• 当前位置:首页>>编程开发A>>安全防御>>Windows CE初探
  • Windows CE初探
  • 创建时间:2004-11-05 更新时间:2004-12-06
    文章属性:原创
    文章提交:san (san_at_xfocus.org)

    整理:san
    创建:2004.10.17
    更新:2004.11.09

    --[ 1. ARM简介

    从Platform Builder来看,Windows CE支持相当多CPU,但现在市场上实际销售的PDA几乎全部采用ARM芯片。ARM是一个RISC构架的32位微处理器,它一次有16个可见的寄存器:r0-r15。其中r0-r7是通用寄存器并可以做任何目的;r8-r12也是通用寄存器,但是在切换到FIQ模式的时候,使用它们的影子(shadow)寄存器;最后这三个是特殊寄存器:

       r13 (sp)     -  堆栈指针
       r14 (lr)     -  链接寄存器
       r15 (pc/psr) -  程序计数器/状态寄存器

    IDAPro和调试器里都是用别名表示。和其它RISC指令类似,ARM指令主要有分支(branch)指令、载入和存储指令和其它指令等,除了载入和存储指令,其它指令都是不能直接操作内存的,而且载入和存储指令操作的是4字节类型,那么内存地址必须要求4字节对齐,这也是RISC指令和CISC指令差异比较大的地方,在操作字符串的时候相对就比较麻烦。ARM指令一个很有趣的地方就是可以直接修改访问pc寄存器,这样如果写shellcode的话就不必象SPARC或PowerPC一样需要多条指令来定位自身。

    另外Windows CE默认使用的字节序是little-endian。

    --[ 2. Windows CE核心结构

    Windows CE是一个32位的操作系统,所以其虚拟内存的大小是4GB(2的32次方)。Windows CE把这4GB虚拟内存空间分为低地址2GB和高地址2GB。应用程序使用的地址空间是低地址2GB,高地址2GB专供Windows CE内核使用。在Windows CE 3.0源码的PRIVATE/WINCEOS/COREOS/NK/INC/nkarm.h头文件里有一些有趣的信息:

    /* High memory layout
    *
    * This structure is mapped in at the end of the 4GB virtual
    * address space.
    *
    *  0xFFFD0000 - first level page table (uncached) (2nd half is r/o)
    *  0xFFFD4000 - disabled for protection
    *  0xFFFE0000 - second level page tables (uncached)
    *  0xFFFE4000 - disabled for protection
    *  0xFFFF0000 - exception vectors
    *  0xFFFF0400 - not used (r/o)
    *  0xFFFF1000 - disabled for protection
    *  0xFFFF2000 - r/o (physical overlaps with vectors)
    *  0xFFFF2400 - Interrupt stack (1k)
    *  0xFFFF2800 - r/o (physical overlaps with Abort stack & FIQ stack)
    *  0xFFFF3000 - disabled for protection
    *  0xFFFF4000 - r/o (physical memory overlaps with vectors & intr. stack & FIQ stack)
    *  0xFFFF4900 - Abort stack (2k - 256 bytes)
    *  0xFFFF5000 - disabled for protection
    *  0xFFFF6000 - r/o (physical memory overlaps with vectors & intr. stack)
    *  0xFFFF6800 - FIQ stack (256 bytes)
    *  0xFFFF6900 - r/o (physical memory overlaps with Abort stack)
    *  0xFFFF7000 - disabled
    *  0xFFFFC000 - kernel stack
    *  0xFFFFC800 - KDataStruct
    *  0xFFFFCC00 - disabled for protection (2nd level page table for 0xFFF00000)
    */

    typedef struct ARM_HIGH {
        ulong    firstPT[4096];        // 0xFFFD0000: 1st level page table
        PAGETBL    aPT[16];            // 0xFFFD4000: 2nd level page tables
        char    reserved2[0x20000-0x4000-16*sizeof(PAGETBL)];

        char    exVectors[0x400];    // 0xFFFF0000: exception vectors
        char    reserved3[0x2400-0x400];

        char    intrStack[0x400];    // 0xFFFF2400: interrupt stack
        char    reserved4[0x4900-0x2800];

        char    abortStack[0x700];    // 0xFFFF4900: abort stack
        char    reserved5[0x6800-0x5000];

        char    fiqStack[0x100];    // 0xFFFF6800: FIQ stack
        char    reserved6[0xC000-0x6900];

        char    kStack[0x800];        // 0xFFFFC000: kernel stack
        struct KDataStruct kdata;    // 0xFFFFC800: kernel data page
    } ARM_HIGH;

    其中KDataStruct的结构非常重要而且有意思,有些类似Win32下的PEB结构,定义了系统各种重要的信息:

    struct KDataStruct {
        LPDWORD lpvTls;         /* 0x000 Current thread local storage pointer */
        HANDLE  ahSys[NUM_SYS_HANDLES]; /* 0x004 If this moves, change kapi.h */
        // NUM_SYS_HANDLES == 32 : PUBLIC/COMMON/SDK/INC/kfuncs.h
            0x004 SH_WIN32
            0x008 SH_CURTHREAD
            0x00c SH_CURPROC
            0x010 SH_KWIN32
            0x044 SH_GDI
            0x048 SH_WMGR
            0x04c SH_WNET
            0x050 SH_COMM
            0x054 SH_FILESYS_APIS
            0x058 SH_SHELL
            0x05c SH_DEVMGR_APIS
            0x060 SH_TAPI
            0x064 SH_PATCHER
            0x06c SH_SERVICES

        char    bResched;       /* 0x084 reschedule flag */
        char    cNest;          /* 0x085 kernel exception nesting */
        char    bPowerOff;      /* 0x086 TRUE during "power off" processing */
        char    bProfileOn;     /* 0x087 TRUE if profiling enabled */
        ulong   unused;         /* 0x088 unused */
        ulong   rsvd2;          /* 0x08c was DiffMSec */
        PPROCESS pCurPrc;     
  • 上一篇:SYMANTEC防火墙内核堆栈溢出漏洞利用方法总结
    下一篇:Windows Xp Sp2溢出保护