{"id":1430,"date":"2015-06-22T11:58:00","date_gmt":"2015-06-22T03:58:00","guid":{"rendered":"http:\/\/blog.dynox.cn\/?p=1430"},"modified":"2023-08-12T08:48:32","modified_gmt":"2023-08-12T00:48:32","slug":"%e8%84%91%e6%ae%8b%e7%9a%84pssetcreateprocessnotifyroutine","status":"publish","type":"post","link":"https:\/\/blog.dynox.cn\/?p=1430","title":{"rendered":"\u8111\u6b8b\u7684PsSetCreateProcessNotifyRoutine"},"content":{"rendered":"<div class=\"gruber-markdown\"><p><span style=\"font-size: small;\">Vista\u4e4b\u524d\u7684\u7cfb\u7edf\uff0cXP\u53caServer 2003\u53ea\u67098\u4e2a\u5751\uff0c\u5c31\u662f\u8bf4\u524d8\u4e2a\u8c03\u7528\u6210\u529f\u4e4b\u540e\uff0c\u540e\u7eed\u7684\u6240\u6709\u8c03\u7528\u90fd\u4f1a\u5931\u8d25\uff0c\u770b\u6765\u901a\u8fc7\u6ce8\u518ccallback\u7684\u65b9\u5f0f\u6765\u76d1\u63a7\u8fdb\u7a0b\u975e\u5e38\u4e0d\u9760\u8c31\u3002<\/span><\/p>\n<p><span style=\"font-size: small;\">\u4ece\u5185\u6838\u89d2\u5ea6\u6765\u8bf4\uff0c\u5c3d\u91cf\u5c11\u7684\u8c03\u7528\u4e0d\u4ec5\u63d0\u9ad8\u7cfb\u7edf\u54cd\u5e94\u65f6\u95f4\uff0c\u4e5f\u964d\u4f4e\u4e86\u4e0d\u9760\u8c31\u7684\u9a71\u52a8\u6240\u53ef\u80fd\u5e26\u6765\u95ee\u9898\uff0c\u4f46\u9650\u5236\u4e3a\u533a\u533a8\u4e2a\u603b\u4e0d\u662f\u89e3\u51b3\u529e\u6cd5\u5427\uff0c\u6bd4\u5982Symantec\u5bb6\u7684SEP\u52a8\u4e0d\u52a8\u5c31\u53603\u4e2a\uff0c\u817e\u8baf\u5bb6(Tencent)\u66f4\u725bB\uff0c\u5b89\u5168\u7ba1\u5bb6\u8981\u7528\u51e0\u4e2a\uff0cQQ\u4e5f\u8981\u7528\uff0c\u5c31\u8fde\u6d4f\u89c8\u5668\u4e5f\u8981\u641e\u4e2a\u9a71\u52a8\u5e76\u4e5f\u8981\u6ce8\u518c\u4e2a\u8fdb\u7a0b\u521b\u5efa\u7684\u56de\u8c03\u901a\u77e5\uff0c\u8fd9\u4e5f\u592a\u8ba9\u4eba\u65e0\u8bed\u4e86\u5427\u3002<\/span><\/p>\n<p><span style=\"font-size: small;\">\u597d\u5728\u4eceVista\u5f00\u59cb\uff0c\u8fd9\u4e2a\u9650\u5236\u4ece8\u4e2a\u53d8\u6210\u4e8664\u4e2a\uff0c\u7ffb\u4e86\u6574\u65748\u500d\uff0c\u5475\u5475\uff0c\u8fd9\u4e0b\u591f\u7528\u4e86\uff1f\uff01<\/span><\/p>\n<p><span style=\"font-size: small;\">\u4e0b\u9762\u662f\u4e00\u4e2a\u5178\u578b\u7684XP\u7cfb\u7edf\u5b9e\u4f8b\uff0c8\u4e2a\u56de\u8c03\u4f1a\u88ab\u5360\u6ee1\u4e86\uff0c\u540e\u8d77\u7684\u9a71\u52a8\u4eec\u53ea\u80fd\u60f3\u5176\u5b83\u529e\u6cd5\u4e86\uff1a<\/span><\/p>\n<blockquote>0: kd&gt; x nt!PspCreateProcessNotifyRoutine\n80564a40 nt!PspCreateProcessNotifyRoutine = &lt;no type information&gt;\n0: kd&gt; dd 80564a40\n80564a40\u00a0 e101894f e15e4eb7 e2031ff6 e1e8b56f\n80564a50\u00a0 e20a8d9f e51c641f e52246b7 e5ad82cf\n80564a60\u00a0 00000008 00000000 86a85d58 8656fac0\n80564a70\u00a0 86b9b5a0 86be5208 86be45a0 00000000\n80564a80\u00a0 00000000 00000000 00000000 00000000\n80564a90\u00a0 00000000 00000000 00000000 00000000\n80564aa0\u00a0 00000000 6d6f7441 00000000 00000001\n80564ab0\u00a0 00000000 00000000 00000000 00000000\n0: kd&gt; .for (r $t0=0; $t0 &lt; 8; r $t0=$t0+1) {r $t1 = poi($t0 * 4 + nt!PspCreateProcessNotifyRoutine); .if ($t1 == 0) {.continue;}; r $t1 = $t1 &amp; 0xFFFFFFF8; r $t1 = poi($t1 + 4); r $t0; r $t1; u $t1; ln $t1;}\n$t0=00000000\n$t1=f7310790\nTsFltMgr+0x10790:\nf7310790 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp\nf7310791 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp\nf7310793 83e4f8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 and\u00a0\u00a0\u00a0\u00a0 esp,0FFFFFFF8h\nf7310796 83ec14\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sub\u00a0\u00a0\u00a0\u00a0 esp,14h\nf7310799 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebx\nf731079a 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi\nf731079b 8b35a07b31f7\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 esi,dword ptr [TsFltMgr+0x17ba0 (f7317ba0)]\nf73107a1 57\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 edi\n$t0=00000001\n$t1=f771a788\nghcore+0x3788:\nf771a788 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi\nf771a78a 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp\nf771a78b 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp\nf771a78d 33c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xor\u00a0\u00a0\u00a0\u00a0 eax,eax\nf771a78f 390564b471f7\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 dword ptr [ghcore+0x4464 (f771b464)],eax\nf771a795 7508\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 ghcore+0x379f (f771a79f)\nf771a797 39056cb471f7\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 dword ptr [ghcore+0x446c (f771b46c)],eax\nf771a79d 741a\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 je\u00a0\u00a0\u00a0\u00a0\u00a0 ghcore+0x37b9 (f771a7b9)\n$t0=00000002\n$t1=ed1a3b00\nSYMEVENT+0xcb00:\ned1a3b00 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi\ned1a3b02 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp\ned1a3b03 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp\ned1a3b05 51\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ecx\ned1a3b06 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebx\ned1a3b07 8b5d08\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebx,dword ptr [ebp+8]\ned1a3b0a 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi\ned1a3b0b 33f6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xor\u00a0\u00a0\u00a0\u00a0 esi,esi\n$t0=00000003\n$t1=ecfeb120\nQQFrmMgr+0xe120:\necfeb120 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi\necfeb122 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp\necfeb123 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp\necfeb125 51\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ecx\necfeb126 51\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ecx\necfeb127 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebx\necfeb128 8b5d0c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebx,dword ptr [ebp+0Ch]\necfeb12b 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi\n$t0=00000004\n$t1=ecd098a0\nSysPlant+0x78a0:\necd098a0 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp\necd098a1 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp\necd098a3 83e4f8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 and\u00a0\u00a0\u00a0\u00a0 esp,0FFFFFFF8h\necd098a6 51\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ecx\necd098a7 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebx\necd098a8 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi\necd098a9 57\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 edi\necd098aa a12480d1ec\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,dword ptr [SysPlant+0x16024 (ecd18024)]\n$t0=00000005\n$t1=866b41d0\n866b41d0 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n866b41d1 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n866b41d2 e9e7c4f466\u00a0\u00a0\u00a0\u00a0\u00a0 jmp\u00a0\u00a0\u00a0\u00a0 QMUdisk+0x26be (ed6006be)\n866b41d7 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n866b41d8 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n866b41d9 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n866b41da 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n866b41db 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n$t0=00000006\n$t1=ecaf8070\nBHDrvx86+0x6c070:\necaf8070 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi\necaf8072 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp\necaf8073 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp\necaf8075 807d1000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 byte ptr [ebp+10h],0\necaf8079 750f\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 BHDrvx86+0x6c08a (ecaf808a)\necaf807b 8b450c\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 eax,dword ptr [ebp+0Ch]\necaf807e 8b0d48e0b8ec\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ecx,dword ptr [BHDrvx86+0x102048 (ecb8e048)]\necaf8084 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 eax\n$t0=00000007\n$t1=ee461eba\ndekfs+0x4eba:\nee461eba 8bff\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 edi,edi\nee461ebc 55\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebp\nee461ebd 8bec\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 ebp,esp\nee461ebf 83ec10\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sub\u00a0\u00a0\u00a0\u00a0 esp,10h\nee461ec2 807d1000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 byte ptr [ebp+10h],0\nee461ec6 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 ebx\nee461ec7 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 esi\nee461ec8 57\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 edi<\/blockquote>\n<p><span style=\"font-size: small;\">Server 2008 X64\u7cfb\u7edf\u5df2\u7ecf\u53ef\u4ee5\u652f\u630164\u4e2a\u6ce8\u518c\u56de\u8c03\u4e86\uff0c\u8fd9\u4e2a\u9650\u5236\u662f\u786c\u7f16\u7801\u5728<\/span><\/p>\n<p><span style=\"font-size: small;\">\u51fd\u6570PsSetCreateProcessNotifyRoutine\u4e2d\u7684\uff1a<\/span><\/p>\n<blockquote>0: kd&gt; u nt!PspSetCreateProcessNotifyRoutine\nnt!PspSetCreateProcessNotifyRoutine:\nfffff800`01c3fab0 48895c2408\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 qword ptr [rsp+8],rbx\nfffff800`01c3fab5 48896c2410\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 qword ptr [rsp+10h],rbp\nfffff800`01c3faba 4889742418\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 qword ptr [rsp+18h],rsi\n\u2026\u2026\nfffff800`01c3fad4 bb01000000 \u00a0 \u00a0 \u00a0mov \u00a0 \u00a0 ebx,1\n\u2026\u2026\nfffff800`01c3fb3e e89d3cf1ff\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 nt!ExDereferenceCallBackBlock (fffff800`01b537e0)\nfffff800`01c3fb43 4403e3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add\u00a0\u00a0\u00a0\u00a0 r12d,ebx\nfffff800`01c3fb46 4183fc40\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 r12d,40h\nfffff800`01c3fb4a 72ae\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jb\u00a0\u00a0\u00a0\u00a0\u00a0 nt!PspSetCreateProcessNotifyRoutine+0x4a (fffff800`01c3fafa)\nfffff800`01c3fb4c 66019fb4010000\u00a0 add\u00a0\u00a0\u00a0\u00a0 word ptr [rdi+1B4h],bx\nfffff800`01c3fb53 7518\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 nt!PspSetCreateProcessNotifyRoutine+0xbd (fffff800`01c3fb6d)\n\u2026\u2026<\/blockquote>\n<p><span style=\"font-size: small;\">\u6b64\u7cfb\u7edf\u4e0a\u5e76\u672a\u5b89\u88c5\u817e\u8baf\u7ba1\u5bb6\u7b49\u7c7b\u4f3c\u7684\u9632\u6bd2\u7a0b\u5e8f\uff0c\u4f46\u662f64\u4e2a\u6ce8\u518c\u56de\u8c03\u5df2\u67096\u4e2a\u88ab\u4f7f\u7528\uff0c\u5dee\u4e0d\u591a\u5168\u662fM$\u81ea\u5bb6\u7ed9\u5360\u7528\u7684\uff1a<\/span><\/p>\n<blockquote>0: kd&gt; x nt!PspCreateProcessNotifyRoutine\nfffff800`019f8ee0 nt!PspCreateProcessNotifyRoutine = &lt;no type information&gt;\n0: kd&gt; dq fffff800`019f8ee0\nfffff800`019f8ee0\u00a0 fffff880`00008c4f fffff880`006d7acf\nfffff800`019f8ef0\u00a0 fffff880`006f694f fffff880`007ff5cf\nfffff800`019f8f00\u00a0 fffff880`098168af fffff880`0a30216f\nfffff800`019f8f10\u00a0 00000000`00000000 00000000`00000000\nfffff800`019f8f20\u00a0 00000000`00000000 00000000`00000000\nfffff800`019f8f30\u00a0 00000000`00000000 00000000`00000000\nfffff800`019f8f40\u00a0 00000000`00000000 00000000`00000000\nfffff800`019f8f50\u00a0 00000000`00000000 00000000`00000000\n0: kd&gt; .for (r $t0=0; $t0 &lt; 0x40; r $t0=$t0+1) {r $t1=poi($t0 * 8 + nt!PspCreateProcessNotifyRoutine); .if ($t1 == 0) {.continue}; r $t0; r $t1 = $t1 &amp; 0xFFFFFFFFFFFFFFF0; r $t1 = poi($t1 + 8); r $t1; u $t1; ln $t1;}\n$t0=0000000000000000\n$t1=fffff8000188dbd0\nnt!ViCreateProcessCallback:\nfffff800`0188dbd0 fff3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 rbx\nfffff800`0188dbd2 4883ec40\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sub\u00a0\u00a0\u00a0\u00a0 rsp,40h\nfffff800`0188dbd6 833dc3a2160000\u00a0 cmp\u00a0\u00a0\u00a0\u00a0 dword ptr [nt!ViVerifierEnabled (fffff800`019f7ea0)],0\nfffff800`0188dbdd 0f8583b6fcff\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 nt! ?? ::FNODOBFM::`string'+0x21140 (fffff800`01859266)\nfffff800`0188dbe3 4883c440\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add\u00a0\u00a0\u00a0\u00a0 rsp,40h\nfffff800`0188dbe7 5b\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pop\u00a0\u00a0\u00a0\u00a0 rbx\nfffff800`0188dbe8 c3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ret\nfffff800`0188dbe9 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n(fffff800`0188dbd0)\u00a0\u00a0 nt!ViCreateProcessCallback\u00a0\u00a0 |\u00a0 (fffff800`0188dbf0)\u00a0\u00a0 nt!IopAllocateFileObjectExtension\nExact matches:\nnt!ViCreateProcessCallback = &lt;no type information&gt;\n$t0=0000000000000001\n$t1=fffffa6000e52ffc\nksecdd!CredMarshalTargetInfo+0x8cc:\nfffffa60`00e52ffc 4883ec28\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sub\u00a0\u00a0\u00a0\u00a0 rsp,28h\nfffffa60`00e53000 488364244800\u00a0\u00a0\u00a0 and\u00a0\u00a0\u00a0\u00a0 qword ptr [rsp+48h],0\nfffffa60`00e53006 4584c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 r8b,r8b\nfffffa60`00e53009 488bc2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 rax,rdx\nfffffa60`00e5300c 7546\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 ksecdd!CredMarshalTargetInfo+0x924 (fffffa60`00e53054)\nfffffa60`00e5300e 488d542448\u00a0\u00a0\u00a0\u00a0\u00a0 lea\u00a0\u00a0\u00a0\u00a0 rdx,[rsp+48h]\nfffffa60`00e53013 488bc8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 rcx,rax\nfffffa60`00e53016 ff15dc00feff\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 qword ptr [ksecdd!BCryptDestroySecret+0x191c8 (fffffa60`00e330f8)]\n(fffffa60`00e52730)\u00a0\u00a0 ksecdd!CredMarshalTargetInfo+0x8cc\u00a0\u00a0 |\u00a0 (fffffa60`00e535f4)\u00a0\u00a0 ksecdd!AcquireCredentialsHandleW\n$t0=0000000000000002\n$t1=fffffa600106f830\ntcpip+0x69830:\nfffffa60`0106f830 4d85c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 r8,r8\nfffffa60`0106f833 7405\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 je\u00a0\u00a0\u00a0\u00a0\u00a0 tcpip+0x6983a (fffffa60`0106f83a)\nfffffa60`0106f835 e9860b0000\u00a0\u00a0\u00a0\u00a0\u00a0 jmp\u00a0\u00a0\u00a0\u00a0 tcpip+0x6a3c0 (fffffa60`010703c0)\nfffffa60`0106f83a e911130000\u00a0\u00a0\u00a0\u00a0\u00a0 jmp\u00a0\u00a0\u00a0\u00a0 tcpip+0x6ab50 (fffffa60`01070b50)\nfffffa60`0106f83f 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\nfffffa60`0106f840 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\nfffffa60`0106f841 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\nfffffa60`0106f842 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\n$t0=0000000000000003\n$t1=fffffa600074e06c\nCI!I_PEProcessNotify:\nfffffa60`0074e06c 4584c0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 test\u00a0\u00a0\u00a0 r8b,r8b\nfffffa60`0074e06f 7528\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 jne\u00a0\u00a0\u00a0\u00a0 CI!I_PEProcessNotify+0x2d (fffffa60`0074e099)\nfffffa60`0074e071 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 rbx\nfffffa60`0074e072 4883ec20\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sub\u00a0\u00a0\u00a0\u00a0 rsp,20h\nfffffa60`0074e076 488bda\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 rbx,rdx\nfffffa60`0074e079 ff15f1d1f5ff\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 qword ptr [CI!_imp_IoGetCurrentProcess (fffffa60`006ab270)]\nfffffa60`0074e07f 488bc8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 rcx,rax\nfffffa60`0074e082 ff1530d0f5ff\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 qword ptr [CI!_imp_PsIsProtectedProcess (fffffa60`006ab0b8)]\n(fffffa60`0074e06c)\u00a0\u00a0 CI!I_PEProcessNotify\u00a0\u00a0 |\u00a0 (fffffa60`0074e0a0)\u00a0\u00a0 CI!RSA32Alloc\nExact matches:\nCI!I_PEProcessNotify = &lt;no type information&gt;\n$t0=0000000000000004\n$t1=fffffa6002fac964\ndekfs+0x6964:\nfffffa60`02fac964 48895c2408\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 qword ptr [rsp+8],rbx\nfffffa60`02fac969 48896c2410\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 qword ptr [rsp+10h],rbp\nfffffa60`02fac96e 56\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 rsi\nfffffa60`02fac96f 57\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 rdi\nfffffa60`02fac970 4154\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 r12\nfffffa60`02fac972 4155\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 r13\nfffffa60`02fac974 4156\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 r14\nfffffa60`02fac976 4883ec50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sub\u00a0\u00a0\u00a0\u00a0 rsp,50h\n$t0=0000000000000005\n$t1=fffffa600c545b2d\npeauth!I_PEProcessNotify:\nfffffa60`0c545b2d 48895c2408\u00a0\u00a0\u00a0\u00a0\u00a0 mov\u00a0\u00a0\u00a0\u00a0 qword ptr [rsp+8],rbx\nfffffa60`0c545b32 57\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push\u00a0\u00a0\u00a0 rdi\nfffffa60`0c545b33 4883ec20\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sub\u00a0\u00a0\u00a0\u00a0 rsp,20h\nfffffa60`0c545b37 e8cc6bfdff\u00a0\u00a0\u00a0\u00a0\u00a0 call\u00a0\u00a0\u00a0 peauth!WARBIRD::Stub_VerifyVerifierCheckSum (fffffa60`0c51c708)\nfffffa60`0c545b3c 90\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 nop\nfffffa60`0c545b3d 360000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add\u00a0\u00a0\u00a0\u00a0 byte ptr ss:[rax],al\nfffffa60`0c545b40 00fd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 add\u00a0\u00a0\u00a0\u00a0 ch,bh\nfffffa60`0c545b42 140a\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 adc\u00a0\u00a0\u00a0\u00a0 al,0Ah\n(fffffa60`0c545b2d)\u00a0\u00a0 peauth!I_PEProcessNotify\u00a0\u00a0 |\u00a0 (fffffa60`0c545fe1)\u00a0\u00a0 peauth!PEReturnCertChain\nExact matches:\npeauth!I_PEProcessNotify = &lt;no type information&gt;<\/blockquote><\/div>","protected":false},"excerpt":{"rendered":"<p>Vista\u4e4b\u524d\u7684\u7cfb\u7edf\uff0cXP\u53caServer 2003\u53ea\u67098\u4e2a\u5751\uff0c\u5c31\u662f\u8bf4\u524d8\u4e2a\u8c03\u7528\u6210\u529f\u4e4b\u540e\uff0c\u540e\u7eed\u7684\u6240\u6709\u8c03\u7528\u90fd\u4f1a\u5931\u8d25 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[9],"tags":[560,559,394],"views":2924,"_links":{"self":[{"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=\/wp\/v2\/posts\/1430"}],"collection":[{"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1430"}],"version-history":[{"count":5,"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=\/wp\/v2\/posts\/1430\/revisions"}],"predecessor-version":[{"id":1735,"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=\/wp\/v2\/posts\/1430\/revisions\/1735"}],"wp:attachment":[{"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.dynox.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}