创建进程流程CreateProcess
//---------------------------------------创建进程流程---------------------------------------------
call kernel32!CreateProcessA
BOOL WINAPI CreateProcess(
LPCTSTR lpApplicationName,
LPTSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCTSTR lpCurrentDirectory,
LPSTARTUPINFO lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)
{
/* 参数说明:第一个与最后一个为零,中间10个对应上面传入的10个参数
主要目的:将ANSI字符串转换成Unicode字符串*/
call kernel32!CreateProcessInternalA(...)
{
{
call kernel32!CreateProcessInternalW(...)
{
call ntdll!ZwQueryInformationJobObject(HANDLE JobHandle,
JOBOBJECTINFOCLASS JobInformationClass,
PVOID JobInformation,
ULONG JobInformationLength,
PULONG ReturnLength OPTIONAL);
判断返回值是否为C0000022h (拒绝访问, STATUS_ACCESS_DENIED)
call kernel32!SearchPathW(...); //进行路径搜索
call kernel32!GetFileAttributesW(...);//获取文件属性
call kernel32!BasepIsSetupInvokedByWinLogon(...);//判断是否由WinLogon进程调用
call ntdll!RtlDosPathNameToNtPathName_U(....);
call ntdll!RtlInitUnicodeString();
call ntdll!RtlDetermineDosPathNameType_U(.); //路径转换
call ntdll!NtOpenFile(); //打开文件
//创建Section CreateFileMapping是对NtCreateSection的封装
call ntdll!NtCreateSection(
PHANDLE SectionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
PLARGE_INTEGER MaximumSize OPTIONAL,
ULONG Protect,
ULONG Attributes,
HANDLE FileHandle OPTIONAL); //程序被映射进了内存
{
call kernel32!BasepCheckWinSaferRestrictions
{
RtlEnterCriticalSection(...);
NtOpenThreadToken();//判断返回值是否等于0C000007Ch(试图引用不存在的令牌, STATUS_NO_TOKEN),否则跳走
NtOpenProcessToken();//判断返回值是否为0C0000022h(拒绝访问, STATUS_ACCESS_DENIED)
}
}
call ntdll.NtQuerySection(...);
call kernel32!LdrQueryImageFileExecutionOptions //读取映像文件执行选项(IFEO)中的Debugger值,即映像劫持所在之处
LdrQueryImageFileExecutionOptions ( IN PUNICODE_STRING SubKey, == "\??\E:\AAAAA.exe"进程名
PCWSTR ValueName, == "Debugger"
ULONG Type,
PVOID Buffer,
ULONG BufferSize,
PULONG ReturnedLength OPTIONAL)
call kernel32!BasepIsImageVersionOk
LoadLibraryA(advapi32.dll);
GetProcAddress("CreateProcessAsUserSecure");
call kernel32!BasepCheckBadapp();//对进程进行兼容性检查
call kernel32!BasepIsImageVersionOk
call kernel32!FreeLibrary "advapi32.dll"
call kernel32!BaseFormatObjectAttributes
call ntdll!ZwCreateProcessEx
mov eax,30h
call ntdll!KiFastSystemCall
call ntdll!ZwSetInformationProcess
NtSetInformationProcess ( ProcessHandle, == ZwCreateProcessEx时得到的进程句柄
PROCESSINFOCLASS ProcessInformationClass, == 12h == ProcessDefaultHardErrorMode
PVOID ProcessInformation, == 2 == SEM_NOGPFAULTERRORBOX
ULONG ProcessInformationLength == 2)
NtSetInformationProcess(...)
call kernel32!BasepSxsCreateProcessCsrMessage
{
BasepSxsGetProcessImageBaseAddress KERNEL32
RtlMultiAppendUnicodeStringBuffer NTDLL
BasepSxsCreateStreams KERNEL32
BasepSxsIsStatusFileNotFoundEtc
BasepSxsIsStatusResourceNotFound
}
call ntdll!NtQueryInformationProcess(
HANDLE ProcessHandle, == 进程句柄
PROCESSINFOCLASS ProcessInformationClass, == 0 == ProcessBasicInformation
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength OPTIONAL);
call kernel32!BasePushProcessParameters
{
__SEH_prolog
GetFullPathNameW KERNEL32
BaseComputeProcessDllPath KERNEL32
RtlInitUnicodeString
RtlCreateProcessParameters NTDLL
NtAllocateVirtualMemory
NtWriteVirtualMemory
__security_check_cookie
__SEH_epilog
}
call kernel32!BaseCreateStack
{
NTDLL.RtlImageNtHeader
NtAllocateVirtualMemory
NtProtectVirtualMemory
}
call kernel32!BaseInitializeContext
{
BaseInitializeContext
(PCONTEXT Context, // 0x200 bytes
PPEB Peb,
PVOID EntryPoint,
DWORD StackTop,
int Type );
}
call kernel32!BaseFormatObjectAttributes
call ntdll!ZwCreateThread
mov eax,35h
call ntdll!KiFastSystemCall
call kernel32!GetModuleHandleA "NULL"
eax == 0400000h ;程序装入地址
call ntdll!RtlImageNtHeader eax //验证NTHeader
//下面是通知Csrss.exe的几个函数
call ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace
call ntdll!CsrClientCallServer
call ntdll!CsrFreeCaptureBuffer
call ntdll!ZwResumeThread ;启动线程移交控制权并返回
ret //进程创建过程结束
}
}
}
}