; WinDbg `u` listing of nt!PsLookupProcessByProcessId, x86 kernel. Convention: stdcall
; (`ret 8` => two stack args): [ebp+8] = ProcessId (the CID handle), [ebp+0Ch] = PEPROCESS *Process.
; NOTE(review): the symbols in this dump are mismatched. Names of the form
; nt!TmEnlistmentObjectType+0xec8 or nt!SeLocateProcessImageName+0x68f are "nearest public
; symbol + offset" fallbacks, so private globals/functions are not resolving. Run
; `.reload /f nt` (with `!sym noisy` to see whether the PDB loads) before trusting any name here.
; The global at 84353514 that is loaded right before the lookup call is the handle table the PID
; is resolved against; with matching symbols it should resolve to nt!PspCidTable -- confirm
; with `x nt!PspCidTable` rather than hard-coding the address.
nt!PsLookupProcessByProcessId:
8446e9a3 8bff                 mov     edi,edi                                   ; hot-patch pad
8446e9a5 55                   push    ebp
8446e9a6 8bec                 mov     ebp,esp
8446e9a8 83ec0c               sub     esp,0Ch                                   ; three dword spill slots: [ebp-4], [ebp-8], [ebp-0Ch]
8446e9ab 53                   push    ebx
8446e9ac 56                   push    esi
8446e9ad 648b3524010000       mov     esi,dword ptr fs:[124h]                   ; current KTHREAD via KPCR (fs:0 on x86) -- verify offset with dt nt!_KPCR
8446e9b4 33db                 xor     ebx,ebx                                   ; ebx = candidate EPROCESS, NULL until proven valid
8446e9b6 66ff8e84000000       dec     word ptr [esi+84h]                        ; thread+84h--: looks like an inlined KeEnterCriticalRegion (KernelApcDisable); confirm with dt nt!_KTHREAD
8446e9bd 57                   push    edi                                       ; delayed save of callee-saved edi (matches the final pop edi)
8446e9be ff7508               push    dword ptr [ebp+8]                         ; arg: ProcessId
8446e9c1 8b3d14353584         mov     edi,dword ptr [nt!TmEnlistmentObjectType+0xec8 (84353514)] ; table pointer in edi -> presumably nt!PspCidTable (see header)
8446e9c7 e81757feff           call    nt!SeLocateProcessImageName+0x68f (844540e3) ; maps the handle to a table entry (mislabelled; presumably ExMapHandleToPointer)
8446e9cc 8bf8                 mov     edi,eax                                   ; edi = handle table entry, or NULL
8446e9ce 85ff                 test    edi,edi
8446e9d0 747c                 je      nt!PsLookupProcessByProcessId+0xab (8446ea4e) ; no entry for this CID -> fail with ebx == 0
8446e9d2 8b1f                 mov     ebx,dword ptr [edi]                       ; first dword of the entry = object pointer
8446e9d4 8a03                 mov     al,byte ptr [ebx]
8446e9d6 247f                 and     al,7Fh                                    ; low 7 bits of the object's first byte (its Type field)
8446e9d8 3c03                 cmp     al,3                                      ; must be 3 on this build; a CID that names a thread fails here and is rejected below
8446e9da 750b                 jne     nt!PsLookupProcessByProcessId+0x44 (8446e9e7)
8446e9dc 8bd3                 mov     edx,ebx                                   ; object passed in edx
8446e9de e8534fe3ff           call    nt!ExDeleteResourceLite+0x117 (842a3936)  ; takes a reference on the object, al != 0 on success (mislabelled; presumably ObReferenceObjectSafe)
8446e9e3 84c0                 test    al,al
8446e9e5 7502                 jne     nt!PsLookupProcessByProcessId+0x46 (8446e9e9)
8446e9e7 33db                 xor     ebx,ebx                                   ; wrong type, or reference failed: drop the candidate
8446e9e9 a114353584           mov     eax,dword ptr [nt!TmEnlistmentObjectType+0xec8 (84353514)] ; same global as above (the table)
8446e9ee 33c9                 xor     ecx,ecx
8446e9f0 41                   inc     ecx
8446e9f1 f0090f               lock or dword ptr [edi],ecx                       ; set bit 0 of the table entry again (entry lock bit given back)
8446e9f4 8d4818               lea     ecx,[eax+18h]                             ; ecx = &table->(+18h), a push lock
8446e9f7 8745fc               xchg    eax,dword ptr [ebp-4]                     ; compiler spill
8446e9fa 833900               cmp     dword ptr [ecx],0
8446e9fd 7407                 je      nt!PsLookupProcessByProcessId+0x63 (8446ea06)
8446e9ff 33d2                 xor     edx,edx
8446ea01 e899d3e3ff           call    nt!ExfUnblockPushLock (842abd9f)          ; wake any waiter on the table's push lock
8446ea06 85db                 test    ebx,ebx
8446ea08 7444                 je      nt!PsLookupProcessByProcessId+0xab (8446ea4e) ; nothing valid found -> STATUS_INVALID_CID
8446ea0a f7837002000000000004 test    dword ptr [ebx+270h],4000000h             ; EPROCESS flag at +270h: set -> return the process as-is (presumably ProcessInserted; confirm with dt nt!_EPROCESS)
8446ea14 7538                 jne     nt!PsLookupProcessByProcessId+0xab (8446ea4e)
8446ea16 8dbb98000000         lea     edi,[ebx+98h]                             ; flag clear: acquire+release the push lock at EPROCESS+98h (wait for its holder), then recheck
8446ea1c 8745f8               xchg    eax,dword ptr [ebp-8]                     ; compiler spill
8446ea1f 8b0f                 mov     ecx,dword ptr [edi]
8446ea21 83e101               and     ecx,1                                     ; only wait if the lock is actually held (bit 0)
8446ea24 8745f4               xchg    eax,dword ptr [ebp-0Ch]                   ; compiler spill
8446ea27 85c9                 test    ecx,ecx
8446ea29 740e                 je      nt!PsLookupProcessByProcessId+0x96 (8446ea39)
8446ea2b 8bcf                 mov     ecx,edi
8446ea2d e8a026e3ff           call    nt!ExfAcquirePushLockExclusive (842a10d2)
8446ea32 8bcf                 mov     ecx,edi
8446ea34 e8086bebff           call    nt!ExfReleasePushLockExclusive (84325541)
8446ea39 f7837002000000000004 test    dword ptr [ebx+270h],4000000h             ; recheck the same flag after the wait
8446ea43 7509                 jne     nt!PsLookupProcessByProcessId+0xab (8446ea4e)
8446ea45 8bcb                 mov     ecx,ebx
8446ea47 e87789e1ff           call    nt!ObfDereferenceObject (842873c3)        ; still clear: give the reference back ...
8446ea4c 33db                 xor     ebx,ebx                                   ; ... and report no process
8446ea4e 66ff8684000000       inc     word ptr [esi+84h]                        ; thread+84h++: inlined KeLeaveCriticalRegion; lines below deliver pending kernel APCs
8446ea55 0fb78684000000       movzx   eax,word ptr [esi+84h]
8446ea5c 6685c0               test    ax,ax
8446ea5f 7516                 jne     nt!PsLookupProcessByProcessId+0xd4 (8446ea77) ; still inside an outer critical region -> skip APC delivery
8446ea61 8d4640               lea     eax,[esi+40h]
8446ea64 3900                 cmp     dword ptr [eax],eax                       ; Flink == &list: the APC list at thread+40h is empty
8446ea66 740f                 je      nt!PsLookupProcessByProcessId+0xd4 (8446ea77)
8446ea68 6683be8600000000     cmp     word ptr [esi+86h],0                      ; thread+86h != 0 (presumably SpecialApcDisable) -> skip
8446ea70 7505                 jne     nt!PsLookupProcessByProcessId+0xd4 (8446ea77)
8446ea72 e82972dcff           call    nt!KiCheckForKernelApcDelivery (84235ca0)
8446ea77 85db                 test    ebx,ebx
8446ea79 7409                 je      nt!PsLookupProcessByProcessId+0xe1 (8446ea84)
8446ea7b 8b450c               mov     eax,dword ptr [ebp+0Ch]
8446ea7e 8918                 mov     dword ptr [eax],ebx                       ; *Process = EPROCESS; the caller owns the reference taken above and must release it
8446ea80 33c0                 xor     eax,eax                                   ; STATUS_SUCCESS
8446ea82 eb05                 jmp     nt!PsLookupProcessByProcessId+0xe6 (8446ea89)
8446ea84 b80b0000c0           mov     eax,0C000000Bh                            ; STATUS_INVALID_CID
8446ea89 5f                   pop     edi
8446ea8a 5e                   pop     esi
8446ea8b 5b                   pop     ebx
8446ea8c c9                   leave
8446ea8d c20800               ret     8                                         ; stdcall, two dword args
8446ea90 90                   nop
8446ea91 90                   nop
根本不知道哪个是PspCidTable
下边的图是我从网上找的,虽然函数名字变了,但是原理都是一样的吧
你这只是 PDB 中没有这个符号而已,或者根本就没有加载 PDB。反汇编里出现的 nt!TmEnlistmentObjectType+0xec8、nt!SeLocateProcessImageName+0x68f 这种“最近的公开符号 + 偏移”的写法,就是符号没有正确匹配的典型迹象。用 .reload /f nt 重新加载符号(可以先开 !sym noisy 确认 PDB 真的下载/加载成功)之后,8446e9c1 处读取的那个全局变量(84353514)应该就会解析成 nt!PspCidTable,再用 x nt!PspCidTable 核对一下即可。