PspCreateProcessNotifyRoutine,PspCreateThreadNotifyRoutine,PspLoadImageNotifyRoutine表全部清空
2009-08-20 11:31
453 查看
RtlInitUnicodeString(&name,L"PsSetCreateProcessNotifyRoutine");
RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));
RtlInitUnicodeString(&name,L"PsRemoveCreateThreadNotifyRoutine");
RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));
RtlInitUnicodeString(&name,L"PsRemoveLoadImageNotifyRoutine");
RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));
__declspec(naked) void DisableWPBitAndCli()
{
__asm
{
cli
mov eax, cr0
and eax, 0xFFFEFFFF
mov cr0, eax
retn
}
}
__declspec(naked) void EnableWPBitAndSti()
{
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti
retn
}
}
NTSTATUS
MydrvDispatch (
IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp
)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0L;
IoCompleteRequest( Irp, 0 );
return Irp->IoStatus.Status;
}
/*
NTSTATUS RemoveNotifyRoutine(PVOID RemoveFunPointer)
can remove all of the Routine of CreateThread and CreateProcess and LoadImage
注意传入参数为下面三者之一
PsSetCreateProcessNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
===========
by xp sp2
*/
NTSTATUS RemoveNotifyRoutine(PVOID RemoveFunPointer)
{
ULONG AddrFun;
ULONG* pRoutineList;
ULONG i;
pRoutineList = 0;
AddrFun = (ULONG)RemoveFunPointer;
DbgPrint("RemoveNotifyRoutine = %08X/n",RemoveFunPointer);
//
//the RemoveFunPointer could
//only be PsRemoveLoadImageNotifyRoutine
//or PsSetCreateProcessNotifyRoutine
//or PsRemoveCreateThreadNotifyRoutine
//find code bf 00975680 mov edi,offset nt!PsThreadType+0x44 (80569700)
//
for(i = AddrFun;i<AddrFun + 0x20;i++)
{
if( 0xbf == *(PBYTE)i )
{
i++;
pRoutineList = (ULONG*)( *(ULONG*)i );
break;
}
}
if( 0 == pRoutineList)
{
DbgPrint("Can not find the RoutineList/n");
return STATUS_UNSUCCESSFUL;
}
if( TRUE != MmIsAddressValid((PVOID)pRoutineList) )// memory is valid
{
DbgPrint("Access Memory is not Valid %08X/n",pRoutineList);
return STATUS_UNSUCCESSFUL;
}
//
//Zero the PspCreateThreadNotifyRoutine;
//
DisableWPBitAndCli();
for(i=0;i<8;i++) //这里写成0x40也没有问题,我看他这个表应该长度为0x40,但网上说PspCreateProcessNotifyRoutine表长
度在win2K下为8,xp下为多少,我没有找到资料,懒得去分析代码找出他的长度
{
//if( 0 == pRoutineList[i] )break;
pRoutineList[i] = 0;//清空
}
EnableWPBitAndSti();
DbgPrint("RemoveNotifyRoutine STATUS_SUCCESS %08X/n",RemoveFunPointer);
return STATUS_SUCCESS;
RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));
RtlInitUnicodeString(&name,L"PsRemoveCreateThreadNotifyRoutine");
RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));
RtlInitUnicodeString(&name,L"PsRemoveLoadImageNotifyRoutine");
RemoveNotifyRoutine((PVOID)MmGetSystemRoutineAddress(&name));
__declspec(naked) void DisableWPBitAndCli()
{
__asm
{
cli
mov eax, cr0
and eax, 0xFFFEFFFF
mov cr0, eax
retn
}
}
__declspec(naked) void EnableWPBitAndSti()
{
__asm
{
mov eax, cr0
or eax, 0x10000
mov cr0, eax
sti
retn
}
}
NTSTATUS
MydrvDispatch (
IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp
)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0L;
IoCompleteRequest( Irp, 0 );
return Irp->IoStatus.Status;
}
/*
NTSTATUS RemoveNotifyRoutine(PVOID RemoveFunPointer)
can remove all of the Routine of CreateThread and CreateProcess and LoadImage
注意传入参数为下面三者之一
PsSetCreateProcessNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
PsRemoveLoadImageNotifyRoutine
===========
by xp sp2
*/
NTSTATUS RemoveNotifyRoutine(PVOID RemoveFunPointer)
{
ULONG AddrFun;
ULONG* pRoutineList;
ULONG i;
pRoutineList = 0;
AddrFun = (ULONG)RemoveFunPointer;
DbgPrint("RemoveNotifyRoutine = %08X/n",RemoveFunPointer);
//
//the RemoveFunPointer could
//only be PsRemoveLoadImageNotifyRoutine
//or PsSetCreateProcessNotifyRoutine
//or PsRemoveCreateThreadNotifyRoutine
//find code bf 00975680 mov edi,offset nt!PsThreadType+0x44 (80569700)
//
for(i = AddrFun;i<AddrFun + 0x20;i++)
{
if( 0xbf == *(PBYTE)i )
{
i++;
pRoutineList = (ULONG*)( *(ULONG*)i );
break;
}
}
if( 0 == pRoutineList)
{
DbgPrint("Can not find the RoutineList/n");
return STATUS_UNSUCCESSFUL;
}
if( TRUE != MmIsAddressValid((PVOID)pRoutineList) )// memory is valid
{
DbgPrint("Access Memory is not Valid %08X/n",pRoutineList);
return STATUS_UNSUCCESSFUL;
}
//
//Zero the PspCreateThreadNotifyRoutine;
//
DisableWPBitAndCli();
for(i=0;i<8;i++) //这里写成0x40也没有问题,我看他这个表应该长度为0x40,但网上说PspCreateProcessNotifyRoutine表长
度在win2K下为8,xp下为多少,我没有找到资料,懒得去分析代码找出他的长度
{
//if( 0 == pRoutineList[i] )break;
pRoutineList[i] = 0;//清空
}
EnableWPBitAndSti();
DbgPrint("RemoveNotifyRoutine STATUS_SUCCESS %08X/n",RemoveFunPointer);
return STATUS_SUCCESS;
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- CreateThread CreateProcess
- 剥下“java.lang.OutOfMemoryError: unable to create new native thread”的外衣 创建线程数公式(MaxProcessMemory - JVMMemory – ReservedOsMemory)
- 监控系统所有进程的创建和销毁 (PsSetCreateProcessNotifyRoutine)
- CreateRemoteThread和WriteProcessMemory技术
- 赞!VC++编程创建远程线程式调用CALL_VirtualAllocEx_WriteProcessMemory_CreateRemoteThread_WaitForSingleObject
- Inlinehook PspCreateProcess
- Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows7
- CreateRemoteThread和WriteProcessMemory技术
- Exception in thread "main" java.io.IOException: Cannot run program "XX": CreateProcess error
- 《Windows API巡礼》--CreateRemoteThread和WriteProcessMemory
- Exception in thread "main" java.io.IOException: Cannot run program "XX": CreateProcess error
- VirtualAllocEx;WriteProcessMemory;CreateRemoteThread
- CreateRemoteThreadWriteProcessMemory技术 简要的
- PspCreateProcess
- CreateRemoteThread和WriteProcessMemory技术
- Create Process Thread Linux
- 进程创建过程分析NtCreateProcess-NtCreateProcessEx-PspCreateProcess
- CreateRemoteThread和WriteProcessMemory技术
- delphi Createthread的线程传参数
- 启动jupyter&ipython时,报错“Fatal error in launcher: Unable to create process using '"'”