NtQueryVirtualMemory ProcessHandle=0xffffffff MemoryInformationClass=0
I have no idea what it intends to do with this!
I recently bypassed all the places where this protector tampers with the kernel, but as soon as I attach with OD, a message box pops up and then the machine reboots. So I wrote a function in the kernel to print out exactly which functions this protector shell is calling!
Also attached are most of the kernel functions this protector calls:
pid=6068, num=165(0xa5) FunAddr=806186ae NtQueryPerformanceCounter
pid=6068, num=59(0x3b) FunAddr=80617052 //NtDelayExecution
pid=6068, num=271(0x10f) FunAddr=805c16c4 //NtWaitForSingleObject
pid=6068, num=270(0x10e) FunAddr=805c17ae //NtWaitForMultipleObjects
pid=6068, num=66(0x42) FunAddr=8057a24a //NtDeviceIoControlFile
pid=6068, num=188(0xbc) FunAddr=80618036 //NtReleaseMutant
pid=6068, num=173(0xad) FunAddr=806120b8 //NtQuerySystemInformation
pid=6068, num=278(0x116) FunAddr=80505ae8 NtYieldExecution
pid=6068, num=59(0x3b) FunAddr=80617052 //NtDelayExecution
pid=6068, num=154(0x9a) FunAddr=805cdf5e //NtQueryInformationProcess
pid=6068, num=186(0xba) FunAddr=805b528c //NtReadVirtualMemory
pid=6068, num=219(0xdb) FunAddr=8060fa80 //NtSetEvent
pid=6068, num=24(0x18) FunAddr=8060f5de //NtClearEvent
pid=6068, num=178(0xb2) FunAddr=805b9c38 //NtQueryVirtualMemory // ssdt hooked
pid=6068, num=155(0x9b) FunAddr=805ccb8c NtQueryInformationThread
pid=6068, num=206(0xce) FunAddr=805d5984 //NtResumeThread
pid=6068, num=244(0xf4) FunAddr=80539d72 NtSetTimer
pid=6068, num=32(0x20) FunAddr=80545e7c //NtContinue
pid=6068, num=25(0x19) FunAddr=805bd4fa NtClose
pid=6068, num=180(0xb4) FunAddr=805d2240 //NtQueueApcThread
pid=6068, num=190(0xbe) FunAddr=80579eda NtRemoveIoCompletion
pid=6068, num=32(0x20) FunAddr=80545e7c
pid=6068, num=108(0x6c) FunAddr=805b3004 NtMapViewOfSection
pid=6068, num=254(0xfe) FunAddr=805d58be //NtSuspendThread
pid=6068, num=267(0x10b) FunAddr=805b3e12 NtUnmapViewOfSection
pid=6068, num=23(0x17) FunAddr=80539be2 NtCancelTimer
pid=6068, num=232(0xe8) FunAddr=80579e78 NtSetIoCompletion
pid=6068, num=122(0x7a) FunAddr=805cc40a NtOpenProcess
pid=6068, num=137(0x89) FunAddr=805b93e8 //NtProtectVirtualMemory
pid=6068, num=277(0x115) FunAddr=805b5396 //NtWriteVirtualMemory
pid=6068, num=78(0x4e) FunAddr=805b7814 //NtFlushInstructionCache
pid=6068, num=174(0xae) FunAddr=80613878 NtQuerySystemTime
pid=6068, num=163(0xa3) FunAddr=805c6296 NtQueryObject
pid=6068, num=127(0x7f) FunAddr=805c4baa NtOpenSymbolicLinkObject
pid=6068, num=113(0x71) FunAddr=805bf57c //NtOpenDirectoryObject
pid=6068, num=83(0x53) FunAddr=805b3f7c NtFreeVirtualMemory
pid=6068, num=17(0x11) FunAddr=805a9a9e NtAllocateVirtualMemory
pid=6068, num=170(0xaa) FunAddr=805c4c4a NtQuerySymbolicLinkObject
pid=6068, num=139(0x8b) FunAddr=80577ed6 NtQueryAttributesFile
pid=6068, num=35(0x23) FunAddr=8060f62e //NtCreateEvent
pid=6068, num=37(0x25) FunAddr=8057a084 NtCreateFile ssdt hooked
pid=6068, num=116(0x74) FunAddr=8057b182 NtOpenFile ssdt hooked
pid=6068, num=128(0x80) FunAddr=805cc696 NtOpenThread
pid=6068, num=114(0x72) FunAddr=8060f72e NtOpenEvent
pid=6068, num=220(0xdc) FunAddr=8060fb4a NtSetEventBoostPriority
pid=6068, num=50(0x32) FunAddr=805ac3ac NtCreateSection
pid=6068, num=119(0x77) FunAddr=80625b84 NtOpenKey
pid=6068, num=177(0xb1) FunAddr=806229ea NtQueryValueKey
pid=6068, num=143(0x8f) FunAddr=806113d8 NtQueryDefaultLocale
pid=6068, num=129(0x81) FunAddr=805ee74e NtOpenThreadToken
pid=6068, num=183(0xb7) FunAddr=8057d48a NtReadFile
pid=6068, num=224(0xe0) FunAddr=8057c010 NtSetInformationFile
pid=6068, num=151(0x97) FunAddr=8057ba1e NtQueryInformationFile
pid=6068, num=145(0x91) FunAddr=8057ae64 NtQueryDirectoryFile ssdt hooked
pid=6068, num=228(0xe4) FunAddr=805cee54 NtSetInformationProcess
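An added example, not code from the post or its author: a small parser for the trace format printed above. It takes lines like `pid=..., num=dec(hex) FunAddr=... [//]NtName [ssdt hooked]`, checks that the decimal and hex syscall indices agree, flags entries the logger marked as SSDT-hooked, reports an index that resolves to two different addresses (which would mean the table entry changed mid-trace), and lists indices with no resolved name. The field names and the five sample lines are constructed for the demo.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One trace line as the post's kernel logger prints it; the "//" prefix,
# the Nt* name and the trailing "ssdt hooked" marker are all optional.
LINE_RE = re.compile(
    r"pid=(?P<pid>\d+),\s*num=(?P<dec>\d+)\((?P<hex>0x[0-9a-fA-F]+)\)\s*"
    r"FunAddr=(?P<addr>[0-9a-fA-F]+)\s*(?://)?\s*(?P<name>Nt\w+)?\s*(?://)?\s*(?P<note>.*)$"
)

@dataclass
class Call:
    pid: int
    num: int            # SSDT index
    addr: int           # resolved function address
    name: Optional[str] # None when the logger printed no symbol
    hooked: bool        # logger annotated the entry as "ssdt hooked"

def parse_line(line: str) -> Optional[Call]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dec, hx = int(m["dec"]), int(m["hex"], 16)
    if dec != hx:  # the two index columns must agree, else the line is corrupt
        raise ValueError(f"index mismatch: {dec} vs {hx}")
    return Call(int(m["pid"]), dec, int(m["addr"], 16), m["name"],
                "ssdt hooked" in m["note"].lower())

def summarize(text: str) -> dict:
    calls = [c for c in map(parse_line, text.splitlines()) if c]
    counts = Counter(c.name or f"#{c.num}" for c in calls)
    hooked = sorted({c.name for c in calls if c.hooked and c.name})
    addr_by_num, conflicts = {}, []
    for c in calls:  # same index must always map to the same address
        if addr_by_num.setdefault(c.num, c.addr) != c.addr:
            conflicts.append(c.num)
    unnamed = sorted({c.num for c in calls if c.name is None})
    return {"total": len(calls), "counts": counts, "hooked": hooked,
            "conflicts": conflicts, "unnamed": unnamed}

# Constructed sample in the post's format (not the full trace).
SAMPLE = """\
pid=6068, num=59(0x3b) FunAddr=80617052 //NtDelayExecution
pid=6068, num=178(0xb2) FunAddr=805b9c38 //NtQueryVirtualMemory // ssdt hooked
pid=6068, num=59(0x3b) FunAddr=80617052 //NtDelayExecution
pid=6068, num=32(0x20) FunAddr=80545e7c
pid=6068, num=37(0x25) FunAddr=8057a084 NtCreateFile ssdt hooked
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```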