创建进程流程CreateProcess

//--------------------------------------- Process creation flow (CreateProcess) ---------------------------------------
//
// Annotated call trace of kernel32!CreateProcessA, from the ANSI entry point down to
// the point where the new process's initial thread is resumed. This is pseudo-code:
// C prototypes, x86 mnemonics (call / mov / ret) and prose checks are mixed freely,
// so it is not assemblable as written; read it as a call tree with notes.
//
// NOTE(review): the path shown (CreateProcessInternalW -> ZwCreateProcessEx ->
// ZwCreateThread dispatched through KiFastSystemCall, then Csr* notifications)
// looks like the pre-Vista kernel32 implementation -- confirm the Windows build
// before relying on any number below. The system-service numbers loaded into eax
// (30h, 35h) are build-specific and must never be hard-coded.
//
// Security-relevant checkpoints a defender should know about in this flow:
//   * BasepCheckWinSaferRestrictions -- the SAFER (software restriction policy)
//     check, run against the thread/process token before the image executes.
//   * LdrQueryImageFileExecutionOptions with ValueName "Debugger" -- the Image
//     File Execution Options hook; a "Debugger" value registered for an image
//     name redirects launches of that image, which is why the trace calls it
//     image hijacking. Changes to that registry key are worth auditing.
//   * NtSetInformationProcess(ProcessDefaultHardErrorMode, SEM_NOGPFAULTERRORBOX)
//     suppresses the GP-fault error box for the child.

// Entry: the ANSI export.
call kernel32!CreateProcessA

 BOOL WINAPI CreateProcess(
 LPCTSTR lpApplicationName,
 LPTSTR lpCommandLine,
 LPSECURITY_ATTRIBUTES lpProcessAttributes,
 LPSECURITY_ATTRIBUTES lpThreadAttributes,
 BOOL bInheritHandles,
 DWORD dwCreationFlags,
 LPVOID lpEnvironment,
 LPCTSTR lpCurrentDirectory,
 LPSTARTUPINFO lpStartupInfo,
 LPPROCESS_INFORMATION lpProcessInformation)
{
/* Parameter notes: the first and the last argument are zero; the 10 in between
   forward the 10 parameters passed in above.
   Main purpose of this layer: convert the ANSI strings to Unicode. */
 call kernel32!CreateProcessInternalA(...)
 {
  {
   // The Unicode worker: everything below happens inside it.
   call kernel32!CreateProcessInternalW(...)
   {
    // Query the job object the caller belongs to (if any).
    call ntdll!ZwQueryInformationJobObject(HANDLE JobHandle
     JOBOBJECTINFOCLASS JobInformationClass
     PVOID JobInformation
     ULONG JobInformationLength
     PULONG ReturnLengthOPTIONAL);
    // The returned NTSTATUS is compared against 0xC0000022 (access denied).
    判断返回值是否为C0000022h (拒绝访问)
    call kernel32!SearchPathW(...); // search the path for the image
    call kernel32!GetFileAttributesW(...);// query the file's attributes
    call kernel32!BasepIsSetupInvokedByWinLogon(...);// check whether this is the WinLogon setup case
    // DOS path -> NT path conversion for the image name.
    call ntdll!RtlDosPathNameToNtPathName_U(....);
    // NOTE(review): the real export is RtlInitUnicodeString (single "I"); the
    // extra "I" here looks like a transcription typo.
    call ntdll!RtlIInitUnicodeString();
    call ntdll!RtlDetermineDosPathNameType_U(.); // classify the DOS path type
    call ntdll!NtOpenFile(); // open the image file
    // Create the section; CreateFileMapping is a wrapper around NtCreateSection.
    call ntdll!NtCreateSection(
     PHANDLE SectionHandle,
     ACCESS_MASK DesiredAccess,
     POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
     PLARGE_INTEGER MaximumSize OPTIONAL,
     ULONG Protect,
     ULONG Attributes,
     HANDLE FileHandle OPTIONAL);  // the image is now mapped into memory
    {
     // SAFER / software-restriction-policy check, evaluated with the image
     // already mapped; the checks below read the caller's token.
     call kernel32!BasepCheckWinSaferRestrictions
     {
      RtlEnterCriticalSection(...);
      NtOpenThreadToken();// check whether the return value is 0xC000007C (attempt to reference a non-existent token); otherwise jump away
      NtOpenProcessToken();// check whether the return value is 0xC0000022 (access denied)
     }
    }
    call ntdll.NtQuerySection(...);
    // Read the image's IFEO entry ("Debugger" value) -- the image-hijack hook.
    // SubKey is the image path, ValueName is "Debugger"; a registered debugger
    // takes the place of the requested image.
    call kernel32!LdrQueryImageFileExecutionOptions // query debugger info; image hijacking (IFEO)
     LdrQueryImageFileExecutionOptions ( IN PUNICODE_STRING SubKey, == "\??\E:\AAAAA.exe"进程名
     PCWSTR ValueName, == "Debugger"
     ULONG Type,
     PVOID Buffer,
     ULONG BufferSize,
     PULONG ReturnedLength OPTIONAL)
    // Image version check (repeated below after the compatibility check).
    call kernel32!BasepIsImageVersionOk
    // advapi32 is loaded dynamically to resolve CreateProcessAsUserSecure and
    // released again at the FreeLibrary call below.
    LoadLibraryA(advapi32.dll);
    GetProcAddress("CreateProcessAsUserSecure");
    call kernel32!BasepCheckBadapp();// application-compatibility (bad-app) check for the process
    call kernel32!BasepIsImageVersionOk
    call kernel32!FreeLibrary "advapi32.dll"

    // Build the OBJECT_ATTRIBUTES for the process object.
    call kernel32!BaseFormatObjectAttributes

    // Create the process object; eax = system-service number (30h in this
    // trace; build-specific), dispatched through KiFastSystemCall.
    call ntdll!ZwCreateProcessEx
    mov eax,30h
    call ntdll!KiFastSystemCall
    call ntdll!ZwSetInformationProcess

    // ProcessHandle is the handle returned by ZwCreateProcessEx.
    NtSetInformationProcess ( ProcessHandle, == ZwCreateProcessEx时得到的进程句柄

     // 12h = ProcessDefaultHardErrorMode; value 2 = SEM_NOGPFAULTERRORBOX,
     // i.e. no GP-fault error box for the child.
     PROCESSINFOCLASS ProcessInformationClass, == 12h == ProcessDefaultHardErrorMode
     PVOID ProcessInformation, == 2 == SEM_NOGPFAULTERRORBOX
     ULONG ProcessInformationLength == 2)
    
    NtSetInformationProcess(...)
    // Presumably builds the side-by-side (SxS) data carried in the CSRSS message -- verify.
    call kernel32!BasepSxsCreateProcessCsrMessage
    {
     BasepSxsGetProcessImageBaseAddress KERNEL32
     RtlMultiAppendUnicodeStringBuffer NTDLL
     BasepSxsCreateStreams KERNEL32
     BasepSxsIsStatusFileNotFoundEtc
     BasepSxsIsStatusResourceNotFound
    }
    // Class 0 = ProcessBasicInformation on the new process handle; presumably
    // this yields the child's PEB address used by the steps below -- verify.
    call ntdll!NtQueryInformationProcess(
     HANDLE ProcessHandle, == 进程句柄
     PROCESSINFOCLASS ProcessInformationClass, == 0 == ProcessBasicInformation
     PVOID ProcessInformation,
     ULONG ProcessInformationLength,
     PULONG ReturnLength OPTIONAL);
    // Build the process parameters and write them into the child's address
    // space (NtAllocateVirtualMemory + NtWriteVirtualMemory).
    call kernel32!BasePushProcessParameters
    {
     __SEH_prolog
     GetFullPathNameW KERNEL32
     BaseComputeProcessDllPath KERNEL32
     RtlInitUnicodeString
     RtlCreateProcessParameters NTDLL
     NtAllocateVirtualMemory
     NtWriteVirtualMemory
     __security_check_cookie
     __SEH_epilog
    }
    // Allocate the initial thread's stack in the child and set its protection.
    call kernel32!BaseCreateStack
    {
     NTDLL.RtlImageNtHeader
     NtAllocateVirtualMemory
     NtProtectVirtualMemory
    }
    // Fill the initial thread's CONTEXT (entry point, stack top).
    call kernel32!BaseInitializeContext
    {
     BaseInitializeContext
      (PCONTEXT Context, // 0x200 bytes
       PPEB Peb,
       PVOID EntryPoint,
       DWORD StackTop,
       int Type );
    }
    call kernel32!BaseFormatObjectAttributes
    // Create the initial thread (suspended); eax = system-service number
    // (35h in this trace; build-specific).
    call ntdll!ZwCreateThread
    mov eax,35h
    call ntdll!KiFastSystemCall
    // GetModuleHandle(NULL) returns the caller's own image base.
    call kernel32!GetModuleHandleA "NULL"
    eax == 0400000h ; image load address (image base)
    call ntdll!RtlImageNtHeader eax // validate the NT header
    // The calls below notify csrss.exe (the Win32 subsystem process) of the new process.
    call ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace
    call ntdll!CsrClientCallServer
    call ntdll!CsrFreeCaptureBuffer
    call ntdll!ZwResumeThread ; resume the initial thread, handing over control, then return
    ret // end of the process-creation sequence
   }
  } 
 }
}

 

转载于:https://www.cnblogs.com/xiaojinma/archive/2012/12/07/2806627.html
