创建进程流程CreateProcess
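//---------------------------------------------------------------------------
// Process creation flow: kernel32!CreateProcess (ANSI entry point)
// Reverse-engineered call trace. Callee names are XP-era kernel32/ntdll
// internals and the system service numbers shown are build-specific.
//---------------------------------------------------------------------------
call kernel32!CreateProcessA

BOOL WINAPI CreateProcess(
    LPCTSTR               lpApplicationName,
    LPTSTR                lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCTSTR               lpCurrentDirectory,
    LPSTARTUPINFO         lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    /* Parameter note: the first and last arguments of CreateProcessInternalA
       are zero; the 10 in between forward the 10 parameters received above.
       Main purpose of this layer: convert the ANSI strings to Unicode. */
    call kernel32!CreateProcessInternalA(...)
    {
        call kernel32!CreateProcessInternalW(...)
        {
            call ntdll!ZwQueryInformationJobObject(
                HANDLE             JobHandle,
                JOBOBJECTINFOCLASS JobInformationClass,
                PVOID              JobInformation,
                ULONG              JobInformationLength,
                PULONG             ReturnLength OPTIONAL);
            // Return value is compared against C0000022h (STATUS_ACCESS_DENIED).

            call kernel32!SearchPathW(...);                   // path search
            call kernel32!GetFileAttributesW(...);            // get file attributes
            call kernel32!BasepIsSetupInvokedByWinLogon(...); // is the caller the WinLogon process?
            call ntdll!RtlDosPathNameToNtPathName_U(...);
            call ntdll!RtlInitUnicodeString();
            call ntdll!RtlDetermineDosPathNameType_U(...);    // path conversion
            call ntdll!NtOpenFile();                          // open the image file

            // Create the section. CreateFileMapping is a wrapper around NtCreateSection.
            call ntdll!NtCreateSection(
                PHANDLE            SectionHandle,
                ACCESS_MASK        DesiredAccess,
                POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
                PLARGE_INTEGER     MaximumSize OPTIONAL,
                ULONG              Protect,
                ULONG              Attributes,
                HANDLE             FileHandle OPTIONAL);     // the image is now mapped into memory

            // Presumably the Software Restriction Policy (SAFER) check on the image
            // before any code from it runs.
            call kernel32!BasepCheckWinSaferRestrictions
            {
                RtlEnterCriticalSection(...);
                NtOpenThreadToken();   // if the return value is not 0C000007Ch (STATUS_NO_TOKEN), skip ahead
                NtOpenProcessToken();  // return value compared against 0C0000022h (STATUS_ACCESS_DENIED)
            }

            call ntdll!NtQuerySection(...);

            // Read debugger settings from Image File Execution Options. A "Debugger"
            // value under the image's IFEO subkey redirects execution to another
            // binary; this is the "image hijacking" the original notes refer to,
            // so changes to that registry key are a useful detection point.
            call kernel32!LdrQueryImageFileExecutionOptions(
                IN PUNICODE_STRING SubKey,        // == "\??\E:\AAAAA.exe" (process image name)
                PCWSTR             ValueName,     // == "Debugger"
                ULONG              Type,
                PVOID              Buffer,
                ULONG              BufferSize,
                PULONG             ReturnedLength OPTIONAL);

            call kernel32!BasepIsImageVersionOk
            LoadLibraryA("advapi32.dll");
            GetProcAddress("CreateProcessAsUserSecure");
            call kernel32!BasepCheckBadapp();                 // application-compatibility check on the process
            call kernel32!BasepIsImageVersionOk
            call kernel32!FreeLibrary "advapi32.dll"
            call kernel32!BaseFormatObjectAttributes

            call ntdll!ZwCreateProcessEx
                mov  eax, 30h                                 // system service number (build-specific)
                call ntdll!KiFastSystemCall

            call ntdll!ZwSetInformationProcess
            NtSetInformationProcess(
                ProcessHandle,                                // == handle returned by ZwCreateProcessEx
                PROCESSINFOCLASS ProcessInformationClass,     // == 12h == ProcessDefaultHardErrorMode
                PVOID            ProcessInformation,          // == 2 == SEM_NOGPFAULTERRORBOX
                ULONG            ProcessInformationLength);   // == 2
            NtSetInformationProcess(...)

            call kernel32!BasepSxsCreateProcessCsrMessage
            {
                BasepSxsGetProcessImageBaseAddress   KERNEL32
                RtlMultiAppendUnicodeStringBuffer    NTDLL
                BasepSxsCreateStreams                KERNEL32
                BasepSxsIsStatusFileNotFoundEtc
                BasepSxsIsStatusResourceNotFound
            }

            call ntdll!NtQueryInformationProcess(
                HANDLE           ProcessHandle,               // == process handle
                PROCESSINFOCLASS ProcessInformationClass,     // == 0 == ProcessBasicInformation
                PVOID            ProcessInformation,
                ULONG            ProcessInformationLength,
                PULONG           ReturnLength OPTIONAL);

            // Build the process parameters and write them into the new process.
            call kernel32!BasePushProcessParameters
            {
                __SEH_prolog
                GetFullPathNameW              KERNEL32
                BaseComputeProcessDllPath     KERNEL32
                RtlInitUnicodeString
                RtlCreateProcessParameters    NTDLL
                NtAllocateVirtualMemory
                NtWriteVirtualMemory
                __security_check_cookie
                __SEH_epilog
            }

            // Allocate and protect the new thread's stack.
            call kernel32!BaseCreateStack
            {
                NTDLL.RtlImageNtHeader
                NtAllocateVirtualMemory
                NtProtectVirtualMemory
            }

            call kernel32!BaseInitializeContext
            {
                BaseInitializeContext(
                    PCONTEXT Context,      // 0x200 bytes
                    PPEB     Peb,
                    PVOID    EntryPoint,
                    DWORD    StackTop,
                    int      Type);
            }

            call kernel32!BaseFormatObjectAttributes

            call ntdll!ZwCreateThread
                mov  eax, 35h                                 // system service number (build-specific)
                call ntdll!KiFastSystemCall

            call kernel32!GetModuleHandleA "NULL"
            ; eax == 0400000h  -- image load address
            call ntdll!RtlImageNtHeader eax                   // validate the NT header

            // The following calls notify csrss.exe of the new process/thread.
            call ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace
            call ntdll!CsrClientCallServer
            call ntdll!CsrFreeCaptureBuffer

            call ntdll!ZwResumeThread   ; start the thread, hand over control, and return
            ret                         // end of the process creation flow
        }
    }
}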