僵尸进程的一点玩法

刈劲敌

僵尸过程的一面弄法

序言

那几天正在看WRK的工夫，偶尔间发明的一个工具，顺背以后，发明了个僵尸过程的弄法。如今菜鸡一枚，有道的不准确的处所，请各人多多斧正！
被疏忽的RundownProtection

看过WRK的同学们该当对那个属性没有陌生，每当要对某个过程举办操纵的工夫，总会有一个属性检查，揭上部门代码

ProcessToLock = FromProcess;
if (FromProcess == PsGetCurrentProcess()) {
ProcessToLock = ToProcess;
}
//
// Make sure the process still has an address space.
//
if (ExAcquireRundownProtection (&ProcessToLock->RundownProtect) == FALSE) {
return STATUS_PROCESS_IS_TERMINATING;
}

复造代码

那是RundownProtect的构造体，能够看到正在一般状况下是为0的

[Type: _EX_RUNDOWN_REF]
[+0x000] Count : 0x0 [Type: unsigned __int64]
[+0x000] Ptr : 0x0 [Type: void *]

复造代码

看到WRK的正文以后，便欲探究一下ExAcquireRundownProtection 。
ExAcquireRundownProtection

.text:00000001400FA630 48 8B 01 mov rax, [rcx]
.text:00000001400FA633 A8 01 test al, 1 ; 判定RunRef.count的位0能否为1，即是则跳转
.text:00000001400FA635 75 13 jnz short loc_1400FA64A ; 返回FALSE
.text:00000001400FA635
.text:00000001400FA637 44 8D 04 12 lea r8d, [rdx+rdx] ; 参数
.text:00000001400FA637
.text:00000001400FA63B
.text:00000001400FA63B loc_1400FA63B: ; CODE XREF: ExAcquireRundownProtectionEx+18↓j
.text:00000001400FA63B 49 8D 14 00 lea rdx, [r8+rax] ; 参数
.text:00000001400FA63F F0 48 0F B1 11 lock cmpxchg [rcx], rdx ; Compare and Exchange
.text:00000001400FA644 74 07 jz short loc_1400FA64D ; 返回TRUE
.text:00000001400FA644
.text:00000001400FA646 A8 01 test al, 1 ; Logical Compare
.text:00000001400FA648 74 F1 jz short loc_1400FA63B ; 轮回
.text:00000001400FA648
.text:00000001400FA64A
.text:00000001400FA64A loc_1400FA64A: ; CODE XREF: ExAcquireRundownProtectionEx+5↑j
.text:00000001400FA64A 32 C0 xor al, al ; 返回FALSE
.text:00000001400FA64C C3 retn ; Return Near from Procedure
.text:00000001400FA64C
.text:00000001400FA64D ; ---------------------------------------------------------------------------
.text:00000001400FA64D
.text:00000001400FA64D loc_1400FA64D: ; CODE XREF: ExAcquireRundownProtectionEx+14↑j
.text:00000001400FA64D B0 01 mov al, 1 ; 返回TRUE
.text:00000001400FA64F C3 retn ; Return Near from Procedure

复造代码

颠末一番顺背后，发明当RundownProtection的第一个成员的第整位（两进造）为0时，则函数返回TRUE，不然返回FALSE。
使用

假如我们修正RundownProtect为1，那末能否能够完成任何API会见此过程皆失利呢，接下去做一下尝试。

kd> dt _EPROCESS fffffa8002402710
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER 0x01d7a08a`1c139093
+0x170 ExitTime : _LARGE_INTEGER 0x0
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : 0x00000000`0000057c Void
+0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`02b6e5b8 - 0xfffffa80`027b1528 ]
+0x198 ProcessQuotaUsage : [2] 0x2680
+0x1a8 ProcessQuotaPeak : [2] 0x2c20
+0x1b8 CommitCharge : 0x1f8
+0x1c0 QuotaBlock : 0xfffffa80`010724c0 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : (null)
+0x1d0 PeakVirtualSize : 0x6002000
+0x1d8 VirtualSize : 0x50e7000
+0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0xfffffa80`02af5b40 - 0xfffffa80`027b1580 ]
+0x1f0 DebugPort : (null)
+0x1f8 ExceptionPortData : 0xfffffa80`01fd5c90 Void
+0x1f8 ExceptionPortValue : 0xfffffa80`01fd5c90
+0x1f8 ExceptionPortState : 0y000
+0x200 ObjectTable : 0xfffff8a0`021b6d70 _HANDLE_TABLE
+0x208 Token : _EX_FAST_REF
+0x210 WorkingSetPage : 0x22102
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : (null)
+0x228 ForkInProgress : (null)
+0x230 HardwareTrigger : 0
+0x238 PhysicalVadRoot : 0xfffffa80`00d95bc0 _MM_AVL_TABLE
+0x240 CloneRoot : (null)
+0x248 NumberOfPrivatePages : 0x18c
+0x250 NumberOfLockedPages : 0
+0x258 Win32Process : 0xfffff900`c2ffd010 Void
+0x260 Job : 0xfffffa80`00d27220 _EJOB
+0x268 SectionObject : 0xfffff8a0`02aeb6e0 Void
+0x270 SectionBaseAddress : 0x00000000`00400000 Void
+0x278 Cookie : 0xf2b3718a
+0x27c UmsScheduledThreads : 0
+0x280 WorkingSetWatch : (null)
+0x288 Win32WindowStation : 0x00000000`0000005c Void
+0x290 InheritedFromUniqueProcessId : 0x00000000`00000524 Void
+0x298 LdtInformation : (null)
+0x2a0 Spare : (null)
+0x2a8 ConsoleHostProcess : 0
+0x2b0 DeviceMap : 0xfffff8a0`015bff10 Void
+0x2b8 EtwDataSource : (null)
+0x2c0 FreeTebHint : 0x00000000`7efa0000 Void
+0x2c8 FreeUmsTebHint : 0x00000001`00000000 Void
+0x2d0 PageDirectoryPte : _HARDWARE_PTE
+0x2d0 Filler : 0
+0x2d8 Session : 0xfffff880`009c9000 Void
+0x2e0 ImageFileName : [15] "Dbgview.exe"
+0x2ef PriorityClass : 0x2 ''
+0x2f0 JobLinks : _LIST_ENTRY [ 0xfffffa80`00d27248 - 0xfffffa80`00d27248 ]
+0x300 LockedPagesList : (null)
+0x308 ThreadListHead : _LIST_ENTRY [ 0xfffffa80`024b6f80 - 0xfffffa80`02515860 ]
+0x318 SecurityPort : (null)
+0x320 Wow64Process : 0x00000000`7efde000 Void
+0x328 ActiveThreads : 3
+0x32c ImagePathHash : 0xdecf2e47
+0x330 DefaultHardErrorProcessing : 1
+0x334 LastThreadExitStatus : 0n0
+0x338 Peb : 0x00000000`7efdf000 _PEB
+0x340 PrefetchTrace : _EX_FAST_REF
+0x348 ReadOperationCount : _LARGE_INTEGER 0x0
+0x350 WriteOperationCount : _LARGE_INTEGER 0x0
+0x358 OtherOperationCount : _LARGE_INTEGER 0x0
+0x360 ReadTransferCount : _LARGE_INTEGER 0x0
+0x368 WriteTransferCount : _LARGE_INTEGER 0x0
+0x370 OtherTransferCount : _LARGE_INTEGER 0x0
+0x378 CommitChargeLimit : 0
+0x380 CommitChargePeak : 0x226
+0x388 AweInfo : (null)
+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x398 Vm : _MMSUPPORT
+0x420 MmProcessLinks : _LIST_ENTRY [ 0xfffffa80`02b6e850 - 0xfffffa80`027b17c0 ]
+0x430 HighestUserAddress : 0x00000000`7fff0000 Void
+0x438 ModifiedPageCount : 7
+0x43c Flags2 : 0x2d014
+0x43c JobNotReallyActive : 0y0
+0x43c AccountingFolded : 0y0
+0x43c NewProcessReported : 0y1
+0x43c ExitProcessReported : 0y0
+0x43c ReportCommitChanges : 0y1
+0x43c LastReportMemory : 0y0
+0x43c ReportPhysicalPageChanges : 0y0
+0x43c HandleTableRundown : 0y0
+0x43c NeedsHandleRundown : 0y0
+0x43c RefTraceEnabled : 0y0
+0x43c NumaAware : 0y0
+0x43c ProtectedProcess : 0y0
+0x43c DefaultPagePriority : 0y101
+0x43c PrimaryTokenFrozen : 0y1
+0x43c ProcessVerifierTarget : 0y0
+0x43c StackRandomizationDisabled : 0y1
+0x43c AffinityPermanent : 0y0
+0x43c AffinityUpdateEnable : 0y0
+0x43c PropagateNode : 0y0
+0x43c ExplicitAffinity : 0y0
+0x440 Flags : 0x144d0801
+0x440 CreateReported : 0y1
+0x440 NoDebugInherit : 0y0
+0x440 ProcessExiting : 0y0
+0x440 ProcessDelete : 0y0
+0x440 Wow64SplitPages : 0y0
+0x440 VmDeleted : 0y0
+0x440 OutswapEnabled : 0y0
+0x440 Outswapped : 0y0
+0x440 ForkFailed : 0y0
+0x440 Wow64VaSpace4Gb : 0y0
+0x440 AddressSpaceInitialized : 0y10
+0x440 SetTimerResolution : 0y0
+0x440 BreakOnTermination : 0y0
+0x440 DeprioritizeViews : 0y0
+0x440 WriteWatch : 0y0
+0x440 ProcessInSession : 0y1
+0x440 OverrideAddressSpace : 0y0
+0x440 HasAddressSpace : 0y1
+0x440 LaunchPrefetched : 0y1
+0x440 InjectInpageErrors : 0y0
+0x440 VmTopDown : 0y0
+0x440 ImageNotifyDone : 0y1
+0x440 PdeUpdateNeeded : 0y0
+0x440 VdmAllowed : 0y0
+0x440 CrossSessionCreate : 0y0
+0x440 ProcessInserted : 0y1
+0x440 DefaultIoPriority : 0y010
+0x440 ProcessSelfDelete : 0y0
+0x440 SetTimerResolutionLink : 0y0
+0x444 ExitStatus : 0n259
+0x448 VadRoot : _MM_AVL_TABLE
+0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a8 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x4b8 RequestedTimerResolution : 0
+0x4bc ActiveThreadsHighWatermark : 6
+0x4c0 SmallestTimerResolution : 0
+0x4c8 TimerResolutionStackRecord : (null)

复造代码

我们看到0x178偏偏移处，找到了RundownProtect那个属性，接着修正为1（第0位为0的数皆可）。

kd> ed fffffa8002402710+178 1

复造代码

接着我们进进假造机检察结果

程序一般运转，没有会PG。
（测试情况Win7 X64 7600）
总结

那个函数另有许多用途，比方多线程同步等等，另有便是…做完才发明，曾经有年夜佬收过那个思绪了~
更早的一篇

免责声明：假如进犯了您的权益，请联络站少，我们会实时删除侵权内乱容，感谢协作！