Spent half a day fucking around with calling the remote _BaseRegOpenKey against the local machine, and in the end it just reported no permission. Though there seems to be a bug where it comes up 1 byte short?
PS: that 1 byte isn't a bug; when the RPC server side parses it, if the last character is NULL it strips it off.
Got it working, but never expected to get fucked over by 360.
b2290aa8 8050117a nt!KiSwapContext+0x2e
b2290ab4 804fa9be nt!KiSwapThread+0x46
b2290adc b2c0fca8 nt!KeWaitForSingleObject+0x1c2
WARNING: Stack unwind information not available. Following frames may be wrong.
b2290b24 b2c09cf2 qutmdrv+0x11ca8
b2290b48 b2c17435 qutmdrv+0xbcf2
b2290b68 b2c18d5a qutmdrv+0x19435
b2290c0c b2c195c6 qutmdrv+0x1ad5a
b2290c20 f86aaebc qutmdrv+0x1b5c6
b2290c54 f86abb4d Hookport+0xebc
b2290d34 8053d808 Hookport+0x1b4d
b2290d34 7c92eb94 nt!KiFastCallEntry+0xf8
0012f570 7c92da69 ntdll!KiFastSystemCallRet
0012f574 7c81f59c ntdll!ZwFsControlFile+0xc
0012f5d4 77e61224 kernel32!TransactNamedPipe+0x4e
0012f604 77e60898 RPCRT4!NMP_SyncSendRecv+0x54
0012f624 77e60e8d RPCRT4!OSF_CCONNECTION::TransSendReceive+0x9e
0012f6a0 77e60e0d RPCRT4!OSF_CCONNECTION::SendFragment+0x226
0012f6f8 77e60c6f RPCRT4!OSF_CCALL::SendNextFragment+0x1d2
0012f740 77e60bbc RPCRT4!OSF_CCALL::FastSendReceive+0x144
0012f75c 77e6110b RPCRT4!OSF_CCALL::SendReceiveHelper+0x58
0012f788 77e5a716 RPCRT4!OSF_CCALL::SendReceive+0x41
0012f794 77e5a747 RPCRT4!I_RpcSendReceive+0x24
0012f7a8 00403af4 RPCRT4!NdrSendReceive+0x2b
0012f8c4 0040149e idareg_client+0x3af4
0012ff80 00405313 idareg_client+0x149e
0012ffc0 7c816d4f idareg_client+0x5313
0012fff0 00000000 kernel32!BaseProcessStart+0x23
PS: Damn, 360 hooks quite a few points. Tried patching myself so it doesn't go through ZwFsControlFile to send the request, and it still got intercepted.