-
-
[旧帖]
hook ZwTerminateThread,无信息被记录
0.00雪花
-
发表于:
2010-4-21 16:19
3250
-
[旧帖] hook ZwTerminateThread,无信息被记录
0.00雪花
在虚拟机中,打开记事本,关闭记事本得不到任何terminathread的信息记录,但是可以得到terminateprocess记录,不知为何
NTSTATUS NewZwTerminateThread( IN HANDLE ThreadHandle OPTIONAL, IN NTSTATUS ExitStatus )
{
NTSTATUS status;
CHAR name[MAXPROCNAMELEN];
PCHAR processname;
PETHREAD Thread;
PEPROCESS ThreadProcess;
CLIENT_ID Cid;
if (ThreadHandle)
{
if (ThreadHandle == ZwCurrentThread())
{
GetProcess(name);
status = ((ZWTERMINATETHREAD)OldZwTerminateThread)(ThreadHandle,ExitStatus);
LogRecord("%s\tNtTerminateThread-my last thread\t\t%s",name,"",ErrorString(status));
}
else
{
processname = ExAllocateFromPagedLookasideList(&FullPathLookaside);
if (processname)
{
ObReferenceObjectByHandle(ThreadHandle,0,NULL,KernelMode,&Thread,NULL);
Cid.UniqueProcess = (ULONG *)((BYTE *)Thread + 0x1ec); //xp 下
Cid.UniqueThread = (ULONG *)((BYTE *)Thread + 0x1f0);
if (Cid.UniqueProcess)
{
PsLookupProcessByProcessId(Cid.UniqueProcess,&ThreadProcess);
strcpy(processname,(char *)ThreadProcess + ProcessNameOffset);
ObDereferenceObject(ThreadProcess);
}
else
{
ThreadProcess = (char *)Thread + 0x220;
strcpy(processname,(char *)ThreadProcess + ProcessNameOffset);
}
ObDereferenceObject(Thread);
}
GetProcess(name);
status = ((ZWTERMINATETHREAD)OldZwTerminateThread)(ThreadHandle,ExitStatus);
LogRecord("%s\tNtTerminateThread\t%s:%d\t%s",name,processname,Cid.UniqueThread,ErrorString(status));
if(processname) ExFreeToPagedLookasideList(&FullPathLookaside,processname);
}
}
else
{
GetProcess(name);
status = ((ZWTERMINATETHREAD)OldZwTerminateThread)(ThreadHandle,ExitStatus);
LogRecord("%s\tNtTerminateThread-itself\t\t%s",name,"",ErrorString(status));
}
return status;
}
[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入!
