点击下面进入总目录:
64位Windows创建64位进程逆向分析(总目录)
在上一篇文章中,我们介绍了CreateProcess在3环的整个流程。在其中特别提到,当操作系统由3环切换到0环,是由NtCreateUserProcess完成所有关键工作的。
在这篇文章中,我们将会介绍0环函数NtCreateUserProcess的整体流程。
准备工作
我们分析64位的Windows 7发现,其3环切换0环所用的特权指令是syscall(而不是sysenter),不过它们两者的区别主要只在兼容模式是否有效上,与我们分析CreateProcess关系不大。0环3环的切换是既重要又基础的概念,对于还没有概念的朋友,可以先查阅Intel手册或者相关书籍。
NtCreateUserProcess是一个复杂的函数,如果想在成千上万行的汇编代码中不迷失自己的目标,就要把握好它的核心,在此,我们提前强调三个结构体:
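/*
 * Layout of the PROCESS_CREATE_INFO buffer that the caller passes to
 * NtCreateUserProcess (author's reconstruction). Members named Unknown<N>
 * are unidentified and kept only for layout; they are numbered so that the
 * struct has unique member names (C does not allow duplicates).
 */
struct _PPROCESS_CREATE_INFO
{
    QWORD  cb;                   /* size of this structure, in bytes */
    QWORD  Unknown1;
    DWORD  Flags2;
    BYTE   Unknown2;
    WORD   ImageCharacteristics;
    /* Filled in user mode (ring 3); in kernel mode it is copied into
     * CREATEPROCESSCONTEXT.DesiredAccess by PspCaptureCreateInfo and OR'ed
     * into the access used to open the image file. */
    DWORD  DesiredAccess;
    QWORD  Unknown3;
    QWORD  Unknown4;
    QWORD  Unknown5;
    DWORD  Unknown6;
    BYTE   Unknown7;
    DWORD  Flags;
    PVOID* CurrentPeb;           /* PEB of the new process */
    PVOID* ParentProcessPeb;     /* PEB of the parent process */
    QWORD  Unknown8;
    DWORD  Unknown9;
    BYTE   Unknown10;
};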
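/*
 * Working state that NtCreateUserProcess keeps on its own stack (0x150 bytes;
 * the function memsets exactly that size) and hands to the Psp* helpers.
 * Author's reconstruction. Members named Unknown<N> are unidentified and
 * kept only for layout; they are numbered so the struct has unique member
 * names (C does not allow duplicates).
 */
struct CREATEPROCESSCONTEXT
{
    /* Flags, mainly consumed by PspAllocateProcess. Bit 0 selects the
     * parent-process path in NtCreateUserProcess (see the test at D962). */
    DWORD Flags;
    /* Second flag byte. NtCreateUserProcess sets bit 4 (0x10) for a
     * user-mode caller that supplied ProcessObjectAttributes and clears
     * bit 2 (0x04) if capturing ProcessParameters fails. */
    BYTE Flags2;
    BYTE Unknown1;
    /* Image characteristics, taken from SECTION_IMAGE_INFORMATION.ImageCharacteristics. */
    WORD ImageCharacteristics;
    /* Pointer to the CLIENT_ID to fill in, defined as:
     * typedef struct _CLIENT_ID
     * {
     *     HANDLE PID;
     *     HANDLE TID;
     * } CLIENT_ID, *PCLIENT_ID; */
    CLIENT_ID* pClient_ID;
    /* Pointer to the new thread's TEB. */
    TEB* pTeb;
    /* Pointer to the _SECTION_IMAGE_INFORMATION output buffer; supplied through
     * the AttributeList parameter with attribute value 6 (PS_ATTRIBUTE_IMAGE_INFO). */
    SECTION_IMAGE_INFORMATION *pSectionImageInfo;
    /* Pointer to the CREATEINFO structure, initialised by PspCaptureCreateInfo. */
    CREATEINFO *pCreateInfo;
    /* Section image information of the executable once it is mapped. */
    SECTION_IMAGE_INFORMATION SectionImageInfo;
    /* Parent process handle; supplied through AttributeList with attribute
     * value 0x60000 (PS_ATTRIBUTE_PARENT_PROCESS). NtCreateUserProcess
     * references it with PROCESS_CREATE_PROCESS (0x80) access, checked against
     * the caller's previous mode, before accepting it as the parent. */
    HANDLE hParentProcess;
    /* EPROCESS of the new process. */
    EPROCESS* pEprocess;
    /* Debug object handle; supplied through AttributeList when CreateProcess
     * was called with a debug creation flag, otherwise NULL. */
    HANDLE DebugObjectHandle;
    /* Token handle for the new process; supplied through AttributeList with
     * attribute value 0x60002 (PS_ATTRIBUTE_TOKEN). */
    HANDLE hSeTokenObject;
    /* Extra file access the caller asked for (from PROCESS_CREATE_INFO);
     * OR'ed with SYNCHRONIZE | FILE_EXECUTE when the image is opened and
     * dropped on the retry if that first open fails. */
    DWORD DesiredAccess;
    /* Handle to the new process's executable file. */
    HANDLE FileHandle;
    /* File object of the executable. */
    FILE_OBJECT* pFileObject;
    /* Handle to the image section created from FileHandle. */
    HANDLE SectionHandle;
    HANDLE KeyHandle;
    /* Section object referenced from SectionHandle. */
    SECTION_OBJECT* pSectionObject;
    /* _RTL_USER_PROCESS_PARAMETERS pointer (captured copy). */
    PVOID pRtlUserProcessParameter;
    PVOID pBackupRtlUserProcessParameter;
    DWORD Unknown2;
    /* Written inside PspWow64SetupUserProcessAddressSpace; meaning not identified. */
    DWORD Unknown3;
    /* Full NT path of the executable; used as ObjectName when the file is opened. */
    UNICODE_STRING FileName;
    /* Priority class. */
    BYTE PriorityClass;
    /* Copied into the new process's EPROCESS.Pcb.Flags. */
    BYTE EprocessFlags;
    /* Index into the global KeNodeBlock table. */
    WORD KnodeIndex;
    /* Entry of the global KiProcessorNumberToIndexMappingTable. */
    DWORD Mapping;
    QWORD Unknown4;
    QWORD Unknown5;
    QWORD Unknown6;
    QWORD Unknown7;
    DWORD Unknown8;
    DWORD Unknown9;
    QWORD Unknown10;
    QWORD Unknown11;
    DWORD Unknown12;
    /* Supplied through AttributeList with attribute value 0x20009 (PS_ATTRIBUTE_ERROR_MODE). */
    DWORD DefaultHardErrorProcessing;
    QWORD Unknown13;
    /* Compared against the global KiActiveGroups. */
    WORD ActiveGroupCount;
    WORD Unknown14;
    WORD Unknown15;
    WORD Unknown16;
    QWORD Unknown17;
    QWORD Unknown18;
    QWORD Unknown19;
};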
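/*
 * Same layout as the commented version above, repeated without the
 * per-member commentary (0x150 bytes). Unknown<N> members are unidentified
 * fields kept only for layout; they are numbered so the struct has unique
 * member names (C does not allow duplicates).
 */
struct CREATEPROCESSCONTEXT
{
    DWORD Flags;                                  /* used mainly by PspAllocateProcess */
    BYTE Flags2;
    BYTE Unknown1;
    WORD ImageCharacteristics;                    /* from SECTION_IMAGE_INFORMATION */
    CLIENT_ID* pClient_ID;                        /* PID/TID output */
    TEB* pTeb;                                    /* new thread's TEB */
    SECTION_IMAGE_INFORMATION *pSectionImageInfo; /* attribute 6 output buffer */
    CREATEINFO *pCreateInfo;                      /* set by PspCaptureCreateInfo */
    SECTION_IMAGE_INFORMATION SectionImageInfo;
    HANDLE hParentProcess;                        /* attribute 0x60000 */
    EPROCESS* pEprocess;                          /* new process */
    HANDLE DebugObjectHandle;                     /* NULL unless debugging was requested */
    HANDLE hSeTokenObject;                        /* attribute 0x60002 */
    DWORD DesiredAccess;                          /* extra file access requested by the caller */
    HANDLE FileHandle;                            /* executable file */
    FILE_OBJECT* pFileObject;
    HANDLE SectionHandle;                         /* image section */
    HANDLE KeyHandle;
    SECTION_OBJECT* pSectionObject;
    PVOID pRtlUserProcessParameter;               /* captured _RTL_USER_PROCESS_PARAMETERS */
    PVOID pBackupRtlUserProcessParameter;
    DWORD Unknown2;
    DWORD Unknown3;                               /* set in PspWow64SetupUserProcessAddressSpace */
    UNICODE_STRING FileName;                      /* full path of the executable */
    BYTE PriorityClass;
    BYTE EprocessFlags;                           /* -> EPROCESS.Pcb.Flags */
    WORD KnodeIndex;                              /* index into KeNodeBlock */
    DWORD Mapping;                                /* KiProcessorNumberToIndexMappingTable entry */
    QWORD Unknown4;
    QWORD Unknown5;
    QWORD Unknown6;
    QWORD Unknown7;
    DWORD Unknown8;
    DWORD Unknown9;
    QWORD Unknown10;
    QWORD Unknown11;
    DWORD Unknown12;
    DWORD DefaultHardErrorProcessing;             /* attribute 0x20009 */
    QWORD Unknown13;
    WORD ActiveGroupCount;                        /* compared with KiActiveGroups */
    WORD Unknown14;
    WORD Unknown15;
    WORD Unknown16;
    QWORD Unknown17;
    QWORD Unknown18;
    QWORD Unknown19;
};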
struct ALL_ACCESS_STATE //extended form of the ACCESS_STATE structure (author's reconstruction)
{
ACCESS_STATE AssedAccessState;//the standard ACCESS_STATE; see its MSDN documentation for the members
BYTE AuxData[216];//auxiliary data area; contents not identified on this page
DWORD HandleAttributes;
DWORD AcessMode;//access mode (member name kept as the author spelled it)
QWORD hProcess;
};
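// Kernel-mode (ring 0) entry point that CreateProcess reaches through the
// syscall instruction. It returns an NTSTATUS: the disassembly below keeps
// the status in edi and tests it with `cmp edi, ebx` (ebx == 0) after each
// step, and on failure passes it to PsTerminateProcess as the exit status
// (the final return itself lies outside the excerpt).
NTSTATUS NtCreateUserProcess(
    // receives the handle of the new process
    OUT PHANDLE ProcessHandle,
    // receives the handle of the new process's initial thread
    OUT PHANDLE ThreadHandle,
    // access the caller wants on the new process; usually MAXIMUM_ALLOWED (no restriction)
    IN ACCESS_MASK ProcessDesiredAccess,
    // access the caller wants on the new thread; usually MAXIMUM_ALLOWED
    IN ACCESS_MASK ThreadDesiredAccess,
    // object attributes for the process object; may be NULL
    IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL,
    // object attributes for the thread object; may be NULL
    IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL,
    // creation flags for the new process
    IN ULONG CreateProcessFlags,
    // creation flags for the new thread
    IN ULONG CreateThreadFlags,
    // creation parameters: image path, command line, environment block, ...
    IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
    // receives basic information about the new process, e.g. its PEB
    OUT PPROCESS_CREATE_INFO CreateInfo,
    // input attributes: image name, parent process handle, token, ...
    IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList);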
; NtCreateUserProcess, first part (Windows 7 x64, IDA listing). The first four
; arguments arrive in rcx/rdx/r8/r9 and are spilled to the frame; the rest are
; read from the caller's home area. The listing skips ranges of addresses
; (e.g. D7FF -> D8E1), so any register contents stated across a gap are
; inferred, not shown.
000000014031D745 mov [rsp+0B28h+var_ThreadDesiredAccess], r9d ; ThreadDesiredAccess (arg 4)
000000014031D74A mov [rsp+0B28h+var_ProcessDesiredAccess], r8d ; ProcessDesiredAccess (arg 3)
000000014031D74F mov [rsp+0B28h+var_ThreadHandle], rdx ; ThreadHandle (arg 2)
000000014031D757 mov [rsp+0B28h+var_ProcessHandle], rcx ; ProcessHandle (arg 1)
000000014031D75F mov rsi, [rsp+0B28h+ProcessObjectAttributes] ; ProcessObjectAttributes (stack arg 5)
000000014031D767 mov [rsp+0B28h+var_ProcessObjectAttributes], rsi
000000014031D76F mov rax, [rsp+0B28h+ThreadObjectAttributes] ; ThreadObjectAttributes (stack arg 6)
000000014031D777 mov [rsp+0B28h+var_ThreadObjectAttributes], rax ; spill of ThreadObjectAttributes (the listing's earlier "ThreadFlags" tag here was misleading)
000000014031D77F mov rax, [rsp+0B28h+ProcessParameters] ; ProcessParameters
000000014031D787 mov [rsp+0B28h+var_ProcessParameters], rax
000000014031D78F mov r12, [rsp+0B28h+CreateInfo] ; CreateInfo
000000014031D797 mov rdi, [rsp+0B28h+AttributeList] ; AttributeList
000000014031D79F xor ebx, ebx ; rbx = 0 for the rest of the function (used as NULL, 0 and the comparand for status checks)
000000014031D7A1 mov [rsp+130h], rbx
000000014031D7A9 xor edx, edx ; Val = 0
000000014031D7AB lea r8d, [rbx+38h] ; Size = 0x38 (rbx is 0)
000000014031D7AF lea rcx, [rsp+0B28h+Dst] ; Dst
000000014031D7B7 call memset ; memset(&Dst, 0, 0x38)
000000014031D7BC mov [rsp+0B28h+var_Context.P1Home], rbx ; Context.P1Home = 0 (first 8 bytes of the CONTEXT)
000000014031D7C4 xor edx, edx ; Val = 0
000000014031D7C6 mov r8d, 4C8h ; Size = 0x4C8
000000014031D7CC lea rcx, [rsp+0B28h+var_Context.P2Home] ; Dst = &Context.P2Home
000000014031D7D4 call memset ; memset(&Context.P2Home, 0, 0x4C8); with the P1Home store this zeroes the whole x64 CONTEXT (0x4D0 = 8 + 0x4C8), i.e. sizeof(CONTEXT) - sizeof(P1Home), not "- 4"
000000014031D7D9 mov r14, gs:188h ; r14 = KPCR.Prcb.CurrentThread, the current _ETHREAD
000000014031D7E2 mov [rsp+0B28h+var_Ethread], r14
000000014031D7EA mov r15, [r14+_ETHREAD.Tcb.ApcState.ApcState.Process] ; r15 = current _EPROCESS
000000014031D7EE mov [rsp+0B28h+var_TempProcess], r15
000000014031D7F3 mov r13b, [r14+_ETHREAD.Tcb.PreviousMode] ; r13b = PreviousMode (0 = KernelMode, 1 = UserMode); drives the probing / access checks below
000000014031D7FA mov [rsp+0B28h+var_PreviousMode], r13b
000000014031D7FF mov edx, dword ptr [rsp+0B28h+CreateProcessFlags] ; ProcessFlags
; ... D7FF -> D8E1 omitted by the author ...
000000014031D8E1 xor edx, edx ; Val = 0
000000014031D8E3 mov r8d, 150h ; Size = 0x150 = sizeof(CREATEPROCESSCONTEXT)
000000014031D8E9 lea rcx, [rsp+0B28h+var_CreateProcessContext] ; Dst
000000014031D8F1 call memset ; memset(&CreateProcessContext, 0, sizeof(CreateProcessContext));
000000014031D903 xor r8d, r8d ; arg 3: unknown = 0
000000014031D906 mov dl, r13b ; arg 2: PreviousMode
000000014031D909 mov rcx, rdi ; arg 1: AttributeList
000000014031D90C call PspBuildCreateProcessContext ; parses AttributeList into CreateProcessContext; arg 4 (r9, presumably &CreateProcessContext) is set in the omitted D8F6 -> D903 bytes
000000014031D90C ; PspBuildCreateProcessContext(
000000014031D90C ; AttributeList,
000000014031D90C ; PreviousMode,
000000014031D90C ; Unknown = 0,
000000014031D90C ; pCreateProcessContext);
000000014031D938 lea r8, [rsp+0B28h+var_CreateProcessContext] ; arg 3: pCreateProcessContext
000000014031D940 mov rdx, r12 ; arg 2: pCreateInfo (the caller's CreateInfo buffer)
000000014031D943 mov cl, r13b ; arg 1: AccessMode = PreviousMode
000000014031D946 call PspCaptureCreateInfo ; copies the caller's PROCESS_CREATE_INFO into the context; AccessMode is passed so a user-mode buffer can presumably be probed rather than trusted (not shown here)
000000014031D946 ; PspCaptureCreateInfo(
000000014031D946 ; AccessMode,
000000014031D946 ; pCreateInfo,
000000014031D946 ; CreateProcessContext);
000000014031D955 mov ecx, [rsp+0B28h+var_CreateProcessContext.Flags]
000000014031D95C mov r12d, 1 ; r12 = 1 (reused as a constant below)
000000014031D962 test r12b, cl ; CreateProcessContext.Flags & 1
000000014031D965 jz short loc_14031D9C8 ; bit 0 clear -> loc_14031D9C8 (not in the excerpt); the author reads that path as "parent = current process"
000000014031D965 ; bit 0 set -> fall through and resolve the parent-process handle that
000000014031D965 ; PspBuildCreateProcessContext stored from AttributeList (presumably the
000000014031D965 ; bit means "an explicit parent was supplied"; verify against loc_14031D9C8)
000000014031D967 mov [rsp+28h], rbx ; arg 6: HandleInformation = NULL
000000014031D96C lea rax, [rsp+0B28h+var_Eprocess]
000000014031D974 mov [rsp+20h], rax ; arg 5: pEprocess (receives the parent _EPROCESS)
000000014031D979 mov r9b, r13b ; arg 4: AccessMode = PreviousMode, so a user-mode caller's handle is validated with its own granted access rather than trusted
000000014031D97C mov r8, cs:PsProcessType ; arg 3: ObjectType = PsProcessType (the handle must be a process)
000000014031D983 lea edx, [r12+7Fh] ; arg 2: DesiredAccess = 0x80 = PROCESS_CREATE_PROCESS (r12 is 1)
000000014031D988 mov rcx, [rsp+0B28h+var_CreateProcessContext.hParentProcess] ; arg 1: Handle
000000014031D990 call ObReferenceObjectByHandle ; fails unless the caller holds PROCESS_CREATE_PROCESS on the parent handle; this is what keeps an arbitrary process from being named as parent (the status check is outside the excerpt)
000000014031D990 ; ObReferenceObjectByHandle(
000000014031D990 ; CreateProcessContext.hParentProcess,
000000014031D990 ; DesiredAccess,
000000014031D990 ; PsProcessType,
000000014031D990 ; AccessMode,
000000014031D990 ; pEprocess,
000000014031D990 ; HandleInformation);
000000014031DA18 mov [rsp+0B28h+var_ObjectAttributes.Length], 30h ; sizeof(OBJECT_ATTRIBUTES) on x64
000000014031DA23 mov [rsp+0B28h+var_ObjectAttributes.RootDirectory], rbx ; NULL: FileName is a full NT path
000000014031DA2B or eax, 240h ; Attributes |= OBJ_KERNEL_HANDLE (0x200) | OBJ_CASE_INSENSITIVE (0x40); eax's other bits come from the omitted range
000000014031DA30 mov [rsp+0B28h+var_ObjectAttributes.Attributes], eax
000000014031DA37 lea rax, [rsp+0B28h+var_CreateProcessContext.FileName]
000000014031DA3F mov [rsp+0B28h+var_ObjectAttributes.ObjectName], rax ; ObjectName = &CreateProcessContext.FileName
000000014031DA47 mov [rsp+0B28h+var_ObjectAttributes.SecurityDescriptor], rbx ; NULL
000000014031DA4F mov [rsp+0B28h+var_ObjectAttributes.SecurityQualityOfService], rbx ; NULL
000000014031DA57 mov edx, [rsp+0B28h+var_CreateProcessContext.DesiredAccess]
000000014031DA5E or edx, 100020h ; arg 2: DesiredAccess = caller's extra access | SYNCHRONIZE (0x100000) | FILE_EXECUTE (0x20)
000000014031DA64 mov dword ptr [rsp+28h], 60h ; arg 6: OpenOptions = FILE_NON_DIRECTORY_FILE (0x40) | FILE_SYNCHRONOUS_IO_NONALERT (0x20)
000000014031DA6C mov dword ptr [rsp+20h], 5 ; arg 5: ShareAccess = FILE_SHARE_READ (1) | FILE_SHARE_DELETE (4); FILE_SHARE_WRITE is deliberately not granted
000000014031DA74 lea r9, [rsp+0B28h+var_IoStatusBlock] ; arg 4: IoStatusBlock
000000014031DA7C lea r8, [rsp+0B28h+var_ObjectAttributes] ; arg 3: ObjectAttributes
000000014031DA84 lea rcx, [rsp+0B28h+var_CreateProcessContext.FileHandle] ; arg 1: FileHandle (out)
000000014031DA8C call ZwOpenFile ; first attempt: ZwOpenFile(&CreateProcessContext.FileHandle,
000000014031DA8C ; DesiredAccess,
000000014031DA8C ; ObjectAttributes,
000000014031DA8C ; IoStatusBlock,
000000014031DA8C ; ShareAccess,
000000014031DA8C ; OpenOptions);
000000014031DA91 mov edi, eax ; edi = status
000000014031DA93 cmp eax, ebx
000000014031DA95 jge short loc_14031DAD4 ; NT_SUCCESS -> done
000000014031DA97 cmp [rsp+0B28h+var_CreateProcessContext.DesiredAccess], ebx
000000014031DA9E jz short loc_14031DAD4 ; failed and no extra access was requested -> nothing to retry
000000014031DAA0 mov dword ptr [rsp+28h], 60h ; arg 6: OpenOptions (same as above)
000000014031DAA8 mov dword ptr [rsp+20h], 5 ; arg 5: ShareAccess (same as above)
000000014031DAB0 lea r9, [rsp+0B28h+var_IoStatusBlock] ; arg 4: IoStatusBlock
000000014031DAB8 lea r8, [rsp+0B28h+var_ObjectAttributes] ; arg 3: ObjectAttributes
000000014031DAC0 mov edx, 100020h ; arg 2: DesiredAccess = SYNCHRONIZE | FILE_EXECUTE only; the caller's extra access bits are dropped for the retry
000000014031DAC5 lea rcx, [rsp+0B28h+var_CreateProcessContext.FileHandle] ; arg 1: FileHandle (out)
000000014031DACD call ZwOpenFile ; second attempt with the minimum access needed to map the image
000000014031DACD ; DesiredAccess,
000000014031DACD ; ObjectAttributes,
000000014031DACD ; IoStatusBlock,
000000014031DACD ; ShareAccess,
000000014031DACD ; OpenOptions);
000000014031DAD2 mov edi, eax ; edi = status of the retry
000000014031DAD4
000000014031DAD4 loc_14031DAD4: ; CODE XREF: NtCreateUserProcess+375j
000000014031DAD4 ; NtCreateUserProcess+37Ej
000000014031DAD4 cmp edi, ebx
000000014031DAD6 jge short loc_14031DAF8 ; NT_SUCCESS -> reference the file object
000000014031DAD8 mov [rsp+0B28h+var_CreateProcessContext.FileHandle], rbx ; FileHandle = NULL on failure (presumably so cleanup does not act on a stale value)
000000014031DAE0 xor r8d, r8d ; arg 3: 0
000000014031DAE3 lea rdx, [rsp+0B28h+var_CreateProcessContext] ; arg 2: &CreateProcessContext
000000014031DAEB mov ecx, r12d ; arg 1: 1
000000014031DAEE call PspUpdateCreateInfo ; PspUpdateCreateInfo(1, &CreateProcessContext, 0); presumably reports the failed stage back through CreateInfo
000000014031DAF3 jmp loc_14031E1D8 ; open of the image file failed -> common exit (outside the excerpt)
000000014031DAF8 ; ---------------------------------------------------------------------------
000000014031DAF8
000000014031DAF8 loc_14031DAF8: ; CODE XREF: NtCreateUserProcess+3B6j
000000014031DAF8 mov [rsp+0B28h+var_B00], rbx ; arg 6 ([rsp+28h]): HandleInformation = NULL
000000014031DAFD lea rax, [rsp+0B28h+var_File]
000000014031DB05 mov [rsp+20h], rax ; arg 5: pFile (receives the FILE_OBJECT pointer)
000000014031DB0A xor r9d, r9d ; arg 4: AccessMode = KernelMode; valid here because the handle was just created by ZwOpenFile with OBJ_KERNEL_HANDLE, not taken from the caller
000000014031DB0D mov r8, cs:IoFileObjectType ; arg 3: ObjectType = IoFileObjectType
000000014031DB14 mov edx, 100020h ; arg 2: DesiredAccess = SYNCHRONIZE | FILE_EXECUTE
000000014031DB19 mov rcx, [rsp+0B28h+var_CreateProcessContext.FileHandle] ; arg 1: Handle
000000014031DB21 call ObReferenceObjectByHandle ;
000000014031DB21 ; ObReferenceObjectByHandle(
000000014031DB21 ; CreateProcessContext.FileHandle,
000000014031DB21 ; DesiredAccess,
000000014031DB21 ; IoFileObjectType,
000000014031DB21 ; AccessMode,
000000014031DB21 ; pFile,
000000014031DB21 ; HandleInformation);
000000014031DB26 mov edi, eax ; edi = status
000000014031DB28 mov rax, [rsp+0B28h+var_File]
000000014031DB30 mov [rsp+0B28h+var_CreateProcessContext.FileObject], rax ; stored before the status is checked
000000014031DB38 cmp edi, ebx
000000014031DB3A jge short loc_14031DB49 ; NT_SUCCESS -> continue (DB49 not shown)
000000014031DB3C mov [rsp+0B28h+var_CreateProcessContext.FileObject], rbx ; on failure clear the pointer again
000000014031DB44 jmp loc_14031E1D8 ; could not reference the file object -> common exit
000000014031DB60 mov rax, [rsp+0B28h+var_CreateProcessContext.FileHandle]
000000014031DB68 mov [rsp+30h], rax ; arg 7: FileHandle that backs the section
000000014031DB6D mov [rsp+28h], ecx ; arg 6: AllocationAttributes (ecx is set in the omitted DB49 -> DB60 range; presumably SEC_IMAGE, confirm)
000000014031DB71 mov dword ptr [rsp+20h], 10h ; arg 5: SectionPageProtection = PAGE_EXECUTE (0x10)
000000014031DB79 xor r9d, r9d ; arg 4: MaximumSize = NULL (section size follows the file)
000000014031DB7C lea r8, [rsp+0B28h+var_ObjectAttributes] ; arg 3: ObjectAttributes (same frame slot as for ZwOpenFile; whether its fields were changed in the omitted range is not shown)
000000014031DB84 mov edx, 0F001Fh ; arg 2: DesiredAccess = SECTION_ALL_ACCESS
000000014031DB89 lea rcx, [rsp+0B28h+var_CreateProcessContext.SectionHandle] ; arg 1: SectionHandle (out)
000000014031DB91 call ZwCreateSection ; ZwCreateSection(&SectionHandle,
000000014031DB91 ; DesiredAccess,
000000014031DB91 ; ObjectAttributes,
000000014031DB91 ; MaximumSize,
000000014031DB91 ; SectionPageProtection,
000000014031DB91 ; AllocationAttributes,
000000014031DB91 ; CreateProcessContext.FileHandle);
000000014031DBBD mov [rsp+28h], rbx ; arg 6: HandleInformation = NULL
000000014031DBC2 lea rax, [rsp+0B28h+var_SectionObject]
000000014031DBCA mov [rsp+20h], rax ; arg 5: pSectionObject
000000014031DBCF xor r9d, r9d ; arg 4: AccessMode = KernelMode (the handle came from ZwCreateSection above)
000000014031DBD2 mov r8, cs:MmSectionObjectType ; arg 3: ObjectType = MmSectionObjectType
000000014031DBD9 lea edx, [r9+8] ; arg 2: DesiredAccess = 8 = SECTION_MAP_EXECUTE (r9 is 0)
000000014031DBDD mov rcx, [rsp+0B28h+var_CreateProcessContext.SectionHandle] ; arg 1: Handle
000000014031DBE5 call ObReferenceObjectByHandle ;
000000014031DBE5 ; ObReferenceObjectByHandle(
000000014031DBE5 ; CreateProcessContext.SectionHandle,
000000014031DBE5 ; DesiredAccess,
000000014031DBE5 ; MmSectionObjectType,
000000014031DBE5 ; AccessMode,
000000014031DBE5 ; pSectionObject,
000000014031DBE5 ; HandleInformation);
000000014031DBEA mov edi, eax ; edi = status
000000014031DBEC mov rax, [rsp+0B28h+var_SectionObject]
000000014031DBF4 mov [rsp+0B28h+var_CreateProcessContext.SectionObject], rax ; stored first, status checked after (same pattern as the file object)
000000014031DBFC cmp edi, ebx
000000014031DBFE jge short loc_14031DC0D ; NT_SUCCESS -> continue (DC0D not shown)
000000014031DC00 mov [rsp+0B28h+var_CreateProcessContext.SectionObject], rbx ; clear on failure
000000014031DC08 jmp loc_14031E1D8 ; could not reference the image section object -> common exit
ProcessParameters中的信息保存到CreateProcessContext中:
; NtCreateUserProcess, second part: capture ProcessParameters, then allocate
; and insert the process and its initial thread. Addresses are not contiguous
; and the author lists DD27.. before DCE8.. and E09E.. before E00E.., so
; register contents across gaps are inferred where noted.
000000014031DC25 cmp rax, rbx ; rax presumably holds CreateProcessContext.SectionObject (loaded in the omitted range)
000000014031DC28 jz short loc_14031DC7E ; SectionObject == NULL -> skip ahead (DC7E not shown)
000000014031DC2A bt [r15+_EPROCESS.Flags2], 0Bh ; test bit 11 of the *current* process's Flags2 (meaning not identified on this page)
000000014031DC33 jb short loc_14031DC46 ; bit set -> skip
000000014031DC35 cmp esi, ebx ; esi presumably still holds ProcessObjectAttributes (loaded at D75F)
000000014031DC37 jz short loc_14031DC46 ; NULL -> skip
000000014031DC39 cmp r13b, bl ; PreviousMode == KernelMode?
000000014031DC3C jz short loc_14031DC46 ; kernel-mode caller -> skip
000000014031DC3E or [rsp+0B28h+var_CreateProcessContext.Flags2], 10h ; user-mode caller that supplied ProcessObjectAttributes: set Flags2 bit 4 (effect not identified here)
000000014031DC46
000000014031DC46 loc_14031DC46: ; CODE XREF: NtCreateUserProcess+513j
000000014031DC46 ; NtCreateUserProcess+517j
000000014031DC46 ; NtCreateUserProcess+51Cj
000000014031DC46 lea r8, [rsp+0B28h+var_CreateProcessContext] ; arg 3: pCreateProcessContext
000000014031DC4E mov rdx, [rsp+0B28h+var_ProcessParameters] ; arg 2: ProcessParameters (caller-supplied pointer)
000000014031DC56 mov cl, r13b ; arg 1: PreviousMode
000000014031DC59 call PspCaptureProcessParameters ; copies the RTL_USER_PROCESS_PARAMETERS into the context (initialises pRtlUserProcessParameter); PreviousMode is passed so a user-mode buffer can presumably be probed rather than trusted
000000014031DC59 ; PspCaptureProcessParameters(
000000014031DC59 ; PreviousMode,
000000014031DC59 ; ProcessParameters,
000000014031DC59 ; pCreateProcessContext);
000000014031DC5E mov edi, eax ; edi = status
000000014031DC60 cmp eax, ebx
000000014031DC62 jge short loc_14031DC71 ; NT_SUCCESS -> continue (DC71 not shown)
000000014031DC64 and [rsp+0B28h+var_CreateProcessContext.Flags2], 0FBh ; clear Flags2 bit 2 on failure
000000014031DC6C jmp loc_14031E1D8 ; PspCaptureProcessParameters failed -> common exit
000000014031DD27 lea rax, [rsp+0B28h+var_pTempNewEprocess] ; arg 9: pNewProcess (receives the new _EPROCESS)
000000014031DD2C mov [rsp+40h], rax
000000014031DD31 lea rax, [rsp+0B28h+var_AA0] ; arg 8: unknown out-parameter
000000014031DD39 mov [rsp+38h], rax
000000014031DD3E lea rax, [rsp+0B28h+var_CreateProcessContext] ; arg 7: CreateProcessContext
000000014031DD46 mov [rsp+30h], rax
000000014031DD4B mov eax, dword ptr [rsp+0B28h+CreateProcessFlags] ; arg 6: ProcessFlags (from the caller)
000000014031DD52 mov [rsp+28h], eax
000000014031DD56 mov rax, [rsp+0B28h+var_CreateProcessContext.hSeTokenObject] ; arg 5: hSeTokenObject (token handle from AttributeList, if any)
000000014031DD5E mov [rsp+20h], rax
000000014031DD63 mov r9, [rsp+0B28h+var_CreateProcessContext.SectionObject] ; arg 4: SectionObject
000000014031DD6B mov r8, [rsp+0B28h+var_ProcessObjectAttributes] ; arg 3: ProcessObjectAttributes
000000014031DD73 mov dl, r13b ; arg 2: PreviousMode
000000014031DD76 mov rcx, qword ptr [rsp+0B28h+var_pProcess] ; arg 1: ParentEProcess
000000014031DD7E call PspAllocateProcess ; presumably creates the _EPROCESS and its address space from the section (body not shown)
000000014031DD7E ; PspAllocateProcess(
000000014031DD7E ; ParentEProcess,
000000014031DD7E ; PreviousMode,
000000014031DD7E ; ProcessObjectAttributes,
000000014031DD7E ; SectionObject,
000000014031DD7E ; hSeTokenObject,
000000014031DD7E ; ProcessFlags,
000000014031DD7E ; CreateProcessContext,
000000014031DD7E ; Unknown,
000000014031DD7E ; pNewProcess);
000000014031DCE8 mov [rsp+0B28h+var_Context.ContextFlags], 10001Bh ; CONTEXT_AMD64 (0x100000) | CONTROL (1) | INTEGER (2) | FLOATING_POINT (8) | DEBUG_REGISTERS (0x10); verify against winnt.h
000000014031DCF3 mov [rsp+20h], r12b ; arg 5: 1 (r12 was set to 1 at D95C)
000000014031DCF8 mov r9b, r12b ; arg 4: 1 (the author labels it isSystemThread)
000000014031DCFB xor r8d, r8d ; arg 3: AccessMode = KernelMode
000000014031DCFE lea rdx, [rsp+0B28h+var_Context] ; arg 2: pContext (the CONTEXT zeroed in the prologue)
000000014031DD06 mov rcx, r14 ; arg 1: current _ETHREAD
000000014031DD09 call PspGetContextThreadInternal ; captures the calling thread's register context into Context, which is then handed to PspAllocateThread below
000000014031DD09 ; PspGetContextThreadInternal(
000000014031DD09 ; Ethread,
000000014031DD09 ; pContext,
000000014031DD09 ; AccessMode,
000000014031DD09 ; isSystemThread,
000000014031DD09 ; dwOne);
000000014031DE77 mov [rsp+0B28h+var_AccessStateExpand], eax
000000014031DE7B lea rax, [rsp+0B28h+var_AccessState2]
000000014031DE83 mov [rsp+58h], rax ; arg 12: pNewAccessState
000000014031DE88 mov [rsp+50h], r14 ; arg 11: current _ETHREAD (the author labels it "unknown")
000000014031DE8D lea rax, [rsp+0B28h+var_pThread]
000000014031DE95 mov [rsp+48h], rax ; arg 10: pptrEthread (receives the new _ETHREAD)
000000014031DE9A lea rax, [rsp+6Ch] ; arg 9: pProcessFlag
000000014031DE9F mov [rsp+40h], rax ; __int64
000000014031DEA4 mov [rsp+38h], rbx ; arg 8: StartContext = NULL
000000014031DEA9 mov [rsp+30h], rbx ; arg 7: StartRoutine = NULL
000000014031DEAE lea rax, [rsp+0B28h+var_Inital_teb] ; arg 6: pInitTeb
000000014031DEB6 mov [rsp+28h], rax ; __int64
000000014031DEBB lea rax, [rsp+0B28h+var_Context]
000000014031DEC3 mov [rsp+20h], rax ; arg 5: Context (filled by PspGetContextThreadInternal)
000000014031DEC8 lea r9, [rsp+0B28h+var_CreateProcessContext] ; arg 4: CreateProcessContext
000000014031DED0 mov r8b, r13b ; arg 3: AccessMode = PreviousMode
000000014031DED3 mov rdx, [rsp+0B28h+var_ThreadObjectAttributes] ; arg 2: ThreadObjectAttributes
000000014031DEDB mov rcx, rsi ; arg 1: the new _EPROCESS (rsi presumably reloaded from var_pTempNewEprocess in an omitted range)
000000014031DEDE call PspAllocateThread ;
000000014031DEDE ; PspAllocateThread(
000000014031DEDE ; newProcess,
000000014031DEDE ; ObjectAttributes,
000000014031DEDE ; AccessMode,
000000014031DEDE ; CreateProcessContext,
000000014031DEDE ; context,
000000014031DEDE ; pInitTeb,
000000014031DEDE ; StartRoutine,
000000014031DEDE ; StartContext,
000000014031DEDE ; ptrProcessFlag,
000000014031DEDE ; pptrEthread,
000000014031DEDE ; CurrentEthread,
000000014031DEDE ; pNewAccessState);
000000014031DFC8 lea rdx, [rsp+0B28h+var_AccessState1]
000000014031DFD0 mov [rsp+40h], rdx ; arg 9: AccessState (deleted again with SeDeleteAccessState at E1AE)
000000014031DFD5 mov [rsp+38h], rax ; arg 8: enumType (value set in the omitted range)
000000014031DFDA mov [rsp+30h], r15d ; arg 7: flag (r15 held the current _EPROCESS in the prologue; presumably reassigned in an omitted range)
000000014031DFDF mov rax, [rsp+0B28h+var_CreateProcessContext.DebugObjectHandle]
000000014031DFE7 mov [rsp+28h], rax ; arg 6: DebugObjectHandle (from AttributeList; NULL unless the creator asked to debug the child)
000000014031DFEC mov [rsp+20h], ebx ; arg 5: JobMemberLevel = 0
000000014031DFF0 mov r9d, dword ptr [rsp+0B28h+CreateProcessFlags] ; arg 4: ProcessFlags
000000014031DFF8 mov r8d, ecx ; arg 3: ProcessDesiredAccess (ecx loaded in the omitted range)
000000014031DFFB mov rdx, qword ptr [rsp+0B28h+var_pProcess] ; arg 2: ParentEProcess
000000014031E003 mov rcx, rsi ; arg 1: the new _EPROCESS
000000014031E006 call PspInsertProcess ; presumably makes the process visible system-wide and produces the handle the caller receives (not shown here)
000000014031E006 ; PspInsertProcess(
000000014031E006 ; Eprocess,
000000014031E006 ; ParentEProcess,
000000014031E006 ; ProcessDesiredAccess (the author also labels this AccessMode),
000000014031E006 ; ProcessFlags,
000000014031E006 ; JobMemberLevel,
000000014031E006 ; DebugObjectHandle,
000000014031E006 ; unKnownFlag,
000000014031E006 ; enumType,
000000014031E006 ; AccessState);
000000014031E09E jge short loc_14031E0B0 ; NT_SUCCESS -> loc_14031E0B0; fall-through is the failure path. Note this compare sits after the PspInsertThread call at E06B in address order, and the compared value is set in the omitted E070 -> E09E range, so the author's "PspInsertProcess failed" reading should be verified
000000014031E0A0 mov rcx, rsi ; arg 1: the new _EPROCESS
000000014031E0A3 call PspDoHandleSweepSingle ; PspDoHandleSweepSingle(Eprocess); presumably tears down the half-built process's handles
000000014031E0A8 mov edi, r13d ; edi = status (r13 held PreviousMode in the prologue; presumably reloaded with a saved status in an omitted range)
000000014031E0AB jmp loc_14031E1C1 ; -> the cleanup label just past the PsTerminateProcess call at E1BC, so SeDeleteAccessState and PsTerminateProcess are skipped on this path
000000014031E00E mov rcx, [rsp+0B28h+var_CreateProcessContext.pClient_ID]
000000014031E016 mov [rsp+50h], rcx ; arg 11: pClient_ID (PID/TID output from AttributeList)
000000014031E01B mov rax, [rsp+0B28h+var_ThreadHandle]
000000014031E023 mov [rsp+48h], rax ; arg 10: pThreadHandle (the caller's ThreadHandle out-parameter)
000000014031E028 mov [rsp+40h], rbx ; arg 9: NULL
000000014031E02D lea rax, [rsp+0B28h+var_AccessState2]
000000014031E035 mov [rsp+38h], rax ; arg 8: NewAccessState
000000014031E03A lea rax, [rsp+0B28h+var_CreateProcessContext]
000000014031E042 mov [rsp+30h], rax ; arg 7: pCreateProcessContext
000000014031E047 mov [rsp+28h], r14 ; arg 6: current _ETHREAD
000000014031E04C mov dword ptr [rsp+0B28h+var_B08], edi ; arg 5 ([rsp+20h] = var_B08): edi, presumably a status from an earlier step (which one is not visible in the excerpt)
000000014031E050 lea r9, [rsp+0B28h+var_AccessStateExpand] ; arg 4: pProcessFlag
000000014031E055 lea r8, [rsp+0B28h+var_Inital_teb] ; arg 3: pInital_teb
000000014031E05D mov rdx, rsi ; arg 2: the new _EPROCESS
000000014031E060 mov r14, [rsp+0B28h+var_pThread] ; arg 1: the new _ETHREAD (r14 is repurposed from here on)
000000014031E068 mov rcx, r14
000000014031E06B call PspInsertThread ; the call target is PspInsertThread (an earlier annotation mislabelled it PspInsertProcess); arguments listed in stack-slot order:
000000014031E06B ; PspInsertThread(
000000014031E06B ; pThread,
000000014031E06B ; pEprocess,
000000014031E06B ; pInital_teb,
000000014031E06B ; pProcessFlag,
000000014031E06B ; status (edi),
000000014031E06B ; CurrentEthread,
000000014031E06B ; pCreateProcessContext,
000000014031E06B ; NewAccessState,
000000014031E06B ; NULL,
000000014031E06B ; pThreadHandle,
000000014031E06B ; pClient_ID);
000000014031E1A6 lea rcx, [rsp+0B28h+var_AccessState1] ; arg 1: the AccessState handed to PspInsertProcess
000000014031E1AE call SeDeleteAccessState ; SeDeleteAccessState(pAccessState);
000000014031E1B3 cmp edi, ebx
000000014031E1B5 jge short loc_14031E1C1 ; NT_SUCCESS -> skip termination
000000014031E1B7 mov edx, edi ; arg 2: ExitStatus = the failing status
000000014031E1B9 mov rcx, rsi ; arg 1: the new, partly created process
000000014031E1BC call PsTerminateProcess ; a process that was allocated but failed a later step is terminated rather than left half-initialised: PsTerminateProcess(
000000014031E1BC ; NewProcess,
000000014031E1BC ; ExitStatus);