[求助]关于PsCreateSystemThread的一点问题
发表于:
2013-4-20 15:24
4759
[求助]关于PsCreateSystemThread的一点问题
/*
 * Hook replacement for PsCreateSystemThread.
 *
 * Calls the original routine first, then, only for threads created with
 * ProcessHandle == NULL, compares the new thread's id (ClientId->UniqueThread)
 * against a hard-coded value and, on a match, reports STATUS_ACCESS_DENIED
 * to the caller.
 *
 * Parameters mirror PsCreateSystemThread (same order and direction).
 * OriginalPsCreateSystemThread and JmpAddress are defined elsewhere in this
 * file; the trampoline mechanism they implement is not visible here.
 *
 * NOTE(review): as written this hook cannot prevent a thread from being
 * created. The original is invoked unconditionally before any check, so by
 * the time the comparison runs the new thread already exists and may be
 * running; a denial after the fact only changes the status value the caller
 * receives. To actually refuse creation, the decision must be taken BEFORE
 * OriginalPsCreateSystemThread is called. The creator cannot be identified
 * from ClientId at that point (it is an OUT parameter and holds nothing
 * meaningful before the call); the natural identity of the caller is the
 * current thread/process (e.g. PsGetCurrentThreadId / PsGetCurrentProcessId
 * — confirm that is what the author wants to match on).
 */
NTSTATUS MyPsCreateSystemThread(
OUT PHANDLE ThreadHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle OPTIONAL,
OUT PCLIENT_ID ClientId OPTIONAL,
IN PKSTART_ROUTINE StartRoutine,
IN PVOID StartContext
)
{
NTSTATUS rc;
HANDLE PID;
/* NOTE(review): EP is declared but never used; drop it. */
PEPROCESS EP;
/* Hard-coded id that the hook denies. NOTE(review): a magic number,
   presumably read off a live debugging session; it will not survive a
   reboot or a different victim, and it is later compared against a THREAD
   id even though the variable it is copied into is named MyPid. */
int a = 1292;
HANDLE MyPid;
/* NOTE(review): if JmpAddress is a pointer, "%x" truncates it on 64-bit
   builds; "%p" is the portable specifier. The format string also lacks a
   trailing newline, so it runs into the next debugger line. */
KdPrint(("JmpAddress :0x%x",JmpAddress));
/* The real thread is created here, unconditionally — see the header note. */
rc = (NTSTATUS)OriginalPsCreateSystemThread(ThreadHandle,DesiredAccess,ObjectAttributes,
ProcessHandle,ClientId,StartRoutine,StartContext);
/* Only threads requested with a NULL process handle (the case used for
   creating threads in the System process) are inspected. */
if(ProcessHandle == NULL)
{
if(ClientId != NULL)
{
MyPid = (HANDLE)a;
KdPrint(("%d\n", (int)MyPid));
/* Despite its name, PID receives the new thread's id, not a process id. */
PID = ClientId->UniqueThread;
if (PID == MyPid)
{
/* NOTE(review): these two assignments overwrite the hook's LOCAL copies
   of the pointer parameters and have no effect on the caller; the
   caller still receives the handle and client id filled in by the
   original call above. Clearing the caller's outputs would require
   writing through the pointers (*ThreadHandle = NULL), and the handle
   the original already opened would then be leaked rather than
   closed. */
ThreadHandle = NULL;
ClientId = NULL;
rc = STATUS_ACCESS_DENIED;
}
}
/* NOTE(review): a bare RET inside a compiled C body. Unless this function
   is declared naked and the trampoline at JmpAddress arranges the stack
   accordingly (neither is visible here), ESP does not point at the return
   address at this point, so this returns to garbage; in addition, the
   signature has seven stdcall arguments (0x1C bytes), not the 0x10 popped
   here, and this path bypasses the compiler epilogue and the `return rc`
   below, so `rc` is never delivered through it. */
__asm
{
retn 0x10
}
}
return rc;
}
我想inline hook pscreatesystemthread 来阻止内核线程的自创建(循环创建用xt暂停不了) 这个思路可行吗 困惑中 求大牛指点一下 不胜感激