很久没有发帖子了~~~上次一个哥们 一字节anti callbacks 其实还有更多地方哦~
~~
但是这样 还是不够的
这次 一字节 anti 创建进程线程回调~~~
; --- excerpt from PspExitThread (IDA listing, Intel/MASM syntax, x64) ---
; Fragment only: the function starts before loc_140355BB8 and continues past
; the jnz at the end; rdi, rsi, rbx and the stack slots are set up outside
; this view.
; NOTE(review): rdi is presumably the exiting thread object -- confirm from
; the full listing before relying on the field offsets below.
pspexitthread:
loc_140355BB8:
xor r8d, r8d                        ; r8  = 0 (3rd arg, MS x64 ABI)
xor edx, edx                        ; rdx = 0 (2nd arg)
mov rcx, rdi                        ; rcx = rdi (1st arg)
call EtwTraceThread
mov [rsp+0F8h+arg_8], sil
mov byte ptr [rsp+0F8h+arg_10], sil
mov [rsp+0F8h+Object], rsi
mov [rdi+378h], ebx
or rax, 0FFFFFFFFFFFFFFFFh          ; rax = -1, so ax = 0FFFFh
add [rdi+1C4h], ax                  ; word at +1C4h += 0FFFFh, i.e. decrement by 1
mov eax, csspNotifyEnableMask       ; IDA's name for the PspNotifyEnableMask global
mov r13d, 8
test r13b, al                       ; test bit 3 (value 8) of the mask
jnz loc_14033B3EB                   ; bit set -> leaves this excerpt (presumably the
                                    ; thread-notification path; target not shown here)
; Defender note: the branch above depends solely on one writable kernel
; global; periodically comparing its value against the expected set of
; enabled bits is a cheap integrity check.
; --- excerpt from PspExitProcess (IDA listing, Intel/MASM syntax, x64) ---
; Fragment only: the function begins above this label and the jz target is
; outside the excerpt.
; NOTE(review): rdi is presumably the exiting process object and r14b is
; loaded earlier -- confirm from the full listing.
pspexitprocess                      ; label as pasted (colon missing in the post)
dec word ptr [rdi+1C4h]             ; same word decrement as in the PspExitThread excerpt
mov ebp, csspNotifyEnableMask       ; IDA's name for the PspNotifyEnableMask global
mov eax, csspNotifyEnableMask
shr bpl, 2                          ; bpl = mask >> 2
and bpl, r14b                       ; masked with r14b (value set outside this excerpt)
test al, 2                          ; test bit 1 (value 2) of the mask
jz loc_1403BD6B6                    ; bit clear -> skips ahead (target not shown here)
先看一下上面的反汇编代码。
windbg 动态调试时读到的值为：
kd> dq PspNotifyEnableMask
fffff800`03e824e0  00000000`00000007 00000000`00000000
fffff800`03e824f0  00000000`00000000 00000000`00000000
fffff800`03e82500  fffff8a0`0008ef5f 00000000`00000000
fffff800`03e82510  00000000`00000000 00000000`00000000
fffff800`03e82520  00000000`00000000 00000000`00000000
fffff800`03e82530  00000000`00000000 00000000`00000000
fffff800`03e82540  00000000`00000001 00000000`00000000
fffff800`03e82550  00000000`00000000 00000000`00000000
so :*(ULONG32*)PspNotifyEnableMask=NULL; |