• 进程及线程创建流程

    2008-04-09

    版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
    http://www.blogbus.com/liuyanghejerry-logs/18659676.html

    今天在MuseHero的博客看到的资料,先收藏下来,以后慢慢学习,顺便了解一下WINDOWS的进程机制。

    ;进程创建过程开始 CreateProcessA
    call   kernel32!CreateProcessA
     ;10个参数
    ; BOOL WINAPI CreateProcess(
    ;   __in_opt     LPCTSTR lpApplicationName,
    ;   __inout_opt  LPTSTR lpCommandLine,
    ;   __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
    ;   __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
    ;   __in         BOOL bInheritHandles,
    ;   __in         DWORD dwCreationFlags, NORMAL_PRIORITY_CLASS
    ;   __in_opt     LPVOID lpEnvironment,
    ;   __in_opt     LPCTSTR lpCurrentDirectory,
    ;   __in         LPSTARTUPINFO lpStartupInfo,
    ;   __out        LPPROCESS_INFORMATION lpProcessInformation
    ; );
    ; 直接调用kernel32!CreateProcessInternalA
    call   kernel32!CreateProcessInternalA
    ; 12个参数,第一个与最后一个为零,中间10个沿用了上面传入的10个参数
    ; 主要任务是将ANSI字符串转换成Unicode字符串,很多代码用于转换与检查;直接调用W版本可以省掉这一层转换,但节省有限(真正的工作都在下面的CreateProcessInternalW里)
    call   kernel32!CreateProcessInternalW
    ;  12个参数
    ;  基本延续上面的
    ;  第6个参数 and 0F7FFFFFFh

     

    以下为kernel32!CreateProcessInternalW中的流程:

     


     call ntdll!ZwQueryInformationJobObject
    ;  ZwQueryInformationJobObject retrieves information about a job object.
    ;  NTSYSAPI
    ;  NTSTATUS
    ;  NTAPI
    ;  ZwQueryInformationJobObject(
    ;  IN HANDLE JobHandle,           == 0   (NULL = the job the calling process itself belongs to, if any)
    ;  IN JOBOBJECTINFOCLASS JobInformationClass,   == 4
    ;  OUT PVOID JobInformation,         == Address
    ;  IN ULONG JobInformationLength,       == 4
    ;  OUT PULONG ReturnLengthOPTIONAL       == 0
    ;  );
    ;  判断返回值是否为C0000022h (STATUS_ACCESS_DENIED, 拒绝访问)
     call kernel32!SearchPathW
    ;  进行路径搜索
     call kernel32!GetFileAttributesW
    ;  获取文件属性
     call kernel32!BasepIsSetupInvokedByWinLogon
    ;  判断是否WinLogon进程
     call ntdll!RtlDosPathNameToNtPathName_U
     call ntdll!RtlDetermineDosPathNameType_U
    ;  路径转换
     call ntdll!NtOpenFile
    ;  打开文件
     call ntdll!NtCreateSection
    ;  NtCreateSection(
    ;       OUT PHANDLE SectionHandle,
    ;       IN ACCESS_MASK DesiredAccess,
    ;       IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    ;       IN PLARGE_INTEGER MaximumSize OPTIONAL,
    ;       IN ULONG Protect,
    ;       IN ULONG Attributes,
    ;       IN HANDLE FileHandle OPTIONAL
    ;       );
    ;  创建Section(CreateFileMapping是对NtCreateSection的封装)。注意:这一步只是为映像文件建立section对象(对image section而言PE头大概在此被解析/校验),
    ;  并没有把程序映射进任何进程;映射进新进程地址空间发生在后面的ZwCreateProcessEx(以此section句柄为参数)
     call kernel32!BasepIsProcessAllowed
    ;  就一个参数为Unicode进程名字
    ;  其内部调用了RtlEnterCriticalSection进入临界区
    ;  再调用NtOpenKey打开:
    ;  "\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls"
    ;  解释:
    ;    AppCertDlls details.
    ;    Under the key "\\Registry\\MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls"
    ;    
    ;    create a value (the name commonly used is "AppSecDll") of type REG_EXPAND_SZ whose data is a DLL path such as "%SystemRoot%\system32\<your>.dll". There may be several such values, so keep this in mind.
    ;    
    ;    Your DLL must export an entry point named CreateProcessNotify (its prototype is not reproduced here).
    ;  NOTE(review): as the note above implies, every DLL listed under this key gets loaded into a process when it calls CreateProcess,
    ;  which makes AppCertDlls a classic persistence / code-injection location: writing it needs administrative rights, and changes to it are worth alerting on.
    ;  结束
    ;  最后调用RtlLeaveCriticalSection
      
     call kernel32!BasepCheckBadapp
    ;  对进程进行兼容性检查(shim / AppCompat)
    ;  1. IsShimInfrastructureDisabled
    ;  2. RtlAllocateHeap    NTDLL
    ;  3. __imp__memmove    
    ;  4. BaseCheckAppcompatCache    KERNEL32
    ;    1. __SEH_prolog    
    ;    2. BasepShimCacheCheckBypass    KERNEL32
    ;    3. BasepShimCacheLock    KERNEL32
    ;    4. BasepShimCacheLookup    KERNEL32
    ;    5. BasepShimCacheUnlock    KERNEL32
    ;    6. __SEH_epilog
    ;  5. RtlFreeHeap    NTDLL
    ;  其中会加载:
    ;  call    ntdll!LdrLoadDll   "C:\WINDOWS\system32\Apphelp.dll"    (LdrLoadDll is exported by ntdll, not kernel32)
    ;  调用其中的“ApphelpCheckRunApp”
     call kernel32!BasepCheckWinSaferRestrictions
    ;  SAFER / Software Restriction Policy check. NOTE(review): it is enforced here, in user mode, inside the *creating* process;
    ;  a caller that goes straight to the native API (the ZwCreateProcessEx / KiFastSystemCall stubs further down) never runs it,
    ;  so SRP is a policy aid rather than a security boundary.
    ;  1. RtlEnterCriticalSection    NTDLL
    ;  2. NtOpenThreadToken
    ;   NtOpenThreadToken  (  IN HANDLE  ThreadHandle,  == 0FFFFFFFEh(-2 当前线程)
    ;     IN ACCESS_MASK  DesiredAccess,       == 2000000h (MAXIMUM_ALLOWED)
    ;     IN BOOLEAN  OpenAsSelf,         == 1
    ;     OUT PHANDLE  TokenHandle
    ;    )  
    ;   判断返回值是否等于0C000007Ch(STATUS_NO_TOKEN,线程没有模拟令牌),否则跳走(跳走后的没跟,估计是跳向了NtSetInformationThread)
    ;   是则继续向下Call
    ;  3. NtOpenProcessToken
    ;   NtOpenProcessTokenEx  (  IN HANDLE  ProcessHandle,  == -1 当前进程
    ;     IN ACCESS_MASK  DesiredAccess,         == 0ah (TOKEN_DUPLICATE | TOKEN_QUERY)
    ;     IN ULONG  HandleAttributes, 
    ;     OUT PHANDLE  TokenHandle
    ;    ) 
    ;   判断返回值是否为0C0000022h(STATUS_ACCESS_DENIED,拒绝访问),
    ;   是跳走,否继续
    ;  4. NtQueryInformationToken
    ;   NtQueryInformationToken  (  IN HANDLE  TokenHandle,   == 上面得到的句柄
    ;     IN TOKEN_INFORMATION_CLASS  TokenInformationClass,  == 1 (TokenUser)
    ;     OUT PVOID  TokenInformation, 
    ;     IN ULONG  TokenInformationLength, 
    ;     OUT PULONG  ReturnLength
    ;    ) 
    ;  5. RtlInitializeSid 
    ;   RtlInitializeSid(    IN PSID  Sid,
    ;      IN PSID_IDENTIFIER_AUTHORITY  IdentifierAuthority,
    ;      IN UCHAR  SubAuthorityCount    );
    ;  6. RtlSubAuthoritySid
    ;  7. RtlEqualSid
    ;  8. NtOpenKey "\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option"   (presumably to detect a safe-mode boot)
    ;   打开失败,继续打开下面的:
    ;   "\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    ;   打开成功:
    ;   Call NtQueryValueKey 取"TransparentEnabled"项的值 (SRP enforcement level: 0 = off, 1 = executables only, 2 = executables and DLLs)
    ;   判断得到的值是否为零,不为零则设某变量为1
    ;   Call NtQueryValueKey 取"AuthenticodeEnabled"项的值
    ;   判断得到的值是否为零,不为零则跳转,我这里是零
    ;  9. NtClose 
    ;  10. call kernel32!LdrLoadDll "ADVAPI32.DLL" ; 装入DLL
    ;  11. call kernel32!LdrGetProcedureAddress   ;获取下列API地址
    ;   "SaferIdentifyLevel"
    ;   "SaferComputeTokenFromLevel"
    ;   "SaferCloseLevel"
    ;   "SaferRecordEventLogEntry"
    ;  12. NtClose 
    ;  13. call    kernel32!__security_check_cookie
     call ntdll!ZwQuerySection
    ;  ZwQuerySection  (  IN HANDLE  SectionHandle,        == Section句柄
    ;    IN SECTION_INFORMATION_CLASS  SectionInformationClass,    == 1
    ;    OUT PVOID  SectionInformation, 
    ;    IN SIZE_T  Length, 
    ;    OUT PSIZE_T  ResultLength
    ;   )
     call kernel32!LdrQueryImageFileExecutionOptions     
    ;  读取 Image File Execution Options 中该映像名下的 "Debugger" 值 —— 这就是"映像劫持"(IFEO hijack)的实现点:
    ;  若该值存在,CreateProcessInternalW 会改为启动 Debugger 指定的程序并把原命令行作为其参数(该分支未在本次跟踪中出现),
    ;  因此 IFEO 下的 Debugger 值是经典的持久化/劫持位置,值得监控
    ;  LdrQueryImageFileExecutionOptions  (  IN PUNICODE_STRING  SubKey,   == "\??\E:\AAAAA.exe"进程名
    ;    IN PCWSTR  ValueName,                  == "Debugger"
    ;    IN ULONG  Type,                    == 1
    ;    OUT PVOID  Buffer, 
    ;    IN ULONG  BufferSize, 
    ;    OUT PULONG ReturnedLength  OPTIONAL
    ;   ) 
     call kernel32!BasepIsImageVersionOk
     call kernel32!LoadLibraryA  "advapi32.dll"
     call kernel32!GetProcAddress "CreateProcessAsUserSecure"
     call ntdll!ZwQuerySystemInformation 
    ;  ZwQuerySystemInformation(
    ;  IN SYSTEM_INFORMATION_CLASS SystemInformationClass,   == 47H == "SystemCreateSession"  (the class name given here is the author's guess; verify it against the headers for this build)
    ;  INOUT PVOIDSystemInformation,
    ;  IN ULONGSystemInformationLength,
    ;  OUT PULONGReturnLength OPTIONAL
    ;  ); 
     call kernel32!FreeLibrary  "advapi32.dll"
     call kernel32!BaseFormatObjectAttributes
     call ntdll!ZwCreateProcessEx

      mov eax,30h                  ; 0x30 = NtCreateProcessEx service number on this (XP) build; syscall numbers change between Windows versions
      call ntdll!KiFastSystemCall
     call ntdll!ZwSetInformationProcess
    ;  NtSetInformationProcess  (  IN HANDLE  ProcessHandle,  == ZwCreateProcessEx时得到的进程句柄
    ;    IN PROCESSINFOCLASS  ProcessInformationClass,        == 12h (= 18 decimal = ProcessPriorityClass; ProcessDefaultHardErrorMode is 12 decimal / 0Ch and takes a 4-byte ULONG)
    ;    IN PVOID  ProcessInformation,          == 2-byte PROCESS_PRIORITY_CLASS with PriorityClass = 2 (normal), matching the NORMAL_PRIORITY_CLASS passed to CreateProcess above
    ;    IN ULONG  ProcessInformationLength        == 2
    ;   ) 
     call kernel32!BasepSxsCreateProcessCsrMessage
    ;  1. BasepSxsGetProcessImageBaseAddress    KERNEL32
    ;  2. RtlMultiAppendUnicodeStringBuffer    NTDLL
    ;  3. BasepSxsCreateStreams    KERNEL32
    ;  4. BasepSxsIsStatusFileNotFoundEtc    
    ;  5. BasepSxsIsStatusResourceNotFound    
     call ntdll!NtQueryInformationProcess
    ;  ZwQueryInformationProcess(
    ;  IN HANDLE ProcessHandle,         == 进程句柄
    ;  IN PROCESSINFOCLASS ProcessInformationClass,   == 0 == ProcessBasicInformation
    ;  OUT PVOID ProcessInformation,
    ;  IN ULONG ProcessInformationLength,
    ;  OUT PULONG ReturnLength OPTIONAL
    ;  ); 
     call kernel32!BasePushProcessParameters
    ;  1. __SEH_prolog    
    ;  2. GetFullPathNameW    KERNEL32
    ;  3. BaseComputeProcessDllPath    KERNEL32
    ;  4. RtlInitUnicodeString    
    ;  5. RtlCreateProcessParameters    NTDLL
    ;  6. NtAllocateVirtualMemory    
    ;  7. NtWriteVirtualMemory    
    ;  8. __security_check_cookie    
    ;  9. __SEH_epilog
     call kernel32!BaseCreateStack
    ;  1. RtlImageNtHeader    NTDLL
    ;  2. NtAllocateVirtualMemory    
    ;  3. NtProtectVirtualMemory
     call kernel32!BaseInitializeContext
    ;  BaseInitializeContext(PCONTEXT Context, // 0x200 bytes
    ;  PPEB Peb,
    ;  PVOID EntryPoint,
    ;  DWORD StackTop,
    ;  int Type // union (Process, Thread, Fiber)
    ;  ); 
     call kernel32!BaseFormatObjectAttributes
     call ntdll!ZwCreateThread
      mov eax,35h
      call ntdll!KiFastSystemCall
     call kernel32!GetModuleHandleA "NULL"
      eax == 0400000h ;调用者(父进程)自身EXE的装入基址 —— GetModuleHandle(NULL) 返回的是当前进程的映像基址,不是新进程的
     call ntdll!RtlImageNtHeader eax
    ; 读取父进程自身的NT头(具体用途此处未跟踪,推测是取子系统信息供下面发给CSR的消息使用)
    ; 下面是通知Csrss.exe(Win32子系统进程)的几个函数
     call ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace
     call ntdll!CsrClientCallServer
     call ntdll!CsrFreeCaptureBuffer
    ;-------------- 
     call ntdll!ZwResumeThread ;启动线程移交控制权并返回
     ret
    ;;进程创建过程结束 CreateProcessA 

     

    ;创建线程
    Call NtCreateThread

    ;NtCreateThread(
    ;      OUT PHANDLE ThreadHandle,     +8h
    ;      IN ACCESS_MASK DesiredAccess, +Ch
    ;      IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +10h
    ;      IN HANDLE ProcessHandle, +14h
    ;      OUT PCLIENT_ID ClientID, +18h
    ;      IN PCONTEXT Context, /* see _BaseInitializeContext */  +1ch
    ;      IN StackInformation* StackInfo, /* see _BaseCreateStack */ +20h
    ;      IN BOOLEAN CreateSuspended  /* ==1 */ +24h
    ;  );  




     

    805c6ae0 64a124010000    mov     eax,dword ptr fs:[00000124h]    ;取KTHREAD结构地址
    805c6ae6 8945e0          mov     dword ptr [ebp-20h],eax    ;保存在变量中
    805c6ae9 80b84001000000  cmp     byte ptr [eax+140h],0    ;比较KTHREAD.PreviousMode 是否为0 (KernelMode) —— 内核调用者跳过下面的用户指针校验(该跳转未列出)
    805c6af6 a1b48b5580      mov     eax,dword ptr [nt!MmUserProbeAddress (80558bb4)]  ;取用户地址 eax == 7fff0000h
    805c6afb 8b4d08          mov     ecx,dword ptr [ebp+8]         ;取第一个参数 也就是句柄输出的地址
    805c6afe 3bc8            cmp     ecx,eax        ;进行地址比较
    805c6b00 7206            jb      nt!NtCreateThread+0x38 (805c6b08) ;低于跳转 (fall-through not listed; presumably the usual ProbeForWrite idiom where an address >= MmUserProbeAddress is forced to fault)
    805c6b08 8b01            mov     eax,dword ptr [ecx]     ; probe: touch the user OUT pointer (read, then write back) so an invalid
    805c6b0a 8901            mov     dword ptr [ecx],eax     ;   address faults here, presumably under the SEH frame, instead of deep inside PspCreateThread
    805c6b0c 8b5d18          mov     ebx,dword ptr [ebp+18h]    ;取参数PCLIENT_ID到ebx
             ;以下为对 PCLIENT_ID 输出地址进行验证: 非空时要求低于 MmUserProbeAddress、4字节对齐(test bl,3),并读写触碰 +0 和 +4 两个字节
    805c6b0f 85db            test    ebx,ebx
    805c6b11 7423            je      nt!NtCreateThread+0x66 (805c6b36)
    805c6b13 895ddc          mov     dword ptr [ebp-24h],ebx
    805c6b16 a1b48b5580      mov     eax,dword ptr [nt!MmUserProbeAddress (80558bb4)]
    805c6b1b 3bd8            cmp     ebx,eax
    805c6b1d 7203            jb      nt!NtCreateThread+0x52 (805c6b22)
    805c6b22 f6c303          test    bl,3
    805c6b25 7405            je      nt!NtCreateThread+0x5c (805c6b2c)
    805c6b2c 8a03            mov     al,byte ptr [ebx]
    805c6b2e 8803            mov     byte ptr [ebx],al
    805c6b30 8a4304          mov     al,byte ptr [ebx+4]
    805c6b33 884304          mov     byte ptr [ebx+4],al
             ;测试PCONTEXT Context参数: 非空时要求4字节对齐且低于MmUserProbeAddress;注意Context本身未在此拷贝,后面仍以用户指针原样传给PspCreateThread
    805c6b36 837d1c00        cmp     dword ptr [ebp+1Ch],0 
    805c6b3a 743e            je      nt!NtCreateThread+0xaa (805c6b7a)
    805c6b3c f6451c03        test    byte ptr [ebp+1Ch],3
    805c6b40 7405            je      nt!NtCreateThread+0x77 (805c6b47)
    805c6b47 a1b48b5580      mov     eax,dword ptr [nt!MmUserProbeAddress (80558bb4)]
    805c6b4c 39451c          cmp     dword ptr [ebp+1Ch],eax
    805c6b4f 720b            jb      nt!NtCreateThread+0x8c (805c6b5c)
             ;测试StackInformation参数
    ;         Typedef struct _StackInformation   // = the kernel's INITIAL_TEB (passed as InitialTeb to PspCreateThread below); the first two dwords must be zero
    ;         {
    ;              DWORD Reserved0;
    ;              DWORD Reserved1;
    ;              DWORD AddressOfTop;
    ;              DWORD CommitAddress;
    ;              DWORD ReservedAddress;
    ;         } StackInformation;
    805c6b5c 8b5d20        mov     ebx,dword ptr [ebp+20h]
    805c6b5f f6c303          test    bl,3
    805c6b62 740a            je      nt!NtCreateThread+0x9e (805c6b6e)
    805c6b6e 3bd8            cmp     ebx,eax            ;eax==7fff0000h 地址测试
    805c6b70 7216            jb      nt!NtCreateThread+0xb8 (805c6b88)
            ;以下读取Reserved0与Reserved1到局部变量并检查二者是否都为0(任一非零则跳到805c6ba7,不拷贝结构)
    805c6b88 8b03            mov     eax,dword ptr [ebx]          
    805c6b8a 8945c8          mov     dword ptr [ebp-38h],eax
    eax=00000000
    805c6b8d 8b4b04          mov     ecx,dword ptr [ebx+4]
    805c6b90 894dcc          mov     dword ptr [ebp-34h],ecx
    ecx=00000000
    805c6b93 33d2            xor     edx,edx
    805c6b95 3bc2            cmp     eax,edx
    805c6b97 750e            jne     nt!NtCreateThread+0xd7 (805c6ba7)
    805c6b99 3bca            cmp     ecx,edx
    805c6b9b 750a            jne     nt!NtCreateThread+0xd7 (805c6ba7)
            ; 把用户传入的StackInformation(5个dword)整体拷贝到内核栈上的局部变量[ebp-38h]中 —— 之后传给PspCreateThread的是这份内核副本(见下面 lea eax,[ebp-38h]),
            ; 用户态无法在校验之后再改它(避免double-fetch/TOCTOU);而Context和ClientId仍按用户指针原样传入
    805c6b9d 6a05            push    5
    805c6b9f 59              pop     ecx
    805c6ba0 8bf3            mov     esi,ebx
    805c6ba2 8d7dc8          lea     edi,[ebp-38h]
    805c6ba5 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] 

     

    805c6ba7 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh ;[ebp-4] 推测为SEH帧的try-level,置-1表示离开了保护上面用户指针探测的__try块
    ;调用PspCreateThread
    ;PspCreateThread(
    ;    OUT PHANDLE ThreadHandle, 
    ;    IN ACCESS_MASK DesiredAccess,
    ;    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    ;    IN HANDLE ProcessHandle,
    ;    IN PEPROCESS ProcessPointer,
    ;    OUT PCLIENT_ID ClientId OPTIONAL,
    ;    IN PCONTEXT ThreadContext OPTIONAL,
    ;    IN PINITIAL_TEB InitialTeb OPTIONAL,
    ;    IN BOOLEAN CreateSuspended,
    ;    IN PKSTART_ROUTINE StartRoutine OPTIONAL,
    ;    IN PVOID StartContext
    ;    )
    805c6bab 52              push    edx      ;StartContext == 0   30
    805c6bac 52              push    edx      ;StartRoutine== 0    2c
    805c6bad ff7524          push    dword ptr [ebp+24h]  ;CreateSuspended    28
    805c6bb0 8d45c8          lea     eax,[ebp-38h]   ;         
    805c6bb3 50              push    eax        ;InitialTeb      24
    805c6bb4 ff751c          push    dword ptr [ebp+1Ch]  ;ThreadContext     20
    805c6bb7 ff7518          push    dword ptr [ebp+18h]  ;PCLIENT_ID参数    1c
    805c6bba 52              push    edx                  ;  ProcessPointer == 0  18
    805c6bbb ff7514          push    dword ptr [ebp+14h]  ;ProcessHandle     14
    805c6bbe ff7510          push    dword ptr [ebp+10h]  ;ObjectAttributes    10
    805c6bc1 ff750c          push    dword ptr [ebp+0Ch] ;DesiredAccess     c
    805c6bc4 ff7508          push    dword ptr [ebp+8]  ;ThreadHandle          8
    805c6bc7 e8c4efffff      call    nt!PspCreateThread (805c5b90)
           805c5b9f 64a124010000    mov     eax,dword ptr fs:[00000124h]
       805c5ba5 8945c4          mov     dword ptr [ebp-3Ch],eax    ;取KTHREAD保存到变量中
       805c5ba8 33f6            xor     esi,esi
       805c5baa 39752c          cmp     dword ptr [ebp+2Ch],esi    ;测试StartRoutine([ebp+2Ch],见上面的压栈注释)是否为零 —— 非零即系统线程路径;CreateSuspended在[ebp+28h]
       805c5bad 7406            je      nt!PspCreateThread+0x25 (805c5bb5) ;为零跳转
       805c5bb5 8a8040010000    mov     al,byte ptr [eax+140h]     ;存KTHREAD.PreviousMode 到变量
       805c5bbb 8845d0          mov     byte ptr [ebp-30h],al
       805c5bbe 8975e4          mov     dword ptr [ebp-1Ch],esi             ;变量清零
       805c5bc1 33db            xor     ebx,ebx
       805c5bc3 895da4          mov     dword ptr [ebp-5Ch],ebx     ;变量清零
       805c5bc6 397514          cmp     dword ptr [ebp+14h],esi         ;判断ProcessHandle是否为零
       805c5bc9 7426            je      nt!PspCreateThread+0x61 (805c5bf1)  ;为零则跳转
       ;call    nt!ObReferenceObjectByHandle
    ;   ObReferenceObjectByHandle(
    ;       IN HANDLE  Handle,
    ;       IN ACCESS_MASK  DesiredAccess,
    ;       IN POBJECT_TYPE  ObjectType  OPTIONAL,
    ;       IN KPROCESSOR_MODE  AccessMode,
    ;       OUT PVOID  *Object,
    ;       OUT POBJECT_HANDLE_INFORMATION  HandleInformation  OPTIONAL
    ;       );   
       805c5bcb 56              push    esi       ;HandleInformation == 0   
       805c5bcc 8d856cffffff    lea     eax,[ebp-94h]
       805c5bd2 50              push    eax       ;*Object == 返回的对像指针
       805c5bd3 ff75d0          push    dword ptr [ebp-30h]     ;AccessMode == KTHREAD.PreviousMode == 1
       805c5bd6 ff3558a35580    push    dword ptr [nt!PsProcessType (8055a358)]  ;ObjectType
       805c5bdc 6a02            push    2        ;DesiredAccess == 2 (PROCESS_CREATE_THREAD): the handle must carry this right, checked against PsProcessType with the caller's PreviousMode
       805c5bde ff7514          push    dword ptr [ebp+14h]     ;Handle == 进程句柄 == 110h
       805c5be1 e8aaa9feff      call    nt!ObReferenceObjectByHandle (805b0590)
       805c5be6 8b9d6cffffff    mov     ebx,dword ptr [ebp-94h]  ;保存进程对像指针到EBX
       805c5bec 895da4          mov     dword ptr [ebp-5Ch],ebx  ;保存进程对像指针到变量
       805c5bef eb1b            jmp     nt!PspCreateThread+0x7c (805c5c0c)
       805c5c0c 3bc6            cmp     eax,esi                  ;NT_SUCCESS check on the previous call: a negative status means failure
       805c5c0e 0f8c33070000    jl      nt!PspCreateThread+0x7b7 (805c6347)   ;failure -> bail out
       805c5c14 807dd000        cmp     byte ptr [ebp-30h],0     ;比较KTHREAD.PreviousMode是否为0
       805c5c18 740f            je      nt!PspCreateThread+0x99 (805c5c29)
       805c5c1a 3b1d54a35580    cmp     ebx,dword ptr [nt!PsInitialSystemProcess (8055a354)] ;比较是否为系统进程 (PsInitialSystemProcess = System进程的EPROCESS)
       805c5c20 7507            jne     nt!PspCreateThread+0x99 (805c5c29) ;不等跳转; a user-mode caller (PreviousMode != 0) targeting the System process falls through, presumably to an error path (not listed)



     

       ;call    nt!ObCreateObject (805b66b0)
    ;   ObCreateObject  (  IN KPROCESSOR_MODE ObjectAttributesAccessMode  OPTIONAL, 
    ;          IN POBJECT_TYPE  Type, 
    ;          IN POBJECT_ATTRIBUTES ObjectAttributes  OPTIONAL, 
    ;          IN KPROCESSOR_MODE  AccessMode, 
    ;          IN OUT PVOID ParseContext  OPTIONAL, 
    ;          IN ULONG  ObjectSize, 
    ;          IN ULONG PagedPoolCharge  OPTIONAL, 
    ;          IN ULONG NonPagedPoolCharge  OPTIONAL, 
    ;          OUT PVOID *  Object
    ;         )  
       805c5c29 8d45b0          lea     eax,[ebp-50h]     ;*  Object 保存对像指针
       805c5c2c 50              push    eax     ;
       805c5c2d 56              push    esi     ; NonPagedPoolCharge == 0
       805c5c2e 56              push    esi     ; PagedPoolCharge  == 0
       805c5c2f 6858020000      push    258h     ; ObjectSize == 258h
       805c5c34 56              push    esi      ;ParseContext == 0
       805c5c35 ff75d0          push    dword ptr [ebp-30h]   ;KPROCESSOR_MODE == KTHREAD.PreviousMode == 1
       805c5c38 ff7510          push    dword ptr [ebp+10h]   ;继承而来的ObjectAttributes参数
       805c5c3b ff355ca35580    push    dword ptr [nt!PsThreadType (8055a35c)] ;线程类型
       805c5c41 ff75d0          push    dword ptr [ebp-30h]   ;ObjectAttributesAccessMode == KTHREAD.PreviousMode == 1
       805c5c44 e8670affff      call    nt!ObCreateObject (805b66b0)
       805c5c49 3bc6            cmp     eax,esi    ;判断调用是否成功
       805c5c4b 7d10            jge     nt!PspCreateThread+0xcd (805c5c5d)
       805c5c5d b996000000      mov     ecx,96h
       805c5c62 33c0            xor     eax,eax
       805c5c64 8b75b0          mov     esi,dword ptr [ebp-50h]   ;移动对像指针
       805c5c67 8bfe            mov     edi,esi
       805c5c69 f3ab            rep stos dword ptr es:[edi]    ;memset(ETHREAD, 0, 258h): 96h dwords * 4 = 258h bytes, i.e. the ObjectSize passed to ObCreateObject (eax zeroed above)
       805c5c6b 218634020000    and     dword ptr [esi+234h],eax ;ETHREAD.RundownProtect 清零
       805c5c71 899e20020000    mov     dword ptr [esi+220h],ebx ;移动进程的EPROCESS指针到ETHREAD.ThreadsProcess
       805c5c77 8dbeec010000    lea     edi,[esi+1ECh]     ;ETHREAD.Cid.UniqueProcess (+0x1EC). ActiveTimerListHead is the 8-byte LIST_ENTRY at +0x1E4 (see dump below); Cid.UniqueThread follows at +0x1F0
       805c5c7d 8b8384000000    mov     eax,dword ptr [ebx+84h] ds:0023:817bd844=00000004 ;EPROCESS.UniqueProcessId (+0x84) of the owning process -> eax (4 == the System process here)
       805c5c83 8907            mov     dword ptr [edi],eax  ds:0023:8164e75c=00000000
       805c5c85 8975b4          mov     dword ptr [ebp-4Ch],esi ss:0010:f9e2fd00=00000630 ;保存ESI到变量
       805c5c88 8365b800        and     dword ptr [ebp-48h],0 ss:0010:f9e2fd04=8164e558  
       ;   ;ExCreateHandle ,PspCidTable,&CidEntry
       805c5c8c 8d45b4          lea     eax,[ebp-4Ch]
       805c5c8f 50              push    eax
       805c5c90 ff3560a35580    push    dword ptr [nt!PspCidTable (8055a360)] ds:0023:8055a360=e1001850
       805c5c96 e8f5e20300      call    nt!ExCreateHandle (80603f90)
       805c5c9b 8986f0010000    mov     dword ptr [esi+1F0h],eax ds:0023:8164e760=00000000 ;移动返回的线程句柄到ETHREAD._CLIENT_ID.UniqueThread eax=00000230
       805c5ca1 85c0            test    eax,eax      ;测试返回值
       805c5ca3 750a            jne     nt!PspCreateThread+0x11f (805c5caf)     [br=1]
       805c5caf a1bca35480      mov     eax,dword ptr [nt!MmReadClusterSize (8054a3bc)] ds:0023:8054a3bc=00000007
       805c5cb4 898640020000    mov     dword ptr [esi+240h],eax ds:0023:8164e7b0=00000000 ;填充ETHTREAD.ReadClusterSize
       805c5cba 6a01            push    1
       805c5cbc 6a00            push    0
       805c5cbe 8d86f4010000    lea     eax,[esi+1F4h]
       805c5cc4 50              push    eax
       805c5cc5 e87c64f3ff      call    nt!KeInitializeSemaphore (804fc146) ;初始化信号灯
       805c5cca 8d86c8010000    lea     eax,[esi+1C8h]  ;初始化+0x1C8处的LIST_ENTRY(自指 = 空表头)。按下面的dump,+0x1C8是ExitTime/LpcReplyChain/KeyedWaitChain共用的union,这里按链表头初始化的应是LpcReplyChain,而非ExitTime
       805c5cd0 894004          mov     dword ptr [eax+4],eax ds:0023:8164e73c=00000000
       805c5cd3 8900            mov     dword ptr [eax],eax  ds:0023:8164e738=00000000
       
       805c5cd5 8d8610020000    lea     eax,[esi+210h]  ;初始化ETHREAD.IrpList
       805c5cdb 894004          mov     dword ptr [eax+4],eax ds:0023:8164e784=00000000
       805c5cde 8900            mov     dword ptr [eax],eax  ds:0023:8164e780=00000000
       
       805c5ce0 8d86d4010000    lea     eax,[esi+1D4h]  ;初始化ETHREAD.PostBlockList
       805c5ce6 894004          mov     dword ptr [eax+4],eax ds:0023:8164e748=00000000
       805c5ce9 8900            mov     dword ptr [eax],eax  ds:0023:8164e744=00000000
       805c5ceb 83a63802000000  and     dword ptr [esi+238h],0 ds:0023:8164e7a8=00000000
       
       805c5cf2 8d86e0010000    lea     eax,[esi+1E0h]   ;初始化ETHREAD.ActiveTimerListLock
       805c5cf8 50              push    eax
       805c5cf9 e8626ff7ff      call    nt!KeInitializeSpinLock (8053cc60)
       
       805c5cfe 8d86e4010000    lea     eax,[esi+1E4h]  ;初始化ETHREAD.ActiveTimerListHead
       805c5d04 894004          mov     dword ptr [eax+4],eax ds:0023:8164e758=00000000
       805c5d07 8900            mov     dword ptr [eax],eax  ds:0023:8164e754=00000000
       
       805c5d09 8d8b80000000    lea     ecx,[ebx+80h]  ;EPROCESS.RundownProtect
       805c5d0f 898d68ffffff    mov     dword ptr [ebp-98h],ecx ss:0010:f9e2fcb4=817bd840
       
       805c5d15 e874c60300      call    nt!ExAcquireRundownProtection (8060238e)
       805c5d1a 84c0            test    al,al      ;rundown protection on the owning EPROCESS: FALSE means the process is already being run down, so no new thread may be added (error path not listed)
       805c5d1c 750a            jne     nt!PspCreateThread+0x198 (805c5d28)     [br=1]
       
       805c5d28 837d2000        cmp     dword ptr [ebp+20h],0 ss:0010:f9e2fd6c=00000000
       805c5d2c 0f8484000000    je      nt!PspCreateThread+0x226 (805c5db6)     [br=1]
       805c5db6 33c9            xor     ecx,ecx
       805c5db8 894de4          mov     dword ptr [ebp-1Ch],ecx ss:0010:f9e2fd30=00000000
       
       805c5dbb 6a10            push    10h
       805c5dbd 58              pop     eax
       805c5dbe 8d9648020000    lea     edx,[esi+248h]  ;atomically OR 10h into ETHREAD.CrossThreadFlags (+0x248); bit 0x10 presumably marks a system thread on this path — confirm against the CrossThreadFlags bit layout
       805c5dc4 f00902          lock or dword ptr [edx],eax  ds:0023:8164e7b8=00000000 

     

       805c5dc7 8b452c          mov     eax,dword ptr [ebp+2Ch] ss:0010:f9e2fd78={NDIS!ndisWorkerThread (f96fdb85)}
       805c5dca 898624020000    mov     dword ptr [esi+224h],eax ds:0023:8164e794=00000000 ;ETHREAD.StartAddress <- StartRoutine (PspCreateThread的第10个参数). NOTE: this particular trace is of a kernel *system* thread (StartRoutine = NDIS!ndisWorkerThread, ThreadContext == NULL at 805c5d28, startup via PspSystemThreadStartup), not the user-mode NtCreateThread path above, where StartRoutine/StartContext were pushed as 0
       
       805c5dd0 53              push    ebx ;EPROCESS
       805c5dd1 51              push    ecx ;==0
       805c5dd2 51              push    ecx ;==0
       805c5dd3 ff7530          push    dword ptr [ebp+30h]  ss:0010:f9e2fd7c=81591f50  ;StartContext
       805c5dd6 50              push    eax               ;ETHREAD.StartAddress
       805c5dd7 68f4595c80      push    offset nt!PspSystemThreadStartup (805c59f4)    
       805c5ddc 51              push    ecx               ;NULL
       805c5ddd 56              push    esi               ;ETHREAD
       805c5dde e8c10bfdff      call    nt!KeInitThread (805969a4)  ;初始化线程(在网上没找到C原型)
       805c5de3 8bf8            mov     edi,eax
       805c5de5 85ff            test    edi,edi     ;测试是否调用成功
       805c5de7 7d1c            jge     nt!PspCreateThread+0x275 (805c5e05)     [br=1]
       
       805c5e05 8b7dc4          mov     edi,dword ptr [ebp-3Ch] ss:0010:f9e2fd10=81781bd8
       805c5e08 ff8fd4000000    dec     dword ptr [edi+0D4h] ds:0023:81781cac=00000000   ;edi = current KTHREAD; +0xD4 is KernelApcDisable (see dump) — inlined KeEnterCriticalRegion before taking EPROCESS.ProcessLock below
       805c5e0e 8d436c          lea     eax,[ebx+6Ch]   ;EPROCESS.ProcessLock
       805c5e11 89458c          mov     dword ptr [ebp-74h],eax ss:0010:f9e2fcd8=817bd82c
       805c5e14 b800000000      mov     eax,0
       805c5e19 8b4d8c          mov     ecx,dword ptr [ebp-74h] ss:0010:f9e2fcd8=817bd82c
       805c5e1c ba02000000      mov     edx,2
       805c5e21 0fb111          cmpxchg dword ptr [ecx],edx  ds:0023:817bd82c=00000000 ;设置EPROCESS.ProcessLock.Value==2
       805c5e24 85c0            test    eax,eax
       805c5e26 7408            je      nt!PspCreateThread+0x2a0 (805c5e30)     [br=1]
       805c5e30 f6834802000008  test    byte ptr [ebx+248h],8      ds:0023:817bda08=00   ;EPROCESS.Flags (+0x248) bit 3 = ProcessDelete (see dump): refuse to attach a new thread to a process that is being torn down
       805c5e37 746f            je      nt!PspCreateThread+0x318 (805c5ea8)     [br=1]
       
       805c5ea8 8d83a0010000    lea     eax,[ebx+1A0h]     ;EPROCESS.ActiveThreads (+0x1A0, see dump): incremented under the process lock
       805c5eae 8b38            mov     edi,dword ptr [eax]  ds:0023:817bd960=00000034
       805c5eb0 8d4f01          lea     ecx,[edi+1]
       805c5eb3 8908            mov     dword ptr [eax],ecx  ds:0023:817bd960=00000034
       805c5eb5 8d862c020000    lea     eax,[esi+22Ch]   ;ETHREAD.ThreadListEntry
       805c5ebb 8d8b90010000    lea     ecx,[ebx+190h]   ;EPROCESS.ThreadListHead
       805c5ec1 8b5104          mov     edx,dword ptr [ecx+4] ds:0023:817bd954=816ad86c
       805c5ec4 8908            mov     dword ptr [eax],ecx  ds:0023:8164e79c=00000000
       805c5ec6 895004          mov     dword ptr [eax+4],edx ds:0023:8164e7a0=00000000
       805c5ec9 8902            mov     dword ptr [edx],eax  ds:0023:816ad86c=817bd950
       805c5ecb 894104          mov     dword ptr [ecx+4],eax ds:0023:817bd954=816ad86c
       805c5ece 56              push    esi   
       805c5ecf e8dc6af3ff      call    nt!KeStartThread (804fc9b0)
       call    nt!ExReleaseRundownProtection
       call    nt!WmiTraceThread
       call    nt!ObReferenceObjectEx
       call    nt!SeCreateAccessStateEx
       call    nt!ObInsertObject
       call    nt!SeDeleteAccessState
       call    nt!KeQuerySystemTime
       call    nt!ObGetObjectSecurity      ; } presumably the access check that decides the rights of the handle being returned:
       call    nt!PsReferencePrimaryToken  ; } the caller's primary token is evaluated against the object's security descriptor
       call    nt!SeAccessCheck            ; } (the exact object and arguments were not captured in this trace)
       call    nt!ObFastDereferenceObject
       call    nt!ObReleaseObjectSecurity
       call    nt!KeReadyThread
       call    nt!ObfDereferenceObject  




     


    ;附ETHREAD结构数据:
       +0x000 Tcb              : _KTHREAD
          +0x000 Header           : _DISPATCHER_HEADER
          +0x010 MutantListHead   : _LIST_ENTRY [ 0x8164e580 - 0x8164e580 ]
          +0x018 InitialStack     : 0xf7d7e000
          +0x01c StackLimit       : 0xf7d7b000
          +0x020 Teb              : (null)
          +0x024 TlsArray         : (null)
          +0x028 KernelStack      : 0xf7d7ddd4
          +0x02c DebugActive      : 0 ''
          +0x02d State            : 0 ''
          +0x02e Alerted          : [2]  ""
          +0x030 Iopl             : 0 ''
          +0x031 NpxState         : 0xa ''
          +0x032 Saturation       : 0 ''
          +0x033 Priority         : 0 ''
          +0x034 ApcState         : _KAPC_STATE
          +0x04c ContextSwitches  : 0
          +0x050 IdleSwapBlock    : 0 ''
          +0x051 Spare0           : [3]  ""
          +0x054 WaitStatus       : 0
          +0x058 WaitIrql         : 0 ''
          +0x059 WaitMode         : 0 ''
          +0x05a WaitNext         : 0 ''
          +0x05b WaitReason       : 0 ''
          +0x05c WaitBlockList    : (null)
          +0x060 WaitListEntry    : _LIST_ENTRY [ 0x0 - 0x0 ]
          +0x060 SwapListEntry    : _SINGLE_LIST_ENTRY
          +0x068 WaitTime         : 0
          +0x06c BasePriority     : 0 ''
          +0x06d DecrementCount   : 0 ''
          +0x06e PriorityDecrement : 0 ''
          +0x06f Quantum          : 0 ''
          +0x070 WaitBlock        : [4] _KWAIT_BLOCK
          +0x0d0 LegoData         : (null)
          +0x0d4 KernelApcDisable : 0
          +0x0d8 UserAffinity     : 0
          +0x0dc SystemAffinityActive : 0 ''
          +0x0dd PowerState       : 0 ''
          +0x0de NpxIrql          : 0 ''
          +0x0df InitialNode      : 0 ''
          +0x0e0 ServiceTable     : 0x80553180
          +0x0e4 Queue            : (null)
          +0x0e8 ApcQueueLock     : 0
          +0x0f0 Timer            : _KTIMER
          +0x118 QueueListEntry   : _LIST_ENTRY [ 0x0 - 0x0 ]
          +0x120 SoftAffinity     : 1
          +0x124 Affinity         : 0
          +0x128 Preempted        : 0 ''
          +0x129 ProcessReadyQueue : 0 ''
          +0x12a KernelStackResident : 0x1 ''
          +0x12b NextProcessor    : 0 ''
          +0x12c CallbackStack    : (null)
          +0x130 Win32Thread      : (null)
          +0x134 TrapFrame        : (null)
          +0x138 ApcStatePointer  : [2] 0x8164e5a4 _KAPC_STATE
          +0x140 PreviousMode     : 0 ''
          +0x141 EnableStackSwap  : 0x1 ''
          +0x142 LargeStack       : 0 ''
          +0x143 ResourceIndex    : 0 ''
          +0x144 KernelTime       : 0
          +0x148 UserTime         : 0
          +0x14c SavedApcState    : _KAPC_STATE
          +0x164 Alertable        : 0 ''
          +0x165 ApcStateIndex    : 0 ''
          +0x166 ApcQueueable     : 0x1 ''
          +0x167 AutoAlignment    : 0 ''
          +0x168 StackBase        : 0xf7d7e000
          +0x16c SuspendApc       : _KAPC
          +0x19c SuspendSemaphore : _KSEMAPHORE
          +0x1b0 ThreadListEntry  : _LIST_ENTRY [ 0x0 - 0x0 ]
          +0x1b8 FreezeCount      : 0 ''
          +0x1b9 SuspendCount     : 0 ''
          +0x1ba IdealProcessor   : 0 ''
          +0x1bb DisableBoost     : 0 ''
       +0x1c0 CreateTime       : _LARGE_INTEGER 0x0
          +0x000 LowPart          : 0
          +0x004 HighPart         : 0
          +0x000 u                : __unnamed
          +0x000 QuadPart         : 0
       +0x1c0 NestedFaultCount : 0y00
       +0x1c0 ApcNeeded        : 0y0
       +0x1c8 ExitTime         : _LARGE_INTEGER 0x8164e738`8164e738
          +0x000 LowPart          : 0x8164e738
          +0x004 HighPart         : -2124093640
          +0x000 u                : __unnamed
          +0x000 QuadPart         : -9122912715270723784
       +0x1c8 LpcReplyChain    : _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
          +0x000 Flink            : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
          +0x004 Blink            : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
       +0x1c8 KeyedWaitChain   : _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
          +0x000 Flink            : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
          +0x004 Blink            : 0x8164e738 _LIST_ENTRY [ 0x8164e738 - 0x8164e738 ]
       +0x1d0 ExitStatus       : 0
       +0x1d0 OfsChain         : (null)
       +0x1d4 PostBlockList    : _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ]
          +0x000 Flink            : 0x8164e744 _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ]
          +0x004 Blink            : 0x8164e744 _LIST_ENTRY [ 0x8164e744 - 0x8164e744 ]
       +0x1dc TerminationPort  : (null)
       +0x1dc ReaperLink       : (null)
       +0x1dc KeyedWaitValue   : (null)
       +0x1e0 ActiveTimerListLock : 0
       +0x1e4 ActiveTimerListHead : _LIST_ENTRY [ 0x8164e754 - 0x8164e754 ]
        单篇博客显示不下,评论继续

  • 紧接上文 (注: 开头两行 Flink/Blink 是 EPROCESS.ThreadListHead(+0x190, 地址 0x817bd950 与上面 805c5ec9 处一致);从 +0x198 SecurityPort / +0x1a0 ActiveThreads / +0x1b0 Peb 起的字段都属于 EPROCESS 的 dump,不是 ETHREAD)
    +0x000 Flink : 0x817bd774 _LIST_ENTRY [ 0x817bd32c - 0x817bd950 ]
    +0x004 Blink : 0x8164e79c _LIST_ENTRY [ 0x817bd950 - 0x816ad86c ]
    +0x198 SecurityPort : 0xe16ebba0
    +0x19c PaeTop : (null)
    +0x1a0 ActiveThreads : 0x35
    +0x1a4 GrantedAccess : 0x1f0fff
    +0x1a8 DefaultHardErrorProcessing : 1
    +0x1ac LastThreadExitStatus : 0
    +0x1b0 Peb : (null)
    +0x1b4 PrefetchTrace : _EX_FAST_REF
    +0x000 Object : 0x81615965
    +0x000 RefCnt : 0y101
    +0x000 Value : 0x81615965
    +0x1b8 ReadOperationCount : _LARGE_INTEGER 0x50
    +0x000 LowPart : 0x50
    +0x004 HighPart : 0
    +0x000 u : __unnamed
    +0x000 QuadPart : 80
    +0x1c0 WriteOperationCount : _LARGE_INTEGER 0x11c
    +0x000 LowPart : 0x11c
    +0x004 HighPart : 0
    +0x000 u : __unnamed
    +0x000 QuadPart : 284
    +0x1c8 OtherOperationCount : _LARGE_INTEGER 0xbc7
    +0x000 LowPart : 0xbc7
    +0x004 HighPart : 0
    +0x000 u : __unnamed
    +0x000 QuadPart : 3015
    +0x1d0 ReadTransferCount : _LARGE_INTEGER 0x4ca32
    +0x000 LowPart : 0x4ca32
    +0x004 HighPart : 0
    +0x000 u : __unnamed
    +0x000 QuadPart : 313906
    +0x1d8 WriteTransferCount : _LARGE_INTEGER 0x1d4000
    +0x000 LowPart : 0x1d4000
    +0x004 HighPart : 0
    +0x000 u : __unnamed
    +0x000 QuadPart : 1916928
    +0x1e0 OtherTransferCount : _LARGE_INTEGER 0x436b8
    +0x000 LowPart : 0x436b8
    +0x004 HighPart : 0
    +0x000 u : __unnamed
    +0x000 QuadPart : 276152
    +0x1e8 CommitChargeLimit : 0
    +0x1ec CommitChargePeak : 0x1cc
    +0x1f0 AweInfo : (null)
    +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
    +0x000 ImageFileName : 0xe10007c0 _OBJECT_NAME_INFORMATION
    +0x1f8 Vm : _MMSUPPORT
    +0x000 LastTrimTime : _LARGE_INTEGER 0x0
    +0x008 Flags : _MMSUPPORT_FLAGS
    +0x00c PageFaultCount : 0xf15
    +0x010 PeakWorkingSetSize : 0x20e
    +0x014 WorkingSetSize : 0x4b
    +0x018 MinimumWorkingSetSize : 0
    +0x01c MaximumWorkingSetSize : 0x159
    +0x020 VmWorkingSetList : 0xc0883000 _MMWSL
    +0x024 WorkingSetExpansionLinks : _LIST_ENTRY [ 0x815d023c - 0x80558984 ]
    +0x02c Claim : 0
    +0x030 NextEstimationSlot : 0
    +0x034 NextAgingSlot : 0
    +0x038 EstimatedAvailable : 0
    +0x03c GrowthSinceLastEstimate : 0xf15
    +0x238 LastFaultCount : 0
    +0x23c ModifiedPageCount : 0x6a2
    +0x240 NumberOfVads : 0xa
    +0x244 JobStatus : 0
    +0x248 Flags : 0x40200
    +0x248 CreateReported : 0y0
    +0x248 NoDebugInherit : 0y0
    +0x248 ProcessExiting : 0y0
    +0x248 ProcessDelete : 0y0
    +0x248 Wow64SplitPages : 0y0
    +0x248 VmDeleted : 0y0
    +0x248 OutswapEnabled : 0y0
    +0x248 Outswapped : 0y0
    +0x248 ForkFailed : 0y0
    +0x248 HasPhysicalVad : 0y1
    +0x248 AddressSpaceInitialized : 0y00
    +0x248 SetTimerResolution : 0y0
    +0x248 BreakOnTermination : 0y0
    +0x248 SessionCreationUnderway : 0y0
    +0x248 WriteWatch : 0y0
    +0x248 ProcessInSession : 0y0
    +0x248 OverrideAddressSpace : 0y0
    +0x248 HasAddressSpace : 0y1
    +0x248 LaunchPrefetched : 0y0
    +0x248 InjectInpageErrors : 0y0
    +0x248 VmTopDown : 0y0
    +0x248 Unused3 : 0y0
    +0x248 Unused4 : 0y0
    +0x248 VdmAllowed : 0y0
    +0x248 Unused : 0y00000 (0)
    +0x248 Unused1 : 0y0
    +0x248 Unused2 : 0y0
    +0x24c ExitStatus : 259
    +0x250 NextPageColor : 0x3f69
    +0x252 SubSystemMinorVersion : 0 ''
    +0x253 SubSystemMajorVersion : 0 ''
    +0x252 SubSystemVersion : 0
    +0x254 PriorityClass : 0x2 ''
    +0x255 WorkingSetAcquiredUnsafe : 0 ''
    +0x258 Cookie : 0