比如 NtCreateProcessEx 这个函数，内容如下：
805c727c 6a0c push 0Ch
805c727e 68b8ae4d80 push offset nt!ObWatchHandles+0x684 (804daeb8)
805c7283 e81812f7ff call nt!_SEH_prolog (805384a0)
805c7288 64a124010000 mov eax,dword ptr fs:[00000124h]
805c728e 33d2 xor edx,edx
805c7290 389040010000 cmp byte ptr [eax+140h],dl
805c7296 7435 je nt!NtCreateProcessEx+0x51 (805c72cd)
805c7298 8955fc mov dword ptr [ebp-4],edx
805c729b 8b4d08 mov ecx,dword ptr [ebp+8]
805c729e a1b48f5580 mov eax,dword ptr [nt!MmUserProbeAddress (80558fb4)]
805c72a3 3bc8 cmp ecx,eax
805c72a5 7202 jb nt!NtCreateProcessEx+0x2d (805c72a9)
805c72a7 8910 mov dword ptr [eax],edx
805c72a9 8b01 mov eax,dword ptr [ecx]
805c72ab 8901 mov dword ptr [ecx],eax
805c72ad 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
805c72b1 eb1d jmp nt!NtCreateProcessEx+0x54 (805c72d0)
805c72b3 8b45ec mov eax,dword ptr [ebp-14h]
805c72b6 8b00 mov eax,dword ptr [eax]
805c72b8 8b00 mov eax,dword ptr [eax]
805c72ba 8945e4 mov dword ptr [ebp-1Ch],eax
805c72bd 33c0 xor eax,eax
805c72bf 40 inc eax
805c72c0 c3 ret
805c72c1 8b65e8 mov esp,dword ptr [ebp-18h]
805c72c4 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
805c72c8 8b45e4 mov eax,dword ptr [ebp-1Ch]
805c72cb eb2d jmp nt!NtCreateProcessEx+0x7e (805c72fa)
805c72cd 8b4d08 mov ecx,dword ptr [ebp+8]
....................................................end
这样的话，HOOK 这个函数的哪个部位比较有优势？HOOK 在前面容易被恢复，HOOK 在后面又没有先手控制权。请大家帮忙讲解一下、给点意见；如果可以的话，就以这个函数为实例讲解，这样更形象一点！