For a program in r3 (user mode), you can find the code that opens a port by setting breakpoints on the corresponding socket APIs and looking at the module code that opens the port.
In r0 (kernel mode), which kernel API is a port opened through? How can I find the module code that opens the port?
For example, the NetBIOS ports 139, 445 and so on are all opened by the System process; how do I determine this?
Call stacks listed with a process manager:
//tcp445
ntkrnlpa.exe!IoBuildPartialMdl+0xed
ntkrnlpa.exe!NtMakePermanentObject+0x11b2
ntkrnlpa.exe!ObOpenObjectByName+0xea
ntkrnlpa.exe!IoCreateDevice+0x745
ntkrnlpa.exe!IoCreateFile+0x8e
ntkrnlpa.exe!NtCreateFile+0x30
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
ntkrnlpa.exe!ZwCreateFile+0x11
netbt.sys!NbtCreateAddressObjects+0x13e
netbt.sys!NbtCreateSmbDevice+0xc8
netbt.sys!DriverEntry+0x215
ntkrnlpa.exe!NtWriteFile+0x449f
ntkrnlpa.exe!IoReportHalResourceUsage+0x172c
//tcp139
ntkrnlpa.exe!IoBuildPartialMdl+0xed
360netmon.sys+0x14e4
ntkrnlpa.exe!IoBuildPartialMdl+0xed
HookTdi.sys+0x2e2a
HookTdi.sys+0x2f21
HookTdi.sys+0x191c
ntkrnlpa.exe!NtMakePermanentObject+0x11b2
ntkrnlpa.exe!ObOpenObjectByName+0xea
ntkrnlpa.exe!IoCreateDevice+0x745
ntkrnlpa.exe!IoCreateFile+0x8e
ntkrnlpa.exe!NtCreateFile+0x30
Hookport.sys+0x1ba8
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
//udp137
ntkrnlpa.exe!IoBuildPartialMdl+0xed
360netmon.sys+0x14e4
ntkrnlpa.exe!IoBuildPartialMdl+0xed
HookTdi.sys+0x2e2a
HookTdi.sys+0x2f21
HookTdi.sys+0x191c
ntkrnlpa.exe!NtMakePermanentObject+0x11b2
ntkrnlpa.exe!ObOpenObjectByName+0xea
ntkrnlpa.exe!IoCreateDevice+0x745
ntkrnlpa.exe!IoCreateFile+0x8e
ntkrnlpa.exe!NtCreateFile+0x30
Hookport.sys+0x1ba8
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
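An added illustration (my own example, not code from the poster or from any of the drivers in the traces above): on the TDI-based kernels these traces come from, a kernel driver does not call a socket API to open a port. It opens a transport address object with ZwCreateFile on \Device\Tcp or \Device\Udp, which is exactly the netbt.sys!NbtCreateAddressObjects -> ZwCreateFile path visible in the tcp445 stack, and it passes the port in an extended-attribute (EA) buffer whose name is "TransportAddress". So the kernel-mode counterpart of a breakpoint on bind() is a breakpoint on ZwCreateFile/IoCreateFile for those two device names (or a TDI filter attached to them, which is what a driver sitting in the 139/137 stacks would be doing): decode the EA to get the port, and the return address on the stack names the module. The struct layouts below mirror the public tdi.h/ntifs.h declarations but are redefined here so the example compiles on any C toolchain; the builder is what a TDI client does, the parser is what a filter or a debugger helper would do with the same buffer.

```c
/* TDI transport-address EA: the buffer a kernel driver hands to ZwCreateFile
 * when it opens a port on \Device\Tcp or \Device\Udp. Layouts mirror tdi.h /
 * ntifs.h (assumed from the public DDK headers; redefined so this compiles anywhere). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TDI_TRANSPORT_ADDRESS_LENGTH 16      /* strlen("TransportAddress") */
#define TDI_ADDRESS_TYPE_IP          2
#define TDI_ADDRESS_LENGTH_IP        14
static const char TdiTransportAddress[] = "TransportAddress";

#pragma pack(push, 1)                        /* tdi.h wraps these in packon.h */
typedef struct {
    uint32_t NextEntryOffset;
    uint8_t  Flags;
    uint8_t  EaNameLength;
    uint16_t EaValueLength;
    char     EaName[1];                      /* NUL-terminated; EA value follows the NUL */
} FILE_FULL_EA_INFORMATION;
typedef struct { uint16_t sin_port; uint32_t in_addr; uint8_t sin_zero[8]; } TDI_ADDRESS_IP; /* network order */
typedef struct { uint16_t AddressLength; uint16_t AddressType; TDI_ADDRESS_IP Address; } TA_ADDRESS_IP;
typedef struct { int32_t TAAddressCount; TA_ADDRESS_IP Address[1]; } TA_IP_ADDRESS;
#pragma pack(pop)

/* header (8) + name (16) + NUL (1) + TA_IP_ADDRESS (22) = 47 bytes */
#define TDI_ADDRESS_EA_LENGTH (offsetof(FILE_FULL_EA_INFORMATION, EaName) + \
                               TDI_TRANSPORT_ADDRESS_LENGTH + 1 + sizeof(TA_IP_ADDRESS))
_Static_assert(sizeof(TDI_ADDRESS_IP) == TDI_ADDRESS_LENGTH_IP, "TDI_ADDRESS_IP must be 14 bytes");
_Static_assert(sizeof(TA_IP_ADDRESS) == 22, "TA_IP_ADDRESS must be 22 bytes");

/* byte-wise network-order helpers, so the code is correct on any host endianness */
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Builder (TDI client side): fill buf with the EA that binds port/ipv4 (host order).
 * Returns bytes written, or 0 if buf is too small. */
size_t build_tdi_address_ea(uint8_t *buf, size_t cap, uint16_t port, uint32_t ipv4)
{
    if (cap < TDI_ADDRESS_EA_LENGTH) return 0;
    memset(buf, 0, TDI_ADDRESS_EA_LENGTH);
    FILE_FULL_EA_INFORMATION *ea = (FILE_FULL_EA_INFORMATION *)buf;
    ea->NextEntryOffset = 0;
    ea->Flags = 0;
    ea->EaNameLength = TDI_TRANSPORT_ADDRESS_LENGTH;
    ea->EaValueLength = (uint16_t)sizeof(TA_IP_ADDRESS);
    memcpy(ea->EaName, TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH + 1);
    uint8_t *value = buf + offsetof(FILE_FULL_EA_INFORMATION, EaName) + TDI_TRANSPORT_ADDRESS_LENGTH + 1;
    TA_IP_ADDRESS *ta = (TA_IP_ADDRESS *)value;
    ta->TAAddressCount = 1;
    ta->Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
    ta->Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
    uint8_t *ip = value + offsetof(TA_IP_ADDRESS, Address) + offsetof(TA_ADDRESS_IP, Address);
    put_be16(ip + offsetof(TDI_ADDRESS_IP, sin_port), port);
    put_be32(ip + offsetof(TDI_ADDRESS_IP, in_addr), ipv4);
    return TDI_ADDRESS_EA_LENGTH;
}

/* Parser (filter / debugger side): given the EA buffer of an IRP_MJ_CREATE on
 * \Device\Tcp or \Device\Udp, recover the port and address being bound (host order).
 * Returns 1 on success, 0 if this is not a well-formed TransportAddress EA. */
int parse_tdi_address_ea(const uint8_t *buf, size_t len, uint16_t *port, uint32_t *ipv4)
{
    if (len < offsetof(FILE_FULL_EA_INFORMATION, EaName)) return 0;
    const FILE_FULL_EA_INFORMATION *ea = (const FILE_FULL_EA_INFORMATION *)buf;
    if (ea->EaNameLength != TDI_TRANSPORT_ADDRESS_LENGTH) return 0;
    size_t value_off = offsetof(FILE_FULL_EA_INFORMATION, EaName) + ea->EaNameLength + 1;
    if (len < value_off + ea->EaValueLength) return 0;           /* truncated buffer */
    if (memcmp(ea->EaName, TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH) != 0) return 0;
    if (ea->EaValueLength < sizeof(TA_IP_ADDRESS)) return 0;
    const TA_IP_ADDRESS *ta = (const TA_IP_ADDRESS *)(buf + value_off);
    if (ta->TAAddressCount < 1) return 0;
    if (ta->Address[0].AddressType != TDI_ADDRESS_TYPE_IP ||
        ta->Address[0].AddressLength != TDI_ADDRESS_LENGTH_IP) return 0;   /* not IPv4 */
    const uint8_t *ip = buf + value_off + offsetof(TA_IP_ADDRESS, Address) + offsetof(TA_ADDRESS_IP, Address);
    *port = get_be16(ip + offsetof(TDI_ADDRESS_IP, sin_port));
    *ipv4 = get_be32(ip + offsetof(TDI_ADDRESS_IP, in_addr));
    return 1;
}

/* Round-trip helpers: build, then parse; -1 means the parser rejected the buffer. */
int roundtrip_port(uint16_t port, uint32_t ipv4)
{
    uint8_t buf[64]; uint16_t p; uint32_t a;
    if (build_tdi_address_ea(buf, sizeof buf, port, ipv4) != TDI_ADDRESS_EA_LENGTH) return -1;
    return parse_tdi_address_ea(buf, TDI_ADDRESS_EA_LENGTH, &p, &a) ? (int)p : -1;
}
long long roundtrip_ipv4(uint16_t port, uint32_t ipv4)
{
    uint8_t buf[64]; uint16_t p; uint32_t a;
    if (build_tdi_address_ea(buf, sizeof buf, port, ipv4) != TDI_ADDRESS_EA_LENGTH) return -1;
    return parse_tdi_address_ea(buf, TDI_ADDRESS_EA_LENGTH, &p, &a) ? (long long)a : -1;
}
/* An all-zero 47-byte buffer carries no "TransportAddress" name; returns 1 if rejected. */
int rejects_non_tdi_ea(void)
{
    uint8_t zeros[TDI_ADDRESS_EA_LENGTH] = {0}; uint16_t p; uint32_t a;
    return parse_tdi_address_ea(zeros, sizeof zeros, &p, &a) == 0;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_tdi_address_ea(buf, sizeof buf, 445, 0);  /* 0.0.0.0:445, the SMB listener */
    printf("TransportAddress EA for 0.0.0.0:445 (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf("%s%02x", (i % 16) ? " " : "\n  ", buf[i]);
    printf("\nparsed port = %d\n", roundtrip_port(445, 0));
    return 0;
}
```

In a debugger the same decoding is done by hand: break on the ZwCreateFile that netbt.sys (or any other driver) makes with an ObjectName of \Device\Tcp or \Device\Udp, walk EaBuffer to offset 25, and read the big-endian port at offset 8 of the TA_IP_ADDRESS; the return address one frame up is the module that opened the port. A TDI filter attached to those devices sees the identical buffer in the IRP_MJ_CREATE parameters and can log driver and port the same way.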