枚举并删除系统上PsSetCreateThreadNotifyRoutine回调

DemonGan

发布日期: 2019-03-12 09:40:41 浏览量: 910
评分:
star star star star star star star star star star_border
*转载请注明来自write-bug.com

背景

我们学习内核 Rootkit 编程,那么肯定会接触到各种无 HOOK 回调函数的设置,这些回调函数都是官方为我们做好的接口,我们直接调用就好。这些回调使用方便,运行在底层,功能强大,而且非常稳定。很多杀软、游戏保护等就是设置这些回调,实现对计算机的监控的。

既然可以设置回调,自然也可以删除回调。如果是自己程序设置的回调,当然可以很容易删除。但是,我们要做的是要枚举系统上存在的回调,不管是不是自己程序创建的,然后,并对这些回调进行删除,使其失效。

本文要介绍的是枚举并删除系统上 PsSetCreateThreadNotifyRoutine 回调,支持 32 位和 64 位、Win7 到 Win10 全平台系统。现在,我把实现的过程和原理整理成文档,分享给大家。

实现原理

我们注册的线程回调,会存储在一个名为 PspCreateThreadNotifyRoutine 的数组里。 PspCreateThreadNotifyRoutine 可以理解成一个 PVOID 数组,它存储着系统里所有 PsSetCreateThreadNotifyRoutine 线程回调函数地址的加密地址。PspCreateThreadNotifyRoutine数组里的数据是加密的,要经过解密操作才可以获取正确的数据。

PspCreateThreadNotifyRoutine 数组地址的获取

我们借助 WinDbg 帮助我们逆向 PsSetCreateThreadNotifyRoutine 内核函数,在 Win10 之前的系统,即 Win7、Win8、Win8.1等系统下,我们可以直接通过在内核函数 PsSetCreateThreadNotifyRoutine 中扫描内存特征码,在 32 位系统下,可以直接定位得到数组 PspCreateThreadNotifyRoutine 的地址;在 64 位下,可以获取数组 PspCreateThreadNotifyRoutine 的偏移,从而根据偏移计算出地址。

其中,Win8.1 32 位下 PsSetCreateThreadNotifyRoutine 函数逆向代码:

  1. nt!PsSetCreateThreadNotifyRoutine+0x16:
  2. 8116e54e 53 push ebx
  3. 8116e54f 57 push edi
  4. 8116e550 bbc8640181 mov ebx,offset nt!PspCreateThreadNotifyRoutine (810164c8)
  5. 8116e555 33ff xor edi,edi

其中,Win8.1 64 位下 PsSetCreateThreadNotifyRoutine 函数逆向代码:

  1. nt!PsSetCreateThreadNotifyRoutine+0x1f:
  2. fffff800`c0ba5d13 488d0de6fedbff lea rcx,[nt!PspCreateThreadNotifyRoutine (fffff800`c0965c00)]
  3. fffff800`c0ba5d1a 4533c0 xor r8d,r8d

下面是总结的特征码:

Win7 win8.1 win10
32 位 BE BB E8/BF
64 位 488D0D 488D0D E9/488D0D

但是,在 Win10 系统上,我们需要先在 PsSetCreateThreadNotifyRoutine 函数中获取 PspSetCreateThreadNotifyRoutine 函数的偏移,再计算出地址;然后,根据内存特征码扫描 PspSetCreateThreadNotifyRoutine 函数的内存,在 32 位系统下,可直接获取 PspCreateThreadNotifyRoutine 数组的地址;在 64 位系统下,可以获取 PspCreateThreadNotifyRoutine 数组的偏移,然后计算出地址。

其中,Win10 64 位下 PsSetCreateThreadNotifyRoutine 函数逆向代码:

  1. nt!PsSetCreateThreadNotifyRoutine:
  2. fffff803`1bd332cc 33d2 xor edx,edx
  3. fffff803`1bd332ce e905010000 jmp nt!PspSetCreateThreadNotifyRoutine (fffff803`1bd333d8)

其中,Win10 64 位下 PspSetCreateThreadNotifyRoutine 函数逆向代码:

  1. nt!PspSetCreateThreadNotifyRoutine+0x2d:
  2. fffff803`1bd33405 488d0d740bdfff lea rcx,[nt!PspCreateThreadNotifyRoutine (fffff803`1bb23f80)]
  3. fffff803`1bd3340c 4533c0 xor r8d,r8d

总的来说,在 Win10 版本之前,直接通过扫描 PsSetCreateProcessNotifyRoutine 函数内存,就可获取 PspCreateProcessNotifyRoutine 地址;在 Win10 下获取 PspCreateProcessNotifyRoutine 地址可以分成两步:

  • 首先,通过扫描特征码,从 PsSetCreateProcessNotifyRoutine 函数中获取 PspSetCreateProcessNotifyRoutine 函数的地址。

  • 然后,通过扫描特征码,从 PspSetCreateProcessNotifyRoutine 函数中获取 PspCreateProcessNotifyRoutine 数组的地址。

那么,特征码的确定就变得至关重要了。

PspCreateThreadNotifyRoutine 里数据的解密

我们上面说,PspCreateThreadNotifyRoutine 里的数据是加密的,在 64 位系统和 32 位系统上的加密方式是不相同的,自然解密方式也不同。现在,我们分别介绍 32 位系统和 64 位系统下的解密方式。

对于 32 位系统来说:PspCreateThreadNotifyRoutine 是一个 4 字节无符号类型的数组,数组大小最大为 8。我们使用 PspCreateThreadNotifyRoutine[i] 表示数组中的值,那么,32 位系统下的解密方式为:

  • 首先,数组的值 PspCreateThreadNotifyRoutine[i] 位运算“与” 0xFFFFFFF8。

  • 然后,“与”运算之后的结果值再加上 4,结果就是一个存储着回调函数地址的地址。

对于 64 位系统来说:PspCreateThreadNotifyRoutine 是一个 8 字节无符号类型的数组,数组大小最大为 64。我们使用 PspCreateThreadNotifyRoutine[i] 表示数组中的值,那么,64 位系统下的解密方式为:

数组的值 PspCreateThreadNotifyRoutine[i] 位运算“与” 0xFFFFFFFFFFFFFFF8,结果就是一个存储着回调函数地址的地址。

删除回调

我们可以通过上述介绍的方法,枚举系统中的回调函数。那么,要删除回调函数可以有 3 种方式:

  • 可以直接调用 PsRemoveCreateThreadNotifyRoutine 函数,传入回调函数地址,即可删除回调。

  • 修改 PspCreateThreadNotifyRoutine 数组中的数据,使其指向我们自己定义的空回调函数地址。这样,当触发回调函数的时候,执行的是我们自己的空回调函数。

  • 修改回调函数的前几字节内存数据,写入直接返回指令 RET,不进行任何操作。

编码实现

遍历回调

  1. // 遍历回调
  2. BOOLEAN EnumNotifyRoutine()
  3. {
  4. ULONG i = 0;
  5. PVOID pPspCreateThreadNotifyRoutineAddress = NULL;
  6. PVOID pNotifyRoutineAddress = NULL;
  7. // 获取 PspCreateThreadNotifyRoutine 数组地址
  8. pPspCreateThreadNotifyRoutineAddress = GetPspCreateThreadNotifyRoutine();
  9. if (NULL == pPspCreateThreadNotifyRoutineAddress)
  10. {
  11. DbgPrint("GetPspCreateThreadNotifyRoutine Error!\n");
  12. return FALSE;
  13. }
  14. DbgPrint("pPspCreateThreadNotifyRoutineAddress=0x%p\n", pPspCreateThreadNotifyRoutineAddress);
  15. // 获取回调地址并解密
  16. #ifdef _WIN64
  17. for (i = 0; i < 64; i++)
  18. {
  19. pNotifyRoutineAddress = *(PVOID *)((PUCHAR)pPspCreateThreadNotifyRoutineAddress + sizeof(PVOID) * i);
  20. pNotifyRoutineAddress = (PVOID)((ULONG64)pNotifyRoutineAddress & 0xfffffffffffffff8);
  21. if (MmIsAddressValid(pNotifyRoutineAddress))
  22. {
  23. pNotifyRoutineAddress = *(PVOID *)pNotifyRoutineAddress;
  24. DbgPrint("[%d]ullNotifyRoutine=0x%p\n", i, pNotifyRoutineAddress);
  25. }
  26. }
  27. #else
  28. for (i = 0; i < 8; i++)
  29. {
  30. pNotifyRoutineAddress = *(PVOID *)((PUCHAR)pPspCreateThreadNotifyRoutineAddress + sizeof(PVOID) * i);
  31. pNotifyRoutineAddress = (PVOID)((ULONG)pNotifyRoutineAddress & 0xfffffff8);
  32. if (MmIsAddressValid(pNotifyRoutineAddress))
  33. {
  34. pNotifyRoutineAddress = *(PVOID *)((PUCHAR)pNotifyRoutineAddress + 4);
  35. DbgPrint("[%d]ullNotifyRoutine=0x%p\n", i, pNotifyRoutineAddress);
  36. }
  37. }
  38. #endif
  39. return TRUE;
  40. }

移除回调

  1. // 移除回调
  2. NTSTATUS RemoveNotifyRoutine(PVOID pNotifyRoutineAddress)
  3. {
  4. NTSTATUS status = PsRemoveCreateThreadNotifyRoutine((PCREATE_THREAD_NOTIFY_ROUTINE)pNotifyRoutineAddress);
  5. if (!NT_SUCCESS(status))
  6. {
  7. ShowError("PsRemoveCreateThreadNotifyRoutine", status);
  8. }
  9. return status;
  10. }

获取 PspCreateThreadNotifyRoutine 数组地址

  1. // 获取 PspCreateThreadNotifyRoutine 数组地址
  2. PVOID GetPspCreateThreadNotifyRoutine()
  3. {
  4. PVOID pPspCreateThreadNotifyRoutineAddress = NULL;
  5. RTL_OSVERSIONINFOW osInfo = { 0 };
  6. UCHAR pFirstSpecialData[50] = { 0 };
  7. ULONG ulFirstSpecialDataSize = 0;
  8. UCHAR pSecondSpecialData[50] = { 0 };
  9. ULONG ulSecondSpecialDataSize = 0;
  10. // 获取系统版本信息, 判断系统版本
  11. RtlGetVersion(&osInfo);
  12. if (6 == osInfo.dwMajorVersion)
  13. {
  14. if (1 == osInfo.dwMinorVersion)
  15. {
  16. // Win7
  17. #ifdef _WIN64
  18. // 64 位
  19. // 488D0D
  20. pFirstSpecialData[0] = 0x48;
  21. pFirstSpecialData[1] = 0x8D;
  22. pFirstSpecialData[2] = 0x0D;
  23. ulFirstSpecialDataSize = 3;
  24. #else
  25. // 32 位
  26. // BE
  27. pFirstSpecialData[0] = 0xBE;
  28. ulFirstSpecialDataSize = 1;
  29. #endif
  30. }
  31. else if (2 == osInfo.dwMinorVersion)
  32. {
  33. // Win8
  34. #ifdef _WIN64
  35. // 64 位
  36. #else
  37. // 32 位
  38. #endif
  39. }
  40. else if (3 == osInfo.dwMinorVersion)
  41. {
  42. // Win8.1
  43. #ifdef _WIN64
  44. // 64 位
  45. // 488D0D
  46. pFirstSpecialData[0] = 0x48;
  47. pFirstSpecialData[1] = 0x8D;
  48. pFirstSpecialData[2] = 0x0D;
  49. ulFirstSpecialDataSize = 3;
  50. #else
  51. // 32 位
  52. // BB
  53. pFirstSpecialData[0] = 0xBB;
  54. ulFirstSpecialDataSize = 1;
  55. #endif
  56. }
  57. }
  58. else if (10 == osInfo.dwMajorVersion)
  59. {
  60. // Win10
  61. #ifdef _WIN64
  62. // 64 位
  63. // E9
  64. pFirstSpecialData[0] = 0xE9;
  65. ulFirstSpecialDataSize = 1;
  66. // 488D0D
  67. pSecondSpecialData[0] = 0x48;
  68. pSecondSpecialData[1] = 0x8D;
  69. pSecondSpecialData[2] = 0x0D;
  70. ulSecondSpecialDataSize = 3;
  71. #else
  72. // 32 位
  73. // E8
  74. pFirstSpecialData[0] = 0xE8;
  75. ulFirstSpecialDataSize = 1;
  76. // BF
  77. pSecondSpecialData[0] = 0xBF;
  78. ulSecondSpecialDataSize = 1;
  79. #endif
  80. }
  81. // 根据特征码获取地址
  82. pPspCreateThreadNotifyRoutineAddress = SearchPspCreateThreadNotifyRoutine(pFirstSpecialData, ulFirstSpecialDataSize, pSecondSpecialData, ulSecondSpecialDataSize);
  83. return pPspCreateThreadNotifyRoutineAddress;
  84. }

根据特征码获取 PspCreateThreadNotifyRoutine 数组地址

  1. // 根据特征码获取 PspCreateThreadNotifyRoutine 数组地址
  2. PVOID SearchPspCreateThreadNotifyRoutine(PUCHAR pFirstSpecialData, ULONG ulFirstSpecialDataSize, PUCHAR pSecondSpecialData, ULONG ulSecondSpecialDataSize)
  3. {
  4. UNICODE_STRING ustrFuncName;
  5. PVOID pAddress = NULL;
  6. LONG lOffset = 0;
  7. PVOID pPsSetCreateThreadNotifyRoutine = NULL;
  8. PVOID pPspSetCreateThreadNotifyRoutineAddress = NULL;
  9. PVOID pPspCreateThreadNotifyRoutineAddress = NULL;
  10. // 先获取 PsSetCreateThreadNotifyRoutine 函数地址
  11. RtlInitUnicodeString(&ustrFuncName, L"PsSetCreateThreadNotifyRoutine");
  12. pPsSetCreateThreadNotifyRoutine = MmGetSystemRoutineAddress(&ustrFuncName);
  13. if (NULL == pPsSetCreateThreadNotifyRoutine)
  14. {
  15. ShowError("MmGetSystemRoutineAddress", 0);
  16. return pPspCreateThreadNotifyRoutineAddress;
  17. }
  18. // 然后, 对于非 Win10 系统, 则根据第一个特征码获取 PspCreateThreadNotifyRoutine 地址;
  19. // 对于 Win10 系统, 则需先根据第一个特征码获取获取 PspSetCreateThreadNotifyRoutine 地址,
  20. // 再根据第二个特征码获取 PspCreateThreadNotifyRoutine 地址.
  21. pAddress = SearchMemory(pPsSetCreateThreadNotifyRoutine,
  22. (PVOID)((PUCHAR)pPsSetCreateThreadNotifyRoutine + 0xFF),
  23. pFirstSpecialData, ulFirstSpecialDataSize);
  24. if (NULL == pAddress)
  25. {
  26. ShowError("SearchMemory1", 0);
  27. return pPspCreateThreadNotifyRoutineAddress;
  28. }
  29. // 无第二个特征码, 则非 Win10 系统
  30. if (0 == ulSecondSpecialDataSize)
  31. {
  32. // 获取 PspCreateThreadNotifyRoutine 地址
  33. #ifdef _WIN64
  34. // 64 位
  35. // 获取偏移数据, 并计算地址
  36. lOffset = *(PLONG)pAddress;
  37. pPspCreateThreadNotifyRoutineAddress = (PVOID)((PUCHAR)pAddress + sizeof(LONG) + lOffset);
  38. #else
  39. // 32 位
  40. pPspCreateThreadNotifyRoutineAddress = *(PVOID *)pAddress;
  41. #endif
  42. // 直接返回
  43. return pPspCreateThreadNotifyRoutineAddress;
  44. }
  45. // 存在第二个特征码, 即 Win10 系统
  46. // 获取偏移数据, 并计算地址
  47. lOffset = *(PLONG)pAddress;
  48. pPspSetCreateThreadNotifyRoutineAddress = (PVOID)((PUCHAR)pAddress + sizeof(LONG) + lOffset);
  49. // 最后, 查找 PspCreateThreadNotifyRoutine 地址
  50. pAddress = SearchMemory(pPspSetCreateThreadNotifyRoutineAddress,
  51. (PVOID)((PUCHAR)pPspSetCreateThreadNotifyRoutineAddress + 0xFF),
  52. pSecondSpecialData, ulSecondSpecialDataSize);
  53. if (NULL == pAddress)
  54. {
  55. ShowError("SearchMemory2", 0);
  56. return pPspCreateThreadNotifyRoutineAddress;
  57. }
  58. // 获取 PspCreateThreadNotifyRoutine 地址
  59. #ifdef _WIN64
  60. // 64 位先获取偏移, 再计算地址
  61. lOffset = *(PLONG)pAddress;
  62. pPspCreateThreadNotifyRoutineAddress = (PVOID)((PUCHAR)pAddress + sizeof(LONG) + lOffset);
  63. #else
  64. // 32 位直接获取地址
  65. pPspCreateThreadNotifyRoutineAddress = *(PVOID *)pAddress;
  66. #endif
  67. return pPspCreateThreadNotifyRoutineAddress;
  68. }

指定内存区域的特征码扫描

  1. // 指定内存区域的特征码扫描
  2. PVOID SearchMemory(PVOID pStartAddress, PVOID pEndAddress, PUCHAR pMemoryData, ULONG ulMemoryDataSize)
  3. {
  4. PVOID pAddress = NULL;
  5. PUCHAR i = NULL;
  6. ULONG m = 0;
  7. // 扫描内存
  8. for (i = (PUCHAR)pStartAddress; i < (PUCHAR)pEndAddress; i++)
  9. {
  10. // 判断特征码
  11. for (m = 0; m < ulMemoryDataSize; m++)
  12. {
  13. if (*(PUCHAR)(i + m) != pMemoryData[m])
  14. {
  15. break;
  16. }
  17. }
  18. // 判断是否找到符合特征码的地址
  19. if (m >= ulMemoryDataSize)
  20. {
  21. // 找到特征码位置, 获取紧接着特征码的下一地址
  22. pAddress = (PVOID)(i + ulMemoryDataSize);
  23. break;
  24. }
  25. }
  26. return pAddress;
  27. }

程序测试

在 Win7 32 位系统下,驱动程序正常执行:

在 Win8.1 32 位系统下,驱动程序正常执行:

在 Win10 32 位系统下,驱动程序正常执行:

在 Win7 64 位系统下,驱动程序正常执行:

在 Win8.1 64 位系统下,驱动程序正常执行:

在 Win10 64 位系统下,驱动程序正常执行:

总结

要理解清楚获取 PspCreateThreadNotifyRoutine 地址的流程,其中,不同系统的内存特征码是不同的,要注意区分。大家也不用记忆这些特征码,如果需要用到,可以随时使用 WinDbg 来进行逆向查看就好。

而且,不同位数系统中,对 PspCreateThreadNotifyRoutine 数组中的值解密方式也不相同,这个需要区分开来。

删除回调常用就有 3 种方式,自己根据需要选择一种使用即可。

参考

参考自《Windows黑客编程技术详解》一书

附录

Win7 32 位 PsSetCreateThreadNotifyRoutine

  1. lkd> uf PsSetCreateThreadNotifyRoutine
  2. nt!PsSetCreateThreadNotifyRoutine:
  3. 840f1dab 8bff mov edi,edi
  4. 840f1dad 55 push ebp
  5. 840f1dae 8bec mov ebp,esp
  6. 840f1db0 53 push ebx
  7. 840f1db1 57 push edi
  8. 840f1db2 33ff xor edi,edi
  9. 840f1db4 57 push edi
  10. 840f1db5 ff7508 push dword ptr [ebp+8]
  11. 840f1db8 e85c38ebff call nt!ExAllocateCallBack (83fa5619)
  12. 840f1dbd 8bd8 mov ebx,eax
  13. 840f1dbf 3bdf cmp ebx,edi
  14. 840f1dc1 7507 jne nt!PsSetCreateThreadNotifyRoutine+0x1f (840f1dca)
  15. nt!PsSetCreateThreadNotifyRoutine+0x18:
  16. 840f1dc3 b89a0000c0 mov eax,0C000009Ah
  17. 840f1dc8 eb2f jmp nt!PsSetCreateThreadNotifyRoutine+0x4e (840f1df9)
  18. nt!PsSetCreateThreadNotifyRoutine+0x1f:
  19. 840f1dca 56 push esi
  20. 840f1dcb bec031f583 mov esi,offset nt!PspCreateThreadNotifyRoutine (83f531c0)
  21. nt!PsSetCreateThreadNotifyRoutine+0x25:
  22. 840f1dd0 6a00 push 0
  23. 840f1dd2 8bcb mov ecx,ebx
  24. 840f1dd4 8bc6 mov eax,esi
  25. 840f1dd6 e86d38ebff call nt!ExCompareExchangeCallBack (83fa5648)
  26. 840f1ddb 84c0 test al,al
  27. 840f1ddd 7520 jne nt!PsSetCreateThreadNotifyRoutine+0x54 (840f1dff)
  28. nt!PsSetCreateThreadNotifyRoutine+0x34:
  29. 840f1ddf 83c704 add edi,4
  30. 840f1de2 83c604 add esi,4
  31. 840f1de5 81ff00010000 cmp edi,100h
  32. 840f1deb 72e3 jb nt!PsSetCreateThreadNotifyRoutine+0x25 (840f1dd0)
  33. nt!PsSetCreateThreadNotifyRoutine+0x42:
  34. 840f1ded 53 push ebx
  35. 840f1dee e818c5f9ff call nt!AlpcpFreeBuffer (8408e30b)
  36. 840f1df3 b89a0000c0 mov eax,0C000009Ah
  37. nt!PsSetCreateThreadNotifyRoutine+0x4d:
  38. 840f1df8 5e pop esi
  39. nt!PsSetCreateThreadNotifyRoutine+0x4e:
  40. 840f1df9 5f pop edi
  41. 840f1dfa 5b pop ebx
  42. 840f1dfb 5d pop ebp
  43. 840f1dfc c20400 ret 4
  44. nt!PsSetCreateThreadNotifyRoutine+0x54:
  45. 840f1dff 33c9 xor ecx,ecx
  46. 840f1e01 b8c032f583 mov eax,offset nt!PspCreateThreadNotifyRoutineCount (83f532c0)
  47. 840f1e06 41 inc ecx
  48. 840f1e07 f00fc108 lock xadd dword ptr [eax],ecx
  49. 840f1e0b a19830f583 mov eax,dword ptr [nt!PspNotifyEnableMask (83f53098)]
  50. 840f1e10 a808 test al,8
  51. 840f1e12 750a jne nt!PsSetCreateThreadNotifyRoutine+0x73 (840f1e1e)
  52. nt!PsSetCreateThreadNotifyRoutine+0x69:
  53. 840f1e14 b89830f583 mov eax,offset nt!PspNotifyEnableMask (83f53098)
  54. 840f1e19 f00fba2803 lock bts dword ptr [eax],3
  55. nt!PsSetCreateThreadNotifyRoutine+0x73:
  56. 840f1e1e 33c0 xor eax,eax
  57. 840f1e20 ebd6 jmp nt!PsSetCreateThreadNotifyRoutine+0x4d (840f1df8)

Win7 64 位 PsSetCreateThreadNotifyRoutine

  1. lkd> uf PsSetCreateThreadNotifyRoutine
  2. nt!PsSetCreateThreadNotifyRoutine:
  3. fffff800`0428dbe0 48895c2408 mov qword ptr [rsp+8],rbx
  4. fffff800`0428dbe5 57 push rdi
  5. fffff800`0428dbe6 4883ec20 sub rsp,20h
  6. fffff800`0428dbea 33d2 xor edx,edx
  7. fffff800`0428dbec e86faffeff call nt!ExAllocateCallBack (fffff800`04278b60)
  8. fffff800`0428dbf1 488bf8 mov rdi,rax
  9. fffff800`0428dbf4 4885c0 test rax,rax
  10. fffff800`0428dbf7 7507 jne nt!PsSetCreateThreadNotifyRoutine+0x20 (fffff800`0428dc00)
  11. nt!PsSetCreateThreadNotifyRoutine+0x19:
  12. fffff800`0428dbf9 b89a0000c0 mov eax,0C000009Ah
  13. fffff800`0428dbfe eb4a jmp nt!PsSetCreateThreadNotifyRoutine+0x6a (fffff800`0428dc4a)
  14. nt!PsSetCreateThreadNotifyRoutine+0x20:
  15. fffff800`0428dc00 33db xor ebx,ebx
  16. nt!PsSetCreateThreadNotifyRoutine+0x22:
  17. fffff800`0428dc02 488d0d5799d9ff lea rcx,[nt!PspCreateThreadNotifyRoutine (fffff800`04027560)]
  18. fffff800`0428dc09 4533c0 xor r8d,r8d
  19. fffff800`0428dc0c 488bd7 mov rdx,rdi
  20. fffff800`0428dc0f 488d0cd9 lea rcx,[rcx+rbx*8]
  21. fffff800`0428dc13 e83814f8ff call nt!ExCompareExchangeCallBack (fffff800`0420f050)
  22. fffff800`0428dc18 84c0 test al,al
  23. fffff800`0428dc1a 7511 jne nt!PsSetCreateThreadNotifyRoutine+0x4d (fffff800`0428dc2d)
  24. nt!PsSetCreateThreadNotifyRoutine+0x3c:
  25. fffff800`0428dc1c ffc3 inc ebx
  26. fffff800`0428dc1e 83fb40 cmp ebx,40h
  27. fffff800`0428dc21 72df jb nt!PsSetCreateThreadNotifyRoutine+0x22 (fffff800`0428dc02)
  28. nt!PsSetCreateThreadNotifyRoutine+0x43:
  29. fffff800`0428dc23 488bcf mov rcx,rdi
  30. fffff800`0428dc26 e825defeff call nt!IopDeallocateApc (fffff800`0427ba50)
  31. fffff800`0428dc2b ebcc jmp nt!PsSetCreateThreadNotifyRoutine+0x19 (fffff800`0428dbf9)
  32. nt!PsSetCreateThreadNotifyRoutine+0x4d:
  33. fffff800`0428dc2d f083052b9bd9ff01 lock add dword ptr [nt!PspCreateThreadNotifyRoutineCount (fffff800`04027760)],1
  34. fffff800`0428dc35 8b05a598d9ff mov eax,dword ptr [nt!PspNotifyEnableMask (fffff800`040274e0)]
  35. fffff800`0428dc3b a808 test al,8
  36. fffff800`0428dc3d 7509 jne nt!PsSetCreateThreadNotifyRoutine+0x68 (fffff800`0428dc48)
  37. nt!PsSetCreateThreadNotifyRoutine+0x5f:
  38. fffff800`0428dc3f f00fba2d9898d9ff03 lock bts dword ptr [nt!PspNotifyEnableMask (fffff800`040274e0)],3
  39. nt!PsSetCreateThreadNotifyRoutine+0x68:
  40. fffff800`0428dc48 33c0 xor eax,eax
  41. nt!PsSetCreateThreadNotifyRoutine+0x6a:
  42. fffff800`0428dc4a 488b5c2430 mov rbx,qword ptr [rsp+30h]
  43. fffff800`0428dc4f 4883c420 add rsp,20h
  44. fffff800`0428dc53 5f pop rdi
  45. fffff800`0428dc54 c3 ret

Win8.1 32 位 PsSetCreateThreadNotifyRoutine

  1. lkd> uf PsSetCreateThreadNotifyRoutine
  2. nt!PsSetCreateThreadNotifyRoutine:
  3. 8116e538 8bff mov edi,edi
  4. 8116e53a 55 push ebp
  5. 8116e53b 8bec mov ebp,esp
  6. 8116e53d 8b4d08 mov ecx,dword ptr [ebp+8]
  7. 8116e540 33d2 xor edx,edx
  8. 8116e542 56 push esi
  9. 8116e543 e80a040000 call nt!ExAllocateCallBack (8116e952)
  10. 8116e548 8bf0 mov esi,eax
  11. 8116e54a 85f6 test esi,esi
  12. 8116e54c 7444 je nt!PsSetCreateThreadNotifyRoutine+0x5a (8116e592)
  13. nt!PsSetCreateThreadNotifyRoutine+0x16:
  14. 8116e54e 53 push ebx
  15. 8116e54f 57 push edi
  16. 8116e550 bbc8640181 mov ebx,offset nt!PspCreateThreadNotifyRoutine (810164c8)
  17. 8116e555 33ff xor edi,edi
  18. nt!PsSetCreateThreadNotifyRoutine+0x1f:
  19. 8116e557 6a00 push 0
  20. 8116e559 8bd6 mov edx,esi
  21. 8116e55b 8bcb mov ecx,ebx
  22. 8116e55d e8f627d9ff call nt!ExCompareExchangeCallBack (80f00d58)
  23. 8116e562 84c0 test al,al
  24. 8116e564 0f84ff030a00 je nt! ?? ::NNGAKEGL::`string'+0x702ff (8120e969)
  25. nt!PsSetCreateThreadNotifyRoutine+0x32:
  26. 8116e56a 33c0 xor eax,eax
  27. 8116e56c b94c6c2f81 mov ecx,offset nt!PspCreateThreadNotifyRoutineCount (812f6c4c)
  28. 8116e571 40 inc eax
  29. 8116e572 f00fc101 lock xadd dword ptr [ecx],eax
  30. 8116e576 a1446c2f81 mov eax,dword ptr [nt!PspNotifyEnableMask (812f6c44)]
  31. 8116e57b a808 test al,8
  32. 8116e57d 750a jne nt!PsSetCreateThreadNotifyRoutine+0x51 (8116e589)
  33. nt!PsSetCreateThreadNotifyRoutine+0x47:
  34. 8116e57f b8446c2f81 mov eax,offset nt!PspNotifyEnableMask (812f6c44)
  35. 8116e584 f00fba2803 lock bts dword ptr [eax],3
  36. nt!PsSetCreateThreadNotifyRoutine+0x51:
  37. 8116e589 33c0 xor eax,eax
  38. nt!PsSetCreateThreadNotifyRoutine+0x53:
  39. 8116e58b 5f pop edi
  40. 8116e58c 5b pop ebx
  41. nt!PsSetCreateThreadNotifyRoutine+0x55:
  42. 8116e58d 5e pop esi
  43. 8116e58e 5d pop ebp
  44. 8116e58f c20400 ret 4
  45. nt!PsSetCreateThreadNotifyRoutine+0x5a:
  46. 8116e592 b89a0000c0 mov eax,0C000009Ah
  47. 8116e597 ebf4 jmp nt!PsSetCreateThreadNotifyRoutine+0x55 (8116e58d)
  48. nt! ?? ::NNGAKEGL::`string'+0x702ff:
  49. 8120e969 83c704 add edi,4
  50. 8120e96c 83c304 add ebx,4
  51. 8120e96f 81ff00010000 cmp edi,100h
  52. 8120e975 0f82dcfbf5ff jb nt!PsSetCreateThreadNotifyRoutine+0x1f (8116e557)
  53. nt! ?? ::NNGAKEGL::`string'+0x70311:
  54. 8120e97b 8bce mov ecx,esi
  55. 8120e97d e800fce8ff call nt!ExFreeCallBack (8109e582)
  56. 8120e982 b89a0000c0 mov eax,0C000009Ah
  57. 8120e987 e9fffbf5ff jmp nt!PsSetCreateThreadNotifyRoutine+0x53 (8116e58b)

Win8.1 64 位 PsSetCreateThreadNotifyRoutine

  1. lkd> uf PsSetCreateThreadNotifyRoutine
  2. Flow analysis was incomplete, some code may be missing
  3. nt!PsSetCreateThreadNotifyRoutine:
  4. fffff803`107a0cf4 48895c2408 mov qword ptr [rsp+8],rbx
  5. fffff803`107a0cf9 57 push rdi
  6. fffff803`107a0cfa 4883ec20 sub rsp,20h
  7. fffff803`107a0cfe 33d2 xor edx,edx
  8. fffff803`107a0d00 e8ab4ffdff call nt!ExAllocateCallBack (fffff803`10775cb0)
  9. fffff803`107a0d05 488bf8 mov rdi,rax
  10. fffff803`107a0d08 4885c0 test rax,rax
  11. fffff803`107a0d0b 0f8423560900 je nt! ?? ::NNGAKEGL::`string'+0x87734 (fffff803`10836334)
  12. nt!PsSetCreateThreadNotifyRoutine+0x1d:
  13. fffff803`107a0d11 33db xor ebx,ebx
  14. nt!PsSetCreateThreadNotifyRoutine+0x1f:
  15. fffff803`107a0d13 488d0de6fedbff lea rcx,[nt!PspCreateThreadNotifyRoutine (fffff803`10560c00)]
  16. fffff803`107a0d1a 4533c0 xor r8d,r8d
  17. fffff803`107a0d1d 488bd7 mov rdx,rdi
  18. fffff803`107a0d20 488d0cd9 lea rcx,[rcx+rbx*8]
  19. fffff803`107a0d24 e87707c1ff call nt!ExCompareExchangeCallBack (fffff803`103b14a0)
  20. fffff803`107a0d29 84c0 test al,al
  21. fffff803`107a0d2b 7427 je nt!PsSetCreateThreadNotifyRoutine+0x60 (fffff803`107a0d54)
  22. nt!PsSetCreateThreadNotifyRoutine+0x39:
  23. fffff803`107a0d2d f0ff051ca91800 lock inc dword ptr [nt!PspCreateThreadNotifyRoutineCount (fffff803`1092b650)]
  24. fffff803`107a0d34 8b05e2a31800 mov eax,dword ptr [nt!PspNotifyEnableMask (fffff803`1092b11c)]
  25. fffff803`107a0d3a a808 test al,8
  26. fffff803`107a0d3c 7509 jne nt!PsSetCreateThreadNotifyRoutine+0x53 (fffff803`107a0d47)
  27. nt!PsSetCreateThreadNotifyRoutine+0x4a:
  28. fffff803`107a0d3e f00fba2dd5a3180003 lock bts dword ptr [nt!PspNotifyEnableMask (fffff803`1092b11c)],3
  29. nt!PsSetCreateThreadNotifyRoutine+0x53:
  30. fffff803`107a0d47 33c0 xor eax,eax
  31. fffff803`107a0d49 488b5c2430 mov rbx,qword ptr [rsp+30h]
  32. fffff803`107a0d4e 4883c420 add rsp,20h
  33. fffff803`107a0d52 5f pop rdi
  34. fffff803`107a0d53 c3 ret
  35. nt!PsSetCreateThreadNotifyRoutine+0x60:
  36. fffff803`107a0d54 ffc3 inc ebx
  37. fffff803`107a0d56 83fb40 cmp ebx,40h
  38. fffff803`107a0d59 72b8 jb nt!PsSetCreateThreadNotifyRoutine+0x1f (fffff803`107a0d13)
  39. nt!PsSetCreateThreadNotifyRoutine+0x67:
  40. fffff803`107a0d5b e9ca550900 jmp nt! ?? ::NNGAKEGL::`string'+0x8772a (fffff803`1083632a)

Win10 32 位 PsSetCreateThreadNotifyRoutine

  1. kd> uf PsSetCreateThreadNotifyRoutine
  2. nt!PsSetCreateThreadNotifyRoutine:
  3. 81e1c7ce 8bff mov edi,edi
  4. 81e1c7d0 55 push ebp
  5. 81e1c7d1 8bec mov ebp,esp
  6. 81e1c7d3 8b4d08 mov ecx,dword ptr [ebp+8]
  7. 81e1c7d6 32d2 xor dl,dl
  8. 81e1c7d8 e813010000 call nt!PspSetCreateThreadNotifyRoutine (81e1c8f0)
  9. 81e1c7dd 5d pop ebp
  10. 81e1c7de c20400 ret 4
  11. kd> uf PspSetCreateThreadNotifyRoutine
  12. nt!PspSetCreateThreadNotifyRoutine:
  13. 81e1c8f0 8bff mov edi,edi
  14. 81e1c8f2 55 push ebp
  15. 81e1c8f3 8bec mov ebp,esp
  16. 81e1c8f5 51 push ecx
  17. 81e1c8f6 8ac2 mov al,dl
  18. 81e1c8f8 33d2 xor edx,edx
  19. 81e1c8fa 84c0 test al,al
  20. 81e1c8fc 8845ff mov byte ptr [ebp-1],al
  21. 81e1c8ff 53 push ebx
  22. 81e1c900 0f95c2 setne dl
  23. 81e1c903 e8b8010000 call nt!ExAllocateCallBack (81e1cac0)
  24. 81e1c908 8bd8 mov ebx,eax
  25. 81e1c90a 85db test ebx,ebx
  26. 81e1c90c 745a je nt!PspSetCreateThreadNotifyRoutine+0x78 (81e1c968)
  27. nt!PspSetCreateThreadNotifyRoutine+0x1e:
  28. 81e1c90e 56 push esi
  29. 81e1c90f 57 push edi
  30. 81e1c910 bf30dbcb81 mov edi,offset nt!PspCreateThreadNotifyRoutine (81cbdb30)
  31. 81e1c915 33f6 xor esi,esi
  32. nt!PspSetCreateThreadNotifyRoutine+0x27:
  33. 81e1c917 6a00 push 0
  34. 81e1c919 8bd3 mov edx,ebx
  35. 81e1c91b 8bcf mov ecx,edi
  36. 81e1c91d e8b21ed6ff call nt!ExCompareExchangeCallBack (81b7e7d4)
  37. 81e1c922 84c0 test al,al
  38. 81e1c924 7513 jne nt!PspSetCreateThreadNotifyRoutine+0x49 (81e1c939)
  39. nt!PspSetCreateThreadNotifyRoutine+0x36:
  40. 81e1c926 83c604 add esi,4
  41. 81e1c929 83c704 add edi,4
  42. 81e1c92c 81fe00010000 cmp esi,100h
  43. 81e1c932 72e3 jb nt!PspSetCreateThreadNotifyRoutine+0x27 (81e1c917)
  44. nt!PspSetCreateThreadNotifyRoutine+0x44:
  45. 81e1c934 e9671c0a00 jmp nt! ?? ::NNGAKEGL::`string'+0x69b94 (81ebe5a0)
  46. nt!PspSetCreateThreadNotifyRoutine+0x49:
  47. 81e1c939 807dff00 cmp byte ptr [ebp-1],0
  48. 81e1c93d 0f856f1c0a00 jne nt! ?? ::NNGAKEGL::`string'+0x69ba6 (81ebe5b2)
  49. nt!PspSetCreateThreadNotifyRoutine+0x53:
  50. 81e1c943 f0ff05d0bdff81 lock inc dword ptr [nt!PspCreateThreadNotifyRoutineCount (81ffbdd0)]
  51. 81e1c94a a1c4bdff81 mov eax,dword ptr [nt!PspNotifyEnableMask (81ffbdc4)]
  52. 81e1c94f a808 test al,8
  53. 81e1c951 7409 je nt!PspSetCreateThreadNotifyRoutine+0x6c (81e1c95c)
  54. nt!PspSetCreateThreadNotifyRoutine+0x63:
  55. 81e1c953 33c0 xor eax,eax
  56. nt!PspSetCreateThreadNotifyRoutine+0x65:
  57. 81e1c955 5f pop edi
  58. 81e1c956 5e pop esi
  59. nt!PspSetCreateThreadNotifyRoutine+0x67:
  60. 81e1c957 5b pop ebx
  61. 81e1c958 8be5 mov esp,ebp
  62. 81e1c95a 5d pop ebp
  63. 81e1c95b c3 ret
  64. nt!PspSetCreateThreadNotifyRoutine+0x6c:
  65. 81e1c95c b8c4bdff81 mov eax,offset nt!PspNotifyEnableMask (81ffbdc4)
  66. 81e1c961 f00fba2803 lock bts dword ptr [eax],3
  67. 81e1c966 ebeb jmp nt!PspSetCreateThreadNotifyRoutine+0x63 (81e1c953)
  68. nt!PspSetCreateThreadNotifyRoutine+0x78:
  69. 81e1c968 b89a0000c0 mov eax,0C000009Ah
  70. 81e1c96d ebe8 jmp nt!PspSetCreateThreadNotifyRoutine+0x67 (81e1c957)
  71. nt! ?? ::NNGAKEGL::`string'+0x69b94:
  72. 81ebe5a0 6a00 push 0
  73. 81ebe5a2 53 push ebx
  74. 81ebe5a3 e8783addff call nt!ExFreePoolWithTag (81c92020)
  75. 81ebe5a8 b89a0000c0 mov eax,0C000009Ah
  76. 81ebe5ad e9a3e3f5ff jmp nt!PspSetCreateThreadNotifyRoutine+0x65 (81e1c955)
  77. nt! ?? ::NNGAKEGL::`string'+0x69ba6:
  78. 81ebe5b2 f0ff05ccbdff81 lock inc dword ptr [nt!PspCreateThreadNotifyRoutineExCount (81ffbdcc)]
  79. 81ebe5b9 a1c4bdff81 mov eax,dword ptr [nt!PspNotifyEnableMask (81ffbdc4)]
  80. 81ebe5be a810 test al,10h
  81. 81ebe5c0 0f858de3f5ff jne nt!PspSetCreateThreadNotifyRoutine+0x63 (81e1c953)
  82. nt! ?? ::NNGAKEGL::`string'+0x69bba:
  83. 81ebe5c6 b8c4bdff81 mov eax,offset nt!PspNotifyEnableMask (81ffbdc4)
  84. 81ebe5cb f00fba2804 lock bts dword ptr [eax],4
  85. 81ebe5d0 e97ee3f5ff jmp nt!PspSetCreateThreadNotifyRoutine+0x63 (81e1c953)

Win10 64 位 PsSetCreateThreadNotifyRoutine

  1. kd> uf PsSetCreateThreadNotifyRoutine
  2. nt!PsSetCreateThreadNotifyRoutine:
  3. fffff800`a09a42cc 33d2 xor edx,edx
  4. fffff800`a09a42ce e905010000 jmp nt!PspSetCreateThreadNotifyRoutine (fffff800`a09a43d8)
  5. nt!PspSetCreateThreadNotifyRoutine:
  6. fffff800`a09a43d8 48895c2408 mov qword ptr [rsp+8],rbx
  7. fffff800`a09a43dd 4889742410 mov qword ptr [rsp+10h],rsi
  8. fffff800`a09a43e2 57 push rdi
  9. fffff800`a09a43e3 4883ec20 sub rsp,20h
  10. fffff800`a09a43e7 408af2 mov sil,dl
  11. fffff800`a09a43ea 33d2 xor edx,edx
  12. fffff800`a09a43ec 4084f6 test sil,sil
  13. fffff800`a09a43ef 0f95c2 setne dl
  14. fffff800`a09a43f2 e819020000 call nt!ExAllocateCallBack (fffff800`a09a4610)
  15. fffff800`a09a43f7 488bf8 mov rdi,rax
  16. fffff800`a09a43fa 4885c0 test rax,rax
  17. fffff800`a09a43fd 0f846b780900 je nt! ?? ::NNGAKEGL::`string'+0x674de (fffff800`a0a3bc6e)
  18. nt!PspSetCreateThreadNotifyRoutine+0x2b:
  19. fffff800`a09a4403 33db xor ebx,ebx
  20. nt!PspSetCreateThreadNotifyRoutine+0x2d:
  21. fffff800`a09a4405 488d0d740bdfff lea rcx,[nt!PspCreateThreadNotifyRoutine (fffff800`a0794f80)]
  22. fffff800`a09a440c 4533c0 xor r8d,r8d
  23. fffff800`a09a440f 488d0cd9 lea rcx,[rcx+rbx*8]
  24. fffff800`a09a4413 488bd7 mov rdx,rdi
  25. fffff800`a09a4416 e875ebbfff call nt!ExCompareExchangeCallBack (fffff800`a05a2f90)
  26. fffff800`a09a441b 84c0 test al,al
  27. fffff800`a09a441d 7435 je nt!PspSetCreateThreadNotifyRoutine+0x7c (fffff800`a09a4454)
  28. nt!PspSetCreateThreadNotifyRoutine+0x47:
  29. fffff800`a09a441f 4084f6 test sil,sil
  30. fffff800`a09a4422 0f8550780900 jne nt! ?? ::NNGAKEGL::`string'+0x674e8 (fffff800`a0a3bc78)
  31. nt!PspSetCreateThreadNotifyRoutine+0x50:
  32. fffff800`a09a4428 f0ff05a5491d00 lock inc dword ptr [nt!PspCreateThreadNotifyRoutineCount (fffff800`a0b78dd4)]
  33. fffff800`a09a442f 8b0503461d00 mov eax,dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)]
  34. fffff800`a09a4435 a808 test al,8
  35. fffff800`a09a4437 7509 jne nt!PspSetCreateThreadNotifyRoutine+0x6a (fffff800`a09a4442)
  36. nt!PspSetCreateThreadNotifyRoutine+0x61:
  37. fffff800`a09a4439 f00fba2df6451d0003 lock bts dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)],3
  38. nt!PspSetCreateThreadNotifyRoutine+0x6a:
  39. fffff800`a09a4442 33c0 xor eax,eax
  40. nt!PspSetCreateThreadNotifyRoutine+0x6c:
  41. fffff800`a09a4444 488b5c2430 mov rbx,qword ptr [rsp+30h]
  42. fffff800`a09a4449 488b742438 mov rsi,qword ptr [rsp+38h]
  43. fffff800`a09a444e 4883c420 add rsp,20h
  44. fffff800`a09a4452 5f pop rdi
  45. fffff800`a09a4453 c3 ret
  46. nt!PspSetCreateThreadNotifyRoutine+0x7c:
  47. fffff800`a09a4454 ffc3 inc ebx
  48. fffff800`a09a4456 83fb40 cmp ebx,40h
  49. fffff800`a09a4459 72aa jb nt!PspSetCreateThreadNotifyRoutine+0x2d (fffff800`a09a4405)
  50. nt!PspSetCreateThreadNotifyRoutine+0x83:
  51. fffff800`a09a445b e904780900 jmp nt! ?? ::NNGAKEGL::`string'+0x674d4 (fffff800`a0a3bc64)
  52. nt! ?? ::NNGAKEGL::`string'+0x674d4:
  53. fffff800`a0a3bc64 33d2 xor edx,edx
  54. fffff800`a0a3bc66 488bcf mov rcx,rdi
  55. fffff800`a0a3bc69 e89223c7ff call nt!ExFreePoolWithTag (fffff800`a06ae000)
  56. nt! ?? ::NNGAKEGL::`string'+0x674de:
  57. fffff800`a0a3bc6e b89a0000c0 mov eax,0C000009Ah
  58. fffff800`a0a3bc73 e9cc87f6ff jmp nt!PspSetCreateThreadNotifyRoutine+0x6c (fffff800`a09a4444)
  59. nt! ?? ::NNGAKEGL::`string'+0x674e8:
  60. fffff800`a0a3bc78 f0ff0551d11300 lock inc dword ptr [nt!PspCreateThreadNotifyRoutineExCount (fffff800`a0b78dd0)]
  61. fffff800`a0a3bc7f 8b05b3cd1300 mov eax,dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)]
  62. fffff800`a0a3bc85 a810 test al,10h
  63. fffff800`a0a3bc87 0f85b587f6ff jne nt!PspSetCreateThreadNotifyRoutine+0x6a (fffff800`a09a4442)
  64. nt! ?? ::NNGAKEGL::`string'+0x674fd:
  65. fffff800`a0a3bc8d f00fba2da2cd130004 lock bts dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)],4
  66. fffff800`a0a3bc96 e9a787f6ff jmp nt!PspSetCreateThreadNotifyRoutine+0x6a (fffff800`a09a4442)
上传的附件 cloud_download PsSetCreateThreadNotifyRoutine_Enum_Remove_Test.7z ( 11.18kb, 2次下载 )

发送私信

这一切都不是我的,但总有一天,会是我的

69
文章数
63
评论数
eject