
Analysis of the NVIDIA Windows graphics driver code leaked by hackers

易中明 看雪学苑 2022-07-01


This article is a featured post from the Pediy (看雪) forum.
Pediy forum author ID: 易中明


BTC mining sent NVIDIA soaring, though of course this also owes to NVIDIA's formidable technical strength in parallel computing. This time, hackers abroad have made NVIDIA's code public, giving people in China a chance to see what NVIDIA's graphics driver looks like.

This post focuses on studying NVIDIA's Windows driver code. Graphics drivers remain fairly mysterious to many people. Only three companies make PC graphics cards: nvidia, intel and amd, so almost nobody gets to touch or study Windows graphics drivers; even people who write game cheats rarely pay attention to the graphics driver itself.

This post dissects the NVIDIA driver, billed as the pinnacle of graphics technology, to get the discussion started.

I won't provide a download link for the source; you can Google it yourself, it is very easy to find.

The methods used are analysing the source code, reversing the binary driver in IDA, and debugging the hardware with windbg, cross-checking each against the others to confirm that the code is genuine.

As shown in the figure below, for safety it is advisable to unpack and analyse the archive inside a VMware virtual machine, since the hackers may have planted malware in some of the scripts (as long as you do not execute the code inside, there is no problem).



Step 1: load the code into Source Insight.


Step 2: find the driver's entry point, DriverEntry.




The code is clearly written in C++ and makes heavy use of classes and templates.


The initialisation code is long, so it is analysed in sections.













Now let's look at the detailed flow of the most important function, DxgkInitialize.





End of the flow.
 
Now on to the binary analysis of the real NVIDIA graphics driver.

Set up the debugging environment and connect with windbg.


Locate the driver:


4: kd> lm

4: kd> lmDvm nvlddmkm
start             end                 module name
fffff80268fa0000 fffff8026b406000   nvlddmkm   (deferred)
    Image path: \SystemRoot\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_19c79fb6254e3b11\nvlddmkm.sys
    Image name: nvlddmkm.sys
    Timestamp:        Tue Sep 14 07:52:22 2021 (613FE436)
    CheckSum:         023C784A
    ImageSize:        02466000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Following this path we find the graphics driver file. At a full 36 MB it is enormous, so NVIDIA clearly put serious effort into the driver.


Load it into IDA Pro and start analysing.






The analysis above shows that the code is genuine; no problem there.


The copyright notice in the code says 2022, so it is fresh out of the oven. A real treasure trove.
Now that we understand how the code is organised, we set a breakpoint on the graphics card's interrupt in windbg, start rendering and watch what happens.



Let's take a look at the NVIDIA card's PCIe configuration space.

1. First determine the bus address (bus number.device number.function number).


Run the following commands in windbg:






NVIDIA really is impressive: it re-implemented on its own the work that Microsoft does.
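The PCIe configuration-space step above, as an added example that is not from the original post or from NVIDIA's code: a small C decoder for the 64-byte type-0 configuration header, plus the legacy 0xCF8 configuration address computed from bus.device.function. The header bytes below are constructed (vendor 0x10DE is NVIDIA's PCI vendor ID; device ID 0x1234 and the BAR values are placeholders), not captured from a real card.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Legacy 0xCF8 configuration address: enable bit | bus | device | function | dword-aligned register. */
uint32_t pci_cfg_addr(uint8_t bus, uint8_t dev, uint8_t func, uint8_t reg) {
    return 0x80000000u | ((uint32_t)bus << 16) | ((uint32_t)(dev & 0x1F) << 11)
         | ((uint32_t)(func & 0x07) << 8) | (reg & 0xFCu);
}

struct pci_bar { uint64_t addr; bool is_io, is64, prefetch; };
struct pci_hdr { uint16_t vendor, device; uint8_t class_code, subclass, header_type; struct pci_bar bar[6]; };

static uint32_t rd32(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 | (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}

/* Decode the type-0 header (little-endian, exactly as read from the device). Returns 0 on success. */
int parse_pci_header(const uint8_t cfg[64], struct pci_hdr *h) {
    memset(h, 0, sizeof *h);
    h->vendor = (uint16_t)rd32(cfg, 0x00);
    h->device = (uint16_t)(rd32(cfg, 0x00) >> 16);
    if (h->vendor == 0xFFFF) return -1;                /* nothing answers at this bus.device.function */
    h->class_code = cfg[0x0B]; h->subclass = cfg[0x0A]; h->header_type = cfg[0x0E] & 0x7F;
    if (h->header_type != 0) return -2;                /* bridges (type 1) lay out BARs differently */
    for (int i = 0; i < 6; i++) {
        uint32_t raw = rd32(cfg, 0x10 + 4 * i);
        struct pci_bar *b = &h->bar[i];
        if (raw & 1) { b->is_io = true; b->addr = raw & ~3u; continue; }
        b->prefetch = (raw & 0x8) != 0;
        b->is64 = ((raw >> 1) & 3) == 2;               /* 64-bit BAR: the next slot holds the high dword */
        if (b->is64 && i == 5) return -3;              /* malformed: a 64-bit BAR cannot start in BAR5 */
        b->addr = raw & ~0xFu;
        if (b->is64) b->addr |= (uint64_t)rd32(cfg, 0x14 + 4 * i++) << 32;
    }
    return 0;
}

/* Constructed sample, not captured from a real card: vendor 0x10DE (NVIDIA), placeholder device 0x1234,
   class 03:00 (VGA), BAR0 32-bit MMIO at 0xF6000000, BAR1 64-bit prefetchable at 0x1E0000000, BAR5 I/O at 0xE000. */
static const uint8_t sample_cfg[64] = {
    0xDE,0x10,0x34,0x12, 0x07,0x04,0x10,0x00, 0xA1,0x00,0x00,0x03, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0xF6, 0x0C,0x00,0x00,0xE0, 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x01,0xE0,0x00,0x00, 0x00,0x00,0x00,0x00, 0xDE,0x10,0x78,0x56,
    0x00,0x00,0x00,0x00, 0x60,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x0B,0x01,0x00,0x00,
};
```

The decoder rejects the all-ones vendor ID that an empty slot returns and the type-1 bridge header, the two cases a raw configuration-space dump most often trips over.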

In summary:

1. The code is genuine.

2. NVIDIA holds its driver to a very high standard (there are many traces of Microsoft in the code; Microsoft clearly helped).

3. The code has enormous research and learning value for current Windows GPU driver development in China and deserves deep study by people in the industry.

4. The driver code is the best material there is for studying NVIDIA graphics cards.

5. When the time is right, it can be compiled and debugged on your own.


The analysis above is only a rough one, intended to get the discussion going; I hope more people will study this code.
It contains a huge amount of information waiting to be mined, and I am sure plenty of interesting things can be found.




Pediy ID: 易中明

https://bbs.pediy.com/user-home-625952.htm

*This article is an original work by 易中明 of the Pediy forum; please credit the Pediy community when reposting.


