;进程创建过程开始 CreateProcessA
call kernel32!CreateProcessA ;10个参数
; BOOL WINAPI CreateProcess(
; __in_opt LPCTSTR lpApplicationName,
; __inout_opt LPTSTR lpCommandLine,
; __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
; __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
; __in BOOL bInheritHandles,
; __in DWORD dwCreationFlags, NORMAL_PRIORITY_CLASS
; __in_opt LPVOID lpEnvironment,
; __in_opt LPCTSTR lpCurrentDirectory,
; __in LPSTARTUPINFO lpStartupInfo,
; __out LPPROCESS_INFORMATION lpProcessInformation
; );
; 直接调用kernel32!CreateProcessInternalA
call kernel32!CreateProcessInternalA
; 12个参数,第一个与最后一个为零,中间10个沿用了上面传入的10个参数
; 主要任务是将ANSI字符转换成Unicode字符,很多代码用于转换与检查,所以,直接用Unicode编程将大大增加执行效率
call kernel32!CreateProcessInternalW
; 12个参数
; 基本延续上面的
; 第6个参数 and 0F7FFFFFFh
以下为kernel32!CreateProcessInternalW中的流程:
call ntdll!ZwQueryInformationJobObject
; ZwQueryInformationJobObject retrieves information about a job object.
; NTSYSAPI
; NTSTATUS
; NTAPI
; ZwQueryInformationJobObject(
; IN HANDLE JobHandle, == 0
; IN JOBOBJECTINFOCLASS JobInformationClass, == 4
; OUT PVOID JobInformation, == Address
; IN ULONG JobInformationLength, == 4
; OUT PULONG ReturnLength OPTIONAL == 0
; );
; 判断返回值是否为C0000022h (拒绝访问)
call kernel32!SearchPathW ; 进行路径搜索
call kernel32!GetFileAttributesW ; 获取文件属性
call kernel32!BasepIsSetupInvokedByWinLogon ; 判断是否WinLogon进程
call ntdll!RtlDosPathNameToNtPathName_U
call ntdll!RtlDetermineDosPathNameType_U ; 路径转换
call ntdll!NtOpenFile ; 打开文件
call ntdll!NtCreateSection
; NtCreateSection(
; OUT PHANDLE SectionHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
; IN PLARGE_INTEGER MaximumSize OPTIONAL,
; IN ULONG Protect,
; IN ULONG Attributes,
; IN HANDLE FileHandle OPTIONAL
; );
; 创建Section CreateFileMapping是对NtCreateSection的封装,所以在这一步,程序被映射进了内存
call kernel32!BasepIsProcessAllowed
; 就一个参数为Unicode进程名字
; 其内部调用了RtlEnterCriticalSection进入临界区
; 再调用NtOpenKey打开:
; "/Registry/MACHINE/System/CurrentControlSet/Control/Session Manager/AppCertDlls"
; (从防御角度看,该键在每次创建进程时都会被读取,对其改动应加以监控)
; 解释:
; AppCertDlls details.
; Create in the "//Registry//MACHINE//System//CurrentControlSet//Control//Session Manager//AppCertDlls"
;
; The Key with name "AppSecDll", type REG_EXPAND_SZ, and put there something like "%SystemRoot%/system32/ .Dll" ... In fact, there may be many of them, so keep this in mind.
;
; This DLL of yours must have a mandatory entry point named CreateProcessNotify, with the prototype specified below.
; 结束
; 最后调用RtlLeaveCriticalSection
call kernel32!BasepCheckBadapp ; 对进程进行兼容性检查
; 1. IsShimInfrastructureDisabled
; 2. RtlAllocateHeap NTDLL
; 3. __imp__memmove
; 4. BaseCheckAppcompatCache KERNEL32
; 1. __SEH_prolog
; 2. BasepShimCacheCheckBypass KERNEL32
; 3. BasepShimCacheLock KERNEL32
; 4. BasepShimCacheLookup KERNEL32
; 5. BasepShimCacheUnlock KERNEL32
; 6. __SEH_epilog
; 5. RtlFreeHeap NTDLL
; 其中会加载:
; call kernel32!LdrLoadDll C:/WINDOWS/system32/Apphelp.dll
; 调用其中的“ApphelpCheckRunApp”
call kernel32!BasepCheckWinSaferRestrictions
; 1. RtlEnterCriticalSection NTDLL
; 2. NtOpenThreadToken
; NtOpenThreadToken ( IN HANDLE ThreadHandle, == 0FFFFFFFEh(-2 当前线程)
; IN ACCESS_MASK DesiredAccess, == 2000000h
; IN BOOLEAN OpenAsSelf, == 1
; OUT PHANDLE TokenHandle
; )
; 判断返回值是否等于0C000007Ch(试图引用不存在的令牌),否则跳走(跳走后的流程没有跟踪,估计是跳向了NtSetInformationThread)
; 是则继续向下Call
; 3. NtOpenProcessToken
; NtOpenProcessTokenEx ( IN HANDLE ProcessHandle, == -1 当前进程
; IN ACCESS_MASK DesiredAccess, == 0ah
; IN ULONG HandleAttributes,
; OUT PHANDLE TokenHandle
; )
; 判断返回值是否为0C0000022h(拒绝访问),
; 是跳走,否继续
; 4. NtQueryInformationToken
; NtQueryInformationToken ( IN HANDLE TokenHandle, == 上面得到的句柄
; IN TOKEN_INFORMATION_CLASS TokenInformationClass, == 1
; OUT PVOID TokenInformation,
; IN ULONG TokenInformationLength,
; OUT PULONG ReturnLength
; )
; 5. RtlInitializeSid
; RtlInitializeSid( IN PSID Sid,
; IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
; IN UCHAR SubAuthorityCount );
; 6. RtlSubAuthoritySid
; 7. RtlEqualSid
; 8. NtOpenKey "/Registry/MACHINE/System/CurrentControlSet/Control/SafeBoot/Option"
; 打开失败,继续打开下面的:
; "/Registry/Machine/Software/Policies/Microsoft/Windows/Safer/CodeIdentifiers"
; 打开成功:
; Call NtQueryValueKey 取"TransparentEnabled"项的值
; 判断得到的值是否为零,不为零则设某变量为1
; Call NtQueryValueKey 取"AuthenticodeEnabled"项的值
; 判断得到的值是否为零,不为零则跳转,我这里是零
; 9. NtClose
; 10. call kernel32!LdrLoadDll "ADVAPI32.DLL" ; 装入DLL
; 11. call kernel32!LdrGetProcedureAddress ;获取下列API地址
; "SaferIdentifyLevel"
; "SaferComputeTokenFromLevel"
; "SaferCloseLevel"
; "SaferRecordEventLogEntry"
; 12. NtClose
; 13.
call kernel32!__security_check_cookie
call ntdll!ZwQuerySection
; ZwQuerySection ( IN HANDLE SectionHandle, == Section句柄
; IN SECTION_INFORMATION_CLASS SectionInformationClass, == 1
; OUT PVOID SectionInformation,
; IN SIZE_T Length,
; OUT PSIZE_T ResultLength
; )
call kernel32!LdrQueryImageFileExecutionOptions ; 获取调试器信息(IFEO 的 Debugger 值),即映像劫持之处
; LdrQueryImageFileExecutionOptions ( IN PUNICODE_STRING SubKey, == "/??/E:/AAAAA.exe"进程名
; IN PCWSTR ValueName, == "Debugger"
; IN ULONG Type, == 1
; OUT PVOID Buffer,
; IN ULONG BufferSize,
; OUT PULONG ReturnedLength OPTIONAL
; )
call kernel32!BasepIsImageVersionOk
call kernel32!LoadLibraryA "advapi32.dll"
call kernel32!GetProcAddress "CreateProcessAsUserSecure"
call ntdll!ZwQuerySystemInformation
; ZwQuerySystemInformation(
; IN SYSTEM_INFORMATION_CLASS SystemInformationClass, == 47H == "SystemCreateSession"
; INOUT PVOID SystemInformation,
; IN ULONG SystemInformationLength,
; OUT PULONG ReturnLength OPTIONAL
; );
call kernel32!FreeLibrary "advapi32.dll"
call kernel32!BaseFormatObjectAttributes
call ntdll!ZwCreateProcessEx
mov eax,30h
call ntdll!KiFastSystemCall
call ntdll!ZwSetInformationProcess
; NtSetInformationProcess ( IN HANDLE ProcessHandle, == ZwCreateProcessEx时得到的进程句柄
; IN PROCESSINFOCLASS ProcessInformationClass, == 12h == ProcessDefaultHardErrorMode
; IN PVOID ProcessInformation, == 2 == SEM_NOGPFAULTERRORBOX
; IN ULONG ProcessInformationLength == 2
; )
call kernel32!BasepSxsCreateProcessCsrMessage
; 1. BasepSxsGetProcessImageBaseAddress KERNEL32
; 2. RtlMultiAppendUnicodeStringBuffer NTDLL
; 3. BasepSxsCreateStreams KERNEL32
; 4. BasepSxsIsStatusFileNotFoundEtc
; 5. BasepSxsIsStatusResourceNotFound
call ntdll!NtQueryInformationProcess
; ZwQueryInformationProcess(
; IN HANDLE ProcessHandle, == 进程句柄
; IN PROCESSINFOCLASS ProcessInformationClass, == 0 == ProcessBasicInformation
; OUT PVOID ProcessInformation,
; IN ULONG ProcessInformationLength,
; OUT PULONG ReturnLength OPTIONAL
; );
call kernel32!BasePushProcessParameters
; 1. __SEH_prolog
; 2. GetFullPathNameW KERNEL32
; 3. BaseComputeProcessDllPath KERNEL32
; 4. RtlInitUnicodeString
; 5. RtlCreateProcessParameters NTDLL
; 6. NtAllocateVirtualMemory
; 7. NtWriteVirtualMemory
; 8. __security_check_cookie
; 9. __SEH_epilog
call kernel32!BaseCreateStack
; 1. RtlImageNtHeader NTDLL
; 2. NtAllocateVirtualMemory
; 3. NtProtectVirtualMemory
call kernel32!BaseInitializeContext
; BaseInitializeContext(PCONTEXT Context, // 0x200 bytes
; PPEB Peb,
; PVOID EntryPoint,
; DWORD StackTop,
; int Type // union (Process, Thread, Fiber)
; );
call kernel32!BaseFormatObjectAttributes
call ntdll!ZwCreateThread
mov eax,35h
call ntdll!KiFastSystemCall
call kernel32!GetModuleHandleA "NULL" eax == 0400000h ;程序装入地址
call ntdll!RtlImageNtHeader eax ; 验证NTHeader
; 下面是通知Csrss.exe的几个函数
call ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace
call ntdll!CsrClientCallServer
call ntdll!CsrFreeCaptureBuffer
;--------------
call ntdll!ZwResumeThread ;启动线程,移交控制权并返回
ret
;;进程创建过程结束 CreateProcessA