一字节anti创建进程线程等回调
很久没有发帖子了~~~上次一个哥们 一字节anti callbacks 其实还有更多地方哦~~~
但是这样 还是不够的
这次 一字节 anti 创建进程线程回调~~~
pspexitthread:
; Disassembly excerpt (MASM/IDA syntax, Microsoft x64 ABI: rcx, rdx, r8, r9) from PspExitThread, as posted.
; Several destination operands were dropped when the post was extracted (the lines reading "mov , ...");
; they are left untouched rather than guessed. "csspNotifyEnableMask" is "cs:PspNotifyEnableMask" with
; the ":P" eaten by the forum's emoji filter (the symbol name is confirmed by the windbg dump below).
loc_140355BB8:
        xor     r8d, r8d                ; arg3 = 0
        xor     edx, edx                ; arg2 = 0
        mov     rcx, rdi                ; arg1 = rdi (presumably the thread object — not shown here)
        call    EtwTraceThread
        mov     , sil                   ; destination lost in extraction
        mov     byte ptr , sil          ; destination lost in extraction
        mov     , rsi                   ; destination lost in extraction
        mov     , ebx                   ; destination lost in extraction
        or      rax, 0FFFFFFFFFFFFFFFFh ; rax = -1
        add     , ax                    ; 16-bit decrement of a lost destination (ax = 0FFFFh)
        mov     eax, csspNotifyEnableMask ; eax = PspNotifyEnableMask (7 in the dump below)
        mov     r13d, 8
        test    r13b, al                ; bit 3 (0x8) of the mask
        jnz     loc_14033B3EB           ; taken only while that bit is set; never taken once the mask is 0
        ; NOTE(review): from a defender's side, this global is a single-point switch for the notify
        ; paths gated here; an integrity check that compares its value with the registered notify
        ; routine state would expose an unexpected zero — per-build coverage is TODO confirm.
pspexitprocess
; Disassembly excerpt from PspExitProcess, as posted (same extraction damage as the thread excerpt:
; the "dec word ptr" destination is missing, and "csspNotifyEnableMask" is "cs:PspNotifyEnableMask").
        dec     word ptr                ; destination lost in extraction
        mov     ebp, csspNotifyEnableMask ; ebp = PspNotifyEnableMask
        mov     eax, csspNotifyEnableMask ; eax = PspNotifyEnableMask
        shr     bpl, 2                  ; bpl = mask >> 2
        and     bpl, r14b               ; bpl &= r14b (r14 is set outside this excerpt)
        test    al, 2                   ; bit 1 (0x2) of the mask
        jz      loc_1403BD6B6           ; skipped only while that bit is set; always taken once the mask is 0
先看一下 上面的反汇编代码
windbg 动态调试时看到的值为:
kd> dq PspNotifyEnableMask
fffff800`03e824e0 00000000`00000007 00000000`00000000
fffff800`03e824f0 00000000`00000000 00000000`00000000
fffff800`03e82500 fffff8a0`0008ef5f 00000000`00000000
fffff800`03e82510 00000000`00000000 00000000`00000000
fffff800`03e82520 00000000`00000000 00000000`00000000
fffff800`03e82530 00000000`00000000 00000000`00000000
fffff800`03e82540 00000000`00000001 00000000`00000000
fffff800`03e82550 00000000`00000000 00000000`00000000
so :*(ULONG32*)PspNotifyEnableMask=NULL;