u nt!NtCreateProcess
nt!NtCreateProcess:
805c8420 8bff mov edi,edi
805c8422 55 push ebp
805c8423 8bec mov ebp,esp
805c8425 33c0 xor eax,eax
805c8427 f6451c01 test byte ptr [ebp+1Ch],1
805c842b 7401 je nt!NtCreateProcess+0xe (805c842e)
805c842d 40 inc eax
805c842e f6452001 test byte ptr [ebp+20h],1
805c8432 7403 je nt!NtCreateProcess+0x17 (805c8437)
805c8434 83c802 or eax,2
805c8437 807d1800 cmp byte ptr [ebp+18h],0
805c843b 7403 je nt!NtCreateProcess+0x20 (805c8440)
805c843d 83c804 or eax,4
805c8440 6a00 push 0
805c8442 ff7524 push dword ptr [ebp+24h]
805c8445 ff7520 push dword ptr [ebp+20h]
805c8448 ff751c push dword ptr [ebp+1Ch]
805c844b 50 push eax
805c844c ff7514 push dword ptr [ebp+14h]
805c844f ff7510 push dword ptr [ebp+10h]
805c8452 ff750c push dword ptr [ebp+0Ch]
805c8455 ff7508 push dword ptr [ebp+8]
805c8458 e80dffffff call nt!NtCreateProcessEx (805c836a)
805c845d 5d pop ebp
805c845e c22000 ret 20h
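NtCreateProcess only does a bit of validation on its parameters and then calls NtCreateProcessEx, so the real implementation is in that later function. As for the inline hook failing: is it that you did not implement the contents of the first 5 bytes of the original function (on XP)?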
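An added example, not part of the original post: a checker that parses the `u` listing quoted above, works out which whole instructions the first 5 bytes cover, and tests whether a live copy of the prologue is intact or has been replaced by an `E9 rel32` jump. The function names are hypothetical, and the live bytes passed to `check_prologue` are whatever the analyst reads from memory.

```python
import re
import struct

# First lines of the `u nt!NtCreateProcess` listing quoted in the post above.
LISTING = """\
805c8420 8bff mov edi,edi
805c8422 55 push ebp
805c8423 8bec mov ebp,esp
805c8425 33c0 xor eax,eax
805c8427 f6451c01 test byte ptr [ebp+1Ch],1
"""

JMP_LEN = 5  # size of an E9 rel32 jump: the "first 5 bytes" the reply refers to
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(.+)$", re.I)


def parse_listing(text):
    """Return [(address, raw_bytes, mnemonic)] from WinDbg `u` output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return out


def displaced_instructions(insns, patch_len=JMP_LEN):
    """Whole instructions that a patch_len-byte overwrite would cover."""
    covered, total = [], 0
    for insn in insns:
        if total >= patch_len:
            break
        covered.append(insn)
        total += len(insn[1])
    return covered, total


def check_prologue(addr, live, expected):
    """Compare live bytes at addr with the expected prologue; decode an E9 jump."""
    if live[:len(expected)] == expected:
        return ("intact", None)
    if len(live) >= JMP_LEN and live[0] == 0xE9:
        rel = struct.unpack("<i", live[1:5])[0]  # signed 32-bit displacement
        return ("jmp", (addr + JMP_LEN + rel) & 0xFFFFFFFF)
    return ("modified", None)


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    covered, total = displaced_instructions(insns)
    print(total, [mnem for _, _, mnem in covered])
```

For this listing the first three instructions add up to exactly 5 bytes, so the patch boundary falls on an instruction boundary.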