Rootkit detection: detecting hooks (IAT hook, inline hook, EAT hook, IDT hook, IRP hook, SSDT)

Published 2023-05-04 00:46:42 Author: bonelee

Here you can see the key to identifying an inline hook.

OK, let me try it on my own machine. First, check the usage described in the cheat sheet: https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf

In practice, adding -R and -Q really does make it much faster! The output is as follows:

PS D:\Application\volatility3-stable\moddmp_out> volatility26.exe -f D:\book\malwarecookbook-master\malwarecookbook-master\16\6\silentbanker.vmem\silentbanker.vmem apihooks -R -Q >.\hooks2.result.txt
Volatility Foundation Volatility Framework 2.6
PS D:\Application\volatility3-stable\moddmp_out> notepad .\hooks2.result.txt

PS D:\Application\volatility3-stable\moddmp_out> volatility26 -f D:\book\malwarecookbook-master\malwarecookbook-master\17\1\zeus.vmem\zeus.vmem apihooks -R -Q >hooks.result.txt
Volatility Foundation Volatility Framework 2.6
PS D:\Application\volatility3-stable\moddmp_out> notepad .\hooks.result.txt

The hook results for zeus:

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 676 (services.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b0000)
Function: ntdll.dll!NtCreateThread at 0x7c90d7d2
Hook address: 0x7e3b47
Hooking module: <unknown>

Disassembly(0):
0x7c90d7d2 e97063ed83       JMP 0x7e3b47
0x7c90d7d7 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90d7dc ff12             CALL DWORD [EDX]
0x7c90d7de c22000           RET 0x20
0x7c90d7e1 90               NOP
0x7c90d7e2 90               NOP
0x7c90d7e3 90               NOP
0x7c90d7e4 90               NOP
0x7c90d7e5 90               NOP
0x7c90d7e6 90               NOP
0x7c90d7e7 b8               DB 0xb8
0x7c90d7e8 36               DB 0x36
0x7c90d7e9 00               DB 0x0

Disassembly(1):
0x7e3b47 55               PUSH EBP
0x7e3b48 8bec             MOV EBP, ESP
0x7e3b4a 83ec18           SUB ESP, 0x18
0x7e3b4d 53               PUSH EBX
0x7e3b4e 56               PUSH ESI
0x7e3b4f 57               PUSH EDI
0x7e3b50 8b7d14           MOV EDI, [EBP+0x14]
0x7e3b53 8d4514           LEA EAX, [EBP+0x14]
0x7e3b56 50               PUSH EAX
0x7e3b57 6a18             PUSH 0x18
0x7e3b59 8d45e8           LEA EAX, [EBP-0x18]
0x7e3b5c 50               PUSH EAX
0x7e3b5d 33f6             XOR ESI, ESI

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 676 (services.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9b0000)
Function: ntdll.dll!NtQueryDirectoryFile at 0x7c90df5e
Hook address: 0x7e3ca5
Hooking module: <unknown>

Disassembly(0):
0x7c90df5e e9425ded83       JMP 0x7e3ca5
0x7c90df63 ba0003fe7f       MOV EDX, 0x7ffe0300
0x7c90df68 ff12             CALL DWORD [EDX]
0x7c90df6a c22c00           RET 0x2c
0x7c90df6d 90               NOP
0x7c90df6e 90               NOP
0x7c90df6f 90               NOP
0x7c90df70 90               NOP
0x7c90df71 90               NOP
0x7c90df72 90               NOP
0x7c90df73 b8               DB 0xb8
0x7c90df74 92               XCHG EDX, EAX
0x7c90df75 00               DB 0x0

Disassembly(1):
0x7e3ca5 55               PUSH EBP ==> not within ntdll.dll (0x7c900000 - 0x7c9b0000), so it is malicious!!!
0x7e3ca6 8bec             MOV EBP, ESP
0x7e3ca8 e88bfeffff       CALL 0x7e3b38
0x7e3cad ff7530           PUSH DWORD [EBP+0x30]
0x7e3cb0 ff752c           PUSH DWORD [EBP+0x2c]
0x7e3cb3 ff7528           PUSH DWORD [EBP+0x28]
0x7e3cb6 ff7524           PUSH DWORD [EBP+0x24]
0x7e3cb9 ff7520           PUSH DWORD [EBP+0x20]
0x7e3cbc ff               DB 0xff

... many, many more!!!
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: CRYPT32.dll (0x77a80000 - 0x77b14000)
Function: CRYPT32.dll!PFXImportCertStore at 0x77aef748
Hook address: 0x15d3692
Hooking module: <unknown>

Disassembly(0):
0x77aef748 e9453fae89       JMP 0x15d3692
0x77aef74d 83ec18           SUB ESP, 0x18
0x77aef750 53               PUSH EBX
0x77aef751 57               PUSH EDI
0x77aef752 33c0             XOR EAX, EAX
0x77aef754 8d7de8           LEA EDI, [EBP-0x18]
0x77aef757 33db             XOR EBX, EBX
0x77aef759 f74510dcefffef   TEST DWORD [EBP+0x10], 0xefffefdc

Disassembly(1):
0x15d3692 55               PUSH EBP
0x15d3693 8bec             MOV EBP, ESP
0x15d3695 81ec80000000     SUB ESP, 0x80
0x15d369b 53               PUSH EBX
0x15d369c 56               PUSH ESI
0x15d369d e896040000       CALL 0x15d3b38
0x15d36a2 ff7510           PUSH DWORD [EBP+0x10]
0x15d36a5 8b7508           MOV ESI, [EBP+0x8]
0x15d36a8 ff               DB 0xff
0x15d36a9 75               DB 0x75

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!HttpQueryInfoA at 0x771c8c6a
Hook address: 0x15e7477
Hooking module: <unknown>

Disassembly(0):
0x771c8c6a e908e8418a       JMP 0x15e7477
0x771c8c6f 1c77             SBB AL, 0x77
0x771c8c71 e8fc89feff       CALL 0x771b1672
0x771c8c76 33db             XOR EBX, EBX
0x771c8c78 895ddc           MOV [EBP-0x24], EBX
0x771c8c7b 895de4           MOV [EBP-0x1c], EBX
0x771c8c7e 39               DB 0x39
0x771c8c7f 1d               DB 0x1d
0x771c8c80 50               PUSH EAX
0x771c8c81 98               CWDE

Disassembly(1):
0x15e7477 55               PUSH EBP
0x15e7478 8bec             MOV EBP, ESP
0x15e747a 56               PUSH ESI
0x15e747b 57               PUSH EDI
0x15e747c bf6c275f01       MOV EDI, 0x15f276c
0x15e7481 57               PUSH EDI
0x15e7482 ff1574125d01     CALL DWORD [0x15d1274]
0x15e7488 8b7508           MOV ESI, [EBP+0x8]
0x15e748b e8               DB 0xe8
0x15e748c 67e5ff           IN EAX, 0xff

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!HttpSendRequestA at 0x771c76b8
Hook address: 0x15e7366
Hooking module: <unknown>

Disassembly(0):
0x771c76b8 e9a9fc418a       JMP 0x15e7366
0x771c76bd 6a13             PUSH 0x13
0x771c76bf 6a00             PUSH 0x0
0x771c76c1 ff7518           PUSH DWORD [EBP+0x18]
0x771c76c4 ff7514           PUSH DWORD [EBP+0x14]
0x771c76c7 ff7510           PUSH DWORD [EBP+0x10]
0x771c76ca ff750c           PUSH DWORD [EBP+0xc]
0x771c76cd ff7508           PUSH DWORD [EBP+0x8]

Disassembly(1):
0x15e7366 55               PUSH EBP
0x15e7367 8bec             MOV EBP, ESP
0x15e7369 e8cac7feff       CALL 0x15d3b38
0x15e736e ff7510           PUSH DWORD [EBP+0x10]
0x15e7371 8b4518           MOV EAX, [EBP+0x18]
0x15e7374 ff750c           PUSH DWORD [EBP+0xc]
0x15e7377 8b4d14           MOV ECX, [EBP+0x14]
0x15e737a ff7508           PUSH DWORD [EBP+0x8]
0x15e737d 6a               DB 0x6a

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!HttpSendRequestExA at 0x7721190d
Hook address: 0x15e73ac
Hooking module: <unknown>

Disassembly(0):
0x7721190d e99a5a3d8a       JMP 0x15e73ac
0x77211912 53               PUSH EBX
0x77211913 56               PUSH ESI
0x77211914 57               PUSH EDI
0x77211915 33db             XOR EBX, EBX
0x77211917 33c0             XOR EAX, EAX
0x77211919 33c9             XOR ECX, ECX
0x7721191b 33d2             XOR EDX, EDX
0x7721191d 33ff             XOR EDI, EDI
0x7721191f 395d10           CMP [EBP+0x10], EBX
0x77211922 7539             JNZ 0x7721195d
0x77211924 8b               DB 0x8b

Disassembly(1):
0x15e73ac 55               PUSH EBP
0x15e73ad 8bec             MOV EBP, ESP
0x15e73af 53               PUSH EBX
0x15e73b0 e883c7feff       CALL 0x15d3b38
0x15e73b5 ff7518           PUSH DWORD [EBP+0x18]
0x15e73b8 8b450c           MOV EAX, [EBP+0xc]
0x15e73bb ff7514           PUSH DWORD [EBP+0x14]
0x15e73be 8b5d08           MOV EBX, [EBP+0x8]
0x15e73c1 ff7510           PUSH DWORD [EBP+0x10]

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!HttpSendRequestExW at 0x771d53eb
Hook address: 0x15e7388
Hooking module: <unknown>

Disassembly(0):
0x771d53eb e9981f418a       JMP 0x15e7388
0x771d53f0 83ec14           SUB ESP, 0x14
0x771d53f3 53               PUSH EBX
0x771d53f4 56               PUSH ESI
0x771d53f5 33c0             XOR EAX, EAX
0x771d53f7 57               PUSH EDI
0x771d53f8 33d2             XOR EDX, EDX
0x771d53fa 33db             XOR EBX, EBX
0x771d53fc 33ff             XOR EDI, EDI
0x771d53fe 33c9             XOR ECX, ECX
0x771d5400 395508           CMP [EBP+0x8], EDX

Disassembly(1):
0x15e7388 55               PUSH EBP
0x15e7389 8bec             MOV EBP, ESP
0x15e738b 53               PUSH EBX
0x15e738c e8a7c7feff       CALL 0x15d3b38
0x15e7391 ff7518           PUSH DWORD [EBP+0x18]
0x15e7394 8b450c           MOV EAX, [EBP+0xc]
0x15e7397 ff7514           PUSH DWORD [EBP+0x14]
0x15e739a 8b5d08           MOV EBX, [EBP+0x8]
0x15e739d ff7510           PUSH DWORD [EBP+0x10]

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!HttpSendRequestW at 0x77211808
Hook address: 0x15e7344
Hooking module: <unknown>

Disassembly(0):
0x77211808 e9375b3d8a       JMP 0x15e7344
0x7721180d 83ec14           SUB ESP, 0x14
0x77211810 53               PUSH EBX
0x77211811 33db             XOR EBX, EBX
0x77211813 56               PUSH ESI
0x77211814 33f6             XOR ESI, ESI
0x77211816 33c0             XOR EAX, EAX
0x77211818 395d08           CMP [EBP+0x8], EBX
0x7721181b 57               PUSH EDI
0x7721181c 895df8           MOV [EBP-0x8], EBX
0x7721181f 89               DB 0x89

Disassembly(1):
0x15e7344 55               PUSH EBP
0x15e7345 8bec             MOV EBP, ESP
0x15e7347 e8ecc7feff       CALL 0x15d3b38
0x15e734c ff7510           PUSH DWORD [EBP+0x10]
0x15e734f 8b4518           MOV EAX, [EBP+0x18]
0x15e7352 ff750c           PUSH DWORD [EBP+0xc]
0x15e7355 8b4d14           MOV ECX, [EBP+0x14]
0x15e7358 ff7508           PUSH DWORD [EBP+0x8]
0x15e735b 6a               DB 0x6a

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!InternetCloseHandle at 0x771c61dc
Hook address: 0x15e7438
Hooking module: <unknown>

Disassembly(0):
0x771c61dc e95712428a       JMP 0x15e7438
0x771c61e1 51               PUSH ECX
0x771c61e2 51               PUSH ECX
0x771c61e3 53               PUSH EBX
0x771c61e4 56               PUSH ESI
0x771c61e5 33db             XOR EBX, EBX
0x771c61e7 33f6             XOR ESI, ESI
0x771c61e9 f60544a3237701   TEST BYTE [0x7723a344], 0x1
0x771c61f0 895dfc           MOV [EBP-0x4], EBX
0x771c61f3 0f               DB 0xf

Disassembly(1):
0x15e7438 53               PUSH EBX
0x15e7439 56               PUSH ESI
0x15e743a 57               PUSH EDI
0x15e743b e8f8c6feff       CALL 0x15d3b38
0x15e7440 8b742410         MOV ESI, [ESP+0x10]
0x15e7444 56               PUSH ESI
0x15e7445 ff153c145d01     CALL DWORD [0x15d143c]
0x15e744b bf6c275f01       MOV EDI, 0x15f276c

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!InternetQueryDataAvailable at 0x771d325f
Hook address: 0x15e7415
Hooking module: <unknown>

Disassembly(0):
0x771d325f e9b141418a       JMP 0x15e7415
0x771d3264 83ec10           SUB ESP, 0x10
0x771d3267 53               PUSH EBX
0x771d3268 33db             XOR EBX, EBX
0x771d326a 391d50982377     CMP [0x77239850], EBX
0x771d3270 56               PUSH ESI
0x771d3271 57               PUSH EDI
0x771d3272 895dfc           MOV [EBP-0x4], EBX
0x771d3275 c7               DB 0xc7
0x771d3276 45               INC EBP

Disassembly(1):
0x15e7415 e81ec7feff       CALL 0x15d3b38
0x15e741a ff742410         PUSH DWORD [ESP+0x10]
0x15e741e ff742410         PUSH DWORD [ESP+0x10]
0x15e7422 ff742410         PUSH DWORD [ESP+0x10]
0x15e7426 6a00             PUSH 0x0
0x15e7428 6a00             PUSH 0x0
0x15e742a ff               DB 0xff
0x15e742b 7424             JZ 0x15e7451

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!InternetReadFile at 0x771c9555
Hook address: 0x15e73d0
Hooking module: <unknown>

Disassembly(0):
0x771c9555 e976de418a       JMP 0x15e73d0
0x771c955a 83ec24           SUB ESP, 0x24
0x771c955d 53               PUSH EBX
0x771c955e 33db             XOR EBX, EBX
0x771c9560 391d50982377     CMP [0x77239850], EBX
0x771c9566 57               PUSH EDI
0x771c9567 895df4           MOV [EBP-0xc], EBX
0x771c956a 895df8           MOV [EBP-0x8], EBX

Disassembly(1):
0x15e73d0 e863c7feff       CALL 0x15d3b38
0x15e73d5 33c0             XOR EAX, EAX
0x15e73d7 50               PUSH EAX
0x15e73d8 50               PUSH EAX
0x15e73d9 ff742418         PUSH DWORD [ESP+0x18]
0x15e73dd ff742418         PUSH DWORD [ESP+0x18]
0x15e73e1 ff742418         PUSH DWORD [ESP+0x18]
0x15e73e5 ff               DB 0xff
0x15e73e6 7424             JZ 0x15e740c

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WININET.dll (0x771b0000 - 0x77256000)
Function: WININET.dll!InternetReadFileExA at 0x771f7e9a
Hook address: 0x15e73f2
Hooking module: <unknown>

Disassembly(0):
0x771f7e9a e953f53e8a       JMP 0x15e73f2
0x771f7e9f 83ec20           SUB ESP, 0x20
0x771f7ea2 53               PUSH EBX
0x771f7ea3 56               PUSH ESI
0x771f7ea4 33c0             XOR EAX, EAX
0x771f7ea6 57               PUSH EDI
0x771f7ea7 33ff             XOR EDI, EDI
0x771f7ea9 40               INC EAX
0x771f7eaa 393d50982377     CMP [0x77239850], EDI
0x771f7eb0 89               DB 0x89
0x771f7eb1 7d               DB 0x7d

Disassembly(1):
0x15e73f2 e841c7feff       CALL 0x15d3b38
0x15e73f7 ff742410         PUSH DWORD [ESP+0x10]
0x15e73fb ff742410         PUSH DWORD [ESP+0x10]
0x15e73ff 6a00             PUSH 0x0
0x15e7401 6a00             PUSH 0x0
0x15e7403 ff742418         PUSH DWORD [ESP+0x18]
0x15e7407 ff               DB 0xff
0x15e7408 7424             JZ 0x15e742e

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WS2_32.dll (0x71ab0000 - 0x71ac7000)
Function: WS2_32.dll!WSASend at 0x71ab6233
Hook address: 0x15e112c
Hooking module: <unknown>

Disassembly(0):
0x71ab6233 e9f4aeb28f       JMP 0x15e112c
0x71ab6238 51               PUSH ECX
0x71ab6239 51               PUSH ECX
0x71ab623a 813d2840ac714894ab71 CMP DWORD [0x71ac4028], 0x71ab9448
0x71ab6244 56               PUSH ESI
0x71ab6245 0f847f540000     JZ 0x71abb6ca

Disassembly(1):
0x15e112c 55               PUSH EBP
0x15e112d 8bec             MOV EBP, ESP
0x15e112f 837d1000         CMP DWORD [EBP+0x10], 0x0
0x15e1133 56               PUSH ESI
0x15e1134 8b750c           MOV ESI, [EBP+0xc]
0x15e1137 7615             JBE 0x15e114e
0x15e1139 57               PUSH EDI
0x15e113a 8b7d10           MOV EDI, [EBP+0x10]
0x15e113d ff36             PUSH DWORD [ESI]
0x15e113f 8b4604           MOV EAX, [ESI+0x4]
0x15e1142 ff               DB 0xff
0x15e1143 75               DB 0x75

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WS2_32.dll (0x71ab0000 - 0x71ac7000)
Function: WS2_32.dll!closesocket at 0x71ab9639
Hook address: 0x15e10db
Hooking module: <unknown>

Disassembly(0):
0x71ab9639 e99d7ab28f       JMP 0x15e10db
0x71ab963e 51               PUSH ECX
0x71ab963f 813d2840ac714894ab71 CMP DWORD [0x71ac4028], 0x71ab9448
0x71ab9649 56               PUSH ESI
0x71ab964a 0f84aef3ffff     JZ 0x71ab89fe
0x71ab9650 e8               DB 0xe8

Disassembly(1):
0x15e10db 56               PUSH ESI
0x15e10dc bef4265f01       MOV ESI, 0x15f26f4
0x15e10e1 56               PUSH ESI
0x15e10e2 ff1574125d01     CALL DWORD [0x15d1274]
0x15e10e8 ff742408         PUSH DWORD [ESP+0x8]
0x15e10ec e859fcffff       CALL 0x15e0d4a
0x15e10f1 85c0             TEST EAX, EAX

************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1724 (explorer.exe)
Victim module: WS2_32.dll (0x71ab0000 - 0x71ac7000)
Function: WS2_32.dll!send at 0x71ab428a
Hook address: 0x15e110f
Hooking module: <unknown>

Disassembly(0):
0x71ab428a e980ceb28f       JMP 0x15e110f
0x71ab428f 83ec10           SUB ESP, 0x10
0x71ab4292 56               PUSH ESI
0x71ab4293 57               PUSH EDI
0x71ab4294 33ff             XOR EDI, EDI
0x71ab4296 813d2840ac714894ab71 CMP DWORD [0x71ac4028], 0x71ab9448
0x71ab42a0 0f               DB 0xf
0x71ab42a1 84               DB 0x84

Disassembly(1):
0x15e110f 55               PUSH EBP
0x15e1110 8bec             MOV EBP, ESP
0x15e1112 ff7510           PUSH DWORD [EBP+0x10]
0x15e1115 8b450c           MOV EAX, [EBP+0xc]
0x15e1118 ff7508           PUSH DWORD [EBP+0x8]
0x15e111b e838fdffff       CALL 0x15e0e58
0x15e1120 e8132affff       CALL 0x15d3b38
0x15e1125 5d               POP EBP
0x15e1126 ff               DB 0xff

The zeus author really went to a lot of trouble, planting that many hooks!!! However, I did not see IAT or EAT hooks in either malware sample. And because I used the vol 2.6 version, the output also differs considerably from the book.
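The check the annotation above applies by eye (a function prologue whose first instruction transfers control outside the victim module's range), as an added Python example that is not part of the original post or of Volatility; the sample bytes and report excerpt are constructed from the NtCreateThread record above, and the PUSH/RET pattern is an extension beyond what the output shows.

```python
import re
import struct

# Constructed sample bytes. HOOKED is the prologue of ntdll!NtCreateThread as it
# appears in the apihooks output above (JMP rel32 written over the original
# "mov eax, 0x36"); CLEAN is how that system-call stub looks when unhooked.
NTDLL_START, NTDLL_END = 0x7C900000, 0x7C9B0000
FUNC_ADDR = 0x7C90D7D2
HOOKED = bytes.fromhex("e97063ed83ba0003fe7fff12c22000")
CLEAN = bytes.fromhex("b836000000ba0003fe7fff12c22000")


def branch_target(addr, code):
    """Decode an unconditional transfer at the start of `code` (loaded at addr).

    Returns ("jmp", target) for E9 rel32, ("push/ret", target) for
    68 imm32 / C3, or None when the first instruction is something else.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]        # signed rel32
        return "jmp", (addr + 5 + rel) & 0xFFFFFFFF        # relative to next insn
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    return None


def inline_hook(addr, code, mod_start, mod_end):
    """Describe the hook when the prologue transfers control outside
    [mod_start, mod_end); a jump that stays inside the module is not flagged,
    because an export may legitimately begin with a jump or tail call."""
    hit = branch_target(addr, code)
    if hit is None:
        return None
    kind, target = hit
    if mod_start <= target < mod_end:
        return None
    return {"kind": kind, "target": target}


# Parser for textual apihooks records: each record names the victim module
# range, the hooked function and the hook address, so the same range check
# can be re-run over a saved report such as hooks.result.txt.
RECORD_RE = re.compile(
    r"Victim module: (?P<mod>\S+) \((?P<start>0x[0-9a-f]+) - (?P<end>0x[0-9a-f]+)\)\s*"
    r"Function: (?P<func>\S+) at 0x[0-9a-f]+\s*"
    r"Hook address: (?P<hook>0x[0-9a-f]+)"
)


def out_of_module_hooks(report):
    """List (function, hook address) pairs whose hook target is outside the victim module."""
    hits = []
    for m in RECORD_RE.finditer(report):
        start, end, hook = (int(m.group(k), 16) for k in ("start", "end", "hook"))
        if not (start <= hook < end):
            hits.append((m.group("func"), hook))
    return hits


# Constructed excerpt of one apihooks record (values taken from the zeus output above).
SAMPLE_REPORT = """\
Victim module: ntdll.dll (0x7c900000 - 0x7c9b0000)
Function: ntdll.dll!NtCreateThread at 0x7c90d7d2
Hook address: 0x7e3b47
"""

if __name__ == "__main__":
    print(inline_hook(FUNC_ADDR, HOOKED, NTDLL_START, NTDLL_END))
    print(inline_hook(FUNC_ADDR, CLEAN, NTDLL_START, NTDLL_END))
    print(out_of_module_hooks(SAMPLE_REPORT))
```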

IDT hooks, IRP hooks and SSDT hooks are fairly rare, and only for SSDT did the author provide a vmem you can work with. Refer to the original book for the details; here I only show screenshots illustrating how volatility is used:

For IDT, see the original book; I won't cover it here.

SSDT hooking is essentially hijacking too!!!

Output on my machine:

PS D:\Application\volatility3-stable\moddmp_out> volatility26.exe -f "D:\book\malwarecookbook-master\malwarecookbook-master\17\6\be2.vmem\be2.vmem" ssdt | grep -E -v "(ntoskrnl|win32k)"
Volatility Foundation Volatility Framework 2.6
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at ff3aab90 with 284 entries
  Entry 0x0041: 0xff0d2487 (NtDeleteValueKey) owned by 00004A2A
  Entry 0x0047: 0xff0d216b (NtEnumerateKey) owned by 00004A2A
  Entry 0x0049: 0xff0d2267 (NtEnumerateValueKey) owned by 00004A2A
  Entry 0x0077: 0xff0d20c3 (NtOpenKey) owned by 00004A2A
  Entry 0x007a: 0xff0d1e93 (NtOpenProcess) owned by 00004A2A
  Entry 0x0080: 0xff0d1f0b (NtOpenThread) owned by 00004A2A
  Entry 0x0089: 0xff0d2617 (NtProtectVirtualMemory) owned by 00004A2A
  Entry 0x00ad: 0xff0d1da0 (NtQuerySystemInformation) owned by 00004A2A
  Entry 0x00ba: 0xff0d256b (NtReadVirtualMemory) owned by 00004A2A
  Entry 0x00d5: 0xff0d2070 (NtSetContextThread) owned by 00004A2A
  Entry 0x00f7: 0xff0d2397 (NtSetValueKey) owned by 00004A2A
  Entry 0x00fe: 0xff0d201d (NtSuspendThread) owned by 00004A2A
  Entry 0x0102: 0xff0d1fca (NtTerminateThread) owned by 00004A2A
  Entry 0x0115: 0xff0d25c1 (NtWriteVirtualMemory) owned by 00004A2A
SSDT[0] at 80f162d0 with 284 entries
  Entry 0x0041: 0xff0d2487 (NtDeleteValueKey) owned by 00004A2A
  Entry 0x0047: 0xff0d216b (NtEnumerateKey) owned by 00004A2A
  Entry 0x0049: 0xff0d2267 (NtEnumerateValueKey) owned by 00004A2A
  Entry 0x0077: 0xff0d20c3 (NtOpenKey) owned by 00004A2A
  Entry 0x007a: 0xff0d1e93 (NtOpenProcess) owned by 00004A2A
  Entry 0x0080: 0xff0d1f0b (NtOpenThread) owned by 00004A2A
  Entry 0x0089: 0xff0d2617 (NtProtectVirtualMemory) owned by 00004A2A
  Entry 0x00ad: 0xff0d1da0 (NtQuerySystemInformation) owned by 00004A2A
  Entry 0x00ba: 0xff0d256b (NtReadVirtualMemory) owned by 00004A2A
  Entry 0x00d5: 0xff0d2070 (NtSetContextThread) owned by 00004A2A
  Entry 0x00f7: 0xff0d2397 (NtSetValueKey) owned by 00004A2A
  Entry 0x00fe: 0xff0d201d (NtSuspendThread) owned by 00004A2A
  Entry 0x0102: 0xff0d1fca (NtTerminateThread) owned by 00004A2A
  Entry 0x0115: 0xff0d25c1 (NtWriteVirtualMemory) owned by 00004A2A
SSDT[0] at 80501030 with 284 entries
SSDT[1] at bf997600 with 667 entries

Without the filter? The output is a long list of normal entries owned by ntoskrnl.exe:

  Entry 0x0024: 0x8060bb94 (NtCreateEventPair) owned by ntoskrnl.exe
  Entry 0x0025: 0x8056d14c (NtCreateFile) owned by ntoskrnl.exe
  Entry 0x0026: 0x8056b9de (NtCreateIoCompletion) owned by ntoskrnl.exe
  Entry 0x0027: 0x805ca126 (NtCreateJobObject) owned by ntoskrnl.exe
  Entry 0x0028: 0x805c9e5e (NtCreateJobSet) owned by ntoskrnl.exe
  Entry 0x0029: 0x80618bd2 (NtCreateKey) owned by ntoskrnl.exe
  Entry 0x002a: 0x8056d25a (NtCreateMailslotFile) owned by ntoskrnl.exe
  Entry 0x002b: 0x8060bf8c (NtCreateMutant) owned by ntoskrnl.exe
  Entry 0x002c: 0x8056d186 (NtCreateNamedPipeFile) owned by ntoskrnl.exe
  Entry 0x002d: 0x8059f8fa (NtCreatePagingFile) owned by ntoskrnl.exe
  Entry 0x002e: 0x80598f56 (NtCreatePort) owned by ntoskrnl.exe
  Entry 0x002f: 0x805c5ce8 (NtCreateProcess) owned by ntoskrnl.exe
  Entry 0x0030: 0x805c5c32 (NtCreateProcessEx) owned by ntoskrnl.exe
  Entry 0x0031: 0x8060c3ac (NtCreateProfile) owned by ntoskrnl.exe
  Entry 0x0032: 0x8059f23e (NtCreateSection) owned by ntoskrnl.exe
  Entry 0x0033: 0x80609936 (NtCreateSemaphore) owned by ntoskrnl.exe
  Entry 0x0034: 0x805b9410 (NtCreateSymbolicLinkObject) owned by ntoskrnl.exe
  Entry 0x0035: 0x805c5ad0 (NtCreateThread) owned by ntoskrnl.exe
  Entry 0x0036: 0x8060b85c (NtCreateTimer) owned by ntoskrnl.exe
  Entry 0x0037: 0x805edc98 (NtCreateToken) owned by ntoskrnl.exe
  Entry 0x0038: 0x80598f7a (NtCreateWaitablePort) owned by ntoskrnl.exe
  Entry 0x0039: 0x80637ac4 (NtDebugActiveProcess) owned by ntoskrnl.exe
  Entry 0x003a: 0x80637c14 (NtDebugContinue) owned by ntoskrnl.exe
  Entry 0x003b: 0x8060b26e (NtDelayExecution) owned by ntoskrnl.exe
  Entry 0x003c: 0x8060aa90 (NtDeleteAtom) owned by ntoskrnl.exe
  Entry 0x003d: 0x805bce0e (NtDeleteBootEntry) owned by ntoskrnl.exe
  Entry 0x003e: 0x8056ad2c (NtDeleteFile) owned by ntoskrnl.exe
....