  • x64 Windows security mechanisms: summary of process / thread / module-load callbacks

    On x64 every kind of callback has a corresponding count. Registry callbacks have one as well. The kernel also keeps the PspNotifyEnableMask flag, in which each bit records whether the corresponding kind of callback is present.

    The bits and the corresponding assembly are listed below. Even if an anti-virus product has already registered a callback, locating the corresponding count and zeroing it, or clearing the corresponding flag bit, prevents that callback from ever being executed.

    This disables the anti-virus product's security mechanism.

    PspNotifyEnableMask (bit layout; all four bits set: 1111 = 0xf)

        bit 3 (8)      bit 2 (4)        bit 1 (2)        bit 0 (1)
        thread         processEx        process          image callback
    
    
    XP: the count-zeroing attack
    nt!PspCreateProcessNotifyRoutineCount       PspCreateThread  PspExitProcess    PsSetCreateProcessNotifyRoutine
    PAGE:83FCC97B B8 E4 AD F7 83                                      mov     eax, offset _PspCreateProcessNotifyRoutineCount
    PAGE:83FCC980 F0 0F C1 08                                         lock xadd [eax], ecx
    PAGE:83FCC984 A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:83FCC989 A8 02                                               test    al, 2    //10
    PAGE:83FCC98B 0F 85 70 FF FF FF                                   jnz     loc_83FCC901
    PAGE:83FCC991 B8 78 AB F7 83                                      mov     eax, offset _PspNotifyEnableMask
    PAGE:83FCC996 F0 0F BA 28 01                                      lock bts dword ptr [eax], 1
    
    nt!PspCreateProcessNotifyRoutineExCount       PspCreateThread  PspExitProcess    PsSetCreateProcessNotifyRoutineEx
    PAGE:83FCC9A0 B8 E0 AD F7 83                                      mov     eax, offset _PspCreateProcessNotifyRoutineExCount
    PAGE:83FCC9A5 F0 0F C1 08                                         lock xadd [eax], ecx
    PAGE:83FCC9A9 A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:83FCC9AE A8 04                                               test    al, 4    //100
    
    nt!PspCreateThreadNotifyRoutineCount        PspCreateThread  PspExitThread  PsSetCreateThreadNotifyRoutine
    PAGE:840A07C1 E8 48 F3 FF FF                                      call    _EtwTraceThread@12 ; EtwTraceThread(x,x,x)
    PAGE:840A07C6 A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:840A07CB A8 08                                               test    al, 8    //1000
    
    
    nt!PspLoadImageNotifyRoutineCount              _PsImageNotifyEnabled             PsSetLoadImageNotifyRoutine
    PAGE:83FFDF16 E8 41 06 00 00                                      call    _MiObtainSectionForDriver@20 ; MiObtainSectionForDriver(x,x,x,x,x)
    PAGE:83FFDF1B 33 DB                                               xor     ebx, ebx
    PAGE:83FFDF1D 89 44 24 0C                                         mov     [esp+60h+var_54], eax
    PAGE:83FFDF21 39 5C 24 14                                         cmp     [esp+60h+var_4C], ebx
    PAGE:83FFDF25 0F 84 B7 00 00 00                                   jz      loc_83FFDFE2
    PAGE:83FFDF2B A1 78 AB F7 83                                      mov     eax, _PspNotifyEnableMask
    PAGE:83FFDF30 8B 4C 24 14                                         mov     ecx, [esp+60h+var_4C]
    PAGE:83FFDF34 A8 01                                               test    al, 1//1
    
    
    Win7: PspNotifyEnableMask governs all four of these
    
    0111=7
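The consistency checks a defender can run against these variables, as an added example that is not part of the original post: it takes the values an analyst would read with a kernel debugger (nt!PspNotifyEnableMask and the four *Count variables named above, with sample values constructed here) plus an assumed count of routines actually present in each callback array, and flags the two traces the count-zeroing and bit-clearing tampers leave behind. The bit layout is the one the `test al, N` instructions above show.

```python
from dataclasses import dataclass, field

# Bit layout of PspNotifyEnableMask, taken from the `test al, N` instructions
# in the disassembly above (value of the immediate = bit for that callback kind).
MASK_BITS = {
    "image":     0x1,  # PspLoadImageNotifyRoutineCount        test al, 1
    "process":   0x2,  # PspCreateProcessNotifyRoutineCount    test al, 2
    "processEx": 0x4,  # PspCreateProcessNotifyRoutineExCount  test al, 4
    "thread":    0x8,  # PspCreateThreadNotifyRoutineCount     test al, 8
}

@dataclass
class Snapshot:
    """Values read with a kernel debugger (constructed here, not captured)."""
    mask: int                                     # dd nt!PspNotifyEnableMask
    counts: dict = field(default_factory=dict)    # kind -> value of the *Count variable
    expected: dict = field(default_factory=dict)  # kind -> routines found by walking the
                                                  # callback array (assumed input)

def decode_mask(mask: int) -> dict:
    """Map each callback kind to whether its enable bit is set."""
    return {kind: bool(mask & bit) for kind, bit in MASK_BITS.items()}

def check_snapshot(snap: Snapshot) -> list:
    """Return (kind, finding) pairs; an empty list means the state is consistent."""
    findings = []
    enabled = decode_mask(snap.mask)
    for kind in MASK_BITS:
        count = snap.counts.get(kind, 0)
        expected = snap.expected.get(kind, 0)
        # The kernel tests the enable bit before dispatching, so registered
        # callbacks whose bit was cleared never fire.
        if count > 0 and not enabled[kind]:
            findings.append((kind, "count > 0 but enable bit is clear"))
        # A count driven below the number of routines actually present in the
        # array is the signature of the count-zeroing attack.
        if count < expected:
            findings.append((kind, f"count {count} below {expected} registered routines"))
    return findings

# Constructed sample states: one healthy, one tampered with in both ways.
HEALTHY = Snapshot(mask=0xF,
                   counts={"image": 1, "process": 2, "processEx": 1, "thread": 1},
                   expected={"image": 1, "process": 2, "processEx": 1, "thread": 1})
TAMPERED = Snapshot(mask=0xD,  # process bit (0x2) cleared
                    counts={"image": 1, "process": 2, "processEx": 1, "thread": 0},
                    expected={"image": 1, "process": 2, "processEx": 1, "thread": 1})

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("tampered", TAMPERED)):
        print(name, check_snapshot(snap) or "consistent")
```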
  • Original URL: https://www.cnblogs.com/kmshhl/p/4116371.html