..., iteratively optimizing the CFG. static bool simplifyFunctionCFG(Function &F, const TargetTransformInfo &TTI, const SimplifyCFGOptions &Options) { bool EverChanged = removeUnreachableBlocks(F); EverChanged |= mergeEmptyReturnBlocks(F); EverChanged |= iterativelySimplifyCFG(F, TTI, Options); // If neither pas...
Before an indirect call, the target address is passed to the _guard_check_icall function, which is where CFG is implemented. On Windows without CFG support this function does nothing. On Windows 10, with CFG support, it points to ntdll!LdrpValidateUserCallTarget. That function takes the target address as its argument and does the following: 1. Accesses a bitmap (called the CFGBitmap) that represents the starting locations of all functions in the process space...
NdrServerCall2 calls VirtualProtect and changes the memory protection of RPCRT4!__guard_check_icall_fptr to PAGE_EXECUTE_READWRITE. 2) Replace the pointer ntdll!LdrpValidateUserCallTarget stored in rpcrt4!__guard_check_icall_fptr with ntdll!KiFastSystemCallRet, which kills the CFG check inside rpcrt4.dll. 3) Restore RPCRT4!__guard_check_icall_fptr's ...
During process creation, LdrpCfgProcessLoadConfig is called in user mode. Figure 19 – In this function, the value of _guard_check_icall is modified to point to LdrpValidateUserCallTarget. 7. Once all of this preparation is complete, if the bit in the CFGBitmap corresponding to the indirect call's target address is not "1", CFG is triggered and the process takes action to handle the exception. The handler is RtlpHandleInvalidUserCallTarget.
If you want the project to inform the menu controller that the current debug target has changed by some other mechanism than the user making a selection with the menu controller, then the project can call UpdateDebugTargets to tell the menu control to update its state at th...
You can see that _guard_check_icall_fptr actually ends up calling the ValidateUserCallTarget function. System: Windows 10 1909. Compiler: VS 2019, win32 release build.
    mov edx, dword ptr ds:[77D112F8]   // fetch the CFGBitmap base address
    mov eax, ecx                       // ecx = address of the function about to be called
    shr eax, 8                         // upper 24 bits of the target address become the dword OFFSET into the bitmap
    mov edx, dword ptr ds:[edx...
tCfgCallTargetInfo.Flags to CFG_CALL_TARGET_VALID (0x1). Once all of our parameters have been set correctly we make the following call: ntdll!NtSetInformationVirtualMemory( hProcess, VmCfgCallTargetInformation, 0x1, &tMemoryPageEntry, &tVmInformation, sizeof(tVmInformation) // == 0x10 ...
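The snippets above describe three pieces of the same mechanism: the 32-bit bitmap lookup in LdrpValidateUserCallTarget (dword index from `shr eax, 8`, bit index from the next address bits, with the odd bit used for targets that are not 16-byte aligned), the kernel marking a target valid on a VmCfgCallTargetInformation request, and the bypass of overwriting __guard_check_icall_fptr with a function that just returns. The C program below is an added example and is not code from any of the quoted sources or from Windows; it simulates that bitmap in user space so the encoding can be stepped through on any platform. The 64 KiB address space, the bitmap size, the addresses 0x1000/0x2008/0x3000 and the function names are all made up for the simulation; `guard_noop` stands in for ntdll!KiFastSystemCallRet (a bare `ret`).

```c
/*
 * Added example (not from the quoted sources): user-space simulation of the
 * 32-bit CFG bitmap. Layout follows the disassembly in the text: one dword of
 * the bitmap covers 256 bytes of code (addr >> 8), each bit covers 8 bytes
 * (addr >> 3), and an unaligned target forces the odd bit of its 16-byte slot.
 * All sizes and addresses are constructed for the simulation.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_SPACE_BYTES   0x10000u                  /* 64 KiB of simulated code (made up) */
#define SIM_BITMAP_DWORDS (SIM_SPACE_BYTES / 256u)  /* one dword per 256 bytes */

static uint32_t cfg_bitmap[SIM_BITMAP_DWORDS];

/* Map a target address to (dword index, bit index) the way the assembly does:
 * shr 8 for the dword, shr 3 for the bit, bit 0 forced on for unaligned addresses. */
static void cfg_locate(uint32_t addr, uint32_t *dword, uint32_t *bit)
{
    *dword = addr >> 8;
    *bit   = (addr >> 3) & 0x1f;
    if (addr & 0xf)
        *bit |= 1;
}

/* What the kernel does for NtSetInformationVirtualMemory(VmCfgCallTargetInformation)
 * with CFG_CALL_TARGET_VALID: set the bit that covers this target. */
bool cfg_mark_valid(uint32_t addr)
{
    uint32_t dword, bit;
    if (addr >= SIM_SPACE_BYTES)
        return false;                     /* outside the simulated space */
    cfg_locate(addr, &dword, &bit);
    cfg_bitmap[dword] |= 1u << bit;
    return true;
}

/* What LdrpValidateUserCallTarget checks: is the target's bit "1"? */
bool cfg_is_valid_target(uint32_t addr)
{
    uint32_t dword, bit;
    if (addr >= SIM_SPACE_BYTES)
        return false;
    cfg_locate(addr, &dword, &bit);
    return (cfg_bitmap[dword] >> bit) & 1u;
}

/* Simulated __guard_check_icall_fptr: the dispatcher every CFG-compiled
 * indirect call goes through. Returns true when the call may proceed. */
typedef bool (*guard_check_fn)(uint32_t);
static bool guard_validate(uint32_t addr) { return cfg_is_valid_target(addr); }
static bool guard_noop(uint32_t addr)     { (void)addr; return true; } /* a bare "ret" */
guard_check_fn guard_check_icall_fptr = guard_validate;

/* The call site as a CFG-enabled compiler emits it: check, then call. */
bool indirect_call_allowed(uint32_t target)
{
    return guard_check_icall_fptr(target);
}

/* The bypass step from the text: swap the dispatcher for the no-op. In a real
 * process the pointer sits in a read-only section, which is why the text first
 * calls VirtualProtect on it. */
void bypass_patch_guard_pointer(void) { guard_check_icall_fptr = guard_noop; }

/* Restore the dispatcher and clear the bitmap (for repeatable runs). */
void reset_guard_state(void)
{
    guard_check_icall_fptr = guard_validate;
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
}

int main(void)
{
    reset_guard_state();
    cfg_mark_valid(0x1000);   /* aligned function start */
    cfg_mark_valid(0x2008);   /* unaligned function start */
    printf("0x1000 valid: %d (expected 1)\n", cfg_is_valid_target(0x1000));
    printf("0x1004 valid: %d (expected 0, unaligned neighbour)\n", cfg_is_valid_target(0x1004));
    printf("0x200c valid: %d (expected 1, shares the odd bit with 0x2008)\n", cfg_is_valid_target(0x200c));
    printf("0x3000 allowed before patch: %d\n", indirect_call_allowed(0x3000));
    bypass_patch_guard_pointer();
    printf("0x3000 allowed after patch:  %d\n", indirect_call_allowed(0x3000));
    return 0;
}
```

Two things fall out of running it that the prose only implies: marking one unaligned target (0x2008) makes every other unaligned address in the same 16-byte slot (0x200c) pass the check, because they share the odd bit; and once the dispatcher pointer is replaced, the bitmap is never consulted at all, so the bypass does not need a single bit changed.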
IVsDebugTargetSelectionService IVsDefaultToolboxTabState IVsDeferredDocView IVsDeferredSaveProject IVsDependency IVsDependencyProvider IVsDeployableProjectCfg IVsDeployableProjectCfg2 IVsDeployDependency IVsDeployDependency2 IVsDeployStatusCallback IVsDesignerInfo IVsDesignTimeAssemblyRes...
Using a forged RPC_MESSAGE and rpcrt4!NdrServerCall2, call VirtualProtect and change the memory protection of rpcrt4!__guard_check_icall_fptr to PAGE_EXECUTE_READWRITE. Replace the pointer ntdll!LdrpValidateUserCallTarget stored in rpcrt4!__guard_check_icall_fptr with ntdll!KiFastSystemCallRet to kill the CFG check inside rpcrt4.dll ...