WIN7X64定位PsTerminateProcess
大家对PspTerminateProcess这玩意不陌生吧,这玩意在pjf的《进程终止的内幕》提到过。而搜索PspTerminateProcess的方法我觉得很恶心人,其实根本不用那么麻烦,先搞到NtTerminateJobObject,找到PspTerminateAllProcessesInJob,然后就可以找到PspTerminateProcess了,如图所示:这并不是本文的重点,重点是:在x64下,没有名为PspTerminateProcess的函数!当输入了uf nt!PspTerminateProcess指令后,WinDbg的输出显示不能解析指令!
lkd> uf nt!PspTerminateProcess
Couldn't resolve error at 'nt!PspTerminateProcess'
本人声明一下绝对不是符号文件的问题!
如果你认为输入了uf nt!PspTerminateProcess提示未找到函数就认为这种函数不存在,你就错了!它只是换了个名字罢了!
那么换了什么名字呢?我们先查看NtTerminateJobObject的反汇编代码:
lkd> uf nt!NtTerminateJobObject
nt!NtTerminateJobObject:
fffff800`01ae2890 4c8bdc mov r11,rsp
fffff800`01ae2893 49895b08 mov qword ptr ,rbx
fffff800`01ae2897 57 push rdi
fffff800`01ae2898 4883ec40 sub rsp,40h
fffff800`01ae289c 65488b042588010000 mov rax,qword ptr gs:
fffff800`01ae28a5 498363e800 and qword ptr ,0
fffff800`01ae28aa 4c8b05d729fdffmov r8,qword ptr
fffff800`01ae28b1 448a88f6010000mov r9b,byte ptr
fffff800`01ae28b8 8bfa mov edi,edx
fffff800`01ae28ba 498d5318 lea rdx,
fffff800`01ae28be 498953e0 mov qword ptr ,rdx
fffff800`01ae28c2 ba08000000 mov edx,8
fffff800`01ae28c7 c744242044666c74 mov dword ptr ,746C6644h
fffff800`01ae28cf e80c7c0900 call nt!ObReferenceObjectByHandleWithTag (fffff800`01b7a4e0)
fffff800`01ae28d4 8bd8 mov ebx,eax
fffff800`01ae28d6 85c0 test eax,eax
fffff800`01ae28d8 781b js nt!NtTerminateJobObject+0x65 (fffff800`01ae28f5)
nt!NtTerminateJobObject+0x4a:
fffff800`01ae28da 488b4c2460 mov rcx,qword ptr
fffff800`01ae28df 4533c0 xor r8d,r8d
fffff800`01ae28e2 8bd7 mov edx,edi
fffff800`01ae28e4 e8d7000000 call nt!PspTerminateAllProcessesInJob (fffff800`01ae29c0)
fffff800`01ae28e9 488b4c2460 mov rcx,qword ptr
fffff800`01ae28ee e84dbbdaff call nt!ObfDereferenceObject (fffff800`0188e440)
fffff800`01ae28f3 8bc3 mov eax,ebx
nt!NtTerminateJobObject+0x65:
fffff800`01ae28f5 488b5c2450 mov rbx,qword ptr
fffff800`01ae28fa 4883c440 add rsp,40h
fffff800`01ae28fe 5f pop rdi
fffff800`01ae28ff c3 ret
注意到“fffff800`01ae28e4 e8d7000000 call nt!PspTerminateAllProcessesInJob (fffff800`01ae29c0)”这行标记了红色的代码了没?又是熟悉的函数,看看反汇编代码吧。
lkd> uf nt!PspTerminateAllProcessesInJob
nt!PspTerminateAllProcessesInJob:
fffff800`01ae29c0 48895c2408 mov qword ptr ,rbx
fffff800`01ae29c5 48896c2410 mov qword ptr ,rbp
fffff800`01ae29ca 4889742418 mov qword ptr ,rsi
fffff800`01ae29cf 57 push rdi
fffff800`01ae29d0 4154 push r12
fffff800`01ae29d2 4155 push r13
fffff800`01ae29d4 4156 push r14
fffff800`01ae29d6 4157 push r15
fffff800`01ae29d8 4883ec20 sub rsp,20h
fffff800`01ae29dc 65488b342588010000 mov rsi,qword ptr gs:
fffff800`01ae29e5 448bf2 mov r14d,edx
fffff800`01ae29e8 4533ff xor r15d,r15d
fffff800`01ae29eb 33d2 xor edx,edx
fffff800`01ae29ed 458ae8 mov r13b,r8b
fffff800`01ae29f0 488bd9 mov rbx,rcx
fffff800`01ae29f3 418aef mov bpl,r15b
fffff800`01ae29f6 e80dffffff call nt!PsGetNextJobProcess (fffff800`01ae2908)
fffff800`01ae29fb 493bc7 cmp rax,r15
fffff800`01ae29fe 0f854c210f00 jne nt! ?? ::NNGAKEGL::`string'+0x48d20 (fffff800`01bd4b50)
nt!PspTerminateAllProcessesInJob+0x44:
fffff800`01ae2a04 488b5c2450 mov rbx,qword ptr
fffff800`01ae2a09 488b742460 mov rsi,qword ptr
fffff800`01ae2a0e 408ac5 mov al,bpl
fffff800`01ae2a11 488b6c2458 mov rbp,qword ptr
fffff800`01ae2a16 4883c420 add rsp,20h
fffff800`01ae2a1a 415f pop r15
fffff800`01ae2a1c 415e pop r14
fffff800`01ae2a1e 415d pop r13
fffff800`01ae2a20 415c pop r12
fffff800`01ae2a22 5f pop rdi
fffff800`01ae2a23 c3 ret
nt! ?? ::NNGAKEGL::`string'+0x48d20:
fffff800`01bd4b50 488bf8 mov rdi,rax
fffff800`01bd4b53 41bf01000000 mov r15d,1
nt! ?? ::NNGAKEGL::`string'+0x48d29:
fffff800`01bd4b59 4484bf3c040000test byte ptr ,r15b
fffff800`01bd4b60 0f8593000000 jne nt! ?? ::NNGAKEGL::`string'+0x48dc9 (fffff800`01bd4bf9)
nt! ?? ::NNGAKEGL::`string'+0x48d36:
fffff800`01bd4b66 418bd6 mov edx,r14d
fffff800`01bd4b69 488bcf mov rcx,rdi
fffff800`01bd4b6c e8af550600 call nt!PsTerminateProcess (fffff800`01c3a120)
fffff800`01bd4b71 85c0 test eax,eax
fffff800`01bd4b73 0f8880000000 js nt! ?? ::NNGAKEGL::`string'+0x48dc9 (fffff800`01bd4bf9)
nt! ?? ::NNGAKEGL::`string'+0x48d49:
fffff800`01bd4b79 66ff8ec4010000dec word ptr
fffff800`01bd4b80 488d4b38 lea rcx,
fffff800`01bd4b84 418ad7 mov dl,r15b
fffff800`01bd4b87 e8f458cbff call nt!ExAcquireResourceExclusiveLite (fffff800`0188a480)
fffff800`01bd4b8c 4484bf3c040000test byte ptr ,r15b
fffff800`01bd4b93 7538 jne nt! ?? ::NNGAKEGL::`string'+0x48d9d (fffff800`01bd4bcd)
nt! ?? ::NNGAKEGL::`string'+0x48d65:
fffff800`01bd4b95 f04409bf3c040000 lock or dword ptr ,r15d
fffff800`01bd4b9d 4584ed test r13b,r13b
fffff800`01bd4ba0 7407 je nt! ?? ::NNGAKEGL::`string'+0x48d79 (fffff800`01bd4ba9)
nt! ?? ::NNGAKEGL::`string'+0x48d72:
fffff800`01bd4ba2 4401bbcc000000add dword ptr ,r15d
nt! ?? ::NNGAKEGL::`string'+0x48d79:
fffff800`01bd4ba9 8383c8000000ffadd dword ptr ,0FFFFFFFFh
fffff800`01bd4bb0 750d jne nt! ?? ::NNGAKEGL::`string'+0x48d8f (fffff800`01bd4bbf)
nt! ?? ::NNGAKEGL::`string'+0x48d82:
fffff800`01bd4bb2 4533c0 xor r8d,r8d
fffff800`01bd4bb5 33d2 xor edx,edx
fffff800`01bd4bb7 488bcb mov rcx,rbx
fffff800`01bd4bba e8413acbff call nt!KeSetEvent (fffff800`01888600)
nt! ?? ::NNGAKEGL::`string'+0x48d8f:
fffff800`01bd4bbf 488bd7 mov rdx,rdi
fffff800`01bd4bc2 488bcb mov rcx,rbx
fffff800`01bd4bc5 e8429af6ff call nt!PspFoldProcessAccountingIntoJob (fffff800`01b3e60c)
fffff800`01bd4bca 418aef mov bpl,r15b
nt! ?? ::NNGAKEGL::`string'+0x48d9d:
fffff800`01bd4bcd 488d4b38 lea rcx,
fffff800`01bd4bd1 e85ac3cbff call nt!ExReleaseResourceLite (fffff800`01890f30)
fffff800`01bd4bd6 664401bec4010000 add word ptr ,r15w
fffff800`01bd4bde 7519 jne nt! ?? ::NNGAKEGL::`string'+0x48dc9 (fffff800`01bd4bf9)
nt! ?? ::NNGAKEGL::`string'+0x48db0:
fffff800`01bd4be0 488d4650 lea rax,
fffff800`01bd4be4 483900 cmp qword ptr ,rax
fffff800`01bd4be7 7410 je nt! ?? ::NNGAKEGL::`string'+0x48dc9 (fffff800`01bd4bf9)
nt! ?? ::NNGAKEGL::`string'+0x48db9:
fffff800`01bd4be9 33c0 xor eax,eax
fffff800`01bd4beb 663986c6010000cmp word ptr ,ax
fffff800`01bd4bf2 7505 jne nt! ?? ::NNGAKEGL::`string'+0x48dc9 (fffff800`01bd4bf9)
nt! ?? ::NNGAKEGL::`string'+0x48dc4:
fffff800`01bd4bf4 e8b7cbc5ff call nt!KiCheckForKernelApcDelivery (fffff800`018317b0)
nt! ?? ::NNGAKEGL::`string'+0x48dc9:
fffff800`01bd4bf9 488bd7 mov rdx,rdi
fffff800`01bd4bfc 488bcb mov rcx,rbx
fffff800`01bd4bff e804ddf0ff call nt!PsGetNextJobProcess (fffff800`01ae2908)
fffff800`01bd4c04 488bf8 mov rdi,rax
fffff800`01bd4c07 33c0 xor eax,eax
fffff800`01bd4c09 483bf8 cmp rdi,rax
fffff800`01bd4c0c 0f8547ffffff jne nt! ?? ::NNGAKEGL::`string'+0x48d29 (fffff800`01bd4b59)
nt! ?? ::NNGAKEGL::`string'+0x48de2:
fffff800`01bd4c12 e9edddf0ff jmp nt!PspTerminateAllProcessesInJob+0x44 (fffff800`01ae2a04)
看到没?!PspTerminateProcess其实没有消失,它只是改了名叫PsTerminateProcess!反汇编一下这个函数,发现它是老套的调用PspTerminateThreadByPointer方式!
lkd> uf nt!PsTerminateProcess
nt!PsTerminateProcess:
fffff800`01c3a120 48895c2408 mov qword ptr ,rbx
fffff800`01c3a125 4889742410 mov qword ptr ,rsi
fffff800`01c3a12a 57 push rdi
fffff800`01c3a12b 4883ec20 sub rsp,20h
fffff800`01c3a12f 65488b1c2588010000 mov rbx,qword ptr gs:
fffff800`01c3a138 4c8bd1 mov r10,rcx
fffff800`01c3a13b be01000000 mov esi,1
fffff800`01c3a140 66ff8bc4010000dec word ptr
fffff800`01c3a147 0f0d8940040000prefetchw
fffff800`01c3a14e 8b8140040000 mov eax,dword ptr
nt!PsTerminateProcess+0x34:
fffff800`01c3a154 8bc8 mov ecx,eax
fffff800`01c3a156 83c908 or ecx,8
fffff800`01c3a159 f0410fb18a40040000 lock cmpxchg dword ptr ,ecx
fffff800`01c3a162 75f0 jne nt!PsTerminateProcess+0x34 (fffff800`01c3a154)
nt!PsTerminateProcess+0x44:
fffff800`01c3a164 a808 test al,8
fffff800`01c3a166 7408 je nt!PsTerminateProcess+0x50 (fffff800`01c3a170)
nt!PsTerminateProcess+0x48:
fffff800`01c3a168 41b903000000 mov r9d,3
fffff800`01c3a16e eb10 jmp nt!PsTerminateProcess+0x60 (fffff800`01c3a180)
nt!PsTerminateProcess+0x50:
fffff800`01c3a170 448bce mov r9d,esi
fffff800`01c3a173 b905000000 mov ecx,5
fffff800`01c3a178 0fbae01e bt eax,1Eh
fffff800`01c3a17c 440f42c9 cmovb r9d,ecx
nt!PsTerminateProcess+0x60:
fffff800`01c3a180 448bc2 mov r8d,edx
fffff800`01c3a183 498bca mov rcx,r10
fffff800`01c3a186 488bd3 mov rdx,rbx
fffff800`01c3a189 e8122cf0ff call nt!PspTerminateAllThreads (fffff800`01b3cda0)
fffff800`01c3a18e 8bf8 mov edi,eax
fffff800`01c3a190 6601b3c4010000add word ptr ,si
fffff800`01c3a197 7518 jne nt!PsTerminateProcess+0x91 (fffff800`01c3a1b1)
nt!PsTerminateProcess+0x79:
fffff800`01c3a199 488d4b50 lea rcx,
fffff800`01c3a19d 483909 cmp qword ptr ,rcx
fffff800`01c3a1a0 740f je nt!PsTerminateProcess+0x91 (fffff800`01c3a1b1)
nt!PsTerminateProcess+0x82:
fffff800`01c3a1a2 6683bbc601000000 cmp word ptr ,0
fffff800`01c3a1aa 7505 jne nt!PsTerminateProcess+0x91 (fffff800`01c3a1b1)
nt!PsTerminateProcess+0x8c:
fffff800`01c3a1ac e8ff75bfff call nt!KiCheckForKernelApcDelivery (fffff800`018317b0)
nt!PsTerminateProcess+0x91:
fffff800`01c3a1b1 488b5c2430 mov rbx,qword ptr
fffff800`01c3a1b6 488b742438 mov rsi,qword ptr
fffff800`01c3a1bb 8bc7 mov eax,edi
fffff800`01c3a1bd 4883c420 add rsp,20h
fffff800`01c3a1c1 5f pop rdi
fffff800`01c3a1c2 c3 ret
lkd> uf nt!PspTerminateAllThreads
nt!PspTerminateAllThreads:
fffff800`01b3cda0 488bc4 mov rax,rsp
fffff800`01b3cda3 48895808 mov qword ptr ,rbx
fffff800`01b3cda7 48896810 mov qword ptr ,rbp
fffff800`01b3cdab 48897018 mov qword ptr ,rsi
fffff800`01b3cdaf 44894820 mov dword ptr ,r9d
fffff800`01b3cdb3 57 push rdi
fffff800`01b3cdb4 4154 push r12
fffff800`01b3cdb6 4155 push r13
fffff800`01b3cdb8 4156 push r14
fffff800`01b3cdba 4157 push r15
fffff800`01b3cdbc 4883ec20 sub rsp,20h
fffff800`01b3cdc0 0fbaa1400400000d bt dword ptr ,0Dh
fffff800`01b3cdc8 458bf1 mov r14d,r9d
fffff800`01b3cdcb 458be8 mov r13d,r8d
fffff800`01b3cdce 488bea mov rbp,rdx
fffff800`01b3cdd1 488bf9 mov rdi,rcx
fffff800`01b3cdd4 0f82bbd20700 jb nt! ?? ::NNGAKEGL::`string'+0x17ac0 (fffff800`01bba095)
nt!PspTerminateAllThreads+0x3a:
fffff800`01b3cdda 4c8b7d70 mov r15,qword ptr
fffff800`01b3cdde 33d2 xor edx,edx
fffff800`01b3cde0 488bcf mov rcx,rdi
fffff800`01b3cde3 e8b8feffff call nt!PspGetPreviousProcessThread (fffff800`01b3cca0)
fffff800`01b3cde8 8b5c2468 mov ebx,dword ptr
fffff800`01b3cdec 488bf0 mov rsi,rax
fffff800`01b3cdef 410fb6c6 movzx eax,r14b
fffff800`01b3cdf3 83e001 and eax,1
fffff800`01b3cdf6 03c0 add eax,eax
fffff800`01b3cdf8 33c3 xor eax,ebx
fffff800`01b3cdfa 83e002 and eax,2
fffff800`01b3cdfd 33d8 xor ebx,eax
fffff800`01b3cdff 410fb6c6 movzx eax,r14b
fffff800`01b3ce03 d1e8 shr eax,1
fffff800`01b3ce05 83e001 and eax,1
fffff800`01b3ce08 33c3 xor eax,ebx
fffff800`01b3ce0a 83e001 and eax,1
fffff800`01b3ce0d 33d8 xor ebx,eax
fffff800`01b3ce0f 410fb6c6 movzx eax,r14b
fffff800`01b3ce13 c1e802 shr eax,2
fffff800`01b3ce16 83e001 and eax,1
fffff800`01b3ce19 c1e002 shl eax,2
fffff800`01b3ce1c 33c3 xor eax,ebx
fffff800`01b3ce1e 83e004 and eax,4
fffff800`01b3ce21 4885f6 test rsi,rsi
fffff800`01b3ce24 0f84b3d20700 je nt! ?? ::NNGAKEGL::`string'+0x17b08 (fffff800`01bba0dd)
nt!PspTerminateAllThreads+0x8a:
fffff800`01b3ce2a 33d8 xor ebx,eax
fffff800`01b3ce2c 4533e4 xor r12d,r12d
fffff800`01b3ce2f 488bce mov rcx,rsi
fffff800`01b3ce32 f6c301 test bl,1
fffff800`01b3ce35 0f8576d20700 jne nt! ?? ::NNGAKEGL::`string'+0x17adc (fffff800`01bba0b1)
nt!PspTerminateAllThreads+0x9b:
fffff800`01b3ce3b 4c8bf6 mov r14,rsi
fffff800`01b3ce3e e8ad40d5ff call nt!ObfReferenceObject (fffff800`01890ef0)
nt!PspTerminateAllThreads+0xa3:
fffff800`01b3ce43 483bf5 cmp rsi,rbp
fffff800`01b3ce46 0f85ba000000 jne nt!PspTerminateAllThreads+0x166 (fffff800`01b3cf06)
nt!PspTerminateAllThreads+0xac:
fffff800`01b3ce4c 488bd6 mov rdx,rsi
fffff800`01b3ce4f 488bcf mov rcx,rdi
fffff800`01b3ce52 e849feffff call nt!PspGetPreviousProcessThread (fffff800`01b3cca0)
fffff800`01b3ce57 488bf0 mov rsi,rax
fffff800`01b3ce5a 4885c0 test rax,rax
fffff800`01b3ce5d 75e4 jne nt!PspTerminateAllThreads+0xa3 (fffff800`01b3ce43)
nt!PspTerminateAllThreads+0xbf:
fffff800`01b3ce5f 33d2 xor edx,edx
nt!PspTerminateAllThreads+0xc1:
fffff800`01b3ce61 488bcf mov rcx,rdi
fffff800`01b3ce64 e83f8afeff call nt!PsGetNextProcessThread (fffff800`01b258a8)
fffff800`01b3ce69 488bf0 mov rsi,rax
fffff800`01b3ce6c 483bc5 cmp rax,rbp
fffff800`01b3ce6f 0f85d9000000 jne nt!PspTerminateAllThreads+0x1ae (fffff800`01b3cf4e)
nt!PspTerminateAllThreads+0xd5:
fffff800`01b3ce75 493bf6 cmp rsi,r14
fffff800`01b3ce78 0f8511010000 jne nt!PspTerminateAllThreads+0x1ef (fffff800`01b3cf8f)
nt!PspTerminateAllThreads+0xde:
fffff800`01b3ce7e 488bce mov rcx,rsi
fffff800`01b3ce81 e8ba15d5ff call nt!ObfDereferenceObject (fffff800`0188e440)
fffff800`01b3ce86 498bce mov rcx,r14
fffff800`01b3ce89 e8b215d5ff call nt!ObfDereferenceObject (fffff800`0188e440)
fffff800`01b3ce8e 448b742468 mov r14d,dword ptr
nt!PspTerminateAllThreads+0xf3:
fffff800`01b3ce93 f6c302 test bl,2
fffff800`01b3ce96 0f8520d20700 jne nt! ?? ::NNGAKEGL::`string'+0x17ae7 (fffff800`01bba0bc)
nt!PspTerminateAllThreads+0xfc:
fffff800`01b3ce9c 41f6c608 test r14b,8
fffff800`01b3cea0 7420 je nt!PspTerminateAllThreads+0x122 (fffff800`01b3cec2)
nt!PspTerminateAllThreads+0x102:
fffff800`01b3cea2 488d8f78010000lea rcx,
fffff800`01b3cea9 0f0d09 prefetchw
fffff800`01b3ceac 488b01 mov rax,qword ptr
fffff800`01b3ceaf 4883e0fe and rax,0FFFFFFFFFFFFFFFEh
fffff800`01b3ceb3 488d50fe lea rdx,
fffff800`01b3ceb7 f0480fb111 lock cmpxchg qword ptr ,rdx
fffff800`01b3cebc 0f8526d20700 jne nt! ?? ::NNGAKEGL::`string'+0x17b13 (fffff800`01bba0e8)
nt!PspTerminateAllThreads+0x122:
fffff800`01b3cec2 493bff cmp rdi,r15
fffff800`01b3cec5 0f85e7000000 jne nt!PspTerminateAllThreads+0x212 (fffff800`01b3cfb2)
nt!PspTerminateAllThreads+0x12b:
fffff800`01b3cecb 4181fc22010000cmp r12d,122h
fffff800`01b3ced2 0f8434d20700 je nt! ?? ::NNGAKEGL::`string'+0x17b37 (fffff800`01bba10c)
nt!PspTerminateAllThreads+0x138:
fffff800`01b3ced8 4883bff001000000 cmp qword ptr ,0
fffff800`01b3cee0 0f851dd20700 jne nt! ?? ::NNGAKEGL::`string'+0x17b2e (fffff800`01bba103)
nt!PspTerminateAllThreads+0x146:
fffff800`01b3cee6 488b5c2450 mov rbx,qword ptr
fffff800`01b3ceeb 488b6c2458 mov rbp,qword ptr
fffff800`01b3cef0 488b742460 mov rsi,qword ptr
fffff800`01b3cef5 418bc4 mov eax,r12d
fffff800`01b3cef8 4883c420 add rsp,20h
fffff800`01b3cefc 415f pop r15
fffff800`01b3cefe 415e pop r14
fffff800`01b3cf00 415d pop r13
fffff800`01b3cf02 415c pop r12
fffff800`01b3cf04 5f pop rdi
fffff800`01b3cf05 c3 ret
nt!PspTerminateAllThreads+0x166:
fffff800`01b3cf06 f6c304 test bl,4
fffff800`01b3cf09 0f8588000000 jne nt!PspTerminateAllThreads+0x1f7 (fffff800`01b3cf97)
nt!PspTerminateAllThreads+0x16f:
fffff800`01b3cf0f 488d8e30040000lea rcx,
fffff800`01b3cf16 0f0d09 prefetchw
fffff800`01b3cf19 488b01 mov rax,qword ptr
fffff800`01b3cf1c 4883e0fe and rax,0FFFFFFFFFFFFFFFEh
fffff800`01b3cf20 488d5002 lea rdx,
fffff800`01b3cf24 f0480fb111 lock cmpxchg qword ptr ,rdx
fffff800`01b3cf29 0f8595000000 jne nt!PspTerminateAllThreads+0x224 (fffff800`01b3cfc4)
nt!PspTerminateAllThreads+0x18f:
fffff800`01b3cf2f 83cb08 or ebx,8
nt!PspTerminateAllThreads+0x192:
fffff800`01b3cf32 f6c308 test bl,8
fffff800`01b3cf35 0f8411ffffff je nt!PspTerminateAllThreads+0xac (fffff800`01b3ce4c)
nt!PspTerminateAllThreads+0x19b:
fffff800`01b3cf3b 4533c0 xor r8d,r8d
fffff800`01b3cf3e 418bd5 mov edx,r13d
fffff800`01b3cf41 488bce mov rcx,rsi
fffff800`01b3cf44 e8cfd40100 call nt!PspTerminateThreadByPointer (fffff800`01b5a418)
fffff800`01b3cf49 e9fefeffff jmp nt!PspTerminateAllThreads+0xac (fffff800`01b3ce4c)
nt!PspTerminateAllThreads+0x1ae:
fffff800`01b3cf4e f6c304 test bl,4
fffff800`01b3cf51 0f851effffff jne nt!PspTerminateAllThreads+0xd5 (fffff800`01b3ce75)
nt!PspTerminateAllThreads+0x1b7:
fffff800`01b3cf57 0fbaa64804000010 bt dword ptr ,10h
fffff800`01b3cf5f 0f8210ffffff jb nt!PspTerminateAllThreads+0xd5 (fffff800`01b3ce75)
nt!PspTerminateAllThreads+0x1c5:
fffff800`01b3cf65 488d8e30040000lea rcx,
fffff800`01b3cf6c 0f0d09 prefetchw
fffff800`01b3cf6f 488b01 mov rax,qword ptr
fffff800`01b3cf72 4883e0fe and rax,0FFFFFFFFFFFFFFFEh
fffff800`01b3cf76 488d50fe lea rdx,
fffff800`01b3cf7a f0480fb111 lock cmpxchg qword ptr ,rdx
fffff800`01b3cf7f 0f84f0feffff je nt!PspTerminateAllThreads+0xd5 (fffff800`01b3ce75)
nt!PspTerminateAllThreads+0x1e5:
fffff800`01b3cf85 e88a6cd6ff call nt!ExfReleaseRundownProtection (fffff800`018a3c14)
fffff800`01b3cf8a e9e6feffff jmp nt!PspTerminateAllThreads+0xd5 (fffff800`01b3ce75)
nt!PspTerminateAllThreads+0x1ef:
fffff800`01b3cf8f 488bd6 mov rdx,rsi
fffff800`01b3cf92 e9cafeffff jmp nt!PspTerminateAllThreads+0xc1 (fffff800`01b3ce61)
nt!PspTerminateAllThreads+0x1f7:
fffff800`01b3cf97 8a864c040000 mov al,byte ptr
fffff800`01b3cf9d 33c9 xor ecx,ecx
fffff800`01b3cf9f 2480 and al,80h
fffff800`01b3cfa1 3c80 cmp al,80h
fffff800`01b3cfa3 0f94c1 sete cl
fffff800`01b3cfa6 c1e103 shl ecx,3
fffff800`01b3cfa9 33cb xor ecx,ebx
fffff800`01b3cfab 83e108 and ecx,8
fffff800`01b3cfae 33d9 xor ebx,ecx
fffff800`01b3cfb0 eb80 jmp nt!PspTerminateAllThreads+0x192 (fffff800`01b3cf32)
nt!PspTerminateAllThreads+0x212:
fffff800`01b3cfb2 4181fd04000140cmp r13d,40010004h
fffff800`01b3cfb9 0f850cffffff jne nt!PspTerminateAllThreads+0x12b (fffff800`01b3cecb)
nt!PspTerminateAllThreads+0x21f:
fffff800`01b3cfbf e92fd10700 jmp nt! ?? ::NNGAKEGL::`string'+0x17b1e (fffff800`01bba0f3)
nt!PspTerminateAllThreads+0x224:
fffff800`01b3cfc4 e82b6cd6ff call nt!ExfAcquireRundownProtection (fffff800`018a3bf4)
fffff800`01b3cfc9 84c0 test al,al
fffff800`01b3cfcb 0f855effffff jne nt!PspTerminateAllThreads+0x18f (fffff800`01b3cf2f)
nt!PspTerminateAllThreads+0x231:
fffff800`01b3cfd1 f00fbaae4804000010 lock bts dword ptr ,10h
fffff800`01b3cfda 0f92c0 setb al
fffff800`01b3cfdd 0fb6c8 movzx ecx,al
fffff800`01b3cfe0 c1e104 shl ecx,4
fffff800`01b3cfe3 33cb xor ecx,ebx
fffff800`01b3cfe5 83e110 and ecx,10h
fffff800`01b3cfe8 33d9 xor ebx,ecx
fffff800`01b3cfea 83e3f7 and ebx,0FFFFFFF7h
fffff800`01b3cfed e940ffffff jmp nt!PspTerminateAllThreads+0x192 (fffff800`01b3cf32)
nt! ?? ::NNGAKEGL::`string'+0x17ac0:
fffff800`01bba095 4c8d81e0020000lea r8,
fffff800`01bba09c 488bd1 mov rdx,rcx
fffff800`01bba09f 488d0d0addfcfflea rcx,
fffff800`01bba0a6 e845280500 call nt!PspCatchCriticalBreak (fffff800`01c0c8f0)
fffff800`01bba0ab 90 nop
fffff800`01bba0ac e9292df8ff jmp nt!PspTerminateAllThreads+0x3a (fffff800`01b3cdda)
nt! ?? ::NNGAKEGL::`string'+0x17adc:
fffff800`01bba0b1 e88a43cdff call nt!ObfDereferenceObject (fffff800`0188e440)
fffff800`01bba0b6 90 nop
fffff800`01bba0b7 e9d72df8ff jmp nt!PspTerminateAllThreads+0xf3 (fffff800`01b3ce93)
nt! ?? ::NNGAKEGL::`string'+0x17ae7:
fffff800`01bba0bc 4839bd10020000cmp qword ptr ,rdi
fffff800`01bba0c3 0f85d32df8ff jne nt!PspTerminateAllThreads+0xfc (fffff800`01b3ce9c)
nt! ?? ::NNGAKEGL::`string'+0x17af4:
fffff800`01bba0c9 4533c0 xor r8d,r8d
fffff800`01bba0cc 418bd5 mov edx,r13d
fffff800`01bba0cf 488bcd mov rcx,rbp
fffff800`01bba0d2 e84103faff call nt!PspTerminateThreadByPointer (fffff800`01b5a418)
fffff800`01bba0d7 90 nop
fffff800`01bba0d8 e9bf2df8ff jmp nt!PspTerminateAllThreads+0xfc (fffff800`01b3ce9c)
nt! ?? ::NNGAKEGL::`string'+0x17b08:
fffff800`01bba0dd 41bc22010000 mov r12d,122h
fffff800`01bba0e3 e9b42df8ff jmp nt!PspTerminateAllThreads+0xfc (fffff800`01b3ce9c)
nt! ?? ::NNGAKEGL::`string'+0x17b13:
fffff800`01bba0e8 e8279bceff call nt!ExfReleaseRundownProtection (fffff800`018a3c14)
fffff800`01bba0ed 90 nop
fffff800`01bba0ee e9cf2df8ff jmp nt!PspTerminateAllThreads+0x122 (fffff800`01b3cec2)
nt! ?? ::NNGAKEGL::`string'+0x17b1e:
fffff800`01bba0f3 33d2 xor edx,edx
fffff800`01bba0f5 488bcf mov rcx,rdi
fffff800`01bba0f8 e823a30600 call nt!DbgkClearProcessDebugObject (fffff800`01c24420)
fffff800`01bba0fd 90 nop
fffff800`01bba0fe e9c82df8ff jmp nt!PspTerminateAllThreads+0x12b (fffff800`01b3cecb)
nt! ?? ::NNGAKEGL::`string'+0x17b2e:
fffff800`01bba103 493bff cmp rdi,r15
fffff800`01bba106 0f84da2df8ff je nt!PspTerminateAllThreads+0x146 (fffff800`01b3cee6)
nt! ?? ::NNGAKEGL::`string'+0x17b37:
fffff800`01bba10c 488bcf mov rcx,rdi
fffff800`01bba10f e8bcfd0700 call nt!PspDoHandleSweepSingle (fffff800`01c39ed0)
fffff800`01bba114 4533e4 xor r12d,r12d
fffff800`01bba117 e9ca2df8ff jmp nt!PspTerminateAllThreads+0x146 (fffff800`01b3cee6)
所以,本文的主题是:Win64下PspTerminateProcess改名为PsTerminateProcess了!
起这个标题的目的是为了让大家不知道主题是什么从而点进来以增加访问量的{:soso_e113:} 我一直以为PspTerminateProcess是一个杜撰的函数。原来是真的存在啊。
顺带,这个发现不错,先从SSDT找到NtTerminateJobObject,然后从NtTerminateJobObject的末尾倒数两个CALL找到PspTerminateAllProcessesInJob,然后从PspTerminateAllProcessesInJob开头数两个CALL就能找到PsTerminateProcess。
另外,最稳定的方案,兼容2000到WIN10的,是APC法。两个重点:
1.修改ETHREAD的FLAG的那个偏移可以从PsIsSystemThread里动态获得。甚至可以直接PATCH这个函数达到目的,这样子就连修改线程FLAG的步骤都免去了。
2.枚举线程用PsLookupThreadByThreadId+IoThreadToProcess。 好帖子 顶一下 共同进步 我一直以为PspTerminateProcess是一个杜撰的函数。原来是真的存在啊。
目测你是因为uf nt!NtTerminateProcess的时候发现并没有调用PspTerminateProcess。。。
页:
[1]