InfinityHook 核心原理 替换WmipLoggerContext[CLCK_INDEX]->GetCpuClock
原作者见 https://github.com/everdox/InfinityHook
from 6789base.sys version 5.12.0.4874
为节约版面以下只放关键内容
DriverEntry->InitializeInfinityHook()
启动两条线程,一条初始化infhook,一条保护infhook
__int64 InitializeInfinityHook()
{
HANDLE ThreadHandle; // [rsp+40h] [rbp-58h]
HANDLE Handle; // [rsp+48h] [rbp-50h]
OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+50h] [rbp-48h]
unsigned int v4; // [rsp+80h] [rbp-18h]
v4 = -1073741823;
ThreadHandle = 0i64;
ObjectAttributes.Length = 0;
memset(&ObjectAttributes.RootDirectory, 0, 0x28ui64);
if ( byte_3648C )
return 3221225473i64;
stru_365D0.Count = 1;
stru_365D0.Owner = 0i64;
stru_365D0.Contention = 0;
KeInitializeEvent(&stru_365D0.Event, SynchronizationEvent, 0);
sub_22980(&unk_36608);
KeInitializeEvent(&Event, NotificationEvent, 0);
byte_36938 = 1;
stru_36568.Count = 1;
stru_36568.Owner = 0i64;
stru_36568.Contention = 0;
KeInitializeEvent(&stru_36568.Event, SynchronizationEvent, 0);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 512;
ObjectAttributes.ObjectName = 0i64;
ObjectAttributes.SecurityDescriptor = 0i64;
ObjectAttributes.SecurityQualityOfService = 0i64;
v4 = PsCreateSystemThread(
&ThreadHandle,
0x1FFFFFu,
&ObjectAttributes,
0i64,
0i64,
(PKSTART_ROUTINE)InfinityHookInitThread,
0i64);
if ( !v4 )
ZwClose(ThreadHandle);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 512;
ObjectAttributes.ObjectName = 0i64;
ObjectAttributes.SecurityDescriptor = 0i64;
ObjectAttributes.SecurityQualityOfService = 0i64;
v4 = PsCreateSystemThread(
&Handle,
0x1FFFFFu,
&ObjectAttributes,
0i64,
0i64,
(PKSTART_ROUTINE)InitializeInfinityHookProtectThread,
0i64);
if ( !v4 )
{
ObReferenceObjectByHandle(Handle, 0x1FFFFFu, PsThreadType, 0, &g_ThreadObject, 0i64);
ZwClose(Handle);
}
return v4;
}
__int64 InitializeInfinityHook()
{
HANDLE ThreadHandle; // [rsp+40h] [rbp-58h]
HANDLE Handle; // [rsp+48h] [rbp-50h]
OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+50h] [rbp-48h]
unsigned int v4; // [rsp+80h] [rbp-18h]
v4 = -1073741823;
ThreadHandle = 0i64;
ObjectAttributes.Length = 0;
memset(&ObjectAttributes.RootDirectory, 0, 0x28ui64);
if ( byte_3648C )
return 3221225473i64;
stru_365D0.Count = 1;
stru_365D0.Owner = 0i64;
stru_365D0.Contention = 0;
KeInitializeEvent(&stru_365D0.Event, SynchronizationEvent, 0);
sub_22980(&unk_36608);
KeInitializeEvent(&Event, NotificationEvent, 0);
byte_36938 = 1;
stru_36568.Count = 1;
stru_36568.Owner = 0i64;
stru_36568.Contention = 0;
KeInitializeEvent(&stru_36568.Event, SynchronizationEvent, 0);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 512;
ObjectAttributes.ObjectName = 0i64;
ObjectAttributes.SecurityDescriptor = 0i64;
ObjectAttributes.SecurityQualityOfService = 0i64;
v4 = PsCreateSystemThread(
&ThreadHandle,
0x1FFFFFu,
&ObjectAttributes,
0i64,
0i64,
(PKSTART_ROUTINE)InfinityHookInitThread,
0i64);
if ( !v4 )
ZwClose(ThreadHandle);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 512;
ObjectAttributes.ObjectName = 0i64;
ObjectAttributes.SecurityDescriptor = 0i64;
ObjectAttributes.SecurityQualityOfService = 0i64;
v4 = PsCreateSystemThread(
&Handle,
0x1FFFFFu,
&ObjectAttributes,
0i64,
0i64,
(PKSTART_ROUTINE)InitializeInfinityHookProtectThread,
0i64);
if ( !v4 )
{
ObReferenceObjectByHandle(Handle, 0x1FFFFFu, PsThreadType, 0, &g_ThreadObject, 0i64);
ZwClose(Handle);
}
return v4;
}
__int64 InitializeInfinityHook()
{
HANDLE ThreadHandle; // [rsp+40h] [rbp-58h]
HANDLE Handle; // [rsp+48h] [rbp-50h]
OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+50h] [rbp-48h]
unsigned int v4; // [rsp+80h] [rbp-18h]
v4 = -1073741823;
ThreadHandle = 0i64;
ObjectAttributes.Length = 0;
memset(&ObjectAttributes.RootDirectory, 0, 0x28ui64);
if ( byte_3648C )
return 3221225473i64;
stru_365D0.Count = 1;
stru_365D0.Owner = 0i64;
stru_365D0.Contention = 0;
KeInitializeEvent(&stru_365D0.Event, SynchronizationEvent, 0);
sub_22980(&unk_36608);
KeInitializeEvent(&Event, NotificationEvent, 0);
byte_36938 = 1;
stru_36568.Count = 1;
stru_36568.Owner = 0i64;
stru_36568.Contention = 0;
KeInitializeEvent(&stru_36568.Event, SynchronizationEvent, 0);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 512;
ObjectAttributes.ObjectName = 0i64;
ObjectAttributes.SecurityDescriptor = 0i64;
ObjectAttributes.SecurityQualityOfService = 0i64;
v4 = PsCreateSystemThread(
&ThreadHandle,
0x1FFFFFu,
&ObjectAttributes,
0i64,
0i64,
(PKSTART_ROUTINE)InfinityHookInitThread,
0i64);
if ( !v4 )
ZwClose(ThreadHandle);
ObjectAttributes.Length = 48;
ObjectAttributes.RootDirectory = 0i64;
ObjectAttributes.Attributes = 512;
ObjectAttributes.ObjectName = 0i64;
ObjectAttributes.SecurityDescriptor = 0i64;
ObjectAttributes.SecurityQualityOfService = 0i64;
v4 = PsCreateSystemThread(
&Handle,
0x1FFFFFu,
&ObjectAttributes,
0i64,
0i64,
(PKSTART_ROUTINE)InitializeInfinityHookProtectThread,
0i64);
if ( !v4 )
{
ObReferenceObjectByHandle(Handle, 0x1FFFFFu, PsThreadType, 0, &g_ThreadObject, 0i64);
ZwClose(Handle);
}
return v4;
}
void __fastcall InfinityHookInitThread(PVOID StartContext)
{
__int64 _RAX; // rax
LARGE_INTEGER (*_RCX)(); // rcx
__int64 _RCX; // rcx
LARGE_INTEGER Interval; // [rsp+20h] [rbp-28h]
_QWORD *getCpuClock; // [rsp+28h] [rbp-20h]
int v6; // [rsp+30h] [rbp-18h]
v6 = -1073741823;
getCpuClock = 0i64;
Interval.QuadPart = -30000000i64;
while ( !LoadNtdll() )
KeDelayExecutionThread(0, 0, &Interval);
if ( (int)InitializeInfhookCore() >= 0 )
{
v6 = EnableEtwLogger();
if ( v6 >= 0 )
{
v6 = GetCkcl(2u, (_QWORD *)infhookCore + 90115);
if ( v6 >= 0 && *((_QWORD *)infhookCore + 90115) )
{
getCpuClock = (_QWORD *)(*((_QWORD *)infhookCore + 90115)
+ (unsigned int)OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK);
if ( (unsigned __int8)MmIsAddressValid(getCpuClock)
&& (unsigned __int8)MmIsAddressValid((char *)getCpuClock + 7) )
{
if ( *getCpuClock >= MmSystemRangeStart )
{
_RAX = *((_QWORD *)infhookCore + 90115) + (unsigned int)OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK;
_RCX = InternalGetCpuClock;
__asm { xchg rcx, [rax] }
*((_QWORD *)infhookCore + 90114) = _RCX;
v6 = 0;
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
PsTerminateSystemThread(0);
}
void __fastcall InfinityHookInitThread(PVOID StartContext)
{
__int64 _RAX; // rax
LARGE_INTEGER (*_RCX)(); // rcx
__int64 _RCX; // rcx
LARGE_INTEGER Interval; // [rsp+20h] [rbp-28h]
_QWORD *getCpuClock; // [rsp+28h] [rbp-20h]
int v6; // [rsp+30h] [rbp-18h]
v6 = -1073741823;
getCpuClock = 0i64;
Interval.QuadPart = -30000000i64;
while ( !LoadNtdll() )
KeDelayExecutionThread(0, 0, &Interval);
if ( (int)InitializeInfhookCore() >= 0 )
{
v6 = EnableEtwLogger();
if ( v6 >= 0 )
{
v6 = GetCkcl(2u, (_QWORD *)infhookCore + 90115);
if ( v6 >= 0 && *((_QWORD *)infhookCore + 90115) )
{
getCpuClock = (_QWORD *)(*((_QWORD *)infhookCore + 90115)
+ (unsigned int)OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK);
if ( (unsigned __int8)MmIsAddressValid(getCpuClock)
&& (unsigned __int8)MmIsAddressValid((char *)getCpuClock + 7) )
{
if ( *getCpuClock >= MmSystemRangeStart )
{
_RAX = *((_QWORD *)infhookCore + 90115) + (unsigned int)OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK;
_RCX = InternalGetCpuClock;
__asm { xchg rcx, [rax] }
*((_QWORD *)infhookCore + 90114) = _RCX;
v6 = 0;
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
}
else
{
v6 = 0xC0000001;
}
PsTerminateSystemThread(0);
}
NTSTATUS __stdcall EnableEtwLogger()
{
NTSTATUS result; // eax
NTSTATUS v1; // [rsp+20h] [rbp-18h]
NTSTATUS v2; // [rsp+20h] [rbp-18h]
v1 = IfhpModifyTraceSettings(1);
if ( v1 >= 0 )
goto LABEL_9;
v2 = IfhpModifyTraceSettings(0);
if ( v2 < 0 )
return v2;
v1 = IfhpModifyTraceSettings(1);
if ( v1 >= 0 )
LABEL_9:
result = v1;
else
result = v1;
return result;
}
NTSTATUS __stdcall EnableEtwLogger()
{
NTSTATUS result; // eax
NTSTATUS v1; // [rsp+20h] [rbp-18h]
NTSTATUS v2; // [rsp+20h] [rbp-18h]
v1 = IfhpModifyTraceSettings(1);
if ( v1 >= 0 )
goto LABEL_9;
v2 = IfhpModifyTraceSettings(0);
if ( v2 < 0 )
return v2;
v1 = IfhpModifyTraceSettings(1);
if ( v1 >= 0 )
LABEL_9:
result = v1;
else
result = v1;
return result;
}
IfhModifyTraceSettings复制粘贴过于直球这里就不贴代码了,放个对比图:
主要流程:初始化infhookCore结构(应该是一个很大的结构体,具体成员就不逆了)
sub_2D210判断两个不明物体(无关紧要懒得逆)
寻找explorer.exe的PID
加载L"\\SystemRoot\\system32\\ntdll.dll"并搜索导出表,把nt函数全部保存进infhookcore里的一个表
NTSTATUS __stdcall InitializeInfhookCore()
{
LARGE_INTEGER Interval; // [rsp+20h] [rbp-28h]
NTSTATUS v2; // [rsp+28h] [rbp-20h]
UNICODE_STRING DestinationString; // [rsp+30h] [rbp-18h]
v2 = -1073741823;
Interval.QuadPart = -30000000i64;
if ( infhookCore && isZwTraceControlAvailable )
return 0;
while ( 1 )
{
if ( !infhookCore )
{
infhookCore = ExAllocatePoolWithTag(NonPagedPool, 720928ui64, 'hchk');
if ( !infhookCore )
{
v2 = -1073741670;
goto LABEL_26;
}
memset(infhookCore, 0, 0xB0020ui64);
}
if ( !*((_QWORD *)infhookCore + 90112) || !*((_QWORD *)infhookCore + 90113) )
{
v2 = sub_2D210((char *)infhookCore + 720896, (char *)infhookCore + 720904);
if ( v2 < 0 || !*((_QWORD *)infhookCore + 90112) || !*((_QWORD *)infhookCore + 90113) )
{
v2 = -1073741823;
goto LABEL_26;
}
}
RtlInitUnicodeString(&DestinationString, L"explorer.exe");
v2 = FindProcessByProcessName(&DestinationString, &g_ExplorerPID);
if ( v2 >= 0 )
{
if ( g_ExplorerPID )
break;
}
KeDelayExecutionThread(0, 0, &Interval);
}
v2 = LoadSSDTFunctionEntry();
if ( v2 >= 0 )
{
v2 = LoadOffsetsVars();
if ( v2 >= 0 )
{
v2 = LoadSSSDTFunctionEntry();
if ( v2 >= 0 )
{
byte_3648D = 1;
sub_2A640();
ZwTraceControl = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _QWORD))MakeZwTraceControl();
if ( ZwTraceControl )
{
isZwTraceControlAvailable = 1;
v2 = 0;
}
else
{
v2 = -1073741823;
}
}
else
{
v2 = -1073741823;
}
}
else
{
v2 = -1073741823;
}
}
else
{
v2 = -1073741823;
}
LABEL_26:
if ( v2 )
{
if ( infhookCore )
{
ExFreePoolWithTag(infhookCore, 0x6863686Bu);
infhookCore = 0i64;
}
}
return v2;
}
NTSTATUS __stdcall InitializeInfhookCore()
{
LARGE_INTEGER Interval; // [rsp+20h] [rbp-28h]
NTSTATUS v2; // [rsp+28h] [rbp-20h]
UNICODE_STRING DestinationString; // [rsp+30h] [rbp-18h]
v2 = -1073741823;
Interval.QuadPart = -30000000i64;
if ( infhookCore && isZwTraceControlAvailable )
return 0;
while ( 1 )
{
if ( !infhookCore )
{
infhookCore = ExAllocatePoolWithTag(NonPagedPool, 720928ui64, 'hchk');
if ( !infhookCore )
{
v2 = -1073741670;
goto LABEL_26;
}
memset(infhookCore, 0, 0xB0020ui64);
}
if ( !*((_QWORD *)infhookCore + 90112) || !*((_QWORD *)infhookCore + 90113) )
{
v2 = sub_2D210((char *)infhookCore + 720896, (char *)infhookCore + 720904);
if ( v2 < 0 || !*((_QWORD *)infhookCore + 90112) || !*((_QWORD *)infhookCore + 90113) )
{
v2 = -1073741823;
goto LABEL_26;
}
}
RtlInitUnicodeString(&DestinationString, L"explorer.exe");
v2 = FindProcessByProcessName(&DestinationString, &g_ExplorerPID);
if ( v2 >= 0 )
{
if ( g_ExplorerPID )
break;
}
KeDelayExecutionThread(0, 0, &Interval);
}
v2 = LoadSSDTFunctionEntry();
if ( v2 >= 0 )
{
v2 = LoadOffsetsVars();
if ( v2 >= 0 )
{
v2 = LoadSSSDTFunctionEntry();
if ( v2 >= 0 )
{
byte_3648D = 1;
sub_2A640();
ZwTraceControl = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _DWORD, _QWORD))MakeZwTraceControl();
if ( ZwTraceControl )
{
isZwTraceControlAvailable = 1;
v2 = 0;
}
else
{
v2 = -1073741823;
}
}
else
{
v2 = -1073741823;
}
}
else
{
v2 = -1073741823;
}
}
else
{
v2 = -1073741823;
}
LABEL_26:
if ( v2 )
{
if ( infhookCore )
{
ExFreePoolWithTag(infhookCore, 0x6863686Bu);
infhookCore = 0i64;
}
}
return v2;
}
根据系统版本加载一些偏移
NTSTATUS __stdcall LoadOffsetsVars()
{
NTSTATUS v1; // [rsp+20h] [rbp-18h]
unsigned int v2; // [rsp+24h] [rbp-14h]
v1 = 0;
v2 = GetBuildNumber();
if ( v2 > 14393 )
{
if ( v2 != 15063 && v2 != 16299 && v2 != 17134 && v2 != 17763 && v2 != 18362 )
goto LABEL_18;
LABEL_17:
LODWORD(OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK) = 40;
offset_SystemCallNumber = 0x80i64;
PerfGlobalGroupMask = GetPerfGlobalGroupMask();
goto LABEL_18;
}
switch ( v2 )
{
case 14393u:
goto LABEL_17;
case 610u:
LODWORD(OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK) = 24;
offset_SystemCallNumber = 0x1F8i64;
PerfGlobalGroupMask = GetPerfGlobalGroupMask2();
break;
case 620u:
LODWORD(OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK) = 40;
offset_SystemCallNumber = 0x80i64;
PerfGlobalGroupMask = GetPerfGlobalGroupMask3();
break;
case 630u:
case 10240u:
case 10586u:
goto LABEL_17;
}
LABEL_18:
if ( v2 > 18362 )
v1 = FindOffsetsFor18383();
return v1;
}
NTSTATUS __stdcall LoadOffsetsVars()
{
NTSTATUS v1; // [rsp+20h] [rbp-18h]
unsigned int v2; // [rsp+24h] [rbp-14h]
v1 = 0;
v2 = GetBuildNumber();
if ( v2 > 14393 )
{
if ( v2 != 15063 && v2 != 16299 && v2 != 17134 && v2 != 17763 && v2 != 18362 )
goto LABEL_18;
LABEL_17:
LODWORD(OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK) = 40;
offset_SystemCallNumber = 0x80i64;
PerfGlobalGroupMask = GetPerfGlobalGroupMask();
goto LABEL_18;
}
switch ( v2 )
{
case 14393u:
goto LABEL_17;
case 610u:
LODWORD(OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK) = 24;
offset_SystemCallNumber = 0x1F8i64;
PerfGlobalGroupMask = GetPerfGlobalGroupMask2();
break;
case 620u:
LODWORD(OFFSET_WMI_LOGGER_CONTEXT_CPU_CYCLE_CLOCK) = 40;
offset_SystemCallNumber = 0x80i64;
PerfGlobalGroupMask = GetPerfGlobalGroupMask3();
break;
case 630u:
case 10240u:
case 10586u:
goto LABEL_17;
}
LABEL_18:
if ( v2 > 18362 )
v1 = FindOffsetsFor18383();
return v1;
}
注意这里还会在KeReleaseSpinLock里面搜索PerfGlobalGroupMask
_int64 GetPerfGlobalGroupMask()
{
_BYTE *v1; // [rsp+20h] [rbp-38h]
unsigned int v2; // [rsp+28h] [rbp-30h]
__int64 v3; // [rsp+30h] [rbp-28h]
UNICODE_STRING DestinationString; // [rsp+40h] [rbp-18h]
v2 = 0;
v3 = 0i64;
RtlInitUnicodeString(&DestinationString, L"KeReleaseSpinLock");
v1 = MmGetSystemRoutineAddress(&DestinationString);
if ( !v1 )
return 0i64;
while ( v2 < 0xA )
{
if ( v1[v2] == 0x40
&& v1[v2 + 1] == 0x53
&& v1[v2 + 2] == 0x48
&& (unsigned __int8)v1[v2 + 3] == 0x83
&& (unsigned __int8)v1[v2 + 6] == 0xF6
&& v1[v2 + 7] == 5 )
{
v3 = (__int64)&v1[*(unsigned int *)&v1[v2 + 8] + 7];
if ( !(unsigned __int8)MmIsAddressValid(v3) || !(unsigned __int8)MmIsAddressValid(v3 + 15) )
return 0i64;
return v3;
}
++v2;
}
return v3;
}
_int64 GetPerfGlobalGroupMask()
{
_BYTE *v1; // [rsp+20h] [rbp-38h]
unsigned int v2; // [rsp+28h] [rbp-30h]
__int64 v3; // [rsp+30h] [rbp-28h]
UNICODE_STRING DestinationString; // [rsp+40h] [rbp-18h]
v2 = 0;
v3 = 0i64;
RtlInitUnicodeString(&DestinationString, L"KeReleaseSpinLock");
v1 = MmGetSystemRoutineAddress(&DestinationString);
if ( !v1 )
return 0i64;
while ( v2 < 0xA )
{
if ( v1[v2] == 0x40
&& v1[v2 + 1] == 0x53
&& v1[v2 + 2] == 0x48
&& (unsigned __int8)v1[v2 + 3] == 0x83
&& (unsigned __int8)v1[v2 + 6] == 0xF6
&& v1[v2 + 7] == 5 )
{
v3 = (__int64)&v1[*(unsigned int *)&v1[v2 + 8] + 7];
if ( !(unsigned __int8)MmIsAddressValid(v3) || !(unsigned __int8)MmIsAddressValid(v3 + 15) )
return 0i64;
return v3;
}
++v2;
}
return v3;
}
注意这个PerfGlobalGroupMask[2] & 0x40控制SYSTEM_CALL的etw记录是否开启
6789安全卫士为了不让自己的hook被关闭,会给这里监控并强制置位
LoadSSSDTFunctionEntry没什么可说的,和LoadSSDTFunctionEntry的唯一区别就是取entry之前先attach了explorer
从刚才获取的ssdt入口中取出ZwTraceControl(貌似6789安全卫士用的还是NtTraceControl?我没仔细看,但是如果是NtTraceControl的话我只能说这也太捞了吧,他不怕我蓝屏的吗?)
__int64 MakeZwTraceControl()
{
__int64 result; // rax
char *v1; // [rsp+20h] [rbp-18h]
v1 = FindZwForSSDT("NtTraceControl");
if ( v1 )
result = *((_QWORD *)v1 + 42);
else
result = 0i64;
return result;
}
__int64 MakeZwTraceControl()
{
__int64 result; // rax
char *v1; // [rsp+20h] [rbp-18h]
v1 = FindZwForSSDT("NtTraceControl");
if ( v1 )
result = *((_QWORD *)v1 + 42);
else
result = 0i64;
return result;
}
获取ClckLoggerContext,根据版本不同获取方法还不一样
NTSTATUS __fastcall GetCkcl(unsigned int type, _QWORD *clck)
{
NTSTATUS result; // eax
unsigned int v3; // [rsp+20h] [rbp-18h]
unsigned int typee; // [rsp+40h] [rbp+8h]
_QWORD *clck_1; // [rsp+48h] [rbp+10h]
clck_1 = clck;
typee = type;
v3 = GetBuildNumber();
if ( v3 <= 14393 )
{
if ( v3 != 14393 )
{
switch ( v3 )
{
case 610u:
return GetCkclWmiLoggerContext7601(typee, clck_1);
case 620u:
return GetCkclWmiLoggerContext9200(typee, clck_1);
case 630u:
return GetCkclWmiLoggerContext9600(typee, clck_1);
}
if ( v3 != 10240 && v3 != 10586 )
goto LABEL_19;
}
return GetCkclWmiLoggerContext(typee, clck_1);
}
if ( v3 == 15063 || v3 == 16299 || v3 == 17134 || v3 == 17763 || v3 == 18362 )
return GetCkclWmiLoggerContext(typee, clck_1);
LABEL_19:
if ( v3 <= 18362 )
result = 0xC0000001;
else
result = sub_2A0A0(typee, clck_1);
return result;
}
NTSTATUS __fastcall GetCkcl(unsigned int type, _QWORD *clck)
{
NTSTATUS result; // eax
unsigned int v3; // [rsp+20h] [rbp-18h]
unsigned int typee; // [rsp+40h] [rbp+8h]
_QWORD *clck_1; // [rsp+48h] [rbp+10h]
clck_1 = clck;
typee = type;
v3 = GetBuildNumber();
if ( v3 <= 14393 )
{
if ( v3 != 14393 )
{
switch ( v3 )
{
case 610u:
return GetCkclWmiLoggerContext7601(typee, clck_1);
case 620u:
return GetCkclWmiLoggerContext9200(typee, clck_1);
case 630u:
return GetCkclWmiLoggerContext9600(typee, clck_1);
}
if ( v3 != 10240 && v3 != 10586 )
goto LABEL_19;
}
return GetCkclWmiLoggerContext(typee, clck_1);
}
if ( v3 == 15063 || v3 == 16299 || v3 == 17134 || v3 == 17763 || v3 == 18362 )
return GetCkclWmiLoggerContext(typee, clck_1);
LABEL_19:
if ( v3 <= 18362 )
result = 0xC0000001;
else
result = sub_2A0A0(typee, clck_1);
return result;
}
7600 7601从EtwSendTraceBuffer里搜索WmipLoggerContext
9200(win8)9600(win8.1)也是同样的套路这里就不重复发了
win10上面使用经典的复制粘贴大法
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2020-3-26 13:16
被hzqst编辑
,原因: