进程创建流程

;进程创建过程开始 CreateProcessA
call kernel32!CreateProcessA
;10个参数
; BOOL WINAPI CreateProcess(
; __in_opt LPCTSTR lpApplicationName,
; __inout_opt LPTSTR lpCommandLine,
; __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
; __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
; __in BOOL bInheritHandles,
; __in DWORD dwCreationFlags, NORMAL_PRIORITY_CLASS
; __in_opt LPVOID lpEnvironment,
; __in_opt LPCTSTR lpCurrentDirectory,
; __in LPSTARTUPINFO lpStartupInfo,
; __out LPPROCESS_INFORMATION lpProcessInformation
; );
; 直接调用kernel32!CreateProcessInternalA
call kernel32!CreateProcessInternalA
; 12个参数,第一个与最后一个为零,中间10个即上面传入的10个参数
; 主要任务是将ANSI字符转换成Unicode字符,很多代码用于了转换与检查,所以,直接用Unicode编程将大大增加执行效率
call kernel32!CreateProcessInternalW
; 12个参数
; 基本延续上面的
; 第6个参数 and 0F7FFFFFFh

 

以下为kernel32!CreateProcessInternalW中的流程:

 


call ntdll!ZwQueryInformationJobObject
; ZwQueryInformationJobObject retrieves information about a job object.
; NTSYSAPI
; NTSTATUS
; NTAPI
; ZwQueryInformationJobObject(
; IN HANDLE JobHandle, == 0
; IN JOBOBJECTINFOCLASS JobInformationClass, == 4
; OUT PVOID JobInformation, == Address
; IN ULONG JobInformationLength, == 4
; OUT PULONG ReturnLengthOPTIONAL == 0
; );
; 判断返回值是否为C0000022h (拒绝访问)
call kernel32!SearchPathW
; 进行路径搜索
call kernel32!GetFileAttributesW
; 获取文件属性
call kernel32!BasepIsSetupInvokedByWinLogon
; 判断是否WinLogon进程
call ntdll!RtlDosPathNameToNtPathName_U
call ntdll!RtlDetermineDosPathNameType_U
; 路径转换
call ntdll!NtOpenFile
; 打开文件
call ntdll!NtCreateSection
; NtCreateSection(
; OUT PHANDLE SectionHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
; IN PLARGE_INTEGER MaximumSize OPTIONAL,
; IN ULONG Protect,
; IN ULONG Attributes,
; IN HANDLE FileHandle OPTIONAL
; );
; 创建Section CreateFileMapping是对NtCreateSection的封装,所以在这一步,程序被映射进了内存
call kernel32!BasepIsProcessAllowed
; 就一个参数为Unicode进程名字
; 其内部调用了RtlEnterCriticalSection进入临界区
; 再调用NtOpenKey打开:
; "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"
; 解释:
; AppCertDlls details.
; Create in the "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\SessionManager\\AppCertDlls"
;
; Under it, a value named "AppSecDll" of type REG_EXPAND_SZ, holding something like "%SystemRoot%\system32\.Dll" ... In fact, there may be many of them, so keep this in mind.
;
; This DLL of yours must export a mandatory entry point named CreateProcessNotify, with the prototype specified below.
; 结束
; 最后调用RtlLeaveCriticalSection

call kernel32!BasepCheckBadapp
; 对进程进行兼容性检查
; 1. IsShimInfrastructureDisabled
; 2. RtlAllocateHeap NTDLL
; 3. __imp__memmove
; 4. BaseCheckAppcompatCache KERNEL32
; 1. __SEH_prolog
; 2. BasepShimCacheCheckBypass KERNEL32
; 3. BasepShimCacheLock KERNEL32
; 4. BasepShimCacheLookup KERNEL32
; 5. BasepShimCacheUnlock KERNEL32
; 6. __SEH_epilog
; 5. RtlFreeHeap NTDLL
; 其中会加载:
; call kernel32!LdrLoadDll C:\WINDOWS\system32\Apphelp.dll
; 调用其中的“ApphelpCheckRunApp”
call kernel32!BasepCheckWinSaferRestrictions
; 1. RtlEnterCriticalSection NTDLL
; 2. NtOpenThreadToken
; NtOpenThreadToken ( IN HANDLE ThreadHandle, == 0FFFFFFFEh(-2 当前线程)
; IN ACCESS_MASK DesiredAccess, == 2000000h
; IN BOOLEAN OpenAsSelf, == 1
; OUT PHANDLE TokenHandle
; )
; 判断返回值是否等于0C000007Ch(试图引用不存在的令牌),否则跳走(跳走后的路径没有跟踪,估计是跳向了NtSetInformationThread)
; 是则继续向下Call
; 3. NtOpenProcessToken
; NtOpenProcessTokenEx ( IN HANDLE ProcessHandle, == -1 当前进程
; IN ACCESS_MASK DesiredAccess, == 0ah
; IN ULONG HandleAttributes,
; OUT PHANDLE TokenHandle
; )
; 判断返回值是否为0C0000022h(拒绝访问),
; 是跳走,否继续
; 4. NtQueryInformationToken
; NtQueryInformationToken ( IN HANDLE TokenHandle, == 上面得到的句柄
; IN TOKEN_INFORMATION_CLASS TokenInformationClass, == 1
; OUT PVOID TokenInformation,
; IN ULONG TokenInformationLength,
; OUT PULONG ReturnLength
; )
; 5. RtlInitializeSid
; RtlInitializeSid( IN PSID Sid,
; IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
; IN UCHAR SubAuthorityCount );
; 6. RtlSubAuthoritySid
; 7. RtlEqualSid
; 8. NtOpenKey "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"
; 打开失败,继续打开下面的:
; "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
; 打开成功:
; Call NtQueryValueKey 取"TransparentEnabled"项的值
; 判断得到的值是否为零,不为零则设某变量为1
; Call NtQueryValueKey 取"AuthenticodeEnabled"项的值
; 判断得到的值是否为零,不为零则跳转,我这里是零
; 9. NtClose
; 10. call kernel32!LdrLoadDll "ADVAPI32.DLL" ; 装入DLL
; 11. call kernel32!LdrGetProcedureAddress ;获取下列API地址
; "SaferIdentifyLevel"
; "SaferComputeTokenFromLevel"
; "SaferCloseLevel"
; "SaferRecordEventLogEntry"
; 12. NtClose
; 13. call kernel32!__security_check_cookie
call ntdll!ZwQuerySection
; ZwQuerySection ( IN HANDLE SectionHandle, == Section句柄
; IN SECTION_INFORMATION_CLASS SectionInformationClass, == 1
; OUT PVOID SectionInformation,
; IN SIZE_T Length,
; OUT PSIZE_T ResultLength
; )
call kernel32!LdrQueryImageFileExecutionOptions
; 读取IFEO(Image File Execution Options)中该进程名对应的"Debugger"值,即映像劫持所依赖的键
; LdrQueryImageFileExecutionOptions ( IN PUNICODE_STRING SubKey, == "\??\E:\AAAAA.exe"进程名
; IN PCWSTR ValueName, == "Debugger"
; IN ULONG Type, == 1
; OUT PVOID Buffer,
; IN ULONG BufferSize,
; OUT PULONG ReturnedLength OPTIONAL
; )
call kernel32!BasepIsImageVersionOk
call kernel32!LoadLibraryA "advapi32.dll"
call kernel32!GetProcAddress "CreateProcessAsUserSecure"
call ntdll!ZwQuerySystemInformation
; ZwQuerySystemInformation(
; IN SYSTEM_INFORMATION_CLASS SystemInformationClass, == 47H == "SystemCreateSession"
; INOUT PVOID SystemInformation,
; IN ULONG SystemInformationLength,
; OUT PULONG ReturnLength OPTIONAL
; );
call kernel32!FreeLibrary "advapi32.dll"
call kernel32!BaseFormatObjectAttributes
call ntdll!ZwCreateProcessEx
mov eax,30h
call ntdll!KiFastSystemCall
call ntdll!ZwSetInformationProcess
; NtSetInformationProcess ( IN HANDLE ProcessHandle, == ZwCreateProcessEx时得到的进程句柄
; IN PROCESSINFOCLASS ProcessInformationClass, == 12h == ProcessDefaultHardErrorMode
; IN PVOID ProcessInformation, == 2 == SEM_NOGPFAULTERRORBOX
; IN ULONG ProcessInformationLength == 2
; )
call kernel32!BasepSxsCreateProcessCsrMessage
; 1. BasepSxsGetProcessImageBaseAddress KERNEL32
; 2. RtlMultiAppendUnicodeStringBuffer NTDLL
; 3. BasepSxsCreateStreams KERNEL32
; 4. BasepSxsIsStatusFileNotFoundEtc
; 5. BasepSxsIsStatusResourceNotFound
call ntdll!NtQueryInformationProcess
; ZwQueryInformationProcess(
; IN HANDLE ProcessHandle, == 进程句柄
; IN PROCESSINFOCLASS ProcessInformationClass, == 0 == ProcessBasicInformation
; OUT PVOID ProcessInformation,
; IN ULONG ProcessInformationLength,
; OUT PULONG ReturnLength OPTIONAL
; );
call kernel32!BasePushProcessParameters
; 1. __SEH_prolog
; 2. GetFullPathNameW KERNEL32
; 3. BaseComputeProcessDllPath KERNEL32
; 4. RtlInitUnicodeString
; 5. RtlCreateProcessParameters NTDLL
; 6. NtAllocateVirtualMemory
; 7. NtWriteVirtualMemory
; 8. __security_check_cookie
; 9. __SEH_epilog
call kernel32!BaseCreateStack
; 1. RtlImageNtHeader NTDLL
; 2. NtAllocateVirtualMemory
; 3. NtProtectVirtualMemory
call kernel32!BaseInitializeContext
; BaseInitializeContext(PCONTEXT Context, // 0x200 bytes
; PPEB Peb,
; PVOID EntryPoint,
; DWORD StackTop,
; int Type // union (Process, Thread, Fiber)
; );
call kernel32!BaseFormatObjectAttributes
call ntdll!ZwCreateThread
mov eax,35h
call ntdll!KiFastSystemCall
call kernel32!GetModuleHandleA "NULL"
eax == 0400000h ;程序装入地址
call ntdll!RtlImageNtHeader eax
; 验证NTHeader
; 下面是通知Csrss.exe的几个函数
call ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace
call ntdll!CsrClientCallServer
call ntdll!CsrFreeCaptureBuffer
;--------------
call ntdll!ZwResumeThread;启动线程移交控制权并返回
ret
;;进程创建过程结束 CreateProcessA

 

;创建线程
Call NtCreateThread
;NtCreateThread(
; OUT PHANDLE ThreadHandle, +8h
; IN ACCESS_MASK DesiredAccess, +Ch
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +10h
; IN HANDLE ProcessHandle, +14h
; OUT PCLIENT_ID ClientID, +18h
; IN PCONTEXT Context, /* see _BaseInitializeContext */ +1ch
; IN StackInformation* StackInfo, /* see _BaseCreateStack */ +20h
; IN BOOLEAN CreateSuspended /* ==1 */ +24h
; );  



 

805c6ae0 64a124010000 mov eax,dword ptr fs:[00000124h] ;取KTHREAD结构地址
805c6ae6 8945e0 mov dword ptr [ebp-20h],eax ;保存在变量中
805c6ae9 80b84001000000 cmp byte ptr [eax+140h],0 ;比较KTHREAD.PreviousMode 是否为0
805c6af6 a1b48b5580 mov eax,dword ptr [nt!MmUserProbeAddress (80558bb4)] ;取用户地址 eax == 7fff0000h
805c6afb 8b4d08 mov ecx,dword ptr [ebp+8] ;取第一个参数 也就是句柄输出的地址
805c6afe 3bc8 cmp ecx,eax ;进行地址比较
805c6b00 7206 jb nt!NtCreateThread+0x38 (805c6b08) ;低于跳转
805c6b08 8b01 mov eax,dword ptr [ecx] ;探测用户缓冲区是否可写(相当于ProbeForWrite):先读一个dword
805c6b0a 8901 mov dword ptr [ecx],eax ;再原样写回,地址无效时在此处触发异常,而不是在内核深处
805c6b0c 8b5d18 mov ebx,dword ptr [ebp+18h] ;取参数PCLIENT_ID到ebx
;以下为对 PCLIENT_ID的输入地址进行验证
805c6b0f 85db test ebx,ebx
805c6b11 7423 je nt!NtCreateThread+0x66 (805c6b36)
805c6b13 895ddc mov dword ptr [ebp-24h],ebx
805c6b16 a1b48b5580 mov eax,dword ptr [nt!MmUserProbeAddress (80558bb4)]
805c6b1b 3bd8 cmp ebx,eax
805c6b1d 7203 jb nt!NtCreateThread+0x52 (805c6b22)
805c6b22 f6c303 test bl,3
805c6b25 7405 je nt!NtCreateThread+0x5c (805c6b2c)
805c6b2c 8a03 mov al,byte ptr [ebx]
805c6b2e 8803 mov byte ptr [ebx],al
805c6b30 8a4304 mov al,byte ptr [ebx+4]
805c6b33 884304 mov byte ptr [ebx+4],al
;测试PCONTEXT Context参数
805c6b36 837d1c00 cmp dword ptr [ebp+1Ch],0
805c6b3a 743e je nt!NtCreateThread+0xaa (805c6b7a)
805c6b3c f6451c03 test byte ptr [ebp+1Ch],3
805c6b40 7405 je nt!NtCreateThread+0x77 (805c6b47)
805c6b47 a1b48b5580 mov eax,dword ptr [nt!MmUserProbeAddress (80558bb4)]
805c6b4c 39451c cmp dword ptr [ebp+1Ch],eax
805c6b4f 720b jb nt!NtCreateThread+0x8c (805c6b5c)
;测试StackInformation参数
; Typedef struct _StackInformation
; {
; DWORD Reserved0;
; DWORD Reserved1;
; DWORD AddressOfTop;
; DWORD CommitAddress;
; DWORD ReservedAddress;
; } StackInformation;
805c6b5c 8b5d20 mov ebx,dword ptr [ebp+20h]
805c6b5f f6c303 test bl,3
805c6b62 740a je nt!NtCreateThread+0x9e (805c6b6e)
805c6b6e 3bd8 cmp ebx,eax ;eax==7fff0000h 地址测试
805c6b70 7216 jb nt!NtCreateThread+0xb8 (805c6b88)
;以下为测试Reserved0与Reserved1两个参数是否为0,同时赋值两个变量为0
805c6b88 8b03 mov eax,dword ptr [ebx]
805c6b8a 8945c8 mov dword ptr [ebp-38h],eax
eax=00000000
805c6b8d 8b4b04 mov ecx,dword ptr [ebx+4]
805c6b90 894dcc mov dword ptr [ebp-34h],ecx
ecx=00000000
805c6b93 33d2 xor edx,edx
805c6b95 3bc2 cmp eax,edx
805c6b97 750e jne nt!NtCreateThread+0xd7 (805c6ba7)
805c6b99 3bca cmp ecx,edx
805c6b9b 750a jne nt!NtCreateThread+0xd7 (805c6ba7)
; 将StackInformation参数中的内容移动到变量[ebp-38h]中
805c6b9d 6a05 push 5
805c6b9f 59 pop ecx
805c6ba0 8bf3 mov esi,ebx
805c6ba2 8d7dc8 lea edi,[ebp-38h]
805c6ba5 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 

 

805c6ba7 834dfcff or dword ptr [ebp-4],0FFFFFFFFh ;将第一个变量赋值为 -1
;调用PspCreateThread
;PspCreateThread(
; OUT PHANDLE ThreadHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
; IN HANDLE ProcessHandle,
; IN PEPROCESS ProcessPointer,
; OUT PCLIENT_ID ClientId OPTIONAL,
; IN PCONTEXT ThreadContext OPTIONAL,
; IN PINITIAL_TEB InitialTeb OPTIONAL,
; IN BOOLEAN CreateSuspended,
; IN PKSTART_ROUTINE StartRoutine OPTIONAL,
; IN PVOID StartContext
; )
805c6bab 52 push edx ;StartContext == 0 30
805c6bac 52 push edx ;StartRoutine== 0 2c
805c6bad ff7524 push dword ptr [ebp+24h] ;CreateSuspended 28
805c6bb0 8d45c8 lea eax,[ebp-38h] ;
805c6bb3 50 push eax ;InitialTeb 24
805c6bb4 ff751c push dword ptr [ebp+1Ch] ;ThreadContext 20
805c6bb7 ff7518 push dword ptr [ebp+18h] ;PCLIENT_ID参数 1c
805c6bba 52 push edx ; ProcessPointer == 0 18
805c6bbb ff7514 push dword ptr [ebp+14h] ;ProcessHandle 14
805c6bbe ff7510 push dword ptr [ebp+10h] ;ObjectAttributes 10
805c6bc1 ff750c push dword ptr [ebp+0Ch] ;DesiredAccess c
805c6bc4 ff7508 push dword ptr [ebp+8] ;ThreadHandle 8
805c6bc7 e8c4efffff call nt!PspCreateThread (805c5b90)
805c5b9f 64a124010000 mov eax,dword ptr fs:[00000124h]
805c5ba5 8945c4 mov dword ptr [ebp-3Ch],eax ;取KTHREAD保存到变量中
805c5ba8 33f6 xor esi,esi
805c5baa 39752c cmp dword ptr [ebp+2Ch],esi ;测试CreateSuspended标志是否为零
805c5bad 7406 je nt!PspCreateThread+0x25 (805c5bb5) ;为零跳转
805c5bb5 8a8040010000 mov al,byte ptr [eax+140h] ;存KTHREAD.PreviousMode 到变量
805c5bbb 8845d0 mov byte ptr [ebp-30h],al
805c5bbe 8975e4 mov dword ptr [ebp-1Ch],esi ;变量清零
805c5bc1 33db xor ebx,ebx
805c5bc3 895da4 mov dword ptr [ebp-5Ch],ebx ;变量清零
805c5bc6 397514 cmp dword ptr [ebp+14h],esi ;判断ProcessHandle是否为零
805c5bc9 7426 je nt!PspCreateThread+0x61 (805c5bf1) ;为零则跳转
;call nt!ObReferenceObjectByHandle
; ObReferenceObjectByHandle(
; IN HANDLE Handle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_TYPE ObjectType OPTIONAL,
; IN KPROCESSOR_MODE AccessMode,
; OUT PVOID *Object,
; OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
; );
805c5bcb 56 push esi ;HandleInformation == 0
805c5bcc 8d856cffffff lea eax,[ebp-94h]
805c5bd2 50 push eax ;*Object == 返回的对像指针
805c5bd3 ff75d0 push dword ptr [ebp-30h] ;AccessMode == KTHREAD.PreviousMode == 1
805c5bd6 ff3558a35580 push dword ptr [nt!PsProcessType (8055a358)] ;ObjectType
805c5bdc 6a02 push 2 ;DesiredAccess == 2
805c5bde ff7514 push dword ptr [ebp+14h] ;Handle == 进程句柄 == 110h
805c5be1 e8aaa9feff call nt!ObReferenceObjectByHandle (805b0590)
805c5be6 8b9d6cffffff mov ebx,dword ptr [ebp-94h] ;保存进程对像指针到EBX
805c5bec 895da4 mov dword ptr [ebp-5Ch],ebx ;保存进程对像指针到变量
805c5bef eb1b jmp nt!PspCreateThread+0x7c (805c5c0c)
805c5c0c 3bc6 cmp eax,esi ;测试上一调用返回的NTSTATUS是否为负(失败)
805c5c0e 0f8c33070000 jl nt!PspCreateThread+0x7b7 (805c6347)
805c5c14 807dd000 cmp byte ptr [ebp-30h],0 ;比较KTHREAD.PreviousMode是否为0
805c5c18 740f je nt!PspCreateThread+0x99 (805c5c29)
805c5c1a 3b1d54a35580 cmp ebx,dword ptr [nt!PsInitialSystemProcess (8055a354)] ;比较是否为系统进程 PsInitialSystemProcess返回系统进程的EPROCESS
805c5c20 7507 jne nt!PspCreateThread+0x99 (805c5c29) ;不等跳转


 

;call nt!ObCreateObject (805b66b0)
; ObCreateObject ( IN KPROCESSOR_MODE ObjectAttributesAccessMode OPTIONAL,
; IN POBJECT_TYPE Type,
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
; IN KPROCESSOR_MODE AccessMode,
; IN OUT PVOID ParseContext OPTIONAL,
; IN ULONG ObjectSize,
; IN ULONG PagedPoolCharge OPTIONAL,
; IN ULONG NonPagedPoolCharge OPTIONAL,
; OUT PVOID * Object
; )
805c5c29 8d45b0 lea eax,[ebp-50h] ;* Object 保存对像指针
805c5c2c 50 push eax ;
805c5c2d 56 push esi ; NonPagedPoolCharge == 0
805c5c2e 56 push esi ; PagedPoolCharge == 0
805c5c2f 6858020000 push 258h ; ObjectSize == 258h
805c5c34 56 push esi ;ParseContext == 0
805c5c35 ff75d0 push dword ptr [ebp-30h] ;KPROCESSOR_MODE == KTHREAD.PreviousMode == 1
805c5c38 ff7510 push dword ptr [ebp+10h] ;继承而来的ObjectAttributes参数
805c5c3b ff355ca35580 push dword ptr [nt!PsThreadType (8055a35c)] ;线程类型
805c5c41 ff75d0 push dword ptr [ebp-30h] ;ObjectAttributesAccessMode == KTHREAD.PreviousMode == 1
805c5c44 e8670affff call nt!ObCreateObject (805b66b0)
805c5c49 3bc6 cmp eax,esi ;判断调用是否成功
805c5c4b 7d10 jge nt!PspCreateThread+0xcd (805c5c5d)
805c5c5d b996000000 mov ecx,96h
805c5c62 33c0 xor eax,eax
805c5c64 8b75b0 mov esi,dword ptr [ebp-50h] ;移动对像指针
805c5c67 8bfe mov edi,esi
805c5c69 f3ab rep stos dword ptr es:[edi] ;用eax=0填充96h个dword(258h字节),将整个新建对象清零
805c5c6b 218634020000 and dword ptr [esi+234h],eax ;ETHREAD.RundownProtect 清零
805c5c71 899e20020000 mov dword ptr [esi+220h],ebx ;移动进程的EPROCESS指针到ETHREAD.ThreadsProcess
805c5c77 8dbeec010000 lea edi,[esi+1ECh] ;取ETHREAD.ActiveTimerListHead到EDI
805c5c7d 8b8384000000 mov eax,dword ptr [ebx+84h] ds:0023:817bd844=00000004 ;取当前进程ID到eax 4==系统进程
805c5c83 8907 mov dword ptr [edi],eax ds:0023:8164e75c=00000000
805c5c85 8975b4 mov dword ptr [ebp-4Ch],esi ss:0010:f9e2fd00=00000630 ;保存ESI到变量
805c5c88 8365b800 and dword ptr [ebp-48h],0 ss:0010:f9e2fd04=8164e558
; ;ExCreateHandle ,PspCidTable,&CidEntry
805c5c8c 8d45b4 lea eax,[ebp-4Ch]
805c5c8f 50 push eax
805c5c90 ff3560a35580 push dword ptr [nt!PspCidTable (8055a360)] ds:0023:8055a360=e1001850
805c5c96 e8f5e20300 call nt!ExCreateHandle (80603f90)
805c5c9b 8986f0010000 mov dword ptr [esi+1F0h],eax ds:0023:8164e760=00000000 ;移动返回的线程句柄到ETHREAD._CLIENT_ID.UniqueThread eax=00000230
805c5ca1 85c0 test eax,eax ;测试返回值
805c5ca3 750a jne nt!PspCreateThread+0x11f (805c5caf) [br=1]
805c5caf a1bca35480 mov eax,dword ptr [nt!MmReadClusterSize (8054a3bc)] ds:0023:8054a3bc=00000007
805c5cb4 898640020000 mov dword ptr [esi+240h],eax ds:0023:8164e7b0=00000000 ;填充ETHREAD.ReadClusterSize
805c5cba 6a01 push 1
805c5cbc 6a00 push 0
805c5cbe 8d86f4010000 lea eax,[esi+1F4h]
805c5cc4 50 push eax
805c5cc5 e87c64f3ff call nt!KeInitializeSemaphore(804fc146) ;初始化信号量
805c5cca 8d86c8010000 lea eax,[esi+1C8h] ;初始化ETHREAD.ExitTime
805c5cd0 894004 mov dword ptr [eax+4],eax ds:0023:8164e73c=00000000
805c5cd3 8900 mov dword ptr [eax],eax ds:0023:8164e738=00000000

805c5cd5 8d8610020000 lea eax,[esi+210h] ;初始化ETHREAD.IrpList
805c5cdb 894004 mov dword ptr [eax+4],eax ds:0023:8164e784=00000000
805c5cde 8900 mov dword ptr [eax],eax ds:0023:8164e780=00000000

805c5ce0 8d86d4010000 lea eax,[esi+1D4h] ;初始化ETHREAD.PostBlockList
805c5ce6 894004 mov dword ptr [eax+4],eax ds:0023:8164e748=00000000
805c5ce9 8900 mov dword ptr [eax],eax ds:0023:8164e744=00000000
805c5ceb 83a63802000000 and dword ptr [esi+238h],0 ds:0023:8164e7a8=00000000

805c5cf2 8d86e0010000 lea eax,[esi+1E0h] ;初始化ETHREAD.ActiveTimerListLock
805c5cf8 50 push eax
805c5cf9 e8626ff7ff call nt!KeInitializeSpinLock(8053cc60)

805c5cfe 8d86e4010000 lea eax,[esi+1E4h] ;初始化ETHREAD.ActiveTimerListHead
805c5d04 894004 mov dword ptr [eax+4],eax ds:0023:8164e758=00000000
805c5d07 8900 mov dword ptr [eax],eax ds:0023:8164e754=00000000

805c5d09 8d8b80000000 lea ecx,[ebx+80h] ;EPROCESS.RundownProtect
805c5d0f 898d68ffffff mov dword ptr [ebp-98h],ecx ss:0010:f9e2fcb4=817bd840

805c5d15 e874c60300 call nt!ExAcquireRundownProtection(8060238e)
805c5d1a 84c0 test al,al
805c5d1c 750a jne nt!PspCreateThread+0x198 (805c5d28) [br=1]

805c5d28 837d2000 cmp dword ptr [ebp+20h],0 ss:0010:f9e2fd6c=00000000
805c5d2c 0f8484000000 je nt!PspCreateThread+0x226 (805c5db6) [br=1]
805c5db6 33c9 xor ecx,ecx
805c5db8 894de4 mov dword ptr [ebp-1Ch],ecx ss:0010:f9e2fd30=00000000

805c5dbb 6a10 push 10h
805c5dbd 58 pop eax
805c5dbe 8d9648020000 lea edx,[esi+248h] ;取ETHREAD.CrossThreadFlags地址,下一行以lock or置位10h
805c5dc4 f00902 lock or dword ptr [edx],eax ds:0023:8164e7b8=00000000 

 

805c5dc7 8b452c mov eax,dword ptr [ebp+2Ch] ss:0010:f9e2fd78={NDIS!ndisWorkerThread (f96fdb85)}
805c5dca 898624020000 mov dword ptr [esi+224h],eax ds:0023:8164e794=00000000 ;移动开始地址到 ETHREAD.StartAddress (PspCreateThread的第10个参数StartRoutine)

805c5dd0 53 push ebx ;EPROCESS
805c5dd1 51 push ecx ;==0
805c5dd2 51 push ecx ;==0
805c5dd3 ff7530 push dword ptr [ebp+30h] ss:0010:f9e2fd7c=81591f50 ;StartContext
805c5dd6 50 push eax ;ETHREAD.StartAddress
805c5dd7 68f4595c80 push offset nt!PspSystemThreadStartup (805c59f4)
805c5ddc 51 push ecx ;NULL
805c5ddd 56 push esi ;ETHREAD
805c5dde e8c10bfdff call nt!KeInitThread(805969a4) ;初始化线程(在网上没找到C原型)
805c5de3 8bf8 mov edi,eax
805c5de5 85ff test edi,edi ;测试是否调用成功
805c5de7 7d1c jge nt!PspCreateThread+0x275 (805c5e05) [br=1]

805c5e05 8b7dc4 mov edi,dword ptr [ebp-3Ch] ss:0010:f9e2fd10=81781bd8
805c5e08 ff8fd4000000 dec dword ptr [edi+0D4h] ds:0023:81781cac=00000000
805c5e0e 8d436c lea eax,[ebx+6Ch] ;EPROCESS.ProcessLock
805c5e11 89458c mov dword ptr [ebp-74h],eax ss:0010:f9e2fcd8=817bd82c
805c5e14 b800000000 mov eax,0
805c5e19 8b4d8c mov ecx,dword ptr [ebp-74h] ss:0010:f9e2fcd8=817bd82c
805c5e1c ba02000000 mov edx,2
805c5e21 0fb111 cmpxchg dword ptr [ecx],edx ds:0023:817bd82c=00000000 ;设置EPROCESS.ProcessLock.Value==2
805c5e24 85c0 test eax,eax
805c5e26 7408 je nt!PspCreateThread+0x2a0 (805c5e30) [br=1]
805c5e30 f6834802000008 test byte ptr [ebx+248h],8 ds:0023:817bda08=00
805c5e37 746f je nt!PspCreateThread+0x318 (805c5ea8) [br=1]

805c5ea8 8d83a0010000 lea eax,[ebx+1A0h]
805c5eae 8b38 mov edi,dword ptr [eax] ds:0023:817bd960=00000034
805c5eb0 8d4f01 lea ecx,[edi+1]
805c5eb3 8908 mov dword ptr [eax],ecx ds:0023:817bd960=00000034
805c5eb5 8d862c020000 lea eax,[esi+22Ch] ;ETHREAD.ThreadListEntry
805c5ebb 8d8b90010000 lea ecx,[ebx+190h] ;EPROCESS.ThreadListHead
805c5ec1 8b5104 mov edx,dword ptr [ecx+4] ds:0023:817bd954=816ad86c
805c5ec4 8908 mov dword ptr [eax],ecx ds:0023:8164e79c=00000000
805c5ec6 895004 mov dword ptr [eax+4],edx ds:0023:8164e7a0=00000000
805c5ec9 8902 mov dword ptr [edx],eax ds:0023:816ad86c=817bd950
805c5ecb 894104 mov dword ptr [ecx+4],eax ds:0023:817bd954=816ad86c
805c5ece 56 push esi
805c5ecf e8dc6af3ff call nt!KeStartThread(804fc9b0)
call nt!ExReleaseRundownProtection
call nt!WmiTraceThread
call nt!ObReferenceObjectEx
call nt!SeCreateAccessStateEx
call nt!ObInsertObject
call nt!SeDeleteAccessState
call nt!KeQuerySystemTime
call nt!ObGetObjectSecurity
call nt!PsReferencePrimaryToken
call nt!SeAccessCheck
call nt!ObFastDereferenceObject
call nt!ObReleaseObjectSecurity
call nt!KeReadyThread
call nt!ObfDereferenceObject  



 


;附ETHREAD结构数据:
+0x000 Tcb : _KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 MutantListHead : _LIST_ENTRY [ 0x8164e580 - 0x8164e580 ]
+0x018 InitialStack : 0xf7d7e000
+0x01c StackLimit : 0xf7d7b000
+0x020 Teb : (null)
+0x024 TlsArray : (null)
+0x028 KernelStack : 0xf7d7ddd4
+0x02c DebugActive : 0 ''
+0x02d State : 0 ''
+0x02e Alerted : [2] ""
+0x030 Iopl : 0 ''
+0x031 NpxState : 0xa ''
+0x032 Saturation : 0 ''
+0x033 Priority : 0 ''
+0x034 ApcState : _KAPC_STATE
+0x04c ContextSwitches : 0
+0x050 IdleSwapBlock : 0 ''
+0x051 Spare0 : [3] ""
+0x054 WaitStatus : 0
+0x058 WaitIrql : 0 ''
+0x059 WaitMode : 0 ''
+0x05a WaitNext : 0 ''
+0x05b WaitReason : 0 ''
+0x05c WaitBlockList : (null)
+0x060 WaitListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x060 SwapListEntry : _SINGLE_LIST_ENTRY
+0x068 WaitTime : 0
+0x06c BasePriority : 0 ''
+0x06d DecrementCount : 0 ''
+0x06e PriorityDecrement : 0 ''
+0x06f Quantum : 0 ''
+0x070 WaitBlock : [4] _KWAIT_BLOCK
+0x0d0 LegoData : (null)
+0x0d4 KernelApcDisable : 0
+0x0d8 UserAffinity : 0
+0x0dc SystemAffinityActive : 0 ''
+0x0dd PowerState : 0 ''
+0x0de NpxIrql : 0 ''
+0x0df InitialNode : 0 ''
+0x0e0 ServiceTable : 0x80553180
+0x0e4 Queue : (null)
+0x0e8 ApcQueueLock : 0
+0x0f0 Timer : _KTIMER
+0x118 QueueListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x120 SoftAffinity : 1
+0x124 Affinity : 0
+0x128 Preempted : 0 ''
+0x129 ProcessReadyQueue : 0 ''
+0x12a KernelStackResident : 0x1 ''
+0x12b NextProcessor : 0 ''
+0x12c CallbackStack : (null)
+0x130 Win32Thread : (null)
+0x134 TrapFrame : (null)
+0x138 ApcStatePointer : [2] 0x8164e5a4 _KAPC_STATE
+0x140 PreviousMode : 0 ''
+0x141 EnableStackSwap : 0x1 ''
+0x142 LargeStack : 0 ''
+0x143 ResourceIndex : 0 ''
+0x144 KernelTime : 0
+0x148 UserTime : 0
+0x14c SavedApcState : _KAPC_STATE
+0x164 Alertable : 0 ''
+0x165 ApcStateIndex : 0 ''
+0x166 ApcQueueable : 0x1 ''
+0x167 AutoAlignment : 0 ''
+0x168 StackBase : 0xf7d7e000
+0x16c SuspendApc : _KAPC
+0x19c SuspendSemaphore : _KSEMAPHORE
+0x1b0 ThreadListEntry : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x1b8 FreezeCount : 0 ''
+0x1b9 SuspendCount : 0 ''
+0x1ba IdealProcessor : 0 ''
+0x1bb DisableBoost : 0 ''
+0x1c0 CreateTime : _LARGE_INTEGER 0x0
+0x000 LowPart : 0
+0x004 HighPart : 0
+0x000 u : __unnamed
+0x000 QuadPart : 0
+0x1c0 NestedFaultCount : 0y00
+0x1c0 ApcNeeded : 0y0
+0x1c8 ExitTime : _LARGE_INTEGER 0x8164e738`8164e738
+0x000 LowPart : 0x8164e738
+0x004 HighPart : -2124093640
+0x000 u : __unnamed
+0x000 QuadPart : -9122912715270723784
+0x1c8 LpcReplyChain : _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
+0x000 Flink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
+0x004 Blink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
+0x1c8 KeyedWaitChain : _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
+0x000 Flink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
+0x004 Blink : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
+0x1d0 ExitStatus : 0
+0x1d0 OfsChain : (null)
+0x1d4 PostBlockList : _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ]
+0x000 Flink : 0x8164e744 _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ]
+0x004 Blink : 0x8164e744 _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ]
+0x1dc TerminationPort : (null)
+0x1dc ReaperLink : (null)
+0x1dc KeyedWaitValue : (null)
+0x1e0 ActiveTimerListLock : 0
+0x1e4 ActiveTimerListHead : _LIST_ENTRY [ 0x8164e754 - 0x8164e754 ]
单篇博客显示不下,评论继续
