather than "frames" (if that is what they are indeed referring to; it's not clear to me). Can anyone provide a more intuitive explanation about this system call and what it does in general? Is this a common system call for programs, or is it limited to malware? Thank you.

Recommended answer

As far as I understand it, you have to open the file and acquire a file handle, which you then map with CreateFileMapping, which will call NtCreateSection, which calls MmCreateSection. If the file is mapped for the first time, a new segment object and control area are created first; then, depending on whether the section is data-, image- or page-file-backed, MiCreateDataFileMap, MiCreateImageFileMap or MiCreatePagingFileMap is called.

MiCreateDataFileMap sets up the subsection object and section object. In the normal case only one subsection is created, but under some special conditions multiple subsections are used, e.g. if the file is very large. For data files, the subsection object field SubsectionBase is left blank. Instead, the SegmentPteTemplate field of the segment object is set up properly, which can be used to create the PPTEs when necessary. This defers the creation of PPTEs until a view is mapped for the first time, which avoids wasting memory when very large data files are mapped. Note that a PPTE is a PTE that is serving as a prototype PTE, but an _MMPTE_PROTOTYPE is a PTE that is pointing to a prototype.

MiCreateImageFileMap creates the section object, loads the PE header of the specified file and verifies it; then one subsection is created for the PE header and one for each PE section. If a very small image file is mapped, then only one subsection is created for the complete file. Besides the subsections, the related PPTEs for each of them are also created, and their page protection flags are set according to the protection settings of the related PE section. These PPTEs will be used as a template for building the real PTEs when a view is mapped and accessed.

After a section is created it can be mapped into the address space by creating a view from it. The flProtect passed to CreateFileMapping specifies the protection of the section object. All mapped views of the object must be compatible with this protection. You specify dwMaximumSizeLow and dwMaximumSizeHigh to be 0 in order for dwMaximumSizeHigh to be set to the length of the file automatically.

You then pass the returned section object handle to MapViewOfFile, which will call NtMapViewOfSection on it, which calls MmMapViewOfSegment, which calls MmCreateMemoryArea, which is where the view is mapped into the VAD of the process with the protection dwDesiredAccess supplied to MapViewOfFile, which serves as the protection type for all PTEs that the VAD entry covers. dwNumberOfBytesToMap = 0 and dwFileOffsetLow = 0 in MapViewOfFile map the whole file.

When a view is mapped, I believe that all of the PTEs are made to point to the prototype PTEs and are given the protection of the PPTE. For an image file, the PPTEs have already been initialised to subsection PTEs. For a data file, the PPTEs for the view need to be initialised to subsection PTEs. The VAD entry for the view is now created. The VAD entry protection isn't always reflective of the protection of the PTEs it covers, because it can cover multiple subsections and multiple blocks within those subsections.

The first time an address in the mapping is actually accessed, the subsection prototype PTE is filled in on demand with the allocated physical page, which is filled by the I/O read for that range, and the process PTE is filled in with that same address. For an image, the PPTE was already filled in when the subsections were created, along with protection information derived from the section header characteristics in the image, and it just fills in the PTE with that address and the protection information in it.

When the PTE is trimmed from the process working set, the working set manager accesses the PFN to locate the PPTE address, decreases the share count, and inserts the PPTE address into the PTE.

I'm not sure when a VAD PTE (which has a prototype bit and a prototype address of 0xFFFFFFFF0000 and is not valid) occurs. I would have thought the PPTEs are always there at their virtual address and can be pointed to as soon as the VAD entry is created.
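The image-mapping path the answer describes (one subsection for the PE header, one per PE section, each with prototype-PTE protection derived from that section's characteristics) can be made concrete by walking a PE's section table. The C below is an added example written for this page; it is neither the answer's code nor Windows source. It builds a constructed minimal PE32+ image in memory (the sample sections, the .shrd name and the 0x400-byte header are made up for the example), parses it with bounds checks, and emits the subsection layout together with the PAGE_* protection each subsection would receive. The characteristics-to-protection rules are a reconstruction of the documented behaviour (writable image pages are copy-on-write unless the section carries IMAGE_SCN_MEM_SHARED), not the kernel's own table, and images whose SectionAlignment is below the page size are deliberately not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE/COFF section characteristic bits and Win32 page protections (winnt.h values). */
#define IMAGE_SCN_MEM_SHARED   0x10000000u
#define IMAGE_SCN_MEM_EXECUTE  0x20000000u
#define IMAGE_SCN_MEM_READ     0x40000000u
#define IMAGE_SCN_MEM_WRITE    0x80000000u
#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define PAGE_SZ         4096u
#define MAX_SUBSECTIONS 32

typedef struct {
    char     name[12];  /* section name, NUL-terminated; "(headers)" for the PE header */
    uint32_t rva;       /* start of the subsection relative to the image base */
    uint32_t size;      /* length rounded up to whole pages */
    uint32_t protect;   /* PAGE_* value applied to the subsection's prototype PTEs */
} subsection_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t round_up_page(uint32_t n) { return (n + PAGE_SZ - 1) & ~(PAGE_SZ - 1); }

/* Characteristics -> protection for an image-backed subsection (reconstructed rules, see lead-in).
 * Writable image pages are copy-on-write so one process patching its copy of a DLL does not
 * affect other processes sharing the same section; IMAGE_SCN_MEM_SHARED opts out of that. */
uint32_t image_protection(uint32_t ch) {
    int x = (ch & IMAGE_SCN_MEM_EXECUTE) != 0, w = (ch & IMAGE_SCN_MEM_WRITE) != 0;
    int r = (ch & IMAGE_SCN_MEM_READ) != 0, shared = (ch & IMAGE_SCN_MEM_SHARED) != 0;
    if (w) return shared ? (x ? PAGE_EXECUTE_READWRITE : PAGE_READWRITE)
                         : (x ? PAGE_EXECUTE_WRITECOPY : PAGE_WRITECOPY);
    if (r) return x ? PAGE_EXECUTE_READ : PAGE_READONLY;
    return x ? PAGE_EXECUTE : PAGE_NOACCESS;
}

/* Walk an in-memory PE and emit its subsection layout: one entry for the headers, one per section.
 * Returns the entry count, or 0 for input we refuse to model: truncated or malformed headers
 * (malware samples are adversarial input), too many sections, or SectionAlignment < page size. */
size_t layout_subsections(const uint8_t *img, size_t len, subsection_t *out, size_t max_out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                         /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 4 + 20 + 64 || rd32(img + pe) != 0x00004550) return 0;  /* "PE\0\0" */
    const uint8_t *fh = img + pe + 4;                                          /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2), optsz = rd16(fh + 16);
    const uint8_t *opt = fh + 20;                                              /* IMAGE_OPTIONAL_HEADER */
    uint32_t sect_align = rd32(opt + 32), size_hdrs = rd32(opt + 60);
    size_t shdr_off = (size_t)pe + 4 + 20 + optsz;
    if (optsz < 64 || sect_align < PAGE_SZ || nsec == 0 || (size_t)nsec + 1 > max_out) return 0;
    if (shdr_off > len || (len - shdr_off) / 40 < nsec) return 0;             /* section table cut off */

    size_t n = 0;
    strcpy(out[n].name, "(headers)");
    out[n].rva = 0; out[n].size = round_up_page(size_hdrs); out[n].protect = PAGE_READONLY; n++;
    for (uint16_t i = 0; i < nsec; i++, n++) {
        const uint8_t *sh = img + shdr_off + (size_t)i * 40;                   /* IMAGE_SECTION_HEADER */
        memcpy(out[n].name, sh, 8); out[n].name[8] = '\0';
        uint32_t vsize = rd32(sh + 8);
        out[n].rva = rd32(sh + 12);
        out[n].size = round_up_page(vsize ? vsize : rd32(sh + 16));           /* else SizeOfRawData */
        out[n].protect = image_protection(rd32(sh + 36));
    }
    return n;
}

/* Constructed sample input (not a real binary): a minimal PE32+ with a 0x400-byte header area and
 * four sections carrying the flag combinations commonly seen in DLLs. Returns the image length. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    static const struct { const char *name; uint32_t vsize, rva, ch; } secs[] = {
        { ".text",  0x1800, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE },
        { ".rdata", 0x0400, 0x3000, IMAGE_SCN_MEM_READ },
        { ".data",  0x2000, 0x4000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE },
        { ".shrd",  0x1000, 0x6000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_SHARED },
    };
    const uint32_t pe = 0x80, optsz = 240, nsec = 4;
    size_t need = pe + 4 + 20 + optsz + nsec * 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    uint8_t *fh = buf + pe + 4;
    wr16(fh, 0x8664); wr16(fh + 2, (uint16_t)nsec); wr16(fh + 16, (uint16_t)optsz);
    uint8_t *opt = fh + 20;
    wr16(opt, 0x20B);                                   /* PE32+ magic */
    wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200);      /* SectionAlignment, FileAlignment */
    wr32(opt + 56, 0x7000); wr32(opt + 60, 0x400);      /* SizeOfImage, SizeOfHeaders */
    uint8_t *sh = opt + optsz;
    for (uint32_t i = 0; i < nsec; i++, sh += 40) {
        memcpy(sh, secs[i].name, strlen(secs[i].name));
        wr32(sh + 8, secs[i].vsize); wr32(sh + 12, secs[i].rva);
        wr32(sh + 16, secs[i].vsize); wr32(sh + 36, secs[i].ch);
    }
    return need;
}

int main(void) {
    uint8_t img[1024];
    subsection_t subs[MAX_SUBSECTIONS];
    size_t n = layout_subsections(img, build_sample_image(img, sizeof img), subs, MAX_SUBSECTIONS);
    for (size_t i = 0; i < n; i++)
        printf("%-10s rva=0x%05x size=0x%05x protect=0x%02x\n",
               subs[i].name, subs[i].rva, subs[i].size, subs[i].protect);
    return n ? 0 : 1;
}
```

For the sample image this yields a read-only header subsection, PAGE_EXECUTE_READ for .text, PAGE_READONLY for .rdata, PAGE_WRITECOPY for .data and PAGE_READWRITE for the shared section. That is why a sandbox trace of a SEC_IMAGE view is unremarkable on its own (every DLL the loader brings in goes through NtCreateSection and NtMapViewOfSection this way), and why the interesting signal is the surrounding context: a view mapped with an executable protection into another process's handle, or a data-backed section whose view is later made executable.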
