[分享]PsLookupProcessByProcessId执行流程学习笔记
贴上代码,以供研究,XP SP2
lkd> x *!PsLookupProcessByProcessId
805d2966 nt!PsLookupProcessByProcessId = <no type information>
lkd> uf 805d2966
; NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process)
; stdcall with two stack arguments (see `ret 8`). The annotations only describe
; what the listed instructions do; symbolic field names are the usual XP SP2 x86
; layouts and should be confirmed with `dt nt!_KTHREAD` / `dt nt!_EPROCESS`.
nt!PsLookupProcessByProcessId:
805d2966 8bff            mov edi,edi                                   ; 2-byte hot-patch nop
805d2968 55              push ebp
805d2969 8bec            mov ebp,esp
805d296b 53              push ebx
805d296c 56              push esi
805d296d 64a124010000    mov eax,dword ptr fs:[00000124h]              ; current KTHREAD (KPCR.PrcbData.CurrentThread)
805d2973 ff7508          push dword ptr [ebp+8]                        ; arg 2: ProcessId (the CID handle)
805d2976 8bf0            mov esi,eax                                   ; esi = current thread
805d2978 ff8ed4000000    dec dword ptr [esi+0D4h]                      ; KTHREAD.KernelApcDisable-- : inlined KeEnterCriticalRegion
805d297e ff35c0385680    push dword ptr [nt!PspCidTable (805638c0)]    ; arg 1: the CID handle table
805d2984 e801ad0300      call nt!ExMapHandleToPointer (8060d68a)       ; eax = locked HANDLE_TABLE_ENTRY* for the CID, or NULL
805d2989 8bd8            mov ebx,eax                                   ; ebx = table entry
805d298b 85db            test ebx,ebx
805d298d c745080d0000c0  mov dword ptr [ebp+8],0C000000Dh              ; ProcessId slot is reused as the return status; default STATUS_INVALID_PARAMETER
805d2994 7432            je nt!PsLookupProcessByProcessId+0x62 (805d29c8)   ; no entry for this CID: nothing was locked, skip straight to the epilogue
nt!PsLookupProcessByProcessId+0x30:
805d2996 57              push edi
805d2997 8b3b            mov edi,dword ptr [ebx]                       ; edi = entry->Object (PspCidTable holds both EPROCESS and ETHREAD objects)
805d2999 803f03          cmp byte ptr [edi],3                          ; DISPATCHER_HEADER.Type == ProcessObject (3)? rejects a thread CID
805d299c 751d            jne nt!PsLookupProcessByProcessId+0x55 (805d29bb)  ; not a process: unlock the entry, status stays INVALID_PARAMETER
nt!PsLookupProcessByProcessId+0x38:
805d299e 83bfa401000000  cmp dword ptr [edi+1A4h],0                    ; EPROCESS.ActiveThreads == 0 ? (process has already exited)
805d29a5 7414            je nt!PsLookupProcessByProcessId+0x55 (805d29bb)
nt!PsLookupProcessByProcessId+0x41:
805d29a7 8bcf            mov ecx,edi                                   ; fastcall arg: the object
805d29a9 e86e3ff5ff      call nt!ObReferenceObjectSafe (8052691c)      ; al = TRUE if a reference was taken; presumably fails once the object is being torn down - confirm
805d29ae 84c0            test al,al
805d29b0 7409            je nt!PsLookupProcessByProcessId+0x55 (805d29bb)  ; could not reference it: fail with INVALID_PARAMETER
nt!PsLookupProcessByProcessId+0x4c:
805d29b2 8b450c          mov eax,dword ptr [ebp+0Ch]                   ; eax = Process (out parameter)
805d29b5 83650800        and dword ptr [ebp+8],0                       ; status = STATUS_SUCCESS
805d29b9 8938            mov dword ptr [eax],edi                       ; *Process = referenced EPROCESS; the caller owns that reference and must ObDereferenceObject it
nt!PsLookupProcessByProcessId+0x55:
805d29bb 53              push ebx                                      ; arg 2: the entry
805d29bc ff35c0385680    push dword ptr [nt!PspCidTable (805638c0)]    ; arg 1: the table
805d29c2 e8dba60300      call nt!ExUnlockHandleTableEntry (8060d0a2)   ; release the entry lock taken by ExMapHandleToPointer
805d29c7 5f              pop edi
nt!PsLookupProcessByProcessId+0x62:
805d29c8 ff86d4000000    inc dword ptr [esi+0D4h]                      ; KernelApcDisable++ : inlined KeLeaveCriticalRegion
805d29ce 7513            jne nt!PsLookupProcessByProcessId+0x7d (805d29e3)  ; still non-zero (nested critical region): no APC check
nt!PsLookupProcessByProcessId+0x6a:
805d29d0 8d4634          lea eax,[esi+34h]                             ; &KTHREAD.ApcState.ApcListHead[KernelMode]
805d29d3 3900            cmp dword ptr [eax],eax                       ; Flink == &head -> list empty, no kernel APC pending
805d29d5 740c            je nt!PsLookupProcessByProcessId+0x7d (805d29e3)
nt!PsLookupProcessByProcessId+0x71:
805d29d7 b101            mov cl,1                                      ; fastcall arg: APC_LEVEL
805d29d9 c6464901        mov byte ptr [esi+49h],1                      ; ApcState.KernelApcPending = TRUE
805d29dd ff150c914d80    call dword ptr [nt!_imp_HalRequestSoftwareInterrupt (804d910c)]  ; request APC delivery now that APCs are re-enabled
nt!PsLookupProcessByProcessId+0x7d:
805d29e3 8b4508          mov eax,dword ptr [ebp+8]                     ; eax = status (SUCCESS or INVALID_PARAMETER)
805d29e6 5e              pop esi
805d29e7 5b              pop ebx
805d29e8 5d              pop ebp
805d29e9 c20800          ret 8                                         ; stdcall: callee pops the two arguments
|