相关知识点
- syscall 指令的机器码（操作码）为 `0f 05`
- syscall 系统调用号表在不同的 Windows 版本中不一样，具体可以查看 Windows X86-64 System Call Table (XP/2003/Vista/7/8/10/11 and Server)
以下代码主要记录 NtCreateThreadEx 和 NtTerminateProcess 两个系统调用接口的 ASM 实现与调用方式。
汇编代码
.code
NtCreateThreadEx proc
; Direct x64 system-call stub. Follows the Windows x64 syscall register
; protocol: r10 receives the first argument (rcx is clobbered by the
; syscall instruction), eax receives the service number.
mov r10, rcx
; 0C7h is the NtCreateThreadEx service number for one specific Windows
; build only. The number is not stable across versions (see the syscall
; table referenced above), so it must be re-verified for every target
; build; on a build with a different table this invokes some other service.
; Note: a syscall issued from an image other than ntdll.dll is an anomaly
; that host-monitoring tooling commonly flags.
mov eax, 0C7h
syscall
ret
NtCreateThreadEx endp
NtTerminateProcess proc
; Same stub shape as NtCreateThreadEx above: r10 receives the first
; argument (ProcessHandle), eax the service number, then the kernel is
; entered.
mov r10, rcx
; 02Ch is the NtTerminateProcess service number for one specific Windows
; build; it is not stable across versions, so verify it against the
; syscall table for the target build before relying on it.
mov eax, 02Ch
syscall
ret
NtTerminateProcess endp
end
如何调用
// 使用前需要先声明函数原型
// The prototypes must match the argument order the assembly stubs pass
// through untouched; both return NTSTATUS, where a negative value means
// failure (NT_SUCCESS is status >= 0).
// Note: the native headers spell ObjectAttributes as POBJECT_ATTRIBUTES and
// AttributeList as PPS_ATTRIBUTE_LIST; LPVOID is used here as an
// ABI-compatible stand-in (both are pointers).
EXTERN_C NTSTATUS NtCreateThreadEx(
OUT PHANDLE ThreadHandle,            // receives the new thread handle on success
IN ACCESS_MASK DesiredAccess,
IN LPVOID ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,             // process in which the thread is created
IN PVOID StartRoutine,
IN PVOID Argument OPTIONAL,
IN ULONG CreateFlags,
IN SIZE_T ZeroBits,
IN SIZE_T StackSize,
IN SIZE_T MaximumStackSize,
IN LPVOID AttributeList OPTIONAL);
// ProcessHandle needs PROCESS_TERMINATE access; ExitStatus becomes the
// terminated process's exit code.
EXTERN_C NTSTATUS NtTerminateProcess(
HANDLE ProcessHandle,
NTSTATUS ExitStatus
);
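// call NtTerminateProcess
// Request only the right the call needs (NtTerminateProcess requires
// PROCESS_TERMINATE) instead of PROCESS_ALL_ACCESS, and do not mark the
// handle inheritable, so it cannot leak into any child process.
HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
if (handle)
{
    NTSTATUS status = NtTerminateProcess(handle, 1);
    cout << GREEN << "Kill:" << pid << " | Result:" << status << WHITE << endl;
    // The original snippet leaked this handle; it is not needed once the
    // call has returned.
    CloseHandle(handle);
}
else
{
    cout << RED << "GetLastError(" << GetLastError() << ")\n" << WHITE << endl;
}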
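// call NtCreateThreadEx
// The original snippet ignored the return status and never released the
// thread handle. Check the NTSTATUS (failure is negative) and close the
// handle once it is no longer needed; closing it does not affect the
// running thread.
HANDLE hthread = nullptr;
NTSTATUS create_status = NtCreateThreadEx(&hthread, GENERIC_EXECUTE, nullptr, hproc, ThreadProc, nullptr, FALSE, 0, 0, 0, nullptr);
if (create_status >= 0 && hthread != nullptr)  // NT_SUCCESS(create_status)
{
    CloseHandle(hthread);
}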
// function ThreadProc
/// Thread entry point handed to NtCreateThreadEx as StartRoutine.
/// Prints the id of the thread it runs on and exits with code 0.
/// @param prarm  Thread argument supplied at creation; not used here.
/// @return Always 0 (the thread's exit code).
DWORD WINAPI ThreadProc(LPVOID prarm)
{
    const DWORD current_tid = GetCurrentThreadId();
    std::cout << "thead id:" << current_tid << std::endl;
    return 0;
}