x64 Windows security mechanisms: process, thread and image-load callback notes

    On x64 every callback type has a corresponding count; registry callbacks have one as well. The kernel also keeps the PspNotifyEnableMask flags, in which each bit records whether a callback of the corresponding type is registered.

    The bits and the corresponding assembly are listed below. Even when an anti-virus product has already registered a callback, locating the corresponding count and zeroing it, or clearing the corresponding flag bit, stops that callback from ever being executed, which disables the AV product's security mechanism.

    Both variants need a kernel-mode write into nt's data section (these are unexported globals, so they have to be resolved through symbols or by pattern matching), and both leave the registered routine untouched: it still sits in the callback table, it is simply never called. That mismatch between a populated table and a cleared bit or zero count is also what a defender can look for.

    PspNotifyEnableMask (all four bits set = 0xF)

        bit 3 (8)    bit 2 (4)      bit 1 (2)    bit 0 (1)
        thread       process-ex     process      image-load callback
    
    
    XP: count-zeroing attack
    nt!PspCreateProcessNotifyRoutineCount (consulted in PspCreateThread / PspExitProcess; updated by PsSetCreateProcessNotifyRoutine, shown here):
    PAGE:83FCC97B B8 E4 AD F7 83                                      mov     eax, offset _PspCreateProcessNotifyRoutineCount
    PAGE:83FCC980 F0 0F C1 08                                         lock xadd [eax], ecx
    PAGE:83FCC984 A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:83FCC989 A8 02                                               test    al, 2    ; bit 1 (0010b)
    PAGE:83FCC98B 0F 85 70 FF FF FF                                   jnz     loc_83FCC901
    PAGE:83FCC991 B8 78 AB F7 83                                      mov     eax, offset _PspNotifyEnableMask
    PAGE:83FCC996 F0 0F BA 28 01                                      lock bts dword ptr [eax], 1
    
    nt!PspCreateProcessNotifyRoutineExCount (consulted in PspCreateThread / PspExitProcess; updated by PsSetCreateProcessNotifyRoutineEx, shown here):
    PAGE:83FCC9A0 B8 E0 AD F7 83                                      mov     eax, offset _PspCreateProcessNotifyRoutineExCount
    PAGE:83FCC9A5 F0 0F C1 08                                         lock xadd [eax], ecx
    PAGE:83FCC9A9 A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:83FCC9AE A8 04                                               test    al, 4    ; bit 2 (0100b)
    
    nt!PspCreateThreadNotifyRoutineCount (consulted in PspCreateThread / PspExitThread, shown here; updated by PsSetCreateThreadNotifyRoutine):
    PAGE:840A07C1 E8 48 F3 FF FF                                      call    _EtwTraceThread@12 ; EtwTraceThread(x,x,x)
    PAGE:840A07C6 A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:840A07CB A8 08                                               test    al, 8    ; bit 3 (1000b)
    
    
    nt!PspLoadImageNotifyRoutineCount and _PsImageNotifyEnabled (updated by PsSetLoadImageNotifyRoutine; the mask bit is tested in the driver-load path, shown here):
    PAGE:83FFDF16 E8 41 06 00 00                                      call    _MiObtainSectionForDriver@20 ; MiObtainSectionForDriver(x,x,x,x,x)
    PAGE:83FFDF1B 33 DB                                               xor     ebx, ebx
    PAGE:83FFDF1D 89 44 24 0C                                         mov     [esp+60h+var_54], eax
    PAGE:83FFDF21 39 5C 24 14                                         cmp     [esp+60h+var_4C], ebx
    PAGE:83FFDF25 0F 84 B7 00 00 00                                   jz      loc_83FFDFE2
    PAGE:83FFDF2B A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:83FFDF30 8B 4C 24 14                                         mov     ecx, [esp+60h+var_4C]
    PAGE:83FFDF34 A8 01                                               test    al, 1    ; bit 0 (0001b)
    
    
    Win7: PspNotifyEnableMask governs all four of these (for example, a value of 0111b = 7 means three of the four bits are set).
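The gating described above, modelled in user-mode C as an added example (not part of the original post and not Windows source): registration bumps the count and sets the mask bit, the dispatch site tests the bit and the count, and clearing either one silences every registered routine. Everything prefixed model_, the MAX_ROUTINES slot size and the av*_cb callbacks are assumptions of this example; the only values taken from the page are the bit positions. It also carries the consistency check a defender could port to a driver or run from a kernel debugger: if the slot table is populated but the bit or the count says otherwise, the globals have been tampered with.

```c
/* Added example, not code from the original post and not kernel code: a user-mode
 * model of how the kernel gates process-create callbacks on PspNotifyEnableMask and
 * PspCreateProcessNotifyRoutineCount, following the listings above. Names prefixed
 * "model_" and the MAX_ROUTINES slot count are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit assignments recovered from the "test al, N" instructions in the listings. */
#define MASK_IMAGE_LOAD 0x1u   /* test al, 1 */
#define MASK_PROCESS    0x2u   /* test al, 2 */
#define MASK_PROCESS_EX 0x4u   /* test al, 4 */
#define MASK_THREAD     0x8u   /* test al, 8 */
#define MAX_ROUTINES    8      /* illustrative slot-table size (assumed) */

typedef void (*model_process_notify_t)(uint32_t parent_pid, uint32_t pid, int create);

/* Stand-ins for the nt!Psp* globals. The kernel updates them with lock xadd /
 * lock bts; this model is single-threaded, so plain stores are enough. */
static uint32_t               model_PspNotifyEnableMask;
static uint32_t               model_PspCreateProcessNotifyRoutineCount;
static model_process_notify_t model_PspCreateProcessNotifyRoutine[MAX_ROUTINES];

/* Model of PsSetCreateProcessNotifyRoutine: take a free slot, bump the count
 * (the lock xadd) and set mask bit 1 if it is not set yet (the lock bts). */
int model_PsSetCreateProcessNotifyRoutine(model_process_notify_t cb)
{
    for (int i = 0; i < MAX_ROUTINES; i++) {
        if (model_PspCreateProcessNotifyRoutine[i] == NULL) {
            model_PspCreateProcessNotifyRoutine[i] = cb;
            model_PspCreateProcessNotifyRoutineCount++;
            if (!(model_PspNotifyEnableMask & MASK_PROCESS))
                model_PspNotifyEnableMask |= MASK_PROCESS;
            return 0;
        }
    }
    return -1;   /* table full */
}

/* Model of the dispatch site (PspCreateThread / PspExitProcess): mask bit
 * ("test al, 2") and count are consulted first. Returns how many routines ran. */
int model_PspNotifyProcess(uint32_t parent_pid, uint32_t pid, int create)
{
    if (!(model_PspNotifyEnableMask & MASK_PROCESS)) return 0;   /* bit cleared */
    if (model_PspCreateProcessNotifyRoutineCount == 0) return 0; /* count zeroed */
    int invoked = 0;
    for (int i = 0; i < MAX_ROUTINES; i++) {
        if (model_PspCreateProcessNotifyRoutine[i] != NULL) {
            model_PspCreateProcessNotifyRoutine[i](parent_pid, pid, create);
            invoked++;
        }
    }
    return invoked;
}

/* Integrity check a defender can run (from a driver or a kernel debugger): the mask
 * bit and the count must agree with the slot table. 1 = consistent, 0 = tampered. */
int model_PspVerifyProcessCallbacks(void)
{
    uint32_t populated = 0;
    for (int i = 0; i < MAX_ROUTINES; i++)
        if (model_PspCreateProcessNotifyRoutine[i] != NULL) populated++;
    int mask_ok  = ((model_PspNotifyEnableMask & MASK_PROCESS) != 0) == (populated != 0);
    int count_ok = (model_PspCreateProcessNotifyRoutineCount == populated);
    return mask_ok && count_ok;
}

/* Two stand-in "anti-virus" callbacks; the dispatcher counts their invocations. */
static void av1_cb(uint32_t pp, uint32_t p, int c) { (void)pp; (void)p; (void)c; }
static void av2_cb(uint32_t pp, uint32_t p, int c) { (void)pp; (void)p; (void)c; }

/* The scenario from the text on a fresh model: register two callbacks, then silence
 * them by clearing the flag bit and, separately, by zeroing the count. Returns
 * {ran intact, ran with bit cleared, ran with count zeroed, check while intact}. */
const int *model_scenario(void)
{
    static int out[4];
    model_PspNotifyEnableMask = model_PspCreateProcessNotifyRoutineCount = 0;
    memset(model_PspCreateProcessNotifyRoutine, 0, sizeof model_PspCreateProcessNotifyRoutine);
    model_PsSetCreateProcessNotifyRoutine(av1_cb);
    model_PsSetCreateProcessNotifyRoutine(av2_cb);
    out[3] = model_PspVerifyProcessCallbacks();
    out[0] = model_PspNotifyProcess(4, 1234, 1);
    uint32_t saved = model_PspNotifyEnableMask;
    model_PspNotifyEnableMask &= ~MASK_PROCESS;    /* clear bit 1, table untouched */
    out[1] = model_PspNotifyProcess(4, 1235, 1);
    model_PspNotifyEnableMask = saved;
    model_PspCreateProcessNotifyRoutineCount = 0;  /* XP-style count zeroing */
    out[2] = model_PspNotifyProcess(4, 1236, 1);
    return out;
}

int main(void)
{
    const int *out = model_scenario();
    printf("intact=%d bit_cleared=%d count_zeroed=%d consistent_before=%d consistent_after=%d\n",
           out[0], out[1], out[2], out[3], model_PspVerifyProcessCallbacks());
    return 0;
}
```

Built with any C99 compiler, the program reports intact=2, bit_cleared=0, count_zeroed=0, consistent_before=1 and consistent_after=0: two callbacks remain in the table throughout, yet neither runs once the bit or the count is tampered with, and only the consistency check notices. On a real system the same comparison would have to be made between the actual nt globals (resolved through symbols) and the callback array, not this model's stand-ins.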
Original: https://www.cnblogs.com/kmshhl/p/4116371.html