Preface:
```text
#if 0

Actually, what I am about to do here has a precondition.
One evening I was discussing a related technical question with a friend
(since I don't fully understand it either, I wasn't sure my view was right, which is why it was a discussion).
We got onto the topic of the Windows mapping mechanism.
The scenario we modelled was this:
(a simple scenario, under x86, not the more complicated x64 case)
There are two processes in the system, A and B. Process A loads a system DLL, and process B loads the same system DLL (ntdll, kernel32, and so on).
At that point, what does the memory of this DLL look like system-wide: is there one copy of the data in physical memory that is mapped into multiple processes, or are there multiple copies to begin with?
On this point we actually had no disagreement; it is basic theory: the DLL has one copy of its data in physical memory, which is mapped into multiple processes.
The later part is where our disagreement came up.
Given that there is only one copy, how does the system guarantee that if I hook this DLL in process B, the DLL in process A is unchanged and not hooked?

I don't know how Windows actually implements it. The only reasonable solution I could think of at the time was... copy-on-write...
At the moment it is mapped in, the data is unchanged, and as long as nothing modifies it, it won't change. But when the hook is installed, at the moment memory is written, it changes:
the system, or the CPU, makes a copy of it and then replaces the current page with the copied page. Using copy-on-write, hooking memory in the current process is achieved while other processes stay unchanged.
At the time my colleague had no reasonable solution of his own, yet he said my idea was wrong and had problems.
So we disagreed,
and that is how today's post came about.

Actually it isn't much of a post; it is just a pile of debugging output.

#endif
```
Body:
Computing the ntdll module memory of the alg process
```text
[PC Hunter Standard][[alg.exe] process modules (35)]: 35
Module path    Base address    Size    File vendor
C:\WINDOWS\System32\alg.exe 0x01000000 0x0000D000 Microsoft Corporation
C:\WINDOWS\system32\ntdll.dll 0x7C920000 0x00096000 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x0011E000 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 0x77BE0000 0x00058000 Microsoft Corporation
C:\WINDOWS\System32\ATL.DLL 0x76AF0000 0x00011000 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 0x77D10000 0x00090000 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 0x77EF0000 0x00049000 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 0x77DA0000 0x000A9000 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 0x77E50000 0x00093000 Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll 0x77FC0000 0x00011000 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 0x76990000 0x0013E000 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 0x770F0000 0x0008B000 Microsoft Corporation
C:\WINDOWS\System32\WSOCK32.dll 0x71A40000 0x0000B000 Microsoft Corporation
C:\WINDOWS\System32\WS2_32.dll 0x71A20000 0x00017000 Microsoft Corporation
C:\WINDOWS\System32\WS2HELP.dll 0x71A10000 0x00008000 Microsoft Corporation
C:\WINDOWS\System32\MSWSOCK.DLL 0x719C0000 0x0003E000 Microsoft Corporation
C:\WINDOWS\System32\ShimEng.dll 0x5CC30000 0x00026000 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 0x58FB0000 0x001CA000 Microsoft Corporation
C:\WINDOWS\System32\WINMM.dll 0x76B10000 0x0002A000 Microsoft Corporation
C:\WINDOWS\System32\MSACM32.dll 0x77BB0000 0x00015000 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 0x77BD0000 0x00008000 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 0x7D590000 0x007F4000 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 0x77F40000 0x00076000 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 0x759D0000 0x000AF000 Microsoft Corporation
C:\WINDOWS\System32\UxTheme.dll 0x5ADC0000 0x00037000 Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL 0x76300000 0x0001D000 Microsoft Corporation
C:\WINDOWS\System32\LPK.DLL 0x62C20000 0x00009000 Microsoft Corporation
C:\WINDOWS\System32\USP10.dll 0x73FA0000 0x0006B000 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll 0x77180000 0x00103000 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 0x5D170000 0x0009A000 Microsoft Corporation
C:\WINDOWS\System32\CLBCATQ.DLL 0x76FA0000 0x0007F000 Microsoft Corporation
C:\WINDOWS\System32\COMRes.dll 0x77020000 0x0009A000 Microsoft Corporation
C:\WINDOWS\System32\xpsp2res.dll 0x00730000 0x00549000 Microsoft Corporation
C:\WINDOWS\system32\hnetcfg.dll 0x60FD0000 0x00055000 Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll 0x71A00000 0x00008000 Microsoft Corporation

PAE is enabled

PROCESS 8177d020 SessionId: 0 Cid: 0284 Peb: 7ffdb000 ParentCid: 02ec
    DirBase: 02b80180 ObjectTable: e2622c08 HandleCount: 106.
    Image: alg.exe

.process /i 8177d020

kd> r cr3
cr3=02b80180

kd> !dd 02b80180
# 2b80180 0cc7f801 00000000 0e580801 00000000
# 2b80190 0de41801 00000000 0dd7e801 00000000
# 2b801a0 f8c63220 00000000 08e54801 00000000
# 2b801b0 08e56801 00000000 08e53801 00000000
# 2b801c0 1ad6e801 00000000 1ad6f801 00000000
# 2b801d0 1ad70801 00000000 1ad6d801 00000000
# 2b801e0 1aebc801 00000000 1af3d801 00000000
# 2b801f0 1af3e801 00000000 1aefb801 00000000

7C920000

bits:    2     9     9    12
index:   1  0x1E4 0x120     0

kd> !dq 0x0e580000+0x1E4*8
# e580f20 00000000`0ea1a867 00000000`00000000
# e580f30 00000000`00000000 00000000`00000000
# e580f40 00000000`00000000 00000000`00000000
# e580f50 00000000`0eeb2867 00000000`0eeb3867
# e580f60 00000000`1031b867 00000000`0eb5b867
# e580f70 00000000`0e515867 00000000`00000000
# e580f80 00000000`00000000 00000000`00000000
# e580f90 00000000`00000000 00000000`00000000

kd> !dq 0x0ea1a000+0x120*8
# ea1a900 80000000`03e0f025 00000000`055e4025
# ea1a910 00000000`055e5025 00000000`055e6025
# ea1a920 00000000`055e7025 00000000`055e8025
# ea1a930 00000000`055e9025 00000000`055ea025
# ea1a940 00000000`055eb025 00000000`055ec025
# ea1a950 00000000`055ed025 00000000`055ee025
# ea1a960 00000000`055ef025 00000000`055f0025
# ea1a970 00000000`055f1025 00000000`055f2025

kd> !db 0x03e0f000
# 3e0f000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 3e0f010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 3e0f020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3e0f030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 3e0f040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 3e0f050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 3e0f060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
# 3e0f070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

kd> db 7C920000
7c920000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
7c920010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
7c920020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
7c920030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
7c920040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
7c920050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
7c920060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
7c920070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

Now look at this location, the address that has already been hooked:
0x7C94188B
The base address is the same in every process (it is the same module),
so for each process it is enough to look at the physical address this address maps to, and the data there.

.process /i 8177d020

kd> r cr3
cr3=02b80180

kd> !dd 02b80180
# 2b80180 0cc7f801 00000000 0e580801 00000000
# 2b80190 0de41801 00000000 0dd7e801 00000000
# 2b801a0 f8c63220 00000000 08e54801 00000000
# 2b801b0 08e56801 00000000 08e53801 00000000
# 2b801c0 1ad6e801 00000000 1ad6f801 00000000
# 2b801d0 1ad70801 00000000 1ad6d801 00000000
# 2b801e0 1aebc801 00000000 1af3d801 00000000
# 2b801f0 1af3e801 00000000 1aefb801 00000000

0x7C94188B

bits:    2     9     9     12
index:   1  0x1E4 0x141  0x88B

kd> !dq 0x0e580000+0x1E4*8
# e580f20 00000000`0ea1a867 00000000`00000000
# e580f30 00000000`00000000 00000000`00000000
# e580f40 00000000`00000000 00000000`00000000
# e580f50 00000000`0eeb2867 00000000`0eeb3867
# e580f60 00000000`1031b867 00000000`0eb5b867
# e580f70 00000000`0e515867 00000000`00000000
# e580f80 00000000`00000000 00000000`00000000
# e580f90 00000000`00000000 00000000`00000000

kd> !dq 0x0ea1a000+0x141*8
# ea1aa08 00000000`05704025 00000000`05705025
# ea1aa18 00000000`05706025 00000000`056c7025
# ea1aa28 00000000`056c8025 00000000`056c9025
# ea1aa38 00000000`056ca025 00000000`056cb025
# ea1aa48 00000000`056cc025 00000000`0568d025
# ea1aa58 00000000`0568e025 00000000`0568f025
# ea1aa68 00000000`05650025 00000000`05651025
# ea1aa78 00000000`05652025 00000000`05653025

kd> !db 0570488B
# 570488b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
# 570489b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
# 57048ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
# 57048bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
# 57048cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
# 57048db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
# 57048eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
# 57048fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
7c94189b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
7c9418ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
7c9418bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
7c9418cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
7c9418db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
7c9418eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
7c9418fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f
```
Computing the ntdll module memory of the imapi process
```text
[PC Hunter Standard][[imapi.exe] process modules (35)]: 35
Module path    Base address    Size    File vendor
C:\WINDOWS\system32\imapi.exe 0x01000000 0x00029000 Microsoft Corporation
C:\WINDOWS\system32\ntdll.dll 0x7C920000 0x00096000 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x0011E000 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 0x77DA0000 0x000A9000 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 0x77E50000 0x00093000 Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll 0x77FC0000 0x00011000 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 0x77D10000 0x00090000 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 0x77EF0000 0x00049000 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 0x76990000 0x0013E000 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 0x77BE0000 0x00058000 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 0x770F0000 0x0008B000 Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll 0x76060000 0x00156000 Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll 0x5CC30000 0x00026000 Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL 0x58FB0000 0x001CA000 Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll 0x76B10000 0x0002A000 Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll 0x77BB0000 0x00015000 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 0x77BD0000 0x00008000 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 0x7D590000 0x007F4000 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 0x77F40000 0x00076000 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 0x759D0000 0x000AF000 Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll 0x5ADC0000 0x00037000 Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL 0x76300000 0x0001D000 Microsoft Corporation
C:\WINDOWS\system32\LPK.DLL 0x62C20000 0x00009000 Microsoft Corporation
C:\WINDOWS\system32\USP10.dll 0x73FA0000 0x0006B000 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll 0x77180000 0x00103000 Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll 0x5D170000 0x0009A000 Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll 0x00830000 0x00549000 Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL 0x76FA0000 0x0007F000 Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll 0x77020000 0x0009A000 Microsoft Corporation
C:\WINDOWS\system32\ACTXPRXY.DLL 0x71CC0000 0x0001B000 Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll 0x68000000 0x00036000 Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll 0x76C00000 0x0002E000 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 0x765E0000 0x00095000 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 0x76DB0000 0x00012000 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll 0x76C60000 0x00029000 Microsoft Corporation

PAE is enabled

PROCESS 817714b8 SessionId: 0 Cid: 0e38 Peb: 7ffdd000 ParentCid: 02ec
    DirBase: 02b803c0 ObjectTable: e1936438 HandleCount: 118.
    Image: imapi.exe

.process /i 817714b8

kd> r cr3
cr3=02b803c0

kd> !dd 02b803c0
# 2b803c0 087c7801 00000000 1a663801 00000000
# 2b803d0 06e4a801 00000000 08c02801 00000000
# 2b803e0 f8c63300 00000000 130dc801 00000000
# 2b803f0 06e9d801 00000000 12bda801 00000000
# 2b80400 0b8ef801 00000000 07a70801 00000000
# 2b80410 0b931801 00000000 06e6e801 00000000
# 2b80420 0ddc5801 00000000 18886801 00000000
# 2b80430 11547801 00000000 12004801 00000000

7C920000

bits:    2     9     9    12
index:   1  0x1E4 0x120     0

kd> !dq 0x1a663000+0x1E4*8
#1a663f20 00000000`08bcb867 00000000`00000000
#1a663f30 00000000`00000000 00000000`00000000
#1a663f40 00000000`00000000 00000000`00000000
#1a663f50 00000000`08ea6867 00000000`04c51867
#1a663f60 00000000`0b68a867 00000000`13fa7867
#1a663f70 00000000`09712867 00000000`00000000
#1a663f80 00000000`00000000 00000000`00000000
#1a663f90 00000000`00000000 00000000`00000000

kd> !dq 0x08bcb000+0x120*8
# 8bcb900 80000000`03e0f025 00000000`055e4025
# 8bcb910 00000000`055e5025 00000000`055e6025
# 8bcb920 00000000`055e7025 00000000`055e8025
# 8bcb930 00000000`055e9025 00000000`055ea025
# 8bcb940 00000000`055eb025 00000000`055ec025
# 8bcb950 00000000`055ed025 00000000`055ee025
# 8bcb960 00000000`055ef025 00000000`055f0025
# 8bcb970 00000000`055f1025 00000000`055f2025

kd> !db 0x03e0f000
# 3e0f000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 3e0f010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 3e0f020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3e0f030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 3e0f040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 3e0f050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 3e0f060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
# 3e0f070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

kd> db 7C920000
7c920000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
7c920010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
7c920020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
7c920030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
7c920040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
7c920050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
7c920060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
7c920070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

Now look at this location, the address that has already been hooked:
0x7C94188B
The base address is the same in every process (it is the same module),
so for each process it is enough to look at the physical address this address maps to, and the data there.

.process /i 817714b8

kd> r cr3
cr3=02b803c0

kd> !dd 02b803c0
# 2b803c0 087c7801 00000000 1a663801 00000000
# 2b803d0 06e4a801 00000000 08c02801 00000000
# 2b803e0 f8c63300 00000000 130dc801 00000000
# 2b803f0 06e9d801 00000000 12bda801 00000000
# 2b80400 0b8ef801 00000000 07a70801 00000000
# 2b80410 0b931801 00000000 06e6e801 00000000
# 2b80420 0ddc5801 00000000 18886801 00000000
# 2b80430 11547801 00000000 12004801 00000000

0x7C94188B

bits:    2     9     9     12
index:   1  0x1E4 0x141  0x88B

kd> !dq 0x1a663000+0x1E4*8
#1a663f20 00000000`08bcb867 00000000`00000000
#1a663f30 00000000`00000000 00000000`00000000
#1a663f40 00000000`00000000 00000000`00000000
#1a663f50 00000000`08ea6867 00000000`04c51867
#1a663f60 00000000`0b68a867 00000000`13fa7867
#1a663f70 00000000`09712867 00000000`00000000
#1a663f80 00000000`00000000 00000000`00000000
#1a663f90 00000000`00000000 00000000`00000000

kd> !dq 0x08bcb000+0x141*8
# 8bcba08 00000000`05704025 00000000`05705025
# 8bcba18 00000000`05706025 00000000`056c7025
# 8bcba28 00000000`056c8025 00000000`056c9025
# 8bcba38 00000000`056ca025 00000000`056cb025
# 8bcba48 00000000`056cc025 00000000`0568d025
# 8bcba58 00000000`0568e025 00000000`0568f025
# 8bcba68 00000000`05650025 00000000`05651025
# 8bcba78 00000000`05652025 00000000`05653025

kd> !db 0570488B
# 570488b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
# 570489b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
# 57048ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
# 57048bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
# 57048cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
# 57048db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
# 57048eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
# 57048fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
7c94189b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
7c9418ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
7c9418bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
7c9418cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
7c9418db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
7c9418eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
7c9418fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f
```
The first two processes above are both normal processes.
What is computed here is the explorer process; this process has been tampered with and has many hook points inside it.
One hook point is computed here:
ntdll.dll->RtlCreateProcessParameters
The hook point of this function is at 0x7C94188B.
The three computations above also worked through this hook location.
1 [PC Hunter Standard][[explorer.exe]进程模块(123)]: 123 2 模块路径 基地址 大小 文件厂商 3 C:\WINDOWS\Explorer.EXE 0x01000000 0x000F1000 Microsoft Corporation 4 C:\WINDOWS\system32\ntdll.dll 0x7C920000 0x00096000 Microsoft Corporation 5 C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x0011E000 Microsoft Corporation 6 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\exnscan.dll 0x10000000 0x00075000 Tencent 7 C:\WINDOWS\system32\CRYPT32.dll 0x765E0000 0x00095000 Microsoft Corporation 8 C:\WINDOWS\system32\ADVAPI32.dll 0x77DA0000 0x000A9000 Microsoft Corporation 9 C:\WINDOWS\system32\RPCRT4.dll 0x77E50000 0x00093000 Microsoft Corporation 10 C:\WINDOWS\system32\Secur32.dll 0x77FC0000 0x00011000 Microsoft Corporation 11 C:\WINDOWS\system32\MSASN1.dll 0x76DB0000 0x00012000 Microsoft Corporation 12 C:\WINDOWS\system32\msvcrt.dll 0x77BE0000 0x00058000 Microsoft Corporation 13 C:\WINDOWS\system32\USER32.dll 0x77D10000 0x00090000 Microsoft Corporation 14 C:\WINDOWS\system32\GDI32.dll 0x77EF0000 0x00049000 Microsoft Corporation 15 C:\WINDOWS\system32\WS2_32.dll 0x71A20000 0x00017000 Microsoft Corporation 16 C:\WINDOWS\system32\WS2HELP.dll 0x71A10000 0x00008000 Microsoft Corporation 17 C:\WINDOWS\system32\SHELL32.dll 0x7D590000 0x007F4000 Microsoft Corporation 18 C:\WINDOWS\system32\SHLWAPI.dll 0x77F40000 0x00076000 Microsoft Corporation 19 C:\WINDOWS\system32\ole32.dll 0x76990000 0x0013E000 Microsoft Corporation 20 C:\WINDOWS\system32\VERSION.dll 0x77BD0000 0x00008000 Microsoft Corporation 21 C:\WINDOWS\system32\PSAPI.DLL 0x76BC0000 0x0000B000 Microsoft Corporation 22 C:\WINDOWS\system32\NETAPI32.dll 0x5FDD0000 0x00055000 Microsoft Corporation 23 C:\WINDOWS\system32\iphlpapi.dll 0x76D30000 0x00018000 Microsoft Corporation 24 C:\WINDOWS\system32\BROWSEUI.dll 0x75EF0000 0x000FD000 Microsoft Corporation 25 C:\WINDOWS\system32\OLEAUT32.dll 0x770F0000 0x0008B000 Microsoft Corporation 26 C:\WINDOWS\system32\SHDOCVW.dll 0x7E550000 0x00173000 Microsoft Corporation 27 C:\WINDOWS\system32\CRYPTUI.dll 
0x75430000 0x00071000 Microsoft Corporation 28 C:\WINDOWS\system32\WININET.dll 0x76680000 0x000A6000 Microsoft Corporation 29 C:\WINDOWS\system32\WINTRUST.dll 0x76C00000 0x0002E000 Microsoft Corporation 30 C:\WINDOWS\system32\IMAGEHLP.dll 0x76C60000 0x00029000 Microsoft Corporation 31 C:\WINDOWS\system32\WLDAP32.dll 0x76F30000 0x0002C000 Microsoft Corporation 32 C:\WINDOWS\system32\UxTheme.dll 0x5ADC0000 0x00037000 Microsoft Corporation 33 C:\WINDOWS\system32\ShimEng.dll 0x5CC30000 0x00026000 Microsoft Corporation 34 C:\WINDOWS\AppPatch\AcGenral.DLL 0x58FB0000 0x001CA000 Microsoft Corporation 35 C:\WINDOWS\system32\WINMM.dll 0x76B10000 0x0002A000 Microsoft Corporation 36 C:\WINDOWS\system32\MSACM32.dll 0x77BB0000 0x00015000 Microsoft Corporation 37 C:\WINDOWS\system32\USERENV.dll 0x759D0000 0x000AF000 Microsoft Corporation 38 C:\WINDOWS\system32\IMM32.DLL 0x76300000 0x0001D000 Microsoft Corporation 39 C:\WINDOWS\system32\LPK.DLL 0x62C20000 0x00009000 Microsoft Corporation 40 C:\WINDOWS\system32\USP10.dll 0x73FA0000 0x0006B000 Microsoft Corporation 41 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll 0x77180000 0x00103000 Microsoft Corporation 42 C:\WINDOWS\system32\comctl32.dll 0x5D170000 0x0009A000 Microsoft Corporation 43 C:\Program Files\360\360safe\safemon\SafeWrapper32.dll 0x70000000 0x00005000 360.cn 44 C:\Program Files\360\360safe\safemon\safemon.dll 0x70200000 0x0024C000 360.cn 45 C:\Program Files\360\360safe\safemon\Safehmpg.dll 0x00BC0000 0x0009B000 46 C:\Program Files\360\360safe\360verify.dll 0x00D70000 0x0001C000 47 C:\WINDOWS\System32\mswsock.dll 0x719C0000 0x0003E000 Microsoft Corporation 48 C:\WINDOWS\system32\DNSAPI.dll 0x76EF0000 0x00027000 Microsoft Corporation 49 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll 0x01250000 0x00040000 Tencent 50 C:\WINDOWS\system32\CLBCATQ.DLL 0x76FA0000 0x0007F000 Microsoft Corporation 51 C:\WINDOWS\system32\COMRes.dll 0x77020000 
0x0009A000 Microsoft Corporation 52 C:\WINDOWS\System32\winrnr.dll 0x76F80000 0x00008000 Microsoft Corporation 53 C:\WINDOWS\system32\MPRAPI.dll 0x76D10000 0x00018000 Microsoft Corporation 54 C:\WINDOWS\system32\ACTIVEDS.dll 0x77C90000 0x00032000 Microsoft Corporation 55 C:\WINDOWS\system32\adsldpc.dll 0x76DE0000 0x00025000 Microsoft Corporation 56 C:\WINDOWS\system32\ATL.DLL 0x76AF0000 0x00011000 Microsoft Corporation 57 C:\WINDOWS\system32\rtutils.dll 0x76E50000 0x0000E000 Microsoft Corporation 58 C:\WINDOWS\system32\SAMLIB.dll 0x71B70000 0x00013000 Microsoft Corporation 59 C:\WINDOWS\system32\SETUPAPI.dll 0x76060000 0x00156000 Microsoft Corporation 60 C:\WINDOWS\system32\msctfime.ime 0x73640000 0x0002E000 Microsoft Corporation 61 C:\WINDOWS\system32\rasadhlp.dll 0x76F90000 0x00006000 Microsoft Corporation 62 C:\WINDOWS\system32\appHelp.dll 0x76D70000 0x00022000 Microsoft Corporation 63 C:\Program Files\360\360safe\safemon\360UDiskGuard.dll 0x01930000 0x00034000 360.cn 64 C:\WINDOWS\system32\hnetcfg.dll 0x60FD0000 0x00055000 Microsoft Corporation 65 C:\WINDOWS\System32\wshtcpip.dll 0x71A00000 0x00008000 Microsoft Corporation 66 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMGCShellExt.dll 0x019B0000 0x00071000 Tencent 67 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll 0x78130000 0x0009B000 Microsoft Corporation 68 C:\WINDOWS\System32\cscui.dll 0x76590000 0x0004E000 Microsoft Corporation 69 C:\WINDOWS\System32\CSCDLL.dll 0x76570000 0x0001C000 Microsoft Corporation 70 C:\WINDOWS\system32\themeui.dll 0x5B680000 0x0006E000 Microsoft Corporation 71 C:\WINDOWS\system32\MSIMG32.dll 0x762F0000 0x00005000 Microsoft Corporation 72 C:\WINDOWS\system32\xpsp2res.dll 0x01AF0000 0x00549000 Microsoft Corporation 73 C:\WINDOWS\system32\ACTXPRXY.DLL 0x71CC0000 0x0001B000 Microsoft Corporation 74 C:\WINDOWS\system32\msutb.dll 0x5FE40000 0x00031000 Microsoft Corporation 75 C:\WINDOWS\system32\MSCTF.dll 0x74680000 0x0004C000 
Microsoft Corporation 76 C:\WINDOWS\system32\msi.dll 0x7C9C0000 0x002BC000 Microsoft Corporation 77 C:\WINDOWS\system32\LINKINFO.dll 0x76950000 0x00008000 Microsoft Corporation 78 C:\WINDOWS\system32\ntshrui.dll 0x76960000 0x00024000 Microsoft Corporation 79 C:\WINDOWS\system32\urlmon.dll 0x7EAE0000 0x000A1000 Microsoft Corporation 80 C:\WINDOWS\system32\NETSHELL.dll 0x7DE40000 0x00199000 Microsoft Corporation 81 C:\WINDOWS\system32\credui.dll 0x76BD0000 0x0002D000 Microsoft Corporation 82 C:\WINDOWS\system32\dot3api.dll 0x42E00000 0x0000A000 Microsoft Corporation 83 C:\WINDOWS\system32\dot3dlg.dll 0x4A5C0000 0x00006000 Microsoft Corporation 84 C:\WINDOWS\system32\OneX.DLL 0x5A990000 0x00028000 Microsoft Corporation 85 C:\WINDOWS\system32\WTSAPI32.dll 0x76F20000 0x00008000 Microsoft Corporation 86 C:\WINDOWS\system32\WINSTA.dll 0x762D0000 0x00010000 Microsoft Corporation 87 C:\WINDOWS\system32\eappcfg.dll 0x4A820000 0x00022000 Microsoft Corporation 88 C:\WINDOWS\system32\MSVCP60.dll 0x75FF0000 0x00065000 Microsoft Corporation 89 C:\WINDOWS\system32\eappprxy.dll 0x582E0000 0x0000E000 Microsoft Corporation 90 C:\WINDOWS\system32\webcheck.dll 0x74A90000 0x00044000 Microsoft Corporation 91 C:\WINDOWS\system32\WSOCK32.dll 0x71A40000 0x0000B000 Microsoft Corporation 92 C:\WINDOWS\system32\stobject.dll 0x74A60000 0x00020000 Microsoft Corporation 93 C:\WINDOWS\system32\BatMeter.dll 0x74A50000 0x0000A000 Microsoft Corporation 94 C:\WINDOWS\system32\POWRPROF.dll 0x74A30000 0x00008000 Microsoft Corporation 95 C:\WINDOWS\system32\wdmaud.drv 0x72C90000 0x00009000 Microsoft Corporation 96 C:\WINDOWS\system32\msacm32.drv 0x72C80000 0x00008000 Microsoft Corporation 97 C:\WINDOWS\system32\midimap.dll 0x77BA0000 0x00007000 Microsoft Corporation 98 C:\WINDOWS\system32\rsaenh.dll 0x68000000 0x00036000 Microsoft Corporation 99 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll 0x03310000 0x00071000 Tencent 100 C:\Program 
Files\Tencent\QQPCMgr\11.7.62358.201\QMIpc.dll 0x01540000 0x0002A000 Tencent 101 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll 0x7C420000 0x00087000 Microsoft Corporation 102 C:\WINDOWS\system32\MPR.dll 0x71A90000 0x00012000 Microsoft Corporation 103 C:\WINDOWS\System32\vmhgfs.dll 0x017B0000 0x0000F000 VMware, Inc. 104 C:\WINDOWS\System32\drprov.dll 0x75ED0000 0x00007000 Microsoft Corporation 105 C:\WINDOWS\System32\ntlanman.dll 0x71B90000 0x0000E000 Microsoft Corporation 106 C:\WINDOWS\System32\NETUI0.dll 0x71C50000 0x00015000 Microsoft Corporation 107 C:\WINDOWS\System32\NETUI1.dll 0x71C10000 0x00040000 Microsoft Corporation 108 C:\WINDOWS\System32\NETRAP.dll 0x71C00000 0x00007000 Microsoft Corporation 109 C:\WINDOWS\System32\davclnt.dll 0x75EE0000 0x0000A000 Microsoft Corporation 110 C:\Program Files\Tencent\QQ\ShellExt\QQShellExt.dll 0x595A0000 0x00017000 Tencent 111 C:\WINDOWS\system32\ATL100.DLL 0x78A60000 0x00026000 Microsoft Corporation 112 C:\WINDOWS\system32\MSVCR100.dll 0x78AA0000 0x000BF000 Microsoft Corporation 113 C:\WINDOWS\system32\MSVCP100.dll 0x78050000 0x00069000 Microsoft Corporation 114 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\plugins\FileSmash\QMSoftExt.dll 0x037A0000 0x00054000 Tencent 115 C:\WINDOWS\system32\comdlg32.dll 0x76320000 0x00047000 Microsoft Corporation 116 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMContextUninstall.dll 0x01880000 0x0000F000 Tencent 117 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMContextScan.dll 0x02040000 0x00013000 Tencent 118 C:\Program Files\baidu\BaiduYunGuanjia\YunShellExt.dll 0x02100000 0x00038000 119 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.23084_x-ww_f3f35550\gdiplus.dll 0x4AE90000 0x001AB000 Microsoft Corporation 120 C:\Program Files\WinRAR\rarext.dll 0x03840000 0x00062000 WinRAR 压缩管理软件中文版 121 C:\Program Files\360\360safe\SoftMgr\SoftMgrExt.dll 0x039B0000 0x00040000 360.cn 122 C:\Program 
Files\360\360safe\Utils\shell360ext.dll 0x03A10000 0x00048000 360.cn 123 C:\Program Files\Notepad++\NppShell_06.dll 0x01340000 0x00044000 124 C:\Program Files\7-Zip\7-zip.dll 0x013B0000 0x00011000 Igor Pavlov 125 C:\WINDOWS\system32\SXS.DLL 0x75E00000 0x000AE000 Microsoft Corporation 126 127 开了PAE 128 129 PROCESS 8192fbf8 SessionId: 0 Cid: 01fc Peb: 7ffde000 ParentCid: 07c4 130 DirBase: 02b80280 ObjectTable: e1d1a0e8 HandleCount: 472. 131 Image: explorer.exe 132 133 .process /i 8192fbf8 134 135 kd> r cr3 136 cr3=02b80280 137 138 kd> !dd 02b80280 139 # 2b80280 1cc85801 00000000 1cd06801 00000000 140 # 2b80290 1cd87801 00000000 1cc84801 00000000 141 # 2b802a0 1d7bb801 00000000 1d87c801 00000000 142 # 2b802b0 1d8fd801 00000000 1d87a801 00000000 143 # 2b802c0 1d692801 00000000 1d793801 00000000 144 # 2b802d0 1d554801 00000000 1d751801 00000000 145 # 2b802e0 1dcce801 00000000 1dc4f801 00000000 146 # 2b802f0 1db50801 00000000 1db4d801 00000000 147 148 0x7C920000 149 150 2 9 9 12 151 1 0x1E4 0x120 0 152 153 kd> !dq 0x1cd06000+0x1E4*8 154 #1cd06f20 00000000`1cdf4867 00000000`19226867 155 #1cd06f30 00000000`14b87867 00000000`00000000 156 #1cd06f40 00000000`00000000 00000000`00000000 157 #1cd06f50 00000000`1ccdb867 00000000`1cddc867 158 #1cd06f60 00000000`1510a867 00000000`0d8c6867 159 #1cd06f70 00000000`00046867 00000000`1e90c867 160 #1cd06f80 00000000`00000000 00000000`00000000 161 #1cd06f90 00000000`1cdae867 00000000`1ceaf867 162 163 164 kd> !dq 0x1cdf4000+0x120*8 165 #1cdf4900 80000000`09dcc025 00000000`055e4025 166 #1cdf4910 00000000`055e5025 00000000`055e6025 167 #1cdf4920 00000000`055e7025 00000000`055e8025 168 #1cdf4930 00000000`055e9025 00000000`055ea025 169 #1cdf4940 00000000`055eb025 00000000`055ec025 170 #1cdf4950 00000000`055ed025 00000000`055ee025 171 #1cdf4960 00000000`055ef025 00000000`1d3d1025 172 #1cdf4970 00000000`1d84e025 00000000`055f2025 173 174 175 kd> !db 0x09dcc000 176 # 9dcc000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ.............. 
# 9dcc010 b8 00 00 00 00 00 00 00-40 00 00 00 44 65 74 6f ........@...Deto
# 9dcc020 75 72 73 21 00 00 00 00-00 00 00 00 00 00 00 00 urs!............
# 9dcc030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 9dcc040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 9dcc050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 9dcc060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
# 9dcc070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

kd> db 7C920000
7c920000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
7c920010 b8 00 00 00 00 00 00 00-40 00 00 00 44 65 74 6f ........@...Deto
7c920020 75 72 73 21 00 00 00 00-00 00 00 00 00 00 00 00 urs!............
7c920030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
7c920040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
7c920050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
7c920060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
7c920070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

Look at this location: 0x7C94188B is an address that has already been hooked.
The base address is the same in every process, and it is the same module,
so for each process it is enough to look at the physical address this virtual address maps to, and the data there.

.process /i 8192fbf8

kd> r cr3
cr3=02b80280

kd> !dd 02b80280
# 2b80280 1cc85801 00000000 1cd06801 00000000
# 2b80290 1cd87801 00000000 1cc84801 00000000
# 2b802a0 1d7bb801 00000000 1d87c801 00000000
# 2b802b0 1d8fd801 00000000 1d87a801 00000000
# 2b802c0 1d692801 00000000 1d793801 00000000
# 2b802d0 1d554801 00000000 1d751801 00000000
# 2b802e0 1dcce801 00000000 1dc4f801 00000000
# 2b802f0 1db50801 00000000 1db4d801 00000000

0x7C94188B

2 9 9 12            (PAE split of the virtual address: PDPT index, PD index, PT index, page offset)
1 0x1E4 0x141 0x88B

kd> !dq 0x1cd06000+0x1E4*8
#1cd06f20 00000000`1cdf4867 00000000`19226867
#1cd06f30 00000000`14b87867 00000000`00000000
#1cd06f40 00000000`00000000 00000000`00000000
#1cd06f50 00000000`1ccdb867 00000000`1cddc867
#1cd06f60 00000000`1510a867 00000000`0d8c6867
#1cd06f70 00000000`00046867 00000000`1e90c867
#1cd06f80 00000000`00000000 00000000`00000000
#1cd06f90 00000000`1cdae867 00000000`1ceaf867

kd> !dq 0x1cdf4000+0x141*8
#1cdf4a08 00000000`1d6e0025 00000000`05705025
#1cdf4a18 00000000`05706025 00000000`056c7025
#1cdf4a28 00000000`056c8025 00000000`056c9025
#1cdf4a38 00000000`056ca025 00000000`056cb025
#1cdf4a48 00000000`056cc025 00000000`0568d025
#1cdf4a58 00000000`0568e025 00000000`0568f025
#1cdf4a68 00000000`05650025 00000000`05651025
#1cdf4a78 00000000`05652025 00000000`05653025

kd> !db 1d6e088B
#1d6e088b e9 6e 6a 91 84 cc cc e8-34 d0 fe ff 64 a1 18 00 .nj.....4...d...
#1d6e089b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
#1d6e08ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
#1d6e08bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
#1d6e08cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
#1d6e08db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
#1d6e08eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
#1d6e08fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b e9 6e 6a 91 84 cc cc e8-34 d0 fe ff 64 a1 18 00 .nj.....4...d...
7c94189b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
7c9418ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
7c9418bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
7c9418cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
7c9418db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
7c9418eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
7c9418fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f
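As an added example that is not the post's own code, the PAE walk the kd session above performs (cr3, PDPTE[1], PDE[0x1E4], PTE[0x141]) written out in Python, together with the two checks a defender would want: decoding the E9 jump at the resulting physical address and comparing the physical frame behind one virtual address in two processes, which is what the comparison of the alg/imapi/explorer sessions below comes down to. The explorer values are the ones printed above; the second process's CR3 and table frames are constructed placeholders, since the other sessions' values are not on this page.

```python
# Added example, not code from the original post. Table contents are constructed
# from the values kd printed above; a debugger would read them with !dd / !dq.
FRAME_MASK = 0x000F_FFFF_FFFF_F000   # physical-frame bits of a PAE entry
PRESENT, LARGE_PAGE = 0x1, 0x80

def split_va_pae(va):
    """2 + 9 + 9 + 12 bit split: PDPT index, PD index, PT index, page offset."""
    return (va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF

def walk_pae(cr3, phys, va):
    """Translate va via the PDPT at cr3; phys maps physical qword address -> entry.
    Returns (physical address, leaf entry), or None if a level is not present."""
    pdpt_i, pd_i, pt_i, off = split_va_pae(va)
    pdpte = phys.get(cr3 + pdpt_i * 8, 0)
    if not pdpte & PRESENT:
        return None
    pde = phys.get((pdpte & FRAME_MASK) + pd_i * 8, 0)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:                 # 2 MiB page: no PT level to read
        return (pde & 0xFFFF_FFFF_FFE0_0000) | (va & 0x1F_FFFF), pde
    pte = phys.get((pde & FRAME_MASK) + pt_i * 8, 0)
    if not pte & PRESENT:
        return None
    return (pte & FRAME_MASK) | off, pte

def jmp_rel32_target(at, code):
    """Decode an E9 rel32 jump located at virtual address `at`; None if not one."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (at + 5 + rel) & 0xFFFF_FFFF

def is_private_copy(va, proc_a, proc_b):
    """True when the two (cr3, tables) pairs back `va` with different frames."""
    ra, rb = walk_pae(*proc_a, va), walk_pae(*proc_b, va)
    return ra is not None and rb is not None and (ra[0] >> 12) != (rb[0] >> 12)

HOOK_VA = 0x7C94188B                     # ntdll!RtlCreateProcessParameters
# explorer.exe: cr3, PDPTE[1], PDE[0x1E4] and PTE[0x141] as printed by kd above
CR3_EXPLORER = 0x02B80280
PHYS_EXPLORER = {
    0x02B80280 + 1 * 8:     0x1CD06801,
    0x1CD06000 + 0x1E4 * 8: 0x1CDF4867,
    0x1CDF4000 + 0x141 * 8: 0x1D6E0025,
}
# Second process where the page is still shared: constructed placeholder values
CR3_OTHER = 0x0AAAA000
PHYS_OTHER = {
    0x0AAAA000 + 1 * 8:     0x0BBBB801,
    0x0BBBB000 + 0x1E4 * 8: 0x0CCCC867,
    0x0CCCC000 + 0x141 * 8: 0x05704025,
}
HOOK_BYTES = bytes.fromhex("e96e6a9184cccc")   # head of the !db 1d6e088B dump

if __name__ == "__main__":
    pa, pte = walk_pae(CR3_EXPLORER, PHYS_EXPLORER, HOOK_VA)
    print(hex(pa), hex(pte), hex(jmp_rel32_target(HOOK_VA, HOOK_BYTES)))
    print(is_private_copy(HOOK_VA, (CR3_EXPLORER, PHYS_EXPLORER), (CR3_OTHER, PHYS_OTHER)))
```

The decoded jump target is 0x012582FE, the same target PC Hunter lists for the RtlCreateProcessParameters inline hook below, and the frame comparison returns True because explorer's PTE points at frame 0x1D6E0 while the placeholder process still points at the shared frame.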
All hook points, kept for reference
[PC Hunter Standard][explorer.exe-->Ring3 Hook]: 115
Hooked object  Hook location  Hook type  Current value at hook  Original value at hook
Explorer.EXE->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
len(10) ntdll.dll->KiUserCallbackDispatcher 0x7C92E460->0x70288AC0[C:\Program Files\360\360safe\safemon\safemon.dll] inline E9 5B A6 95 F3 CC CC CC CC CC 83 C4 04 5A 64 A1 18 00 00 00
[*]len(5) ntdll.dll->LdrLoadDll 0x7C93632D->0x00BD8CF0[C:\Program Files\360\360safe\safemon\Safehmpg.dll] inline E9 BE 29 2A 84 68 6C 02 00 00
[*]len(5) ntdll.dll->NtOpenKey 0x7C92D5CE->0x0125D890[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 BD 02 93 84 B8 77 00 00 00
[*]len(5) ntdll.dll->NtQueryValueKey 0x7C92D96E->0x0125D1C7[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 54 F8 92 84 B8 B1 00 00 00
[*]len(7) ntdll.dll->RtlCreateProcessParameters 0x7C94188B->0x012582FE[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 6E 6A 91 84 CC CC 6A 2C 68 10 1C 94 7C
[*]len(5) ntdll.dll->ZwOpenKey 0x7C92D5CE->0x0125D890[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 BD 02 93 84 B8 77 00 00 00
[*]len(5) ntdll.dll->ZwQueryValueKey 0x7C92D96E->0x0125D1C7[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 54 F8 92 84 B8 B1 00 00 00
[*]len(5) kernel32.dll->CreateProcessW 0x7C802336->0x00BD8520[C:\Program Files\360\360safe\safemon\Safehmpg.dll] inline E9 E5 61 3D 84 8B FF 55 8B EC
[*]len(5) kernel32.dll->ExitProcess 0x7C81CB12->0x033137DE[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll] inline E9 C7 6C AF 86 8B FF 55 8B EC
[*]exnscan.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]CRYPT32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
ADVAPI32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
RPCRT4.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
Secur32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]MSASN1.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
msvcrt.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]USER32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]len(5) USER32.dll->ShowWindow 0x77D2AF56->0x03318082[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll] inline E9 27 D1 5E 8B B8 2B 12 00 00
[*]GDI32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]WS2_32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
WS2HELP.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
SHELL32.dll->KERNEL32.dll:CreateProcessW 0x7C802336->0x012581B2[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] Iat B2 81 25 01 36 23 80 7C
[*]SHELL32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
len(5) SHELL32.dll->[Ordinal:175] 0x7D5BB218->0x01258073[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 56 CE C9 83 8B FF 55 8B EC
len(5) SHELL32.dll->SHGetSpecialFolderPathW 0x7D5BB218->0x01258073[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 56 CE C9 83 8B FF 55 8B EC
[*]len(5) SHELL32.dll->ShellExecuteExW 0x7D5D995B->0x01258119[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll] inline E9 B9 E7 C7 83 8B FF 55 8B EC
len(4) SHELL32.dll 0x7D5985D8->_ inline B7 7E 25 01 AF 7A 5F 7D
len(8) SHELL32.dll 0x7D59FA58->_ inline E0 A4 BD 00 10 A3 BD 00 65 7D 5E 7D 25 5E 5E 7D
SHLWAPI.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
ole32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
VERSION.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
PSAPI.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]NETAPI32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
iphlpapi.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]BROWSEUI.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]OLEAUT32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]SHDOCVW.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
CRYPTUI.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
WININET.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
WINTRUST.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]IMAGEHLP.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
WLDAP32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]UxTheme.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
WINMM.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
MSACM32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
USERENV.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
IMM32.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]USP10.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
comctl32.dll[WinSxs]->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
comctl32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
safemon.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]Safehmpg.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
len(29) Safehmpg.dll->SafehmpgHelper 0x00BEDF60->_ inline 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 60 9C 68 7D DF BE 00 68 60 DE BE 00 C3 60 9C 50 90 58 74 06 90 75 03 90 66 B8 74 03 75 01 E8 8B 44 24 04 8B 5D 0C 8B C9 90 90
360verify.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
mswsock.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
DNSAPI.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]qmiesafedll.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
CLBCATQ.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
MPRAPI.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]ACTIVEDS.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]adsldpc.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]ATL.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]SETUPAPI.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]msctfime.ime->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]rasadhlp.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
appHelp.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
360UDiskGuard.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]hnetcfg.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
QMGCShellExt.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]MSVCR80.dll[WinSxs]->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
cscui.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
CSCDLL.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
themeui.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
ACTXPRXY.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]msutb.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
MSCTF.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
msi.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]LINKINFO.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
ntshrui.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]urlmon.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
NETSHELL.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
credui.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]WTSAPI32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]eappcfg.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]webcheck.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
stobject.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]BatMeter.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
wdmaud.drv->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]rsaenh.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]TSInjectFrm-11-7-17805-233.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
QMIpc.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
MPR.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
vmhgfs.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
ntlanman.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]NETUI0.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
davclnt.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
QQShellExt.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
ATL100.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
MSVCR100.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]QMSoftExt.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
comdlg32.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]QMContextUninstall.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
QMContextScan.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]YunShellExt.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
gdiplus.dll[WinSxs]->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
rarext.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]SoftMgrExt.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
shell360ext.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
NppShell_06.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
7-zip.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
SXS.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
WZCSAPI.DLL->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
wzcdlg.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
[*]WINHTTP.dll->KERNEL32.dll:GetProcAddress 0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll] Iat 74 77 C3 5C 40 AE 80 7C
In fact, these three documents can be compared: in the first two (alg, imapi) you can clearly see that the page tables did not change, they are identical,
but in the third document, explorer, the page table has already changed.
So my feeling is that this situation is achieved precisely because copy-on-write related techniques are used.
(Actually, I can't be certain that it is exactly this, that it must be copy-on-write, because there are many ways to achieve the current effect, but copy-on-write is the most mature, and it should also be the method used by Windows memory management.)
Time: 2024-10-10 20:04:56