1 串口,调试. debugging mode 启动.
2 BugCheck C000021A(e1c52ce0,c0000034,0,0)
用windbg的帮助文档可以搜索 C000021A。
STOP: C000021A{Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with
a status of 0x00000001 (0x00000000 0x00000000).
The system has been shut down.
然后db查看e1c52ce0
db e1c52ce0。
3 桌面(explorer.exe)启动前,有WinLogon.exe 。
SMSS.exe是内核创建的第一个用户进程,然后它启动CSRSS和WinLogon.
4
0:005> !error c0000034
Error code: (NTSTATUS) 0xc0000034 (3221225524) - <Unable to get error code text>
没有像书上现实的那样出现错误提示。
5 延迟删除,例如杀毒摇删除已经载入内存的病毒,就需要重启后删除文件。
MoveFileEx(src,dst,MOVEFILE_DELAY_UNTIL_REBOOT)
重启后删除的api
当dwFlags参数被设置为MOVEFILE_DELAY_UNTIL_REBOOT时,MoveFileEx把重启后移动的文件和要移到的文件的位置 存在下面的多字符注册表值(REG_MULTI_SZ)里:HKEY_LOCAL_MACHINESYSTEMCurrentControlSet ControlSession ManagerPendingFileRenameOperations。
6
Early launch antimalware
Platforms
- Clients - Windows 8
- Servers - Windows Server 2012
Description
As antimalware (AM) software has become better and better at detecting runtime malware, attackers are also becoming better at creating rootkits that can hide from detection.