I. Foreword
Because of my work I may later need to write an ARK tool, so with nothing else to do on Saturday and Sunday I reversed the process-creation callback array. There is plenty of information about it already, but understanding it yourself is better than relying on what others wrote.
So here are my own thoughts together with the results of the reverse analysis.
The kernel function PsSetCreateProcessNotifyRoutine registers a callback that is notified when a process is created.
There is also an Ex variant. I did not reverse the Ex function, only glanced at it. This post only covers reversing the
process callback.
II. Reversing process
1. Attach WinDbg to a 32-bit Windows 7 target and locate the function's disassembly.
The disassembly is as follows:
kd> uf PsSetCreateProcessNotifyRoutine
nt!PsSetCreateProcessNotifyRoutine:
83fd87de 8bff mov edi,edi
83fd87e0 55 push ebp
83fd87e1 8bec mov ebp,esp
83fd87e3 6a00 push 0
83fd87e5 ff750c push dword ptr [ebp+0Ch] argument 2 ---------> remove flag (whether to remove)
83fd87e8 ff7508 push dword ptr [ebp+8] argument 1 ---------> callback function address
83fd87eb e809000000 call nt!PspSetCreateProcessNotifyRoutine (83fd87f9)
83fd87f0 5d pop ebp
83fd87f1 c20800 ret 8
You can see that the function internally calls PspSetCreateProcessNotifyRoutine
with a total of three arguments.
Pseudocode:
PspSetCreateProcessNotifyRoutine(0, your own callback function address, whether to remove)
Reversing the Ex variant shows that it differs only in that the first argument is 1 instead of 0.
2. Reverse PspSetCreateProcessNotifyRoutine
This is the underlying function that does the work, so reverse it next.
kd> uf PspSetCreateProcessNotifyRoutine
nt!PspSetCreateProcessNotifyRoutine:
83fd87f9 8bff mov edi,edi
83fd87fb 55 push ebp
83fd87fc 8bec mov ebp,esp
83fd87fe 807d0c00 cmp byte ptr [ebp+0Ch],0 // decide whether we are registering or removing the callback.
83fd8802 53 push ebx
83fd8803 56 push esi // save the register context.
83fd8804 57 push edi
83fd8805 0f84fa000000 je nt!PspSetCreateProcessNotifyRoutine+0x10a (83fd8905) jump if the remove flag == 0, i.e. registering a callback; removal falls through to the code below.
====================> path taken when removing a callback
nt!PspSetCreateProcessNotifyRoutine+0x12:
83fd880b 648b3524010000 mov esi,dword ptr fs:[124h]
83fd8812 66ff8e84000000 dec word ptr [esi+84h]
83fd8819 33db xor ebx,ebx
83fd881b c7450ce06cf883 mov dword ptr [ebp+0Ch],offset nt!PspCreateProcessNotifyRoutine (83f86ce0) // get the address of the callback array.
nt!PspSetCreateProcessNotifyRoutine+0x29:
83fd8822 ff750c push dword ptr [ebp+0Ch] // push the address of the current array slot.
83fd8825 e88ea90d00 call nt!ExReferenceCallBackBlock (840b31b8) // reversed in step 3: ExReferenceCallBackBlock
83fd882a 8bf8 mov edi,eax
83fd882c 85ff test edi,edi
83fd882e 7439 je nt!PspSetCreateProcessNotifyRoutine+0x6e (83fd8869)
nt!PspSetCreateProcessNotifyRoutine+0x37:
83fd8830 8b4f08 mov ecx,dword ptr [edi+8]
83fd8833 e81b3cf2ff call nt!ExGetCallBackBlockRoutine (83efc453)
83fd8838 3b4508 cmp eax,dword ptr [ebp+8]
83fd883b 7522 jne nt!PspSetCreateProcessNotifyRoutine+0x64 (83fd885f)
nt!PspSetCreateProcessNotifyRoutine+0x44:
83fd883d 85c9 test ecx,ecx
83fd883f 7509 jne nt!PspSetCreateProcessNotifyRoutine+0x4f (83fd884a)
nt!PspSetCreateProcessNotifyRoutine+0x48:
83fd8841 384d10 cmp byte ptr [ebp+10h],cl
83fd8844 7519 jne nt!PspSetCreateProcessNotifyRoutine+0x64 (83fd885f)
nt!PspSetCreateProcessNotifyRoutine+0x4d:
83fd8846 eb08 jmp nt!PspSetCreateProcessNotifyRoutine+0x55 (83fd8850)
nt!PspSetCreateProcessNotifyRoutine+0x4f:
83fd884a 807d1000 cmp byte ptr [ebp+10h],0
83fd884e 740f je nt!PspSetCreateProcessNotifyRoutine+0x64 (83fd885f)
nt!PspSetCreateProcessNotifyRoutine+0x55:
83fd8850 8b450c mov eax,dword ptr [ebp+0Ch]
83fd8853 57 push edi
83fd8854 33c9 xor ecx,ecx
83fd8856 e8abfeffff call nt!ExCompareExchangeCallBack (83fd8706)
83fd885b 84c0 test al,al
83fd885d 7547 jne nt!PspSetCreateProcessNotifyRoutine+0xab (83fd88a6)
nt!PspSetCreateProcessNotifyRoutine+0x64:
83fd885f 8b450c mov eax,dword ptr [ebp+0Ch]
83fd8862 8bcf mov ecx,edi
83fd8864 e883aa0d00 call nt!ExDereferenceCallBackBlock (840b32ec)
nt!PspSetCreateProcessNotifyRoutine+0x6e:
83fd8869 83450c04 add dword ptr [ebp+0Ch],4
83fd886d 43 inc ebx
83fd886e 83fb40 cmp ebx,40h
83fd8871 72af jb nt!PspSetCreateProcessNotifyRoutine+0x29 (83fd8822)
nt!PspSetCreateProcessNotifyRoutine+0x78:
83fd8873 66ff8684000000 inc word ptr [esi+84h]
83fd887a 0fb78684000000 movzx eax,word ptr [esi+84h]
83fd8881 6685c0 test ax,ax
83fd8884 7516 jne nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fd889c)
nt!PspSetCreateProcessNotifyRoutine+0x8b:
83fd8886 8d4640 lea eax,[esi+40h]
83fd8889 3900 cmp dword ptr [eax],eax
83fd888b 740f je nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fd889c)
nt!PspSetCreateProcessNotifyRoutine+0x92:
83fd888d 6683be8600000000 cmp word ptr [esi+86h],0
83fd8895 7505 jne nt!PspSetCreateProcessNotifyRoutine+0xa1 (83fd889c)
nt!PspSetCreateProcessNotifyRoutine+0x9c:
83fd8897 e8fd3be9ff call nt!KiCheckForKernelApcDelivery (83e6c499)
nt!PspSetCreateProcessNotifyRoutine+0xa1:
83fd889c b87a0000c0 mov eax,0C000007Ah
83fd88a1 e9c5000000 jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b)
nt!PspSetCreateProcessNotifyRoutine+0xab:
83fd88a6 83c9ff or ecx,0FFFFFFFFh
83fd88a9 807d1000 cmp byte ptr [ebp+10h],0
83fd88ad b8e46df883 mov eax,offset nt!PspCreateProcessNotifyRoutineCount (83f86de4)
83fd88b2 7405 je nt!PspSetCreateProcessNotifyRoutine+0xbe (83fd88b9)
nt!PspSetCreateProcessNotifyRoutine+0xb9:
83fd88b4 b8e06df883 mov eax,offset nt!PspCreateProcessNotifyRoutineExCount (83f86de0)
nt!PspSetCreateProcessNotifyRoutine+0xbe:
83fd88b9 f00fc108 lock xadd dword ptr [eax],ecx
83fd88bd 8d049de06cf883 lea eax,nt!PspCreateProcessNotifyRoutine (83f86ce0)[ebx*4]
83fd88c4 8bcf mov ecx,edi
83fd88c6 e821aa0d00 call nt!ExDereferenceCallBackBlock (840b32ec)
83fd88cb 66ff8684000000 inc word ptr [esi+84h]
83fd88d2 0fb78684000000 movzx eax,word ptr [esi+84h]
83fd88d9 6685c0 test ax,ax
83fd88dc 7516 jne nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fd88f4)
nt!PspSetCreateProcessNotifyRoutine+0xe3:
83fd88de 8d4640 lea eax,[esi+40h]
83fd88e1 3900 cmp dword ptr [eax],eax
83fd88e3 740f je nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fd88f4)
nt!PspSetCreateProcessNotifyRoutine+0xea:
83fd88e5 6683be8600000000 cmp word ptr [esi+86h],0
83fd88ed 7505 jne nt!PspSetCreateProcessNotifyRoutine+0xf9 (83fd88f4)
nt!PspSetCreateProcessNotifyRoutine+0xf4:
83fd88ef e8a53be9ff call nt!KiCheckForKernelApcDelivery (83e6c499)
nt!PspSetCreateProcessNotifyRoutine+0xf9:
83fd88f4 8bcf mov ecx,edi
83fd88f6 e890f41600 call nt!ExWaitForCallBacks (84147d8b)
83fd88fb 57 push edi
83fd88fc e814780e00 call nt!SepFreeCapturedString (840c0115)
nt!PspSetCreateProcessNotifyRoutine+0x106:
83fd8901 33c0 xor eax,eax
83fd8903 eb66 jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b)
// path taken when registering a callback.
nt!PspSetCreateProcessNotifyRoutine+0x10a:
83fd8905 807d1000 cmp byte ptr [ebp+10h],0 // test whether the third argument is 0
83fd8909 7413 je nt!PspSetCreateProcessNotifyRoutine+0x123 (83fd891e)
nt!PspSetCreateProcessNotifyRoutine+0x110:
83fd890b ff7508 push dword ptr [ebp+8]
83fd890e e856affdff call nt!MmVerifyCallbackFunction (83fb3869)
83fd8913 85c0 test eax,eax
83fd8915 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x123 (83fd891e)
nt!PspSetCreateProcessNotifyRoutine+0x11c:
83fd8917 b8220000c0 mov eax,0C0000022h
83fd891c eb4d jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b)
// the third argument is pushed as 0 by default, so execution arrives here.
nt!PspSetCreateProcessNotifyRoutine+0x123:
83fd891e 33c0 xor eax,eax
83fd8920 384510 cmp byte ptr [ebp+10h],al
83fd8923 0f95c0 setne al // al = (arg3 != 0): if the compare was equal (ZF=1) al = 0, otherwise al = 1.
83fd8926 50 push eax 0
83fd8927 ff7508 push dword ptr [ebp+8] callback function address.
83fd892a e8a8fdffff call nt!ExAllocateCallBack (83fd86d7)
83fd892f 8bd8 mov ebx,eax
83fd8931 85db test ebx,ebx // test whether ebx is 0; jump if it is non-zero.
83fd8933 7507 jne nt!PspSetCreateProcessNotifyRoutine+0x141 (83fd893c)
nt!PspSetCreateProcessNotifyRoutine+0x13a:
83fd8935 b89a0000c0 mov eax,0C000009Ah
83fd893a eb2f jmp nt!PspSetCreateProcessNotifyRoutine+0x170 (83fd896b)
nt!PspSetCreateProcessNotifyRoutine+0x141:
83fd893c bee06cf883 mov esi,offset nt!PspCreateProcessNotifyRoutine (83f86ce0) // non-zero jumps here; load the array address.
83fd8941 33ff xor edi,edi
nt!PspSetCreateProcessNotifyRoutine+0x148:
83fd8943 6a00 push 0
83fd8945 8bcb mov ecx,ebx ecx = return value of ExAllocateCallBack.
83fd8947 8bc6 mov eax,esi eax = current array slot
83fd8949 e8b8fdffff call nt!ExCompareExchangeCallBack (83fd8706) // walks the array, comparing each slot, and installs the callback in the first empty one.
83fd894e 84c0 test al,al
83fd8950 7520 jne nt!PspSetCreateProcessNotifyRoutine+0x177 (83fd8972)
nt!PspSetCreateProcessNotifyRoutine+0x157:
83fd8952 83c704 add edi,4
83fd8955 83c604 add esi,4
83fd8958 81ff00010000 cmp edi,100h
83fd895e 72e3 jb nt!PspSetCreateProcessNotifyRoutine+0x148 (83fd8943)
nt!PspSetCreateProcessNotifyRoutine+0x165:
83fd8960 53 push ebx
83fd8961 e8af770e00 call nt!SepFreeCapturedString (840c0115)
83fd8966 b80d0000c0 mov eax,0C000000Dh
nt!PspSetCreateProcessNotifyRoutine+0x170:
83fd896b 5f pop edi
83fd896c 5e pop esi
83fd896d 5b pop ebx
83fd896e 5d pop ebp
83fd896f c20c00 ret 0Ch
nt!PspSetCreateProcessNotifyRoutine+0x177:
83fd8972 33c9 xor ecx,ecx
83fd8974 41 inc ecx
83fd8975 807d1000 cmp byte ptr [ebp+10h],0
83fd8979 7525 jne nt!PspSetCreateProcessNotifyRoutine+0x1a5 (83fd89a0)
nt!PspSetCreateProcessNotifyRoutine+0x180:
83fd897b b8e46df883 mov eax,offset nt!PspCreateProcessNotifyRoutineCount (83f86de4)
83fd8980 f00fc108 lock xadd dword ptr [eax],ecx
83fd8984 a1786bf883 mov eax,dword ptr [nt!PspNotifyEnableMask (83f86b78)]
83fd8989 a802 test al,2
83fd898b 0f8570ffffff jne nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901)
nt!PspSetCreateProcessNotifyRoutine+0x196:
83fd8991 b8786bf883 mov eax,offset nt!PspNotifyEnableMask (83f86b78)
83fd8996 f00fba2801 lock bts dword ptr [eax],1
83fd899b e961ffffff jmp nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901)
nt!PspSetCreateProcessNotifyRoutine+0x1a5:
83fd89a0 b8e06df883 mov eax,offset nt!PspCreateProcessNotifyRoutineExCount (83f86de0)
83fd89a5 f00fc108 lock xadd dword ptr [eax],ecx
83fd89a9 a1786bf883 mov eax,dword ptr [nt!PspNotifyEnableMask (83f86b78)]
83fd89ae a804 test al,4
83fd89b0 0f854bffffff jne nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901)
nt!PspSetCreateProcessNotifyRoutine+0x1bb:
83fd89b6 b8786bf883 mov eax,offset nt!PspNotifyEnableMask (83f86b78)
83fd89bb f00fba2802 lock bts dword ptr [eax],2
83fd89c0 e93cffffff jmp nt!PspSetCreateProcessNotifyRoutine+0x106 (83fd8901)
<===================================================================================>
From the above we can see how the callback array is obtained and how each slot's address is pushed on the stack. So the next function to reverse is the one that consumes it.
First look at the contents of the callback array.
83f86ce0 = callback function array
Looking at the callback array you will find that the values stored in it are not callback addresses.
The slot is then passed to ExReferenceCallBackBlock, so that function must operate on the stored value.
3. Reverse ExReferenceCallBackBlock
kd> uf ExReferenceCallBackBlock
nt!ExReferenceCallBackBlock:
840b31b8 8bff mov edi,edi
840b31ba 55 push ebp
840b31bb 8bec mov ebp,esp
840b31bd 8b5508 mov edx,dword ptr [ebp+8] edx = address of the array slot
840b31c0 8b0a mov ecx,dword ptr [edx] ecx = array[0], the first entry.
840b31c2 53 push ebx
840b31c3 56 push esi
840b31c4 57 push edi
840b31c5 6a07 push 7
840b31c7 5b pop ebx ebx = 7
840b31c8 84cb test bl,cl bl & cl, which here is certainly not 0.
840b31ca 7417 je nt!ExReferenceCallBackBlock+0x2b (840b31e3)
// bl & cl is not 0, so execution continues here.
nt!ExReferenceCallBackBlock+0x14:
840b31cc 8d41ff lea eax,[ecx-1] non-zero case: eax = ecx - 1, i.e. array[0] minus 1. For example an entry of 8d408c3f now becomes 8d408c3e
840b31cf 8bf0 mov esi,eax esi = ecx - 1
840b31d1 8bfa mov edi,edx edi = address of the array slot
840b31d3 8bc1 mov eax,ecx eax = array[0]
840b31d5 f00fb137 lock cmpxchg dword ptr [edi],esi if the slot still equals eax, atomically store array[0] - 1 into it.
840b31d9 3bc1 cmp eax,ecx did the exchange succeed (old value == expected)?
840b31db 7406 je nt!ExReferenceCallBackBlock+0x2b (840b31e3)
nt!ExReferenceCallBackBlock+0x25:
840b31dd 8bc8 mov ecx,eax
840b31df 84c3 test bl,al
840b31e1 75e9 jne nt!ExReferenceCallBackBlock+0x14 (840b31cc)
If they are equal, execution jumps here.
nt!ExReferenceCallBackBlock+0x2b:
840b31e3 85c9 test ecx,ecx ecx = the array[0] value
840b31e5 7507 jne nt!ExReferenceCallBackBlock+0x36 (840b31ee) // usually taken, because the entry is normally non-zero.
nt!ExReferenceCallBackBlock+0x2f:
840b31e7 33c0 xor eax,eax
840b31e9 e9f2000000 jmp nt!ExReferenceCallBackBlock+0x122 (840b32e0)
// jump target.
nt!ExReferenceCallBackBlock+0x36:
840b31ee 8bc1 mov eax,ecx eax = array[0]
840b31f0 23c3 and eax,ebx eax = array[0] & 7; here eax = 7
840b31f2 0f859a000000 jne nt!ExReferenceCallBackBlock+0xd4 (840b3292)
nt!ExReferenceCallBackBlock+0x40:
840b31f8 648b3524010000 mov esi,dword ptr fs:[124h]
840b31ff 66ff8e86000000 dec word ptr [esi+86h]
840b3206 6a11 push 11h
840b3208 b9d807f883 mov ecx,offset nt!ExpCallBackFlush (83f807d8)
840b320d 5f pop edi
840b320e 8bd9 mov ebx,ecx
840b3210 f00fb13b lock cmpxchg dword ptr [ebx],edi
840b3214 85c0 test eax,eax
840b3216 7408 je nt!ExReferenceCallBackBlock+0x68 (840b3220)
nt!ExReferenceCallBackBlock+0x60:
840b3218 e80c56e4ff call nt!ExfAcquirePushLockShared (83ef8829)
840b321d 8b5508 mov edx,dword ptr [ebp+8]
nt!ExReferenceCallBackBlock+0x68:
840b3220 8b3a mov edi,dword ptr [edx]
840b3222 83e7f8 and edi,0FFFFFFF8h
840b3225 7423 je nt!ExReferenceCallBackBlock+0x92 (840b324a)
nt!ExReferenceCallBackBlock+0x6f:
840b3227 8b0f mov ecx,dword ptr [edi]
840b3229 83e1fe and ecx,0FFFFFFFEh
840b322c 8d4102 lea eax,[ecx+2]
840b322f 8bd0 mov edx,eax
840b3231 8bdf mov ebx,edi
840b3233 8bc1 mov eax,ecx
840b3235 f00fb113 lock cmpxchg dword ptr [ebx],edx
840b3239 3bc1 cmp eax,ecx
840b323b 740d je nt!ExReferenceCallBackBlock+0x92 (840b324a)
nt!ExReferenceCallBackBlock+0x85:
840b323d 8bcf mov ecx,edi
840b323f e806a5e2ff call nt!ExfAcquireRundownProtection (83edd74a)
840b3244 84c0 test al,al
840b3246 7502 jne nt!ExReferenceCallBackBlock+0x92 (840b324a)
nt!ExReferenceCallBackBlock+0x90:
840b3248 33ff xor edi,edi
nt!ExReferenceCallBackBlock+0x92:
840b324a b9d807f883 mov ecx,offset nt!ExpCallBackFlush (83f807d8)
840b324f 6a11 push 11h
840b3251 33d2 xor edx,edx
840b3253 8bd9 mov ebx,ecx
840b3255 58 pop eax
840b3256 f00fb113 lock cmpxchg dword ptr [ebx],edx
840b325a 83f811 cmp eax,11h
840b325d 7405 je nt!ExReferenceCallBackBlock+0xac (840b3264)
nt!ExReferenceCallBackBlock+0xa7:
840b325f e80a54e4ff call nt!ExfReleasePushLockShared (83ef866e)
nt!ExReferenceCallBackBlock+0xac:
840b3264 66ff8686000000 inc word ptr [esi+86h]
840b326b 0fb78686000000 movzx eax,word ptr [esi+86h]
840b3272 6685c0 test ax,ax
840b3275 750c jne nt!ExReferenceCallBackBlock+0xcb (840b3283)
nt!ExReferenceCallBackBlock+0xbf:
840b3277 83c640 add esi,40h
840b327a 3936 cmp dword ptr [esi],esi
840b327c 7405 je nt!ExReferenceCallBackBlock+0xcb (840b3283)
nt!ExReferenceCallBackBlock+0xc6:
840b327e e81692dbff call nt!KiCheckForKernelApcDelivery (83e6c499)
nt!ExReferenceCallBackBlock+0xcb:
840b3283 85ff test edi,edi
840b3285 0f845cffffff je nt!ExReferenceCallBackBlock+0x2f (840b31e7)
nt!ExReferenceCallBackBlock+0xd3:
840b328b eb51 jmp nt!ExReferenceCallBackBlock+0x120 (840b32de)
// jumps to here.
nt!ExReferenceCallBackBlock+0xd4:
840b3292 83e1f8 and ecx,0FFFFFFF8h ecx = array[0] & 0xFFFFFFF8, which yields an address. The value in the array is no longer the original one: 8d408c3f became 8d408c3e
840b3295 8bf9 mov edi,ecx save the result in edi
840b3297 83f801 cmp eax,1
840b329a 7542 jne nt!ExReferenceCallBackBlock+0x120 (840b32de)
nt!ExReferenceCallBackBlock+0xde:
840b329c 8bd3 mov edx,ebx
840b329e e8f1c4e1ff call nt!ExAcquireRundownProtectionEx (83ecf794)
840b32a3 84c0 test al,al
840b32a5 7437 je nt!ExReferenceCallBackBlock+0x120 (840b32de)
nt!ExReferenceCallBackBlock+0xe9:
840b32a7 8b4508 mov eax,dword ptr [ebp+8]
840b32aa 8b08 mov ecx,dword ptr [eax]
840b32ac 8bc1 mov eax,ecx
840b32ae eb1d jmp nt!ExReferenceCallBackBlock+0x10f (840b32cd)
nt!ExReferenceCallBackBlock+0xf2:
840b32b0 8bc1 mov eax,ecx
840b32b2 83e0f8 and eax,0FFFFFFF8h
840b32b5 3bf8 cmp edi,eax
840b32b7 751c jne nt!ExReferenceCallBackBlock+0x117 (840b32d5)
nt!ExReferenceCallBackBlock+0xfb:
840b32b9 8b7508 mov esi,dword ptr [ebp+8]
840b32bc 8d4107 lea eax,[ecx+7]
840b32bf 8bd0 mov edx,eax
840b32c1 8bc1 mov eax,ecx
840b32c3 f00fb116 lock cmpxchg dword ptr [esi],edx
840b32c7 3bc1 cmp eax,ecx
840b32c9 7413 je nt!ExReferenceCallBackBlock+0x120 (840b32de)
nt!ExReferenceCallBackBlock+0x10d:
840b32cb 8bc8 mov ecx,eax
nt!ExReferenceCallBackBlock+0x10f:
840b32cd 23c3 and eax,ebx
840b32cf 03c3 add eax,ebx
840b32d1 3bc3 cmp eax,ebx
840b32d3 76db jbe nt!ExReferenceCallBackBlock+0xf2 (840b32b0)
nt!ExReferenceCallBackBlock+0x117:
840b32d5 8bd3 mov edx,ebx
840b32d7 8bcf mov ecx,edi
840b32d9 e8f96cdcff call nt!ExReleaseRundownProtectionEx (83e79fd7)
// eax = 7, not 1, so jump straight to the end
nt!ExReferenceCallBackBlock+0x120:
840b32de 8bc7 mov eax,edi return the result in eax.
nt!ExReferenceCallBackBlock+0x122:
840b32e0 5f pop edi
840b32e1 5e pop esi
840b32e2 5b pop ebx
840b32e3 5d pop ebp
840b32e4 c20400 ret 4
From reversing this function we learn that array[0] is modified: the stored value is decremented by 1, as seen in the array contents above.
So the first entry, 0x8d408c3f, becomes 0x8d408c3e.
Many branches are never taken. In the end the function address is decoded from the entry.
For example: 0x8d408c3e & 0xFFFFFFF8 = address of a function address table
as follows:
The second item of this function address table is the function address we are looking for.
It is 0x83f01d35; compare with the PCHunter view.
There is one issue: the value 0x8d408c3f becomes 0x8d408c3e, but 0x8d408c3f & 0xFFFFFFF8 gives the same result.
So the modification of the value noted above can be ignored.
A formula can be derived: function address = *((array[n] & 0xFFFFFFF8) + 4);
This formula can be applied directly; compute it once per entry.
With code you can walk the function address table. As a randomly chosen example, a function address table
whose second item is 8c5f89d8 is found correctly, which confirms the explanation.
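As an added example that is not part of the original post, here is a user-mode simulation of walking nt!PspCreateProcessNotifyRoutine with the formula derived above: each of the 64 slots holds a block pointer whose low three bits are reference bits (the "push 7" / "and eax,ebx" in ExReferenceCallBackBlock), so the block address is slot & 0xFFFFFFF8 and the registered routine is the second pointer-sized field of the block (+4 on 32-bit). The block layout and field names are assumptions, and the array memory is constructed here so the program runs offline on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define PSP_NOTIFY_SLOTS 64u                 /* "cmp ebx,40h" loop bound in the post */
#define EX_CALLBACK_REF_MASK ((uintptr_t)7)  /* low 3 bits are reference bits, not address */
/* Assumed block layout (field names are guesses); only the routine position,
 * the second pointer-sized field (+4 on 32-bit), comes from the post's formula.
 * 8-byte alignment keeps the low three bits of a block address free, as pool does. */
struct ex_callback_block {
    _Alignas(8) uintptr_t rundown_protect;
    uintptr_t routine;   /* address given to PsSetCreateProcessNotifyRoutine */
    uintptr_t context;
};

/* routine = *((array[n] & 0xFFFFFFF8) + 4); returns 0 for an empty slot. */
static uintptr_t decode_callback_slot(uintptr_t slot)
{
    uintptr_t block = slot & ~EX_CALLBACK_REF_MASK;
    if (block == 0)
        return 0;
    return ((const struct ex_callback_block *)block)->routine;
}

/* Walk all 64 slots and collect registered routines, the view an ARK tool
 * such as PCHunter presents. Returns how many were found. */
static size_t enumerate_process_callbacks(const uintptr_t *array, uintptr_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < PSP_NOTIFY_SLOTS && n < cap; i++) {
        uintptr_t routine = decode_callback_slot(array[i]);
        if (routine != 0)
            out[n++] = routine;
    }
    return n;
}
/* Constructed sample memory reusing the addresses the post quotes. Slot 0 is
 * currently referenced (low bits 7, like the post's 0x8d408c3f); slot 1 is idle. */
static struct ex_callback_block g_block_a = { 0, 0x83f01d35u, 0 };
static struct ex_callback_block g_block_b = { 0, 0x8c5f89d8u, 0 };
static uintptr_t g_array[PSP_NOTIFY_SLOTS];
static uintptr_t g_found[PSP_NOTIFY_SLOTS];

static size_t run_sample(void)
{
    g_array[0] = (uintptr_t)&g_block_a | 0x7;
    g_array[1] = (uintptr_t)&g_block_b;
    return enumerate_process_callbacks(g_array, g_found, PSP_NOTIFY_SLOTS);
}

int main(void)
{
    size_t n = run_sample();
    for (size_t i = 0; i < n; i++)
        printf("callback[%zu] = %#lx\n", i, (unsigned long)g_found[i]);
    return 0;
}
```

On a 64-bit host the routine field sits at +8 rather than +4; the struct expresses the formula in pointer-sized units so the same code applies to both.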
III. Summary
Since the array can be located by reversing, the following operations become possible:
1. Removing entries from the array. Given the function address, calling PsSetCreateProcessNotifyRoutine with the second parameter set to TRUE removes it. You can also do it yourself, which amounts to re-implementing the removal code inside this function.
2. Process callback priority: since the array can be found, you could write your callback into the first item of the array so that it is called first. I have not tried this; it is only a thought.
Next: reverse the 64-bit version.