从Platform Builder来看，Windows CE支持相当多CPU，但现在市场上实际销售的PDA几乎全部采用ARM芯片。ARM是一个RISC构架的32位微处理器，它一次有16个可见的寄存器r0-r15，其中r0-r7是通用寄存器，并可以做任何目的；r8-r12也是通用寄存器，但是在切换到FIQ模式的时候使用它们的影子(shadow)寄存器；最后这三个是特殊寄存器： r13 (sp) 堆栈指针 r14 (lr) 链接寄存器 r15 (pc/psr) 程序计数器/状态寄存器 IDA Pro和调试器里都是用别名表示。和其它RISC指令类似，ARM指令主要有分支(branch)指令、载入和存储指令和其它指令等。除了载入和存储指令，其它指令都是不能直接操作内存的，而且载入和存储指令操作的是4字节类型，那么内存地址必须要求4字节对齐，这也是RISC指令和CISC指令差异比较大的地方，在操作字符串的时候相对就比较麻烦。ARM指令一个很有趣的地方就是可以直接修改访问pc寄存器，这样如果写shellcode的话就不必象SPARC或PowerPC一样需要多条指令来定位自身。 另外，Windows CE默认使用的字节序是little-endian。 [ Windows CE核心结构 Windows CE是一个32位的操作系统，所以其虚拟内存的大小是4GB(2的32次方)。Windows CE把这4GB虚拟内存空间分为低地址2GB和高地址2GB，应用程序使用的地址空间是低地址2GB，高地址2GB专供Windows CE内核使用。在Windows CE源码的PRIVATE/WINCEOS/COREOS/NK/INC/nkarm.h头文件里有一些有趣的信息： /* High memory layout * * This structure is mapped in at the end of the 4GB virtual * address space * *xFFFD first level page table (uncached) (2nd half is r/o) *xFFFD disabled for protection *xFFFE second level page tables (uncached) *xFFFE disabled for protection *xFFFF exception vectors *xFFFF not used (r/o) *xFFFF disabled for protection *xFFFF r/o (physical overlaps with vectors) *xFFFF Interrupt stack (k) *xFFFF r/o (physical overlaps with Abort stack & FIQ stack) *xFFFF disabled for protection *xFFFF r/o (physical memory overlaps with vectors & intr stack & FIQ stack) *xFFFF Abort stack (k bytes) * xFFFF disabled for protection *xFFFF r/o (physical memory overlaps with vectors & intr stack) *xFFFF FIQ stack ( bytes) *xFFFF r/o (physical memory overlaps with Abort stack) *xFFFF disabled *xFFFFC kernel stack *xFFFFC KDataStruct *xFFFFCC disabled for protection (2nd level page table for xFFF) */ typedef struct arm_HIGH { ulongfirstPT[];// xFFFD: 1st level page table PAGETBLaPT[];// xFFFD: 2nd level page tables charreserved[xx*sizeof(PAGETBL)]; charexVectors[x];// xFFFF: exception vectors charreserved[xx]; charintrStack[x];// xFFFF: interrupt stack charreserved[xx]; charabortStack[x];// xFFFF: abort stack charreserved[xx]; charfiqStack[x];// xFFFF: FIQ stack charreserved[xCx]; charkStack[x];// xFFFFC: 
kernel stack struct KDataStruct kdata; // xFFFFC: kernel data page } arm_HIGH; 其中KDataStruct的结构非常重要而且有意思，有些类似Win32下的PEB结构，定义了系统各种重要的信息： struct KDataStruct { LPDWORD lpvTls; /* x Current thread local storage pointer */ HANDLEahSys[NUM_SYS_HANDLES]; /* x If this moves change kapi.h */ // NUM_SYS_HANDLES == : PUBLIC/COMMON/SDK/INC/kfuncs.h x SH_WIN x SH_CURTHREAD xc SH_CURPROC x SH_KWIN x SH_GDI x SH_WMGR xc SH_WNET x SH_COMM x SH_FILESYS_APIS x SH_SHELL xc SH_DEVMGR_APIS x SH_TAPI x SH_PATCHER xc SH_SERVICES charbResched; /* x reschedule flag */ charcNest;/* x kernel exception nesting */ charbPowerOff;/* x TRUE during power off processing */ charbProfileOn; /* x TRUE if profiling enabled */ ulong unused; /* x unused */ ulong rsvd;/* xc was DiffMSec */ PPROCESS pCurPrc; /* x ptr to current PROCESS struct */ PTHREAD pCurThd;/* x ptr to current THREAD struct */ DWORD dwKCRes;/* x*/ ulong handleBase; /* xc handle table base address */ PSECTION aSections[]; /* xa section table for virutal memory */ LPEVENT alpeIntrEvents[SYSINTR_MAX_DEVICES];/* xa */ LPVOIDalpvIntrData[SYSINTR_MAX_DEVICES];/* x */ ulong pAPIReturn; /* xa direct API return address for kernel mode */ uchar *pMap;/* xa ptr to MemoryMap array */ DWORD dwInDebugger; /* xa ! 
when in debugger */ PTHREAD pCurFPUOwner; /* xac current FPU owner */ PPROCESS pCpuASIDPrc; /* xb current ASID proc */ longnMemForPT;/* xb Memory used for PageTables */ longalPad[];/* xb padding */ DWORD aInfo[];/* x misc kernel info */ // PUBLIC/COMMON/OAK/INC/pkfuncs.h xKINX_PROCARRAY address of process array xKINX_PAGESIZEsystem page size xKINX_PFN_SHIFT shift for page # in PTE xcKINX_PFN_MASKmask for page # in PTE xKINX_PAGEFREE# of free physical pages xKINX_SYSPAGES# of pages used by kernel xKINX_KHEAP ptr to kernel heap array xcKINX_SECTIONSptr to SectionTable array xKINX_MEMINFO ptr to system MemoryInfo struct xKINX_MODULES ptr to module list xKINX_DLL_LOW lower bound of DLL shared space xcKINX_NUMPAGEStotal # of RAM pages xKINX_PTOC ptr to ROM table of contents xKINX_KDATA_ADDRkernel mode version of KData xKINX_GWESHEAPINFOCurrent amount of gwes heap in use xcKINX_TIMEZONEBIASFast timezone bias info xKINX_PENDEVENTSbit mask for pending interrupt events xKINX_KERNRESERVE number of kernel reserved pages xKINX_API_MASKbit mask for registered api sets xcKINX_NLS_CPhiword OEM code page loword ANSI code page xKINX_NLS_SYSLOCDefault System locale xKINX_NLS_USERLOC Default User locale xKINX_HEAP_WASTEKernel heap wasted space xcKINX_DEBUGGERFor use by debugger for protocol communication xKINX_APISETS APIset pointers xKINX_MINPAGEFREE water mark of the minimum number of free pages xKINX_CELOGSTATUS CeLog status flags xcKINX_NKSECTION Address of NKSection xKINX_PWR_EVTSEvents to be set after power on xcKINX_NKSIG last entry of KINFO signature when NK is ready /* x interlocked api code */ /* x end */ } Win32下可以通过PEB结构定位kernel32.dll的基址，然后通过PE文件结构查找Windows API。在Windows CE下coredll.dll的作用相当于Win32的kernel32.dll。由于KDataStruct结构开始于0xFFFFC800，偏移0x324的aInfo[KINX_MODULES]是一个指向模块链表的指针，通过这个链表能否找到coredll.dll模块呢?让我们来看一下模块的结构： // PRIVATE/WINCEOS/COREOS/NK/INC/kernel.h typedef struct Module {