以下部分全部为转贴,特此声明!
***********************************************************
在Windows 2003中HOOK ZwCreateProcessEx 创建时间:2005-03-09 文章属性:原创 文章提交: suei8423 (suei8423_at_163.com) 作者:ZwelL 工作需要,想控制进程的创建,于是HOOK了ZwCreateProcess,后来发现xp和2003中创建进程的都用NtCreateProcessEx(参见[1])。 但是ZwCreateProcessEx未被ntoskrnl.exe导出,用softice的ntcall命令也没有看到,网上也没有找到相关代码。没办法,跟踪ntoskrnl!ZwCreateProcess >u ntoskrnl!ZwCreateProcessEx _ZwCreateProcess 0008:804e7ae2 bb32000000 mov eax, 00000032 但是ZwCreateProcessEx有9个参数,最后一个未知,4字节,猜成HANDLE型。 原型如下: typedef NTSTATUS (*NTCREATEPROCESSEX)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL, IN HANDLE Unknown ); 最终用硬编码HOOK 成功,代码如下: #include "ntddk.h" #include "stdarg.h" #include "stdio.h" #include "ntiologc.h" #define DWORD unsigned long #define WORD unsigned short #define BOOL unsigned long typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; //Used only in checked build unsigned int NumberOfServices; unsigned char *ParamTableBase; } ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry; extern PServiceDescriptorTableEntry KeServiceDescriptorTable; typedef NTSTATUS (*NTCREATEPROCESSEX)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN HANDLE ParentProcess, IN BOOLEAN InheritObjectTable, IN HANDLE SectionHandle OPTIONAL, IN HANDLE DebugPort OPTIONAL, IN HANDLE ExceptionPort OPTIONAL, IN HANDLE Unknown ); NTCREATEPROCESSEX OldNtCreateProcessEx; // Length of process name (rounded up to next DWORD) #define PROCNAMELEN 20 // Maximum length of NT process name #define NT_PROCNAMELEN 16 ULONG gProcessNameOffset; void GetProcessNameOffset() { PEPROCESS curproc; int i; curproc = PsGetCurrentProcess(); for( i = 0; i < 3*PAGE_SIZE; i++ ) { if( !strncmp( "System", (PCHAR) curproc + i, strlen("System") )) { gProcessNameOffset 
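= i; } } }

/*
 * GetProcessName - copy the image name of the current process into theName.
 *
 * theName must have room for NT_PROCNAMELEN + 1 bytes: NT_PROCNAMELEN
 * characters are copied from the EPROCESS image-name field located by
 * GetProcessNameOffset() and a terminating NUL is written at index
 * NT_PROCNAMELEN (strncpy on its own does not guarantee termination).
 *
 * Returns TRUE on success.  Returns FALSE and leaves theName untouched when
 * gProcessNameOffset is still 0 (GetProcessNameOffset() not run yet, or the
 * "System" signature was not found), so callers must not print theName then.
 */
BOOL GetProcessName( PCHAR theName )
{
    PEPROCESS curproc;
    PCHAR     nameptr;

    if( !gProcessNameOffset ) {
        return FALSE;
    }

    curproc = PsGetCurrentProcess();
    nameptr = (PCHAR) curproc + gProcessNameOffset;
    strncpy( theName, nameptr, NT_PROCNAMELEN );
    theName[NT_PROCNAMELEN] = 0;    /* strncpy may not NUL-terminate */
    return TRUE;
}

/*
 * NewNtCreateProcessEx - replacement SSDT entry for NtCreateProcessEx
 * (slot 0x32 on the Windows 2003 build this article was written against).
 *
 * Logs the name of the calling process, then forwards every argument
 * unchanged to the saved original (OldNtCreateProcessEx), so process
 * creation itself is not altered.  The ninth parameter is of unknown type
 * in this article and is passed through untouched.
 *
 * aProcessName is zero-filled first: GetProcessName() returns FALSE without
 * writing the buffer when the name offset is unknown, and the original
 * ignored that return value and passed uninitialised stack memory to
 * DbgPrint("%s").  An empty name in the log therefore means the lookup
 * failed, not that the process has no name.
 */
NTSTATUS NewNtCreateProcessEx(
    OUT PHANDLE            ProcessHandle,
    IN  ACCESS_MASK        DesiredAccess,
    IN  POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN  HANDLE             ParentProcess,
    IN  BOOLEAN            InheritObjectTable,
    IN  HANDLE             SectionHandle OPTIONAL,
    IN  HANDLE             DebugPort OPTIONAL,
    IN  HANDLE             ExceptionPort OPTIONAL,
    IN  HANDLE             Unknown OPTIONAL)
{
    CHAR aProcessName[PROCNAMELEN] = { 0 };

    (void) GetProcessName( aProcessName );   /* FALSE -> buffer stays "" */
    DbgPrint("rootkit: NewNtCreateProcessEx() from %s\n", aProcessName);

    return OldNtCreateProcessEx(ProcessHandle, DesiredAccess, ObjectAttributes,
                                ParentProcess, InheritObjectTable, SectionHandle,
                                DebugPort, ExceptionPort, Unknown);
}

/*
 * OnStubDispatch - minimal IRP handler installed for every major function.
 * Completes the request successfully with no data transferred.
 *
 * STATUS_SUCCESS is returned directly: once IoCompleteRequest() has run the
 * IRP may already have been freed, so the original's read of
 * Irp->IoStatus.Status after completion touched memory the driver no longer
 * owns.
 */
NTSTATUS OnStubDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    Irp->IoStatus.Status      = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return STATUS_SUCCESS;
}

/*
 * OnUnload - put the saved original NtCreateProcessEx pointer back into
 * SSDT slot 0x32.
 *
 * The SSDT is in read-only pages, so CR0.WP is cleared around the write
 * (x86 only; CR0 is per-CPU and CLI keeps this thread on the CPU whose WP
 * bit was cleared until it is set again).  The `//` comments inside `_asm`
 * must stay one instruction per line: in the forum copy they were run
 * together and each comment swallowed the instruction after it.
 *
 * Caveats, all visible in this code rather than assumed:
 *  - slot 0x32 is hard-coded for the author's Windows 2003 build; the index
 *    changes between OS versions and service packs, which is why the rest of
 *    the article derives it from ntdll instead.
 *  - nothing waits for threads that are still inside NewNtCreateProcessEx
 *    when the driver unloads; only the pointer is swapped back.
 *  - the write goes through the ServiceTableBase pointer instead of the
 *    original's cast-as-lvalue `(NTCREATEPROCESSEX)(...) = ...`, which is a
 *    compiler extension, not C.
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    unsigned int *slot;

    DbgPrint("ROOTKIT: OnUnload called\n");

    slot = ((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32;

    _asm {
        CLI                     // disable interrupts
        MOV EAX, CR0            // move CR0 register into EAX
        AND EAX, NOT 10000H     // clear WP bit
        MOV CR0, EAX            // write register back
    }

    *slot = (unsigned int)OldNtCreateProcessEx;

    _asm {
        MOV EAX, CR0            // move CR0 register into EAX
        OR  EAX, 10000H         // set WP bit
        MOV CR0, EAX            // write register back
        STI                     // enable interrupts
    }
}

/*
 * DriverEntry - driver entry point.  Locates the process-name offset,
 * installs OnStubDispatch for every IRP major function, registers OnUnload,
 * and then (the remainder of the function follows) saves the SSDT entry for
 * NtCreateProcessEx and replaces it with NewNtCreateProcessEx.
 *
 * MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the loop bound is
 * `<=`; the original's `<` left the last slot (index IRP_MJ_MAXIMUM_FUNCTION)
 * at the I/O manager's default handler.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    int i;

    DbgPrint("My Driver Loaded!");
    GetProcessNameOffset();

    // Register a dispatch function for every major function code
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        theDriverObject->MajorFunction[i] = OnStubDispatch;
    }
    theDriverObject->DriverUnload = OnUnload; //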
save old system call locations //OldNtCreateProcessEx=(NTCREATEPROCESSEX)(SYSTEMSERVICE(0x32)); OldNtCreateProcessEx=(NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32)); _asm { CLI //dissable interrupt MOV EAX, CR0 //move CR0 register into EAX AND EAX, NOT 10000H //disable WP bit MOV CR0, EAX //write register back } (NTCREATEPROCESSEX)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0x32))= NewNtCreateProcessEx; _asm { MOV EAX, CR0 //move CR0 register into EAX OR EAX, 10000H //enable WP bit MOV CR0, EAX //write register back STI //enable interrupt } return STATUS_SUCCESS; } 这样很不爽,每次都要这样看索引号,问了SOBEIT,可以通过从NTDLL中这样获取服务索引号: 来自rookkit: #include #include BOOL GetId( char *FuncName, ULONG *FunctionID ) { //get the function's address PBYTE Function = (PBYTE)GetProcAddress( GetModuleHandle( "ntdll.dll" ), FuncName ); /* do some sanity checks, make sure this function has a corresponding kernel level function */ *FunctionID = 0; //func not found... 
if ( Function == NULL ) { return FALSE; } /* 77F5B438 B8 00000000 MOV EAX, _FUNCTION_ID_ 77F5B43D BA 0003FE7F MOV EDX,7FFE0300 77F5B442 FFD2 CALL EDX 77F5B444 C2 1800 RETN XX */ //mov eax if ( *Function != 0xB8 ) { return FALSE; } /* since the address of the function which actually makes the call (SYSCALL) may change, we just check for mov edx */ if ( *(Function + 5) != 0xBA ) { return FALSE; } //call edx /*if ( *(PWORD)(Function + 10) != 0xD2FF ) { return FALSE; } //retn if ( *(Function + 12) != 0xC2 ) { return FALSE; }*/ *FunctionID = *(PDWORD)(Function + 1); return TRUE; } int main(int argc, char* argv[]) { ULONG Id; printf( "function name: NtCreateProcessEx/n" ); GetId( "NtCreateProcessEx", &Id ); printf( "function id: %08X/n", Id ); return 0; } /// 这样也不爽,要从用户态传到驱动层不方便,最后,用这个代码: #include "ntddk.h" #include "stdarg.h" #include "stdio.h" #include "ntiologc.h" #include "ntimage.h" #define DWORD unsigned long #define WORD unsigned short #define BOOL unsigned long #define BYTE unsigned char #define SEC_IMAGE 0x01000000 typedef struct _SECTION_IMAGE_INFORMATION { PVOID EntryPoint; ULONG StackZeroBits; ULONG StackReserved; ULONG StackCommit; ULONG ImageSubsystem; WORD SubsystemVersionLow; WORD SubsystemVersionHigh; ULONG Unknown1; ULONG ImageCharacteristics; ULONG ImageMachineType; ULONG Unknown2[3]; } SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION; DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName) { HANDLE hThread, hSection, hFile, hMod; SECTION_IMAGE_INFORMATION sii; IMAGE_DOS_HEADER* dosheader; IMAGE_OPTIONAL_HEADER* opthdr; IMAGE_EXPORT_DIRECTORY* pExportTable; DWORD* arrayOfFunctionAddresses; DWORD* arrayOfFunctionNames; WORD* arrayOfFunctionOrdinals; DWORD functionOrdinal; DWORD Base, x, functionAddress; char* functionName; STRING ntFunctionName, ntFunctionNameSearch; PVOID BaseAddress = NULL; SIZE_T size=0; OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE}; IO_STATUS_BLOCK iosb; //_asm int 3; 
ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT); oa.ObjectName = 0; ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile); ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE); ZwClose(hFile); hMod = BaseAddress; dosheader = (IMAGE_DOS_HEADER *)hMod; opthdr =(IMAGE_OPTIONAL_HEADER *) ((BYTE*)hMod+dosheader->e_lfanew+24); pExportTable =(IMAGE_EXPORT_DIRECTORY*)((BYTE*) hMod + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress); // now we can get the exported functions, but note we convert from RVA to address arrayOfFunctionAddresses = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfFunctions); arrayOfFunctionNames = (DWORD*)( (BYTE*)hMod + pExportTable->AddressOfNames); arrayOfFunctionOrdinals = (WORD*)( (BYTE*)hMod + pExportTable->AddressOfNameOrdinals); Base = pExportTable->Base; RtlInitString(&ntFunctionNameSearch, lpFunctionName); for(x = 0; x < pExportTable->NumberOfFunctions; x++) { functionName = (char*)( (BYTE*)hMod + arrayOfFunctionNames[x]); RtlInitString(&ntFunctionName, functionName); functionOrdinal = arrayOfFunctionOrdinals[x] + Base - 1; // always need to add base, -1 as array counts from 0 // this is the funny bit. you would expect the function pointer to simply be arrayOfFunctionAddresses[x]... // oh no... thats too simple. it is actually arrayOfFunctionAddresses[functionOrdinal]!! 
functionAddress = (DWORD)( (BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]); if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) == 0) { ZwClose(hSection); return functionAddress; } } ZwClose(hSection); return 0; } NTSTATUS OnStubDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { Irp->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest (Irp, IO_NO_INCREMENT ); return Irp->IoStatus.Status; } VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("ROOTKIT: OnUnload called/n"); } NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { int i; UNICODE_STRING dllName; DWORD functionAddress; int position; DbgPrint("My Driver Loaded!"); theDriverObject->DriverUnload = OnUnload; RtlInitUnicodeString(&dllName, L"//Device//HarddiskVolume1//Windows//System32//ntdll.dll"); functionAddress = GetDllFunctionAddress("ZwCreateProcessEx", &dllName); position = *((WORD*)(functionAddress+1)); DbgPrint("Id:%d/n", position); return STATUS_SUCCESS; }
上面的代码在驱动层把 ntdll.dll 作为 SEC_IMAGE 节映射进来,从导出表中找到函数地址,再取 mov eax, imm32(机器码 B8)后面的立即数作为服务索引号,作用与前一段用户态代码相同,只是内核里没有 LoadLibrary,只能自己映射。照原样使用前有几点要注意,都可以直接从上面的代码看出来:(1) ZwOpenFile / ZwCreateSection / ZwMapViewOfSection 的返回值一个都没有检查,而且路径写死成 \Device\HarddiskVolume1\Windows\System32\ntdll.dll(转贴时 \\ 被替换成了 //,/n 同理应为 \n);系统盘不是 HarddiskVolume1 或者打开失败时 BaseAddress 仍为 NULL,随后解析 DOS/PE 头就会直接蓝屏。(2) 映射出来的视图从未 ZwUnmapViewOfSection,每调用一次就在 System 进程地址空间里泄漏一份 ntdll 视图。(3) 导出表循环以 NumberOfFunctions 为上界却用它去索引 AddressOfNames,两者不相等时会越界读;按 PE 规范 AddressOfNameOrdinals 里已经是 AddressOfFunctions 的下标,代码里再加 Base-1 只是因为 ntdll 的 Base 恰好为 1 才碰巧正确。(4) DriverEntry 既没有像用户态 GetId 那样先确认第一个字节是 0xB8,也没有检查 GetDllFunctionAddress 返回 0 的情况(返回 0 时会去读地址 1),并且只取了立即数的低 16 位 (WORD)。(5) 服务索引号随 Windows 版本和 SP 变化,这正是要动态取值的原因,前面把 0x32 写死只对本文的 2003 环境有效;这整套 x86 SSDT hook 是 2005 年的技术,在 x64 上 KeServiceDescriptorTable 不导出且受 PatchGuard 保护,不能直接照搬。将上面的代码整合起来就比较完善了,大家看着改吧。这里顺便把 2003 中的服务描述表发出来,希望对大家有帮助:
Service table address:0x80567980 Number of services:295=0x127 Index Address Parameters Name ------------------------------------------------------------------------------------------------- 0x0 0x8058ddce 6 NtAcceptConnectPort 0x1 0x80596b7e 8 NtAccessCheck 0x2 0x805976ce b NtAccessCheckAndAuditAlarm 0x3 0x805a8bb7 b NtAccessCheckByType 0x4 0x8059968a 10 NtAccessCheckByTypeAndAuditAlarm 0x5 0x80658705 b NtAccessCheckByTypeResultList 0x6 0x8065a9b2 10 NtAccessCheckByTypeResultListAndAuditAlarm 0x7 0x8065a9f5 11 NtAccessCheckByTypeResultListAndAuditAlarmByHandle 0x8 0x8059dc4f 3 NtAddAtom 0xb 0x806581e2 6 NtAdjustGroupsToken 0xc 0x80597836 6 NtAdjustPrivilegesToken 0xd 0x8065104b 2 NtAlertResumeThread 0xe 0x805971ea 1 NtAlertThread 0xf 0x805996cc 1 NtAllocateLocallyUniqueId 0x10 0x80647eb9 3 NtAllocateUserPhysicalPages 
0x11 0x805a70dc 4 NtAllocateUuids 0x12 0x80583188 6 NtAllocateVirtualMemory 0x13 0x8058faff 2 NtApphelpCacheControl 0x14 0x805e92fb 2 NtAreMappedFilesTheSame 0x15 0x805aae6f 2 NtAssignProcessToJobObject 0x16 0x804ebbcc 3 NtCallbackReturn 0x18 0x805eb49d 2 NtCancelIoFile 0x19 0x804f7445 2 NtCancelTimer 0x1a 0x8058c43a 1 NtClearEvent 0x1b 0x805768ac 1 NtClose 0x1c 0x80596eea 3 NtCloseObjectAuditAlarm 0x1d 0x80626f6f 2 NtCompactKeys 0x1e 0x8065b8ff 3 NtCompareTokens 0x1f 0x8058dc82 1 NtCompleteConnectPort 0x20 0x806271d6 1 NtCompressKey 0x21 0x8058c55a 8 NtConnectPort 0x22 0x804eb14b 2 NtContinue 0x23 0x805b0b1e 4 NtCreateDebugObject 0x24 0x805aabaf 3 NtCreateDirectoryObject 0x25 0x80578522 5 NtCreateEvent 0x26 0x80668009 3 NtCreateEventPair 0x27 0x805790cb b NtCreateFile 0x28 0x8059f5ab 4 NtCreateIoCompletion 0x29 0x805e09eb 3 NtCreateJobObject 0x2a 0x80651805 3 NtCreateJobSet 0x2b 0x80592a39 7 NtCreateKey 0x2c 0x805f225d 8 NtCreateMailslotFile 0x2d 0x805863a1 4 NtCreateMutant 0x2e 0x8058f416 e NtCreateNamedPipeFile 0x2f 0x805c8e1e 4 NtCreatePagingFile 0x30 0x805a32a4 5 NtCreatePort 0x31 0x805bd684 8 NtCreateProcess 0x32 0x8058efe3 9 NtCreateProcessEx 0x33 0x806685b7 9 NtCreateProfile 0x34 0x80573eca 7 NtCreateSection 0x35 0x8059afa9 5 NtCreateSemaphore 0x36 0x805ab548 4 NtCreateSymbolicLinkObject 0x37 0x80588254 8 NtCreateThread 0x38 0x805a2688 4 NtCreateTimer 0x39 0x805a62a4 d NtCreateToken 0x3a 0x805bc212 5 NtCreateWaitablePort 0x3b 0x805b12c1 2 NtDebugActiveProcess 0x3c 0x805b17dc 3 NtDebugContinue 0x3d 0x80574c08 2 NtDelayExecution 0x3e 0x8059ab90 1 NtDeleteAtom 0x41 0x805b7979 1 NtDeleteFile 0x42 0x805eca87 1 NtDeleteKey 0x43 0x8065aa3a 3 NtDeleteObjectAuditAlarm 0x44 0x805a20d4 2 NtDeleteValueKey 0x45 0x80586f5e a NtDeviceIoControlFile 0x46 0x805c9f0b 1 NtDisplayString 0x47 0x8058051e 7 NtDuplicateObject 0x48 0x8059cc7c 6 NtDuplicateToken 0x4b 0x8059a085 6 NtEnumerateKey 0x4c 0x80667a42 3 NtEnumerateSystemEnvironmentValuesEx 0x4d 0x8059d849 6 
NtEnumerateValueKey 0x4e 0x805ac037 2 NtExtendSection 0x4f 0x805e41d5 6 NtFilterToken 0x50 0x8059e01a 3 NtFindAtom 0x51 0x805920a7 2 NtFlushBuffersFile 0x52 0x8058a8b5 3 NtFlushInstructionCache 0x53 0x805e715b 1 NtFlushKey 0x54 0x805a130d 4 NtFlushVirtualMemory 0x55 0x80648b20 0 NtFlushWriteBuffer 0x56 0x8064852a 3 NtFreeUserPhysicalPages 0x57 0x8057b2bf 4 NtFreeVirtualMemory 0x58 0x8057f504 a NtFsControlFile 0x59 0x805e8674 2 NtGetContextThread 0x5a 0x8064de05 2 NtGetDevicePowerState 0x5b 0x805e8ccb 4 NtGetPlugPlayEvent 0x5c 0x80544ec4 7 NtGetWriteWatch 0x5d 0x805f12e2 1 NtImpersonateAnonymousToken 0x5e 0x80597fdf 2 NtImpersonateClientOfPort 0x5f 0x8059b9c8 3 NtImpersonateThread 0x60 0x805b77c8 1 NtInitializeRegistry 0x61 0x8064dc59 4 NtInitiatePowerAction 0x62 0x8058ec31 2 NtIsProcessInJob 0x63 0x8064ddf2 0 NtIsSystemResumeAutomatic 0x64 0x805bc19c 2 NtListenPort 0x65 0x805b9dfe 1 NtLoadDriver 0x66 0x805b2d8f 2 NtLoadKey 0x67 0x8062758c 3 NtLoadKey2 0x68 0x805b4a6c 4 NtLoadKeyEx 0x69 0x805a2342 a NtLockFile 0x6a 0x805e4eaa 2 NtLockProductActivationKeys 0x6b 0x805de064 1 NtLockRegistryKey 0x6c 0x805e4a65 4 NtLockVirtualMemory 0x6d 0x805ab8ba 1 NtMakePermanentObject 0x6e 0x805abb05 1 NtMakeTemporaryObject 0x6f 0x80647392 3 NtMapUserPhysicalPages 0x70 0x80647859 3 NtMapUserPhysicalPagesScatter 0x71 0x80589905 a NtMapViewOfSection 0x74 0x805ef59d 9 NtNotifyChangeDirectoryFile 0x75 0x80599f1c a NtNotifyChangeKey 0x76 0x80599d2d c NtNotifyChangeMultipleKeys 0x77 0x8058ef66 3 NtOpenDirectoryObject 0x78 0x80599615 3 NtOpenEvent 0x79 0x806680f4 3 NtOpenEventPair 0x7a 0x8057909d 6 NtOpenFile 0x7b 0x80634e03 3 NtOpenIoCompletion 0x7c 0x805af8b0 3 NtOpenJobObject 0x7d 0x80578d88 3 NtOpenKey 0x7e 0x80586508 3 NtOpenMutant 0x7f 0x805ed885 c NtOpenObjectAuditAlarm 0x80 0x80593613 4 NtOpenProcess 0x81 0x8057e110 3 NtOpenProcessToken 0x82 0x8057e816 4 NtOpenProcessTokenEx 0x83 0x8058a94b 3 NtOpenSection 0x84 0x805b3152 3 NtOpenSemaphore 0x85 0x8058ea10 3 NtOpenSymbolicLinkObject 
0x86 0x805a2a8c 4 NtOpenThread 0x87 0x8057f976 4 NtOpenThreadToken 0x88 0x8057f8e5 5 NtOpenThreadTokenEx 0x89 0x805eb40f 3 NtOpenTimer 0x8a 0x805a24a2 3 NtPlugPlayControl 0x8b 0x805ae364 5 NtPowerInformation 0x8c 0x805a2c28 3 NtPrivilegeCheck 0x8d 0x805e48ce 6 NtPrivilegeObjectAuditAlarm 0x8e 0x805a7bf0 5 NtPrivilegedServiceAuditAlarm 0x8f 0x80584a67 5 NtProtectVirtualMemory 0x90 0x8059f752 2 NtPulseEvent 0x91 0x80585755 2 NtQueryAttributesFile 0x94 0x80508c75 2 NtQueryDebugFilterState 0x95 0x8057ffd5 2 NtQueryDefaultLocale 0x96 0x80587c53 1 NtQueryDefaultUILanguage 0x97 0x8058731c b NtQueryDirectoryFile 0x98 0x80595d65 7 NtQueryDirectoryObject 0x9a 0x80635410 9 NtQueryEaFile 0x9b 0x805a2d89 5 NtQueryEvent 0x9c 0x8059b735 2 NtQueryFullAttributesFile 0x9d 0x805edffe 5 NtQueryInformationAtom 0x9e 0x805852cf 5 NtQueryInformationFile 0x9f 0x805af5ab 5 NtQueryInformationJobObject 0xa0 0x80644a66 5 NtQueryInformationPort 0xa1 0x8057fdea 5 NtQueryInformationProcess 0xa2 0x80576dc6 5 NtQueryInformationThread 0xa3 0x8057e718 5 NtQueryInformationToken 0xa4 0x8059d58c 1 NtQueryInstallUILanguage 0xa5 0x80668a4e 2 NtQueryIntervalProfile 0xa6 0x80634ebc 5 NtQueryIoCompletion 0xa7 0x80580c31 5 NtQueryKey 0xa8 0x80626765 6 NtQueryMultipleValueKey 0xa9 0x80668412 5 NtQueryMutant 0xaa 0x805f1cad 5 NtQueryObject 0xab 0x80626953 2 NtQueryOpenSubKeys 0xac 0x80626b89 4 NtQueryOpenSubKeysEx 0xad 0x8057f59e 2 NtQueryPerformanceCounter 0xae 0x80635c9d 9 NtQueryQuotaInformationFile 0xaf 0x8058679a 5 NtQuerySection 0xb0 0x805997e7 5 NtQuerySecurityObject 0xb1 0x80667325 5 NtQuerySemaphore 0xb2 0x8058e816 3 NtQuerySymbolicLinkObject 0xb3 0x80667a76 4 NtQuerySystemEnvironmentValue 0xb5 0x8057cbe2 4 NtQuerySystemInformation 0xb6 0x80597e57 1 NtQuerySystemTime 0xb7 0x8058c677 5 NtQueryTimer 0xb8 0x8059e436 3 NtQueryTimerResolution 0xb9 0x80577d61 6 NtQueryValueKey 0xba 0x80582264 6 NtQueryVirtualMemory 0xbb 0x8057960d 5 NtQueryVolumeInformationFile 0xbc 0x8058c78e 5 NtQueueApcThread 0xbd 
0x804eb198 3 NtRaiseException 0xbe 0x80667075 6 NtRaiseHardError 0xbf 0x8057d886 9 NtReadFile 0xc0 0x805aeb82 9 NtReadFileScatter 0xc1 0x8059859d 6 NtReadRequestData 0xc2 0x805861e0 5 NtReadVirtualMemory 0xc3 0x80588402 1 NtRegisterThreadTerminatePort 0xc4 0x80574b77 2 NtReleaseMutant 0xc5 0x80598eb5 3 NtReleaseSemaphore 0xc6 0x80577945 5 NtRemoveIoCompletion 0xc7 0x8066e462 2 NtRemoveProcessDebug 0xc8 0x80626dec 2 NtRenameKey 0xc9 0x8062748f 3 NtReplaceKey 0xca 0x80580e50 2 NtReplyPort 0xcb 0x8057b2a0 4 NtReplyWaitReceivePort 0xcc 0x8057adb0 5 NtReplyWaitReceivePortEx 0xcd 0x80644b39 2 NtReplyWaitReplyPort 0xce 0x80667a4f 1 NtModifyDriverEntry 0xcf 0x805985f2 2 NtRequestPort 0xd0 0x8058cbc3 3 NtRequestWaitReplyPort 0xd1 0x8064dc04 1 NtRequestWakeupLatency 0xd2 0x805a4751 2 NtResetEvent 0xd3 0x8054543e 3 NtResetWriteWatch 0xd4 0x80627286 3 NtRestoreKey 0xd5 0x80650ff5 1 NtResumeProcess 0xd6 0x805806fa 2 NtResumeThread 0xd7 0x80627325 2 NtSaveKey 0xd8 0x806273b2 3 NtSaveKeyEx 0xd9 0x80625f0d 3 NtSaveMergedKeys 0xda 0x8058d4b2 9 NtSecureConnectPort 0xdd 0x805b16f1 2 NtSetContextThread 0xde 0x8066e4f1 3 NtSetDebugFilterState 0xdf 0x805ca1ac 1 NtSetDefaultHardErrorPort 0xe0 0x805b748b 2 NtSetDefaultLocale 0xe1 0x805b7433 1 NtSetDefaultUILanguage 0xe2 0x80667a5c 2 NtSetBootEntryOrder 0xe3 0x8063594e 4 NtSetEaFile 0xe4 0x8057abd7 2 NtSetEvent 0xe5 0x80575690 1 NtSetEventBoostPriority 0xe6 0x806683b0 1 NtSetHighEventPair 0xe7 0x806682e6 1 NtSetHighWaitLowEventPair 0xe8 0x8066e255 5 NtSetInformationDebugObject 0xe9 0x80578747 5 NtSetInformationFile 0xea 0x805e0b5f 4 NtSetInformationJobObject 0xeb 0x80626400 4 NtSetInformationKey 0xec 0x8059223e 4 NtSetInformationObject 0xed 0x80580221 4 NtSetInformationProcess 0xee 0x80577629 4 NtSetInformationThread 0xef 0x805a6844 4 NtSetInformationToken 0xf0 0x806685a0 2 NtSetIntervalProfile 0xf1 0x8057c39a 5 NtSetIoCompletion 0xf2 0x806508db 6 NtSetLdtEntries 0xf3 0x8066834f 1 NtSetLowEventPair 0xf4 0x8066827d 1 
NtSetLowWaitHighEventPair 0xf5 0x80635c7e 4 NtSetQuotaInformationFile 0xf6 0x805a5626 3 NtSetSecurityObject 0xf7 0x80667d39 2 NtSetSystemEnvironmentValue 0xf8 0x80667a35 5 NtSetSystemEnvironmentValueEx 0xf9 0x80597238 3 NtSetSystemInformation 0xfa 0x8067b325 3 NtSetSystemPowerState 0xfb 0x8066697b 2 NtSetSystemTime 0xfc 0x805abc19 2 NtSetThreadExecutionState 0xfd 0x804ee9bf 7 NtSetTimer 0xfe 0x805acb3b 3 NtSetTimerResolution 0xff 0x805bc73c 1 NtSetUuidSeed 0x100 0x80592859 6 NtSetValueKey 0x101 0x806361ed 5 NtSetVolumeInformationFile 0x102 0x8066614b 1 NtShutdownSystem 0x103 0x80546d9e 4 NtSignalAndWaitForSingleObject 0x104 0x806687ec 1 NtStartProfile 0x105 0x80668999 1 NtStopProfile 0x106 0x80650fa0 1 NtSuspendProcess 0x107 0x805b0163 2 NtSuspendThread 0x108 0x80668af2 6 NtSystemDebugControl 0x109 0x80651a9b 2 NtTerminateJobObject 0x10a 0x80590cba 2 NtTerminateProcess 0x10b 0x80576714 2 NtTerminateThread 0x10c 0x8057e4f8 0 NtTestAlert 0x10d 0x8051ed5e 4 NtTraceEvent 0x10e 0x80667a69 4 NtTranslateFilePath 0x10f 0x806383c5 1 NtUnloadDriver 0x110 0x8062747c 1 NtUnloadKey 0x111 0x80625fc6 2 NtUnloadKey2 0x112 0x806261cb 2 NtUnloadKeyEx 0x113 0x805a220b 5 NtUnlockFile 0x114 0x805ae977 4 NtUnlockVirtualMemory 0x115 0x80589e79 2 NtUnmapViewOfSection 0x116 0x805c5aa2 2 NtVdmControl 0x117 0x805b07c8 4 NtWaitForDebugEvent 0x118 0x80574d38 5 NtWaitForMultipleObjects 0x119 0x8057428d 3 NtWaitForSingleObject 0x11a 0x8066821c 1 NtWaitHighEventPair 0x11b 0x806681bb 1 NtWaitLowEventPair 0x11c 0x80578248 9 NtWriteFile 0x11d 0x805aefe1 9 NtWriteFileGather 0x11e 0x805990a6 6 NtWriteRequestData 0x11f 0x805862d7 5 NtWriteVirtualMemory 0x120 0x805091c1 0 NtYieldExecution 0x121 0x805d7d7f 4 NtCreateKeyedEvent 0x122 0x8058f5cf 3 NtOpenKeyedEvent 0x123 0x8066922f 4 NtReleaseKeyedEvent 0x124 0x806694aa 4 NtWaitForKeyedEvent 0x125 0x8064f170 0 NtQueryPortInformationProcess 0x126 0x8064f1a4 0 NtGetCurrentProcessorNumber 参考资料: 1.MSDN系列(3)--Administrator用户直接获取SYSTEM权限 scz 
http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1900 2.hooking functions not exported by ntoskrnl http://www.rootkit.com/newsread.php?newsid=151 3.Simple Hooking of Functions not Exported by Ntoskrnl.exe http://www.rootkit.com/newsread.php?newsid=248