
Could it be "copy-on-write"?

Preface:

#if 0

Actually, what I am about to do here has a premise.
One evening I was discussing a related technical question with a friend
(I don't really understand it well myself and wasn't sure my view was correct, which is why it was a discussion).
We got onto the subject of the Windows mapping mechanism,
and the scenario we modelled was this:
(a simple scenario, on x86, not the more complex x64 case)
There are two processes in the system, A and B. Process A loads a system DLL, and process B loads the same system DLL (ntdll, kernel32, and so on).
What does the memory of that DLL look like in the system at that point: is there one copy of the data in physical memory that is mapped into multiple processes, or are there multiple copies from the start?
We actually had no disagreement on that point; it is basic theory: the DLL has one copy of its data in physical memory, and it is mapped into multiple processes.
The later part is where our disagreement arose:
given there is only one copy, how does the system guarantee that if I hook the DLL in process B, the DLL in process A is unchanged and not hooked?

I don't know how Windows actually implements this; the only reasonable solution I could think of at the time was... copy-on-write...
At the moment the mapping is made the data is unchanged, and as long as it is not modified it does not change; but when the hook is applied and memory is written, it changes:
the system, or the CPU, makes a copy of it and replaces the current page with the copied page. Copy-on-write is how hooking the memory of your own process is achieved while other processes are unaffected.
My colleague had no reasonable solution of his own at the time, yet he said my idea was wrong and had problems.
So we had a disagreement,
and hence today's post.

Actually it isn't much of a post; it is just a pile of debugging output.

#endif

Body:

Computing the memory of the ntdll module in the alg process

[PC Hunter Standard][[alg.exe]进程模块(35)]: 35
模块路径        基地址        大小        文件厂商
C:\WINDOWS\System32\alg.exe        0x01000000        0x0000D000        Microsoft Corporation
C:\WINDOWS\system32\ntdll.dll        0x7C920000        0x00096000        Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll        0x7C800000        0x0011E000        Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll        0x77BE0000        0x00058000        Microsoft Corporation
C:\WINDOWS\System32\ATL.DLL        0x76AF0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\USER32.dll        0x77D10000        0x00090000        Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll        0x77EF0000        0x00049000        Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll        0x77DA0000        0x000A9000        Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll        0x77E50000        0x00093000        Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll        0x77FC0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\ole32.dll        0x76990000        0x0013E000        Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll        0x770F0000        0x0008B000        Microsoft Corporation
C:\WINDOWS\System32\WSOCK32.dll        0x71A40000        0x0000B000        Microsoft Corporation
C:\WINDOWS\System32\WS2_32.dll        0x71A20000        0x00017000        Microsoft Corporation
C:\WINDOWS\System32\WS2HELP.dll        0x71A10000        0x00008000        Microsoft Corporation
C:\WINDOWS\System32\MSWSOCK.DLL        0x719C0000        0x0003E000        Microsoft Corporation
C:\WINDOWS\System32\ShimEng.dll        0x5CC30000        0x00026000        Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL        0x58FB0000        0x001CA000        Microsoft Corporation
C:\WINDOWS\System32\WINMM.dll        0x76B10000        0x0002A000        Microsoft Corporation
C:\WINDOWS\System32\MSACM32.dll        0x77BB0000        0x00015000        Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll        0x77BD0000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll        0x7D590000        0x007F4000        Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll        0x77F40000        0x00076000        Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll        0x759D0000        0x000AF000        Microsoft Corporation
C:\WINDOWS\System32\UxTheme.dll        0x5ADC0000        0x00037000        Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL        0x76300000        0x0001D000        Microsoft Corporation
C:\WINDOWS\System32\LPK.DLL        0x62C20000        0x00009000        Microsoft Corporation
C:\WINDOWS\System32\USP10.dll        0x73FA0000        0x0006B000        Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll        0x77180000        0x00103000        Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll        0x5D170000        0x0009A000        Microsoft Corporation
C:\WINDOWS\System32\CLBCATQ.DLL        0x76FA0000        0x0007F000        Microsoft Corporation
C:\WINDOWS\System32\COMRes.dll        0x77020000        0x0009A000        Microsoft Corporation
C:\WINDOWS\System32\xpsp2res.dll        0x00730000        0x00549000        Microsoft Corporation
C:\WINDOWS\system32\hnetcfg.dll        0x60FD0000        0x00055000        Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll        0x71A00000        0x00008000        Microsoft Corporation

PAE is enabled

PROCESS 8177d020  SessionId: 0  Cid: 0284    Peb: 7ffdb000  ParentCid: 02ec
    DirBase: 02b80180  ObjectTable: e2622c08  HandleCount: 106.
    Image: alg.exe

.process /i 8177d020

kd> r cr3
cr3=02b80180

kd> !dd 02b80180
# 2b80180 0cc7f801 00000000 0e580801 00000000
# 2b80190 0de41801 00000000 0dd7e801 00000000
# 2b801a0 f8c63220 00000000 08e54801 00000000
# 2b801b0 08e56801 00000000 08e53801 00000000
# 2b801c0 1ad6e801 00000000 1ad6f801 00000000
# 2b801d0 1ad70801 00000000 1ad6d801 00000000
# 2b801e0 1aebc801 00000000 1af3d801 00000000
# 2b801f0 1af3e801 00000000 1aefb801 00000000

7C920000, split as PDPT index / PD index / PT index / page offset:
bits     2    9        9        12
value    1    0x1E4    0x120    0

kd> !dq 0x0e580000+0x1E4*8
# e580f20 00000000`0ea1a867 00000000`00000000
# e580f30 00000000`00000000 00000000`00000000
# e580f40 00000000`00000000 00000000`00000000
# e580f50 00000000`0eeb2867 00000000`0eeb3867
# e580f60 00000000`1031b867 00000000`0eb5b867
# e580f70 00000000`0e515867 00000000`00000000
# e580f80 00000000`00000000 00000000`00000000
# e580f90 00000000`00000000 00000000`00000000

kd> !dq 0x0ea1a000+0x120*8
# ea1a900 80000000`03e0f025 00000000`055e4025
# ea1a910 00000000`055e5025 00000000`055e6025
# ea1a920 00000000`055e7025 00000000`055e8025
# ea1a930 00000000`055e9025 00000000`055ea025
# ea1a940 00000000`055eb025 00000000`055ec025
# ea1a950 00000000`055ed025 00000000`055ee025
# ea1a960 00000000`055ef025 00000000`055f0025
# ea1a970 00000000`055f1025 00000000`055f2025

kd> !db 0x03e0f000
# 3e0f000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 3e0f010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 3e0f020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3e0f030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 3e0f040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 3e0f050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 3e0f060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
# 3e0f070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

kd> db 7C920000
7c920000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
7c920010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
7c920020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7c920030  00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00  ................
7c920040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
7c920050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
7c920060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
7c920070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......

Now look at this location, the address that has been hooked:
0x7C94188B
The base addresses are all the same (it is the same module),
so for each process we only need to look at the physical address this address maps to, and the data there.

.process /i 8177d020

kd> r cr3
cr3=02b80180

kd> !dd 02b80180
# 2b80180 0cc7f801 00000000 0e580801 00000000
# 2b80190 0de41801 00000000 0dd7e801 00000000
# 2b801a0 f8c63220 00000000 08e54801 00000000
# 2b801b0 08e56801 00000000 08e53801 00000000
# 2b801c0 1ad6e801 00000000 1ad6f801 00000000
# 2b801d0 1ad70801 00000000 1ad6d801 00000000
# 2b801e0 1aebc801 00000000 1af3d801 00000000
# 2b801f0 1af3e801 00000000 1aefb801 00000000

0x7C94188B, split as PDPT index / PD index / PT index / page offset:
bits     2    9        9        12
value    1    0x1E4    0x141    0x88B

kd> !dq 0x0e580000+0x1E4*8
# e580f20 00000000`0ea1a867 00000000`00000000
# e580f30 00000000`00000000 00000000`00000000
# e580f40 00000000`00000000 00000000`00000000
# e580f50 00000000`0eeb2867 00000000`0eeb3867
# e580f60 00000000`1031b867 00000000`0eb5b867
# e580f70 00000000`0e515867 00000000`00000000
# e580f80 00000000`00000000 00000000`00000000
# e580f90 00000000`00000000 00000000`00000000

kd> !dq 0x0ea1a000+0x141*8
# ea1aa08 00000000`05704025 00000000`05705025
# ea1aa18 00000000`05706025 00000000`056c7025
# ea1aa28 00000000`056c8025 00000000`056c9025
# ea1aa38 00000000`056ca025 00000000`056cb025
# ea1aa48 00000000`056cc025 00000000`0568d025
# ea1aa58 00000000`0568e025 00000000`0568f025
# ea1aa68 00000000`05650025 00000000`05651025
# ea1aa78 00000000`05652025 00000000`05653025

kd> !db 0570488B
# 570488b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
# 570489b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
# 57048ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
# 57048bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
# 57048cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
# 57048db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
# 57048eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
# 57048fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b  6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00  j,h...|.4...d...
7c94189b  00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89  ...p0.u..e...3..
7c9418ab  5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3  ]..]..]..]..E.;.
7c9418bb  0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39  ......3.f...M.f9
7c9418cb  48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04  H.......f;.t.9X.
7c9418db  0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01  .......M.;.t.f..
7c9418eb  66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39  f9A.......f;.t.9
7c9418fb  59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66  Y........M.;.t.f


Computing the memory of the ntdll module in the imapi process

[PC Hunter Standard][[imapi.exe]进程模块(35)]: 35
模块路径        基地址        大小        文件厂商
C:\WINDOWS\system32\imapi.exe        0x01000000        0x00029000        Microsoft Corporation
C:\WINDOWS\system32\ntdll.dll        0x7C920000        0x00096000        Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll        0x7C800000        0x0011E000        Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll        0x77DA0000        0x000A9000        Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll        0x77E50000        0x00093000        Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll        0x77FC0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\USER32.dll        0x77D10000        0x00090000        Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll        0x77EF0000        0x00049000        Microsoft Corporation
C:\WINDOWS\system32\ole32.dll        0x76990000        0x0013E000        Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll        0x77BE0000        0x00058000        Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll        0x770F0000        0x0008B000        Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll        0x76060000        0x00156000        Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll        0x5CC30000        0x00026000        Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL        0x58FB0000        0x001CA000        Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll        0x76B10000        0x0002A000        Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll        0x77BB0000        0x00015000        Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll        0x77BD0000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll        0x7D590000        0x007F4000        Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll        0x77F40000        0x00076000        Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll        0x759D0000        0x000AF000        Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll        0x5ADC0000        0x00037000        Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL        0x76300000        0x0001D000        Microsoft Corporation
C:\WINDOWS\system32\LPK.DLL        0x62C20000        0x00009000        Microsoft Corporation
C:\WINDOWS\system32\USP10.dll        0x73FA0000        0x0006B000        Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll        0x77180000        0x00103000        Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll        0x5D170000        0x0009A000        Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll        0x00830000        0x00549000        Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL        0x76FA0000        0x0007F000        Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll        0x77020000        0x0009A000        Microsoft Corporation
C:\WINDOWS\system32\ACTXPRXY.DLL        0x71CC0000        0x0001B000        Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll        0x68000000        0x00036000        Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll        0x76C00000        0x0002E000        Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll        0x765E0000        0x00095000        Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll        0x76DB0000        0x00012000        Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll        0x76C60000        0x00029000        Microsoft Corporation

PAE is enabled

PROCESS 817714b8  SessionId: 0  Cid: 0e38    Peb: 7ffdd000  ParentCid: 02ec
    DirBase: 02b803c0  ObjectTable: e1936438  HandleCount: 118.
    Image: imapi.exe

.process /i 817714b8

kd> r cr3
cr3=02b803c0

kd> !dd 02b803c0
# 2b803c0 087c7801 00000000 1a663801 00000000
# 2b803d0 06e4a801 00000000 08c02801 00000000
# 2b803e0 f8c63300 00000000 130dc801 00000000
# 2b803f0 06e9d801 00000000 12bda801 00000000
# 2b80400 0b8ef801 00000000 07a70801 00000000
# 2b80410 0b931801 00000000 06e6e801 00000000
# 2b80420 0ddc5801 00000000 18886801 00000000
# 2b80430 11547801 00000000 12004801 00000000

7C920000, split as PDPT index / PD index / PT index / page offset:
bits     2    9        9        12
value    1    0x1E4    0x120    0

kd> !dq 0x1a663000+0x1E4*8
#1a663f20 00000000`08bcb867 00000000`00000000
#1a663f30 00000000`00000000 00000000`00000000
#1a663f40 00000000`00000000 00000000`00000000
#1a663f50 00000000`08ea6867 00000000`04c51867
#1a663f60 00000000`0b68a867 00000000`13fa7867
#1a663f70 00000000`09712867 00000000`00000000
#1a663f80 00000000`00000000 00000000`00000000
#1a663f90 00000000`00000000 00000000`00000000

kd> !dq 0x08bcb000+0x120*8
# 8bcb900 80000000`03e0f025 00000000`055e4025
# 8bcb910 00000000`055e5025 00000000`055e6025
# 8bcb920 00000000`055e7025 00000000`055e8025
# 8bcb930 00000000`055e9025 00000000`055ea025
# 8bcb940 00000000`055eb025 00000000`055ec025
# 8bcb950 00000000`055ed025 00000000`055ee025
# 8bcb960 00000000`055ef025 00000000`055f0025
# 8bcb970 00000000`055f1025 00000000`055f2025

kd> !db 0x03e0f000
# 3e0f000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 3e0f010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 3e0f020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3e0f030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 3e0f040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 3e0f050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 3e0f060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
# 3e0f070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

kd> db 7C920000
7c920000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
7c920010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
7c920020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7c920030  00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00  ................
7c920040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
7c920050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
7c920060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
7c920070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......

Now look at this location, the address that has been hooked:
0x7C94188B
The base addresses are all the same (it is the same module),
so for each process we only need to look at the physical address this address maps to, and the data there.

.process /i 817714b8

kd> r cr3
cr3=02b803c0

kd> !dd 02b803c0
# 2b803c0 087c7801 00000000 1a663801 00000000
# 2b803d0 06e4a801 00000000 08c02801 00000000
# 2b803e0 f8c63300 00000000 130dc801 00000000
# 2b803f0 06e9d801 00000000 12bda801 00000000
# 2b80400 0b8ef801 00000000 07a70801 00000000
# 2b80410 0b931801 00000000 06e6e801 00000000
# 2b80420 0ddc5801 00000000 18886801 00000000
# 2b80430 11547801 00000000 12004801 00000000

0x7C94188B, split as PDPT index / PD index / PT index / page offset:
bits     2    9        9        12
value    1    0x1E4    0x141    0x88B

kd> !dq 0x1a663000+0x1E4*8
#1a663f20 00000000`08bcb867 00000000`00000000
#1a663f30 00000000`00000000 00000000`00000000
#1a663f40 00000000`00000000 00000000`00000000
#1a663f50 00000000`08ea6867 00000000`04c51867
#1a663f60 00000000`0b68a867 00000000`13fa7867
#1a663f70 00000000`09712867 00000000`00000000
#1a663f80 00000000`00000000 00000000`00000000
#1a663f90 00000000`00000000 00000000`00000000

kd> !dq 0x08bcb000+0x141*8
# 8bcba08 00000000`05704025 00000000`05705025
# 8bcba18 00000000`05706025 00000000`056c7025
# 8bcba28 00000000`056c8025 00000000`056c9025
# 8bcba38 00000000`056ca025 00000000`056cb025
# 8bcba48 00000000`056cc025 00000000`0568d025
# 8bcba58 00000000`0568e025 00000000`0568f025
# 8bcba68 00000000`05650025 00000000`05651025
# 8bcba78 00000000`05652025 00000000`05653025

kd> !db 0570488B
# 570488b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
# 570489b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
# 57048ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
# 57048bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
# 57048cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
# 57048db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
# 57048eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
# 57048fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b  6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00  j,h...|.4...d...
7c94189b  00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89  ...p0.u..e...3..
7c9418ab  5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3  ]..]..]..]..E.;.
7c9418bb  0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39  ......3.f...M.f9
7c9418cb  48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04  H.......f;.t.9X.
7c9418db  0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01  .......M.;.t.f..
7c9418eb  66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39  f9A.......f;.t.9
7c9418fb  59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66  Y........M.;.t.f


The first two processes are normal processes.

What is computed here is the explorer process. This process has been worked over: it has many internal hook points.

One point is computed here:

ntdll.dll->RtlCreateProcessParameters

The hook point of this function is at 0x7C94188B.

The three computations above also covered this hook point.

[PC Hunter Standard][[explorer.exe]进程模块(123)]: 123
模块路径        基地址        大小        文件厂商
C:\WINDOWS\Explorer.EXE        0x01000000        0x000F1000        Microsoft Corporation
C:\WINDOWS\system32\ntdll.dll        0x7C920000        0x00096000        Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll        0x7C800000        0x0011E000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\exnscan.dll        0x10000000        0x00075000        Tencent
C:\WINDOWS\system32\CRYPT32.dll        0x765E0000        0x00095000        Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll        0x77DA0000        0x000A9000        Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll        0x77E50000        0x00093000        Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll        0x77FC0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll        0x76DB0000        0x00012000        Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll        0x77BE0000        0x00058000        Microsoft Corporation
C:\WINDOWS\system32\USER32.dll        0x77D10000        0x00090000        Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll        0x77EF0000        0x00049000        Microsoft Corporation
C:\WINDOWS\system32\WS2_32.dll        0x71A20000        0x00017000        Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll        0x71A10000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll        0x7D590000        0x007F4000        Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll        0x77F40000        0x00076000        Microsoft Corporation
C:\WINDOWS\system32\ole32.dll        0x76990000        0x0013E000        Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll        0x77BD0000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\PSAPI.DLL        0x76BC0000        0x0000B000        Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll        0x5FDD0000        0x00055000        Microsoft Corporation
C:\WINDOWS\system32\iphlpapi.dll        0x76D30000        0x00018000        Microsoft Corporation
C:\WINDOWS\system32\BROWSEUI.dll        0x75EF0000        0x000FD000        Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll        0x770F0000        0x0008B000        Microsoft Corporation
C:\WINDOWS\system32\SHDOCVW.dll        0x7E550000        0x00173000        Microsoft Corporation
C:\WINDOWS\system32\CRYPTUI.dll        0x75430000        0x00071000        Microsoft Corporation
C:\WINDOWS\system32\WININET.dll        0x76680000        0x000A6000        Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll        0x76C00000        0x0002E000        Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll        0x76C60000        0x00029000        Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll        0x76F30000        0x0002C000        Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll        0x5ADC0000        0x00037000        Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll        0x5CC30000        0x00026000        Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL        0x58FB0000        0x001CA000        Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll        0x76B10000        0x0002A000        Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll        0x77BB0000        0x00015000        Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll        0x759D0000        0x000AF000        Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL        0x76300000        0x0001D000        Microsoft Corporation
C:\WINDOWS\system32\LPK.DLL        0x62C20000        0x00009000        Microsoft Corporation
C:\WINDOWS\system32\USP10.dll        0x73FA0000        0x0006B000        Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll        0x77180000        0x00103000        Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll        0x5D170000        0x0009A000        Microsoft Corporation
C:\Program Files\360\360safe\safemon\SafeWrapper32.dll        0x70000000        0x00005000        360.cn
C:\Program Files\360\360safe\safemon\safemon.dll        0x70200000        0x0024C000        360.cn
C:\Program Files\360\360safe\safemon\Safehmpg.dll        0x00BC0000        0x0009B000
C:\Program Files\360\360safe\360verify.dll        0x00D70000        0x0001C000
C:\WINDOWS\System32\mswsock.dll        0x719C0000        0x0003E000        Microsoft Corporation
C:\WINDOWS\system32\DNSAPI.dll        0x76EF0000        0x00027000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll        0x01250000        0x00040000        Tencent
C:\WINDOWS\system32\CLBCATQ.DLL        0x76FA0000        0x0007F000        Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll        0x77020000        0x0009A000        Microsoft Corporation
C:\WINDOWS\System32\winrnr.dll        0x76F80000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\MPRAPI.dll        0x76D10000        0x00018000        Microsoft Corporation
C:\WINDOWS\system32\ACTIVEDS.dll        0x77C90000        0x00032000        Microsoft Corporation
C:\WINDOWS\system32\adsldpc.dll        0x76DE0000        0x00025000        Microsoft Corporation
C:\WINDOWS\system32\ATL.DLL        0x76AF0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\rtutils.dll        0x76E50000        0x0000E000        Microsoft Corporation
C:\WINDOWS\system32\SAMLIB.dll        0x71B70000        0x00013000        Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll        0x76060000        0x00156000        Microsoft Corporation
C:\WINDOWS\system32\msctfime.ime        0x73640000        0x0002E000        Microsoft Corporation
C:\WINDOWS\system32\rasadhlp.dll        0x76F90000        0x00006000        Microsoft Corporation
C:\WINDOWS\system32\appHelp.dll        0x76D70000        0x00022000        Microsoft Corporation
C:\Program Files\360\360safe\safemon\360UDiskGuard.dll        0x01930000        0x00034000        360.cn
C:\WINDOWS\system32\hnetcfg.dll        0x60FD0000        0x00055000        Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll        0x71A00000        0x00008000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMGCShellExt.dll        0x019B0000        0x00071000        Tencent
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll        0x78130000        0x0009B000        Microsoft Corporation
C:\WINDOWS\System32\cscui.dll        0x76590000        0x0004E000        Microsoft Corporation
C:\WINDOWS\System32\CSCDLL.dll        0x76570000        0x0001C000        Microsoft Corporation
C:\WINDOWS\system32\themeui.dll        0x5B680000        0x0006E000        Microsoft Corporation
C:\WINDOWS\system32\MSIMG32.dll        0x762F0000        0x00005000        Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll        0x01AF0000        0x00549000        Microsoft Corporation
C:\WINDOWS\system32\ACTXPRXY.DLL        0x71CC0000        0x0001B000        Microsoft Corporation
C:\WINDOWS\system32\msutb.dll        0x5FE40000        0x00031000        Microsoft Corporation
C:\WINDOWS\system32\MSCTF.dll        0x74680000        0x0004C000        Microsoft Corporation
C:\WINDOWS\system32\msi.dll        0x7C9C0000        0x002BC000        Microsoft Corporation
C:\WINDOWS\system32\LINKINFO.dll        0x76950000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\ntshrui.dll        0x76960000        0x00024000        Microsoft Corporation
C:\WINDOWS\system32\urlmon.dll        0x7EAE0000        0x000A1000        Microsoft Corporation
C:\WINDOWS\system32\NETSHELL.dll        0x7DE40000        0x00199000        Microsoft Corporation
C:\WINDOWS\system32\credui.dll        0x76BD0000        0x0002D000        Microsoft Corporation
C:\WINDOWS\system32\dot3api.dll        0x42E00000        0x0000A000        Microsoft Corporation
C:\WINDOWS\system32\dot3dlg.dll        0x4A5C0000        0x00006000        Microsoft Corporation
C:\WINDOWS\system32\OneX.DLL        0x5A990000        0x00028000        Microsoft Corporation
C:\WINDOWS\system32\WTSAPI32.dll        0x76F20000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\WINSTA.dll        0x762D0000        0x00010000        Microsoft Corporation
C:\WINDOWS\system32\eappcfg.dll        0x4A820000        0x00022000        Microsoft Corporation
C:\WINDOWS\system32\MSVCP60.dll        0x75FF0000        0x00065000        Microsoft Corporation
C:\WINDOWS\system32\eappprxy.dll        0x582E0000        0x0000E000        Microsoft Corporation
C:\WINDOWS\system32\webcheck.dll        0x74A90000        0x00044000        Microsoft Corporation
C:\WINDOWS\system32\WSOCK32.dll        0x71A40000        0x0000B000        Microsoft Corporation
C:\WINDOWS\system32\stobject.dll        0x74A60000        0x00020000        Microsoft Corporation
C:\WINDOWS\system32\BatMeter.dll        0x74A50000        0x0000A000        Microsoft Corporation
C:\WINDOWS\system32\POWRPROF.dll        0x74A30000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\wdmaud.drv        0x72C90000        0x00009000        Microsoft Corporation
C:\WINDOWS\system32\msacm32.drv        0x72C80000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\midimap.dll        0x77BA0000        0x00007000        Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll        0x68000000        0x00036000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll        0x03310000        0x00071000        Tencent
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMIpc.dll        0x01540000        0x0002A000        Tencent
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll        0x7C420000        0x00087000        Microsoft Corporation
C:\WINDOWS\system32\MPR.dll        0x71A90000        0x00012000        Microsoft Corporation
C:\WINDOWS\System32\vmhgfs.dll        0x017B0000        0x0000F000        VMware, Inc.
C:\WINDOWS\System32\drprov.dll        0x75ED0000        0x00007000        Microsoft Corporation
C:\WINDOWS\System32\ntlanman.dll        0x71B90000        0x0000E000        Microsoft Corporation
C:\WINDOWS\System32\NETUI0.dll        0x71C50000        0x00015000        Microsoft Corporation
C:\WINDOWS\System32\NETUI1.dll        0x71C10000        0x00040000        Microsoft Corporation
C:\WINDOWS\System32\NETRAP.dll        0x71C00000        0x00007000        Microsoft Corporation
C:\WINDOWS\System32\davclnt.dll        0x75EE0000        0x0000A000        Microsoft Corporation
C:\Program Files\Tencent\QQ\ShellExt\QQShellExt.dll        0x595A0000        0x00017000        Tencent
C:\WINDOWS\system32\ATL100.DLL        0x78A60000        0x00026000        Microsoft Corporation
C:\WINDOWS\system32\MSVCR100.dll        0x78AA0000        0x000BF000        Microsoft Corporation
C:\WINDOWS\system32\MSVCP100.dll        0x78050000        0x00069000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\plugins\FileSmash\QMSoftExt.dll        0x037A0000        0x00054000        Tencent
C:\WINDOWS\system32\comdlg32.dll        0x76320000        0x00047000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMContextUninstall.dll        0x01880000        0x0000F000        Tencent
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMContextScan.dll        0x02040000        0x00013000        Tencent
C:\Program Files\baidu\BaiduYunGuanjia\YunShellExt.dll        0x02100000        0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.23084_x-ww_f3f35550\gdiplus.dll        0x4AE90000        0x001AB000        Microsoft Corporation
C:\Program Files\WinRAR\rarext.dll        0x03840000        0x00062000        WinRAR 压缩管理软件中文版
C:\Program Files\360\360safe\SoftMgr\SoftMgrExt.dll        0x039B0000        0x00040000        360.cn
C:\Program Files\360\360safe\Utils\shell360ext.dll        0x03A10000        0x00048000        360.cn
C:\Program Files\Notepad++\NppShell_06.dll        0x01340000        0x00044000
C:\Program Files\7-Zip\7-zip.dll        0x013B0000        0x00011000        Igor Pavlov
C:\WINDOWS\system32\SXS.DLL        0x75E00000        0x000AE000        Microsoft Corporation

PAE is enabled

PROCESS 8192fbf8  SessionId: 0  Cid: 01fc    Peb: 7ffde000  ParentCid: 07c4
    DirBase: 02b80280  ObjectTable: e1d1a0e8  HandleCount: 472.
    Image: explorer.exe

.process /i 8192fbf8

kd> r cr3
cr3=02b80280

kd> !dd 02b80280
# 2b80280 1cc85801 00000000 1cd06801 00000000
# 2b80290 1cd87801 00000000 1cc84801 00000000
# 2b802a0 1d7bb801 00000000 1d87c801 00000000
# 2b802b0 1d8fd801 00000000 1d87a801 00000000
# 2b802c0 1d692801 00000000 1d793801 00000000
# 2b802d0 1d554801 00000000 1d751801 00000000
# 2b802e0 1dcce801 00000000 1dc4f801 00000000
# 2b802f0 1db50801 00000000 1db4d801 00000000

0x7C920000, split as PDPT index / PD index / PT index / page offset:
bits     2    9        9        12
value    1    0x1E4    0x120    0

kd> !dq 0x1cd06000+0x1E4*8
#1cd06f20 00000000`1cdf4867 00000000`19226867
#1cd06f30 00000000`14b87867 00000000`00000000
#1cd06f40 00000000`00000000 00000000`00000000
#1cd06f50 00000000`1ccdb867 00000000`1cddc867
#1cd06f60 00000000`1510a867 00000000`0d8c6867
#1cd06f70 00000000`00046867 00000000`1e90c867
#1cd06f80 00000000`00000000 00000000`00000000
#1cd06f90 00000000`1cdae867 00000000`1ceaf867

kd> !dq 0x1cdf4000+0x120*8
#1cdf4900 80000000`09dcc025 00000000`055e4025
#1cdf4910 00000000`055e5025 00000000`055e6025
#1cdf4920 00000000`055e7025 00000000`055e8025
#1cdf4930 00000000`055e9025 00000000`055ea025
#1cdf4940 00000000`055eb025 00000000`055ec025
#1cdf4950 00000000`055ed025 00000000`055ee025
#1cdf4960 00000000`055ef025 00000000`1d3d1025
#1cdf4970 00000000`1d84e025 00000000`055f2025

kd> !db 0x09dcc000
# 9dcc000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 9dcc010 b8 00 00 00 00 00 00 00-40 00 00 00 44 65 74 6f ........@...Deto
# 9dcc020 75 72 73 21 00 00 00 00-00 00 00 00 00 00 00 00 urs!............
# 9dcc030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 9dcc040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 9dcc050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 9dcc060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
# 9dcc070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......

kd> db 7C920000
7c920000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
7c920010  b8 00 00 00 00 00 00 00-40 00 00 00 44 65 74 6f  ........@...Deto
7c920020  75 72 73 21 00 00 00 00-00 00 00 00 00 00 00 00  urs!............
7c920030  00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00  ................
7c920040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
7c920050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
7c920060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
7c920070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......

Now look at this location, the address that has been hooked:
0x7C94188B
The base addresses are all the same (it is the same module),
so for each process we only need to look at the physical address this address maps to, and the data there.

.process /i 8192fbf8

kd> r cr3
cr3=02b80280

kd> !dd 02b80280
# 2b80280 1cc85801 00000000 1cd06801 00000000
# 2b80290 1cd87801 00000000 1cc84801 00000000
# 2b802a0 1d7bb801 00000000 1d87c801 00000000
# 2b802b0 1d8fd801 00000000 1d87a801 00000000
# 2b802c0 1d692801 00000000 1d793801 00000000
# 2b802d0 1d554801 00000000 1d751801 00000000
# 2b802e0 1dcce801 00000000 1dc4f801 00000000
# 2b802f0 1db50801 00000000 1db4d801 00000000

0x7C94188B, split as PDPT index / PD index / PT index / page offset:
bits     2    9        9        12
value    1    0x1E4    0x141    0x88B

kd> !dq 0x1cd06000+0x1E4*8
#1cd06f20 00000000`1cdf4867 00000000`19226867
#1cd06f30 00000000`14b87867 00000000`00000000
#1cd06f40 00000000`00000000 00000000`00000000
#1cd06f50 00000000`1ccdb867 00000000`1cddc867
#1cd06f60 00000000`1510a867 00000000`0d8c6867
#1cd06f70 00000000`00046867 00000000`1e90c867
#1cd06f80 00000000`00000000 00000000`00000000
#1cd06f90 00000000`1cdae867 00000000`1ceaf867

kd> !dq 0x1cdf4000+0x141*8
#1cdf4a08 00000000`1d6e0025 00000000`05705025
#1cdf4a18 00000000`05706025 00000000`056c7025
#1cdf4a28 00000000`056c8025 00000000`056c9025
#1cdf4a38 00000000`056ca025 00000000`056cb025
#1cdf4a48 00000000`056cc025 00000000`0568d025
#1cdf4a58 00000000`0568e025 00000000`0568f025
#1cdf4a68 00000000`05650025 00000000`05651025
#1cdf4a78 00000000`05652025 00000000`05653025

kd> !db 1d6e088B
#1d6e088b e9 6e 6a 91 84 cc cc e8-34 d0 fe ff 64 a1 18 00 .nj.....4...d...
#1d6e089b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
#1d6e08ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
#1d6e08bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
#1d6e08cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
#1d6e08db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
#1d6e08eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
#1d6e08fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 
Y........M.;.t.f254 255 kd> db 0x7C94188B256 7c94188b  e9 6e 6a 91 84 cc cc e8-34 d0 fe ff 64 a1 18 00  .nj.....4...d...257 7c94189b  00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89  ...p0.u..e...3..258 7c9418ab  5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3  ]..]..]..]..E.;.259 7c9418bb  0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39  ......3.f...M.f9260 7c9418cb  48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04  H.......f;.t.9X.261 7c9418db  0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01  .......M.;.t.f..262 7c9418eb  66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39  f9A.......f;.t.9263 7c9418fb  59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66  Y........M.;.t.f
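To make the 2/9/9/12 split and the three table lookups above reproducible, here is the same walk in C. This is an added example, not code from the original post or from PC Hunter. Its "physical memory" is a constructed table holding only the qwords the kd output shows for explorer.exe (CR3 02b80280); every other physical address is treated as unreadable. Run it and it lands on 09dcc000 for 0x7C920000 and 1d6e088b for 0x7C94188B, exactly where the `!db` commands read. It also decodes the leaf bits: both PTEs end in 0x025 (present, user, read-only), and the header page additionally has bit 63 set (the 80000000` prefix), which under PAE is the execute-disable bit; the code page lacks it.

```c
/* pae_walk.c: replay the kd page-table walk in code.
 * x86 PAE splits a 32-bit virtual address 2 | 9 | 9 | 12 and uses 8-byte
 * entries at every level. Build: gcc -std=c99 -Wall -o pae_walk pae_walk.c */
#include <stdint.h>
#include <stdio.h>

#define PAE_PDPT_INDEX(va) (((uint32_t)(va) >> 30) & 0x3)
#define PAE_PD_INDEX(va)   (((uint32_t)(va) >> 21) & 0x1FF)
#define PAE_PT_INDEX(va)   (((uint32_t)(va) >> 12) & 0x1FF)
#define PAGE_OFFSET(va)    ((uint32_t)(va) & 0xFFF)

/* Hardware bits of a PAE PDE/PTE. Windows keeps software bits in 9..11
 * (the 0x800 visible in the PDEs above); the CPU ignores those. */
#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITE    (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PTE_DIRTY    (1ULL << 6)
#define PTE_LARGE    (1ULL << 7)   /* in a PDE: 2 MiB page, no PT level */
#define PTE_NX       (1ULL << 63)  /* execute-disable (PAE with EFER.NXE) */
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

/* Constructed from the kd output on this page (CR3 = 02b80280). */
struct phys_slot { uint64_t pa; uint64_t value; };
static const struct phys_slot g_phys[] = {
    /* PDPT: !dd 02b80280 (four entries) */
    { 0x02b80280, 0x1cc85801 }, { 0x02b80288, 0x1cd06801 },
    { 0x02b80290, 0x1cd87801 }, { 0x02b80298, 0x1cc84801 },
    /* PDE 0x1E4 of the page directory at 1cd06000 */
    { 0x1cd06000 + 0x1E4 * 8, 0x1cdf4867 },
    /* PTEs 0x120 and 0x141 of the page table at 1cdf4000 */
    { 0x1cdf4000 + 0x120 * 8, 0x8000000009dcc025ULL },   /* ntdll header page */
    { 0x1cdf4000 + 0x141 * 8, 0x000000001d6e0025ULL },   /* hooked code page */
};

static int read_phys_qword(uint64_t pa, uint64_t *out) {
    for (size_t i = 0; i < sizeof g_phys / sizeof g_phys[0]; i++)
        if (g_phys[i].pa == pa) { *out = g_phys[i].value; return 1; }
    return 0;  /* not part of the sample memory */
}

/* CR3 -> PDPTE -> PDE -> PTE. Returns 0 and fills *pa and *leaf on success,
 * -1 if a table slot is outside the sample memory, -2 if an entry is not present. */
int pae_translate(uint64_t cr3, uint32_t va, uint64_t *pa, uint64_t *leaf) {
    uint64_t pdpte, pde, pte;
    /* Under PAE, CR3 bits 31:5 hold the 32-byte-aligned PDPT base. */
    if (!read_phys_qword((cr3 & ~0x1FULL) + PAE_PDPT_INDEX(va) * 8, &pdpte)) return -1;
    if (!(pdpte & PTE_PRESENT)) return -2;
    if (!read_phys_qword((pdpte & PTE_PFN_MASK) + PAE_PD_INDEX(va) * 8, &pde)) return -1;
    if (!(pde & PTE_PRESENT)) return -2;
    if (pde & PTE_LARGE) {                       /* large page: PDE is the leaf */
        *leaf = pde;
        *pa = (pde & 0x000FFFFFFFE00000ULL) | (va & 0x1FFFFF);
        return 0;
    }
    if (!read_phys_qword((pde & PTE_PFN_MASK) + PAE_PT_INDEX(va) * 8, &pte)) return -1;
    if (!(pte & PTE_PRESENT)) return -2;
    *leaf = pte;
    *pa = (pte & PTE_PFN_MASK) | PAGE_OFFSET(va);
    return 0;
}

/* Wrappers returning 0 on any failure (0 is never a valid answer here). */
uint64_t pae_va_to_pa(uint64_t cr3, uint32_t va) {
    uint64_t pa, leaf;
    return pae_translate(cr3, va, &pa, &leaf) == 0 ? pa : 0;
}
uint64_t pae_va_to_pte(uint64_t cr3, uint32_t va) {
    uint64_t pa, leaf;
    return pae_translate(cr3, va, &pa, &leaf) == 0 ? leaf : 0;
}

static void show(uint64_t cr3, uint32_t va) {
    uint64_t pa, leaf;
    int rc = pae_translate(cr3, va, &pa, &leaf);
    printf("VA %08x -> PDPT[%u] PD[0x%03x] PT[0x%03x] off 0x%03x: ",
           va, PAE_PDPT_INDEX(va), PAE_PD_INDEX(va), PAE_PT_INDEX(va), PAGE_OFFSET(va));
    if (rc != 0) { printf("walk failed (%d)\n", rc); return; }
    printf("PA %09llx  PTE %016llx  [%s%s%s%s]\n",
           (unsigned long long)pa, (unsigned long long)leaf,
           (leaf & PTE_WRITE) ? "RW" : "RO",
           (leaf & PTE_USER)  ? " user" : " kernel",
           (leaf & PTE_DIRTY) ? " dirty" : "",
           (leaf & PTE_NX)    ? " NX" : "");
}

int main(void) {
    const uint64_t cr3 = 0x02b80280;
    show(cr3, 0x7C920000u);   /* ntdll base: the MZ header page */
    show(cr3, 0x7C94188Bu);   /* hooked RtlCreateProcessParameters */
    return 0;
}
```

Feed `pae_translate` a different process's CR3 and the same two virtual addresses and the comparison the post makes by hand falls out directly: identical frame numbers mean the page is shared, a different frame for one process means that process has its own copy.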

All hook points PC Hunter reports in explorer.exe, kept here for reference:

[PC Hunter Standard][explorer.exe-->Ring3 Hook]: 115
Hooked object    Hook location    Hook type    Current bytes at hook    Original bytes at hook
Explorer.EXE->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
len(10) ntdll.dll->KiUserCallbackDispatcher    0x7C92E460->0x70288AC0[C:\Program Files\360\360safe\safemon\safemon.dll]    inline    E9 5B A6 95 F3 CC CC CC CC CC    83 C4 04 5A 64 A1 18 00 00 00
[*]len(5) ntdll.dll->LdrLoadDll    0x7C93632D->0x00BD8CF0[C:\Program Files\360\360safe\safemon\Safehmpg.dll]    inline    E9 BE 29 2A 84    68 6C 02 00 00
[*]len(5) ntdll.dll->NtOpenKey    0x7C92D5CE->0x0125D890[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 BD 02 93 84    B8 77 00 00 00
[*]len(5) ntdll.dll->NtQueryValueKey    0x7C92D96E->0x0125D1C7[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 54 F8 92 84    B8 B1 00 00 00
[*]len(7) ntdll.dll->RtlCreateProcessParameters    0x7C94188B->0x012582FE[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 6E 6A 91 84 CC CC    6A 2C 68 10 1C 94 7C
[*]len(5) ntdll.dll->ZwOpenKey    0x7C92D5CE->0x0125D890[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 BD 02 93 84    B8 77 00 00 00
[*]len(5) ntdll.dll->ZwQueryValueKey    0x7C92D96E->0x0125D1C7[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 54 F8 92 84    B8 B1 00 00 00
[*]len(5) kernel32.dll->CreateProcessW    0x7C802336->0x00BD8520[C:\Program Files\360\360safe\safemon\Safehmpg.dll]    inline    E9 E5 61 3D 84    8B FF 55 8B EC
[*]len(5) kernel32.dll->ExitProcess    0x7C81CB12->0x033137DE[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll]    inline    E9 C7 6C AF 86    8B FF 55 8B EC
[*]exnscan.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]CRYPT32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
ADVAPI32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
RPCRT4.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
Secur32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]MSASN1.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
msvcrt.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]USER32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]len(5) USER32.dll->ShowWindow    0x77D2AF56->0x03318082[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll]    inline    E9 27 D1 5E 8B    B8 2B 12 00 00
[*]GDI32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]WS2_32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
WS2HELP.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
SHELL32.dll->KERNEL32.dll:CreateProcessW    0x7C802336->0x012581B2[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    Iat    B2 81 25 01    36 23 80 7C
[*]SHELL32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
len(5) SHELL32.dll->[Ordinal:175]    0x7D5BB218->0x01258073[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 56 CE C9 83    8B FF 55 8B EC
len(5) SHELL32.dll->SHGetSpecialFolderPathW    0x7D5BB218->0x01258073[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 56 CE C9 83    8B FF 55 8B EC
[*]len(5) SHELL32.dll->ShellExecuteExW    0x7D5D995B->0x01258119[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]    inline    E9 B9 E7 C7 83    8B FF 55 8B EC
len(4) SHELL32.dll    0x7D5985D8->_    inline    B7 7E 25 01    AF 7A 5F 7D
len(8) SHELL32.dll    0x7D59FA58->_    inline    E0 A4 BD 00 10 A3 BD 00    65 7D 5E 7D 25 5E 5E 7D
SHLWAPI.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
ole32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
VERSION.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
PSAPI.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]NETAPI32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
iphlpapi.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]BROWSEUI.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]OLEAUT32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]SHDOCVW.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
CRYPTUI.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
WININET.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
WINTRUST.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]IMAGEHLP.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
WLDAP32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]UxTheme.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
WINMM.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
MSACM32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
USERENV.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
IMM32.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]USP10.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
comctl32.dll[WinSxs]->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
comctl32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
safemon.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]Safehmpg.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
len(29) Safehmpg.dll->SafehmpgHelper    0x00BEDF60->_    inline    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 60 9C 68 7D DF BE 00 68 60 DE BE 00 C3    60 9C 50 90 58 74 06 90 75 03 90 66 B8 74 03 75 01 E8 8B 44 24 04 8B 5D 0C 8B C9 90 90
360verify.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
mswsock.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
DNSAPI.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]qmiesafedll.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
CLBCATQ.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
MPRAPI.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]ACTIVEDS.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]adsldpc.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]ATL.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]SETUPAPI.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]msctfime.ime->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]rasadhlp.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
appHelp.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
360UDiskGuard.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]hnetcfg.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
QMGCShellExt.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]MSVCR80.dll[WinSxs]->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
cscui.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
CSCDLL.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
themeui.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
ACTXPRXY.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]msutb.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
MSCTF.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
msi.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]LINKINFO.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
ntshrui.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]urlmon.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
NETSHELL.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
credui.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]WTSAPI32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]eappcfg.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]webcheck.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
stobject.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]BatMeter.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
wdmaud.drv->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]rsaenh.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]TSInjectFrm-11-7-17805-233.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
QMIpc.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
MPR.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
vmhgfs.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
ntlanman.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]NETUI0.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
davclnt.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
QQShellExt.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
ATL100.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
MSVCR100.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]QMSoftExt.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
comdlg32.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]QMContextUninstall.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
QMContextScan.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]YunShellExt.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
gdiplus.dll[WinSxs]->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
rarext.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]SoftMgrExt.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
shell360ext.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
NppShell_06.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
7-zip.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
SXS.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
WZCSAPI.DLL->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
wzcdlg.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
[*]WINHTTP.dll->KERNEL32.dll:GetProcAddress    0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]    Iat    74 77 C3 5C    40 AE 80 7C
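The table's "hook location" column is derived from the bytes it shows: for an inline hook the scanner decodes the 5-byte E9 rel32 jump now sitting at the function entry, and for an IAT hook it reads the 4-byte pointer in the import slot and asks which module it points into. The C program below redoes that arithmetic for three rows above (RtlCreateProcessParameters, LdrLoadDll and the GetProcAddress IAT slot), using the bytes from the table and the module ranges from the explorer module list. It is an added example, not code from the post or from PC Hunter. The module table is deliberately small; anything outside it (such as qmiesafedll.dll, whose base address is not in this excerpt) is reported as an unknown module, which is exactly the condition a hook scanner flags.

```c
/* hook_check.c: recompute PC Hunter's hook targets from the raw bytes.
 * Build: gcc -std=c99 -Wall -o hook_check hook_check.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct module { const char *name; uint32_t base, size; };

/* Ranges taken from the explorer.exe module list on this page. */
static const struct module g_mods[] = {
    { "ntdll.dll",    0x7C920000, 0x00096000 },
    { "kernel32.dll", 0x7C800000, 0x0011E000 },
    { "ShimEng.dll",  0x5CC30000, 0x00026000 },
};

/* Name of the module containing addr, or NULL if it is in none we know. */
const char *module_for(uint32_t addr) {
    for (size_t i = 0; i < sizeof g_mods / sizeof g_mods[0]; i++)
        if (addr - g_mods[i].base < g_mods[i].size) return g_mods[i].name;
    return NULL;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a 5-byte "E9 rel32" near jump located at `at`. The displacement is
 * relative to the end of the instruction and wraps modulo 2^32, which is why
 * 0x7C941890 + 0x84916A6E yields the small address 0x012582FE.
 * Returns the target, or 0 if the bytes are not such a jump. */
uint32_t decode_jmp_rel32(uint32_t at, const uint8_t *code, size_t len) {
    if (len < 5 || code[0] != 0xE9) return 0;
    return at + 5 + le32(code + 1);
}

/* Inline hook: entry starts with a jmp whose target lies outside the function's
 * own module. Returns the target, or 0 if the entry looks clean. */
uint32_t inline_hook_target(uint32_t func, const uint8_t *code, size_t len) {
    uint32_t target = decode_jmp_rel32(func, code, len);
    if (target == 0) return 0;
    const char *from = module_for(func), *to = module_for(target);
    if (from && to && strcmp(from, to) == 0) return 0;  /* intra-module jmp, e.g. a tail call */
    return target;
}

/* IAT hook: the import slot no longer points into the DLL the import names.
 * Returns the foreign pointer, or 0 if the slot is clean. */
uint32_t iat_hook_target(const uint8_t slot[4], const char *expected_module) {
    uint32_t ptr = le32(slot);
    const char *m = module_for(ptr);
    return (m && strcmp(m, expected_module) == 0) ? 0 : ptr;
}

/* Sample bytes copied from the PC Hunter table above, plus one constructed
 * intra-module jump to exercise the "clean" path. */
static const uint8_t k_rtlcpp_now[]     = { 0xE9, 0x6E, 0x6A, 0x91, 0x84, 0xCC, 0xCC };
static const uint8_t k_rtlcpp_orig[]    = { 0x6A, 0x2C, 0x68, 0x10, 0x1C, 0x94, 0x7C };
static const uint8_t k_ldrloaddll_now[] = { 0xE9, 0xBE, 0x29, 0x2A, 0x84 };
static const uint8_t k_gpa_now[4]       = { 0x74, 0x77, 0xC3, 0x5C };
static const uint8_t k_gpa_orig[4]      = { 0x40, 0xAE, 0x80, 0x7C };
static const uint8_t k_intra_jmp[5]     = { 0xE9, 0x00, 0x00, 0x00, 0x00 };  /* constructed */

static void report(const char *what, uint32_t target) {
    if (target == 0) { printf("%-40s clean\n", what); return; }
    const char *m = module_for(target);
    printf("%-40s -> %08x [%s]\n", what, target, m ? m : "unknown module");
}

int main(void) {
    report("ntdll!RtlCreateProcessParameters (now)",
           inline_hook_target(0x7C94188Bu, k_rtlcpp_now, sizeof k_rtlcpp_now));
    report("ntdll!RtlCreateProcessParameters (orig)",
           inline_hook_target(0x7C94188Bu, k_rtlcpp_orig, sizeof k_rtlcpp_orig));
    report("ntdll!LdrLoadDll (now)",
           inline_hook_target(0x7C93632Du, k_ldrloaddll_now, sizeof k_ldrloaddll_now));
    report("IAT kernel32!GetProcAddress (now)",  iat_hook_target(k_gpa_now,  "kernel32.dll"));
    report("IAT kernel32!GetProcAddress (orig)", iat_hook_target(k_gpa_orig, "kernel32.dll"));
    return 0;
}
```

Note what the mechanics cannot tell you: the GetProcAddress slot redirected into ShimEng.dll (the Windows application-compatibility shim engine, which is why AcGenral.DLL also appears in the module list) and the ntdll prologues redirected into the 360 and Tencent DLLs look identical at the byte level. A scanner decides by checking which module the target lands in and how much that module is trusted, not by the presence of a jump alone.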

The three dumps (alg, imapi, explorer) are meant to be read side by side. In the first two (alg and imapi) the page-table entries for ntdll come out identical: the same virtual page resolves to the same physical frame in both processes, so they are sharing one copy.

In the third, explorer, the entry has changed. The page containing 0x7C94188B resolves through PTE 00000000`1d6e0025 to frame 0x1d6e0, and the bytes at that frame begin with the E9 jump that PC Hunter lists as the inline hook on RtlCreateProcessParameters; the unhooked header page at 0x7C920000 still reads as the ordinary MZ header.

 


So my reading is that this is copy-on-write at work: the hooked page in explorer has been given its own physical frame, while the other processes keep the shared one.

(I cannot be certain that it is copy-on-write specifically, since there is more than one way to get this effect, but copy-on-write is the most mature of them and it is a standard part of Windows memory management. The documented behaviour agrees with the dumps: Windows maps executable images so that code pages are shared until a process writes to one, at which point the memory manager gives that process a private copy of the page (the PAGE_WRITECOPY / PAGE_EXECUTE_WRITECOPY protection). A hook engine patching a prologue, like a debugger planting a breakpoint, therefore only ever changes the page as seen by its own process.)

 

So, is it "copy-on-write" after all?