主要是對傳入的參數進行檢查,再調用PspCreateThread()
// Process/thread identifier pair returned through the ClientId out-parameter
// of PsCreateSystemThread. Two pointer-sized fields (8 bytes on x86). In the
// disassembly below PsCreateSystemThread only forwards the *pointer* to
// PspCreateThread; nothing in this listing writes the fields, so the values
// are presumably filled in by the callee — verify before relying on that.
typedef struct _client_id
{
PVOID UniqueProcess;   // +0: process id (HANDLE-sized)
PVOID UniqueThread;    // +4: thread id (HANDLE-sized)
}CLIENT_ID,* PCLIENT_ID;
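// Twelve-byte block that PsCreateSystemThread zeroes (three "stos dword" at
// esp+30h), fills with a DWORD at +0 and a WORD at +4, and passes by address
// as the 6th argument of PspCreateThread when no ProcessHandle is supplied.
// That layout matches GROUP_AFFINITY { KAFFINITY Mask; WORD Group;
// WORD Reserved[3]; } on x86 — treat the identification as inferred from the
// disassembly, not confirmed against symbols.
//
// Fixes: "UNONG" -> ULONG, typedef name "UNKNOW" -> UNKNOWN (the name the
// pseudo-code actually uses), and the second field is a WORD, not a DWORD
// ("mov word ptr [esp+34h],dx").
typedef struct _unknown
{
ULONG  num1;      // +0: active-processor mask of the chosen group
USHORT num2;      // +4: processor-group number
USHORT num3[3];   // +6: never written after the zero fill
}UNKNOWN,* PUNKNOWN;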
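NTSTATUS
PsCreateSystemThread(
OUT PHANDLE ThreadHandle,                          // ebp+8
IN ULONG DesiredAccess,                            // ebp+0Ch
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,   // ebp+10h
IN HANDLE ProcessHandle OPTIONAL,                  // ebp+14h
OUT PCLIENT_ID ClientId OPTIONAL,                  // ebp+18h
IN PKSTART_ROUTINE StartRoutine,                   // ebp+1Ch
IN PVOID StartContext                              // ebp+20h
)
/*
 * Pseudo-C reconstruction of nt!PsCreateSystemThread from the disassembly
 * below (x86, stdcall: "ret 1Ch" = 7 DWORD arguments). It is not compilable
 * source. The routine does no real validation: it fills in defaults and
 * forwards everything to PspCreateThread.
 *
 * Corrections against the earlier draft, all taken from the listing:
 *  - arg1 of PspCreateThread is ThreadHandle ([esp+3Ch] at the last push),
 *    not the stack cookie; arg3 is &OBJECT_ATTRIBUTES, not its SQOS field.
 *  - the caller's ProcessHandle IS forwarded (arg4) when it is non-NULL.
 *  - ClientId IS forwarded (arg7, "push dword ptr [esp+28h]"); no CLIENT_ID
 *    is written locally, only the pointer is stored.
 *  - a caller-supplied OBJECT_ATTRIBUTES gets 0x200 (OBJ_KERNEL_HANDLE)
 *    OR-ed into Attributes unconditionally ("or dword ptr [esp+24h],200h").
 *  - the group-affinity block is built from a round-robin group index, not
 *    from the raw group count.
 *
 * Stack offsets in the comments are relative to esp after ebx/esi/edi have
 * been pushed, i.e. the offsets used by the body of the disassembly.
 *
 * Returns: whatever PspCreateThread leaves in eax; nothing touches eax
 * between the call and "ret 1Ch".
 */
{
// Stack-protector canary: nt!__security_cookie XOR esp, re-checked on exit.
ULONG_PTR securityCookie = __security_cookie ^ (ULONG_PTR)esp;     // esp+3Ch

// Incoming arguments copied into the local frame.
PHANDLE    tempThreadHandle  = ThreadHandle;                       // esp+10h
PCLIENT_ID tempClientId      = ClientId;                           // esp+14h (pointer only)
HANDLE     tempProcessHandle = NULL;                               // esp+0Ch
PEPROCESS  ownerProcess      = NULL;                               // ebx
PUNKNOWN   groupAffinityPtr  = NULL;                               // eax at the call
UNKNOWN    groupAffinity     = {0};                                // esp+30h, 12 bytes
OBJECT_ATTRIBUTES tempObjectAttributes;                            // esp+18h .. esp+2Ch

if (ProcessHandle != NULL)
{
// Caller-supplied process: forward the handle; no process pointer and no
// group-affinity block (ebx = 0, eax = 0).
tempProcessHandle = ProcessHandle;
}
else
{
// No process given: the thread is created in the System process and the
// processor group is chosen round-robin from a global counter.
ownerProcess = PsInitialSystemProcess;
USHORT groupCount = KeQueryActiveGroupCount();                     // movzx edx,ax
// "lock xadd" returns the old value; the following "inc eax" makes it old+1.
ULONG assignment = InterlockedExchangeAdd(&PspSystemThreadAssignment, 1) + 1;
// idiv: signed divide, remainder in edx. Nothing guards groupCount == 0
// here (it would fault in the divide) — presumably never zero at runtime.
USHORT group = (USHORT)((LONG)assignment % groupCount);
// Per-group active-processor mask table at nt!KeActiveProcessors+8,
// indexed "[eax*4]" by group; the table layout is inferred, not confirmed.
groupAffinity.num1 = ((PULONG)((PUCHAR)&KeActiveProcessors + 8))[group];
groupAffinity.num2 = group;                                        // word store at esp+34h
groupAffinityPtr   = &groupAffinity;
}

if (ObjectAttributes == NULL)
{
// Default attributes for the new thread object.
tempObjectAttributes.Length                   = 0x18;              // esp+18h
tempObjectAttributes.RootDirectory            = NULL;              // esp+1Ch
tempObjectAttributes.ObjectName               = NULL;              // esp+20h
tempObjectAttributes.Attributes               = 0x200;             // esp+24h, OBJ_KERNEL_HANDLE
tempObjectAttributes.SecurityDescriptor       = NULL;              // esp+28h
tempObjectAttributes.SecurityQualityOfService = NULL;              // esp+2Ch
}
else
{
// "rep movs" of 6 DWORDs, then OBJ_KERNEL_HANDLE is OR-ed in regardless of
// what the caller passed: the returned handle is always a kernel handle,
// so it never lands in a handle table reachable from user mode.
tempObjectAttributes = *ObjectAttributes;
tempObjectAttributes.Attributes |= 0x200;                          // OBJ_KERNEL_HANDLE
}

// 12 DWORD arguments, listed here in call order (the listing pushes them
// last-first). Positions 8, 9 and 12 are NULL on both paths; by analogy with
// the public WRK prototype they are probably ThreadContext, InitialTeb and a
// trailing flag — verify against symbols before relying on those names.
NTSTATUS status = PspCreateThread(
tempThreadHandle,          // 1: ThreadHandle
DesiredAccess,             // 2: [ebp+0Ch]
&tempObjectAttributes,     // 3: lea eax,[esp+3Ch] after 9 pushes
tempProcessHandle,         // 4: ProcessHandle or NULL
ownerProcess,              // 5: PsInitialSystemProcess or NULL
groupAffinityPtr,          // 6: &groupAffinity or NULL
tempClientId,              // 7: ClientId (forwarded, not filled here)
NULL,                      // 8
NULL,                      // 9
StartRoutine,              // 10: [ebp+1Ch]
StartContext,              // 11: [ebp+20h]
NULL);                     // 12

__security_check_cookie(securityCookie ^ (ULONG_PTR)esp);
return status;
}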
// Annotated windbg listing of nt!PsCreateSystemThread (x86, stdcall).
// Frame after "sub esp,34h" and the ebx/esi/edi pushes — locals, relative to
// esp as used in the body:
//   esp+0Ch ProcessHandle (or 0)    esp+18h..2Ch OBJECT_ATTRIBUTES (6 DWORDs)
//   esp+10h ThreadHandle            esp+30h      12-byte group-affinity block
//   esp+14h ClientId pointer        esp+3Ch      stack cookie
// The function returns whatever PspCreateThread leaves in eax.
nt!PsCreateSystemThread:
84249fb0 8bff mov edi,edi   // hot-patch padding
84249fb2 55 push ebp
84249fb3 8bec mov ebp,esp
84249fb5 83e4f8 and esp,0FFFFFFF8h   // 8-byte align the local frame
84249fb8 83ec34 sub esp,34h
84249fbb a148ba1684 mov eax,dword ptr [nt!__security_cookie (8416ba48)]
84249fc0 33c4 xor eax,esp   // (author's note: unsure how to express this) — cookie XOR current esp
84249fc2 89442430 mov dword ptr [esp+30h],eax   // saved cookie (esp+3Ch after the three pushes below)
84249fc6 8b4508 mov eax,dword ptr [ebp+8]   // ThreadHandle
84249fc9 8b4d18 mov ecx,dword ptr [ebp+18h]   // ClientId
84249fcc 53 push ebx
84249fcd 89442408 mov dword ptr [esp+8],eax   // local ThreadHandle
84249fd1 8b4514 mov eax,dword ptr [ebp+14h]   // ProcessHandle
84249fd4 894c240c mov dword ptr [esp+0Ch],ecx   // local ClientId pointer
84249fd8 56 push esi
84249fd9 8b7510 mov esi,dword ptr [ebp+10h]   // esi = ObjectAttributes
84249fdc 33c9 xor ecx,ecx   // ecx = 0, reused as NULL below
84249fde 57 push edi
84249fdf 3bc1 cmp eax,ecx   // ProcessHandle == NULL ?
84249fe1 740a je nt!PsCreateSystemThread+0x3d (84249fed)
nt!PsCreateSystemThread+0x33:   // ProcessHandle supplied
84249fe3 8944240c mov dword ptr [esp+0Ch],eax   // local ProcessHandle = caller's handle
84249fe7 33db xor ebx,ebx   // no process pointer
84249fe9 33c0 xor eax,eax   // no group-affinity block
84249feb eb45 jmp nt!PsCreateSystemThread+0x82 (8424a032)
nt!PsCreateSystemThread+0x3d:   // ProcessHandle == NULL: use the System process
84249fed 8b1d3ca01a84 mov ebx,dword ptr [nt!PsInitialSystemProcess (841aa03c)]
84249ff3 894c240c mov dword ptr [esp+0Ch],ecx   // local ProcessHandle = 0
84249ff7 e8e0b4eaff call nt!KeQueryActiveGroupCount (840f54dc)
84249ffc 0fb7d0 movzx edx,ax   // edx = active group count
84249fff 33c0 xor eax,eax
8424a001 8d7c2430 lea edi,[esp+30h]
8424a005 ab stos dword ptr es:[edi]   // zero the 12-byte affinity block
8424a006 ab stos dword ptr es:[edi]
8424a007 ab stos dword ptr es:[edi]
8424a008 33c0 xor eax,eax
8424a00a bffcbe3a84 mov edi,offset nt!PspSystemThreadAssignment (843abefc)
8424a00f 40 inc eax   // eax = 1
8424a010 f00fc107 lock xadd dword ptr [edi],eax   // atomic increment; eax = old value
8424a014 40 inc eax   // eax = old + 1
8424a015 0fb7fa movzx edi,dx   // edi = group count
8424a018 99 cdq
8424a019 f7ff idiv eax,edi   // edx = (old+1) % groupCount; faults if the count were 0
8424a01b 0fb7c2 movzx eax,dx   // eax = chosen group
8424a01e 8b0485885c1a84 mov eax,dword ptr nt!KeActiveProcessors+0x8 (841a5c88)[eax*4]   // per-group mask table (layout inferred)
8424a025 89442430 mov dword ptr [esp+30h],eax   // block+0 = processor mask
8424a029 6689542434 mov word ptr [esp+34h],dx   // block+4 = group number (WORD)
8424a02e 8d442430 lea eax,[esp+30h]   // eax = &block
nt!PsCreateSystemThread+0x82:
8424a032 3bf1 cmp esi,ecx   // ObjectAttributes == NULL ?
8424a034 7522 jne nt!PsCreateSystemThread+0xa8 (8424a058)
nt!PsCreateSystemThread+0x86:   // build default OBJECT_ATTRIBUTES
8424a036 c744241818000000 mov dword ptr [esp+18h],18h   // Length = 0x18
8424a03e 894c241c mov dword ptr [esp+1Ch],ecx   // RootDirectory = NULL
8424a042 c744242400020000 mov dword ptr [esp+24h],200h   // Attributes = 0x200 (OBJ_KERNEL_HANDLE)
8424a04a 894c2420 mov dword ptr [esp+20h],ecx   // ObjectName = NULL
8424a04e 894c2428 mov dword ptr [esp+28h],ecx   // SecurityDescriptor = NULL
8424a052 894c242c mov dword ptr [esp+2Ch],ecx   // SecurityQualityOfService = NULL
8424a056 eb13 jmp nt!PsCreateSystemThread+0xbb (8424a06b)
nt!PsCreateSystemThread+0xa8:   // copy the caller's OBJECT_ATTRIBUTES
8424a058 6a06 push 6
8424a05a 59 pop ecx   // ecx = 6 DWORDs
8424a05b 8d7c2418 lea edi,[esp+18h]
8424a05f f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
8424a061 814c242400020000 or dword ptr [esp+24h],200h   // force OBJ_KERNEL_HANDLE on the copy, whatever the caller asked
8424a069 33c9 xor ecx,ecx
nt!PsCreateSystemThread+0xbb:   // push the 12 PspCreateThread arguments, last first
8424a06b 51 push ecx   // arg12 = 0
8424a06c ff7520 push dword ptr [ebp+20h]   // arg11 = StartContext
8424a06f 33d2 xor edx,edx
8424a071 ff751c push dword ptr [ebp+1Ch]   // arg10 = StartRoutine
8424a074 51 push ecx   // arg9 = 0
8424a075 51 push ecx   // arg8 = 0
8424a076 ff742428 push dword ptr [esp+28h]   // arg7 = ClientId pointer (local esp+14h before these pushes)
8424a07a 33c9 xor ecx,ecx
8424a07c 50 push eax   // arg6 = &affinity block or 0
8424a07d 53 push ebx   // arg5 = PsInitialSystemProcess or 0
8424a07e ff74242c push dword ptr [esp+2Ch]   // arg4 = local ProcessHandle (esp+0Ch before these pushes)
8424a082 8d44243c lea eax,[esp+3Ch]   // eax = &OBJECT_ATTRIBUTES local (esp+18h before these pushes)
8424a086 50 push eax   // arg3
8424a087 ff750c push dword ptr [ebp+0Ch]   // arg2 = DesiredAccess
8424a08a ff74243c push dword ptr [esp+3Ch]   // arg1 = ThreadHandle (local esp+10h before these pushes)
8424a08e e8f4480400 call nt!PspCreateThread (8428e987)   // callee pops the 12 args (next instruction reads the cookie at esp+3Ch again); result stays in eax
8424a093 8b4c243c mov ecx,dword ptr [esp+3Ch]   // saved cookie
8424a097 5f pop edi
8424a098 5e pop esi
8424a099 5b pop ebx
8424a09a 33cc xor ecx,esp   // esp is back where it was at 84249fc0, so this recovers nt!__security_cookie
8424a09c e84704e7ff call nt!__security_check_cookie (840ba4e8)
8424a0a1 8be5 mov esp,ebp
8424a0a3 5d pop ebp
8424a0a4 c21c00 ret 1Ch   // stdcall: 7 DWORD arguments