Preface:

#if 0

Actually, what I am doing here has a backstory.
One evening I was discussing a related technical question with a friend
(I am not that well versed in it either, and I was not sure my view was correct, which is why it was a discussion).
We got onto the Windows mapping mechanism,
and the scenario we modelled was this
(a simple scenario: x86, not the more complex x64 case):
there are two processes in the system, A and B; process A loads a system DLL and process B loads the same system DLL (ntdll, kernel32 and so on).
What does that DLL's memory look like in the system: is there one copy of the data in physical memory that is mapped into multiple processes, or are there multiple copies from the start?
Neither of us disputed this point; it is basic theory: the DLL has one copy of its data in physical memory, and that copy is mapped into multiple processes.
The later part is where we disagreed:
given that there is only one copy, how does the system guarantee that after I hook that DLL in process B, the DLL in process A is unchanged and not hooked?

I do not know how Windows actually implements this; the only reasonable solution I could think of at the time was... copy-on-write...
At the moment the mapping is made the data is unchanged, and as long as nothing modifies it, it stays unchanged; but when the hook is installed and memory is written, it changes:
the system, or the CPU, makes a copy and replaces the current page with the copy, so copy-on-write is what lets you hook this process's memory while other processes are unaffected.
My colleague did not have a reasonable solution of his own, yet he said my idea was wrong and had problems,
so we disagreed,
and hence today's post.

There is not really much of a post; it is just a pile of debugging output.

#endif

Body:

Computing the ntdll module's memory for the alg process

[PC Hunter Standard][[alg.exe] process modules (35)]: 35
Module path        Base address        Size        Vendor
C:\WINDOWS\System32\alg.exe        0x01000000        0x0000D000        Microsoft Corporation
C:\WINDOWS\system32\ntdll.dll        0x7C920000        0x00096000        Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll        0x7C800000        0x0011E000        Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll        0x77BE0000        0x00058000        Microsoft Corporation
C:\WINDOWS\System32\ATL.DLL        0x76AF0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\USER32.dll        0x77D10000        0x00090000        Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll        0x77EF0000        0x00049000        Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll        0x77DA0000        0x000A9000        Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll        0x77E50000        0x00093000        Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll        0x77FC0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\ole32.dll        0x76990000        0x0013E000        Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll        0x770F0000        0x0008B000        Microsoft Corporation
C:\WINDOWS\System32\WSOCK32.dll        0x71A40000        0x0000B000        Microsoft Corporation
C:\WINDOWS\System32\WS2_32.dll        0x71A20000        0x00017000        Microsoft Corporation
C:\WINDOWS\System32\WS2HELP.dll        0x71A10000        0x00008000        Microsoft Corporation
C:\WINDOWS\System32\MSWSOCK.DLL        0x719C0000        0x0003E000        Microsoft Corporation
C:\WINDOWS\System32\ShimEng.dll        0x5CC30000        0x00026000        Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL        0x58FB0000        0x001CA000        Microsoft Corporation
C:\WINDOWS\System32\WINMM.dll        0x76B10000        0x0002A000        Microsoft Corporation
C:\WINDOWS\System32\MSACM32.dll        0x77BB0000        0x00015000        Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll        0x77BD0000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll        0x7D590000        0x007F4000        Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll        0x77F40000        0x00076000        Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll        0x759D0000        0x000AF000        Microsoft Corporation
C:\WINDOWS\System32\UxTheme.dll        0x5ADC0000        0x00037000        Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL        0x76300000        0x0001D000        Microsoft Corporation
C:\WINDOWS\System32\LPK.DLL        0x62C20000        0x00009000        Microsoft Corporation
C:\WINDOWS\System32\USP10.dll        0x73FA0000        0x0006B000        Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll        0x77180000        0x00103000        Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll        0x5D170000        0x0009A000        Microsoft Corporation
C:\WINDOWS\System32\CLBCATQ.DLL        0x76FA0000        0x0007F000        Microsoft Corporation
C:\WINDOWS\System32\COMRes.dll        0x77020000        0x0009A000        Microsoft Corporation
C:\WINDOWS\System32\xpsp2res.dll        0x00730000        0x00549000        Microsoft Corporation
C:\WINDOWS\system32\hnetcfg.dll        0x60FD0000        0x00055000        Microsoft Corporation
C:\WINDOWS\System32\wshtcpip.dll        0x71A00000        0x00008000        Microsoft Corporation

PAE is enabled

PROCESS 8177d020  SessionId: 0  Cid: 0284    Peb: 7ffdb000  ParentCid: 02ec
    DirBase: 02b80180  ObjectTable: e2622c08  HandleCount: 106.
    Image: alg.exe

.process /i 8177d020

kd> r cr3
cr3=02b80180

kd> !dd 02b80180
# 2b80180 0cc7f801 00000000 0e580801 00000000
# 2b80190 0de41801 00000000 0dd7e801 00000000
# 2b801a0 f8c63220 00000000 08e54801 00000000
# 2b801b0 08e56801 00000000 08e53801 00000000
# 2b801c0 1ad6e801 00000000 1ad6f801 00000000
# 2b801d0 1ad70801 00000000 1ad6d801 00000000
# 2b801e0 1aebc801 00000000 1af3d801 00000000
# 2b801f0 1af3e801 00000000 1aefb801 00000000

7C920000

2    9    9    12
1    0x1E4    0x120    0

kd> !dq 0x0e580000+0x1E4*8
# e580f20 00000000`0ea1a867 00000000`00000000
# e580f30 00000000`00000000 00000000`00000000
# e580f40 00000000`00000000 00000000`00000000
# e580f50 00000000`0eeb2867 00000000`0eeb3867
# e580f60 00000000`1031b867 00000000`0eb5b867
# e580f70 00000000`0e515867 00000000`00000000
# e580f80 00000000`00000000 00000000`00000000
# e580f90 00000000`00000000 00000000`00000000


kd> !dq 0x0ea1a000+0x120*8
# ea1a900 80000000`03e0f025 00000000`055e4025
# ea1a910 00000000`055e5025 00000000`055e6025
# ea1a920 00000000`055e7025 00000000`055e8025
# ea1a930 00000000`055e9025 00000000`055ea025
# ea1a940 00000000`055eb025 00000000`055ec025
# ea1a950 00000000`055ed025 00000000`055ee025
# ea1a960 00000000`055ef025 00000000`055f0025
# ea1a970 00000000`055f1025 00000000`055f2025


kd> !db 0x03e0f000
# 3e0f000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 3e0f010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 3e0f020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3e0f030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 3e0f040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 3e0f050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 3e0f060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
# 3e0f070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......



kd> db 7C920000
7c920000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
7c920010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
7c920020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7c920030  00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00  ................
7c920040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
7c920050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
7c920060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
7c920070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......



Look at this location; it is an address that has already been hooked:
0x7C94188B
The base addresses are all the same, and it is the same module,
so for each process we only need to look at the physical address this virtual address maps to, and the data there.

.process /i 8177d020

kd> r cr3
cr3=02b80180

kd> !dd 02b80180
# 2b80180 0cc7f801 00000000 0e580801 00000000
# 2b80190 0de41801 00000000 0dd7e801 00000000
# 2b801a0 f8c63220 00000000 08e54801 00000000
# 2b801b0 08e56801 00000000 08e53801 00000000
# 2b801c0 1ad6e801 00000000 1ad6f801 00000000
# 2b801d0 1ad70801 00000000 1ad6d801 00000000
# 2b801e0 1aebc801 00000000 1af3d801 00000000
# 2b801f0 1af3e801 00000000 1aefb801 00000000

0x7C94188B

2    9    9    12
1    0x1E4    0x141    0x88B

kd> !dq 0x0e580000+0x1E4*8
# e580f20 00000000`0ea1a867 00000000`00000000
# e580f30 00000000`00000000 00000000`00000000
# e580f40 00000000`00000000 00000000`00000000
# e580f50 00000000`0eeb2867 00000000`0eeb3867
# e580f60 00000000`1031b867 00000000`0eb5b867
# e580f70 00000000`0e515867 00000000`00000000
# e580f80 00000000`00000000 00000000`00000000
# e580f90 00000000`00000000 00000000`00000000

kd> !dq 0x0ea1a000+0x141*8
# ea1aa08 00000000`05704025 00000000`05705025
# ea1aa18 00000000`05706025 00000000`056c7025
# ea1aa28 00000000`056c8025 00000000`056c9025
# ea1aa38 00000000`056ca025 00000000`056cb025
# ea1aa48 00000000`056cc025 00000000`0568d025
# ea1aa58 00000000`0568e025 00000000`0568f025
# ea1aa68 00000000`05650025 00000000`05651025
# ea1aa78 00000000`05652025 00000000`05653025

kd> !db 0570488B
# 570488b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
# 570489b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
# 57048ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
# 57048bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
# 57048cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
# 57048db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
# 57048eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
# 57048fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b  6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00  j,h...|.4...d...
7c94189b  00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89  ...p0.u..e...3..
7c9418ab  5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3  ]..]..]..]..E.;.
7c9418bb  0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39  ......3.f...M.f9
7c9418cb  48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04  H.......f;.t.9X.
7c9418db  0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01  .......M.;.t.f..
7c9418eb  66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39  f9A.......f;.t.9
7c9418fb  59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66  Y........M.;.t.f

Computing the ntdll module's memory for the imapi process

[PC Hunter Standard][[imapi.exe] process modules (35)]: 35
Module path        Base address        Size        Vendor
C:\WINDOWS\system32\imapi.exe        0x01000000        0x00029000        Microsoft Corporation
C:\WINDOWS\system32\ntdll.dll        0x7C920000        0x00096000        Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll        0x7C800000        0x0011E000        Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll        0x77DA0000        0x000A9000        Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll        0x77E50000        0x00093000        Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll        0x77FC0000        0x00011000        Microsoft Corporation
C:\WINDOWS\system32\USER32.dll        0x77D10000        0x00090000        Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll        0x77EF0000        0x00049000        Microsoft Corporation
C:\WINDOWS\system32\ole32.dll        0x76990000        0x0013E000        Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll        0x77BE0000        0x00058000        Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll        0x770F0000        0x0008B000        Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll        0x76060000        0x00156000        Microsoft Corporation
C:\WINDOWS\system32\ShimEng.dll        0x5CC30000        0x00026000        Microsoft Corporation
C:\WINDOWS\AppPatch\AcGenral.DLL        0x58FB0000        0x001CA000        Microsoft Corporation
C:\WINDOWS\system32\WINMM.dll        0x76B10000        0x0002A000        Microsoft Corporation
C:\WINDOWS\system32\MSACM32.dll        0x77BB0000        0x00015000        Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll        0x77BD0000        0x00008000        Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll        0x7D590000        0x007F4000        Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll        0x77F40000        0x00076000        Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll        0x759D0000        0x000AF000        Microsoft Corporation
C:\WINDOWS\system32\UxTheme.dll        0x5ADC0000        0x00037000        Microsoft Corporation
C:\WINDOWS\system32\IMM32.DLL        0x76300000        0x0001D000        Microsoft Corporation
C:\WINDOWS\system32\LPK.DLL        0x62C20000        0x00009000        Microsoft Corporation
C:\WINDOWS\system32\USP10.dll        0x73FA0000        0x0006B000        Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll        0x77180000        0x00103000        Microsoft Corporation
C:\WINDOWS\system32\comctl32.dll        0x5D170000        0x0009A000        Microsoft Corporation
C:\WINDOWS\system32\xpsp2res.dll        0x00830000        0x00549000        Microsoft Corporation
C:\WINDOWS\system32\CLBCATQ.DLL        0x76FA0000        0x0007F000        Microsoft Corporation
C:\WINDOWS\system32\COMRes.dll        0x77020000        0x0009A000        Microsoft Corporation
C:\WINDOWS\system32\ACTXPRXY.DLL        0x71CC0000        0x0001B000        Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll        0x68000000        0x00036000        Microsoft Corporation
C:\WINDOWS\system32\WINTRUST.dll        0x76C00000        0x0002E000        Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll        0x765E0000        0x00095000        Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll        0x76DB0000        0x00012000        Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll        0x76C60000        0x00029000        Microsoft Corporation

PAE is enabled

PROCESS 817714b8  SessionId: 0  Cid: 0e38    Peb: 7ffdd000  ParentCid: 02ec
    DirBase: 02b803c0  ObjectTable: e1936438  HandleCount: 118.
    Image: imapi.exe

.process /i 817714b8

kd> r cr3
cr3=02b803c0

kd> !dd 02b803c0
# 2b803c0 087c7801 00000000 1a663801 00000000
# 2b803d0 06e4a801 00000000 08c02801 00000000
# 2b803e0 f8c63300 00000000 130dc801 00000000
# 2b803f0 06e9d801 00000000 12bda801 00000000
# 2b80400 0b8ef801 00000000 07a70801 00000000
# 2b80410 0b931801 00000000 06e6e801 00000000
# 2b80420 0ddc5801 00000000 18886801 00000000
# 2b80430 11547801 00000000 12004801 00000000

7C920000

2    9    9    12
1    0x1E4    0x120    0

kd> !dq 0x1a663000+0x1E4*8
#1a663f20 00000000`08bcb867 00000000`00000000
#1a663f30 00000000`00000000 00000000`00000000
#1a663f40 00000000`00000000 00000000`00000000
#1a663f50 00000000`08ea6867 00000000`04c51867
#1a663f60 00000000`0b68a867 00000000`13fa7867
#1a663f70 00000000`09712867 00000000`00000000
#1a663f80 00000000`00000000 00000000`00000000
#1a663f90 00000000`00000000 00000000`00000000


kd> !dq 0x08bcb000+0x120*8
# 8bcb900 80000000`03e0f025 00000000`055e4025
# 8bcb910 00000000`055e5025 00000000`055e6025
# 8bcb920 00000000`055e7025 00000000`055e8025
# 8bcb930 00000000`055e9025 00000000`055ea025
# 8bcb940 00000000`055eb025 00000000`055ec025
# 8bcb950 00000000`055ed025 00000000`055ee025
# 8bcb960 00000000`055ef025 00000000`055f0025
# 8bcb970 00000000`055f1025 00000000`055f2025


kd> !db 0x03e0f000
# 3e0f000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 3e0f010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
# 3e0f020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
# 3e0f030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 3e0f040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 3e0f050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 3e0f060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
# 3e0f070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......



kd> db 7C920000
7c920000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
7c920010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
7c920020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
7c920030  00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00  ................
7c920040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
7c920050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
7c920060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
7c920070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......



Look at this location; it is an address that has already been hooked:
0x7C94188B
The base addresses are all the same, and it is the same module,
so for each process we only need to look at the physical address this virtual address maps to, and the data there.

.process /i 817714b8

kd> r cr3
cr3=02b803c0

kd> !dd 02b803c0
# 2b803c0 087c7801 00000000 1a663801 00000000
# 2b803d0 06e4a801 00000000 08c02801 00000000
# 2b803e0 f8c63300 00000000 130dc801 00000000
# 2b803f0 06e9d801 00000000 12bda801 00000000
# 2b80400 0b8ef801 00000000 07a70801 00000000
# 2b80410 0b931801 00000000 06e6e801 00000000
# 2b80420 0ddc5801 00000000 18886801 00000000
# 2b80430 11547801 00000000 12004801 00000000

0x7C94188B

2    9    9    12
1    0x1E4    0x141    0x88B

kd> !dq 0x1a663000+0x1E4*8
#1a663f20 00000000`08bcb867 00000000`00000000
#1a663f30 00000000`00000000 00000000`00000000
#1a663f40 00000000`00000000 00000000`00000000
#1a663f50 00000000`08ea6867 00000000`04c51867
#1a663f60 00000000`0b68a867 00000000`13fa7867
#1a663f70 00000000`09712867 00000000`00000000
#1a663f80 00000000`00000000 00000000`00000000
#1a663f90 00000000`00000000 00000000`00000000

kd> !dq 0x08bcb000+0x141*8
# 8bcba08 00000000`05704025 00000000`05705025
# 8bcba18 00000000`05706025 00000000`056c7025
# 8bcba28 00000000`056c8025 00000000`056c9025
# 8bcba38 00000000`056ca025 00000000`056cb025
# 8bcba48 00000000`056cc025 00000000`0568d025
# 8bcba58 00000000`0568e025 00000000`0568f025
# 8bcba68 00000000`05650025 00000000`05651025
# 8bcba78 00000000`05652025 00000000`05653025

kd> !db 0570488B
# 570488b 6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00 j,h...|.4...d...
# 570489b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
# 57048ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
# 57048bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
# 57048cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
# 57048db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
# 57048eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
# 57048fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b  6a 2c 68 10 1c 94 7c e8-34 d0 fe ff 64 a1 18 00  j,h...|.4...d...
7c94189b  00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89  ...p0.u..e...3..
7c9418ab  5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3  ]..]..]..]..E.;.
7c9418bb  0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39  ......3.f...M.f9
7c9418cb  48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04  H.......f;.t.9X.
7c9418db  0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01  .......M.;.t.f..
7c9418eb  66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39  f9A.......f;.t.9
7c9418fb  59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66  Y........M.;.t.f
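The following Python is an added example, not code from the original post: it reproduces the two page-table walks above (alg.exe and imapi.exe) on a constructed "physical memory" that holds only the PDPT, PDE and PTE values dumped there, decodes the entry flags, and checks whether every process resolves the same virtual address to the same physical frame. The 2 MB large-page branch and the flag decoding go beyond what the dumps show; the addresses and entry values are the ones on the page.

```python
# Constructed example: a PAE page-table walk over the entries dumped above.
# MEM is built by hand from the WinDbg output for alg.exe and imapi.exe; it is
# not a real memory image and holds only the entries the walk touches.
from typing import Dict, NamedTuple

PFN_MASK = 0x000F_FFFF_FFFF_F000          # bits 12..51 of a PAE entry hold the frame
FLAG_P, FLAG_RW, FLAG_US = 0x1, 0x2, 0x4  # present, writable, user-accessible
FLAG_A, FLAG_D, FLAG_PS = 0x20, 0x40, 0x80  # accessed, dirty, page size (2 MB)
FLAG_NX = 1 << 63                         # execute-disable (PAE only)


class Mapping(NamedTuple):
    phys: int   # physical address of the byte at the virtual address
    entry: int  # raw PTE that mapped it (or the PDE for a 2 MB page)


def split_pae_va(va: int):
    """Split a 32-bit VA the PAE way: 2 (PDPT) / 9 (PD) / 9 (PT) / 12 (offset)."""
    return (va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF


def walk(mem: Dict[int, int], cr3: int, va: int) -> Mapping:
    """Resolve VA -> PA through PDPT -> PD -> PT, as the !dq commands above do.

    `mem` maps an 8-byte-aligned physical address to the 64-bit entry stored there.
    """
    pdpt_i, pd_i, pt_i, off = split_pae_va(va)
    pdpte = mem[(cr3 & ~0x1F) + pdpt_i * 8]  # PAE: CR3 low 5 bits are not part of the address
    if not pdpte & FLAG_P:
        raise LookupError(f"PDPT[{pdpt_i}] not present")
    pde = mem[(pdpte & PFN_MASK) + pd_i * 8]
    if not pde & FLAG_P:
        raise LookupError(f"PDE[{pd_i:#x}] not present")
    if pde & FLAG_PS:                         # 2 MB page: the PDE is the leaf entry
        return Mapping((pde & PFN_MASK & ~0x1F_FFFF) | (va & 0x1F_FFFF), pde)
    pte = mem[(pde & PFN_MASK) + pt_i * 8]
    if not pte & FLAG_P:
        raise LookupError(f"PTE[{pt_i:#x}] not present")
    return Mapping((pte & PFN_MASK) | off, pte)


def describe(entry: int) -> dict:
    """Decode the flag bits a reviewer cares about when reading a dumped entry."""
    return {"present": bool(entry & FLAG_P), "writable": bool(entry & FLAG_RW),
            "user": bool(entry & FLAG_US), "accessed": bool(entry & FLAG_A),
            "dirty": bool(entry & FLAG_D), "nx": bool(entry & FLAG_NX),
            "pfn": (entry & PFN_MASK) >> 12}


def shared_frame(mem: Dict[int, int], cr3s: Dict[str, int], va: int) -> bool:
    """True when every process maps `va` onto the same physical frame."""
    frames = {walk(mem, cr3, va).phys >> 12 for cr3 in cr3s.values()}
    return len(frames) == 1


# Entries copied from the dumps above (physical address -> 64-bit entry).
MEM = {
    # alg.exe, CR3 = 0x02b80180
    0x02B80188: 0x0E580801,            # PDPT[1]   -> page directory at 0x0e580000
    0x0E580F20: 0x0EA1A867,            # PD[0x1E4] -> page table at 0x0ea1a000
    0x0EA1A900: 0x80000000_03E0F025,   # PT[0x120] ntdll header page: NX, read-only, user
    0x0EA1AA08: 0x05704025,            # PT[0x141] code page holding 0x7C94188B
    # imapi.exe, CR3 = 0x02b803c0
    0x02B803C8: 0x1A663801,
    0x1A663F20: 0x08BCB867,
    0x08BCB900: 0x80000000_03E0F025,   # same frame 0x03e0f as alg.exe
    0x08BCBA08: 0x05704025,            # same frame 0x05704 as alg.exe
}
CR3 = {"alg.exe": 0x02B80180, "imapi.exe": 0x02B803C0}

if __name__ == "__main__":
    for name, cr3 in CR3.items():
        for va in (0x7C920000, 0x7C94188B):
            m = walk(MEM, cr3, va)
            print(f"{name:10} {va:#010x} -> {m.phys:#010x} {describe(m.entry)}")
    print("ntdll header shared:", shared_frame(MEM, CR3, 0x7C920000))
    print("hook page shared:   ", shared_frame(MEM, CR3, 0x7C94188B))
```

The PTEs carry no writable bit, so a write to the hooked page faults and the memory manager must give that process a private copy; a process that has taken such a copy-on-write fault shows a different PFN for 0x7C94188B, which is what shared_frame() returning False would indicate.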

The first two processes are normal processes.

What is computed here is the explorer process, which has been tampered with and has many internal hook points.

One point is computed here:

ntdll.dll->RtlCreateProcessParameters

The hook point of this function is located at 0x7C94188B.

The three computations above also covered this hook point.

  1 [PC Hunter Standard][[explorer.exe]进程模块(123)]: 123
  2 模块路径        基地址        大小        文件厂商
  3 C:\WINDOWS\Explorer.EXE        0x01000000        0x000F1000        Microsoft Corporation
  4 C:\WINDOWS\system32\ntdll.dll        0x7C920000        0x00096000        Microsoft Corporation
  5 C:\WINDOWS\system32\kernel32.dll        0x7C800000        0x0011E000        Microsoft Corporation
  6 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\exnscan.dll        0x10000000        0x00075000        Tencent
  7 C:\WINDOWS\system32\CRYPT32.dll        0x765E0000        0x00095000        Microsoft Corporation
  8 C:\WINDOWS\system32\ADVAPI32.dll        0x77DA0000        0x000A9000        Microsoft Corporation
  9 C:\WINDOWS\system32\RPCRT4.dll        0x77E50000        0x00093000        Microsoft Corporation
 10 C:\WINDOWS\system32\Secur32.dll        0x77FC0000        0x00011000        Microsoft Corporation
 11 C:\WINDOWS\system32\MSASN1.dll        0x76DB0000        0x00012000        Microsoft Corporation
 12 C:\WINDOWS\system32\msvcrt.dll        0x77BE0000        0x00058000        Microsoft Corporation
 13 C:\WINDOWS\system32\USER32.dll        0x77D10000        0x00090000        Microsoft Corporation
 14 C:\WINDOWS\system32\GDI32.dll        0x77EF0000        0x00049000        Microsoft Corporation
 15 C:\WINDOWS\system32\WS2_32.dll        0x71A20000        0x00017000        Microsoft Corporation
 16 C:\WINDOWS\system32\WS2HELP.dll        0x71A10000        0x00008000        Microsoft Corporation
 17 C:\WINDOWS\system32\SHELL32.dll        0x7D590000        0x007F4000        Microsoft Corporation
 18 C:\WINDOWS\system32\SHLWAPI.dll        0x77F40000        0x00076000        Microsoft Corporation
 19 C:\WINDOWS\system32\ole32.dll        0x76990000        0x0013E000        Microsoft Corporation
 20 C:\WINDOWS\system32\VERSION.dll        0x77BD0000        0x00008000        Microsoft Corporation
 21 C:\WINDOWS\system32\PSAPI.DLL        0x76BC0000        0x0000B000        Microsoft Corporation
 22 C:\WINDOWS\system32\NETAPI32.dll        0x5FDD0000        0x00055000        Microsoft Corporation
 23 C:\WINDOWS\system32\iphlpapi.dll        0x76D30000        0x00018000        Microsoft Corporation
 24 C:\WINDOWS\system32\BROWSEUI.dll        0x75EF0000        0x000FD000        Microsoft Corporation
 25 C:\WINDOWS\system32\OLEAUT32.dll        0x770F0000        0x0008B000        Microsoft Corporation
 26 C:\WINDOWS\system32\SHDOCVW.dll        0x7E550000        0x00173000        Microsoft Corporation
 27 C:\WINDOWS\system32\CRYPTUI.dll        0x75430000        0x00071000        Microsoft Corporation
 28 C:\WINDOWS\system32\WININET.dll        0x76680000        0x000A6000        Microsoft Corporation
 29 C:\WINDOWS\system32\WINTRUST.dll        0x76C00000        0x0002E000        Microsoft Corporation
 30 C:\WINDOWS\system32\IMAGEHLP.dll        0x76C60000        0x00029000        Microsoft Corporation
 31 C:\WINDOWS\system32\WLDAP32.dll        0x76F30000        0x0002C000        Microsoft Corporation
 32 C:\WINDOWS\system32\UxTheme.dll        0x5ADC0000        0x00037000        Microsoft Corporation
 33 C:\WINDOWS\system32\ShimEng.dll        0x5CC30000        0x00026000        Microsoft Corporation
 34 C:\WINDOWS\AppPatch\AcGenral.DLL        0x58FB0000        0x001CA000        Microsoft Corporation
 35 C:\WINDOWS\system32\WINMM.dll        0x76B10000        0x0002A000        Microsoft Corporation
 36 C:\WINDOWS\system32\MSACM32.dll        0x77BB0000        0x00015000        Microsoft Corporation
 37 C:\WINDOWS\system32\USERENV.dll        0x759D0000        0x000AF000        Microsoft Corporation
 38 C:\WINDOWS\system32\IMM32.DLL        0x76300000        0x0001D000        Microsoft Corporation
 39 C:\WINDOWS\system32\LPK.DLL        0x62C20000        0x00009000        Microsoft Corporation
 40 C:\WINDOWS\system32\USP10.dll        0x73FA0000        0x0006B000        Microsoft Corporation
 41 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll        0x77180000        0x00103000        Microsoft Corporation
 42 C:\WINDOWS\system32\comctl32.dll        0x5D170000        0x0009A000        Microsoft Corporation
 43 C:\Program Files\360\360safe\safemon\SafeWrapper32.dll        0x70000000        0x00005000        360.cn
 44 C:\Program Files\360\360safe\safemon\safemon.dll        0x70200000        0x0024C000        360.cn
 45 C:\Program Files\360\360safe\safemon\Safehmpg.dll        0x00BC0000        0x0009B000
 46 C:\Program Files\360\360safe\360verify.dll        0x00D70000        0x0001C000
 47 C:\WINDOWS\System32\mswsock.dll        0x719C0000        0x0003E000        Microsoft Corporation
 48 C:\WINDOWS\system32\DNSAPI.dll        0x76EF0000        0x00027000        Microsoft Corporation
 49 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll        0x01250000        0x00040000        Tencent
 50 C:\WINDOWS\system32\CLBCATQ.DLL        0x76FA0000        0x0007F000        Microsoft Corporation
 51 C:\WINDOWS\system32\COMRes.dll        0x77020000        0x0009A000        Microsoft Corporation
 52 C:\WINDOWS\System32\winrnr.dll        0x76F80000        0x00008000        Microsoft Corporation
 53 C:\WINDOWS\system32\MPRAPI.dll        0x76D10000        0x00018000        Microsoft Corporation
 54 C:\WINDOWS\system32\ACTIVEDS.dll        0x77C90000        0x00032000        Microsoft Corporation
 55 C:\WINDOWS\system32\adsldpc.dll        0x76DE0000        0x00025000        Microsoft Corporation
 56 C:\WINDOWS\system32\ATL.DLL        0x76AF0000        0x00011000        Microsoft Corporation
 57 C:\WINDOWS\system32\rtutils.dll        0x76E50000        0x0000E000        Microsoft Corporation
 58 C:\WINDOWS\system32\SAMLIB.dll        0x71B70000        0x00013000        Microsoft Corporation
 59 C:\WINDOWS\system32\SETUPAPI.dll        0x76060000        0x00156000        Microsoft Corporation
 60 C:\WINDOWS\system32\msctfime.ime        0x73640000        0x0002E000        Microsoft Corporation
 61 C:\WINDOWS\system32\rasadhlp.dll        0x76F90000        0x00006000        Microsoft Corporation
 62 C:\WINDOWS\system32\appHelp.dll        0x76D70000        0x00022000        Microsoft Corporation
 63 C:\Program Files\360\360safe\safemon\360UDiskGuard.dll        0x01930000        0x00034000        360.cn
 64 C:\WINDOWS\system32\hnetcfg.dll        0x60FD0000        0x00055000        Microsoft Corporation
 65 C:\WINDOWS\System32\wshtcpip.dll        0x71A00000        0x00008000        Microsoft Corporation
 66 C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMGCShellExt.dll        0x019B0000        0x00071000        Tencent
 67 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll        0x78130000        0x0009B000        Microsoft Corporation
 68 C:\WINDOWS\System32\cscui.dll        0x76590000        0x0004E000        Microsoft Corporation
 69 C:\WINDOWS\System32\CSCDLL.dll        0x76570000        0x0001C000        Microsoft Corporation
 70 C:\WINDOWS\system32\themeui.dll        0x5B680000        0x0006E000        Microsoft Corporation
 71 C:\WINDOWS\system32\MSIMG32.dll        0x762F0000        0x00005000        Microsoft Corporation
 72 C:\WINDOWS\system32\xpsp2res.dll        0x01AF0000        0x00549000        Microsoft Corporation
 73 C:\WINDOWS\system32\ACTXPRXY.DLL        0x71CC0000        0x0001B000        Microsoft Corporation
 74 C:\WINDOWS\system32\msutb.dll        0x5FE40000        0x00031000        Microsoft Corporation
 75 C:\WINDOWS\system32\MSCTF.dll        0x74680000        0x0004C000        Microsoft Corporation
 76 C:\WINDOWS\system32\msi.dll        0x7C9C0000        0x002BC000        Microsoft Corporation
 77 C:\WINDOWS\system32\LINKINFO.dll        0x76950000        0x00008000        Microsoft Corporation
 78 C:\WINDOWS\system32\ntshrui.dll        0x76960000        0x00024000        Microsoft Corporation
 79 C:\WINDOWS\system32\urlmon.dll        0x7EAE0000        0x000A1000        Microsoft Corporation
 80 C:\WINDOWS\system32\NETSHELL.dll        0x7DE40000        0x00199000        Microsoft Corporation
 81 C:\WINDOWS\system32\credui.dll        0x76BD0000        0x0002D000        Microsoft Corporation
 82 C:\WINDOWS\system32\dot3api.dll        0x42E00000        0x0000A000        Microsoft Corporation
 83 C:\WINDOWS\system32\dot3dlg.dll        0x4A5C0000        0x00006000        Microsoft Corporation
 84 C:\WINDOWS\system32\OneX.DLL        0x5A990000        0x00028000        Microsoft Corporation
 85 C:\WINDOWS\system32\WTSAPI32.dll        0x76F20000        0x00008000        Microsoft Corporation
 86 C:\WINDOWS\system32\WINSTA.dll        0x762D0000        0x00010000        Microsoft Corporation
 87 C:\WINDOWS\system32\eappcfg.dll        0x4A820000        0x00022000        Microsoft Corporation
 88 C:\WINDOWS\system32\MSVCP60.dll        0x75FF0000        0x00065000        Microsoft Corporation
 89 C:\WINDOWS\system32\eappprxy.dll        0x582E0000        0x0000E000        Microsoft Corporation
 90 C:\WINDOWS\system32\webcheck.dll        0x74A90000        0x00044000        Microsoft Corporation
 91 C:\WINDOWS\system32\WSOCK32.dll        0x71A40000        0x0000B000        Microsoft Corporation
 92 C:\WINDOWS\system32\stobject.dll        0x74A60000        0x00020000        Microsoft Corporation
 93 C:\WINDOWS\system32\BatMeter.dll        0x74A50000        0x0000A000        Microsoft Corporation
 94 C:\WINDOWS\system32\POWRPROF.dll        0x74A30000        0x00008000        Microsoft Corporation
 95 C:\WINDOWS\system32\wdmaud.drv        0x72C90000        0x00009000        Microsoft Corporation
 96 C:\WINDOWS\system32\msacm32.drv        0x72C80000        0x00008000        Microsoft Corporation
 97 C:\WINDOWS\system32\midimap.dll        0x77BA0000        0x00007000        Microsoft Corporation
C:\WINDOWS\system32\rsaenh.dll        0x68000000        0x00036000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll        0x03310000        0x00071000        Tencent
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMIpc.dll        0x01540000        0x0002A000        Tencent
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCP80.dll        0x7C420000        0x00087000        Microsoft Corporation
C:\WINDOWS\system32\MPR.dll        0x71A90000        0x00012000        Microsoft Corporation
C:\WINDOWS\System32\vmhgfs.dll        0x017B0000        0x0000F000        VMware, Inc.
C:\WINDOWS\System32\drprov.dll        0x75ED0000        0x00007000        Microsoft Corporation
C:\WINDOWS\System32\ntlanman.dll        0x71B90000        0x0000E000        Microsoft Corporation
C:\WINDOWS\System32\NETUI0.dll        0x71C50000        0x00015000        Microsoft Corporation
C:\WINDOWS\System32\NETUI1.dll        0x71C10000        0x00040000        Microsoft Corporation
C:\WINDOWS\System32\NETRAP.dll        0x71C00000        0x00007000        Microsoft Corporation
C:\WINDOWS\System32\davclnt.dll        0x75EE0000        0x0000A000        Microsoft Corporation
C:\Program Files\Tencent\QQ\ShellExt\QQShellExt.dll        0x595A0000        0x00017000        Tencent
C:\WINDOWS\system32\ATL100.DLL        0x78A60000        0x00026000        Microsoft Corporation
C:\WINDOWS\system32\MSVCR100.dll        0x78AA0000        0x000BF000        Microsoft Corporation
C:\WINDOWS\system32\MSVCP100.dll        0x78050000        0x00069000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\plugins\FileSmash\QMSoftExt.dll        0x037A0000        0x00054000        Tencent
C:\WINDOWS\system32\comdlg32.dll        0x76320000        0x00047000        Microsoft Corporation
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMContextUninstall.dll        0x01880000        0x0000F000        Tencent
C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\QMContextScan.dll        0x02040000        0x00013000        Tencent
C:\Program Files\baidu\BaiduYunGuanjia\YunShellExt.dll        0x02100000        0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.23084_x-ww_f3f35550\gdiplus.dll        0x4AE90000        0x001AB000        Microsoft Corporation
C:\Program Files\WinRAR\rarext.dll        0x03840000        0x00062000        WinRAR 压缩管理软件中文版
C:\Program Files\360\360safe\SoftMgr\SoftMgrExt.dll        0x039B0000        0x00040000        360.cn
C:\Program Files\360\360safe\Utils\shell360ext.dll        0x03A10000        0x00048000        360.cn
C:\Program Files\Notepad++\NppShell_06.dll        0x01340000        0x00044000
C:\Program Files\7-Zip\7-zip.dll        0x013B0000        0x00011000        Igor Pavlov
C:\WINDOWS\system32\SXS.DLL        0x75E00000        0x000AE000        Microsoft Corporation

PAE is enabled

PROCESS 8192fbf8  SessionId: 0  Cid: 01fc    Peb: 7ffde000  ParentCid: 07c4
    DirBase: 02b80280  ObjectTable: e1d1a0e8  HandleCount: 472.
    Image: explorer.exe

.process /i 8192fbf8

kd> r cr3
cr3=02b80280

kd> !dd 02b80280
# 2b80280 1cc85801 00000000 1cd06801 00000000
# 2b80290 1cd87801 00000000 1cc84801 00000000
# 2b802a0 1d7bb801 00000000 1d87c801 00000000
# 2b802b0 1d8fd801 00000000 1d87a801 00000000
# 2b802c0 1d692801 00000000 1d793801 00000000
# 2b802d0 1d554801 00000000 1d751801 00000000
# 2b802e0 1dcce801 00000000 1dc4f801 00000000
# 2b802f0 1db50801 00000000 1db4d801 00000000

0x7C920000

2    9    9    12
1    0x1E4    0x120    0

kd> !dq 0x1cd06000+0x1E4*8
#1cd06f20 00000000`1cdf4867 00000000`19226867
#1cd06f30 00000000`14b87867 00000000`00000000
#1cd06f40 00000000`00000000 00000000`00000000
#1cd06f50 00000000`1ccdb867 00000000`1cddc867
#1cd06f60 00000000`1510a867 00000000`0d8c6867
#1cd06f70 00000000`00046867 00000000`1e90c867
#1cd06f80 00000000`00000000 00000000`00000000
#1cd06f90 00000000`1cdae867 00000000`1ceaf867


kd> !dq 0x1cdf4000+0x120*8
#1cdf4900 80000000`09dcc025 00000000`055e4025
#1cdf4910 00000000`055e5025 00000000`055e6025
#1cdf4920 00000000`055e7025 00000000`055e8025
#1cdf4930 00000000`055e9025 00000000`055ea025
#1cdf4940 00000000`055eb025 00000000`055ec025
#1cdf4950 00000000`055ed025 00000000`055ee025
#1cdf4960 00000000`055ef025 00000000`1d3d1025
#1cdf4970 00000000`1d84e025 00000000`055f2025


kd> !db 0x09dcc000
# 9dcc000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
# 9dcc010 b8 00 00 00 00 00 00 00-40 00 00 00 44 65 74 6f ........@...Deto
# 9dcc020 75 72 73 21 00 00 00 00-00 00 00 00 00 00 00 00 urs!............
# 9dcc030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
# 9dcc040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
# 9dcc050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
# 9dcc060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 
# 9dcc070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......



kd> db 7C920000
7c920000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
7c920010  b8 00 00 00 00 00 00 00-40 00 00 00 44 65 74 6f  ........@...Deto
7c920020  75 72 73 21 00 00 00 00-00 00 00 00 00 00 00 00  urs!............
7c920030  00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00  ................
7c920040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
7c920050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
7c920060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
7c920070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......



Now look at this location, an address that has already been hooked:
0x7C94188B
The base address is the same in every process (it is the same module),
so for each process it is enough to look at the physical address this virtual address maps to,
and the data stored there.

.process /i 8192fbf8

kd> r cr3
cr3=02b80280

kd> !dd 02b80280
# 2b80280 1cc85801 00000000 1cd06801 00000000
# 2b80290 1cd87801 00000000 1cc84801 00000000
# 2b802a0 1d7bb801 00000000 1d87c801 00000000
# 2b802b0 1d8fd801 00000000 1d87a801 00000000
# 2b802c0 1d692801 00000000 1d793801 00000000
# 2b802d0 1d554801 00000000 1d751801 00000000
# 2b802e0 1dcce801 00000000 1dc4f801 00000000
# 2b802f0 1db50801 00000000 1db4d801 00000000

0x7C94188B

2    9    9    12
1    0x1E4    0x141    0x88B

kd> !dq 0x1cd06000+0x1E4*8
#1cd06f20 00000000`1cdf4867 00000000`19226867
#1cd06f30 00000000`14b87867 00000000`00000000
#1cd06f40 00000000`00000000 00000000`00000000
#1cd06f50 00000000`1ccdb867 00000000`1cddc867
#1cd06f60 00000000`1510a867 00000000`0d8c6867
#1cd06f70 00000000`00046867 00000000`1e90c867
#1cd06f80 00000000`00000000 00000000`00000000
#1cd06f90 00000000`1cdae867 00000000`1ceaf867

kd> !dq 0x1cdf4000+0x141*8
#1cdf4a08 00000000`1d6e0025 00000000`05705025
#1cdf4a18 00000000`05706025 00000000`056c7025
#1cdf4a28 00000000`056c8025 00000000`056c9025
#1cdf4a38 00000000`056ca025 00000000`056cb025
#1cdf4a48 00000000`056cc025 00000000`0568d025
#1cdf4a58 00000000`0568e025 00000000`0568f025
#1cdf4a68 00000000`05650025 00000000`05651025
#1cdf4a78 00000000`05652025 00000000`05653025

kd> !db 1d6e088B
#1d6e088b e9 6e 6a 91 84 cc cc e8-34 d0 fe ff 64 a1 18 00 .nj.....4...d...
#1d6e089b 00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89 ...p0.u..e...3..
#1d6e08ab 5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3 ]..]..]..]..E.;.
#1d6e08bb 0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39 ......3.f...M.f9
#1d6e08cb 48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04 H.......f;.t.9X.
#1d6e08db 0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01 .......M.;.t.f..
#1d6e08eb 66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39 f9A.......f;.t.9
#1d6e08fb 59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66 Y........M.;.t.f

kd> db 0x7C94188B
7c94188b  e9 6e 6a 91 84 cc cc e8-34 d0 fe ff 64 a1 18 00  .nj.....4...d...
7c94189b  00 00 8b 70 30 89 75 c4-e8 65 eb fe ff 33 db 89  ...p0.u..e...3..
7c9418ab  5d dc 89 5d e4 89 5d d4-89 5d fc 8b 45 0c 3b c3  ]..]..]..]..E.;.
7c9418bb  0f 84 18 d0 02 00 33 c9-66 8b 08 89 4d c8 66 39  ......3.f...M.f9
7c9418cb  48 02 0f 82 06 d0 02 00-66 3b cb 74 09 39 58 04  H.......f;.t.9X.
7c9418db  0f 84 f8 cf 02 00 8b 4d-10 3b cb 74 1b 66 8b 01  .......M.;.t.f..
7c9418eb  66 39 41 02 0f 82 e4 cf-02 00 66 3b c3 74 09 39  f9A.......f;.t.9
7c9418fb  59 04 0f 84 d6 cf 02 00-8b 4d 14 3b cb 74 1b 66  Y........M.;.t.f
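The two walks above (for 0x7C920000 and for 0x7C94188B) follow the same steps, so one added example serves both. It is written for this edit and is not code from the original post: a PAE page-table walk in Python over the entry values copied from the WinDbg dump (cr3 0x02b80280, PDPTE[1] 0x1cd06801, PDE[0x1E4] 0x1cdf4867, and the two PTEs 80000000`09dcc025 and 1d6e0025, with `!dd`'s low/high dword pairs joined). The `PHYS` lookup table that stands in for `!dq`, the function names and the flag decoding are this example's own assumptions.

```python
"""Added example (not the original post's code): PAE address translation over
the page-table entries shown in the explorer.exe dump above. Entry values are
copied from that dump; the PHYS table and helper names are constructed here."""

# Physical-address field of a 64-bit PAE entry: bits 12..51 (4 KiB pages).
PFN_MASK = 0x000FFFFFFFFFF000
BIT_P, BIT_RW, BIT_US, BIT_A, BIT_D = 1 << 0, 1 << 1, 1 << 2, 1 << 5, 1 << 6
BIT_PS = 1 << 7      # page-size bit in a PDE (2 MiB page)
BIT_NX = 1 << 63     # execute-disable, the top bit of a PAE entry

# Constructed "physical memory": only the four entries the dump reveals, keyed by physical address.
PHYS = {
    0x02b80280 + 1 * 8:      0x1cd06801,          # PDPTE[1]   -> page directory at 0x1cd06000
    0x1cd06000 + 0x1E4 * 8:  0x1cdf4867,          # PDE[0x1E4]  -> page table at 0x1cdf4000
    0x1cdf4000 + 0x120 * 8:  0x8000000009dcc025,  # PTE[0x120]  -> 0x09dcc000 (ntdll header page)
    0x1cdf4000 + 0x141 * 8:  0x1d6e0025,          # PTE[0x141]  -> 0x1d6e0000 (page holding 0x7C94188B)
}


def read_entry(pa: int) -> int:
    """Stand-in for `!dq <pa>`: the 64-bit entry stored at a physical address."""
    return PHYS[pa]


def split_pae(va: int):
    """PAE splits a 32-bit VA as 2 | 9 | 9 | 12 bits: PDPT index, PD index, PT index, page offset."""
    return (va >> 30) & 0x3, (va >> 21) & 0x1FF, (va >> 12) & 0x1FF, va & 0xFFF


def flags(entry: int) -> dict:
    """Hardware permission/status bits of a PTE."""
    return {
        "present": bool(entry & BIT_P), "writable": bool(entry & BIT_RW),
        "user": bool(entry & BIT_US), "accessed": bool(entry & BIT_A),
        "dirty": bool(entry & BIT_D), "nx": bool(entry & BIT_NX),
    }


def walk(cr3: int, va: int) -> dict:
    """Translate va in the address space rooted at cr3, as the CPU does for 4 KiB pages."""
    pdpt_i, pd_i, pt_i, offset = split_pae(va)
    pdpte = read_entry((cr3 & ~0x1F) + pdpt_i * 8)      # PDPT: four 8-byte entries, 32-byte aligned
    if not pdpte & BIT_P:
        raise LookupError("PDPTE not present")
    pde = read_entry((pdpte & PFN_MASK) + pd_i * 8)
    if not pde & BIT_P:
        raise LookupError("PDE not present")
    if pde & BIT_PS:
        raise NotImplementedError("2 MiB page; none appear in the dump above")
    pte = read_entry((pde & PFN_MASK) + pt_i * 8)
    if not pte & BIT_P:
        raise LookupError("PTE not present")
    page = pte & PFN_MASK
    return {"indices": (pdpt_i, pd_i, pt_i, offset), "pte": pte,
            "pfn": page >> 12, "pa": page + offset, **flags(pte)}


def same_physical_page(r_a: dict, r_b: dict) -> bool:
    """Two translations share a page iff their PFNs match. For the same VA in two
    processes, a differing PFN is what a private (copy-on-write) copy looks like."""
    return r_a["pfn"] == r_b["pfn"]


if __name__ == "__main__":
    for va in (0x7C920000, 0x7C94188B):
        r = walk(0x02b80280, va)
        print(f"{va:#010x} -> pa {r['pa']:#011x}  pfn {r['pfn']:#x}  "
              f"W={r['writable']} NX={r['nx']}")
```

Decoding the low bits is the part the raw dump hides: 0x025 is present + user + accessed with no write bit, so both pages are mapped read-only here, and the ntdll header page also carries NX (bit 63 of 80000000`09dcc025). Running the same walk with the CR3 of the other processes from the earlier dumps and comparing the PFN with `same_physical_page` is the comparison the post makes by eye.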
All hook points, kept for reference

[PC Hunter Standard][explorer.exe-->Ring3 Hook]: 115
挂钩对象        挂钩位置        钩子类型        挂钩处当前值        挂钩处原始值
Explorer.EXE->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
len(10) ntdll.dll->KiUserCallbackDispatcher        0x7C92E460->0x70288AC0[C:\Program Files\360\360safe\safemon\safemon.dll]        inline        E9 5B A6 95 F3 CC CC CC CC CC        83 C4 04 5A 64 A1 18 00 00 00
[*]len(5) ntdll.dll->LdrLoadDll        0x7C93632D->0x00BD8CF0[C:\Program Files\360\360safe\safemon\Safehmpg.dll]        inline        E9 BE 29 2A 84        68 6C 02 00 00
[*]len(5) ntdll.dll->NtOpenKey        0x7C92D5CE->0x0125D890[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 BD 02 93 84        B8 77 00 00 00
[*]len(5) ntdll.dll->NtQueryValueKey        0x7C92D96E->0x0125D1C7[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 54 F8 92 84        B8 B1 00 00 00
[*]len(7) ntdll.dll->RtlCreateProcessParameters        0x7C94188B->0x012582FE[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 6E 6A 91 84 CC CC        6A 2C 68 10 1C 94 7C
[*]len(5) ntdll.dll->ZwOpenKey        0x7C92D5CE->0x0125D890[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 BD 02 93 84        B8 77 00 00 00
[*]len(5) ntdll.dll->ZwQueryValueKey        0x7C92D96E->0x0125D1C7[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 54 F8 92 84        B8 B1 00 00 00
[*]len(5) kernel32.dll->CreateProcessW        0x7C802336->0x00BD8520[C:\Program Files\360\360safe\safemon\Safehmpg.dll]        inline        E9 E5 61 3D 84        8B FF 55 8B EC
[*]len(5) kernel32.dll->ExitProcess        0x7C81CB12->0x033137DE[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll]        inline        E9 C7 6C AF 86        8B FF 55 8B EC
[*]exnscan.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]CRYPT32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
ADVAPI32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
RPCRT4.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
Secur32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]MSASN1.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
msvcrt.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]USER32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]len(5) USER32.dll->ShowWindow        0x77D2AF56->0x03318082[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\TSInjectFrm-11-7-17805-233.dll]        inline        E9 27 D1 5E 8B        B8 2B 12 00 00
[*]GDI32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]WS2_32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
WS2HELP.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
SHELL32.dll->KERNEL32.dll:CreateProcessW        0x7C802336->0x012581B2[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        Iat        B2 81 25 01        36 23 80 7C
[*]SHELL32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
len(5) SHELL32.dll->[Ordinal:175]        0x7D5BB218->0x01258073[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 56 CE C9 83        8B FF 55 8B EC
len(5) SHELL32.dll->SHGetSpecialFolderPathW        0x7D5BB218->0x01258073[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 56 CE C9 83        8B FF 55 8B EC
[*]len(5) SHELL32.dll->ShellExecuteExW        0x7D5D995B->0x01258119[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 B9 E7 C7 83        8B FF 55 8B EC
len(4) SHELL32.dll        0x7D5985D8->_        inline        B7 7E 25 01        AF 7A 5F 7D
len(8) SHELL32.dll        0x7D59FA58->_        inline        E0 A4 BD 00 10 A3 BD 00        65 7D 5E 7D 25 5E 5E 7D
SHLWAPI.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
ole32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
VERSION.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
PSAPI.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]NETAPI32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
iphlpapi.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]BROWSEUI.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]OLEAUT32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]SHDOCVW.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
CRYPTUI.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
WININET.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
WINTRUST.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]IMAGEHLP.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
WLDAP32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]UxTheme.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
WINMM.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
MSACM32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
USERENV.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
IMM32.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]USP10.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
comctl32.dll[WinSxs]->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
comctl32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
safemon.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]Safehmpg.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
len(29) Safehmpg.dll->SafehmpgHelper        0x00BEDF60->_        inline        90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 60 9C 68 7D DF BE 00 68 60 DE BE 00 C3        60 9C 50 90 58 74 06 90 75 03 90 66 B8 74 03 75 01 E8 8B 44 24 04 8B 5D 0C 8B C9 90 90
360verify.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
mswsock.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
DNSAPI.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]qmiesafedll.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
CLBCATQ.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
MPRAPI.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]ACTIVEDS.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]adsldpc.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]ATL.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]SETUPAPI.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]msctfime.ime->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]rasadhlp.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
appHelp.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
360UDiskGuard.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]hnetcfg.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
QMGCShellExt.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]MSVCR80.dll[WinSxs]->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
cscui.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
CSCDLL.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
themeui.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
ACTXPRXY.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]msutb.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
MSCTF.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
msi.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]LINKINFO.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
ntshrui.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]urlmon.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
NETSHELL.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
credui.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]WTSAPI32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]eappcfg.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]webcheck.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
stobject.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]BatMeter.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
wdmaud.drv->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]rsaenh.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]TSInjectFrm-11-7-17805-233.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
QMIpc.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
MPR.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
vmhgfs.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
ntlanman.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]NETUI0.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
davclnt.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
QQShellExt.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
ATL100.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
MSVCR100.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]QMSoftExt.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
comdlg32.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]QMContextUninstall.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
QMContextScan.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]YunShellExt.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
gdiplus.dll[WinSxs]->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
rarext.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]SoftMgrExt.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
shell360ext.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
NppShell_06.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
7-zip.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
SXS.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
WZCSAPI.DLL->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
wzcdlg.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
[*]WINHTTP.dll->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C
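A list like this is most useful when each record is cross-checked rather than taken at face value. The added example below is not code from the original post or from PC Hunter: it parses four records copied from the list and decodes the bytes now at each hook site. For an inline hook the `E9` rel32 must land on the reported target (site + 5 + rel32, wrapped to 32 bits); for an IAT hook the four current bytes are the little-endian pointer; a record whose target the tool left as `_` has nothing to compare against. The column splitting, field names and function names are this example's own assumptions.

```python
"""Added example (not the original post's code): parse PC Hunter-style hook
records and check that the patch bytes really transfer control to the target
the tool reported. The four records are copied from the hook list above; the
parser and check logic are constructed here."""
import re
import struct

HOOK_LINES = [
    r"[*]len(7) ntdll.dll->RtlCreateProcessParameters        0x7C94188B->0x012582FE[C:\Program Files\Tencent\QQPCMgr\11.7.62358.201\qmiesafedll.dll]        inline        E9 6E 6A 91 84 CC CC        6A 2C 68 10 1C 94 7C",
    r"len(10) ntdll.dll->KiUserCallbackDispatcher        0x7C92E460->0x70288AC0[C:\Program Files\360\360safe\safemon\safemon.dll]        inline        E9 5B A6 95 F3 CC CC CC CC CC        83 C4 04 5A 64 A1 18 00 00 00",
    r"Explorer.EXE->KERNEL32.dll:GetProcAddress        0x7C80AE40->0x5CC37774[C:\WINDOWS\system32\ShimEng.dll]        Iat        74 77 C3 5C        40 AE 80 7C",
    r"len(4) SHELL32.dll        0x7D5985D8->_        inline        B7 7E 25 01        AF 7A 5F 7D",
]

FIELD_SEP = re.compile(r"\s{2,}")  # columns are separated by runs of spaces
NAME_RE = re.compile(r"^(?:\[\*\])?(?:len\((?P<n>\d+)\)\s+)?(?P<name>.+)$")
ADDR_RE = re.compile(r"^0x(?P<at>[0-9A-Fa-f]+)->(?:0x(?P<to>[0-9A-Fa-f]+)\[(?P<mod>[^\]]*)\]|_)$")


def parse_hook(line: str) -> dict:
    """Split one record into its five columns and decode the addresses and byte strings."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) != 5:
        raise ValueError(f"expected 5 columns, got {len(fields)}: {line!r}")
    name_f, addr_f, kind, cur_f, orig_f = fields
    m, a = NAME_RE.match(name_f), ADDR_RE.match(addr_f)
    if not (m and a):
        raise ValueError(f"unparsable record: {line!r}")
    return {
        "name": m.group("name"),
        "len": int(m.group("n")) if m.group("n") else None,
        "at": int(a.group("at"), 16),
        "to": int(a.group("to"), 16) if a.group("to") else None,  # None when the tool printed "_"
        "module": a.group("mod"),
        "kind": kind.lower(),
        "current": bytes.fromhex(cur_f.replace(" ", "")),
        "original": bytes.fromhex(orig_f.replace(" ", "")),
    }


def decoded_target(rec: dict):
    """Where the patched bytes actually go: site + 5 + rel32 for an E9 jmp (inline),
    the little-endian pointer for an IAT entry; None when the bytes are not a known form."""
    cur = rec["current"]
    if rec["kind"] == "inline":
        if len(cur) < 5 or cur[0] != 0xE9:
            return None
        rel32 = struct.unpack_from("<i", cur, 1)[0]
        return (rec["at"] + 5 + rel32) & 0xFFFFFFFF
    if rec["kind"] == "iat":
        return struct.unpack_from("<I", cur, 0)[0]
    return None


def is_consistent(rec: dict):
    """True/False when the decoded destination can be compared with the reported target,
    None when the tool reported no target."""
    if rec["to"] is None:
        return None
    return decoded_target(rec) == rec["to"]


def audit(lines):
    """Parse every record and return (name, bytes_changed, target_consistent) triples."""
    out = []
    for line in lines:
        rec = parse_hook(line)
        out.append((rec["name"], rec["current"] != rec["original"], is_consistent(rec)))
    return out


if __name__ == "__main__":
    for name, changed, ok in audit(HOOK_LINES):
        print(f"{name:45s} changed={changed} target_consistent={ok}")
```

The rel32 arithmetic is what ties the `!db` dump of 0x7C94188B to the hook list: the bytes `e9 6e 6a 91 84` seen in memory decode to 0x7C941890 + 0x84916A6E (mod 2^32) = 0x012582FE, the qmiesafedll.dll address the tool reports.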

In fact, these three dumps can be compared against each other. In the first two (alg and imapi) it is clear that the page tables have not changed: they are identical.

But by the third dump, explorer, the page table has already changed.

So my feeling is that this situation is achieved precisely because copy-on-write, or a related technique, is in use.

(Actually I cannot be certain that it is exactly this, that it must be copy-on-write, because there are many ways to achieve the observed effect; but copy-on-write is the most mature of them, and it should also be the method Windows memory management uses.)