前言

这几天在看WRK的时候，偶然间发现的一个东西，逆向之后，发现了个僵尸进程的玩法。目前菜鸡一枚，有说的不准确的地方，请大家多多指正！

被忽略的RundownProtection

看过WRK的同学们应该对这个属性不陌生，每当要对某个进程进行操作的时候，总会有一个属性检查，贴上部分代码

ProcessToLock = FromProcess;if (FromProcess == PsGetCurrentProcess()) {ProcessToLock = ToProcess;}//// Make sure the process still has an address space.//if (ExAcquireRundownProtection (&ProcessToLock->RundownProtect) == FALSE) {return STATUS_PROCESS_IS_TERMINATING;}

这是RundownProtect的结构体，可以看到在正常情况下是为0的

  [Type: _EX_RUNDOWN_REF][+0x000] Count            : 0x0 [Type: unsigned __int64][+0x000] Ptr              : 0x0 [Type: void *]

看到WRK的注释之后，便欲探索一下ExAcquireRundownProtection 。

ExAcquireRundownProtection

.text:00000001400FA630 48 8B 01                                      mov     rax, [rcx]
.text:00000001400FA633 A8 01                                         test    al, 1           ; 判断RunRef.count的位0是否为1，等于则跳转
.text:00000001400FA635 75 13                                         jnz     short loc_1400FA64A ; 返回FALSE
.text:00000001400FA635
.text:00000001400FA637 44 8D 04 12                                   lea     r8d, [rdx+rdx]  ; 参数
.text:00000001400FA637
.text:00000001400FA63B
.text:00000001400FA63B                               loc_1400FA63B:                          ; CODE XREF: ExAcquireRundownProtectionEx+18↓j
.text:00000001400FA63B 49 8D 14 00                                   lea     rdx, [r8+rax]   ; 参数
.text:00000001400FA63F F0 48 0F B1 11                                lock cmpxchg [rcx], rdx ; Compare and Exchange
.text:00000001400FA644 74 07                                         jz      short loc_1400FA64D ; 返回TRUE
.text:00000001400FA644
.text:00000001400FA646 A8 01                                         test    al, 1           ; Logical Compare
.text:00000001400FA648 74 F1                                         jz      short loc_1400FA63B ; 循环
.text:00000001400FA648
.text:00000001400FA64A
.text:00000001400FA64A                               loc_1400FA64A:                          ; CODE XREF: ExAcquireRundownProtectionEx+5↑j
.text:00000001400FA64A 32 C0                                         xor     al, al          ; 返回FALSE
.text:00000001400FA64C C3                                            retn                    ; Return Near from Procedure
.text:00000001400FA64C
.text:00000001400FA64D                               ; ---------------------------------------------------------------------------
.text:00000001400FA64D
.text:00000001400FA64D                               loc_1400FA64D:                          ; CODE XREF: ExAcquireRundownProtectionEx+14↑j
.text:00000001400FA64D B0 01                                         mov     al, 1           ; 返回TRUE
.text:00000001400FA64F C3                                            retn                    ; Return Near from Procedure

经过一番逆向后，发现当RundownProtection的第一个成员的第零位（二进制）为0时，则函数返回TRUE，否则返回FALSE。

应用

如果我们修改RundownProtect为1，那么是否可以实现任何API访问此进程都失败呢，接下来做一下实验。

kd> dt _EPROCESS fffffa8002402710
nt!_EPROCESS+0x000 Pcb              : _KPROCESS+0x160 ProcessLock      : _EX_PUSH_LOCK+0x168 CreateTime       : _LARGE_INTEGER 0x01d7a08a`1c139093+0x170 ExitTime         : _LARGE_INTEGER 0x0+0x178 RundownProtect   : _EX_RUNDOWN_REF+0x180 UniqueProcessId  : 0x00000000`0000057c Void+0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`02b6e5b8 - 0xfffffa80`027b1528 ]+0x198 ProcessQuotaUsage : [2] 0x2680+0x1a8 ProcessQuotaPeak : [2] 0x2c20+0x1b8 CommitCharge     : 0x1f8+0x1c0 QuotaBlock       : 0xfffffa80`010724c0 _EPROCESS_QUOTA_BLOCK+0x1c8 CpuQuotaBlock    : (null) +0x1d0 PeakVirtualSize  : 0x6002000+0x1d8 VirtualSize      : 0x50e7000+0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0xfffffa80`02af5b40 - 0xfffffa80`027b1580 ]+0x1f0 DebugPort        : (null) +0x1f8 ExceptionPortData : 0xfffffa80`01fd5c90 Void+0x1f8 ExceptionPortValue : 0xfffffa80`01fd5c90+0x1f8 ExceptionPortState : 0y000+0x200 ObjectTable      : 0xfffff8a0`021b6d70 _HANDLE_TABLE+0x208 Token            : _EX_FAST_REF+0x210 WorkingSetPage   : 0x22102+0x218 AddressCreationLock : _EX_PUSH_LOCK+0x220 RotateInProgress : (null) +0x228 ForkInProgress   : (null) +0x230 HardwareTrigger  : 0+0x238 PhysicalVadRoot  : 0xfffffa80`00d95bc0 _MM_AVL_TABLE+0x240 CloneRoot        : (null) +0x248 NumberOfPrivatePages : 0x18c+0x250 NumberOfLockedPages : 0+0x258 Win32Process     : 0xfffff900`c2ffd010 Void+0x260 Job              : 0xfffffa80`00d27220 _EJOB+0x268 SectionObject    : 0xfffff8a0`02aeb6e0 Void+0x270 SectionBaseAddress : 0x00000000`00400000 Void+0x278 Cookie           : 0xf2b3718a+0x27c UmsScheduledThreads : 0+0x280 WorkingSetWatch  : (null) +0x288 Win32WindowStation : 0x00000000`0000005c Void+0x290 InheritedFromUniqueProcessId : 0x00000000`00000524 Void+0x298 LdtInformation   : (null) +0x2a0 Spare            : (null) +0x2a8 ConsoleHostProcess : 0+0x2b0 DeviceMap        : 0xfffff8a0`015bff10 Void+0x2b8 EtwDataSource    : (null) +0x2c0 FreeTebHint      : 0x00000000`7efa0000 Void+0x2c8 FreeUmsTebHint   : 0x00000001`00000000 Void+0x2d0 PageDirectoryPte : _HARDWARE_PTE+0x2d0 Filler           : 0+0x2d8 Session          : 0xfffff880`009c9000 Void+0x2e0 ImageFileName    : [15]  "Dbgview.exe"+0x2ef PriorityClass    : 0x2 ''+0x2f0 JobLinks         : _LIST_ENTRY [ 0xfffffa80`00d27248 - 0xfffffa80`00d27248 ]+0x300 LockedPagesList  : (null) +0x308 ThreadListHead   : _LIST_ENTRY [ 0xfffffa80`024b6f80 - 0xfffffa80`02515860 ]+0x318 SecurityPort     : (null) +0x320 Wow64Process     : 0x00000000`7efde000 Void+0x328 ActiveThreads    : 3+0x32c ImagePathHash    : 0xdecf2e47+0x330 DefaultHardErrorProcessing : 1+0x334 LastThreadExitStatus : 0n0+0x338 Peb              : 0x00000000`7efdf000 _PEB+0x340 PrefetchTrace    : _EX_FAST_REF+0x348 ReadOperationCount : _LARGE_INTEGER 0x0+0x350 WriteOperationCount : _LARGE_INTEGER 0x0+0x358 OtherOperationCount : _LARGE_INTEGER 0x0+0x360 ReadTransferCount : _LARGE_INTEGER 0x0+0x368 WriteTransferCount : _LARGE_INTEGER 0x0+0x370 OtherTransferCount : _LARGE_INTEGER 0x0+0x378 CommitChargeLimit : 0+0x380 CommitChargePeak : 0x226+0x388 AweInfo          : (null) +0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO+0x398 Vm               : _MMSUPPORT+0x420 MmProcessLinks   : _LIST_ENTRY [ 0xfffffa80`02b6e850 - 0xfffffa80`027b17c0 ]+0x430 HighestUserAddress : 0x00000000`7fff0000 Void+0x438 ModifiedPageCount : 7+0x43c Flags2           : 0x2d014+0x43c JobNotReallyActive : 0y0+0x43c AccountingFolded : 0y0+0x43c NewProcessReported : 0y1+0x43c ExitProcessReported : 0y0+0x43c ReportCommitChanges : 0y1+0x43c LastReportMemory : 0y0+0x43c ReportPhysicalPageChanges : 0y0+0x43c HandleTableRundown : 0y0+0x43c NeedsHandleRundown : 0y0+0x43c RefTraceEnabled  : 0y0+0x43c NumaAware        : 0y0+0x43c ProtectedProcess : 0y0+0x43c DefaultPagePriority : 0y101+0x43c PrimaryTokenFrozen : 0y1+0x43c ProcessVerifierTarget : 0y0+0x43c StackRandomizationDisabled : 0y1+0x43c AffinityPermanent : 0y0+0x43c AffinityUpdateEnable : 0y0+0x43c PropagateNode    : 0y0+0x43c ExplicitAffinity : 0y0+0x440 Flags            : 0x144d0801+0x440 CreateReported   : 0y1+0x440 NoDebugInherit   : 0y0+0x440 ProcessExiting   : 0y0+0x440 ProcessDelete    : 0y0+0x440 Wow64SplitPages  : 0y0+0x440 VmDeleted        : 0y0+0x440 OutswapEnabled   : 0y0+0x440 Outswapped       : 0y0+0x440 ForkFailed       : 0y0+0x440 Wow64VaSpace4Gb  : 0y0+0x440 AddressSpaceInitialized : 0y10+0x440 SetTimerResolution : 0y0+0x440 BreakOnTermination : 0y0+0x440 DeprioritizeViews : 0y0+0x440 WriteWatch       : 0y0+0x440 ProcessInSession : 0y1+0x440 OverrideAddressSpace : 0y0+0x440 HasAddressSpace  : 0y1+0x440 LaunchPrefetched : 0y1+0x440 InjectInpageErrors : 0y0+0x440 VmTopDown        : 0y0+0x440 ImageNotifyDone  : 0y1+0x440 PdeUpdateNeeded  : 0y0+0x440 VdmAllowed       : 0y0+0x440 CrossSessionCreate : 0y0+0x440 ProcessInserted  : 0y1+0x440 DefaultIoPriority : 0y010+0x440 ProcessSelfDelete : 0y0+0x440 SetTimerResolutionLink : 0y0+0x444 ExitStatus       : 0n259+0x448 VadRoot          : _MM_AVL_TABLE+0x488 AlpcContext      : _ALPC_PROCESS_CONTEXT+0x4a8 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]+0x4b8 RequestedTimerResolution : 0+0x4bc ActiveThreadsHighWatermark : 6+0x4c0 SmallestTimerResolution : 0+0x4c8 TimerResolutionStackRecord : (null) 

我们看到0x178偏移处，找到了RundownProtect这个属性，接着修改为1（第0位为0的数皆可）。

kd> ed fffffa8002402710+178 1

接着我们进入虚拟机查看效果

程序正常运行，不会PG。
（测试环境Win7 X64 7600）

总结

这个函数还有很多用处，例如多线程同步等等，还有就是…做完才发现，已经有大佬发过这个思路了~
更早的一篇