Enumerating and removing the PsSetCreateProcessNotifyRoutine callbacks on a system

DemonGan

Published: 2019-03-16 10:05:02   Views: 1769

*Please credit write-bug.com when reprinting

Background

Anyone studying kernel rootkit programming soon runs into the various hook-free callback registration routines. These callbacks are official interfaces provided by the kernel: we simply call them. They are convenient, run at the lowest level, are powerful and very stable, and many anti-virus products and game anti-cheat drivers monitor the machine precisely by registering them.

Since callbacks can be registered, they can also be removed. A callback registered by our own driver is of course easy to remove. What we want here, however, is to enumerate every callback present on the system, whether or not our own program created it, and then remove those callbacks so that they no longer fire.

This article describes how to enumerate and remove the PsSetCreateProcessNotifyRoutine callbacks on a system, on both 32-bit and 64-bit builds of Windows 7 through Windows 10. The implementation and the principle behind it are written up below.

How it works

Process callbacks registered through PsSetCreateProcessNotifyRoutine are stored in a kernel array named PspCreateProcessNotifyRoutine. You can think of PspCreateProcessNotifyRoutine as an array of pointer-sized slots, but a slot does not hold the callback address directly. Each slot is an EX_FAST_REF: its low three bits are a reference count (the appendix disassembly shows PspSetCreateProcessNotifyRoutine walking the slots with ExReferenceCallBackBlock and ExDereferenceCallBackBlock), and the remaining bits are the address of a callback block (EX_CALLBACK_ROUTINE_BLOCK) whose first member is a rundown reference, followed by the callback function pointer and a context value. The values are therefore packed rather than encrypted: reading a slot means masking off the low three bits and then reading the function pointer out of the block.

Obtaining the address of the PspCreateProcessNotifyRoutine array

First we need the address of PspCreateProcessNotifyRoutine. WinDbg kernel debugging helps here; below is part of the WinDbg disassembly of the Win10 x64 kernel function PspSetCreateProcessNotifyRoutine:

    nt!PspSetCreateProcessNotifyRoutine+0x4c:
    fffff801`54b3b57c 33ff            xor     edi,edi
    fffff801`54b3b57e 4c8d3dfb0bdfff  lea     r15,[nt!PspCreateProcessNotifyRoutine (fffff801`5492c180)]

The function references PspCreateProcessNotifyRoutine directly. On 64-bit systems the reference is a RIP-relative lea whose last four bytes are a signed 32-bit displacement measured from the end of the instruction, so by scanning for the instruction's opcode bytes we can read that displacement and compute the array address. On 32-bit systems the address is embedded as a 4-byte absolute immediate, so the four bytes following the signature are the address itself. Note that the signature differs between Windows versions. The signatures we collected are:

            Win7          Win8.1        Win10
    32-bit  C7 45 0C      B8            BB
    64-bit  4C 8D 35      4C 8D 3D      4C 8D 3D

Each signature is the opcode of the instruction that loads the array address in that build: C7 45 0C is mov dword ptr [ebp+0Ch],imm32, B8 is mov eax,imm32, BB is mov ebx,imm32, 4C 8D 35 is lea r14,[rip+disp32] and 4C 8D 3D is lea r15,[rip+disp32] (see the appendix listings).

PspSetCreateProcessNotifyRoutine itself is not exported, so its address cannot be looked up directly. The exported wrapper PsSetCreateProcessNotifyRoutine can be resolved with MmGetSystemRoutineAddress, and its WinDbg disassembly on Win10 x64 is:

    nt!PsSetCreateProcessNotifyRoutine:
    fffff800`042cb3c0 4533c0          xor     r8d,r8d
    fffff800`042cb3c3 e9e8fdffff      jmp     nt!PspSetCreateProcessNotifyRoutine (fffff800`042cb1b0)

PsSetCreateProcessNotifyRoutine transfers to PspSetCreateProcessNotifyRoutine with a jmp (E9) on 64-bit and a call (E8) on 32-bit; in both cases the opcode is followed by a 4-byte relative offset (rel32) measured from the end of the instruction. Scanning for that opcode from the start of PsSetCreateProcessNotifyRoutine, reading the rel32 and adding it to the address of the byte after the operand yields PspSetCreateProcessNotifyRoutine. Again the signature depends on the system; the values we collected are:

            Win7    Win8.1    Win10
    32-bit  E8      E8        E8
    64-bit  E9      E9        E9

In other words, obtaining the PspCreateProcessNotifyRoutine address takes two steps:

  • First, scan PsSetCreateProcessNotifyRoutine for the first signature and resolve the rel32 to obtain the address of PspSetCreateProcessNotifyRoutine.

  • Then, scan PspSetCreateProcessNotifyRoutine for the second signature and resolve the disp32 (64-bit) or read the imm32 (32-bit) to obtain the address of the PspCreateProcessNotifyRoutine array.

The signatures are therefore critical, and they are also fragile. A single-byte signature such as E8, B8 or BB matches the first occurrence of that byte after the function start, which on a build not listed here may be an operand byte of an earlier instruction, and Windows 10 feature updates change the code. In practice, check that every decoded address lies inside the ntoskrnl image and that the array address is pointer-aligned before dereferencing it, and re-derive the signatures with WinDbg for any build you have not verified.
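The two-step lookup, as an added user-mode C example that is not the article's driver code: it builds a constructed byte buffer laid out like the Win10 x64 disassembly above (the 45 33 C0 / E9 rel32 stub and a 4C 8D 3D disp32 reference), runs a bounded signature scan, resolves the relative displacements, and shows the 32-bit case where the operand is an absolute immediate. The buffer, its offsets and the helper names are assumptions of the example; the kernel driver does the same arithmetic on real ntoskrnl code.

```c
/* Added example (not the article's driver code): user-mode model of the
 * two-step signature scan. The byte layouts mimic the disassembly above;
 * the buffer, offsets and helper names are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bounded signature scan: returns the byte just after the first match of
 * sig[] inside [start, end), or NULL. The bound covers the whole signature,
 * so nothing past `end` is ever read; an empty signature never matches. */
static const uint8_t *search_memory(const uint8_t *start, const uint8_t *end,
                                    const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0)
        return NULL;
    for (const uint8_t *p = start; p + sig_len <= end; p++)
        if (memcmp(p, sig, sig_len) == 0)
            return p + sig_len;
    return NULL;
}

/* rel32 / RIP-relative disp32: a signed 32-bit value measured from the end
 * of the instruction, which is the byte right after the 4-byte operand. */
static const uint8_t *resolve_rel32(const uint8_t *operand)
{
    int32_t disp;
    memcpy(&disp, operand, sizeof disp);
    return operand + sizeof disp + disp;
}

static void put_i32(uint8_t *p, int32_t v) { memcpy(p, &v, sizeof v); }

/* Constructed "kernel image" holding the three pieces the scan needs */
#define IMG_SIZE 0x200
enum { PS_SET_OFF = 0x10, PSP_SET_OFF = 0x80, ARRAY_OFF = 0x180 };
static uint8_t g_img[IMG_SIZE];

static void build_x64_image(void)
{
    memset(g_img, 0x90, IMG_SIZE);                         /* nop filler */
    uint8_t *ps = g_img + PS_SET_OFF;                      /* PsSetCreateProcessNotifyRoutine */
    ps[0] = 0x45; ps[1] = 0x33; ps[2] = 0xC0;              /* xor r8d,r8d */
    ps[3] = 0xE9;                                          /* jmp rel32 -> PspSet... */
    put_i32(ps + 4, (int32_t)((g_img + PSP_SET_OFF) - (ps + 8)));
    uint8_t *psp = g_img + PSP_SET_OFF;                    /* PspSetCreateProcessNotifyRoutine */
    psp[0] = 0x33; psp[1] = 0xFF;                          /* xor edi,edi */
    psp[2] = 0x4C; psp[3] = 0x8D; psp[4] = 0x3D;           /* lea r15,[rip+disp32] */
    put_i32(psp + 5, (int32_t)((g_img + ARRAY_OFF) - (psp + 9)));
}

/* The article's two-step lookup on the constructed image (64-bit signatures
 * E9 and 4C 8D 3D). Returns the array's offset inside g_img, or -1. */
static long locate_array_x64(void)
{
    static const uint8_t sig_jmp[] = { 0xE9 };
    static const uint8_t sig_lea[] = { 0x4C, 0x8D, 0x3D };
    const uint8_t *ps = g_img + PS_SET_OFF;
    const uint8_t *op = search_memory(ps, ps + 0xFF, sig_jmp, sizeof sig_jmp);
    if (!op)
        return -1;
    const uint8_t *psp = resolve_rel32(op);                /* PspSetCreateProcessNotifyRoutine */
    op = search_memory(psp, psp + 0xFF, sig_lea, sizeof sig_lea);
    if (!op)
        return -1;
    const uint8_t *arr = resolve_rel32(op);                /* PspCreateProcessNotifyRoutine */
    /* The check a driver should make too: the result must lie inside the
     * image and be pointer-aligned, otherwise the signature hit garbage. */
    if (arr < g_img || arr >= g_img + IMG_SIZE || ((arr - g_img) & 7) != 0)
        return -1;
    return (long)(arr - g_img);
}

/* 32-bit variant: after C7 45 0C (mov dword ptr [ebp+0Ch],imm32) the operand
 * is the absolute address itself, modelled here as an offset into g_img. */
static long locate_array_x86_style(void)
{
    static const uint8_t sig_mov[] = { 0xC7, 0x45, 0x0C };
    uint8_t code[12] = { 0x33, 0xDB, 0xC7, 0x45, 0x0C, 0, 0, 0, 0, 0xFF, 0x75, 0x0C };
    put_i32(code + 5, ARRAY_OFF);
    const uint8_t *op = search_memory(code, code + sizeof code, sig_mov, sizeof sig_mov);
    if (!op)
        return -1;
    uint32_t abs_addr;
    memcpy(&abs_addr, op, sizeof abs_addr);
    return (long)abs_addr;
}

int main(void)
{
    build_x64_image();
    printf("x64: array at +0x%lx\n", locate_array_x64());
    printf("x86: array at +0x%lx\n", locate_array_x86_style());
    return 0;
}
```

The in-image and alignment check at the end of locate_array_x64 is the part worth carrying over to the driver: a false signature hit produces an address that usually fails one of the two tests, and failing closed there is far cheaper than a bugcheck on the first dereference.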

Decoding the entries in PspCreateProcessNotifyRoutine

As noted above, the values stored in PspCreateProcessNotifyRoutine are packed, and because the members of the callback block are pointer-sized, the offsets differ between 32-bit and 64-bit systems. The two cases are:

On 32-bit systems PspCreateProcessNotifyRoutine is an array of 4-byte unsigned values. Writing PspCreateProcessNotifyRoutine[i] for an entry, decoding works as follows:

  • First AND PspCreateProcessNotifyRoutine[i] with 0xFFFFFFF8. This clears the reference-count bits and leaves the address of the callback block.

  • Then add 4 to skip the 4-byte rundown reference; the result is the address at which the callback function pointer is stored.

On 64-bit systems PspCreateProcessNotifyRoutine is an array of 8-byte unsigned values. With the same notation:

  • AND PspCreateProcessNotifyRoutine[i] with 0xFFFFFFFFFFFFFFF8 to obtain the callback block address.

  • Then add 8: the rundown reference is pointer-sized, so the function pointer is the block's second member. Reading at offset 0 instead returns the rundown reference rather than the callback (a common mistake in published code). The Win7 x64 disassembly in the appendix shows the layout: right after ExGetCallBackBlockRoutine the kernel tests the context member with cmp qword ptr [rcx+10h],rdx, two pointers into the block.

In both bitnesses the array has 64 entries on Windows 7 and later: the appendix listings compare the loop index against 40h, and the 32-bit registration loop stops at an offset of 100h, which is 64 entries of 4 bytes. Code that stops at 8 entries (the limit on Windows XP) misses slots 8 to 63. A zero entry is an empty slot, and MmIsAddressValid should be checked before a non-zero block address is dereferenced.

Removing a callback

With the enumeration above we have the callback addresses. There are three ways to remove a callback:

  • Call PsSetCreateProcessNotifyRoutine with the callback address and the Remove argument set to TRUE. This is the documented path and the one to prefer. Note that the kernel matches on more than the address: in the appendix disassembly the remove loop compares the block's context member against the Ex flag, so a callback registered with PsSetCreateProcessNotifyRoutineEx is only found by PsSetCreateProcessNotifyRoutineEx(routine, TRUE), and the non-Ex call returns STATUS_PROCEDURE_NOT_FOUND (0xC000007A) for it.

  • Modify the entry in PspCreateProcessNotifyRoutine so that it points at an empty callback of our own; when the kernel fires the callback, our no-op runs instead. The slot is an EX_FAST_REF with reference-count bits and the block carries rundown protection, so whatever is written back must keep that format (reference bits preserved, a valid block behind the pointer), or the next ExReferenceCallBackBlock follows a bad pointer.

  • Overwrite the first bytes of the callback function with a RET so that it returns immediately. The target is a read-only code page, so it has to be mapped writable first (for instance through an MDL), and on 64-bit systems writes to code that PatchGuard monitors end in a bugcheck.

The last two methods leave the registration in place, and with the second one the owning driver's own later removal call no longer finds its routine; only the first method leaves the kernel's bookkeeping consistent.
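Decoding and the first two removal methods, as an added user-mode C model that is not the article's driver code: it builds a constructed 64-slot array of EX_FAST_REF-style values over mock callback blocks (rundown reference, function, context), decodes the slots the way the text describes, implements the kernel's address-plus-Ex-flag matching from the appendix disassembly for method 1, and repoints a slot at a no-op block for method 2. The block struct, the mock callbacks and the status values are assumptions of the example; in a real driver the same writes land in kernel memory with no safety net.

```c
/* Added example (not the article's driver code): user-mode model of the
 * PspCreateProcessNotifyRoutine slot format and of removal methods 1 and 2.
 * The struct layout follows the EX_FAST_REF / EX_CALLBACK_ROUTINE_BLOCK
 * description in the text; the array contents are constructed here. */
#include <stdint.h>
#include <stddef.h>

typedef void (*notify_fn)(void *parent_id, void *process_id, int create);

/* Callback block: a pointer-sized rundown reference comes first, so the
 * Function member sits at +4 on x86 and +8 on x64. */
typedef struct {
    uintptr_t rundown;
    notify_fn function;
    void     *context;   /* non-NULL marks a PsSetCreateProcessNotifyRoutineEx registration */
} callback_block;

#define MAX_NOTIFY 64
#define REFCNT_MASK ((uintptr_t)7)   /* low 3 bits of an EX_FAST_REF hold a reference count */
#define STATUS_SUCCESS 0u
#define STATUS_PROCEDURE_NOT_FOUND 0xC000007Au

static uintptr_t g_notify_array[MAX_NOTIFY];   /* the modelled PspCreateProcessNotifyRoutine */

static int g_fired_a, g_fired_b;
static void callback_a(void *p, void *c, int n) { (void)p; (void)c; (void)n; g_fired_a++; }
static void callback_b(void *p, void *c, int n) { (void)p; (void)c; (void)n; g_fired_b++; }
static void callback_noop(void *p, void *c, int n) { (void)p; (void)c; (void)n; }

static callback_block g_block_a    = { 0, callback_a, NULL };
static callback_block g_block_b    = { 0, callback_b, &g_block_b };   /* "Ex" registration */
static callback_block g_block_noop = { 0, callback_noop, NULL };

/* Constructed contents: two live slots carrying non-zero reference bits,
 * as the kernel leaves them after ExReferenceCallBackBlock */
static void build_array(void)
{
    for (size_t i = 0; i < MAX_NOTIFY; i++)
        g_notify_array[i] = 0;
    g_notify_array[0] = (uintptr_t)&g_block_a | 3;
    g_notify_array[5] = (uintptr_t)&g_block_b | 1;
    g_fired_a = g_fired_b = 0;
}

/* The decoding step from the text: clear the reference bits, then read the
 * Function member that follows the pointer-sized rundown reference. */
static callback_block *slot_block(size_t i)
{
    return (callback_block *)(g_notify_array[i] & ~REFCNT_MASK);
}
static notify_fn decode_slot(size_t i)
{
    callback_block *blk = slot_block(i);
    if (blk == NULL)          /* the driver uses MmIsAddressValid here */
        return NULL;
    return *(notify_fn *)((uint8_t *)blk + sizeof(uintptr_t));
}

/* Enumeration: fill out[] with the live callbacks, return how many exist */
static size_t enum_callbacks(notify_fn *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < MAX_NOTIFY; i++) {
        notify_fn fn = decode_slot(i);
        if (fn == NULL) continue;
        if (n < cap) out[n] = fn;
        n++;
    }
    return n;
}

/* Method 1 as the kernel's remove path implements it (see the appendix
 * disassembly): a slot matches only if the routine is equal AND the Ex
 * flag agrees with whether the block carries a context. */
static uint32_t remove_like_kernel(notify_fn target, int ex)
{
    for (size_t i = 0; i < MAX_NOTIFY; i++) {
        callback_block *blk = slot_block(i);
        if (blk == NULL || blk->function != target) continue;
        if ((blk->context != NULL) != (ex != 0)) continue;
        g_notify_array[i] = 0;
        return STATUS_SUCCESS;
    }
    return STATUS_PROCEDURE_NOT_FOUND;
}

/* Method 2: repoint the slot at a block whose Function is a no-op, keeping
 * the reference bits the kernel stored in the slot. */
static int neutralize(notify_fn target)
{
    for (size_t i = 0; i < MAX_NOTIFY; i++) {
        if (decode_slot(i) != target) continue;
        g_notify_array[i] = (uintptr_t)&g_block_noop | (g_notify_array[i] & REFCNT_MASK);
        return 1;
    }
    return 0;
}

/* Models the kernel firing every registered callback on process creation */
static void dispatch_process_create(void)
{
    for (size_t i = 0; i < MAX_NOTIFY; i++) {
        notify_fn fn = decode_slot(i);
        if (fn) fn(NULL, NULL, 1);
    }
}
```

Call build_array(), then enum_callbacks() to list the two mock callbacks; remove_like_kernel(callback_b, 0) fails with STATUS_PROCEDURE_NOT_FOUND because callback_b is an Ex registration, while remove_like_kernel(callback_b, 1) succeeds. After neutralize(callback_a), dispatch_process_create() no longer increments g_fired_a, yet the slot is still occupied, which is exactly why the owning driver's own remove call would miss it afterwards.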

Implementation

Enumerating the callbacks

    #include <ntddk.h>

    PVOID GetPspCreateProcessNotifyRoutine(VOID);

    // Enumerate the registered process callbacks
    BOOLEAN EnumNotifyRoutine()
    {
        ULONG i = 0;
        PVOID pPspCreateProcessNotifyRoutineAddress = NULL;
        PVOID pNotifyRoutineAddress = NULL;

        // Get the address of the PspCreateProcessNotifyRoutine array
        pPspCreateProcessNotifyRoutineAddress = GetPspCreateProcessNotifyRoutine();
        if (NULL == pPspCreateProcessNotifyRoutineAddress)
        {
            DbgPrint("GetPspCreateProcessNotifyRoutine Error!\n");
            return FALSE;
        }
        DbgPrint("pPspCreateProcessNotifyRoutineAddress=0x%p\n", pPspCreateProcessNotifyRoutineAddress);

        // Walk all 64 slots (the array has 64 entries on Windows 7 and later, in both bitnesses).
        // Each slot is an EX_FAST_REF: clear the low 3 reference-count bits to get the callback
        // block, then read the Function member that follows the pointer-sized rundown reference
        // (+4 on x86, +8 on x64).
        for (i = 0; i < 64; i++)
        {
            pNotifyRoutineAddress = *(PVOID *)((PUCHAR)pPspCreateProcessNotifyRoutineAddress + sizeof(PVOID) * i);
            pNotifyRoutineAddress = (PVOID)((ULONG_PTR)pNotifyRoutineAddress & ~(ULONG_PTR)7);
            if (NULL != pNotifyRoutineAddress && MmIsAddressValid(pNotifyRoutineAddress))
            {
                pNotifyRoutineAddress = *(PVOID *)((PUCHAR)pNotifyRoutineAddress + sizeof(PVOID));
                DbgPrint("[%d]NotifyRoutine=0x%p\n", i, pNotifyRoutineAddress);
            }
        }
        return TRUE;
    }

Removing a callback

    // Minimal ShowError helper (the page does not define it): print the API name and status
    VOID ShowError(PCHAR pszText, NTSTATUS ntStatus)
    {
        DbgPrint("%s Error[0x%X]\n", pszText, ntStatus);
    }

    // Remove a callback through the documented API (method 1).
    // A callback registered with PsSetCreateProcessNotifyRoutineEx must be removed with
    // PsSetCreateProcessNotifyRoutineEx(..., TRUE); for it the non-Ex call below returns
    // STATUS_PROCEDURE_NOT_FOUND.
    NTSTATUS RemoveNotifyRoutine(PVOID pNotifyRoutineAddress)
    {
        NTSTATUS status = PsSetCreateProcessNotifyRoutine((PCREATE_PROCESS_NOTIFY_ROUTINE)pNotifyRoutineAddress, TRUE);
        if (!NT_SUCCESS(status))
        {
            ShowError("PsSetCreateProcessNotifyRoutine", status);
        }
        return status;
    }

Obtaining the PspCreateProcessNotifyRoutine array address

    PVOID SearchPspCreateProcessNotifyRoutine(PUCHAR pFirstSpecialData, ULONG ulFirstSpecialDataSize, PUCHAR pSecondSpecialData, ULONG ulSecondSpecialDataSize);

    // Get the address of the PspCreateProcessNotifyRoutine array
    PVOID GetPspCreateProcessNotifyRoutine()
    {
        PVOID pPspCreateProcessNotifyRoutineAddress = NULL;
        RTL_OSVERSIONINFOW osInfo = { 0 };
        UCHAR pFirstSpecialData[50] = { 0 };    // signature of the jmp/call to PspSetCreateProcessNotifyRoutine
        ULONG ulFirstSpecialDataSize = 0;
        UCHAR pSecondSpecialData[50] = { 0 };   // signature of the reference to PspCreateProcessNotifyRoutine
        ULONG ulSecondSpecialDataSize = 0;

        // Query the OS version and pick the signatures that match it
        osInfo.dwOSVersionInfoSize = sizeof(osInfo);
        RtlGetVersion(&osInfo);
        if (6 == osInfo.dwMajorVersion)
        {
            if (1 == osInfo.dwMinorVersion)
            {
                // Win7
    #ifdef _WIN64
                // 64-bit: E9 (jmp rel32), then 4C 8D 35 (lea r14,[rip+disp32])
                pFirstSpecialData[0] = 0xE9;
                ulFirstSpecialDataSize = 1;
                pSecondSpecialData[0] = 0x4C;
                pSecondSpecialData[1] = 0x8D;
                pSecondSpecialData[2] = 0x35;
                ulSecondSpecialDataSize = 3;
    #else
                // 32-bit: E8 (call rel32), then C7 45 0C (mov dword ptr [ebp+0Ch],imm32)
                pFirstSpecialData[0] = 0xE8;
                ulFirstSpecialDataSize = 1;
                pSecondSpecialData[0] = 0xC7;
                pSecondSpecialData[1] = 0x45;
                pSecondSpecialData[2] = 0x0C;
                ulSecondSpecialDataSize = 3;
    #endif
            }
            else if (2 == osInfo.dwMinorVersion)
            {
                // Win8: no signatures were collected for this version, so it falls through
                // to the unsupported-version check below instead of scanning with an empty signature
            }
            else if (3 == osInfo.dwMinorVersion)
            {
                // Win8.1
    #ifdef _WIN64
                // 64-bit: E9, then 4C 8D 3D (lea r15,[rip+disp32])
                pFirstSpecialData[0] = 0xE9;
                ulFirstSpecialDataSize = 1;
                pSecondSpecialData[0] = 0x4C;
                pSecondSpecialData[1] = 0x8D;
                pSecondSpecialData[2] = 0x3D;
                ulSecondSpecialDataSize = 3;
    #else
                // 32-bit: E8, then B8 (mov eax,imm32)
                pFirstSpecialData[0] = 0xE8;
                ulFirstSpecialDataSize = 1;
                pSecondSpecialData[0] = 0xB8;
                ulSecondSpecialDataSize = 1;
    #endif
            }
        }
        else if (10 == osInfo.dwMajorVersion)
        {
            // Win10
    #ifdef _WIN64
            // 64-bit: E9, then 4C 8D 3D (lea r15,[rip+disp32])
            pFirstSpecialData[0] = 0xE9;
            ulFirstSpecialDataSize = 1;
            pSecondSpecialData[0] = 0x4C;
            pSecondSpecialData[1] = 0x8D;
            pSecondSpecialData[2] = 0x3D;
            ulSecondSpecialDataSize = 3;
    #else
            // 32-bit: E8, then BB (mov ebx,imm32)
            pFirstSpecialData[0] = 0xE8;
            ulFirstSpecialDataSize = 1;
            pSecondSpecialData[0] = 0xBB;
            ulSecondSpecialDataSize = 1;
    #endif
        }

        // Unsupported or unrecognised version: refuse rather than scan with an empty signature
        if (0 == ulFirstSpecialDataSize || 0 == ulSecondSpecialDataSize)
        {
            DbgPrint("Unsupported OS version %u.%u\n", osInfo.dwMajorVersion, osInfo.dwMinorVersion);
            return NULL;
        }

        // Locate the array using the signatures
        pPspCreateProcessNotifyRoutineAddress = SearchPspCreateProcessNotifyRoutine(pFirstSpecialData, ulFirstSpecialDataSize, pSecondSpecialData, ulSecondSpecialDataSize);
        return pPspCreateProcessNotifyRoutineAddress;
    }

Locating the PspCreateProcessNotifyRoutine array by signature

    PVOID SearchMemory(PVOID pStartAddress, PVOID pEndAddress, PUCHAR pMemoryData, ULONG ulMemoryDataSize);
    VOID ShowError(PCHAR pszText, NTSTATUS ntStatus);

    // Locate the PspCreateProcessNotifyRoutine array using the two signatures
    PVOID SearchPspCreateProcessNotifyRoutine(PUCHAR pFirstSpecialData, ULONG ulFirstSpecialDataSize, PUCHAR pSecondSpecialData, ULONG ulSecondSpecialDataSize)
    {
        UNICODE_STRING ustrFuncName;
        PVOID pAddress = NULL;
        LONG lOffset = 0;
        PVOID pPsSetCreateProcessNotifyRoutine = NULL;
        PVOID pPspSetCreateProcessNotifyRoutineAddress = NULL;
        PVOID pPspCreateProcessNotifyRoutineAddress = NULL;

        // Step 1: resolve the exported PsSetCreateProcessNotifyRoutine
        RtlInitUnicodeString(&ustrFuncName, L"PsSetCreateProcessNotifyRoutine");
        pPsSetCreateProcessNotifyRoutine = MmGetSystemRoutineAddress(&ustrFuncName);
        if (NULL == pPsSetCreateProcessNotifyRoutine)
        {
            ShowError("MmGetSystemRoutineAddress", 0);
            return NULL;
        }

        // Step 2: find the jmp/call to PspSetCreateProcessNotifyRoutine within the first 0xFF bytes.
        // SearchMemory returns the address right after the signature, i.e. the rel32 operand.
        pAddress = SearchMemory(pPsSetCreateProcessNotifyRoutine,
            (PVOID)((PUCHAR)pPsSetCreateProcessNotifyRoutine + 0xFF),
            pFirstSpecialData, ulFirstSpecialDataSize);
        if (NULL == pAddress)
        {
            ShowError("SearchMemory1", 0);
            return NULL;
        }
        // rel32 is relative to the end of the instruction, i.e. the byte after the 4-byte operand
        lOffset = *(PLONG)pAddress;
        pPspSetCreateProcessNotifyRoutineAddress = (PVOID)((PUCHAR)pAddress + sizeof(LONG) + lOffset);

        // Step 3: find the reference to PspCreateProcessNotifyRoutine inside PspSetCreateProcessNotifyRoutine
        pAddress = SearchMemory(pPspSetCreateProcessNotifyRoutineAddress,
            (PVOID)((PUCHAR)pPspSetCreateProcessNotifyRoutineAddress + 0xFF),
            pSecondSpecialData, ulSecondSpecialDataSize);
        if (NULL == pAddress)
        {
            ShowError("SearchMemory2", 0);
            return NULL;
        }
    #ifdef _WIN64
        // 64-bit: lea r15,[rip+disp32]; disp32 is relative to the end of the instruction
        lOffset = *(PLONG)pAddress;
        pPspCreateProcessNotifyRoutineAddress = (PVOID)((PUCHAR)pAddress + sizeof(LONG) + lOffset);
    #else
        // 32-bit: the operand is the absolute address itself
        pPspCreateProcessNotifyRoutineAddress = *(PVOID *)pAddress;
    #endif
        return pPspCreateProcessNotifyRoutineAddress;
    }

Signature scan over a memory range

    // Scan a memory range for a byte signature; returns the address right after the match, or NULL
    PVOID SearchMemory(PVOID pStartAddress, PVOID pEndAddress, PUCHAR pMemoryData, ULONG ulMemoryDataSize)
    {
        PVOID pAddress = NULL;
        PUCHAR i = NULL;
        ULONG m = 0;

        // An empty signature would "match" at the start address; reject it
        if (0 == ulMemoryDataSize)
        {
            return NULL;
        }
        // Bound the whole signature, so no byte beyond pEndAddress is ever compared
        for (i = (PUCHAR)pStartAddress; i + ulMemoryDataSize <= (PUCHAR)pEndAddress; i++)
        {
            // Compare the signature byte by byte
            for (m = 0; m < ulMemoryDataSize; m++)
            {
                if (*(PUCHAR)(i + m) != pMemoryData[m])
                {
                    break;
                }
            }
            // All bytes matched: return the address immediately following the signature
            if (m >= ulMemoryDataSize)
            {
                pAddress = (PVOID)(i + ulMemoryDataSize);
                break;
            }
        }
        return pAddress;
    }

Testing

The driver was built and run on each of the supported platforms: Win7, Win8.1 and Win10, each in 32-bit and 64-bit. In every case it executed normally and printed the array address followed by the decoded callback addresses (the screenshots that followed each platform in the original post are not reproduced here).

Summary

The essential part is the procedure for locating PspCreateProcessNotifyRoutine; the memory signatures differ from system to system and must be kept apart. There is no need to memorise them: when you need one, disassemble the function in WinDbg. The same debugger also verifies a result: x nt!PspCreateProcessNotifyRoutine gives the array address, dq nt!PspCreateProcessNotifyRoutine L40 dumps the 64 raw slots, and dps on a non-zero slot value with its low three bits cleared shows the block, whose second pointer should symbolise to a callback inside the owning driver.

The decoding of the array entries also differs between 32-bit and 64-bit systems (function pointer at +4 versus +8 inside the callback block), so the two must be kept apart as well.

There are three common ways to remove a callback; choose the one that fits your needs, keeping in mind that only the documented PsSetCreateProcessNotifyRoutine / PsSetCreateProcessNotifyRoutineEx path with Remove = TRUE leaves the kernel's bookkeeping intact.

References

Adapted from the book 《Windows黑客编程技术详解》.

Appendix

WinDbg uf output for the kernels the signatures were taken from; the signatures and the callback-block layout used above come from these listings.

Win7 32-bit PspSetCreateProcessNotifyRoutine

    lkd> uf PspSetCreateProcessNotifyRoutine
    nt!PspSetCreateProcessNotifyRoutine:
    83fa573b 8bff mov edi,edi
    83fa573d 55 push ebp
    83fa573e 8bec mov ebp,esp
    83fa5740 807d0c00 cmp byte ptr [ebp+0Ch],0
    83fa5744 53 push ebx
    83fa5745 56 push esi
    83fa5746 57 push edi
    83fa5747 0f84fa000000 je nt!PspSetCreateProcessNotifyRoutine+0x10a (83fa5847)
    nt!PspSetCreateProcessNotifyRoutine+0x12:
    83fa574d 648b3524010000 mov esi,dword ptr fs:[124h]
    83fa5754 66ff8e84000000 dec word ptr [esi+84h]
    83fa575b 33db xor ebx,ebx
    83fa575d c7450ce032f583 mov dword ptr [ebp+0Ch],offset nt!PspCreateProcessNotifyRoutine (83f532e0)
    nt!PspSetCreateProcessNotifyRoutine+0x29:
    83fa5764 ff750c push dword ptr [ebp+0Ch]
    83fa5767 e894bb0d00 call nt!ExReferenceCallBackBlock (84081300)
    83fa576c 8bf8 mov edi,eax
    83fa576e 85ff test edi,edi
    83fa5770 7439 je nt!PspSetCreateProcessNotifyRoutine+0x6e (83fa57ab)
    nt!PspSetCreateProcessNotifyRoutine+0x37:
    83fa5772 8b4f08 mov ecx,dword ptr [edi+8]
    83fa5775 e8e31ef2ff call nt!ExGetCallBackBlockRoutine (83ec765d)
    83fa577a 3b4508 cmp eax,dword ptr [ebp+8]
    83fa577d 7522 jne nt!PspSetCreateProcessNotifyRoutine+0x64 (83fa57a1)
    nt!PspSetCreateProcessNotifyRoutine+0x44:
    83fa577f 85c9 test ecx,ecx
    83fa5781 7509 jne nt!PspSetCreateProcessNotifyRoutine+0x4f (83fa578c)
    nt!PspSetCreateProcessNotifyRoutine+0x48:
    83fa5783 384d10 cmp byte ptr [ebp+10h],cl
    83fa5786 7519 jne nt!PspSetCreateProcessNotifyRoutine+0x64 (83fa57a1)
    nt!PspSetCreateProcessNotifyRoutine+0x4d:
    83fa5788 eb08 jmp nt!PspSetCreateProcessNotifyRoutine+0x55 (83fa5792)
    nt!PspSetCreateProcessNotifyRoutine+0x4f:
    83fa578c 807d1000 cmp byte ptr [ebp+10h],0
    83fa5790 740f je nt!PspSetCreateProcessNotifyRoutine+0x64 (83fa57a1)
    nt!PspSetCreateProcessNotifyRoutine+0x55:
    83fa5792 8b450c mov eax,dword ptr [ebp+0Ch]
    83fa5795 57 push edi
    83fa5796 33c9 xor ecx,ecx
    83fa5798 e8abfeffff call nt!ExCompareExchangeCallBack (83fa5648)
    83fa579d 84c0 test al,al
    83fa579f 7547 jne nt!PspSetCreateProcessNotifyRoutine+0xab (83fa57e8)
    nt!PspSetCreateProcessNotifyRoutine+0x64:
    83fa57a1 8b450c mov eax,dword ptr [ebp+0Ch]
    83fa57a4 8bcf mov ecx,edi
    83fa57a6 e889bc0d00 call nt!ExDereferenceCallBackBlock (84081434)
    nt!PspSetCreateProcessNotifyRoutine+0x6e:
    83fa57ab 83450c04 add dword ptr [ebp+0Ch],4
    83fa57af 43 inc ebx
    83fa57b0 83fb40 cmp ebx,40h
    83fa57b3 72af jb nt!PspSetCreateProcessNotifyRoutine+0x29 (83fa5764)
    nt!PspSetCreateProcessNotifyRoutine+0x78:
    83fa57b5 66ff8684000000 inc word ptr [esi+84h]
    83fa57bc 0fb78684000000 movzx eax,word ptr [esi+84h]
    83fa57c3 6685c0 test ax,ax
    83fa57c6 7516 jne nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fa57de)
    nt!PspSetCreateProcessNotifyRoutine+0x8b:
    83fa57c8 8d4640 lea eax,[esi+40h]
    83fa57cb 3900 cmp dword ptr [eax],eax
    83fa57cd 740f je nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fa57de)
    nt!PspSetCreateProcessNotifyRoutine+0x92:
    83fa57cf 6683be8600000000 cmp word ptr [esi+86h],0
    83fa57d7 7505 jne nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fa57de)
    nt!PspSetCreateProcessNotifyRoutine+0x9c:
    83fa57d9 e8a714e9ff call nt!KiCheckForKernelApcDelivery (83e36c85)
    nt!PspSetCreateProcessNotifyRoutine+0xa1:
    83fa57de b87a0000c0 mov eax,0C000007Ah
    83fa57e3 e9c5000000 jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fa58ad)
    nt!PspSetCreateProcessNotifyRoutine+0xab:
    83fa57e8 83c9ff or ecx,0FFFFFFFFh
    83fa57eb 807d1000 cmp byte ptr [ebp+10h],0
    83fa57ef b8e433f583 mov eax,offset nt!PspCreateProcessNotifyRoutineCount (83f533e4)
    83fa57f4 7405 je nt!PspSetCreateProcessNotifyRoutine+0xbe (83fa57fb)
    nt!PspSetCreateProcessNotifyRoutine+0xb9:
    83fa57f6 b8e033f583 mov eax,offset nt!PspCreateProcessNotifyRoutineExCount (83f533e0)
    nt!PspSetCreateProcessNotifyRoutine+0xbe:
    83fa57fb f00fc108 lock xadd dword ptr [eax],ecx
    83fa57ff 8d049de032f583 lea eax,nt!PspCreateProcessNotifyRoutine (83f532e0)[ebx*4]
    83fa5806 8bcf mov ecx,edi
    83fa5808 e827bc0d00 call nt!ExDereferenceCallBackBlock (84081434)
    83fa580d 66ff8684000000 inc word ptr [esi+84h]
    83fa5814 0fb78684000000 movzx eax,word ptr [esi+84h]
    83fa581b 6685c0 test ax,ax
    83fa581e 7516 jne nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fa5836)
    nt!PspSetCreateProcessNotifyRoutine+0xe3:
    83fa5820 8d4640 lea eax,[esi+40h]
    83fa5823 3900 cmp dword ptr [eax],eax
    83fa5825 740f je nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fa5836)
    nt!PspSetCreateProcessNotifyRoutine+0xea:
    83fa5827 6683be8600000000 cmp word ptr [esi+86h],0
    83fa582f 7505 jne nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fa5836)
    nt!PspSetCreateProcessNotifyRoutine+0xf4:
    83fa5831 e84f14e9ff call nt!KiCheckForKernelApcDelivery (83e36c85)
    nt!PspSetCreateProcessNotif yRoutine+0xf9:
    83fa5836 8bcf mov ecx,edi
    83fa5838 e83a251700 call nt!ExWaitForCallBacks (84117d77)
    83fa583d 57 push edi
    83fa583e e8c88a0e00 call nt!AlpcpFreeBuffer (8408e30b)
    nt!PspSetCreateProcessNotifyRoutine+0x106:
    83fa5843 33c0 xor eax,eax
    83fa5845 eb66 jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fa58ad)
    nt!PspSetCreateProcessNotifyRoutine+0x10a:
    83fa5847 807d1000 cmp byte ptr [ebp+10h],0
    83fa584b 7413 je nt!PspSetCreateProcessNotifyRoutine+0x123 (83fa5860)
    nt!PspSetCreateProcessNotifyRoutine+0x110:
    83fa584d ff7508 push dword ptr [ebp+8]
    83fa5850 e82bb0fdff call nt!MmVerifyCallbackFunction (83f80880)
    83fa5855 85c0 test eax,eax
    83fa5857 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x123 (83fa5860)
    nt!PspSetCreateProcessNotifyRoutine+0x11c:
    83fa5859 b8220000c0 mov eax,0C0000022h
    83fa585e eb4d jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fa58ad)
    nt!PspSetCreateProcessNotifyRoutine+0x123:
    83fa5860 33c0 xor eax,eax
    83fa5862 384510 cmp byte ptr [ebp+10h],al
    83fa5865 0f95c0 setne al
    83fa5868 50 push eax
    83fa5869 ff7508 push dword ptr [ebp+8]
    83fa586c e8a8fdffff call nt!ExAllocateCallBack (83fa5619)
    83fa5871 8bd8 mov ebx,eax
    83fa5873 85db test ebx,ebx
    83fa5875 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x141 (83fa587e)
    nt!PspSetCreateProcessNotifyRoutine+0x13a:
    83fa5877 b89a0000c0 mov eax,0C000009Ah
    83fa587c eb2f jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fa58ad)
    nt!PspSetCreateProcessNotifyRoutine+0x141:
    83fa587e bee032f583 mov esi,offset nt!PspCreateProcessNotifyRoutine (83f532e0)
    83fa5883 33ff xor edi,edi
    nt!PspSetCreateProcessNotifyRoutine+0x148:
    83fa5885 6a00 push 0
    83fa5887 8bcb mov ecx,ebx
    83fa5889 8bc6 mov eax,esi
    83fa588b e8b8fdffff call nt!ExCompareExchangeCallBack (83fa5648)
    83fa5890 84c0 test al,al
    83fa5892 7520 jne nt!PspSetCreateProcessNotifyRoutine+0x177 (83fa58b4)
    nt!PspSetCreateProcessNotifyRoutine+0x157:
    83fa5894 83c704 add edi,4
    83fa5897 83c604 add esi,4
    83fa589a 81ff00010000 cmp edi,100h
    83fa58a0 72e3 jb nt!PspSetCreateProcessNotifyRoutine+0x148 (83fa5885)
    nt!PspSetCreateProcessNotifyRoutine+0x165:
    83fa58a2 53 push ebx
    83fa58a3 e8638a0e00 call nt!AlpcpFreeBuffer (8408e30b)
    83fa58a8 b80d0000c0 mov eax,0C000000Dh
    nt!PspSetCreateProcessNotifyRoutine+0x170:
    83fa58ad 5f pop edi
    83fa58ae 5e pop esi
    83fa58af 5b pop ebx
    83fa58b0 5d pop ebp
    83fa58b1 c20c00 ret 0Ch
    nt!PspSetCreateProcessNotifyRoutine+0x177:
    83fa58b4 33c9 xor ecx,ecx
    83fa58b6 41 inc ecx
    83fa58b7 807d1000 cmp byte ptr [ebp+10h],0
    83fa58bb 7525 jne nt!PspSetCreateProcessNotifyRoutine+0x1a5 (83fa58e2)
    nt!PspSetCreateProcessNotifyRoutine+0x180:
    83fa58bd b8e433f583 mov eax,offset nt!PspCreateProcessNotifyRoutineCount (83f533e4)
    83fa58c2 f00fc108 lock xadd dword ptr [eax],ecx
    83fa58c6 a19830f583 mov eax,dword ptr [nt!PspNotifyEnableMask (83f53098)]
    83fa58cb a802 test al,2
    83fa58cd 0f8570ffffff jne nt!PspSetCreateProcessNotifyRoutine+0x106 (83fa5843)
    nt!PspSetCreateProcessNotifyRoutine+0x196:
    83fa58d3 b89830f583 mov eax,offset nt!PspNotifyEnableMask (83f53098)
    83fa58d8 f00fba2801 lock bts dword ptr [eax],1
    83fa58dd e961ffffff jmp nt!PspSetCreateProcessNotifyRoutine+0x106 (83fa5843)
    nt!PspSetCreateProcessNotifyRoutine+0x1a5:
    83fa58e2 b8e033f583 mov eax,offset nt!PspCreateProcessNotifyRoutineExCount (83f533e0)
    83fa58e7 f00fc108 lock xadd dword ptr [eax],ecx
    83fa58eb a19830f583 mov eax,dword ptr [nt!PspNotifyEnableMask (83f53098)]
    83fa58f0 a804 test al,4
    83fa58f2 0f854bffffff jne nt!PspSetCreateProcessNotifyRoutine+0x106 (83fa5843)
    nt!PspSetCreateProcessNotifyRoutine+0x1bb:
    83fa58f8 b89830f583 mov eax,offset nt!PspNotifyEnableMask (83f53098)
    83fa58fd f00fba2802 lock bts dword ptr [eax],2
    83fa5902 e93cffffff jmp nt!PspSetCreateProcessNotifyRoutine+0x106 (83fa5843)

Win7 64-bit PspSetCreateProcessNotifyRoutine

    lkd> uf PspSetCreateProcessNotifyRoutine
    nt!PspSetCreateProcessNotifyRoutine:
    fffff800`042be1b0 48895c2408 mov qword ptr [rsp+8],rbx
    fffff800`042be1b5 48896c2410 mov qword ptr [rsp+10h],rbp
    fffff800`042be1ba 4889742418 mov qword ptr [rsp+18h],rsi
    fffff800`042be1bf 57 push rdi
    fffff800`042be1c0 4154 push r12
    fffff800`042be1c2 4155 push r13
    fffff800`042be1c4 4156 push r14
    fffff800`042be1c6 4157 push r15
    fffff800`042be1c8 4883ec20 sub rsp,20h
    fffff800`042be1cc 4533e4 xor r12d,r12d
    fffff800`042be1cf 418ae8 mov bpl,r8b
    fffff800`042be1d2 4c8be9 mov r13,rcx
    fffff800`042be1d5 418d5c2401 lea ebx,[r12+1]
    fffff800`042be1da 413ad4 cmp dl,r12b
    fffff800`042be1dd 0f840e010000 je nt!PspSetCreateProcessNotifyRoutine+0x141 (fffff800`042be2f1)
    nt!PspSetCreateProcessNotifyRoutine+0x33:
    fffff800`042be1e3 65488b3c2588010000 mov rdi,qword ptr gs:[188h]
    fffff800`042be1ec 83c8ff or eax,0FFFFFFFFh
    fffff800`042be1ef 660187c4010000 add word ptr [rdi+1C4h],ax
    fffff800`042be1f6 4c8d358395d6ff lea r14,[nt!PspCreateProcessNotifyRoutine (fffff800`04027780)]
    nt!PspSetCreateProcessNotifyRoutine+0x4d:
    fffff800`042be1fd 418bc4 mov eax,r12d
    fffff800`042be200 4d8d3cc6 lea r15,[r14+rax*8]
    fffff800`042be204 498bcf mov rcx,r15
    fffff800`042be207 e8f4ecedff call nt!ExReferenceCallBackBlock (fffff800`0419cf00)
    fffff800`042be20c 33d2 xor edx,edx
    fffff800`042be20e 488bf0 mov rsi,rax
    fffff800`042be211 483bc2 cmp rax,rdx
    fffff800`042be214 743d je nt!PspSetCreateProcessNotifyRoutine+0xa3 (fffff800`042be253)
    nt!PspSetCreateProcessNotifyRoutine+0x66:
    fffff800`042be216 488bc8 mov rcx,rax
    fffff800`042be219 e89eb4c0ff call nt!ExGetCallBackBlockRoutine (fffff800`03ec96bc)
    fffff800`042be21e 493bc5 cmp rax,r13
    fffff800`042be221 7523 jne nt!PspSetCreateProcessNotifyRoutine+0x96 (fffff800`042be246)
    nt!PspSetCreateProcessNotifyRoutine+0x73:
    fffff800`042be223 48395110 cmp qword ptr [rcx+10h],rdx
    fffff800`042be227 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x80 (fffff800`042be230)
    nt!PspSetCreateProcessNotifyRoutine+0x79:
    fffff800`042be229 403aea cmp bpl,dl
    fffff800`042be22c 7407 je nt!PspSetCreateProcessNotifyRoutine+0x85 (fffff800`042be235)
    nt!PspSetCreateProcessNotifyRoutine+0x7e:
    fffff800`042be22e eb16 jmp nt!PspSetCreateProcessNotifyRoutine+0x96 (fffff800`042be246)
    nt!PspSetCreateProcessNotifyRoutine+0x80:
    fffff800`042be230 403aea cmp bpl,dl
    fffff800`042be233 7411 je nt!PspSetCreateProcessNotifyRoutine+0x96 (fffff800`042be246)
    nt!PspSetCreateProcessNotifyRoutine+0x85:
    fffff800`042be235 4c8bc6 mov r8,rsi
    fffff800`042be238 498bcf mov rcx,r15
    fffff800`042be23b e8100ef5ff call nt!ExCompareExchangeCallBack (fffff800`0420f050)
    fffff800`042be240 33c9 xor ecx,ecx
    fffff800`042be242 3ac1 cmp al,cl
    fffff800`042be244 7540 jne nt!PspSetCreateProcessNotifyRoutine+0xd6 (fffff800`042be286)
    nt!PspSetCreateProcessNotifyRoutine+0x96:
    fffff800`042be246 488bd6 mov rdx,rsi
    fffff800`042be249 498bcf mov rcx,r15
    fffff800`042be24c e8bb2eeeff call nt!ExDereferenceCallBackBlock (fffff800`041a110c)
    fffff800`042be251 33d2 xor edx,edx
    nt!PspSetCreateProcessNotifyRoutine+0xa3:
    fffff800`042be253 4403e3 add r12d,ebx
    fffff800`042be256 4183fc40 cmp r12d,40h
    fffff800`042be25a 72a1 jb nt!PspSetCreateProcessNotifyRoutine+0x4d (fffff800`042be1fd)
    nt!PspSetCreateProcessNotifyRoutine+0xac:
    fffff800`042be25c 66019fc4010000 add word ptr [rdi+1C4h],bx
    fffff800`042be263 7517 jne nt!PspSetCreateProcessNotifyRoutine+0xcc (fffff800`042be27c)
    nt!PspSetCreateProcessNotifyRoutine+0xb5:
    fffff800`042be265 488d4750 lea rax,[rdi+50h]
    fffff800`042be269 483900 cmp qword ptr [rax],rax
    fffff800`042be26c 740e je nt!PspSetCreateProcessNotifyRoutine+0xcc (fffff800`042be27c)
    nt!PspSetCreateProcessNotifyRoutine+0xbe:
    fffff800`042be26e 663997c6010000 cmp word ptr [rdi+1C6h],dx
    fffff800`042be275 7505 jne nt!PspSetCreateProcessNotifyRoutine+0xcc (fffff800`042be27c)
    nt!PspSetCreateProcessNotifyRoutine+0xc7:
    fffff800`042be277 e834f5b6ff call nt!KiCheckForKernelApcDelivery (fffff800`03e2d7b0)
    nt!PspSetCreateProcessNotifyRoutine+0xcc:
    fffff800`042be27c b87a0000c0 mov eax,0C000007Ah
    fffff800`042be281 e916010000 jmp nt!PspSetCreateProcessNotifyRoutine+0x1ec (fffff800`042be39c)
    nt!PspSetCreateProcessNotifyRoutine+0xd6:
    fffff800`042be286 403ae9 cmp bpl,cl
    fffff800`042be289 750a jne nt!PspSetCreateProcessNotifyRoutine+0xe5 (fffff800`042be295)
    nt!PspSetCreateProcessNotifyRoutine+0xdb:
    fffff800`042be28b f08305f196d6ffff lock add dword ptr [nt!PspCreateProcessNotifyRoutineCount (fffff800`04027984)],0FFFFFFFFh
    fffff800`042be293 eb08 jmp nt!PspSetCreateProcessNotifyRoutine+0xed (fffff800`042be29d)
    nt!PspSetCreateProcessNotifyRoutine+0xe5:
    fffff800`042be295 f08305e396d6ffff lock add dword ptr [nt!PspCreateProcessNotifyRoutineExCount (fffff800`04027980)],0FFFFFFFFh
    nt!PspSetCreateProcessNotifyRoutine+0xed:
    fffff800`042be29d 418bc4 mov eax,r12d
    fffff800`042be2a0 488bd6 mov rdx,rsi
    fffff800`042be2a3 498d0cc6 lea rcx,[r14+rax*8]
    fffff800`042be2a7 e8602eeeff call nt!ExDereferenceCallBackBlock (fffff800`041a110c)
    fffff800`042be2ac 66019fc4010000 add word ptr [rdi+1C4h],bx
    fffff800`042be2b3 7519 jne nt!PspSetCreateProcessNotifyRoutine+0x11e (fffff800`042be2ce)
    nt!PspSetCreateProcessNotifyRoutine+0x105:
    fffff800`042be2b5 488d4750 lea rax,[rdi+50h]
    fffff800`042be2b9 483900 cmp qword ptr [rax],rax
    fffff800`042be2bc 7410 je nt!PspSetCreateProcessNotifyRoutine+0x11e (fffff800`042be2ce)
    nt!PspSetCreateProcessNotifyRoutine+0x10e:
    fffff800`042be2be 33c0 xor eax,eax
    fffff800`042be2c0 663987c6010000 cmp word ptr [rdi+1C6h],ax
    fffff800`042be2c7 7505 jne nt!PspSetCreateProcessNotifyRoutine+0x11e (fffff800`042be2ce)
    nt!PspSetCreateProcessNotifyRoutine+0x119:
    fffff800`042be2c9 e8e2f4b6ff call nt!KiCheckForKernelApcDelivery (fffff800`03e2d7b0)
    nt!PspSetCreateProcessNotifyRoutine+0x11e:
    fffff800`042be2ce 33c0 xor eax,eax
    fffff800`042be2d0 f0480fb11e lock cmpxchg qword ptr [rsi],rbx
    fffff800`042be2d5 740d je nt!PspSetCreateProcessNotifyRoutine+0x134 (fffff800`042be2e4)
    nt!PspSetCreateProcessNotifyRoutine+0x127:
    fffff800`042be2d7 483bc3 cmp rax,rbx
    fffff800`042be2da 7408 je nt!PspSetCreateProcessNotifyRoutine+0x134 (fffff800`042be2e4)
    nt!PspSetCreateProcessNotifyRoutine+0x12c:
    fffff800`042be2dc 488bce mov rcx,rsi
    fffff800`042be2df e86cd4b9ff call nt!ExfWaitForRundownProtectionRelease (fffff800`03e5b750)
    nt!PspSetCreateProcessNotifyRoutine+0x134:
    fffff800`042be2e4 488bce mov rcx,rsi
    fffff800`042be2e7 e864d7fbff call nt!IopDeallocateApc (fffff800`0427ba50)
    fffff800`042be2ec e9a9000000 jmp nt!PspSetCreateProcessNotifyRoutine+0x1ea (fffff800`042be39a)
    nt!PspSetCreateProcessNotifyRoutine+0x141:
    fffff800`042be2f1 413aec cmp bpl,r12b
    fffff800`042be2f4 7419 je nt!PspSetCreateProcessNotifyRoutine+0x15f (fffff800`042be30f)
    nt!PspSetCreateProcessNotifyRoutine+0x146:
    fffff800`042be2f6 e8b51dfbff call nt!MmVerifyCallbackFunction (fffff800`042700b0)
    fffff800`042be2fb 413bc4 cmp eax,r12d
    fffff800`042be2fe 750a jne nt!PspSetCreateProcessNotifyRoutine+0x15a (fffff800`042be30a)
    nt!PspSetCreateProcessNotifyRoutine+0x150:
    fffff800`042be300 b8220000c0 mov eax,0C0000022h
    fffff800`042be305 e992000000 jmp nt!PspSetCreateProcessNotifyRoutine+0x1ec (fffff800`042be39c)
    nt!PspSetCreateProcessNotifyRoutine+0x15a:
    fffff800`042be30a 488bd3 mov rdx,rbx
    fffff800`042be30d eb03 jmp nt!PspSetCreateProcessNotifyRoutine+0x162 (fffff800`042be312)
    nt!PspSetCreateProcessNotifyRoutine+0x15f:
    fffff800`042be30f 498bd4 mov rdx,r12
    nt!PspSetCreateProcessNotifyRoutine+0x162:
    fffff800`042be312 498bcd mov rcx,r13
    fffff800`042be315 e846a8fbff call nt!ExAllocateCallBack (fffff800`04278b60)
    fffff800`042be31a 488bf0 mov rsi,rax
    fffff800`042be31d 493bc4 cmp rax,r12
    fffff800`042be320 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x179 (fffff800`042be329)
    nt!PspSetCreateProcessNotifyRoutine+0x172:
    fffff800`042be322 b89a0000c0 mov eax,0C000009Ah
    fffff800`042be327 eb73 jmp nt!PspSetCreateProcessNotifyRoutine+0x1ec (fffff800`042be39c)
    nt!PspSetCreateProcessNotifyRoutine+0x179:
    fffff800`042be329 418bfc mov edi,r12d
    fffff800`042be32c 4c8d354d94d6ff lea r14,[nt!PspCreateProcessNotifyRoutine (fffff800`04027780)]
    nt!PspSetCreateProcessNotifyRoutine+0x183:
    fffff800`042be333 8bc7 mov eax,edi
    fffff800`042be335 4533c0 xor r8d,r8d
    fffff800`042be338 488bd6 mov rdx,rsi
    fffff800`042be33b 498d0cc6 lea rcx,[r14+rax*8]
    fffff800`042be33f e80c0df5ff call nt!ExCompareExchangeCallBack (fffff800`0420f050)
    fffff800`042be344 413ac4 cmp al,r12b
    fffff800`042be347 7516 jne nt!PspSetCreateProcessNotifyRoutine+0x1af (fffff800`042be35f)
    nt!PspSetCreateProcessNotifyRoutine+0x199:
    fffff800`042be349 03fb add edi,ebx
    fffff800`042be34b 83ff40 cmp edi,40h
    fffff800`042be34e 72e3 jb nt!PspSetCreateProcessNotifyRoutine+0x183 (fffff800`042be333)
    nt!PspSetCreateProcessNotifyRoutine+0x1a0:
    fffff800`042be350 488bce mov rcx,rsi
    fffff800`042be353 e8f8d6fbff call nt!IopDeallocateApc (fffff800`0427ba50)
    fffff800`042be358 b80d0000c0 mov eax,0C000000Dh
    fffff800`042be35d eb3d jmp nt!PspSetCreateProcessNotifyRoutine+0x1ec (fffff800`042be39c)
    nt!PspSetCreateProcessNotifyRoutine+0x1af:
    fffff800`042be35f 413aec cmp bpl,r12b
    fffff800`042be362 751c jne nt!PspSetCreateProcessNotifyRoutine+0x1d0 (fffff800`042be380)
    nt!PspSetCreateProcessNotifyRoutine+0x1b4:
    fffff800`042be364 f0011d1996d6ff lock add dword ptr [nt!PspCreateProcessNotifyRoutineCount (fffff800`04027984)],ebx
    fffff800`042be36b 8b056f91d6ff mov eax,dword ptr [nt!PspNotifyEnableMask (fffff800`040274e0)]
    fffff800`042be371 a802 test al,2
    fffff800`042be373 7525 jne nt!PspSetCreateProcessNotifyRoutine+0x1ea (fffff800`042be39a)
    nt!PspSetCreateProcessNotifyRoutine+0x1c5:
    fffff800`042be375 f00fba2d6291d6ff01 lock bts dword ptr [nt!PspNotifyEnableMask (fffff800`040274e0)],1
    fffff800`042be37e eb1a jmp nt!PspSetCreateProcessNotifyRoutine+0x1ea (fffff800`042be39a)
    nt!PspSetCreateProcessNotifyRoutine+0x1d0:
    fffff800`042be380 f0011df995d6ff lock add dword ptr [nt!PspCreateProcessNotifyRoutineExCount (fffff800`04027980)],ebx
    fffff800`042be387 8b055391d6ff mov eax,dword ptr [nt!PspNotifyEnableMask (fffff800`040274e0)]
    fffff800`042be38d a804 test al,4
    fffff800`042be38f 7509 jne nt!PspSetCreateProcessNotifyRoutine+0x1ea (fffff800`042be39a)
    nt!PspSetCreateProcessNotifyRoutine+0x1e1:
    fffff800`042be391 f00fba2d4691d6ff02 lock bts dword ptr [nt!PspNotifyEnableMask (fffff800`040274e0)],2
    nt!PspSetCreateProcessNotifyRoutine+0x1ea:
    fffff800`042be39a 33c0 xor eax,eax
    nt!PspSetCreateProcessNotifyRoutine+0x1ec:
    fffff800`042be39c 488b5c2450 mov rbx,qword ptr [rsp+50h]
    fffff800`042be3a1 488b6c2458 mov rbp,qword ptr [rsp+58h]
    fffff800`042be3a6 488b742460 mov rsi,qword ptr [rsp+60h]
    fffff800`042be3ab 4883c420 add rsp,20h
    fffff800`042be3af 415f pop r15
    fffff800`042be3b1 415e pop r14
    fffff800`042be3b3 415d pop r13
    fffff800`042be3b5 415c pop r12
    fffff800`042be3b7 5f pop rdi
    fffff800`042be3b8 c3 ret

Win8.1 32-bit PspSetCreateProcessNotifyRoutine

  1. lkd> uf PspSetCreateProcessNotifyRoutine
  2. nt!PspSetCreateProcessNotifyRoutine:
  3. 819b987e 8bff mov edi,edi
  4. 819b9880 55 push ebp
  5. 819b9881 8bec mov ebp,esp
  6. 819b9883 83ec10 sub esp,10h
  7. 819b9886 53 push ebx
  8. 819b9887 8bd9 mov ebx,ecx
  9. 819b9889 895df4 mov dword ptr [ebp-0Ch],ebx
  10. 819b988c 56 push esi
  11. 819b988d 57 push edi
  12. 819b988e 84d2 test dl,dl
  13. 819b9890 0f8567020a00 jne nt! ?? ::NNGAKEGL::`string'+0x70493 (81a59afd)
  14. nt!PspSetCreateProcessNotifyRoutine+0x18:
  15. 819b9896 33f6 xor esi,esi
  16. 819b9898 33ff xor edi,edi
  17. 819b989a 46 inc esi
  18. 819b989b 385508 cmp byte ptr [ebp+8],dl
  19. 819b989e 756e jne nt!PspSetCreateProcessNotifyRoutine+0x90 (819b990e)
  20. nt!PspSetCreateProcessNotifyRoutine+0x22:
  21. 819b98a0 8bd7 mov edx,edi
  22. nt!PspSetCreateProcessNotifyRoutine+0x24:
  23. 819b98a2 8bcb mov ecx,ebx
  24. 819b98a4 e8a9000000 call nt!ExAllocateCallBack (819b9952)
  25. 819b98a9 8bc8 mov ecx,eax
  26. 819b98ab 894dfc mov dword ptr [ebp-4],ecx
  27. 819b98ae 85c9 test ecx,ecx
  28. 819b98b0 0f846b030a00 je nt! ?? ::NNGAKEGL::`string'+0x705b7 (81a59c21)
  29. nt!PspSetCreateProcessNotifyRoutine+0x38:
  30. 819b98b6 b8c8158681 mov eax,offset nt!PspCreateProcessNotifyRoutine (818615c8)
  31. 819b98bb 8bdf mov ebx,edi
  32. 819b98bd 8945f8 mov dword ptr [ebp-8],eax
  33. nt!PspSetCreateProcessNotifyRoutine+0x42:
  34. 819b98c0 8bd1 mov edx,ecx
  35. 819b98c2 8bc8 mov ecx,eax
  36. 819b98c4 57 push edi
  37. 819b98c5 e88e24d9ff call nt!ExCompareExchangeCallBack (8174bd58)
  38. 819b98ca 84c0 test al,al
  39. 819b98cc 751c jne nt!PspSetCreateProcessNotifyRoutine+0x6c (819b98ea)
  40. nt!PspSetCreateProcessNotifyRoutine+0x50:
  41. 819b98ce 8b45f8 mov eax,dword ptr [ebp-8]
  42. 819b98d1 83c304 add ebx,4
  43. 819b98d4 8b4dfc mov ecx,dword ptr [ebp-4]
  44. 819b98d7 83c004 add eax,4
  45. 819b98da 8945f8 mov dword ptr [ebp-8],eax
  46. 819b98dd 81fb00010000 cmp ebx,100h
  47. 819b98e3 72db jb nt!PspSetCreateProcessNotifyRoutine+0x42 (819b98c0)
  48. nt!PspSetCreateProcessNotifyRoutine+0x67:
  49. 819b98e5 e941030a00 jmp nt! ?? ::NNGAKEGL::`string'+0x705c1 (81a59c2b)
  50. nt!PspSetCreateProcessNotifyRoutine+0x6c:
  51. 819b98ea 807d0800 cmp byte ptr [ebp+8],0
  52. 819b98ee 752b jne nt!PspSetCreateProcessNotifyRoutine+0x9d (819b991b)
  53. nt!PspSetCreateProcessNotifyRoutine+0x72:
  54. 819b98f0 b8541cb481 mov eax,offset nt!PspCreateProcessNotifyRoutineCount (81b41c54)
  55. 819b98f5 f00fc130 lock xadd dword ptr [eax],esi
  56. 819b98f9 46 inc esi
  57. 819b98fa a1441cb481 mov eax,dword ptr [nt!PspNotifyEnableMask (81b41c44)]
  58. 819b98ff a802 test al,2
  59. 819b9901 7437 je nt!PspSetCreateProcessNotifyRoutine+0xbc (819b993a)
  60. nt!PspSetCreateProcessNotifyRoutine+0x85:
  61. 819b9903 33c0 xor eax,eax
  62. nt!PspSetCreateProcessNotifyRoutine+0x87:
  63. 819b9905 5f pop edi
  64. 819b9906 5e pop esi
  65. 819b9907 5b pop ebx
  66. 819b9908 8be5 mov esp,ebp
  67. 819b990a 5d pop ebp
  68. 819b990b c20400 ret 4
  69. nt!PspSetCreateProcessNotifyRoutine+0x90:
  70. 819b990e e86d000000 call nt!MmVerifyCallbackFunction (819b9980)
  71. 819b9913 85c0 test eax,eax
  72. 819b9915 742f je nt!PspSetCreateProcessNotifyRoutine+0xc8 (819b9946)
  73. nt!PspSetCreateProcessNotifyRoutine+0x99:
  74. 819b9917 8bd6 mov edx,esi
  75. 819b9919 eb87 jmp nt!PspSetCreateProcessNotifyRoutine+0x24 (819b98a2)
  76. nt!PspSetCreateProcessNotifyRoutine+0x9d:
  77. 819b991b b8501cb481 mov eax,offset nt!PspCreateProcessNotifyRoutineExCount (81b41c50)
  78. 819b9920 f00fc130 lock xadd dword ptr [eax],esi
  79. 819b9924 46 inc esi
  80. 819b9925 a1441cb481 mov eax,dword ptr [nt!PspNotifyEnableMask (81b41c44)]
  81. 819b992a a804 test al,4
  82. 819b992c 75d5 jne nt!PspSetCreateProcessNotifyRoutine+0x85 (819b9903)
  83. nt!PspSetCreateProcessNotifyRoutine+0xb0:
  84. 819b992e b8441cb481 mov eax,offset nt!PspNotifyEnableMask (81b41c44)
  85. 819b9933 f00fba2802 lock bts dword ptr [eax],2
  86. 819b9938 ebc9 jmp nt!PspSetCreateProcessNotifyRoutine+0x85 (819b9903)
  87. nt!PspSetCreateProcessNotifyRoutine+0xbc:
  88. 819b993a b8441cb481 mov eax,offset nt!PspNotifyEnableMask (81b41c44)
  89. 819b993f f00fba2801 lock bts dword ptr [eax],1
  90. 819b9944 ebbd jmp nt!PspSetCreateProcessNotifyRoutine+0x85 (819b9903)
  91. nt!PspSetCreateProcessNotifyRoutine+0xc8:
  92. 819b9946 b8220000c0 mov eax,0C0000022h
  93. 819b994b ebb8 jmp nt!PspSetCreateProcessNotifyRoutine+0x87 (819b9905)
  94. nt! ?? ::NNGAKEGL::`string'+0x70493:
  95. 81a59afd 648b3524010000 mov esi,dword ptr fs:[124h]
  96. 81a59b04 66ff8e3c010000 dec word ptr [esi+13Ch]
  97. 81a59b0b 33ff xor edi,edi
  98. 81a59b0d b8c8158681 mov eax,offset nt!PspCreateProcessNotifyRoutine (818615c8)
  99. 81a59b12 897df8 mov dword ptr [ebp-8],edi
  100. 81a59b15 8945fc mov dword ptr [ebp-4],eax
  101. nt! ?? ::NNGAKEGL::`string'+0x704ae:
  102. 81a59b18 8bc8 mov ecx,eax
  103. 81a59b1a e85bb2c2ff call nt!ExReferenceCallBackBlock (81684d7a)
  104. 81a59b1f 8bd8 mov ebx,eax
  105. 81a59b21 85db test ebx,ebx
  106. 81a59b23 7426 je nt! ?? ::NNGAKEGL::`string'+0x704e1 (81a59b4b)
  107. nt! ?? ::NNGAKEGL::`string'+0x704bb:
  108. 81a59b25 8bcb mov ecx,ebx
  109. 81a59b27 e86a67d1ff call nt!ExGetCallBackBlockContext (81770296)
  110. 81a59b2c 8bd0 mov edx,eax
  111. 81a59b2e e86d67d1ff call nt!ExGetCallBackBlockRoutine (817702a0)
  112. 81a59b33 3b45f4 cmp eax,dword ptr [ebp-0Ch]
  113. 81a59b36 7509 jne nt! ?? ::NNGAKEGL::`string'+0x704d7 (81a59b41)
  114. nt! ?? ::NNGAKEGL::`string'+0x704ce:
  115. 81a59b38 85d2 test edx,edx
  116. 81a59b3a 7557 jne nt! ?? ::NNGAKEGL::`string'+0x70529 (81a59b93)
  117. nt! ?? ::NNGAKEGL::`string'+0x704d2:
  118. 81a59b3c 385508 cmp byte ptr [ebp+8],dl
  119. 81a59b3f 7458 je nt! ?? ::NNGAKEGL::`string'+0x7052f (81a59b99)
  120. nt! ?? ::NNGAKEGL::`string'+0x704d7:
  121. 81a59b41 8b4dfc mov ecx,dword ptr [ebp-4]
  122. 81a59b44 8bd3 mov edx,ebx
  123. 81a59b46 e8e7b1c2ff call nt!ExDereferenceCallBackBlock (81684d32)
  124. nt! ?? ::NNGAKEGL::`string'+0x704e1:
  125. 81a59b4b 8b4df8 mov ecx,dword ptr [ebp-8]
  126. 81a59b4e 8b45fc mov eax,dword ptr [ebp-4]
  127. 81a59b51 41 inc ecx
  128. 81a59b52 83c004 add eax,4
  129. 81a59b55 894df8 mov dword ptr [ebp-8],ecx
  130. 81a59b58 8945fc mov dword ptr [ebp-4],eax
  131. 81a59b5b 83f940 cmp ecx,40h
  132. 81a59b5e 72b8 jb nt! ?? ::NNGAKEGL::`string'+0x704ae (81a59b18)
  133. nt! ?? ::NNGAKEGL::`string'+0x704f6:
  134. 81a59b60 0fbf863c010000 movsx eax,word ptr [esi+13Ch]
  135. 81a59b67 40 inc eax
  136. 81a59b68 6689863c010000 mov word ptr [esi+13Ch],ax
  137. 81a59b6f 6685c0 test ax,ax
  138. 81a59b72 7515 jne nt! ?? ::NNGAKEGL::`string'+0x7051f (81a59b89)
  139. nt! ?? ::NNGAKEGL::`string'+0x7050a:
  140. 81a59b74 8d4670 lea eax,[esi+70h]
  141. 81a59b77 3900 cmp dword ptr [eax],eax
  142. 81a59b79 740e je nt! ?? ::NNGAKEGL::`string'+0x7051f (81a59b89)
  143. nt! ?? ::NNGAKEGL::`string'+0x70511:
  144. 81a59b7b 6639be3e010000 cmp word ptr [esi+13Eh],di
  145. 81a59b82 7505 jne nt! ?? ::NNGAKEGL::`string'+0x7051f (81a59b89)
  146. nt! ?? ::NNGAKEGL::`string'+0x7051a:
  147. 81a59b84 e8fb79c8ff call nt!KiCheckForKernelApcDelivery (816e1584)
  148. nt! ?? ::NNGAKEGL::`string'+0x7051f:
  149. 81a59b89 b87a0000c0 mov eax,0C000007Ah
  150. 81a59b8e e972fdf5ff jmp nt!PspSetCreateProcessNotifyRoutine+0x87 (819b9905)
  151. nt! ?? ::NNGAKEGL::`string'+0x70529:
  152. 81a59b93 807d0800 cmp byte ptr [ebp+8],0
  153. 81a59b97 74a8 je nt! ?? ::NNGAKEGL::`string'+0x704d7 (81a59b41)
  154. nt! ?? ::NNGAKEGL::`string'+0x7052f:
  155. 81a59b99 8b4dfc mov ecx,dword ptr [ebp-4]
  156. 81a59b9c 33d2 xor edx,edx
  157. 81a59b9e 53 push ebx
  158. 81a59b9f e8b421cfff call nt!ExCompareExchangeCallBack (8174bd58)
  159. 81a59ba4 84c0 test al,al
  160. 81a59ba6 7499 je nt! ?? ::NNGAKEGL::`string'+0x704d7 (81a59b41)
  161. nt! ?? ::NNGAKEGL::`string'+0x7053e:
  162. 81a59ba8 83c8ff or eax,0FFFFFFFFh
  163. 81a59bab b9541cb481 mov ecx,offset nt!PspCreateProcessNotifyRoutineCount (81b41c54)
  164. 81a59bb0 807d0800 cmp byte ptr [ebp+8],0
  165. 81a59bb4 7405 je nt! ?? ::NNGAKEGL::`string'+0x70551 (81a59bbb)
  166. nt! ?? ::NNGAKEGL::`string'+0x7054c:
  167. 81a59bb6 b9501cb481 mov ecx,offset nt!PspCreateProcessNotifyRoutineExCount (81b41c50)
  168. nt! ?? ::NNGAKEGL::`string'+0x70551:
  169. 81a59bbb f00fc101 lock xadd dword ptr [ecx],eax
  170. 81a59bbf 8b45f8 mov eax,dword ptr [ebp-8]
  171. 81a59bc2 8bd3 mov edx,ebx
  172. 81a59bc4 8d0c85c8158681 lea ecx,nt!PspCreateProcessNotifyRoutine (818615c8)[eax*4]
  173. 81a59bcb e862b1c2ff call nt!ExDereferenceCallBackBlock (81684d32)
  174. 81a59bd0 0fbf863c010000 movsx eax,word ptr [esi+13Ch]
  175. 81a59bd7 40 inc eax
  176. 81a59bd8 6689863c010000 mov word ptr [esi+13Ch],ax
  177. 81a59bdf 6685c0 test ax,ax
  178. 81a59be2 7515 jne nt! ?? ::NNGAKEGL::`string'+0x7058f (81a59bf9)
  179. nt! ?? ::NNGAKEGL::`string'+0x7057a:
  180. 81a59be4 8d4670 lea eax,[esi+70h]
  181. 81a59be7 3900 cmp dword ptr [eax],eax
  182. 81a59be9 740e je nt! ?? ::NNGAKEGL::`string'+0x7058f (81a59bf9)
  183. nt! ?? ::NNGAKEGL::`string'+0x70581:
  184. 81a59beb 6639be3e010000 cmp word ptr [esi+13Eh],di
  185. 81a59bf2 7505 jne nt! ?? ::NNGAKEGL::`string'+0x7058f (81a59bf9)
  186. nt! ?? ::NNGAKEGL::`string'+0x7058a:
  187. 81a59bf4 e88b79c8ff call nt!KiCheckForKernelApcDelivery (816e1584)
  188. nt! ?? ::NNGAKEGL::`string'+0x7058f:
  189. 81a59bf9 33f6 xor esi,esi
  190. 81a59bfb 33c0 xor eax,eax
  191. 81a59bfd 46 inc esi
  192. 81a59bfe 8bce mov ecx,esi
  193. 81a59c00 f00fb10b lock cmpxchg dword ptr [ebx],ecx
  194. 81a59c04 85c0 test eax,eax
  195. 81a59c06 740d je nt! ?? ::NNGAKEGL::`string'+0x705ab (81a59c15)
  196. nt! ?? ::NNGAKEGL::`string'+0x7059e:
  197. 81a59c08 3bc6 cmp eax,esi
  198. 81a59c0a 7409 je nt! ?? ::NNGAKEGL::`string'+0x705ab (81a59c15)
  199. nt! ?? ::NNGAKEGL::`string'+0x705a2:
  200. 81a59c0c 8bd0 mov edx,eax
  201. 81a59c0e 8bcb mov ecx,ebx
  202. 81a59c10 e87d36ccff call nt!ExfWaitForRundownProtectionRelease (8171d292)
  203. nt! ?? ::NNGAKEGL::`string'+0x705ab:
  204. 81a59c15 57 push edi
  205. 81a59c16 53 push ebx
  206. 81a59c17 e8f4a3ddff call nt!ExFreePoolWithTag (81834010)
  207. 81a59c1c e9e2fcf5ff jmp nt!PspSetCreateProcessNotifyRoutine+0x85 (819b9903)
  208. nt! ?? ::NNGAKEGL::`string'+0x705b7:
  209. 81a59c21 b89a0000c0 mov eax,0C000009Ah
  210. 81a59c26 e9dafcf5ff jmp nt!PspSetCreateProcessNotifyRoutine+0x87 (819b9905)
  211. nt! ?? ::NNGAKEGL::`string'+0x705c1:
  212. 81a59c2b 57 push edi
  213. 81a59c2c ff75fc push dword ptr [ebp-4]
  214. 81a59c2f e8dca3ddff call nt!ExFreePoolWithTag (81834010)
  215. 81a59c34 b80d0000c0 mov eax,0C000000Dh
  216. 81a59c39 e9c7fcf5ff jmp nt!PspSetCreateProcessNotifyRoutine+0x87 (819b9905)

Win8.1 64-bit PspSetCreateProcessNotifyRoutine

  1. lkd> uf PspSetCreateProcessNotifyRoutine
  2. Flow analysis was incomplete, some code may be missing
  3. nt!PspSetCreateProcessNotifyRoutine:
  4. fffff803`10775bc4 48895c2408 mov qword ptr [rsp+8],rbx
  5. fffff803`10775bc9 48896c2410 mov qword ptr [rsp+10h],rbp
  6. fffff803`10775bce 4889742418 mov qword ptr [rsp+18h],rsi
  7. fffff803`10775bd3 57 push rdi
  8. fffff803`10775bd4 4154 push r12
  9. fffff803`10775bd6 4155 push r13
  10. fffff803`10775bd8 4156 push r14
  11. fffff803`10775bda 4157 push r15
  12. fffff803`10775bdc 4883ec20 sub rsp,20h
  13. fffff803`10775be0 4533f6 xor r14d,r14d
  14. fffff803`10775be3 418ae8 mov bpl,r8b
  15. fffff803`10775be6 4c8be1 mov r12,rcx
  16. fffff803`10775be9 418d7e01 lea edi,[r14+1]
  17. fffff803`10775bed 84d2 test dl,dl
  18. fffff803`10775bef 0f85c52e0b00 jne nt! ?? ::NNGAKEGL::`string'+0x79eba (fffff803`10828aba)
  19. nt!PspSetCreateProcessNotifyRoutine+0x31:
  20. fffff803`10775bf5 4584c0 test r8b,r8b
  21. fffff803`10775bf8 7577 jne nt!PspSetCreateProcessNotifyRoutine+0xad (fffff803`10775c71)
  22. nt!PspSetCreateProcessNotifyRoutine+0x36:
  23. fffff803`10775bfa 418bd6 mov edx,r14d
  24. nt!PspSetCreateProcessNotifyRoutine+0x39:
  25. fffff803`10775bfd 498bcc mov rcx,r12
  26. fffff803`10775c00 e8ab000000 call nt!ExAllocateCallBack (fffff803`10775cb0)
  27. fffff803`10775c05 488bf0 mov rsi,rax
  28. fffff803`10775c08 4885c0 test rax,rax
  29. fffff803`10775c0b 0f84ef2f0b00 je nt! ?? ::NNGAKEGL::`string'+0x7a000 (fffff803`10828c00)
  30. nt!PspSetCreateProcessNotifyRoutine+0x4d:
  31. fffff803`10775c11 418bde mov ebx,r14d
  32. fffff803`10775c14 4c8d3de5b1deff lea r15,[nt!PspCreateProcessNotifyRoutine (fffff803`10560e00)]
  33. nt!PspSetCreateProcessNotifyRoutine+0x57:
  34. fffff803`10775c1b 8bc3 mov eax,ebx
  35. fffff803`10775c1d 4533c0 xor r8d,r8d
  36. fffff803`10775c20 488bd6 mov rdx,rsi
  37. fffff803`10775c23 498d0cc7 lea rcx,[r15+rax*8]
  38. fffff803`10775c27 e874b8c3ff call nt!ExCompareExchangeCallBack (fffff803`103b14a0)
  39. fffff803`10775c2c 84c0 test al,al
  40. fffff803`10775c2e 750c jne nt!PspSetCreateProcessNotifyRoutine+0x78 (fffff803`10775c3c)
  41. nt!PspSetCreateProcessNotifyRoutine+0x6c:
  42. fffff803`10775c30 03df add ebx,edi
  43. fffff803`10775c32 83fb40 cmp ebx,40h
  44. fffff803`10775c35 72e4 jb nt!PspSetCreateProcessNotifyRoutine+0x57 (fffff803`10775c1b)
  45. nt!PspSetCreateProcessNotifyRoutine+0x73:
  46. fffff803`10775c37 e9ce2f0b00 jmp nt! ?? ::NNGAKEGL::`string'+0x7a00a (fffff803`10828c0a)
  47. nt!PspSetCreateProcessNotifyRoutine+0x78:
  48. fffff803`10775c3c 4084ed test bpl,bpl
  49. fffff803`10775c3f 7545 jne nt!PspSetCreateProcessNotifyRoutine+0xc2 (fffff803`10775c86)
  50. nt!PspSetCreateProcessNotifyRoutine+0x7d:
  51. fffff803`10775c41 f0013d005a1b00 lock add dword ptr [nt!PspCreateProcessNotifyRoutineCount (fffff803`1092b648)],edi
  52. fffff803`10775c48 8b05ce541b00 mov eax,dword ptr [nt!PspNotifyEnableMask (fffff803`1092b11c)]
  53. fffff803`10775c4e a802 test al,2
  54. fffff803`10775c50 7450 je nt!PspSetCreateProcessNotifyRoutine+0xde (fffff803`10775ca2)
  55. nt!PspSetCreateProcessNotifyRoutine+0x8e:
  56. fffff803`10775c52 33c0 xor eax,eax
  57. fffff803`10775c54 488b5c2450 mov rbx,qword ptr [rsp+50h]
  58. fffff803`10775c59 488b6c2458 mov rbp,qword ptr [rsp+58h]
  59. fffff803`10775c5e 488b742460 mov rsi,qword ptr [rsp+60h]
  60. fffff803`10775c63 4883c420 add rsp,20h
  61. fffff803`10775c67 415f pop r15
  62. fffff803`10775c69 415e pop r14
  63. fffff803`10775c6b 415d pop r13
  64. fffff803`10775c6d 415c pop r12
  65. fffff803`10775c6f 5f pop rdi
  66. fffff803`10775c70 c3 ret
  67. nt!PspSetCreateProcessNotifyRoutine+0xad:
  68. fffff803`10775c71 e87e000000 call nt!MmVerifyCallbackFunction (fffff803`10775cf4)
  69. fffff803`10775c76 85c0 test eax,eax
  70. fffff803`10775c78 0f84782f0b00 je nt! ?? ::NNGAKEGL::`string'+0x79ff6 (fffff803`10828bf6)
  71. nt!PspSetCreateProcessNotifyRoutine+0xba:
  72. fffff803`10775c7e 488bd7 mov rdx,rdi
  73. fffff803`10775c81 e977ffffff jmp nt!PspSetCreateProcessNotifyRoutine+0x39 (fffff803`10775bfd)
  74. nt!PspSetCreateProcessNotifyRoutine+0xc2:
  75. fffff803`10775c86 f0013db7591b00 lock add dword ptr [nt!PspCreateProcessNotifyRoutineExCount (fffff803`1092b644)],edi
  76. fffff803`10775c8d 8b0589541b00 mov eax,dword ptr [nt!PspNotifyEnableMask (fffff803`1092b11c)]
  77. fffff803`10775c93 a804 test al,4
  78. fffff803`10775c95 75bb jne nt!PspSetCreateProcessNotifyRoutine+0x8e (fffff803`10775c52)
  79. nt!PspSetCreateProcessNotifyRoutine+0xd3:
  80. fffff803`10775c97 f00fba2d7c541b0002 lock bts dword ptr [nt!PspNotifyEnableMask (fffff803`1092b11c)],2
  81. fffff803`10775ca0 ebb0 jmp nt!PspSetCreateProcessNotifyRoutine+0x8e (fffff803`10775c52)
  82. nt!PspSetCreateProcessNotifyRoutine+0xde:
  83. fffff803`10775ca2 f00fba2d71541b0001 lock bts dword ptr [nt!PspNotifyEnableMask (fffff803`1092b11c)],1
  84. fffff803`10775cab eba5 jmp nt!PspSetCreateProcessNotifyRoutine+0x8e (fffff803`10775c52)

Win10 32-bit PspSetCreateProcessNotifyRoutine

  1. kd> uf PspSetCreateProcessNotifyRoutine
  2. nt!PspSetCreateProcessNotifyRoutine:
  3. 81e1c9fe 8bff mov edi,edi
  4. 81e1ca00 55 push ebp
  5. 81e1ca01 8bec mov ebp,esp
  6. 81e1ca03 83ec10 sub esp,10h
  7. 81e1ca06 53 push ebx
  8. 81e1ca07 8bd9 mov ebx,ecx
  9. 81e1ca09 895df4 mov dword ptr [ebp-0Ch],ebx
  10. 81e1ca0c 56 push esi
  11. 81e1ca0d 57 push edi
  12. 81e1ca0e 84d2 test dl,dl
  13. 81e1ca10 0f85d11b0a00 jne nt! ?? ::NNGAKEGL::`string'+0x69bdb (81ebe5e7)
  14. nt!PspSetCreateProcessNotifyRoutine+0x18:
  15. 81e1ca16 33ff xor edi,edi
  16. 81e1ca18 385508 cmp byte ptr [ebp+8],dl
  17. 81e1ca1b 7560 jne nt!PspSetCreateProcessNotifyRoutine+0x7f (81e1ca7d)
  18. nt!PspSetCreateProcessNotifyRoutine+0x1f:
  19. 81e1ca1d 8bd7 mov edx,edi
  20. nt!PspSetCreateProcessNotifyRoutine+0x21:
  21. 81e1ca1f 8bcb mov ecx,ebx
  22. 81e1ca21 e89a000000 call nt!ExAllocateCallBack (81e1cac0)
  23. 81e1ca26 8945f8 mov dword ptr [ebp-8],eax
  24. 81e1ca29 85c0 test eax,eax
  25. 81e1ca2b 0f84d81c0a00 je nt! ?? ::NNGAKEGL::`string'+0x69cfd (81ebe709)
  26. nt!PspSetCreateProcessNotifyRoutine+0x33:
  27. 81e1ca31 bb30dccb81 mov ebx,offset nt!PspCreateProcessNotifyRoutine (81cbdc30)
  28. 81e1ca36 8bf7 mov esi,edi
  29. nt!PspSetCreateProcessNotifyRoutine+0x3a:
  30. 81e1ca38 57 push edi
  31. 81e1ca39 8bd0 mov edx,eax
  32. 81e1ca3b 8bcb mov ecx,ebx
  33. 81e1ca3d e8921dd6ff call nt!ExCompareExchangeCallBack (81b7e7d4)
  34. 81e1ca42 84c0 test al,al
  35. 81e1ca44 7516 jne nt!PspSetCreateProcessNotifyRoutine+0x5e (81e1ca5c)
  36. nt!PspSetCreateProcessNotifyRoutine+0x48:
  37. 81e1ca46 8b45f8 mov eax,dword ptr [ebp-8]
  38. 81e1ca49 83c604 add esi,4
  39. 81e1ca4c 83c304 add ebx,4
  40. 81e1ca4f 81fe00010000 cmp esi,100h
  41. 81e1ca55 72e1 jb nt!PspSetCreateProcessNotifyRoutine+0x3a (81e1ca38)
  42. nt!PspSetCreateProcessNotifyRoutine+0x59:
  43. 81e1ca57 e9b71c0a00 jmp nt! ?? ::NNGAKEGL::`string'+0x69d07 (81ebe713)
  44. nt!PspSetCreateProcessNotifyRoutine+0x5e:
  45. 81e1ca5c 807d0800 cmp byte ptr [ebp+8],0
  46. 81e1ca60 7529 jne nt!PspSetCreateProcessNotifyRoutine+0x8d (81e1ca8b)
  47. nt!PspSetCreateProcessNotifyRoutine+0x64:
  48. 81e1ca62 f0ff05d8bdff81 lock inc dword ptr [nt!PspCreateProcessNotifyRoutineCount (81ffbdd8)]
  49. 81e1ca69 a1c4bdff81 mov eax,dword ptr [nt!PspNotifyEnableMask (81ffbdc4)]
  50. 81e1ca6e a802 test al,2
  51. 81e1ca70 7435 je nt!PspSetCreateProcessNotifyRoutine+0xa9 (81e1caa7)
  52. nt!PspSetCreateProcessNotifyRoutine+0x74:
  53. 81e1ca72 33c0 xor eax,eax
  54. nt!PspSetCreateProcessNotifyRoutine+0x76:
  55. 81e1ca74 5f pop edi
  56. 81e1ca75 5e pop esi
  57. 81e1ca76 5b pop ebx
  58. 81e1ca77 8be5 mov esp,ebp
  59. 81e1ca79 5d pop ebp
  60. 81e1ca7a c20400 ret 4
  61. nt!PspSetCreateProcessNotifyRoutine+0x7f:
  62. 81e1ca7d e86c000000 call nt!MmVerifyCallbackFunction (81e1caee)
  63. 81e1ca82 85c0 test eax,eax
  64. 81e1ca84 742d je nt!PspSetCreateProcessNotifyRoutine+0xb5 (81e1cab3)
  65. nt!PspSetCreateProcessNotifyRoutine+0x88:
  66. 81e1ca86 33d2 xor edx,edx
  67. 81e1ca88 42 inc edx
  68. 81e1ca89 eb94 jmp nt!PspSetCreateProcessNotifyRoutine+0x21 (81e1ca1f)
  69. nt!PspSetCreateProcessNotifyRoutine+0x8d:
  70. 81e1ca8b f0ff05d4bdff81 lock inc dword ptr [nt!PspCreateProcessNotifyRoutineExCount (81ffbdd4)]
  71. 81e1ca92 a1c4bdff81 mov eax,dword ptr [nt!PspNotifyEnableMask (81ffbdc4)]
  72. 81e1ca97 a804 test al,4
  73. 81e1ca99 75d7 jne nt!PspSetCreateProcessNotifyRoutine+0x74 (81e1ca72)
  74. nt!PspSetCreateProcessNotifyRoutine+0x9d:
  75. 81e1ca9b b8c4bdff81 mov eax,offset nt!PspNotifyEnableMask (81ffbdc4)
  76. 81e1caa0 f00fba2802 lock bts dword ptr [eax],2
  77. 81e1caa5 ebcb jmp nt!PspSetCreateProcessNotifyRoutine+0x74 (81e1ca72)
  78. nt!PspSetCreateProcessNotifyRoutine+0xa9:
  79. 81e1caa7 b8c4bdff81 mov eax,offset nt!PspNotifyEnableMask (81ffbdc4)
  80. 81e1caac f00fba2801 lock bts dword ptr [eax],1
  81. 81e1cab1 ebbf jmp nt!PspSetCreateProcessNotifyRoutine+0x74 (81e1ca72)
  82. nt!PspSetCreateProcessNotifyRoutine+0xb5:
  83. 81e1cab3 b8220000c0 mov eax,0C0000022h
  84. 81e1cab8 ebba jmp nt!PspSetCreateProcessNotifyRoutine+0x76 (81e1ca74)

Win10 64-bit PspSetCreateProcessNotifyRoutine

  1. kd> uf PspSetCreateProcessNotifyRoutine
  2. nt!PspSetCreateProcessNotifyRoutine:
  3. fffff800`a09a4530 48895c2408 mov qword ptr [rsp+8],rbx
  4. fffff800`a09a4535 48896c2410 mov qword ptr [rsp+10h],rbp
  5. fffff800`a09a453a 4889742418 mov qword ptr [rsp+18h],rsi
  6. fffff800`a09a453f 57 push rdi
  7. fffff800`a09a4540 4154 push r12
  8. fffff800`a09a4542 4155 push r13
  9. fffff800`a09a4544 4156 push r14
  10. fffff800`a09a4546 4157 push r15
  11. fffff800`a09a4548 4883ec20 sub rsp,20h
  12. fffff800`a09a454c 8ada mov bl,dl
  13. fffff800`a09a454e 8bf2 mov esi,edx
  14. fffff800`a09a4550 d0eb shr bl,1
  15. fffff800`a09a4552 4c8be1 mov r12,rcx
  16. fffff800`a09a4555 80e301 and bl,1
  17. fffff800`a09a4558 f6c201 test dl,1
  18. fffff800`a09a455b 0f8559770900 jne nt! ?? ::NNGAKEGL::`string'+0x6752a (fffff800`a0a3bcba)
  19. nt!PspSetCreateProcessNotifyRoutine+0x31:
  20. fffff800`a09a4561 84db test bl,bl
  21. fffff800`a09a4563 7573 jne nt!PspSetCreateProcessNotifyRoutine+0xa8 (fffff800`a09a45d8)
  22. nt!PspSetCreateProcessNotifyRoutine+0x35:
  23. fffff800`a09a4565 488bd6 mov rdx,rsi
  24. fffff800`a09a4568 498bcc mov rcx,r12
  25. fffff800`a09a456b e8a0000000 call nt!ExAllocateCallBack (fffff800`a09a4610)
  26. fffff800`a09a4570 488bf0 mov rsi,rax
  27. fffff800`a09a4573 4885c0 test rax,rax
  28. fffff800`a09a4576 0f8400780900 je nt! ?? ::NNGAKEGL::`string'+0x675ec (fffff800`a0a3bd7c)
  29. nt!PspSetCreateProcessNotifyRoutine+0x4c:
  30. fffff800`a09a457c 33ff xor edi,edi
  31. fffff800`a09a457e 4c8d3dfb0bdfff lea r15,[nt!PspCreateProcessNotifyRoutine (fffff800`a0795180)]
  32. nt!PspSetCreateProcessNotifyRoutine+0x55:
  33. fffff800`a09a4585 498d0cff lea rcx,[r15+rdi*8]
  34. fffff800`a09a4589 4533c0 xor r8d,r8d
  35. fffff800`a09a458c 488bd6 mov rdx,rsi
  36. fffff800`a09a458f e8fce9bfff call nt!ExCompareExchangeCallBack (fffff800`a05a2f90)
  37. fffff800`a09a4594 84c0 test al,al
  38. fffff800`a09a4596 750c jne nt!PspSetCreateProcessNotifyRoutine+0x74 (fffff800`a09a45a4)
  39. nt!PspSetCreateProcessNotifyRoutine+0x68:
  40. fffff800`a09a4598 ffc7 inc edi
  41. fffff800`a09a459a 83ff40 cmp edi,40h
  42. fffff800`a09a459d 72e6 jb nt!PspSetCreateProcessNotifyRoutine+0x55 (fffff800`a09a4585)
  43. nt!PspSetCreateProcessNotifyRoutine+0x6f:
  44. fffff800`a09a459f e9e2770900 jmp nt! ?? ::NNGAKEGL::`string'+0x675f6 (fffff800`a0a3bd86)
  45. nt!PspSetCreateProcessNotifyRoutine+0x74:
  46. fffff800`a09a45a4 84db test bl,bl
  47. fffff800`a09a45a6 7540 jne nt!PspSetCreateProcessNotifyRoutine+0xb8 (fffff800`a09a45e8)
  48. nt!PspSetCreateProcessNotifyRoutine+0x78:
  49. fffff800`a09a45a8 f0ff051d481d00 lock inc dword ptr [nt!PspCreateProcessNotifyRoutineCount (fffff800`a0b78dcc)]
  50. fffff800`a09a45af 8b0583441d00 mov eax,dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)]
  51. fffff800`a09a45b5 a802 test al,2
  52. fffff800`a09a45b7 744b je nt!PspSetCreateProcessNotifyRoutine+0xd4 (fffff800`a09a4604)
  53. nt!PspSetCreateProcessNotifyRoutine+0x89:
  54. fffff800`a09a45b9 33c0 xor eax,eax
  55. nt!PspSetCreateProcessNotifyRoutine+0x8b:
  56. fffff800`a09a45bb 488b5c2450 mov rbx,qword ptr [rsp+50h]
  57. fffff800`a09a45c0 488b6c2458 mov rbp,qword ptr [rsp+58h]
  58. fffff800`a09a45c5 488b742460 mov rsi,qword ptr [rsp+60h]
  59. fffff800`a09a45ca 4883c420 add rsp,20h
  60. fffff800`a09a45ce 415f pop r15
  61. fffff800`a09a45d0 415e pop r14
  62. fffff800`a09a45d2 415d pop r13
  63. fffff800`a09a45d4 415c pop r12
  64. fffff800`a09a45d6 5f pop rdi
  65. fffff800`a09a45d7 c3 ret
  66. nt!PspSetCreateProcessNotifyRoutine+0xa8:
  67. fffff800`a09a45d8 e837020000 call nt!MmVerifyCallbackFunction (fffff800`a09a4814)
  68. fffff800`a09a45dd 85c0 test eax,eax
  69. fffff800`a09a45df 7584 jne nt!PspSetCreateProcessNotifyRoutine+0x35 (fffff800`a09a4565)
  70. nt!PspSetCreateProcessNotifyRoutine+0xb1:
  71. fffff800`a09a45e1 b8220000c0 mov eax,0C0000022h
  72. fffff800`a09a45e6 ebd3 jmp nt!PspSetCreateProcessNotifyRoutine+0x8b (fffff800`a09a45bb)
  73. nt!PspSetCreateProcessNotifyRoutine+0xb8:
  74. fffff800`a09a45e8 f0ff05d9471d00 lock inc dword ptr [nt!PspCreateProcessNotifyRoutineExCount (fffff800`a0b78dc8)]
  75. fffff800`a09a45ef 8b0543441d00 mov eax,dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)]
  76. fffff800`a09a45f5 a804 test al,4
  77. fffff800`a09a45f7 75c0 jne nt!PspSetCreateProcessNotifyRoutine+0x89 (fffff800`a09a45b9)
  78. nt!PspSetCreateProcessNotifyRoutine+0xc9:
  79. fffff800`a09a45f9 f00fba2d36441d0002 lock bts dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)],2
  80. fffff800`a09a4602 ebb5 jmp nt!PspSetCreateProcessNotifyRoutine+0x89 (fffff800`a09a45b9)
  81. nt!PspSetCreateProcessNotifyRoutine+0xd4:
  82. fffff800`a09a4604 f00fba2d2b441d0001 lock bts dword ptr [nt!PspNotifyEnableMask (fffff800`a0b78a38)],1
  83. fffff800`a09a460d ebaa jmp nt!PspSetCreateProcessNotifyRoutine+0x89 (fffff800`a09a45b9)

Win7 32-bit PsSetCreateProcessNotifyRoutine

  1. lkd> uf PsSetCreateProcessNotifyRoutine
  2. nt!PsSetCreateProcessNotifyRoutine:
  3. 83fa5720 8bff mov edi,edi
  4. 83fa5722 55 push ebp
  5. 83fa5723 8bec mov ebp,esp
  6. 83fa5725 6a00 push 0
  7. 83fa5727 ff750c push dword ptr [ebp+0Ch]
  8. 83fa572a ff7508 push dword ptr [ebp+8]
  9. 83fa572d e809000000 call nt!PspSetCreateProcessNotifyRoutine (83fa573b)
  10. 83fa5732 5d pop ebp
  11. 83fa5733 c20800 ret 8

Win7 64-bit PsSetCreateProcessNotifyRoutine

  1. lkd> u PsSetCreateProcessNotifyRoutine
  2. nt!PsSetCreateProcessNotifyRoutine:
  3. fffff800`042be3c0 4533c0 xor r8d,r8d
  4. fffff800`042be3c3 e9e8fdffff jmp nt!PspSetCreateProcessNotifyRoutine (fffff800`042be1b0)

Win8.1 32-bit PsSetCreateProcessNotifyRoutine

  1. lkd> uf PsSetCreateProcessNotifyRoutine
  2. nt!PsSetCreateProcessNotifyRoutine:
  3. 811617d2 8bff mov edi,edi
  4. 811617d4 55 push ebp
  5. 811617d5 8bec mov ebp,esp
  6. 811617d7 8a550c mov dl,byte ptr [ebp+0Ch]
  7. 811617da 8b4d08 mov ecx,dword ptr [ebp+8]
  8. 811617dd 6a00 push 0
  9. 811617df e89a000000 call nt!PspSetCreateProcessNotifyRoutine (8116187e)
  10. 811617e4 5d pop ebp
  11. 811617e5 c20800 ret 8

Win8.1 64-bit PsSetCreateProcessNotifyRoutine

  1. lkd> u PsSetCreateProcessNotifyRoutine
  2. nt!PsSetCreateProcessNotifyRoutine:
  3. fffff803`10775b00 4533c0 xor r8d,r8d
  4. fffff803`10775b03 e9bc000000 jmp nt!PspSetCreateProcessNotifyRoutine (fffff803`10775bc4)

Win10 32-bit PsSetCreateProcessNotifyRoutine

  1. kd> uf PsSetCreateProcessNotifyRoutine
  2. nt!PsSetCreateProcessNotifyRoutine:
  3. 81e1c8d4 8bff mov edi,edi
  4. 81e1c8d6 55 push ebp
  5. 81e1c8d7 8bec mov ebp,esp
  6. 81e1c8d9 8a550c mov dl,byte ptr [ebp+0Ch]
  7. 81e1c8dc 8b4d08 mov ecx,dword ptr [ebp+8]
  8. 81e1c8df 6a00 push 0
  9. 81e1c8e1 e818010000 call nt!PspSetCreateProcessNotifyRoutine (81e1c9fe)
  10. 81e1c8e6 5d pop ebp
  11. 81e1c8e7 c20800 ret 8

Win10 64-bit PsSetCreateProcessNotifyRoutine

  1. kd> u PsSetCreateProcessNotifyRoutine
  2. nt!PsSetCreateProcessNotifyRoutine:
  3. fffff800`a09a4460 33c0 xor eax,eax
  4. fffff800`a09a4462 84d2 test dl,dl
  5. fffff800`a09a4464 448d4001 lea r8d,[rax+1]
  6. fffff800`a09a4468 410f45c0 cmovne eax,r8d
  7. fffff800`a09a446c 8bd0 mov edx,eax
  8. fffff800`a09a446e e9bd000000 jmp nt!PspSetCreateProcessNotifyRoutine (fffff800`a09a4530)
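The two-step address lookup that the listings above illustrate (first resolve the E8/E9 rel32 in PsSetCreateProcessNotifyRoutine to reach PspSetCreateProcessNotifyRoutine, then resolve the lea/mov operand there to reach the PspCreateProcessNotifyRoutine array), as an added example that is not code from this article or its attached project. The byte buffers are transcribed from the Win10 listings on this page so that the arithmetic can run in user mode; in a driver the same functions would scan the function bodies mapped in kernel memory. The function and signature names are this example's own, and the x86 buffers are short slices around the match, not whole functions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the article or its attached project): the two-step
 * signature scan the WinDbg listings above show, run against byte buffers
 * transcribed from those listings so it can execute in user mode. */

/* Return the offset of the first occurrence of pat in code, or -1. */
static long find_pattern(const uint8_t *code, size_t len,
                         const uint8_t *pat, size_t patlen)
{
    if (patlen == 0 || len < patlen)
        return -1;
    for (size_t i = 0; i + patlen <= len; i++)
        if (memcmp(code + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve a rel32 operand that follows the signature:
 * target = address of the next instruction + sign-extended disp32.
 * Covers E8/E9 (call/jmp rel32) and the x64 "4C 8D 3D" (lea r15,[rip+disp32]).
 * base is the address the buffer was read from. Returns 0 if the signature
 * is not present or the displacement would run past the buffer. */
uint64_t resolve_rel32(const uint8_t *code, size_t len, uint64_t base,
                       const uint8_t *pat, size_t patlen)
{
    long off = find_pattern(code, len, pat, patlen);
    if (off < 0 || (size_t)off + patlen + 4 > len)
        return 0;
    int32_t disp = (int32_t)read_le32(code + off + patlen);
    uint64_t next = base + (uint64_t)off + patlen + 4;
    return next + (uint64_t)(int64_t)disp;   /* modular add == signed add */
}

/* Resolve an imm32 absolute operand (32-bit kernels: B8 / BB / C7 45 0C + address). */
uint32_t resolve_abs32(const uint8_t *code, size_t len,
                       const uint8_t *pat, size_t patlen)
{
    long off = find_pattern(code, len, pat, patlen);
    if (off < 0 || (size_t)off + patlen + 4 > len)
        return 0;
    return read_le32(code + off + patlen);
}

/* --- Sample input, transcribed from the listings on this page --- */

/* Win10 x64 PsSetCreateProcessNotifyRoutine @ fffff800`a09a4460 */
static const uint8_t w10x64_ps[] = {
    0x33,0xc0, 0x84,0xd2, 0x44,0x8d,0x40,0x01, 0x41,0x0f,0x45,0xc0,
    0x8b,0xd0, 0xe9,0xbd,0x00,0x00,0x00 };
/* Win10 x64 PspSetCreateProcessNotifyRoutine+0x4c @ fffff800`a09a457c */
static const uint8_t w10x64_psp[] = {
    0x33,0xff, 0x4c,0x8d,0x3d,0xfb,0x0b,0xdf,0xff, 0x49,0x8d,0x0c,0xff };
/* Win10 x86 PsSetCreateProcessNotifyRoutine @ 81e1c8d4 */
static const uint8_t w10x86_ps[] = {
    0x8b,0xff, 0x55, 0x8b,0xec, 0x8a,0x55,0x0c, 0x8b,0x4d,0x08, 0x6a,0x00,
    0xe8,0x18,0x01,0x00,0x00, 0x5d, 0xc2,0x08,0x00 };
/* Win10 x86 PspSetCreateProcessNotifyRoutine+0x33 @ 81e1ca31 */
static const uint8_t w10x86_psp[] = { 0xbb,0x30,0xdc,0xcb,0x81, 0x8b,0xf7 };

static const uint8_t SIG_JMP[]     = { 0xe9 };             /* x64 step 1 */
static const uint8_t SIG_CALL[]    = { 0xe8 };             /* x86 step 1 */
static const uint8_t SIG_LEA_R15[] = { 0x4c,0x8d,0x3d };   /* x64 Win8.1/Win10 step 2 */
static const uint8_t SIG_MOV_EBX[] = { 0xbb };             /* x86 Win10 step 2 */

/* Step 1: PsSet... -> PspSet...;  step 2: PspSet... -> PspCreateProcessNotifyRoutine */
uint64_t w10x64_pspset(void)
{ return resolve_rel32(w10x64_ps, sizeof w10x64_ps, 0xfffff800a09a4460ULL, SIG_JMP, 1); }
uint64_t w10x64_array(void)
{ return resolve_rel32(w10x64_psp, sizeof w10x64_psp, 0xfffff800a09a457cULL, SIG_LEA_R15, 3); }
uint32_t w10x86_pspset(void)
{ return (uint32_t)resolve_rel32(w10x86_ps, sizeof w10x86_ps, 0x81e1c8d4ULL, SIG_CALL, 1); }
uint32_t w10x86_array(void)
{ return resolve_abs32(w10x86_psp, sizeof w10x86_psp, SIG_MOV_EBX, 1); }

int main(void)
{
    printf("Win10 x64 PspSetCreateProcessNotifyRoutine = %016llx\n",
           (unsigned long long)w10x64_pspset());
    printf("Win10 x64 PspCreateProcessNotifyRoutine    = %016llx\n",
           (unsigned long long)w10x64_array());
    printf("Win10 x86 PspSetCreateProcessNotifyRoutine = %08x\n", w10x86_pspset());
    printf("Win10 x86 PspCreateProcessNotifyRoutine    = %08x\n", w10x86_array());
    return 0;
}
```

The results match the symbolic targets WinDbg prints in the listings (fffff800`a09a4530, fffff800`a0795180, 81e1c9fe and 81cbdc30). Two things the listings also make visible and a real scanner should respect: the array has 64 slots on every platform shown (the x64 loop stops at 0x40 entries, the x86 loop at 0x100 bytes in 4-byte steps), and a one-byte signature such as E8 or a three-byte one such as 4C 8D 3D is not unique in general, so bound the scan to the function body and check that the resolved address falls inside the ntoskrnl image before using it.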
Attachment: PsSetCreateProcessNotifyRoutine_Enum_Remove_Test.7z (11.91kb, 5 downloads)
