- 注册时间
- 2011-8-8
- 最后登录
- 1970-1-1
该用户从未签到
|
保护就好像 一条路的某一点上设置了一个关卡,要绕过的最好办法就是 走自己的路,不走它的路就能避免被检测到, 而自己写相应的内核函数,也就相当于自己新建了一条路。
下边看看 自己自写 内核API
//用自己的系统提取代码修改才能用哟,直接用我的代码可能会蓝屏的,即使同是XP系统 由于文件版本不同也可能有差异
#include <ntddk.h>
int pfun=0;
int nt_ExRaiseDatatypeMisalignment=0x8060bb68;
int nt_MmUserProbeAddress=0x80559a54;
int nt_PsProcessType =0x8055b2d8;
int nt_SeCreateAccessState =0x805e8112;
int nt_SeSinglePrivilegeCheck =0x805ef058;
int nt_ObOpenObjectByName=0x805b1ffa;
int nt_SeDeleteAccessState=0x805e7ed4;
int nt_PsLookupProcessThreadByCid =0x805ca34e;
int nt_PsLookupProcessByProcessId =0x805ca40a;
int nt_ObOpenObjectByPointer=0x805b23ca; //MyObOpenObjectByPointer
int nt_ObfDereferenceObject=0x80523b92;
int nt_ObReferenceObjectByPointer=0x805238ec;
int nt_ObpCreateHandle =0x805b3d4c;
void MyObOpenObjectByPointer(void);
void InitApi(void)
{
//初始化
nt_ObOpenObjectByPointer=(int)MyObOpenObjectByPointer; //MyObOpenObjectByPointer
}
__declspec(naked) void MyObOpenObjectByPointer(void)
{
_asm {
// kd> u nt!ObOpenObjectByPointer l 60
// nt!ObOpenObjectByPointer:
// 805b23ca 8bff mov edi,edi
mov edi,edi
// 805b23cc 55 push ebp
push ebp
// 805b23cd 8bec mov ebp,esp
mov ebp,esp
// 805b23cf 81ec94000000 sub esp,94h
sub esp,94h
// 805b23d5 53 push ebx
push ebx
// 805b23d6 8b5d08 mov ebx,dword ptr [ebp+8]
mov ebx,dword ptr [ebp+8]
// 805b23d9 56 push esi
push esi
// 805b23da 57 push edi
push edi
// 805b23db ff751c push dword ptr [ebp+1Ch]
push dword ptr [ebp+1Ch]
// 805b23de 33ff xor edi,edi
xor edi,edi
// 805b23e0 ff7518 push dword ptr [ebp+18h]
push dword ptr [ebp+18h]
// 805b23e3 897dfc mov dword ptr [ebp-4],edi
mov dword ptr [ebp-4],edi
// 805b23e6 57 push edi
push edi
// 805b23e7 53 push ebx
push ebx
// 805b23e8 e8ff14f7ff call nt!ObReferenceObjectByPointer (805238ec)
call nt_ObReferenceObjectByPointer
// 805b23ed 8bf0 mov esi,eax
mov esi,eax
// 805b23ef 3bf7 cmp esi,edi
cmp esi,edi
// 805b23f1 0f8c84000000 jl nt!ObOpenObjectByPointer+0xb1 (805b247b)
jl L805b247b
// 805b23f7 8b4510 mov eax,dword ptr [ebp+10h]
mov eax,dword ptr [ebp+10h]
// 805b23fa 3bc7 cmp eax,edi
cmp eax,edi
// 805b23fc 7528 jne nt!ObOpenObjectByPointer+0x5c (805b2426)
jne L805b2426
// 805b23fe 8b43f0 mov eax,dword ptr [ebx-10h]
mov eax,dword ptr [ebx-10h]
// 805b2401 83c068 add eax,68h
add eax,68h
// 805b2404 50 push eax
push eax
// 805b2405 ff7514 push dword ptr [ebp+14h]
push dword ptr [ebp+14h]
// 805b2408 8d45e0 lea eax,[ebp-20h]
lea eax,[ebp-20h]
// 805b240b 50 push eax
push eax
// 805b240c 8d856cffffff lea eax,[ebp-94h]
lea eax,[ebp-94h]
// 805b2412 50 push eax
push eax
// 805b2413 e8fa5c0300 call nt!SeCreateAccessState (805e8112)
call nt_SeCreateAccessState
// 805b2418 3bc7 cmp eax,edi
cmp eax,edi
// 805b241a 7d04 jge nt!ObOpenObjectByPointer+0x56 (805b2420)
jge L805b2420
// 805b241c 8bf0 mov esi,eax
mov esi,eax
// 805b241e eb2c jmp nt!ObOpenObjectByPointer+0x82 (805b244c)
jmp L805b244c
L805b2420:
// 805b2420 8d856cffffff lea eax,[ebp-94h]
lea eax,[ebp-94h]
L805b2426:
// 805b2426 8b4bf0 mov ecx,dword ptr [ebx-10h]
mov ecx,dword ptr [ebx-10h]
// 805b2429 8945fc mov dword ptr [ebp-4],eax
mov dword ptr [ebp-4],eax
// 805b242c 8b450c mov eax,dword ptr [ebp+0Ch]
mov eax,dword ptr [ebp+0Ch]
// 805b242f 854164 test dword ptr [ecx+64h],eax
test dword ptr [ecx+64h],eax
// 805b2432 7421 je nt!ObOpenObjectByPointer+0x8b (805b2455)
je L805b2455
// 805b2434 8d856cffffff lea eax,[ebp-94h]
lea eax,[ebp-94h]
// 805b243a 3945fc cmp dword ptr [ebp-4],eax
cmp dword ptr [ebp-4],eax
// 805b243d 7508 jne nt!ObOpenObjectByPointer+0x7d (805b2447)
jne L805b2447
// 805b243f ff75fc push dword ptr [ebp-4]
push dword ptr [ebp-4]
// 805b2442 e88d5a0300 call nt!SeDeleteAccessState (805e7ed4)
call nt_SeDeleteAccessState
L805b2447:
// 805b2447 be0d0000c0 mov esi,0C000000Dh
mov esi,0C000000Dh
L805b244c:
// 805b244c 8bcb mov ecx,ebx
mov ecx,ebx
// 805b244e e83f17f7ff call nt!ObfDereferenceObject (80523b92)
call nt_ObfDereferenceObject
// 805b2453 eb3e jmp nt!ObOpenObjectByPointer+0xc9 (805b2493)
jmp L805b2493
L805b2455:
// 805b2455 8d4d08 lea ecx,[ebp+8]
lea ecx,[ebp+8]
// 805b2458 51 push ecx
push ecx
// 805b2459 57 push edi
push edi
// 805b245a ff751c push dword ptr [ebp+1Ch]
push dword ptr [ebp+1Ch]
// 805b245d 57 push edi
push edi
// 805b245e 50 push eax
push eax
// 805b245f 57 push edi
push edi
// 805b2460 ff75fc push dword ptr [ebp-4]
push dword ptr [ebp-4]
// 805b2463 ff7518 push dword ptr [ebp+18h]
push dword ptr [ebp+18h]
// 805b2466 53 push ebx
push ebx
// 805b2467 6a01 push 1
push 1
// 805b2469 e8de180000 call nt!ObpCreateHandle (805b3d4c)
call nt_ObpCreateHandle
// 805b246e 8bf0 mov esi,eax
mov esi,eax
// 805b2470 3bf7 cmp esi,edi
cmp esi,edi
// 805b2472 7d28 jge nt!ObOpenObjectByPointer+0xd2 (805b249c)
jge L805b249c
// 805b2474 8bcb mov ecx,ebx
mov ecx,ebx
// 805b2476 e81717f7ff call nt!ObfDereferenceObject (80523b92)
call nt_ObfDereferenceObject
L805b247b:
// 805b247b 8b4520 mov eax,dword ptr [ebp+20h]
mov eax,dword ptr [ebp+20h]
// 805b247e 8938 mov dword ptr [eax],edi
mov dword ptr [eax],edi
L805b2480:
// 805b2480 8d856cffffff lea eax,[ebp-94h]
lea eax,[ebp-94h]
// 805b2486 3945fc cmp dword ptr [ebp-4],eax
cmp dword ptr [ebp-4],eax
// 805b2489 7508 jne nt!ObOpenObjectByPointer+0xc9 (805b2493)
jne L805b2493
// 805b248b ff75fc push dword ptr [ebp-4]
push dword ptr [ebp-4]
// 805b248e e8415a0300 call nt!SeDeleteAccessState (805e7ed4)
call nt_SeDeleteAccessState
L805b2493:
// 805b2493 5f pop edi
pop edi
// 805b2494 8bc6 mov eax,esi
mov eax,esi
// 805b2496 5e pop esi
pop esi
// 805b2497 5b pop ebx
pop ebx
// 805b2498 c9 leave
leave
// 805b2499 c21c00 ret 1Ch
ret 1Ch
L805b249c:
// 805b249c 8b4520 mov eax,dword ptr [ebp+20h]
mov eax,dword ptr [ebp+20h]
// 805b249f 8b4d08 mov ecx,dword ptr [ebp+8]
mov ecx,dword ptr [ebp+8]
// 805b24a2 8908 mov dword ptr [eax],ecx
mov dword ptr [eax],ecx
// 805b24a4 ebda jmp nt!ObOpenObjectByPointer+0xb6 (805b2480)
jmp L805b2480
// 805b24a6 cc int 3
int 3
// 805b24a7 cc int 3
int 3
// 805b24a8 cc int 3
int 3
// 805b24a9 cc int 3
int 3
// 805b24aa cc int 3
int 3
// 805b24ab cc int 3
int 3
}
}
void __declspec(naked) MyNtOpenProcess(void)
{
__asm
{
//kd> u NtOpenProcess l 100
//nt!NtOpenProcess:
// 805c2316 68c4000000 push 0C4h
push 0C4h
// 805c231b 68b0aa4d80 push offset nt!FsRtlLegalAnsiCharacterArray+0x2010 (804daab0)
push 0x804daab0
// 805c2320 e81b6cf7ff call nt!wctomb+0x45 (80538f40)
mov pfun,0x80538f40
call pfun
// 805c2325 33f6 xor esi,esi
xor esi,esi
// 805c2327 8975d4 mov dword ptr [ebp-2Ch],esi
mov dword ptr [ebp-2Ch],esi
// 805c232a 33c0 xor eax,eax
xor eax,eax
// 805c232c 8d7dd8 lea edi,[ebp-28h]
lea edi,[ebp-28h]
// 805c232f ab stos dword ptr es:[edi]
stos dword ptr es:[edi]
// 805c2330 64a124010000 mov eax,dword ptr fs:[00000124h]
mov eax,dword ptr fs:[00000124h]
// 805c2336 8a8040010000 mov al,byte ptr [eax+140h]
mov al,byte ptr [eax+140h]
// 805c233c 8845cc mov byte ptr [ebp-34h],al
mov byte ptr [ebp-34h],al
// 805c233f 84c0 test al,al
test al,al
// 805c2341 0f848f000000 je nt!NtOpenProcess+0xc0 (805c23d6)
je L805c23d6
// 805c2347 8975fc mov dword ptr [ebp-4],esi
mov dword ptr [ebp-4],esi
// 805c234a a1549a5580 mov eax,dword ptr [nt!MmUserProbeAddress (80559a54)]
mov eax,dword ptr [ 0x80559a54]
// 805c234f 8b4d08 mov ecx,dword ptr [ebp+8]
mov ecx,dword ptr [ebp+8]
// 805c2352 3bc8 cmp ecx,eax
cmp ecx,eax
// 805c2354 7202 jb nt!NtOpenProcess+0x42 (805c2358)
jb L805c2358;
// 805c2356 8930 mov dword ptr [eax],esi
mov dword ptr [eax],esi
L805c2358:
// 805c2358 8b01 mov eax,dword ptr [ecx]
mov eax,dword ptr [ecx]
// 805c235a 8901 mov dword ptr [ecx],eax
mov dword ptr [ecx],eax
// 805c235c 8b5d10 mov ebx,dword ptr [ebp+10h]
mov ebx,dword ptr [ebp+10h]
// 805c235f f6c303 test bl,3
test bl,3
// 805c2362 7405 je nt!NtOpenProcess+0x53 (805c2369)
je L805c2369;
// 805c2364 e8ff970400 call nt!ExRaiseDatatypeMisalignment (8060bb68)
call nt_ExRaiseDatatypeMisalignment;
L805c2369:
// 805c2369 a1549a5580 mov eax,dword ptr [nt!MmUserProbeAddress (80559a54)]
mov eax,dword ptr [nt_MmUserProbeAddress]
// 805c236e 3bd8 cmp ebx,eax
cmp ebx,eax
// 805c2370 7207 jb nt!NtOpenProcess+0x63 (805c2379)
jb L805c2379;
// 805c2372 8930 mov dword ptr [eax],esi
mov dword ptr [eax],esi
// 805c2374 a1549a5580 mov eax,dword ptr [nt!MmUserProbeAddress (80559a54)]
mov eax,dword ptr [nt_MmUserProbeAddress ]
L805c2379:
// 805c2379 397308 cmp dword ptr [ebx+8],esi
cmp dword ptr [ebx+8],esi
// 805c237c 0f9545e6 setne byte ptr [ebp-1Ah]
setne byte ptr [ebp-1Ah]
// 805c2380 8b4b0c mov ecx,dword ptr [ebx+0Ch]
mov ecx,dword ptr [ebx+0Ch]
// 805c2383 894dc8 mov dword ptr [ebp-38h],ecx
mov dword ptr [ebp-38h],ecx
// 805c2386 8b4d14 mov ecx,dword ptr [ebp+14h]
mov ecx,dword ptr [ebp+14h]
// 805c2389 3bce cmp ecx,esi
cmp ecx,esi
// 805c238b 7429 je nt!NtOpenProcess+0xa0 (805c23b6)
je L805c23b6
// 805c238d f6c103 test cl,3
test cl,3
// 805c2390 740d je nt!NtOpenProcess+0x89 (805c239f)
je L805c239f;
// 805c2392 e8d1970400 call nt!ExRaiseDatatypeMisalignment (8060bb68)
call nt_ExRaiseDatatypeMisalignment;
// 805c2397 a1549a5580 mov eax,dword ptr [nt!MmUserProbeAddress (80559a54)]
mov eax,dword ptr [nt_MmUserProbeAddress]
// 805c239c 8b4d14 mov ecx,dword ptr [ebp+14h]
mov ecx,dword ptr [ebp+14h]
L805c239f:
// 805c239f 3bc8 cmp ecx,eax
cmp ecx,eax
// 805c23a1 7202 jb nt!NtOpenProcess+0x8f (805c23a5)
jb L805c23a5;
// 805c23a3 8930 mov dword ptr [eax],esi
mov dword ptr [eax],esi
L805c23a5:
// 805c23a5 8b01 mov eax,dword ptr [ecx]
mov eax,dword ptr [ecx]
// 805c23a7 8945d4 mov dword ptr [ebp-2Ch],eax
mov dword ptr [ebp-2Ch],eax
// 805c23aa 8b4104 mov eax,dword ptr [ecx+4]
mov eax,dword ptr [ecx+4]
// 805c23ad 8945d8 mov dword ptr [ebp-28h],eax
mov dword ptr [ebp-28h],eax
// 805c23b0 c645e701 mov byte ptr [ebp-19h],1
mov byte ptr [ebp-19h],1
// 805c23b4 eb04 jmp nt!NtOpenProcess+0xa4 (805c23ba)
jmp L805c23ba;
L805c23b6:
// 805c23b6 c645e700 mov byte ptr [ebp-19h],0
mov byte ptr [ebp-19h],0
L805c23ba:
// 805c23ba 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
or dword ptr [ebp-4],0FFFFFFFFh
// 805c23be eb42 jmp nt!NtOpenProcess+0xec (805c2402)
jmp L805c2402;
// 805c23c0 8b45ec mov eax,dword ptr [ebp-14h]
mov eax,dword ptr [ebp-14h]
// 805c23c3 8b00 mov eax,dword ptr [eax]
mov eax,dword ptr [eax]
// 805c23c5 8b00 mov eax,dword ptr [eax]
mov eax,dword ptr [eax]
// 805c23c7 8945c4 mov dword ptr [ebp-3Ch],eax
mov dword ptr [ebp-3Ch],eax
// 805c23ca 33c0 xor eax,eax
xor eax,eax
// 805c23cc 40 inc eax
inc eax
// 805c23cd c3 ret
ret
// 805c23ce 8b45c4 mov eax,dword ptr [ebp-3Ch]
mov eax,dword ptr [ebp-3Ch]
// 805c23d1 e9b0010000 jmp nt!NtOpenProcess+0x270 (805c2586)
jmp L805c2586;
L805c23d6:
// 805c23d6 8b5d10 mov ebx,dword ptr [ebp+10h]
mov ebx,dword ptr [ebp+10h]
// 805c23d9 397308 cmp dword ptr [ebx+8],esi
cmp dword ptr [ebx+8],esi
// 805c23dc 0f9545e6 setne byte ptr [ebp-1Ah]
setne byte ptr [ebp-1Ah]
// 805c23e0 8b430c mov eax,dword ptr [ebx+0Ch]
mov eax,dword ptr [ebx+0Ch]
// 805c23e3 8945c8 mov dword ptr [ebp-38h],eax
mov dword ptr [ebp-38h],eax
// 805c23e6 8b4514 mov eax,dword ptr [ebp+14h]
mov eax,dword ptr [ebp+14h]
// 805c23e9 3bc6 cmp eax,esi
cmp eax,esi
// 805c23eb 7411 je nt!NtOpenProcess+0xe8 (805c23fe)
je L805c23fe;
// 805c23ed 8b08 mov ecx,dword ptr [eax]
mov ecx,dword ptr [eax]
// 805c23ef 894dd4 mov dword ptr [ebp-2Ch],ecx
mov dword ptr [ebp-2Ch],ecx
// 805c23f2 8b4004 mov eax,dword ptr [eax+4]
mov eax,dword ptr [eax+4]
// 805c23f5 8945d8 mov dword ptr [ebp-28h],eax
mov dword ptr [ebp-28h],eax
// 805c23f8 c645e701 mov byte ptr [ebp-19h],1
mov byte ptr [ebp-19h],1
// 805c23fc eb04 jmp nt!NtOpenProcess+0xec (805c2402)
jmp L805c2402;
L805c23fe:
// 805c23fe c645e700 mov byte ptr [ebp-19h],0
mov byte ptr [ebp-19h],0
L805c2402:
// 805c2402 807de600 cmp byte ptr [ebp-1Ah],0
cmp byte ptr [ebp-1Ah],0
// 805c2406 740a je nt!NtOpenProcess+0xfc (805c2412)
je L805c2412;
// 805c2408 807de700 cmp byte ptr [ebp-19h],0
cmp byte ptr [ebp-19h],0
// 805c240c 0f857d010000 jne nt!NtOpenProcess+0x279 (805c258f)
jne L805c258f
L805c2412:
// 805c2412 a1d8b25580 mov eax,dword ptr [nt!PsProcessType (8055b2d8)]
mov eax,dword ptr [nt_PsProcessType]
// 805c2417 83c068 add eax,68h
add eax,68h
// 805c241a 50 push eax
push eax
// 805c241b ff750c push dword ptr [ebp+0Ch]
push dword ptr [ebp+0Ch]
// 805c241e 8d852cffffff lea eax,[ebp-0D4h]
lea eax,[ebp-0D4h]
// 805c2424 50 push eax
push eax
// 805c2425 8d8548ffffff lea eax,[ebp-0B8h]
lea eax,[ebp-0B8h]
// 805c242b 50 push eax
push eax
// 805c242c e8e15c0200 call nt!SeCreateAccessState (805e8112)
call nt_SeCreateAccessState
// 805c2431 3bc6 cmp eax,esi
cmp eax,esi
// 805c2433 0f8c5b010000 jl nt!NtOpenProcess+0x27e (805c2594)
jl L805c2594;
// 805c2439 ff75cc push dword ptr [ebp-34h]
push dword ptr [ebp-34h]
// 805c243c ff35a0186780 push dword ptr [nt!SeSystemDefaultDacl+0xa4 (806718a0)]
push dword ptr [0x806718a0]
// 805c2442 ff359c186780 push dword ptr [nt!SeSystemDefaultDacl+0xa0 (8067189c)]
push dword ptr [0x8067189c]
// 805c2448 e80bcc0200 call nt!SeSinglePrivilegeCheck (805ef058)
call nt_SeSinglePrivilegeCheck;
// 805c244d 84c0 test al,al
test al,al
// 805c244f 7425 je nt!NtOpenProcess+0x160 (805c2476)
je L805c2476
// 805c2451 8b8558ffffff mov eax,dword ptr [ebp-0A8h]
mov eax,dword ptr [ebp-0A8h]
// 805c2457 a900000002 test eax,2000000h
test eax,2000000h
// 805c245c 740c je nt!NtOpenProcess+0x154 (805c246a)
je L805c246a
// 805c245e 818d5cffffffff0f1f00 or dword ptr [ebp-0A4h],1F0FFFh
or dword ptr [ebp-0A4h],1F0FFFh
// 805c2468 eb06 jmp nt!NtOpenProcess+0x15a (805c2470)
jmp L805c2470
L805c246a:
// 805c246a 09855cffffff or dword ptr [ebp-0A4h],eax
or dword ptr [ebp-0A4h],eax
L805c2470:
// 805c2470 89b558ffffff mov dword ptr [ebp-0A8h],esi
mov dword ptr [ebp-0A8h],esi
L805c2476:
// 805c2476 807de600 cmp byte ptr [ebp-1Ah],0
cmp byte ptr [ebp-1Ah],0
// 805c247a 745e je nt!NtOpenProcess+0x1c4 (805c24da)
je L805c24da
// 805c247c 8d45e0 lea eax,[ebp-20h]
lea eax,[ebp-20h]
// 805c247f 50 push eax
push eax
// 805c2480 56 push esi
push esi
// 805c2481 56 push esi
push esi
// 805c2482 8d8548ffffff lea eax,[ebp-0B8h]
lea eax,[ebp-0B8h]
// 805c2488 50 push eax
push eax
// 805c2489 ff75cc push dword ptr [ebp-34h]
push dword ptr [ebp-34h]
// 805c248c ff35d8b25580 push dword ptr [nt!PsProcessType (8055b2d8)]
push dword ptr [nt_PsProcessType ]
// 805c2492 53 push ebx
push ebx
// 805c2493 e862fbfeff call nt!ObOpenObjectByName (805b1ffa)
call nt_ObOpenObjectByName //此函数也容易被挂勾,最好也重写它 命名为Mynt_ObOpenObjectByName 此处修改为 call Mynt_ObOpenObjectByName
// 805c2498 8bf8 mov edi,eax
mov edi,eax
// 805c249a 8d8548ffffff lea eax,[ebp-0B8h]
lea eax,[ebp-0B8h]
// 805c24a0 50 push eax
push eax
// 805c24a1 e82e5a0200 call nt!SeDeleteAccessState (805e7ed4)
call nt_SeDeleteAccessState;
// 805c24a6 3bfe cmp edi,esi
cmp edi,esi
// 805c24a8 7c13 jl nt!NtOpenProcess+0x1a7 (805c24bd)
jl 0x805c24bd
// 805c24aa c745fc01000000 mov dword ptr [ebp-4],1
mov dword ptr [ebp-4],1
L805c24b1:
// 805c24b1 8b45e0 mov eax,dword ptr [ebp-20h]
mov eax,dword ptr [ebp-20h]
// 805c24b4 8b4d08 mov ecx,dword ptr [ebp+8]
mov ecx,dword ptr [ebp+8]
// 805c24b7 8901 mov dword ptr [ecx],eax
mov dword ptr [ecx],eax
// 805c24b9 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
or dword ptr [ebp-4],0FFFFFFFFh
L805c24bd:
// 805c24bd 8bc7 mov eax,edi
mov eax,edi
// 805c24bf e9d0000000 jmp nt!NtOpenProcess+0x27e (805c2594)
jmp L805c2594
// 805c24c4 8b45ec mov eax,dword ptr [ebp-14h]
mov eax,dword ptr [ebp-14h]
// 805c24c7 8b00 mov eax,dword ptr [eax]
mov eax,dword ptr [eax]
// 805c24c9 8b00 mov eax,dword ptr [eax]
mov eax,dword ptr [eax]
// 805c24cb 8945c0 mov dword ptr [ebp-40h],eax
mov dword ptr [ebp-40h],eax
// 805c24ce 33c0 xor eax,eax
xor eax,eax
// 805c24d0 40 inc eax
inc eax
// 805c24d1 c3 ret
ret
// 805c24d2 8b45c0 mov eax,dword ptr [ebp-40h]
mov eax,dword ptr [ebp-40h]
// 805c24d5 e9ac000000 jmp nt!NtOpenProcess+0x270 (805c2586)
jmp L805c2586
L805c24da:
// 805c24da 807de700 cmp byte ptr [ebp-19h],0
cmp byte ptr [ebp-19h],0
// 805c24de 0f84ab000000 je nt!NtOpenProcess+0x279 (805c258f)
je 0x805c258f
// 805c24e4 8975d0 mov dword ptr [ebp-30h],esi
mov dword ptr [ebp-30h],esi
// 805c24e7 3975d8 cmp dword ptr [ebp-28h],esi
cmp dword ptr [ebp-28h],esi
// 805c24ea 7425 je nt!NtOpenProcess+0x1fb (805c2511)
je L805c2511
// 805c24ec 8d45d0 lea eax,[ebp-30h]
lea eax,[ebp-30h]
// 805c24ef 50 push eax
push eax
// 805c24f0 8d45dc lea eax,[ebp-24h]
lea eax,[ebp-24h]
// 805c24f3 50 push eax
push eax
// 805c24f4 8d45d4 lea eax,[ebp-2Ch]
lea eax,[ebp-2Ch]
// 805c24f7 50 push eax
push eax
// 805c24f8 e8517e0000 call nt!PsLookupProcessThreadByCid (805ca34e)
call nt_PsLookupProcessThreadByCid
L805c24fd:
// 805c24fd 8bf8 mov edi,eax
mov edi,eax
// 805c24ff 3bfe cmp edi,esi
cmp edi,esi
// 805c2501 7d1c jge nt!NtOpenProcess+0x209 (805c251f)
jge 0x805c251f
// 805c2503 8d8548ffffff lea eax,[ebp-0B8h]
lea eax,[ebp-0B8h]
// 805c2509 50 push eax
push eax
// 805c250a e8c5590200 call nt!SeDeleteAccessState (805e7ed4)
call nt_SeDeleteAccessState
// 805c250f ebac jmp nt!NtOpenProcess+0x1a7 (805c24bd)
jmp L805c24bd
L805c2511:
// 805c2511 8d45dc lea eax,[ebp-24h]
lea eax,[ebp-24h]
// 805c2514 50 push eax
push eax
// 805c2515 ff75d4 push dword ptr [ebp-2Ch]
push dword ptr [ebp-2Ch]
// 805c2518 e8ed7e0000 call nt!PsLookupProcessByProcessId (805ca40a)
call nt_PsLookupProcessByProcessId
// 805c251d ebde jmp nt!NtOpenProcess+0x1e7 (805c24fd)
jmp L805c24fd
// 805c251f 8d45e0 lea eax,[ebp-20h]
lea eax,[ebp-20h]
// 805c2522 50 push eax
push eax
// 805c2523 ff75cc push dword ptr [ebp-34h]
push dword ptr [ebp-34h]
// 805c2526 ff35d8b25580 push dword ptr [nt!PsProcessType (8055b2d8)]
push dword ptr [nt_PsProcessType ]
// 805c252c 56 push esi
push esi
// 805c252d 8d8548ffffff lea eax,[ebp-0B8h]
lea eax,[ebp-0B8h]
// 805c2533 50 push eax
push eax
// 805c2534 ff75c8 push dword ptr [ebp-38h]
push dword ptr [ebp-38h]
// 805c2537 ff75dc push dword ptr [ebp-24h]
push dword ptr [ebp-24h]
// 805c253a e88bfefeff call nt!ObOpenObjectByPointer (805b23ca)
call nt_ObOpenObjectByPointer
// 805c253f 8bf8 mov edi,eax
mov edi,eax
// 805c2541 8d8548ffffff lea eax,[ebp-0B8h]
lea eax,[ebp-0B8h]
// 805c2547 50 push eax
push eax
// 805c2548 e887590200 call nt!SeDeleteAccessState (805e7ed4)
call nt_SeDeleteAccessState
// 805c254d 8b4dd0 mov ecx,dword ptr [ebp-30h]
mov ecx,dword ptr [ebp-30h]
// 805c2550 3bce cmp ecx,esi
cmp ecx,esi
// 805c2552 7405 je nt!NtOpenProcess+0x243 (805c2559)
je L805c2559
// 805c2554 e83916f6ff call nt!ObfDereferenceObject (80523b92)
call nt_ObfDereferenceObject
L805c2559:
// 805c2559 8b4ddc mov ecx,dword ptr [ebp-24h]
mov ecx,dword ptr [ebp-24h]
// 805c255c e83116f6ff call nt!ObfDereferenceObject (80523b92)
call nt_ObfDereferenceObject
// 805c2561 3bfe cmp edi,esi
cmp edi,esi
// 805c2563 0f8c54ffffff jl nt!NtOpenProcess+0x1a7 (805c24bd)
jl L805c24bd
// 805c2569 c745fc02000000 mov dword ptr [ebp-4],2
mov dword ptr [ebp-4],2
// 805c2570 e93cffffff jmp nt!NtOpenProcess+0x19b (805c24b1)
jmp L805c24b1
// 805c2575 8b45ec mov eax,dword ptr [ebp-14h]
mov eax,dword ptr [ebp-14h]
// 805c2578 8b00 mov eax,dword ptr [eax]
mov eax,dword ptr [eax]
// 805c257a 8b00 mov eax,dword ptr [eax]
mov eax,dword ptr [eax]
// 805c257c 8945bc mov dword ptr [ebp-44h],eax
mov dword ptr [ebp-44h],eax
// 805c257f 33c0 xor eax,eax
xor eax,eax
// 805c2581 40 inc eax
inc eax
// 805c2582 c3 ret
ret
// 805c2583 8b45bc mov eax,dword ptr [ebp-44h]
mov eax,dword ptr [ebp-44h]
L805c2586:
// 805c2586 8b65e8 mov esp,dword ptr [ebp-18h]
mov esp,dword ptr [ebp-18h]
// 805c2589 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
or dword ptr [ebp-4],0FFFFFFFFh
// 805c258d eb05 jmp nt!NtOpenProcess+0x27e (805c2594)
jmp L805c2594
L805c258F:
// 805c258f b8300000c0 mov eax,0C0000030h
mov eax,0C0000030h
L805c2594:
// 805c2594 e8e269f7ff call nt!wctomb+0x80 (80538f7b)
mov pfun,0x80538f7b
call pfun
// 805c2599 c21000 ret 10h
ret 10h
// 805c259c cc int 3
int 3
// 805c259d cc int 3
int 3
// 805c259e cc int 3
int 3
// 805c259f cc int 3
int 3
// 805c25a0 cc int 3
int 3
// 805c25a1 cc int 3
int 3
// nt!NtOpenThread:
// 805c25a2 68c0000000 push 0C0h
// 805c25a7 68d8aa4d80 push offset n
}
} |
|
发表于 2013-6-30 15:50:04
