//---------------------------------------创建进程流程---------------------------------------------
call kernel32!CreateProcessA
BOOL WINAPI CreateProcess( LPCTSTR lpApplicationName, LPTSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCTSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
{
  /* 参数说明:第一个与最后一个为零,中间10个传递了上面传入的10个参数 主要目的:是将ANSI字符转换成Unicode字符 */
  call kernel32!CreateProcessInternalA(...)
  {
    {
      call kernel32!CreateProcessInternalW(...)
      {
        call ntdll!ZwQueryInformationJobObject( HANDLE JobHandle, JOBOBJECTINFOCLASS JobInformationClass, PVOID JobInformation, ULONG JobInformationLength, PULONG ReturnLength OPTIONAL ); //判断返回值是否为C0000022h (拒绝访问)
        call kernel32!SearchPathW(...); //进行路径搜索
        call kernel32!GetFileAttributesW(...); //获取文件属性
        call kernel32!BasepIsSetupInvokedByWinLogon(...); //判断是否WinLogon进程
        call ntdll!RtlDosPathNameToNtPathName_U(....);
        call ntdll!RtlInitUnicodeString();
        call ntdll!RtlDetermineDosPathNameType_U(.); //路径转换
        call ntdll!NtOpenFile(); //打开文件
        //创建Section, CreateFileMapping是对NtCreateSection的封装
        call ntdll!NtCreateSection( PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, PLARGE_INTEGER MaximumSize OPTIONAL, ULONG Protect, ULONG Attributes, HANDLE FileHandle OPTIONAL ); //程序被映射进了内存
        {
          call kernel32!BasepCheckWinSaferRestrictions //Safer(软件限制策略)检查
          {
            RtlEnterCriticalSection(...);
            NtOpenThreadToken(); //判断返回值是否等于0C000007Ch(试图引用不存在的令牌),否则跳走
            NtOpenProcessToken(); //判断返回值是否为0C0000022h(拒绝访问)
          }
        }
        call ntdll.NtQuerySection(...);
        call kernel32!LdrQueryImageFileExecutionOptions //获取调试信息,映像劫持
        LdrQueryImageFileExecutionOptions ( IN PUNICODE_STRING SubKey, == "\??\E:\AAAAA.exe" 进程名
                                            PCWSTR ValueName, == "Debugger"
                                            ULONG Type, PVOID Buffer, ULONG BufferSize, PULONG ReturnedLength OPTIONAL )
        //说明: 这里读取的是注册表 Image File Execution Options 下以进程名命名的子键的 "Debugger" 值; 若该值存在, 实际启动的是其中指定的程序而不是原进程, 这就是"映像劫持"的原理, 也是防御方需要监控该键变更的原因.
        call kernel32!BasepIsImageVersionOk
        LoadLibraryA(advapi32.dll);
        GetProcAddress("CreateProcessAsUserSecure");
        call kernel32!BasepCheckBadapp(); //对进程进行兼容性检查
        call kernel32!BasepIsImageVersionOk
        call kernel32!FreeLibrary "advapi32.dll"
        call kernel32!BaseFormatObjectAttributes
        call ntdll!ZwCreateProcessEx
            mov eax,30h
            call ntdll!KiFastSystemCall
        call ntdll!ZwSetInformationProcess
        NtSetInformationProcess ( ProcessHandle, == ZwCreateProcessEx时得到的进程句柄
                                  PROCESSINFOCLASS ProcessInformationClass, == 12h == ProcessDefaultHardErrorMode
                                  PVOID ProcessInformation, == 2 == SEM_NOGPFAULTERRORBOX
                                  ULONG ProcessInformationLength == 2 )
        NtSetInformationProcess(...)
        call kernel32!BasepSxsCreateProcessCsrMessage
        {
            BasepSxsGetProcessImageBaseAddress KERNEL32
            RtlMultiAppendUnicodeStringBuffer NTDLL
            BasepSxsCreateStreams KERNEL32
            BasepSxsIsStatusFileNotFoundEtc
            BasepSxsIsStatusResourceNotFound
        }
        call ntdll!NtQueryInformationProcess( HANDLE ProcessHandle, == 进程句柄
                                              PROCESSINFOCLASS ProcessInformationClass, == 0 == ProcessBasicInformation
                                              PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength OPTIONAL );
        call kernel32!BasePushProcessParameters
        {
            __SEH_prolog
            GetFullPathNameW KERNEL32
            BaseComputeProcessDllPath KERNEL32
            RtlInitUnicodeString
            RtlCreateProcessParameters NTDLL
            NtAllocateVirtualMemory
            NtWriteVirtualMemory
            __security_check_cookie
            __SEH_epilog
        }
        call kernel32!BaseCreateStack
        {
            NTDLL.RtlImageNtHeader
            NtAllocateVirtualMemory
            NtProtectVirtualMemory
        }
        call kernel32!BaseInitializeContext
        {
            BaseInitializeContext ( PCONTEXT Context, // 0x200 bytes
                                    PPEB Peb, PVOID EntryPoint, DWORD StackTop, int Type );
        }
        call kernel32!BaseFormatObjectAttributes
        call ntdll!ZwCreateThread
            mov eax,35h
            call ntdll!KiFastSystemCall
        call kernel32!GetModuleHandleA "NULL"   eax == 0400000h ;程序装入地址
        call ntdll!RtlImageNtHeader eax //验证NTHeader
        //下面是通知Csrss.exe的几个函数
        call ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace
        call ntdll!CsrClientCallServer
        call ntdll!CsrFreeCaptureBuffer
        call ntdll!ZwResumeThread ;启动线程移交控制权并返回
        ret //进程创建过程结束
      }
    }
  }
}