;-----------------------------------------------------------------------
; nt!PspLocateInPEManifest  (WinDbg `u` listing: address, opcode bytes, instruction)
; ABI:   Microsoft x64 — args in rcx, rdx, r8, r9; 5th and later args at
;        [rsp+20h] upward above the 32-byte shadow space; rbx is callee-saved.
; In:    rcx = structure read at +3B0h and +418h (the note below calls it an
;               EPROCESS; that is not provable from this listing alone)
;        rdx = second structure, kept in rbx; +8, +0C8h, +128h, +130h are written
; Out:   eax = NTSTATUS (0 on the path shown)
; Only the success path is listed. The branch targets +0xc0, +0xa6 and +0xe2
; all lie past the final ret, so the rest of the function is outside this excerpt.
; The resource lookup is given the id triple {18h, 1, 0}: 18h = 24 = RT_MANIFEST,
; 1 = the manifest resource id used for CreateProcess, 0 = language, i.e. the
; manifest embedded in the PE image.
;-----------------------------------------------------------------------
nt!PspLocateInPEManifest:
fffff802`f143008c fff3 push rbx                                   ; save callee-saved rbx (it will hold rdx)
fffff802`f143008e 4883ec60 sub rsp,60h                            ; 60h frame: shadow space, 4 stack args, locals; rsp stays 16-aligned at the call
fffff802`f1430092 4883b91804000000 cmp qword ptr [rcx+418h],0     ; flags set here are consumed by the jne two instructions down; the movs in between do not touch flags
fffff802`f143009a 4c8b91b0030000 mov r10,qword ptr [rcx+3B0h]     ; r10 = pointer field at +3B0h; becomes arg 1 of LdrResSearchResource (presumably the image base — verify against this build's EPROCESS layout)
fffff802`f14300a1 488bda
mov rbx,rdx                                                       ; rbx = second argument (the listing split this instruction's operands from its bytes on the line above)
fffff802`f14300a4 0f85a2000000 jne nt!PspLocateInPEManifest+0xc0 (fffff802`f143014c) ; [rcx+418h] != 0 -> alternate path, outside this excerpt
fffff802`f14300aa 488364243800 and qword ptr [rsp+38h],0          ; stack arg 8 = 0
fffff802`f14300b0 488364243000 and qword ptr [rsp+30h],0          ; stack arg 7 = 0
fffff802`f14300b6 488364245000 and qword ptr [rsp+50h],0          ; ids[2] = 0 (language entry of the id array at [rsp+40h])
fffff802`f14300bc 488364247000 and qword ptr [rsp+70h],0          ; local out-value, cleared before the call; read back as a size below
fffff802`f14300c2 488d4c2470 lea rcx,[rsp+70h]                    ; &local (becomes stack arg 6)
fffff802`f14300c7 41b930000000 mov r9d,30h                        ; arg 4 = 30h (flags; meaning not shown here)
fffff802`f14300cd 48894c2428 mov qword ptr [rsp+28h],rcx          ; stack arg 6 = &local
fffff802`f14300d2 488d8328010000 lea rax,[rbx+128h]               ; &(second arg)+128h (becomes stack arg 5, an out pointer)
fffff802`f14300d9 488d542440 lea rdx,[rsp+40h]                    ; arg 2 = id array {ids[0], ids[1], ids[2]} at [rsp+40h]
fffff802`f14300de 458d41d3 lea r8d,[r9-2Dh]                       ; arg 3 = 30h - 2Dh = 3 (entries in the id array); lea leaves flags intact
fffff802`f14300e2 498bca mov rcx,r10                              ; arg 1 = value read from [rcx+3B0h]
fffff802`f14300e5 48c744244018000000 mov qword ptr [rsp+40h],18h  ; ids[0] = 18h (RT_MANIFEST)
fffff802`f14300ee 48c744244801000000 mov qword ptr [rsp+48h],1    ; ids[1] = 1 (manifest resource id)
fffff802`f14300f7 4889442420 mov qword ptr [rsp+20h],rax          ; stack arg 5 = &[rbx+128h]
fffff802`f14300fc e8bf5f0000 call nt!LdrResSearchResource (fffff802`f14360c0) ; NTSTATUS returned in eax
fffff802`f1430101 85c0 test eax,eax
fffff802`f1430103 782d js nt!PspLocateInPEManifest+0xa6 (fffff802`f1430132) ; negative NTSTATUS -> failure path (starts right after the ret below)
fffff802`f1430105 488b442470 mov rax,qword ptr [rsp+70h]          ; rax = value written through stack arg 6 (stored as a 32-bit size below, so presumably the resource size)
fffff802`f143010a b9ffffffff mov ecx,0FFFFFFFFh
fffff802`f143010f 483bc1 cmp rax,rcx
fffff802`f1430112 775a ja nt!PspLocateInPEManifest+0xe2 (fffff802`f143016e) ; unsigned compare: a value above 0FFFFFFFFh would be truncated by the dword store below, so bail out instead
fffff802`f1430114 804b0820 or byte ptr [rbx+8],20h               ; set bit 5 of the byte at +8 in the second argument's structure
fffff802`f1430118 898330010000 mov dword ptr [rbx+130h],eax       ; store the size, now known to fit in 32 bits
fffff802`f143011e 488b83c8000000 mov rax,qword ptr [rbx+0C8h] ds:002b:fffff880`082d8188=fffffa80190da010 ; rax = pointer at +0C8h (debugger annotation shows the value read at capture time)
fffff802`f1430125 0fba68080d bts dword ptr [rax+8],0Dh           ; set bit 13 of the dword at +8 of that object
fffff802`f143012a 33c0 xor eax,eax                               ; return STATUS_SUCCESS
fffff802`f143012c 4883c460 add rsp,60h
fffff802`f1430130 5b pop rbx
fffff802`f1430131 c3 ret
第一个参数rcx是EPROCESS结构体的指针，第二个参数rdx也指向一个结构体，但不知道是什么。