;-----------------------------------------------------------------------
; WinDbg `u` listing of the 32-bit kernel entry point nt!NtOpenProcess
; (x86, stdcall — `ret 10h` pops four DWORD arguments, matching the
; documented prototype NtOpenProcess(ProcessHandle, DesiredAccess,
; ObjectAttributes, ClientId)).  Columns: address, opcode bytes, mnemonic.
;
; Stack-argument map:   [ebp+8]  = ProcessHandle (PHANDLE, out)
;                       [ebp+0Ch] = DesiredAccess
;                       [ebp+10h] = ObjectAttributes
;                       [ebp+14h] = ClientId (PCLIENT_ID, optional)
; Locals seen below:    [ebp-4]   = SEH try level (-1 = outside __try)
;                       [ebp-1Ah] = "ObjectName present" flag
;                       [ebp-19h] = "ClientId present" flag
;                       [ebp-2Ch]/[ebp-28h] = ClientId.UniqueProcess/UniqueThread copy
;                       [ebp-30h] = thread object pointer (NULL here)
;                       [ebp-34h] = captured PreviousMode
;                       [ebp-38h] = ObjectAttributes->Attributes copy
;                       [ebp-24h] = PEPROCESS from lookup
;                       [ebp-20h] = handle returned by ObOpenObjectByPointer
;                       [ebp-0B8h] = ACCESS_STATE, [ebp-0D4h] = AUX_ACCESS_DATA
;
; NOTE(review): the `symbol+offset` labels in this dump are WinDbg's
; nearest-public-symbol guesses, not the real names — e.g. the
; `CIsqrt+0x2da` / `CIsqrt+0x315` targets are almost certainly the private
; SEH prolog/epilog helpers, and `ObReferenceObjectByPointer+0x127` is the
; SEH scope table.  Confirm against matching symbols before relying on them.
; Many conditional branches go to out-of-line blocks outside this listing
; (error raise paths, the open-by-name path, etc.); their roles below are
; inferred from the documented semantics and marked as such.
;
; Length: the last byte of the function proper is the end of `ret 10h`
; (80573ef5 + 3 = 80573ef8), i.e. 80573ef8 - 80573d76 = 0x182 bytes.
; The five `nop`s at 80573ef8..80573efc are inter-function alignment
; padding, not part of NtOpenProcess; a count such as 0x184 or 0x187
; can only arise by including some of that padding.
;-----------------------------------------------------------------------
nt!NtOpenProcess:
80573d76 68c4000000 push 0C4h                                   ; SEH prolog: size of locals (0xC4 bytes)
80573d7b 6810b44e80 push offset nt!ObReferenceObjectByPointer+0x127 (804eb410) ; SEH prolog: scope-table address (mislabelled, see header)
80573d80 e8b6f6f6ff call nt!CIsqrt+0x2da (804e343b)            ; SEH prolog helper (mislabelled, see header): sets up ebp frame + exception registration
80573d85 33f6 xor esi,esi                                       ; esi = 0 for the rest of the function (zero constant / NULL)
80573d87 8975d4 mov dword ptr [ebp-2Ch],esi                     ; ClientId.UniqueProcess copy = 0
80573d8a 33c0 xor eax,eax
80573d8c 8d7dd8 lea edi,[ebp-28h]
80573d8f ab stos dword ptr es:[edi]                             ; ClientId.UniqueThread copy = 0 (single stosd)
80573d90 64a124010000 mov eax,dword ptr fs:[00000124h]         ; eax = current KTHREAD (KPCR.PrcbData.CurrentThread)
80573d96 8a8040010000 mov al,byte ptr [eax+140h]               ; al = KTHREAD.PreviousMode (offset 0x140 on this build)
80573d9c 8845cc mov byte ptr [ebp-34h],al                       ; save PreviousMode for the access checks below
80573d9f 84c0 test al,al
80573da1 0f84d8870600 je nt!ObSetSecurityDescriptorInfo+0x115 (805dc57f) ; KernelMode caller: skip user-pointer probing (out-of-line block)
80573da7 8975fc mov dword ptr [ebp-4],esi                       ; try level = 0 : enter __try around the probes
80573daa a1b4005680 mov eax,dword ptr [nt!MmUserProbeAddress (805600b4)] ; eax = MmUserProbeAddress (user/kernel boundary)
80573daf 8b4d08 mov ecx,dword ptr [ebp+8]                       ; ecx = ProcessHandle (out pointer supplied by user mode)
80573db2 3bc8 cmp ecx,eax
80573db4 0f8384490800 jae nt!IoCheckFunctionAccess+0x1759d (805f873e) ; unsigned: pointer in kernel range -> presumably raise STATUS_ACCESS_VIOLATION
80573dba 8b01 mov eax,dword ptr [ecx]
80573dbc 8901 mov dword ptr [ecx],eax                           ; read-then-write-back touch = inlined ProbeForWrite of *ProcessHandle
80573dbe 8b5d10 mov ebx,dword ptr [ebp+10h]                     ; ebx = ObjectAttributes
80573dc1 f6c303 test bl,3
80573dc4 0f857b490800 jne nt!IoCheckFunctionAccess+0x175a4 (805f8745) ; not 4-byte aligned -> presumably raise STATUS_DATATYPE_MISALIGNMENT
80573dca a1b4005680 mov eax,dword ptr [nt!MmUserProbeAddress (805600b4)]
80573dcf 3bd8 cmp ebx,eax
80573dd1 0f8378490800 jae nt!IoCheckFunctionAccess+0x175ae (805f874f) ; ObjectAttributes in kernel range -> raise path
80573dd7 397308 cmp dword ptr [ebx+8],esi                       ; ObjectAttributes->ObjectName != NULL ?
80573dda 0f9545e6 setne byte ptr [ebp-1Ah]                      ; ObjectNamePresent flag
80573dde 8b4b0c mov ecx,dword ptr [ebx+0Ch]                     ; ObjectAttributes->Attributes
80573de1 894dc8 mov dword ptr [ebp-38h],ecx                     ; captured copy (avoid re-reading user memory later)
80573de4 8b4d14 mov ecx,dword ptr [ebp+14h]                     ; ecx = ClientId (optional)
80573de7 3bce cmp ecx,esi
80573de9 0f84ebe70200 je nt!ObMakeTemporaryObject+0x4a8 (805a25da) ; ClientId == NULL: skip capture (out-of-line block)
80573def f6c103 test cl,3
80573df2 0f8563490800 jne nt!IoCheckFunctionAccess+0x175ba (805f875b) ; misaligned ClientId -> raise path
80573df8 3bc8 cmp ecx,eax                                       ; eax still = MmUserProbeAddress
80573dfa 0f836d490800 jae nt!IoCheckFunctionAccess+0x175cc (805f876d) ; ClientId in kernel range -> raise path
80573e00 8b01 mov eax,dword ptr [ecx]
80573e02 8945d4 mov dword ptr [ebp-2Ch],eax                     ; capture ClientId->UniqueProcess
80573e05 8b4104 mov eax,dword ptr [ecx+4]
80573e08 8945d8 mov dword ptr [ebp-28h],eax                     ; capture ClientId->UniqueThread
80573e0b c645e701 mov byte ptr [ebp-19h],1                      ; ClientIdPresent = TRUE
80573e0f 834dfcff or dword ptr [ebp-4],0FFFFFFFFh               ; try level = -1 : leave __try (probes done)
80573e13 807de600 cmp byte ptr [ebp-1Ah],0
80573e17 0f8577490800 jne nt!IoCheckFunctionAccess+0x175f3 (805f8794) ; ObjectName given -> open-by-name path (out-of-line)
80573e1d a158185680 mov eax,dword ptr [nt!PsProcessType (80561858)]
80573e22 83c068 add eax,68h                                     ; &PsProcessType->TypeInfo.GenericMapping (this build's OBJECT_TYPE layout)
80573e25 50 push eax                                            ; arg4: GenericMapping
80573e26 ff750c push dword ptr [ebp+0Ch]                        ; arg3: DesiredAccess
80573e29 8d852cffffff lea eax,[ebp-0D4h]
80573e2f 50 push eax                                            ; arg2: &AuxData
80573e30 8d8548ffffff lea eax,[ebp-0B8h]
80573e36 50 push eax                                            ; arg1: &AccessState
80573e37 e88507ffff call nt!SeCreateAccessState (805645c1)      ; SeCreateAccessState(&AccessState,&AuxData,DesiredAccess,GenericMapping)
80573e3c 3bc6 cmp eax,esi
80573e3e 0f8cac000000 jl nt!NtOpenProcess+0x17a (80573ef0)     ; NTSTATUS < 0 -> return it (jumps straight to the epilog)
80573e44 ff75cc push dword ptr [ebp-34h]                        ; arg: PreviousMode
80573e47 ff357ce66880 push dword ptr [nt!SeSystemDefaultDacl+0x9c (8068e67c)] ; arg: LUID.HighPart
80573e4d ff3578e66880 push dword ptr [nt!SeSystemDefaultDacl+0x98 (8068e678)] ; arg: LUID.LowPart (LUID passed by value; label is nearest-symbol — plausibly SeDebugPrivilege, confirm)
80573e53 e8b4feffff call nt!SeSinglePrivilegeCheck (80573d0c)   ; SeSinglePrivilegeCheck(PrivilegeLuid, PreviousMode)
80573e58 84c0 test al,al
80573e5a 0f85c57d0100 jne nt!RtlNtStatusToDosError+0x7b (8058bc25) ; privilege held -> out-of-line block (presumably marks AccessState accordingly)
80573e60 807de600 cmp byte ptr [ebp-1Ah],0
80573e64 0f8548490800 jne nt!IoCheckFunctionAccess+0x17611 (805f87b2) ; ObjectName given -> open-by-name path (out-of-line)
80573e6a 807de700 cmp byte ptr [ebp-19h],0
80573e6e 0f8478e70200 je nt!ObMakeTemporaryObject+0x4ba (805a25ec) ; neither name nor ClientId -> out-of-line failure path
80573e74 8975d0 mov dword ptr [ebp-30h],esi                     ; Thread = NULL
80573e77 3975d8 cmp dword ptr [ebp-28h],esi
80573e7a 0f8588c90100 jne nt!NtAdjustPrivilegesToken+0xc07 (80590808) ; UniqueThread given -> thread-qualified lookup (out-of-line)
80573e80 8d45dc lea eax,[ebp-24h]
80573e83 50 push eax                                            ; arg2: &Process
80573e84 ff75d4 push dword ptr [ebp-2Ch]                        ; arg1: UniqueProcess (PID)
80573e87 e871000000 call nt!PsLookupProcessByProcessId (80573efd)
80573e8c 8bf8 mov edi,eax                                       ; edi = status (kept across the calls below)
80573e8e 3bfe cmp edi,esi
80573e90 0f8c33e70200 jl nt!ObMakeTemporaryObject+0x497 (805a25c9) ; lookup failed -> out-of-line cleanup path
80573e96 8d45e0 lea eax,[ebp-20h]
80573e99 50 push eax                                            ; arg7: &Handle
80573e9a ff75cc push dword ptr [ebp-34h]                        ; arg6: AccessMode = PreviousMode
80573e9d ff3558185680 push dword ptr [nt!PsProcessType (80561858)] ; arg5: ObjectType
80573ea3 56 push esi                                            ; arg4: DesiredAccess = 0 (already in AccessState)
80573ea4 8d8548ffffff lea eax,[ebp-0B8h]
80573eaa 50 push eax                                            ; arg3: &AccessState
80573eab ff75c8 push dword ptr [ebp-38h]                        ; arg2: HandleAttributes (captured copy)
80573eae ff75dc push dword ptr [ebp-24h]                        ; arg1: Process
80573eb1 e87c8dffff call nt!ObOpenObjectByPointer (8056cc32)
80573eb6 8bf8 mov edi,eax                                       ; edi = open status
80573eb8 8d8548ffffff lea eax,[ebp-0B8h]
80573ebe 50 push eax
80573ebf e85a07ffff call nt!SeDeleteAccessState (8056461e)      ; SeDeleteAccessState(&AccessState)
80573ec4 8b4dd0 mov ecx,dword ptr [ebp-30h]
80573ec7 3bce cmp ecx,esi
80573ec9 0f854fc90100 jne nt!NtAdjustPrivilegesToken+0xc1d (8059081e) ; Thread != NULL -> out-of-line (presumably dereferences it)
80573ecf 8b4ddc mov ecx,dword ptr [ebp-24h]                     ; fastcall arg: Process
80573ed2 e87961f6ff call nt!ObfDereferenceObject (804da050)     ; drop the reference taken by the lookup
80573ed7 3bfe cmp edi,esi
80573ed9 7c13 jl nt!NtOpenProcess+0x178 (80573eee)              ; open failed -> return status without touching *ProcessHandle
80573edb c745fc02000000 mov dword ptr [ebp-4],2                 ; try level = 2 : __try around the user write-back
80573ee2 8b45e0 mov eax,dword ptr [ebp-20h]
80573ee5 8b4d08 mov ecx,dword ptr [ebp+8]
80573ee8 8901 mov dword ptr [ecx],eax                           ; *ProcessHandle = Handle
80573eea 834dfcff or dword ptr [ebp-4],0FFFFFFFFh               ; leave __try
80573eee 8bc7 mov eax,edi                                       ; return value = status
80573ef0 e881f5f6ff call nt!CIsqrt+0x315 (804e3476)            ; SEH epilog helper (mislabelled, see header)
80573ef5 c21000 ret 10h                                         ; stdcall: pop 4 args; last byte of the function = 80573ef8
80573ef8 90 nop                                                 ; alignment padding after the function (not part of it)
80573ef9 90 nop
80573efa 90 nop
80573efb 90 nop
80573efc 90 nop
此为函数NtOpenProcess,我想知道如何计算出这个函数的长度,别人计算的长度是0x184,我用80573efc-80573d76+1但是得到的却是0x187,而用80573ef5-80573d76+3却等于0x182,
请问0x184是如何得来的?
而那篇讨论NtOpenProcess长度的文章是:
http://bbs.pediy.com/showthread.php?t=85491&highlight=DNF+Inline+%E7%BB%95%E8%BF%87+Hook