NtQueryVirtualMemory  Processhandle=0xffffffff MemoryInformationCalss=0

不知道它有和意图！

我最近绕过了这个 保护的所有内核动手脚的地方，但是只要用od附加，就会被弹框，然后电脑重启。于是在内核写了个函数，打印此保护壳，到底都在调用些什么函数!

另外附上此保护调用的大部分内核函数：
pid=6068, num=165(0xa5) FunAddr=806186ae NtQueryPerformanceCounter
pid=6068, num=59(0x3b) FunAddr=80617052                //NtDelayExecution
pid=6068, num=271(0x10f) FunAddr=805c16c4        //NtWaitForSingleObject
pid=6068, num=270(0x10e) FunAddr=805c17ae        //NtWaitForMultipleObjects
pid=6068, num=66(0x42) FunAddr=8057a24a                //NtDeviceIoControlFile
pid=6068, num=188(0xbc) FunAddr=80618036        //NtReleaseMutant

pid=6068, num=173(0xad) FunAddr=806120b8        //NtQuerySystemInformation
pid=6068, num=278(0x116) FunAddr=80505ae8        NtYieldExecution

pid=6068, num=59(0x3b) FunAddr=80617052                //NtDelayExecution

pid=6068, num=154(0x9a) FunAddr=805cdf5e                //NtQueryInformationProcess
pid=6068, num=186(0xba) FunAddr=805b528c                //NtReadVirtualMemory
pid=6068, num=219(0xdb) FunAddr=8060fa80                //NtSetEvent

pid=6068, num=24(0x18) FunAddr=8060f5de                //NtClearEvent
pid=6068, num=178(0xb2) FunAddr=805b9c38  //NtQueryVirtualMemory                                // ssdt hooked

pid=6068, num=155(0x9b) FunAddr=805ccb8c        NtQueryInformationThread
pid=6068, num=206(0xce) FunAddr=805d5984        //NtResumeThread
pid=6068, num=244(0xf4) FunAddr=80539d72   NtSetTimer

pid=6068, num=32(0x20) FunAddr=80545e7c                //NtContinue
pid=6068, num=25(0x19) FunAddr=805bd4fa                NtClose
pid=6068, num=180(0xb4) FunAddr=805d2240        //NtQueueApcThread
pid=6068, num=190(0xbe) FunAddr=80579eda        NtRemoveIoCompletion
pid=6068, num=32(0x20) FunAddr=80545e7c
pid=6068, num=108(0x6c) FunAddr=805b3004        NtMapViewOfSection

pid=6068, num=254(0xfe) FunAddr=805d58be        //NtSuspendThread
pid=6068, num=267(0x10b) FunAddr=805b3e12        NtUnmapViewOfSection
pid=6068, num=23(0x17) FunAddr=80539be2                NtCancelTimer
pid=6068, num=232(0xe8) FunAddr=80579e78  NtSetIoCompletion

pid=6068, num=122(0x7a) FunAddr=805cc40a        NtOpenProcess
pid=6068, num=137(0x89) FunAddr=805b93e8                //NtProtectVirtualMemory
pid=6068, num=277(0x115) FunAddr=805b5396        //NtWriteVirtualMemory
pid=6068, num=78(0x4e) FunAddr=805b7814                //NtFlushInstructionCache
pid=6068, num=174(0xae) FunAddr=80613878  NtQuerySystemTime
pid=6068, num=163(0xa3) FunAddr=805c6296 NtQueryObject
pid=6068, num=127(0x7f) FunAddr=805c4baa NtOpenSymbolicLinkObject
pid=6068, num=113(0x71) FunAddr=805bf57c        //NtOpenDirectoryObject
pid=6068, num=83(0x53) FunAddr=805b3f7c NtFreeVirtualMemory
pid=6068, num=17(0x11) FunAddr=805a9a9e NtAllocateVirtualMemory
pid=6068, num=170(0xaa) FunAddr=805c4c4a NtQuerySymbolicLinkObject

pid=6068, num=139(0x8b) FunAddr=80577ed6 NtQueryAttributesFile

pid=6068, num=35(0x23) FunAddr=8060f62e        //NtCreateEvent
pid=6068, num=37(0x25) FunAddr=8057a084        NtCreateFile                        ssdt hooked
pid=6068, num=116(0x74) FunAddr=8057b182 NtOpenFile                                ssdt hooked
pid=6068, num=128(0x80) FunAddr=805cc696 NtOpenThread               
pid=6068, num=114(0x72) FunAddr=8060f72e NtOpenEvent

pid=6068, num=220(0xdc) FunAddr=8060fb4a NtSetEventBoostPriority
pid=6068, num=50(0x32) FunAddr=805ac3ac NtCreateSection
pid=6068, num=119(0x77) FunAddr=80625b84 NtOpenKey
pid=6068, num=177(0xb1) FunAddr=806229ea NtQueryValueKey

pid=6068, num=143(0x8f) FunAddr=806113d8 NtQueryDefaultLocale
pid=6068, num=129(0x81) FunAddr=805ee74e NtOpenThreadToken
pid=6068, num=183(0xb7) FunAddr=8057d48a NtReadFile
pid=6068, num=224(0xe0) FunAddr=8057c010 NtSetInformationFile

pid=6068, num=151(0x97) FunAddr=8057ba1e NtQueryInformationFile

pid=6068, num=145(0x91) FunAddr=8057ae64 NtQueryDirectoryFile                ssdt hooked
pid=6068, num=228(0xe4) FunAddr=805cee54 NtSetInformationProcess

[课程]Linux pwn 探索篇！