下面代码中，红色标出的部分都满足吧？
还是我理解错了？
[code]
lkd> u ntopenprocess
nt!NtOpenProcess:
805727c7 68c4000000 push 0C4h
805727cc 68d8b04e80 push offset nt!ObReferenceObjectByPointer+0x127 (804eb0d8)
805727d1 e8650cf7ff call nt!CIsqrt+0x2da (804e343b)
805727d6 33f6 xor esi,esi
805727d8 8975d4 mov dword ptr [ebp-2Ch],esi
805727db 33c0 xor eax,eax
805727dd 8d7dd8 lea edi,[ebp-28h]
805727e0 ab stos dword ptr es:[edi]
lkd> u
nt!NtOpenProcess+0x1a:
805727e1 64a124010000 mov eax,dword ptr fs:[00000124h]
805727e7 8a8040010000 mov al,byte ptr [eax+140h]
805727ed 8845cc mov byte ptr [ebp-34h],al
805727f0 84c0 test al,al
805727f2 0f84b0b10600 je nt!ObSetSecurityDescriptorInfo+0x115 (805dd9a8)
805727f8 8975fc mov dword ptr [ebp-4],esi
805727fb a1d40b5680 mov eax,dword ptr [nt!MmUserProbeAddress (80560bd4)]
80572800 8b4d08 mov ecx,dword ptr [ebp+8]
lkd> u
nt!NtOpenProcess+0x3c:
80572803 3bc8 cmp ecx,eax
80572805 0f83e36c0800 jae nt!IoCheckFunctionAccess+0x17987 (805f94ee)
8057280b 8b01 mov eax,dword ptr [ecx]
8057280d 8901 mov dword ptr [ecx],eax
8057280f 8b5d10 mov ebx,dword ptr [ebp+10h]
80572812 f6c303 test bl,3
80572815 0f85da6c0800 jne nt!IoCheckFunctionAccess+0x1798e (805f94f5)
8057281b a1d40b5680 mov eax,dword ptr [nt!MmUserProbeAddress (80560bd4)]
lkd> u
nt!NtOpenProcess+0x59:
80572820 3bd8 cmp ebx,eax
80572822 0f83d76c0800 jae nt!IoCheckFunctionAccess+0x17998 (805f94ff)
80572828 397308 cmp dword ptr [ebx+8],esi
8057282b 0f9545e6 setne byte ptr [ebp-1Ah]
8057282f 8b4b0c mov ecx,dword ptr [ebx+0Ch]
80572832 894dc8 mov dword ptr [ebp-38h],ecx
80572835 8b4d14 mov ecx,dword ptr [ebp+14h]
80572838 3bce cmp ecx,esi
lkd> u
nt!NtOpenProcess+0x73:
8057283a 0f8446060300 je nt!FsRtlOplockFsctrl+0x522 (805a2e86)
80572840 f6c103 test cl,3
80572843 0f85c26c0800 jne nt!IoCheckFunctionAccess+0x179a4 (805f950b)
80572849 3bc8 cmp ecx,eax
8057284b 0f83cc6c0800 jae nt!IoCheckFunctionAccess+0x179b6 (805f951d)
80572851 8b01 mov eax,dword ptr [ecx]
80572853 8945d4 mov dword ptr [ebp-2Ch],eax
80572856 8b4104 mov eax,dword ptr [ecx+4]
lkd> u
nt!NtOpenProcess+0x92:
80572859 8945d8 mov dword ptr [ebp-28h],eax
8057285c c645e701 mov byte ptr [ebp-19h],1
80572860 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
80572864 807de600 cmp byte ptr [ebp-1Ah],0
80572868 0f85d66c0800 jne nt!IoCheckFunctionAccess+0x179dd (805f9544)
8057286e a158245680 mov eax,dword ptr [nt!PsProcessType (80562458)]
80572873 83c068 add eax,68h
80572876 50 push eax
lkd> u
nt!NtOpenProcess+0xb0:
80572877 ff750c push dword ptr [ebp+0Ch]
8057287a 8d852cffffff lea eax,[ebp-0D4h]
80572880 50 push eax
80572881 8d8548ffffff lea eax,[ebp-0B8h]
80572887 50 push eax
80572888 e83429ffff call nt!SeCreateAccessState (805651c1)
8057288d 3bc6 cmp eax,esi
8057288f 0f8cac000000 jl nt!NtOpenProcess+0x17a (80572941)
lkd> u
nt!NtOpenProcess+0xce:
80572895 ff75cc push dword ptr [ebp-34h]
80572898 ff357c056980 push dword ptr [nt!SeSystemDefaultDacl+0x9c (8069057c)]
8057289e ff3578056980 push dword ptr [nt!SeSystemDefaultDacl+0x98 (80690578)]
805728a4 e8b4feffff call nt!SeSinglePrivilegeCheck (8057275d)
805728a9 84c0 test al,al
805728ab 0f85e3640100 jne nt!RtlNtStatusToDosError+0x7b (80588d94)
805728b1 807de600 cmp byte ptr [ebp-1Ah],0
805728b5 0f85a76c0800 jne nt!IoCheckFunctionAccess+0x179fb (805f9562)
lkd> u
nt!NtOpenProcess+0xf4:
805728bb 807de700 cmp byte ptr [ebp-19h],0
805728bf 0f84d3050300 je nt!FsRtlOplockFsctrl+0x534 (805a2e98)
805728c5 8975d0 mov dword ptr [ebp-30h],esi
805728c8 3975d8 cmp dword ptr [ebp-28h],esi
805728cb 0f8560fa0100 jne nt!ObReferenceObjectByName+0x184c (80592331)
805728d1 8d45dc lea eax,[ebp-24h]
805728d4 50 push eax
805728d5 ff75d4 push dword ptr [ebp-2Ch]
lkd> u
nt!NtOpenProcess+0x111:
805728d8 e871000000 call nt!PsLookupProcessByProcessId (8057294e)
805728dd 8bf8 mov edi,eax
805728df 3bfe cmp edi,esi
805728e1 0f8c8e050300 jl nt!FsRtlOplockFsctrl+0x511 (805a2e75)
805728e7 8d45e0 lea eax,[ebp-20h]
805728ea 50 push eax
805728eb ff75cc push dword ptr [ebp-34h]
805728ee ff3558245680 push dword ptr [nt!PsProcessType (80562458)]
lkd> u
nt!NtOpenProcess+0x12d:
805728f4 56 push esi
805728f5 8d8548ffffff lea eax,[ebp-0B8h]
805728fb 50 push eax
805728fc ff75c8 push dword ptr [ebp-38h]
805728ff ff75dc push dword ptr [ebp-24h]
80572902 e86fc1ffff call nt!ObOpenObjectByPointer (8056ea76)
80572907 8bf8 mov edi,eax
80572909 8d8548ffffff lea eax,[ebp-0B8h] |