PAGE:005315DA   mov   eax, large fs:124h ; 得到当前线程  _KTHREAD 结构体的指针
PAGE:005315E0   xor   edx, edx
PAGE:005315E2   cmp   [eax+0D7h], dl ; 比较当前线程之前模式是否为0环，比较_KTHREAD->PreviousMode中的值
PAGE:005315E8   jz    short loc_53161F ; 之前运行模式在0环下，跳走
PAGE:005315EA   mov   [ebp+ms_exc.disabled], edx
PAGE:005315ED   mov   ecx, [ebp+ProcessHandle] ; 取得句柄值地址
PAGE:005315F0   mov   eax, _MmUserProbeAddress ; 获得允许的用户空间大小
PAGE:005315F5   cmp   ecx, eax ; 比较句柄地址是否超过用户空间大小
PAGE:005315F7   jb    short loc_5315FB
PAGE:005315F9   mov   [eax], edx
PAGE:005315FB
PAGE:005315FB loc_5315FB: ; CODE XREF: NtCreateProcessEx(x,x,x,x,x,x,x,x,x)+29 j
PAGE:005315FB   mov   eax, [ecx] 检测地址是否可读
PAGE:005315FD   mov   [ecx], eax ; 检测地址是否可写
PAGE:005315FF   or    [ebp+ms_exc.disabled], 0FFFFFFFFh

PAGE:005300DB   mov   eax, large fs:124h ;         得到 _KTHREAD 结构体指针
PAGE:005300E1   mov   [ebp+CurrentThread], eax ;   保存到局部变量 CurrentThread 中
PAGE:005300E4   mov   cl, [eax+_KTHREAD.___u33._s2.PreviousMode] ; 获得前一种运行模式
PAGE:005300EA   mov   byte ptr [ebp+PreviousMode], cl
PAGE:005300ED   mov   eax, [eax+_KTHREAD.___u6.ApcState.Process] ; 得到 _KPROCESS 结构体指针
PAGE:005300F0   mov   [ebp+CurrentProcess], eax

PAGE:0053010A   cmp   [ebp+ParentProcess], ebx ; 比较父进程句柄是否为0
PAGE:0053010D   jz    short loc_530161
PAGE:0053010F   push  ebx ; HandleInformation
PAGE:00530110   lea   eax, [ebp+ParentEPROCESS] ; 父进程 PEPROCESS
PAGE:00530116   push  eax ; Object
PAGE:00530117   push  [ebp+PreviousMode] ; AccessMode
PAGE:0053011A   push  _PsProcessType ; ObjectType
PAGE:00530120   push  PROCESS_CREATE_PROCESS ; DesiredAccess
PAGE:00530125   push  [ebp+ParentProcess] ; Handle
PAGE:00530128   call  _ObReferenceObjectByHandle@24 ; 根据父进程句柄获取其EPROCESS

PAGE:0053016B   mov   [ebp+Affinity], eax ; 可以运行在父进程job的各个处理器上
PAGE:0053016E   mov   eax, ds:_PsMinimumWorkingSet ; 设置工作集最小数
PAGE:00530173   mov   [ebp+WorkingSetMinimum], eax
PAGE:00530176   mov   eax, ds:_PsMaximumWorkingSet ; 设置工作集最大数
PAGE:0053017B   mov   [ebp+WorkingSetMaximum], eax

PAGE:00530181   push  eax ; Object
PAGE:00530182   push  ebx ; NonPagedPoolCharge
PAGE:00530183   push  ebx ; PagedPoolCharge
PAGE:00530184   push  278h ; ObjectBodySize
PAGE:00530189   push  ebx ; ParseContext
PAGE:0053018A   push  [ebp+PreviousMode] ; OwnershipMode
PAGE:0053018D   push  [ebp+ObjectAttributes] ; ObjectAttributes
PAGE:00530190   push  _PsProcessType ; ObjectType
PAGE:00530196   push  [ebp+PreviousMode] ; ProbeMode
PAGE:00530199   call  _ObCreateObject@36 ; 创建进程 _EPROCESS

PAGE:005301A8   mov   ecx, 9Eh ; <- 设置Process指向的EPROCESS结构为全0
PAGE:005301AD   xor   eax, eax
PAGE:005301AF   mov   ebx, [ebp+Process]
PAGE:005301B2   mov   edi, ebx
PAGE:005301B4   rep stosd ;  - >
PAGE:005301B6   and   dword ptr [ebx+_EPROCESS.RundownProtect.___u0], eax ; ExInitializeRundownProtection (&Process->RundownProtect);
PAGE:005301BC   and   [ebx+_EPROCESS.ProcessLock.___u0.Value], eax ; PspInitializeProcessLock (Process);
PAGE:005301BF   lea   eax, [ebx+_EPROCESS.ThreadListHead] ; <- 初始化EPROCESS线程链表头
PAGE:005301C5   mov   [eax+4], eax
PAGE:005301C8   mov   [eax], eax ;  - >
PAGE:005301CA   push  esi ; ParentProcess
PAGE:005301CB   push  ebx ; NewProcess
PAGE:005301CC   call  _PspInheritQuota@8 ; 继承资源配额
PAGE:005301D1   push  esi ; ParentProcess
PAGE:005301D2   push  ebx ; NewProcess
PAGE:005301D3   call  _ObInheritDeviceMap@8 ; 继承父进程的设备位图

PAGE:005301DC   mov   eax, [esi+_EPROCESS.DefaultHardErrorProcessing]
PAGE:005301E2   mov   [ebx+_EPROCESS.DefaultHardErrorProcessing], eax ; 子进程继承父进程的DefaultHardErrorProcessing
PAGE:005301E8   mov   eax, [esi+_EPROCESS.UniqueProcessId]
PAGE:005301EE   mov   [ebx+_EPROCESS.InheritedFromUniqueProcessId], eax ; 子进程继承父进程的InheritedFromUniqueProcessId

PAGE:00530211   push  0 ; HandleInformation
PAGE:00530213   lea   eax, [ebp+SectionObj]
PAGE:00530219   push  eax ; Object
PAGE:0053021A   push  [ebp+PreviousMode] ; AccessMode
PAGE:0053021D   push  _MmSectionObjectType ; ObjectType
PAGE:00530223   push  8 ; DesiredAccess
PAGE:00530225   push  [ebp+SectionHandle] ; Handle
PAGE:00530228   call  _ObReferenceObjectByHandle@24 ; 
PAGE:00530243   mov   eax, [ebp+SectionObject]
PAGE:00530246   mov   [ebx+_EPROCESS.SectionObject], eax

PAGE:0053024C   cmp   [ebp+DebugPort], 0 ; 调试端口句柄不为空，说明处于调试状态
PAGE:00530250   jz    DEBUGPORT_NULL
PAGE:00530256   push  0 ; HandleInformation
PAGE:00530258   lea   eax, [ebp+DebugPortObj]
PAGE:0053025B   push  eax ; Object
PAGE:0053025C   push  [ebp+PreviousMode] ; AccessMode
PAGE:0053025F   push  _DbgkDebugObjectType ; ObjectType
PAGE:00530265   push  2 ; DesiredAccess = DEBUG_PROCESS_ASSIGN
PAGE:00530267   push  [ebp+DebugPort] ; Handle
PAGE:0053026A   call  _ObReferenceObjectByHandle@24 ; 获取调试端口对象
PAGE:0053026F   mov   edi, eax
PAGE:00530271   test  edi, edi
PAGE:00530273   jl    exit_and_deref
PAGE:00530279   mov   eax, [ebp+DebugPortObj]
PAGE:0053027C   mov   [ebx+_EPROCESS.DebugPort], eax  ;初始化新进程调试端口

PAGE:00530297   cmp   [ebp+ExceptionPort], 0 ; 异常端口不为空获取异常端口对象
PAGE:0053029B   jz    short EXCEPTIONPORT_NULL
PAGE:0053029D   push  0 ; HandleInformation
PAGE:0053029F   lea   eax, [ebp+ExceptionPortObject]
PAGE:005302A2   push  eax ; Object
PAGE:005302A3   push  [ebp+PreviousMode] ; AccessMode
PAGE:005302A6   push  _LpcPortObjectType ; ObjectType
PAGE:005302AC   push  0 ; DesiredAccess
PAGE:005302AE   push  [ebp+ExceptionPort] ; Handle
PAGE:005302B1   call  _ObReferenceObjectByHandle@24 ; 获取异常端口对象
PAGE:005302B6   mov   edi, eax
PAGE:005302B8   test  edi, edi
PAGE:005302BA   jl    exit_and_deref
PAGE:005302C0   mov   eax, [ebp+ExceptionPortObject]
PAGE:005302C3   mov   [ebx+_EPROCESS.ExceptionPort], eax

PAGE:005302DE   lea   eax, [ebp+DirectoryTableBase]
PAGE:005302E1   push  eax ; DirectoryTableBase
PAGE:005302E2   push  ebx ; NewProcess
PAGE:005302E3   push  [ebp+WorkingSetMinimum] ; MinimumWorkingSetSize
PAGE:005302E6   call  _MmCreateProcessAddressSpace@12 ; 

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！