[ Windows 10 x64中的RFG(Return Flow Guard)技术研究 ]3

如果开启RFG保护的进程UserFsBase就会指向一个具体的地址值，当然这个地址值并不代表该区域一定会被映射。

3）“影子栈”的内存布局 

   在Win10 Insider Preview14986的版本中KiSwapThreadControlStack并没有被调用，直到15002版本后才被调用。我们可以通过
分析一下14986和15002，15016这几个不同的版本看到“影子栈”在设计上的变化。在14986版本中，我们以分析svchost进程为例来说明
“影子栈”指向的具体地址（Edge在该版本中没开启RFG）。

   通过KiSwapThreadControlStack和PspAllocateThread的分析我们可以确定“影子栈”区域的值是通过MmSwapThreadControlStack
函数来获得。在MmSwapThreadControlStack内部我们可以知道“影子栈”的地址值的来源于进程的eprocess.vadroot结构里面标记的栈信息。

   在MmSwapThreadControlStack中，通过解析进程vadroot树得到了“影子栈”的内存区域。win10已经更新对应的vadroot结构，但可能因为MS
符号没有完全给出，我进行查询的时候是存在问题的。但其中的逻辑可以很清楚的看出，现在，我们也可以明确的回答问题3，那就是“影子栈”的随机性由
win10内存管理机制设计的随机性来保证，鉴于x64平台的巨大地址空间，猜测出“影子栈”的难度还是很大的。

   这里面我们需要清楚就是ethread.UsFsBase的概念其实就是“影子栈”基址与“真实栈”基址的diff差值。Fs的值就是ethread.UsFsBase的值。
对于任意一个开启RFG保护的进程，所有线程的UsFsBase都是同一个值。用户态fs:[rsp]指令“透明的”计算了“影子栈”的地址，即
影子栈地址区域 = ethread.UsFsBase+ rsp = diff + rsp ； 
为什么我称之为区域呢 ？ 因为随着真实栈的rsp的值不同对应“影子栈”的值也不同。“影子栈”基址值存在的vadroot树当中。

Vadroot->_RTL_AVL_TREE->
	_RTL_BALANCED_NODE->
		_MMVAD_SHORT->_
			MI_VAD_EVENT_BLOCK->
				_MI_RFG_PROTECTED_STACK (包含了“影子栈”的具体信息)

这里我们可以看到ControlStackBase就是“影子栈”的基地址。
kd> dt _MI_RFG_PROTECTED_STACK
nt!_MI_RFG_PROTECTED_STACK
   +0x000 ControlStackBase : Ptr64 Void
   +0x008 ControlStackVad  : Ptr64 _MMVAD_SHORT
   +0x010 Busy             : Int4B

通过调试我们就可以获得svchost进程的“影子栈”的区域了，见图2

"Process:"	"svchost.exe"
"PID:"	"3596"

"Type"	"Size"	"Committed"	"Private"	"Total WS"	"Private WS"	"Shareable WS"	"Shared WS"	"Locked WS"	"Blocks"	"Largest"	
"Total"	"2,684,450,952"	"63,752"	"4,368"	"14,904"	"2,932"	"11,972"	"11,280"	""	"541"	""
"Image"	"44,936"	"44,936"	"1,476"	"11,888"	"1,088"	"10,800"	"10,128"	""	"331"	"7,136"
"Mapped File"	"4,104"	"4,104"	""	"384"	""	"384"	"384"	""	"4"	"3,292"
"Shareable"	"2,147,508,760"	"11,756"	""	"780"	""	"780"	"760"	""	"83"	"2,147,483,648"
"Heap"	"3,220"	"768"	"704"	"700"	"696"	"4"	"4"	""	"29"	"1,024"
"Managed Heap"	""	""	""	""	""	""	""	""	""	""
"Stack"	"13,312"	"664"	"664"	"176"	"176"	""	""	""	"45"	"1,024"
-----------------------------
"Private Data"	"536,873,168"	"812"	"812"	"264"	"260"	"4"	"4"	""	"49"	"536,870,912"
-----------------------------
"Page Table"	"712"	"712"	"712"	"712"	"712"	""	""	""	""	""
"Unusable"	"2,740"	""	""	""	""	""	""	""	""	"60"
"Free"	"134,754,503,168"	""	""	""	""	""	""	""	"54"	"133,102,038,528"

 
--------------------------------------------------
 "0000018000000000"	"Private Data"	"536,870,912"	"664"	"664"	"124"	"124"	""	""	""	"31"	"Read/Write"	""
--------------------------------------------------
"  0000018000000000"	"Private Data"	"279,882,192"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BAA74000"	"Private Data"	"48"	"48"	"48"	"16"	"16"	""	""	""	""	"Read/Write"	""
"  000001C2BAA80000"	"Private Data"	"5,588"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BAFF5000"	"Private Data"	"44"	"44"	"44"	"20"	"20"	""	""	""	""	"Read/Write"	""
"  000001C2BB000000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB0F5000"	"Private Data"	"44"	"44"	"44"	"4"	"4"	""	""	""	""	"Read/Write"	""
"  000001C2BB100000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB1F5000"	"Private Data"	"44"	"44"	"44"	"20"	"20"	""	""	""	""	"Read/Write"	""
"  000001C2BB200000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB2F5000"	"Private Data"	"44"	"44"	"44"	"8"	"8"	""	""	""	""	"Read/Write"	""
"  000001C2BB300000"	"Private Data"	"2,004"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB4F5000"	"Private Data"	"44"	"44"	"44"	"16"	"16"	""	""	""	""	"Read/Write"	""
"  000001C2BB500000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB5F5000"	"Private Data"	"44"	"44"	"44"	"16"	"16"	""	""	""	""	"Read/Write"	""
"  000001C2BB600000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB6F5000"	"Private Data"	"44"	"44"	"44"	"4"	"4"	""	""	""	""	"Read/Write"	""
"  000001C2BB700000"	"Private Data"	"2,004"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB8F5000"	"Private Data"	"44"	"44"	"44"	"4"	"4"	""	""	""	""	"Read/Write"	""
"  000001C2BB900000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BB9F5000"	"Private Data"	"44"	"44"	"44"	"4"	"4"	""	""	""	""	"Read/Write"	""
"  000001C2BBA00000"	"Private Data"	"2,004"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BBBF5000"	"Private Data"	"44"	"44"	"44"	"4"	"4"	""	""	""	""	"Read/Write"	""
"  000001C2BBC00000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BBCF5000"	"Private Data"	"44"	"44"	"44"	"8"	"8"	""	""	""	""	"Read/Write"	""
"  000001C2BBD00000"	"Private Data"	"468"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BBD75000"	"Private Data"	"44"	"44"	"44"	""	""	""	""	""	""	"Read/Write"	""
"  000001C2BBD80000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BBE75000"	"Private Data"	"44"	"44"	"44"	""	""	""	""	""	""	"Read/Write"	""
"  000001C2BBE80000"	"Private Data"	"980"	""	""	""	""	""	""	""	""	"Reserved"	""
"  000001C2BBF75000"	"Private Data"	"44"	"44"	"44"	""	""	""	""	""	""	"Read/Write"	""
"  000001C2BBF80000"	"Private Data"	"256,967,168"	""	""	""	""	""	""	""	""	"Reserved"	""
"00007FFFFFFE0000"	"Private Data"	"64"	""	""	""	""	""	""	""	"1"	"Reserved"	""

                    （图2）