>>微软后门函数 RegisterSystemThread
>>原形
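/*
 * Prototype of the user32 entry point. `flags` is a combination of the
 * RST_* bits; `reserved` must be 0 (the kernel-side handler shown further
 * down returns without doing anything when it is not). The original line
 * was missing the terminating semicolon.
 */
VOID STDCALL RegisterSystemThread(DWORD flags, DWORD reserved);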
>>等值定义
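/*
 * Flag bits for RegisterSystemThread. Values are as given by the original
 * author; RST_DONTATTACHQUEUE is marked by the author as a guess (no public
 * definition could be found). The `#` was missing from both directives.
 */
#define RST_DONTATTACHQUEUE   0x00000001
#define RST_DONTJOURNALATTACH 0x00000002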
;调用例子Windbg
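if (bDisableJournaling) {
    // Disable journaling for this thread. RegisterSystemThread is resolved
    // at run time because it is not declared in the public headers.
    HMODULE hUser32 = GetModuleHandle("user32.dll");
    // Check the module handle on its own instead of feeding a possible
    // NULL into GetProcAddress, so a failed lookup is reported as "no Rst"
    // rather than as a lookup against whatever NULL maps to.
    Rst = hUser32 ? (RST)GetProcAddress(hUser32, "RegisterSystemThread") : NULL;
    if (Rst) {
        // Only RST_DONTJOURNALATTACH is requested; the second argument is
        // reserved and must be 0.
        (Rst)(RST_DONTJOURNALATTACH, 0);
    }
}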
>>作用: 微软后门函数, 为当前线程设置 TIF_DONTATTACHQUEUE / TIF_DONTJOURNALATTACH 标志, 使其消息队列不被 journal 附加, 用来阻止 Hook 入侵
>>相关函数
>>本函数没有导出, 无法直接使用; 它是 RegisterSystemThread 所调用的内核侧实现(原型)
/*
 * Kernel-side handler for RegisterSystemThread.
 *
 * dwFlags    - RST_DONTATTACHQUEUE and/or RST_DONTJOURNALATTACH; each one
 *              sets the matching TIF_* bit on the calling thread.
 * dwReserved - must be 0; any other value is asserted in checked builds and
 *              makes the call a no-op.
 *
 * When RST_DONTJOURNALATTACH is requested while a journal playback or
 * record hook is already active, the queue was already journal-attached,
 * so it is detached and re-attached to drop this thread out of the
 * journal-attached set.
 */
VOID zzzRegisterSystemThread (DWORD dwFlags, DWORD dwReserved)
{
    PTHREADINFO pti;
    DWORD fWantDontJournal = dwFlags & RST_DONTJOURNALATTACH;

    UserAssert(dwReserved == 0);
    if (dwReserved != 0) {
        return;
    }

    pti = PtiCurrent();

    if (dwFlags & RST_DONTATTACHQUEUE) {
        pti->TIF_flags |= TIF_DONTATTACHQUEUE;
    }

    if (!fWantDontJournal) {
        return;
    }

    pti->TIF_flags |= TIF_DONTJOURNALATTACH;

    /* Already journaling: detach and re-attach so this queue is excluded. */
    if (FJOURNALPLAYBACK() || FJOURNALRECORD()) {
        zzzJournalAttach(pti, FALSE);
        zzzJournalAttach(pti, TRUE);
    }
}
而实际上 RegisterSystemThread的系统服务接口是以下函数
/*
 * User-mode entry point for RegisterSystemThread.
 *
 * Forwards dwFlags and dwReserved unchanged to the
 * SFI_ZZZREGISTERSYSTEMTHREAD system service via NtUserCallTwoParam; no
 * validation is done on this side (dwReserved is checked by the kernel-side
 * handler, per the author's note above).
 */
VOID RegisterSystemThread(DWORD dwFlags, DWORD dwReserved)
{
    NtUserCallTwoParam(dwFlags, dwReserved, SFI_ZZZREGISTERSYSTEMTHREAD);
}
库为user32.dll 未导出 需要动态获取!