逆向未知dhook.sys驱动源代码[新手学习篇]

楼主^#

更多发布于：2007-01-14 19:51

  向doskey大牛学习!偶还是菜鸟只好找个驱动软西柿子来捏!
正好前几天中了一堆病毒马马.删除了N个EXE.最后发现驻留了一个SYS.拿了一个最弱的捏!其实直到我把源代码逆出来了为直.因为我这里暂时搞不到完整的Window _KPROCESS结构体.很有有关它的偏移地址给大家就解释不了了,也就是它的主要功能不知道了.以后在说吧!我是菜鸟!!!当一次学习逆向的过程!
大牛别踩!!!

IRP_MJ_CREATE和IRP_MJ_CLOSE，DriverUnload例程很简单可以看下面逆出的C代码。
关键IRP_MJ_DEVICE_CONTROL例程有点复杂和用户层通信.如下：
.text:000103DB ; int __stdcall sub_103DB(PDRIVER_OBJECT DeviceObject,PIRP Irp)
.text:000103DB sub_103DB proc near ; DATA XREF: start+5Eo
.text:000103DB
.text:000103DB Information = dword ptr -8
.text:000103DB ntStatus = dword ptr -4
.text:000103DB DeviceObject = dword ptr 8
.text:000103DB Irp = dword ptr 0Ch
.text:000103DB
.text:000103DB push ebp
.text:000103DC mov ebp, esp
.text:000103DE add esp, 0FFFFFFF8h
.text:000103E1 push esi
.text:000103E2 push edi
.text:000103E3 push ebx
.text:000103E4 mov [ebp+Information], 0
.text:000103EB mov [ebp+ntStatus], 0C0000001h
.text:000103F2 mov esi, [ebp+Irp]
.text:000103F5 mov eax, esi
.text:000103F7 mov eax, [eax+60h] ; IrpStack
.text:000103FA mov edi, eax
.text:000103FC mov eax, [edi+0Ch]
.text:000103FF push edi ; IrpStack
.text:00010400 cmp eax, 22E000h
.text:00010405 jnz loc_104C3
.text:00010405
.text:0001040B mov ecx, 34h
.text:00010410 cmp [edi+4], ecx
.text:00010413 jb loc_104B7
.text:00010413
.text:00010419 mov edi, [esi+0Ch] ; Irp->AssociatedIrp.SystemBuffer
.text:0001041C push edi ; VirtualAddress
.text:0001041D call MmIsAddressValid
.text:0001041D
.text:00010422 test al, al
.text:00010424 jz loc_10547
.text:00010424
.text:0001042A mov esi, [edi]
.text:0001042C movzx eax, byte ptr [edi+4]
.text:00010430 movzx edx, byte ptr [edi+5]
.text:00010434 mov VarA, eax
.text:00010439 mov VarB, edx
.text:0001043F push esi ; VirtualAddress__PUnKownData
.text:00010440 call MmIsAddressValid ; XXXXXXXXXXXXXXXXX
.text:00010440
.text:00010445 test al, al
.text:00010447 jz loc_10547
.text:00010447
.text:0001044D mov ecx, 34h
.text:00010452 push esi ; PUnKownData
.text:00010453 push edi ; inBuf
.text:00010454 rep movsb
.text:00010456 pop edi ; inBuf
.text:00010457 pop esi ; PUnKownData
.text:00010458 mov esi, [edi+24h]
.text:0001045B cmp esi, 0FFFFFFFFh
.text:0001045E jz short loc_104A1
.text:0001045E
.text:00010460 mov ebx, [edi+8]
.text:00010463 mov ebx, [ebx]
.text:00010465 mov ecx, UnKnowVariable_1
.text:0001046B mov ebx, [ecx+ebx]
.text:0001046E push ebx ; VirtualAddress
.text:0001046F call MmIsAddressValid
.text:0001046F
.text:00010474 or al, al
.text:00010476 jnz short loc_1047F
.text:00010476
.text:00010478 mov esi, 0FFFFFFFFh
.text:0001047D jmp short loc_104A1
.text:0001047D
.text:0001047F ; ---------------------------------------------------------------------------
.text:0001047F
.text:0001047F loc_1047F: ; CODE XREF: sub_103DB+9Bj
.text:0001047F mov eax, VarA
.text:00010484 mov ebx, [eax+ebx]
.text:00010487 push ebx ; VirtualAddress
.text:00010488 call MmIsAddressValid
.text:00010488
.text:0001048D or al, al
.text:0001048F jnz short loc_10498
.text:0001048F
.text:00010491 mov esi, 0FFFFFFFFh
.text:00010496 jmp short loc_104A1
.text:00010496
.text:00010498 ; ---------------------------------------------------------------------------
.text:00010498
.text:00010498 loc_10498: ; CODE XREF: sub_103DB+B4j
.text:00010498 add ebx, VarB
.text:0001049E mov esi, [ebx+esi*4]
.text:0001049E
.text:000104A1
.text:000104A1 loc_104A1: ; CODE XREF: sub_103DB+83j
.text:000104A1 ; sub_103DB+A2j
.text:000104A1 ; sub_103DB+BBj
.text:000104A1 mov [edi+30h], esi
.text:000104A4 mov [ebp+Information], 34h
.text:000104AB mov [ebp+ntStatus], 0
.text:000104B2 jmp loc_10547
.text:000104B2
.text:000104B7 ; ---------------------------------------------------------------------------
.text:000104B7
.text:000104B7 loc_104B7: ; CODE XREF: sub_103DB+38j
.text:000104B7 mov [ebp+ntStatus], 0C0000023h ; STATUS_BUFFER_TOO_SMALL
.text:000104BE jmp loc_10547
.text:000104BE
.text:000104C3 ; ---------------------------------------------------------------------------
.text:000104C3
.text:000104C3 loc_104C3: ; CODE XREF: sub_103DB+2Aj
.text:000104C3 cmp eax, 22E004h
.text:000104C8 jnz short loc_10547
.text:000104C8
.text:000104CA cmp dword ptr [edi+4], 18h
.text:000104CE jb short loc_10540
.text:000104CE
.text:000104D0 mov edi, [esi+0Ch]
.text:000104D3 push edi ; VirtualAddress
.text:000104D4 call MmIsAddressValid
.text:000104D4
.text:000104D9 test al, al
.text:000104DB jz short loc_10547
.text:000104DB
.text:000104DD mov esi, [edi]
.text:000104DF push esi ; VirtualAddress
.text:000104E0 call MmIsAddressValid
.text:000104E0
.text:000104E5 test al, al
.text:000104E7 jz short loc_10547
.text:000104E7
.text:000104E9 mov esi, [esi]
.text:000104EB push esi ; VirtualAddress
.text:000104EC call MmIsAddressValid
.text:000104EC
.text:000104F1 test al, al
.text:000104F3 jz short loc_10547
.text:000104F3
.text:000104F5 push esi
.text:000104F6 call IoThreadToProcess
.text:000104F6
.text:000104FB mov ebx, eax
.text:000104FD push ebx ; VirtualAddress
.text:000104FE call MmIsAddressValid
.text:000104FE
.text:00010503 test al, al
.text:00010505 jz short loc_10547 ; xxxxxxxxxxxxx
.text:00010505
.text:00010507 mov ecx, UnKnowVariable_2
.text:0001050D push dword ptr [ecx+esi]
.text:00010510 pop dword ptr [edi]
.text:00010512 mov ecx, UnKnowVariable_3
.text:00010518 push dword ptr [ecx+esi]
.text:0001051B pop dword ptr [edi+4]
.text:0001051E mov ecx, 10h
.text:00010523 mov esi, UnKnowVariable_4
.text:00010529 add esi, ebx
.text:0001052B add edi, 8
.text:0001052E rep movsb
.text:00010530 mov [ebp+Information], 18h
.text:00010537 mov [ebp+ntStatus], 0
.text:0001053E jmp short loc_10547
.text:0001053E
.text:00010540 ; ---------------------------------------------------------------------------
.text:00010540
.text:00010540 loc_10540: ; CODE XREF: sub_103DB+F3j
.text:00010540 mov [ebp+ntStatus], 0C0000023h
.text:00010540
.text:00010547
.text:00010547 loc_10547: ; CODE XREF: sub_103DB+49j
.text:00010547 ; sub_103DB+6Cj
.text:00010547 ; sub_103DB+D7j
.text:00010547 ; sub_103DB+E3j
.text:00010547 ; sub_103DB+EDj
.text:00010547 ; sub_103DB+100j ...
.text:00010547 pop edi ; IrpStack
.text:00010548 mov esi, [ebp+Irp]
.text:0001054B push [ebp+ntStatus]
.text:0001054E pop dword ptr [esi+18h]
.text:00010551 push [ebp+Information]
.text:00010554 pop dword ptr [esi+1Ch]
.text:00010557 push 0
.text:00010559 push [ebp+Irp]
.text:0001055C call IoCompleteRequest
.text:0001055C
.text:00010561 mov eax, [ebp+ntStatus]
.text:00010564 pop ebx
.text:00010565 pop edi
.text:00010566 pop esi
.text:00010567 leave
.text:00010568 retn 8
.text:00010568
.text:00010568 sub_103DB endp
.text:00010568

下面给出所有逆向出来的C源代码:里边用的数据类型很生硬,PVOID指针多处用到我都是根据寄存器和内存的长度才转化成特定的类型的.
#include <ntddk.h>
#include <ntdef.h>

#define dHook_CtlCode_A 0x22E000
#define dHook_CtlCode_B 0x22E004

VOID dHookUnloadDriver(
   IN PDRIVER_OBJECT DriverObject);

NTSTATUS dHookCreateClose(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   );

NTSTATUS dHookDeviceControl(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   );

NTSYSAPI PEPROCESS NTAPI
  IoThreadToProcess(
   IN PETHREAD Thread
   );

UNICODE_STRING DeviceNameString;
UNICODE_STRING LinkDeviceNameString;
ULONG UnKnowVariable[4];
NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
   ULONG MajorVersion;
   ULONG MinorVersion;
   PDEVICE_OBJECT deviceObject = NULL;
   NTSTATUS ntStatus=STATUS_DEVICE_CONFIGURATION_ERROR;

   RtlInitUnicodeString( &DeviceNameString, L"\\Device\\devEnumHook2" );
   RtlInitUnicodeString( &LinkDeviceNameString,L"\\DosDevices\\slEnumHook2");


   ntStatus = IoCreateDevice(
   DriverObject,
   0,
   &DeviceNameString,
   FILE_DEVICE_DISK_FILE_SYSTEM,//8790H
   FILE_DEVICE_SECURE_OPEN,
   FALSE,
   & deviceObject );

   if (!NT_SUCCESS( ntStatus ))
   {

   return ntStatus;;
   }

   ntStatus = IoCreateSymbolicLink(
   (PUNICODE_STRING) &LinkDeviceNameString,
   (PUNICODE_STRING) &DeviceNameString
   );

   if (!NT_SUCCESS(ntStatus))
   {
   IoDeleteDevice(deviceObject);
   return ntStatus;;
   }

  DriverObject->MajorFunction[IRP_MJ_CREATE] = dHookCreateClose;
  DriverObject->MajorFunction[IRP_MJ_CLOSE] = dHookCreateClose;
  DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = dHookDeviceControl;

  DriverObject->DriverUnload=dHookUnloadDriver;

  PsGetVersion(&MajorVersion,&MinorVersion,NULL,NULL);

  ntStatus=STATUS_SUCCESS;

  if(MajorVersion!=5)
   {
   ntStatus=STATUS_DEVICE_CONFIGURATION_ERROR;
   return ntStatus;
   }

  if(MinorVersion==0)
   {
   UnKnowVariable[0]=0x22C;//这些常量在dHook_CtlCode_B过程中调用修改Window进程结构_KPROCESS体用的.
   UnKnowVariable[1]=0x124;//具体我这里也没有各个window 的内核_KPROCESS结构体详细文挡.
   UnKnowVariable[2]=0x1E0;
   UnKnowVariable[3]=0x1E4;
   UnKnowVariable[4]=0x1FC;
   }
  else if(MinorVersion==1)
   {
   UnKnowVariable[0]=0x220;
   UnKnowVariable[1]=0x130;
   UnKnowVariable[2]=0x1EC;
   UnKnowVariable[3]=0x1F0;
   UnKnowVariable[4]=0x174;

   }
   else if(MinorVersion==2)
   {

   UnKnowVariable[0]=0x228;
   UnKnowVariable[1]=0x14C;
   UnKnowVariable[2]=0x1F4;
   UnKnowVariable[3]=0x1F8;
   UnKnowVariable[4]=0x154;

   }

   return ntStatus; ;

}

VOID dHookUnloadDriver(
   IN PDRIVER_OBJECT DriverObject)
{

   IoDeleteSymbolicLink(&LinkDeviceNameString);

   IoDeleteDevice( DriverObject->DeviceObject );
}

NTSTATUS dHookCreateClose(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   )

{
   Irp->IoStatus.Status = STATUS_SUCCESS;
   Irp->IoStatus.Information = 0;
   IoCompleteRequest( Irp, IO_NO_INCREMENT );
   return STATUS_SUCCESS;
}

NTSTATUS dHookDeviceControl(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   )

{
   PVOID PUnKownData,PUnKownData_A,PUnKownData_B;
  ULONG outBufLength,inBufLength;
  PIO_STACK_LOCATION IrpStack;
  char VarA,VarB, VarC;
  PEPROCESS peProcess;
  PVOID inBuf, PInfoProcess_A,PInfoProcess_B;
  int counter=0 ;
  ULONG UEnd;

  NTSTATUS ntStatus= STATUS_UNSUCCESSFUL;
  Irp->IoStatus.Information = 0;
  inBuf = Irp->AssociatedIrp.SystemBuffer;
  IrpStack = IoGetCurrentIrpStackLocation( Irp );

  outBufLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;//[ebp+60H+4]

  switch(IrpStack->Parameters.DeviceIoControl.IoControlCode )
   {
   case dHook_CtlCode_A:
   if(outBufLength<0x34)
   {
   ntStatus= STATUS_BUFFER_TOO_SMALL;
   break;
   }
   if(!MmIsAddressValid(inBuf))
   {
   break;
   }
   PUnKownData=(PVOID)((PLONG)inBuf)[0];//I/0包中前四个字节数据类型是另一个缓冲区的（指针）虚拟地址,因为下边用传数据用. PUnKownData
   VarA=(char)((PCHAR)inBuf)[4];//取出I/0包第5个字节
   VarB=(char)((PCHAR)inBuf)[5];//取出I/0包第6个字节
   if(!MmIsAddressValid(PUnKownData))
   {
   break;
   }

   for(counter=0;counter<=34;counter++)
   {
   VarC=*(((PCHAR)PUnKownData)+counter); //PUnKownData做源缓冲区地址，inBuf做目源缓冲区地址
   VarC=(char)((PCHAR)inBuf)[counter];//counter=34传34个字节
   }

   UEnd=(ULONG)((PLONG)inBuf)[24];//传输完毕,inBuf有了新的内容.要检测是否为0XFFFFFFF；
   if(UEnd==-1)//用-1做end标志.
   {
   (ULONG)((PULONG)inBuf)[30]=-1;//把设置-1标志做结束
   Irp->IoStatus.Information=0x34;//记录I/0包传的字节数量
   ntStatus=STATUS_SUCCESS;//设置成功
   break;
   }

   PUnKownData_A=(PVOID)((PULONG)inBuf)[8]; //inBuf[8]里又是一个指针的指针：PUnKownData_A
   PUnKownData_B=(PVOID)((PULONG)*(PULONG)((*(PULONG)PUnKownData_A)+UnKnowVariable[1]));//取出一个指针给PUnKownData_B
   if(!MmIsAddressValid(PUnKownData_A))
   {
   (ULONG)((PULONG)inBuf)[30]=-1;
   break;
   }
   PUnKownData_B=(PULONG)*((PULONG)PUnKownData_B+(ULONG)VarA); //设置缓冲区的偏移地址加VarA

   if(!MmIsAddressValid(PUnKownData_B))
   {
   (ULONG)((PULONG)inBuf)[30]=-1;
   break;
   }
   PUnKownData_B=(PULONG)*((PULONG)PUnKownData_B+(ULONG)VarB); //缓冲区的偏移地址加VarB
   (ULONG)((PULONG)inBuf)[30]=(ULONG)*((PULONG)PUnKownData_B+(ULONG)(UEnd*0x04));
   break;

   case dHook_CtlCode_B:
   if(outBufLength< 0x18)
   {
   ntStatus= STATUS_BUFFER_TOO_SMALL;
   break;
   }
   if(!MmIsAddressValid(inBuf))
   {
   break;
   }
   PUnKownData=(PVOID)*((PLONG)inBuf);
   if(!MmIsAddressValid(PUnKownData))
   {
   break;
   }
   PUnKownData_A=(PVOID)*(PULONG)PUnKownData;
   peProcess=IoThreadToProcess((PETHREAD)PUnKownData_A);//获取进程上下文
   if(!MmIsAddressValid(peProcess))
   {
   break;
   }
   PInfoProcess_A=(PULONG)peProcess+UnKnowVariable[2];//修改进程
   *(PULONG)inBuf=(ULONG)*(PULONG)PInfoProcess_A;
   PInfoProcess_B=(PULONG)peProcess+UnKnowVariable[3];//修改进程
   ((PULONG)inBuf)[1]=(ULONG)*(PULONG)PInfoProcess_B;

   PInfoProcess_A=(PULONG)peProcess+UnKnowVariable[4];//修改进程
   PInfoProcess_B=(PULONG)inBuf+2;
   for(counter=0;counter<=0x10;counter++)
   {
   VarC=*((PCHAR)PInfoProcess_A+counter);
   *((PCHAR)PInfoProcess_A+counter)=VarC;
   }

   break;
   }

   IoCompleteRequest( Irp, IO_NO_INCREMENT );
   return ntStatus;
}

=============================================
  用户把一个函数或变量的虚拟地址或指针写入I/0缓冲区.然后驱动读出里边数据,通信的数据类型可能有常量,变量,或指针.函数指针等.
方便期间各个举了个例子,用C写点.可以放在VC.60中编译通过.
[注意下面的例子仅仅是针对我上边那个IRP_MJ_DEVICE_CONTRL例程中一些各个类型访问用的]

   char Data[256];
   int a;
   PVOID PUnKnowData;
   PVOID PAdd;//定义函数指针
   ULONG A=1;//偏移地址A

   PUnKnowData=Data;

   ((PCHAR)PUnKnowData)[2]='1';//写个某个类型的常量
   char c= ((PCHAR)PUnKnowData)[2];//读

   ((PLONG)PUnKnowData)[4]=(ULONG)&a; //写入某个变量地址
   a=((PLONG)PUnKnowData)[4];//读

   ((PULONG)PUnKnowData)[4]=(ULONG)add;//写入某个函数地址
   PAdd=(PVOID)((PULONG)PUnKnowData)[4];//读

   (ULONG)(*(PULONG)PUnKnowData)=(ULONG)add;//指针方式写
   PAdd=(PULONG)((ULONG)(*(PULONG)PUnKnowData));//读

   (ULONG)(*((PULONG)PUnKnowData+A))=(ULONG)add; //用户把一个函数或变量的虚拟地址或指针写入I/0缓冲区任意++或--的偏移地址A中
   PAdd=(PULONG)(*((PULONG)PUnKnowData+A)); //这里是驱动的读出是个反向操作.

=============================================
源代码在附件中.多谢指正Bug!DDK_For_xp编译 BUG应该很多!!!多谢指点!
---------------------------------------------@
我是阿赖耶识....

附件名称/大小下载次数最后更新: dhook.sys.c.rar (4KB) 179 2007-01-14 19:51

喜欢2

最新喜欢：

zonrbo...

玄风残翼驱动牛犊注册日期2005-10-10 最后登录2015-04-07 粉丝0 关注0 积分21分威望172点贡献值0点好评度24点原创分0分专家分0分加关注写私信	沙发^# 发布于：2007-01-14 19:58 鼓掌，习惯了动态分析，现在正在学IDA，以后向大家多多学习。
	回复(0) 喜欢(0)

WY.lslrt

驱动牛犊

注册日期2004-07-30
最后登录2009-10-27
粉丝0
关注0
积分116分
威望15点
贡献值0点
好评度10点
原创分0分
专家分0分

加关注写私信

板凳^#

发布于：2007-01-14 20:15

好贴，顶一下

---传说中的分割线--------

回复喜欢

binjo

论坛版主

注册日期2003-04-23
最后登录2012-06-25
粉丝0
关注0
积分1002分
威望142点
贡献值0点
好评度140点
原创分0分
专家分0分

加关注写私信

地板^#

发布于：2007-01-15 10:25

ntStatus = IoCreateDevice(
          DriverObject,
          0,              
          &DeviceNameString,
          FILE_DEVICE_DISK_FILE_SYSTEM,//8790H
          FILE_DEVICE_SECURE_OPEN,
          FALSE,
          & deviceObject );

这里
   FILE_DEVICE_DISK_FILE_SYSTEM,//8790H
可能你从其它src里抄过来没改哈，sys中应该是FILE_DEVICE_UNKNOWN

   UnKnowVariable[2]=0x1EC;
   UnKnowVariable[3]=0x1F0;
   UnKnowVariable[4]=0x174;
这三个结构分别是：
_ETHREAD.Cid
_ETHREAD.UniqueThread
_EPROCESS.ImageFileName
其它几个单纯看ida我是看不出的

另外你说的 _KPROCESS结构体，不知你是从哪看出来要用到的？这个在我xp sp2的windbg里是这样的

lkd> dt  _KPROCESs
nt!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY
   +0x018 DirectoryTableBase : [2] Uint4B
   +0x020 LdtDescriptor    : _KGDTENTRY
   +0x028 Int21Descriptor  : _KIDTENTRY
   +0x030 IopmOffset       : Uint2B
   +0x032 Iopl             : UChar
   +0x033 Unused           : UChar
   +0x034 ActiveProcessors : Uint4B
   +0x038 KernelTime       : Uint4B
   +0x03c UserTime         : Uint4B
   +0x040 ReadyListHead    : _LIST_ENTRY
   +0x048 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x04c VdmTrapcHandler  : Ptr32 Void
   +0x050 ThreadListHead   : _LIST_ENTRY
   +0x058 ProcessLock      : Uint4B
   +0x05c Affinity         : Uint4B
   +0x060 StackCount       : Uint2B
   +0x062 BasePriority     : Char
   +0x063 ThreadQuantum    : Char
   +0x064 AutoAlignment    : UChar
   +0x065 State            : UChar
   +0x066 ThreadSeed       : UChar
   +0x067 DisableBoost     : UChar
   +0x068 PowerState       : UChar
   +0x069 DisableQuantum   : UChar
   +0x06a IdealNode        : UChar
   +0x06b Flags            : _KEXECUTE_OPTIONS
   +0x06b ExecuteOptions   : UChar

回复喜欢

qiweixue 驱动小牛注册日期2004-07-21 最后登录2011-12-19 粉丝0 关注0 积分1006分威望274点贡献值0点好评度268点原创分1分专家分0分加关注写私信	地下室^# 发布于：2007-01-15 11:11 谢谢 binjo斑竹!!! _KProcess结构体在这里发现的: peProcess=IoThreadToProcess((PETHREAD)PUnKownData_A);// 最近windbg刚刚配置好双机调试...很都结构体非它不行捏.si有时候也只是兴叹了一下! 正在学习之中...
	回复(0) 喜欢(0)

qiweixue

驱动小牛

注册日期2004-07-21
最后登录2011-12-19
粉丝0
关注0
积分1006分
威望274点
贡献值0点
好评度268点
原创分1分
专家分0分

加关注写私信

5楼^#

发布于：2007-01-15 11:28

PEPROCESS IoThreadToProcess( IN PETHREAD Thread );

应该是返回EPROCESS结构体的.看错了之前不会用windbg.我把_KPROCESS等同与EPROCESS结构体,我只看的是ntddk.h头文件.

文章bug慢慢改过来.最近有点忙.修订一下是EPROCESS结构体:
winxp sp2

+0x000 Pcb : _KPROCESS
   +0x06c ProcessLock : _EX_PUSH_LOCK
   +0x070 CreateTime : _LARGE_INTEGER
   +0x078 ExitTime : _LARGE_INTEGER
   +0x080 RundownProtect : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage : [3] Uint4B
   +0x09c QuotaPeak : [3] Uint4B
   +0x0a8 CommitCharge : Uint4B
   +0x0ac PeakVirtualSize : Uint4B
   +0x0b0 VirtualSize : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort : Ptr32 Void
   +0x0c0 ExceptionPort : Ptr32 Void
   +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
   +0x0c8 Token : _EX_FAST_REF
   +0x0cc WorkingSetLock : _FAST_MUTEX
   +0x0ec WorkingSetPage : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock : Uint4B
   +0x114 ForkInProgress : Ptr32 _ETHREAD
   +0x118 HardwareTrigger : Uint4B
   +0x11c VadRoot : Ptr32 Void
   +0x120 VadHint : Ptr32 Void
   +0x124 CloneRoot : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process : Ptr32 Void
   +0x134 Job : Ptr32 _EJOB
   +0x138 SectionObject : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation : Ptr32 Void
   +0x154 VadFreeHint : Ptr32 Void
   +0x158 VdmObjects : Ptr32 Void
   +0x15c DeviceMap : Ptr32 Void
   +0x160 PhysicalVadList : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE
   +0x168 Filler : Uint8B
   +0x170 Session : Ptr32 Void
   +0x174 ImageFileName : [16] UChar
   +0x184 JobLinks : _LIST_ENTRY
   +0x18c LockedPagesList : Ptr32 Void
   +0x190 ThreadListHead : _LIST_ENTRY
   +0x198 SecurityPort : Ptr32 Void
   +0x19c PaeTop : Ptr32 Void
   +0x1a0 ActiveThreads : Uint4B
   +0x1a4 GrantedAccess : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb : Ptr32 _PEB
   +0x1b4 PrefetchTrace : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm : _MMSUPPORT
   +0x238 LastFaultCount : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads : Uint4B
   +0x244 JobStatus : Uint4B
   +0x248 Flags : Uint4B
   +0x248 CreateReported : Pos 0, 1 Bit
   +0x248 NoDebugInherit : Pos 1, 1 Bit
   +0x248 ProcessExiting : Pos 2, 1 Bit
   +0x248 ProcessDelete : Pos 3, 1 Bit
   +0x248 Wow64SplitPages : Pos 4, 1 Bit
   +0x248 VmDeleted : Pos 5, 1 Bit
   +0x248 OutswapEnabled : Pos 6, 1 Bit
   +0x248 Outswapped : Pos 7, 1 Bit
   +0x248 ForkFailed : Pos 8, 1 Bit
   +0x248 HasPhysicalVad : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown : Pos 21, 1 Bit
   +0x248 Unused3 : Pos 22, 1 Bit
   +0x248 Unused4 : Pos 23, 1 Bit
   +0x248 VdmAllowed : Pos 24, 1 Bit
   +0x248 Unused : Pos 25, 5 Bits
   +0x248 Unused1 : Pos 30, 1 Bit
   +0x248 Unused2 : Pos 31, 1 Bit
   +0x24c ExitStatus : Int4B
   +0x250 NextPageColor : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie : Uint4B

回复喜欢

xx_qiang 驱动小牛注册日期2004-07-30 最后登录2017-02-27 粉丝2 关注1 积分31分威望249点贡献值0点好评度171点原创分0分专家分0分加关注写私信	6楼^# 发布于：2007-01-16 14:16 顶一把，学习中。。。。
	回复(0) 喜欢(0)

wanshi131

驱动牛犊

注册日期2005-11-05
最后登录2010-06-09
粉丝0
关注0
积分0分
威望18点
贡献值0点
好评度17点
原创分0分
专家分0分

加关注写私信

7楼^#

发布于：2007-01-17 11:45

学习，我最近也中了一个木马。怎么也删不掉，决定把它逆向了。不过俺还没入门

海内存知己，天涯若比邻

回复喜欢

MichaelLi 驱动牛犊注册日期2003-10-02 最后登录2009-02-10 粉丝0 关注0 积分700分威望70点贡献值0点好评度70点原创分0分专家分0分加关注写私信	8楼^# 发布于：2007-01-23 12:19 学习中
	回复(0) 喜欢(0)

zhoujiamurong 驱动小牛注册日期2006-03-20 最后登录2009-05-06 粉丝4 关注0 积分1081分威望360点贡献值0点好评度215点原创分0分专家分0分加关注写私信	9楼^# 发布于：2008-04-06 16:17 弱弱的问一句楼主是反过来是 RtlInitUnicodeString( &LinkDeviceNameString,L"\\DosDevices\\slEnumHook2"); 我怎么反过来是 RtlInitUnicodeString( &LinkDeviceNameString,L"\\??\\slEnumHook2"); 我这块概念不清楚？到底是怎样的？还是两个都可以？
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册