0: kd> u NtOpenProcess l 28B
;-----------------------------------------------------------------------
; nt!NtOpenProcess  (Windows XP, x86; WinDbg "u" listing, not assemblable source)
; Documented prototype (argument use below is consistent with it):
;   NTSTATUS NtOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess,
;                          POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
; ABI:   stdcall, four dword args released by "ret 10h"; frame built by _SEH_prolog
;        [ebp+8]   ProcessHandle     [ebp+0Ch] DesiredAccess
;        [ebp+10h] ObjectAttributes  [ebp+14h] ClientId
; Locals as used in this listing (names are the reviewer's reading of the code):
;        [ebp-4]      SEH try level (-1 = outside any __try)
;        [ebp-14h]    EXCEPTION_POINTERS* read by the __except filters (_SEH_prolog frame; confirm)
;        [ebp-18h]    esp saved by the prolog, restored by the handlers (confirm)
;        [ebp-19h]    flag: ClientId != NULL
;        [ebp-1Ah]    flag: ObjectAttributes->ObjectName != NULL
;        [ebp-20h]    HANDLE returned by the object manager
;        [ebp-24h]    PEPROCESS from the CID lookup
;        [ebp-2Ch]/[ebp-28h]  captured CLIENT_ID (UniqueProcess / UniqueThread)
;        [ebp-30h]    PETHREAD from PsLookupProcessThreadByCid, 0 when not looked up
;        [ebp-34h]    captured PreviousMode
;        [ebp-38h]    captured ObjectAttributes->Attributes
;        [ebp-3Ch]/[ebp-40h]/[ebp-44h]  exception code saved by each __except filter
;        [ebp-0B8h]   ACCESS_STATE, [ebp-0D4h] its AUX_ACCESS_DATA
;        (ACCESS_STATE+10h/+14h = RemainingDesiredAccess/PreviouslyGrantedAccess
;         per public XP symbols; confirm against the target build)
; Register roles: esi = 0 for the whole function (constant zero in stores/compares),
;        ebx = ObjectAttributes, edi = NTSTATUS of the open/lookup call.
; Out:   eax = NTSTATUS.
; Security-relevant structure: user pointers are probed only when PreviousMode != 0;
;        a holder of SeDebugPrivilege has every requested right granted up front,
;        so the later object open performs no DACL-based access check for it.
;-----------------------------------------------------------------------
nt!NtOpenProcess:
805cc3fc 68c4000000 push 0C4h   ; size of the local frame handed to _SEH_prolog
805cc401 68b8b44d80 push offset nt!ObWatchHandles+0x25c (804db4b8)   ; SEH scope table (symbol shown is only the nearest public name)
805cc406 e87507f7ff call nt!_SEH_prolog (8053cb80)   ; builds ebp frame + exception registration
805cc40b 33f6 xor esi,esi   ; esi = 0 for the rest of the function
805cc40d 8975d4 mov dword ptr [ebp-2Ch],esi   ; ClientId.UniqueProcess (local copy) = 0
805cc410 33c0 xor eax,eax
805cc412 8d7dd8 lea edi,[ebp-28h]
805cc415 ab stos dword ptr es:[edi]   ; ClientId.UniqueThread (local copy) = 0
805cc416 64a124010000 mov eax,dword ptr fs:[00000124h]   ; current KTHREAD (KPCR.PrcbData.CurrentThread on XP)
805cc41c 8a8040010000 mov al,byte ptr [eax+140h]   ; KTHREAD.PreviousMode (XP offset; confirm for the build)
805cc422 8845cc mov byte ptr [ebp-34h],al   ; keep PreviousMode for the Se*/Ob* calls below
805cc425 84c0 test al,al
805cc427 0f848f000000 je nt!NtOpenProcess+0xc0 (805cc4bc)   ; KernelMode caller: skip all probing, capture directly
805cc42d 8975fc mov dword ptr [ebp-4],esi   ; __try level 0: everything up to 805cc4a0 is guarded
805cc430 a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc435 8b4d08 mov ecx,dword ptr [ebp+8]   ; ecx = ProcessHandle (user pointer)
805cc438 3bc8 cmp ecx,eax
805cc43a 7202 jb nt!NtOpenProcess+0x42 (805cc43e)   ; below MmUserProbeAddress: acceptable user address
805cc43c 8930 mov dword ptr [eax],esi   ; out of range: touch MmUserProbeAddress itself so the access faults into __except
805cc43e 8b01 mov eax,dword ptr [ecx]   ; inlined ProbeForWrite: read then write back the handle slot
805cc440 8901 mov dword ptr [ecx],eax
805cc442 8b5d10 mov ebx,dword ptr [ebp+10h]   ; ebx = ObjectAttributes (user pointer)
805cc445 f6c303 test bl,3
805cc448 7405 je nt!NtOpenProcess+0x53 (805cc44f)
805cc44a e8178c0400 call nt!ExRaiseDatatypeMisalignment (80615066)   ; not dword aligned: raises, does not return normally
805cc44f a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc454 3bd8 cmp ebx,eax
805cc456 7207 jb nt!NtOpenProcess+0x63 (805cc45f)
805cc458 8930 mov dword ptr [eax],esi   ; inlined ProbeForRead of ObjectAttributes: same fault-on-bad-range trick
805cc45a a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc45f 397308 cmp dword ptr [ebx+8],esi   ; ObjectAttributes->ObjectName
805cc462 0f9545e6 setne byte ptr [ebp-1Ah]   ; flag: a name was supplied
805cc466 8b4b0c mov ecx,dword ptr [ebx+0Ch]   ; ObjectAttributes->Attributes
805cc469 894dc8 mov dword ptr [ebp-38h],ecx   ; captured once; the user copy is not re-read later
805cc46c 8b4d14 mov ecx,dword ptr [ebp+14h]   ; ecx = ClientId (user pointer, optional)
805cc46f 3bce cmp ecx,esi
805cc471 7429 je nt!NtOpenProcess+0xa0 (805cc49c)   ; NULL ClientId
805cc473 f6c103 test cl,3
805cc476 740d je nt!NtOpenProcess+0x89 (805cc485)
805cc478 e8e98b0400 call nt!ExRaiseDatatypeMisalignment (80615066)   ; misaligned CLIENT_ID: raises
805cc47d a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]   ; compiler fall-through after the raise; not reached on the raise path
805cc482 8b4d14 mov ecx,dword ptr [ebp+14h]
805cc485 3bc8 cmp ecx,eax   ; eax still holds MmUserProbeAddress from 805cc45a on the aligned path
805cc487 7202 jb nt!NtOpenProcess+0x8f (805cc48b)
805cc489 8930 mov dword ptr [eax],esi   ; inlined ProbeForRead of ClientId
805cc48b 8b01 mov eax,dword ptr [ecx]
805cc48d 8945d4 mov dword ptr [ebp-2Ch],eax   ; local UniqueProcess = ClientId->UniqueProcess
805cc490 8b4104 mov eax,dword ptr [ecx+4]
805cc493 8945d8 mov dword ptr [ebp-28h],eax   ; local UniqueThread = ClientId->UniqueThread
805cc496 c645e701 mov byte ptr [ebp-19h],1   ; flag: ClientId supplied
805cc49a eb04 jmp nt!NtOpenProcess+0xa4 (805cc4a0)
805cc49c c645e700 mov byte ptr [ebp-19h],0   ; flag: no ClientId
805cc4a0 834dfcff or dword ptr [ebp-4],0FFFFFFFFh   ; leave __try (level -1)
805cc4a4 eb42 jmp nt!NtOpenProcess+0xec (805cc4e8)   ; join the kernel-mode path at the parameter-mix check
805cc4a6 8b45ec mov eax,dword ptr [ebp-14h]   ; __except filter #1 (probe/capture block): EXCEPTION_POINTERS*
805cc4a9 8b00 mov eax,dword ptr [eax]   ; ->ExceptionRecord
805cc4ab 8b00 mov eax,dword ptr [eax]   ; ->ExceptionCode
805cc4ad 8945c4 mov dword ptr [ebp-3Ch],eax   ; saved so the handler can return it as the NTSTATUS
805cc4b0 33c0 xor eax,eax
805cc4b2 40 inc eax   ; return EXCEPTION_EXECUTE_HANDLER (1)
805cc4b3 c3 ret
805cc4b4 8b45c4 mov eax,dword ptr [ebp-3Ch]   ; __except handler #1: status = exception code
805cc4b7 e9b0010000 jmp nt!NtOpenProcess+0x270 (805cc66c)   ; common unwind tail
805cc4bc 8b5d10 mov ebx,dword ptr [ebp+10h]   ; KernelMode path: same captures, no probing, no __try
805cc4bf 397308 cmp dword ptr [ebx+8],esi   ; ObjectAttributes->ObjectName != NULL ?
805cc4c2 0f9545e6 setne byte ptr [ebp-1Ah]
805cc4c6 8b430c mov eax,dword ptr [ebx+0Ch]   ; ObjectAttributes->Attributes
805cc4c9 8945c8 mov dword ptr [ebp-38h],eax
805cc4cc 8b4514 mov eax,dword ptr [ebp+14h]   ; ClientId
805cc4cf 3bc6 cmp eax,esi
805cc4d1 7411 je nt!NtOpenProcess+0xe8 (805cc4e4)
805cc4d3 8b08 mov ecx,dword ptr [eax]
805cc4d5 894dd4 mov dword ptr [ebp-2Ch],ecx   ; UniqueProcess
805cc4d8 8b4004 mov eax,dword ptr [eax+4]
805cc4db 8945d8 mov dword ptr [ebp-28h],eax   ; UniqueThread
805cc4de c645e701 mov byte ptr [ebp-19h],1
805cc4e2 eb04 jmp nt!NtOpenProcess+0xec (805cc4e8)
805cc4e4 c645e700 mov byte ptr [ebp-19h],0
805cc4e8 807de600 cmp byte ptr [ebp-1Ah],0   ; both an ObjectName and a ClientId is an invalid combination
805cc4ec 740a je nt!NtOpenProcess+0xfc (805cc4f8)
805cc4ee 807de700 cmp byte ptr [ebp-19h],0
805cc4f2 0f857d010000 jne nt!NtOpenProcess+0x279 (805cc675)   ; -> STATUS_INVALID_PARAMETER_MIX
805cc4f8 a1b8495680 mov eax,dword ptr [nt!PsProcessType (805649b8)]
805cc4fd 83c068 add eax,68h   ; &PsProcessType->TypeInfo.GenericMapping (XP OBJECT_TYPE layout; confirm)
805cc500 50 push eax   ; GenericMapping
805cc501 ff750c push dword ptr [ebp+0Ch]   ; DesiredAccess (raw caller value, not captured/validated here)
805cc504 8d852cffffff lea eax,[ebp-0D4h]
805cc50a 50 push eax   ; AuxData
805cc50b 8d8548ffffff lea eax,[ebp-0B8h]
805cc511 50 push eax   ; AccessState
805cc512 e8a1580200 call nt!SeCreateAccessState (805f1db8)   ; SeCreateAccessState(AccessState, AuxData, DesiredAccess, GenericMapping)
805cc517 3bc6 cmp eax,esi
805cc519 0f8c5b010000 jl nt!NtOpenProcess+0x27e (805cc67a)   ; NT_ERROR: return status as-is
805cc51f ff75cc push dword ptr [ebp-34h]   ; PreviousMode
805cc522 ff3520dd6780 push dword ptr [nt!SeDebugPrivilege+0x4 (8067dd20)]   ; LUID.HighPart
805cc528 ff351cdd6780 push dword ptr [nt!SeDebugPrivilege (8067dd1c)]   ; LUID.LowPart
805cc52e e881c70200 call nt!SeSinglePrivilegeCheck (805f8cb4)   ; SeSinglePrivilegeCheck(SeDebugPrivilege, PreviousMode)
805cc533 84c0 test al,al
805cc535 7425 je nt!NtOpenProcess+0x160 (805cc55c)   ; privilege not held/enabled: normal access check applies
805cc537 8b8558ffffff mov eax,dword ptr [ebp-0A8h]   ; AccessState.RemainingDesiredAccess
805cc53d a900000002 test eax,2000000h   ; MAXIMUM_ALLOWED requested?
805cc542 740c je nt!NtOpenProcess+0x154 (805cc550)
805cc544 818d5cffffffff0f1f00 or dword ptr [ebp-0A4h],1F0FFFh   ; PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS (XP value)
805cc54e eb06 jmp nt!NtOpenProcess+0x15a (805cc556)
805cc550 09855cffffff or dword ptr [ebp-0A4h],eax   ; PreviouslyGrantedAccess |= everything requested
805cc556 89b558ffffff mov dword ptr [ebp-0A8h],esi   ; RemainingDesiredAccess = 0: nothing left for the DACL check to refuse
805cc55c 807de600 cmp byte ptr [ebp-1Ah],0   ; open by name or by CID?
805cc560 745e je nt!NtOpenProcess+0x1c4 (805cc5c0)
805cc562 8d45e0 lea eax,[ebp-20h]
805cc565 50 push eax   ; &Handle (local, written to user memory only after success)
805cc566 56 push esi   ; ParseContext = NULL
805cc567 56 push esi   ; DesiredAccess = 0 (already carried in AccessState)
805cc568 8d8548ffffff lea eax,[ebp-0B8h]
805cc56e 50 push eax   ; AccessState
805cc56f ff75cc push dword ptr [ebp-34h]   ; AccessMode = PreviousMode
805cc572 ff35b8495680 push dword ptr [nt!PsProcessType (805649b8)]   ; ObjectType
805cc578 53 push ebx   ; ObjectAttributes
805cc579 e86803ffff call nt!ObOpenObjectByName (805bc8e6)
805cc57e 8bf8 mov edi,eax   ; edi = status
805cc580 8d8548ffffff lea eax,[ebp-0B8h]
805cc586 50 push eax
805cc587 e8ee550200 call nt!SeDeleteAccessState (805f1b7a)   ; always paired with the SeCreateAccessState above
805cc58c 3bfe cmp edi,esi
805cc58e 7c13 jl nt!NtOpenProcess+0x1a7 (805cc5a3)   ; failed open: return status, no handle written
805cc590 c745fc01000000 mov dword ptr [ebp-4],1   ; __try level 1: user memory may have been unmapped since the probe
805cc597 8b45e0 mov eax,dword ptr [ebp-20h]
805cc59a 8b4d08 mov ecx,dword ptr [ebp+8]
805cc59d 8901 mov dword ptr [ecx],eax   ; *ProcessHandle = Handle
805cc59f 834dfcff or dword ptr [ebp-4],0FFFFFFFFh   ; leave __try
805cc5a3 8bc7 mov eax,edi   ; return the open/lookup status
805cc5a5 e9d0000000 jmp nt!NtOpenProcess+0x27e (805cc67a)
805cc5aa 8b45ec mov eax,dword ptr [ebp-14h]   ; __except filter #2 (handle write after open-by-name)
805cc5ad 8b00 mov eax,dword ptr [eax]
805cc5af 8b00 mov eax,dword ptr [eax]
805cc5b1 8945c0 mov dword ptr [ebp-40h],eax
805cc5b4 33c0 xor eax,eax
805cc5b6 40 inc eax   ; EXCEPTION_EXECUTE_HANDLER
805cc5b7 c3 ret
805cc5b8 8b45c0 mov eax,dword ptr [ebp-40h]   ; __except handler #2: status = exception code (the handle itself stays open)
805cc5bb e9ac000000 jmp nt!NtOpenProcess+0x270 (805cc66c)
805cc5c0 807de700 cmp byte ptr [ebp-19h],0   ; no name and no ClientId either
805cc5c4 0f84ab000000 je nt!NtOpenProcess+0x279 (805cc675)   ; -> STATUS_INVALID_PARAMETER_MIX
805cc5ca 8975d0 mov dword ptr [ebp-30h],esi   ; Thread = NULL
805cc5cd 3975d8 cmp dword ptr [ebp-28h],esi   ; UniqueThread given?
805cc5d0 7425 je nt!NtOpenProcess+0x1fb (805cc5f7)
805cc5d2 8d45d0 lea eax,[ebp-30h]
805cc5d5 50 push eax   ; &Thread
805cc5d6 8d45dc lea eax,[ebp-24h]
805cc5d9 50 push eax   ; &Process
805cc5da 8d45d4 lea eax,[ebp-2Ch]
805cc5dd 50 push eax   ; &ClientId (the captured local copy, not the user buffer)
805cc5de e83f7a0000 call nt!PsLookupProcessThreadByCid (805d4022)   ; references both objects on success
805cc5e3 8bf8 mov edi,eax
805cc5e5 3bfe cmp edi,esi
805cc5e7 7d1c jge nt!NtOpenProcess+0x209 (805cc605)
805cc5e9 8d8548ffffff lea eax,[ebp-0B8h]
805cc5ef 50 push eax
805cc5f0 e885550200 call nt!SeDeleteAccessState (805f1b7a)   ; lookup failed: release access state, return status
805cc5f5 ebac jmp nt!NtOpenProcess+0x1a7 (805cc5a3)
805cc5f7 8d45dc lea eax,[ebp-24h]
805cc5fa 50 push eax   ; &Process
805cc5fb ff75d4 push dword ptr [ebp-2Ch]   ; UniqueProcess
805cc5fe e8db7a0000 call nt!PsLookupProcessByProcessId (805d40de)   ; references the process on success
805cc603 ebde jmp nt!NtOpenProcess+0x1e7 (805cc5e3)
805cc605 8d45e0 lea eax,[ebp-20h]
805cc608 50 push eax   ; &Handle
805cc609 ff75cc push dword ptr [ebp-34h]   ; AccessMode = PreviousMode
805cc60c ff35b8495680 push dword ptr [nt!PsProcessType (805649b8)]   ; ObjectType
805cc612 56 push esi   ; DesiredAccess = 0 (carried in AccessState)
805cc613 8d8548ffffff lea eax,[ebp-0B8h]
805cc619 50 push eax   ; PassedAccessState
805cc61a ff75c8 push dword ptr [ebp-38h]   ; HandleAttributes = captured ObjectAttributes->Attributes
805cc61d ff75dc push dword ptr [ebp-24h]   ; Object = Process
805cc620 e84706ffff call nt!ObOpenObjectByPointer (805bcc6c)
805cc625 8bf8 mov edi,eax   ; edi = status
805cc627 8d8548ffffff lea eax,[ebp-0B8h]
805cc62d 50 push eax
805cc62e e847550200 call nt!SeDeleteAccessState (805f1b7a)
805cc633 8b4dd0 mov ecx,dword ptr [ebp-30h]
805cc636 3bce cmp ecx,esi
805cc638 7405 je nt!NtOpenProcess+0x243 (805cc63f)
805cc63a e83fb0f5ff call nt!ObfDereferenceObject (8052767e)   ; drop the thread reference taken by the CID lookup (fastcall, ecx)
805cc63f 8b4ddc mov ecx,dword ptr [ebp-24h]
805cc642 e837b0f5ff call nt!ObfDereferenceObject (8052767e)   ; drop the process reference; the handle (if any) keeps its own
805cc647 3bfe cmp edi,esi
805cc649 0f8c54ffffff jl nt!NtOpenProcess+0x1a7 (805cc5a3)   ; failed open: return status
805cc64f c745fc02000000 mov dword ptr [ebp-4],2   ; __try level 2, then share the handle-write code at 805cc597
805cc656 e93cffffff jmp nt!NtOpenProcess+0x19b (805cc597)
805cc65b 8b45ec mov eax,dword ptr [ebp-14h]   ; __except filter #3 (handle write after open-by-CID)
805cc65e 8b00 mov eax,dword ptr [eax]
805cc660 8b00 mov eax,dword ptr [eax]
805cc662 8945bc mov dword ptr [ebp-44h],eax
805cc665 33c0 xor eax,eax
805cc667 40 inc eax   ; EXCEPTION_EXECUTE_HANDLER
805cc668 c3 ret
805cc669 8b45bc mov eax,dword ptr [ebp-44h]   ; __except handler #3: status = exception code
805cc66c 8b65e8 mov esp,dword ptr [ebp-18h]   ; common handler tail: restore esp saved by _SEH_prolog (confirm against frame layout)
805cc66f 834dfcff or dword ptr [ebp-4],0FFFFFFFFh   ; leave __try
805cc673 eb05 jmp nt!NtOpenProcess+0x27e (805cc67a)
805cc675 b8300000c0 mov eax,0C0000030h   ; STATUS_INVALID_PARAMETER_MIX
805cc67a e83c05f7ff call nt!_SEH_epilog (8053cbbb)   ; tear down the exception registration and frame
805cc67f c21000 ret 10h   ; stdcall: pop the four dword arguments
805cc682 cc int 3   ; inter-function padding emitted by the compiler; not part of NtOpenProcess
805cc683 cc int 3
805cc684 cc int 3
805cc685 cc int 3
805cc686 cc int 3
805cc687 cc int 3
nt!NtOpenThread:
805cc688 68c0000000 push 0C0h
805cc68d 68e0b44d80 push offset nt!ObWatchHandles+0x284 (804db4e0)
805cc692 e8e904f7ff call nt!_SEH_prolog (8053cb80)
805cc697 33f6 xor esi,esi
805cc699 8975d4 mov dword ptr [ebp-2Ch],esi
805cc69c 33c0 xor eax,eax
805cc69e 8d7dd8 lea edi,[ebp-28h]
805cc6a1 ab stos dword ptr es:[edi]
805cc6a2 64a124010000 mov eax,dword ptr fs:[00000124h]
805cc6a8 8a8040010000 mov al,byte ptr [eax+140h]
805cc6ae 8845d0 mov byte ptr [ebp-30h],al
805cc6b1 84c0 test al,al
805cc6b3 0f848f000000 je nt!NtOpenThread+0xc0 (805cc748)
805cc6b9 8975fc mov dword ptr [ebp-4],esi
805cc6bc a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6c1 8b4d08 mov ecx,dword ptr [ebp+8]
805cc6c4 3bc8 cmp ecx,eax
805cc6c6 7202 jb nt!NtOpenThread+0x42 (805cc6ca)
805cc6c8 8930 mov dword ptr [eax],esi
805cc6ca 8b01 mov eax,dword ptr [ecx]
805cc6cc 8901 mov dword ptr [ecx],eax
805cc6ce 8b5d10 mov ebx,dword ptr [ebp+10h]
805cc6d1 f6c303 test bl,3
805cc6d4 7405 je nt!NtOpenThread+0x53 (805cc6db)
805cc6d6 e88b890400 call nt!ExRaiseDatatypeMisalignment (80615066)
805cc6db a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6e0 3bd8 cmp ebx,eax
805cc6e2 7207 jb nt!NtOpenThread+0x63 (805cc6eb)
805cc6e4 8930 mov dword ptr [eax],esi
805cc6e6 a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6eb 397308 cmp dword ptr [ebx+8],esi
805cc6ee 0f9545e6 setne byte ptr [ebp-1Ah]
805cc6f2 8b4b0c mov ecx,dword ptr [ebx+0Ch]
805cc6f5 894dcc mov dword ptr [ebp-34h],ecx
805cc6f8 8b4d14 mov ecx,dword ptr [ebp+14h]
805cc6fb 3bce cmp ecx,esi
805cc6fd 7429 je nt!NtOpenThread+0xa0 (805cc728)
805cc6ff f6c103 test cl,3
805cc702 740d je nt!NtOpenThread+0x89 (805cc711)
805cc704 e85d890400 call nt!ExRaiseDatatypeMisalignment (80615066)
805cc709 a134315680 mov eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc70e 8b4d14 mov ecx,dword ptr [ebp+14h]
805cc711 3bc8 cmp ecx,eax
805cc713 7202 jb nt!NtOpenThread+0x8f (805cc717)
805cc715 8930 mov dword ptr [eax],esi
805cc717 8b01 mov eax,dword ptr [ecx]
805cc719 8945d4 mov dword ptr [ebp-2Ch],eax
805cc71c 8b4104 mov eax,dword ptr [ecx+4]
805cc71f 8945d8 mov dword ptr [ebp-28h],eax
805cc722 c645e701 mov byte ptr [ebp-19h],1
805cc726 eb04 jmp nt!NtOpenThread+0xa4 (805cc72c)
805cc728 c645e700 mov byte ptr [ebp-19h],0
805cc72c 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
805cc730 eb42 jmp nt!NtOpenThread+0xec (805cc774)
805cc732 8b45ec mov eax,dword ptr [ebp-14h]
805cc735 8b00 mov eax,dword ptr [eax]
805cc737 8b00 mov eax,dword ptr [eax]
805cc739 8945c8 mov dword ptr [ebp-38h],eax
805cc73c 33c0 xor eax,eax
805cc73e 40 inc eax
805cc73f c3 ret
805cc740 8b45c8 mov eax,dword ptr [ebp-38h]
805cc743 e99a010000 jmp nt!NtOpenThread+0x25a (805cc8e2)
805cc748 8b5d10 mov ebx,dword ptr [ebp+10h]
805cc74b 397308 cmp dword ptr [ebx+8],esi
805cc74e 0f9545e6 setne byte ptr [ebp-1Ah]
805cc752 8b430c mov eax,dword ptr [ebx+0Ch]
805cc755 8945cc mov dword ptr [ebp-34h],eax
805cc758 8b4514 mov eax,dword ptr [ebp+14h]
805cc75b 3bc6 cmp eax,esi
805cc75d 7411 je nt!NtOpenThread+0xe8 (805cc770)
805cc75f 8b08 mov ec
蹂躏D&F数据之XP-NtOpenProcess(虚拟机)
本文详细探讨了在Windows XP环境下,针对D&F数据进行操作的技术过程,尤其是如何利用XP-NtOpenProcess API在虚拟机环境中实现这一目标。通过对系统调用的分析和实践,揭示了数据访问的复杂性和安全性问题。