Command
.for(r $t0=nt!PspLoadImageNotifyRoutine; poi(@$t0)!=0; r $t0=@$t0+8){r $t1=poi(@$t0)&0FFFFFFFFFFFFFFF0h; .printf "pCallback=0x%p pFunc=0x%p\n",@$t1+8,poi(@$t1+8); !address poi(@$t1+8); .echo =======================================}
On the first entry, fffff8075eeb92d4 (in rcx) is the callback registered by 360FsFlt:

0: kd> r
rax=0000000000000000 rbx=0000000000000000 rcx=fffff8075eeb92d4
rdx=0000000000000000 rsi=ffff850cd54199d0 rdi=ffff850cd54199d0
rip=fffff80759f81d60 rsp=ffffe00444006728 rbp=0000000000000000
 r8=000000000000082f  r9=000000000000002f r10=fffff80759b26db0
r11=0000000000000000 r12=0000000000000001 r13=ffffffff8000018c
r14=0000000000000000 r15=ffff9988d7dd7b00

ExAllocateCallBack allocates the callback block:

0: kd> db ffff9988d7de8990 L200

After the allocation succeeds, the callback function pointer is written at ffff9988d7de8990+8.

Callback array location: nt!PspLoadImageNotifyRoutine == fffff8075a4ebee0

0: kd> dps fffff8075a4ebee0
fffff807`5a4ebee0  ffff9988`d7a09fdf
fffff807`5a4ebee8  00000000`00000000
fffff807`5a4ebef0  00000000`00000000
fffff807`5a4ebef8  00000000`00000000
fffff807`5a4ebf00  00000000`00000000
fffff807`5a4ebf08  00000000`00000000
fffff807`5a4ebf10  00000000`00000000
fffff807`5a4ebf18  00000000`00000000
fffff807`5a4ebf20  00000000`00000000
fffff807`5a4ebf28  00000000`00000000
fffff807`5a4ebf30  00000000`00000000
fffff807`5a4ebf38  00000000`00000000
fffff807`5a4ebf40  00000000`00000000
fffff807`5a4ebf48  00000000`00000000
fffff807`5a4ebf50  00000000`00000000
fffff807`5a4ebf58  00000000`00000000

The array entry is ANDed with 0FFFFFFFFFFFFFFF0h to strip the low 4 bits (the value stored, ffff9988`d7a09fdf, is not the block address itself; the block starts at ffff9988`d7a09fd0) before it is dereferenced.

WinDbg .for command enumerating every registered load-image notify callback on Win10:

0: kd> .for(r $t0=nt!PspLoadImageNotifyRoutine; poi(@$t0)!=0; r $t0=@$t0+8){r $t1=poi(@$t0)&0FFFFFFFFFFFFFFF0h; .printf "pCallback=0x%p pFunc=0x%p\n",@$t1+8,poi(@$t1+8); !address poi(@$t1+8); .echo =======================================}
pCallback=0xffff9988d7a09fd8 pFunc=0xfffff8075d563798
Usage:                  Module
Base Address:           fffff807`5d550000
End Address:            fffff807`5d57b000
Region Size:            00000000`0002b000
VA Type:                BootLoaded
Module name:            DsArk64.sys
Module path:            [\SystemRoot\System32\drivers\DsArk64.sys]
=======================================
pCallback=0xffff9988d7de8998 pFunc=0xfffff8075eeb92d4
Usage:                  Module
Base Address:           fffff807`5ee70000
End Address:            fffff807`5ef42000
Region Size:            00000000`000d2000
VA Type:                BootLoaded
Module name:            360FsFlt.sys
Module path:            [\SystemRoot\system32\DRIVERS\360FsFlt.sys]
=======================================
pCallback=0xffff9988d75d99a8 pFunc=0xfffff8075f801a7c
Usage:                  Module
Base Address:           fffff807`5f800000
End Address:            fffff807`5f8d1000
Region Size:            00000000`000d1000
VA Type:                BootLoaded
Module name:            360Hvm64.sys
Module path:            [\SystemRoot\System32\Drivers\360Hvm64.sys]
=======================================
pCallback=0xffff9988d75d9978 pFunc=0xfffff807601beb20
Usage:                  Module
Base Address:           fffff807`601a0000
End Address:            fffff807`601ee000
Region Size:            00000000`0004e000
VA Type:                BootLoaded
Module name:            ahcache.sys
Module path:            [\SystemRoot\system32\DRIVERS\ahcache.sys]
=======================================
pCallback=0xffff9988d75d99d8 pFunc=0xfffff8075fc25a98
Usage:                  Module
Base Address:           fffff807`5fc20000
End Address:            fffff807`5fc75000
Region Size:            00000000`00055000
VA Type:                BootLoaded
Module name:            360qpesv64.sys
Module path:            [\SystemRoot\system32\DRIVERS\360qpesv64.sys]
=======================================
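The same walk the .for loop performs, written out as an added Python example (not code from the page or from any of the drivers shown) so the two steps are explicit: mask the low 4 bits of each nt!PspLoadImageNotifyRoutine entry, then read the routine pointer at +8 of the block, and finally attribute that pointer to a loaded module the way !address does. The sample memory is constructed: the array address, the first slot value ffff9988`d7a09fdf, the block ffff9988d7de8990, and the DsArk64.sys / 360FsFlt.sys ranges are taken from the page's output, while the refcount bits of the second slot, the third "orphan" entry and the 64-entry cap are assumptions made for the example. A routine that maps to no loaded module is the case a defender would want flagged from a memory image.

```python
import struct

# Constants taken from the page's .for loop: each array entry has its low
# 4 bits masked off (0FFFFFFFFFFFFFFF0h) and the routine pointer is read
# at +8 from the masked block address (poi(@$t1+8)).
EX_FAST_REF_MASK = 0xFFFFFFFFFFFFFFF0
FUNC_PTR_OFFSET = 8


class KernelMemorySnapshot:
    """Sparse little-endian memory model standing in for a live kd session (constructed)."""

    def __init__(self):
        self.regions = {}  # base address -> bytes

    def write(self, base, data):
        self.regions[base] = bytes(data)

    def read_qword(self, addr):
        for base, data in self.regions.items():
            if base <= addr and addr + 8 <= base + len(data):
                return struct.unpack_from("<Q", data, addr - base)[0]
        raise ValueError(f"unmapped read at {addr:#x}")


def walk_load_image_callbacks(mem, array_addr, max_entries=64):
    """Same walk as the .for loop: stop at the first zero slot, mask the
    low 4 bits, then read the routine pointer at +8 of the block.
    max_entries is an assumed cap; the page's loop stops only on a zero slot."""
    entries = []
    for i in range(max_entries):
        slot = array_addr + 8 * i
        fast_ref = mem.read_qword(slot)
        if fast_ref == 0:
            break
        block = fast_ref & EX_FAST_REF_MASK
        entries.append({
            "slot": slot,
            "refcount": fast_ref & 0xF,          # the bits the mask strips
            "pCallback": block + FUNC_PTR_OFFSET,  # what the .printf labels pCallback
            "pFunc": mem.read_qword(block + FUNC_PTR_OFFSET),
        })
    return entries


def module_for(addr, modules):
    """Role of !address here: map an address to the loaded module whose [base, end) holds it."""
    for name, base, end in modules:
        if base <= addr < end:
            return name
    return None


def build_sample_snapshot():
    """Constructed snapshot; see the lead-in for which values come from the page."""
    mem = KernelMemorySnapshot()
    array_addr = 0xFFFFF8075A4EBEE0  # nt!PspLoadImageNotifyRoutine on the page
    slots = [
        0xFFFF9988D7A09FDF,  # page's dps value: block ffff9988d7a09fd0, low bits 0xF
        0xFFFF9988D7DE8991,  # constructed: block ffff9988d7de8990 (page), low bits 1
        0xFFFF9988D7F00011,  # constructed: block whose routine lies in no module
        0,                   # terminator, as in the page's dps output
    ]
    mem.write(array_addr, b"".join(struct.pack("<Q", s) for s in slots))
    blocks = {
        0xFFFF9988D7A09FD0: 0xFFFFF8075D563798,  # DsArk64.sys routine (page)
        0xFFFF9988D7DE8990: 0xFFFFF8075EEB92D4,  # 360FsFlt.sys routine (page)
        0xFFFF9988D7F00010: 0xFFFF9988D7F10000,  # constructed: no backing module
    }
    for block, func in blocks.items():
        mem.write(block, struct.pack("<QQ", 0, func))  # +0 zeroed here, +8 routine
    modules = [
        ("DsArk64.sys", 0xFFFFF8075D550000, 0xFFFFF8075D57B000),
        ("360FsFlt.sys", 0xFFFFF8075EE70000, 0xFFFFF8075EF42000),
    ]
    return mem, array_addr, modules


def report(mem, array_addr, modules):
    """Return (pCallback, pFunc, module-or-None) per entry; None is the case to
    investigate, since a notify routine should live inside a loaded driver."""
    return [(e["pCallback"], e["pFunc"], module_for(e["pFunc"], modules))
            for e in walk_load_image_callbacks(mem, array_addr)]


if __name__ == "__main__":
    for cb, fn, mod in report(*build_sample_snapshot()):
        print(f"pCallback=0x{cb:016x} pFunc=0x{fn:016x} module={mod or '<none: investigate>'}")
```

Run against a real dump, the only pieces to swap are KernelMemorySnapshot (replace with reads from the image) and the module list (the loaded-module ranges !address consults); the walk and the mask stay exactly as the .for loop has them.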