Panda Antivirus 2008, updated to its latest version, ships the driver PavTPK.sys with a compile date of 2007.5.19.
The driver calls PsSetLoadImageNotifyRoutine to register an image-load callback located at PavTPK+0x21d0.
The rough call structure is as follows:
PavTPK+0x21d0_ImageLoadNotifyRoutine
|
------> PavTPK+0x1910_RaiseIrql
|
------> PavTPK+0x36f8_Call_PsCreateSystemThread
In the function at PavTPK+0x1910, PavTPK.sys calls hal!KfRaiseIrql to raise the IRQL of the current thread:
aac29a32 b902040000 mov ecx,402h
Then, in PavTPK+0x36f8, PavTPK.sys calls PsCreateSystemThread to create a system thread.
MSDN states that PsCreateSystemThread must not be executed at any IRQL other than PASSIVE_LEVEL:
The PsCreateSystemThread routine creates a system thread that executes in kernel mode and returns a handle for the thread.
Requirements
IRQL: PASSIVE_LEVEL
Headers: Declared in wdm.h. Include wdm.h, ntddk.h, or ntifs.h.
In addition, on Windows 2000 PsCreateSystemThread must not be called outside the System process context, so calling PsCreateSystemThread from an image-load notify routine is wrong for that reason as well.
Calling PsCreateSystemThread at elevated IRQL breaks at least one further rule, MSDN's definition of the thread-creation notify routine:
The MSDN documentation for PsSetCreateThreadNotifyRoutine states explicitly:
When it is called, the driver's thread-creation notify routine runs at IRQL = PASSIVE_LEVEL either in the context of the newly created thread or in the context of the exiting thread.
In other words, the chain PsCreateSystemThread -> PspCreateThread -> the registered thread-creation notify routines must run entirely at PASSIVE_LEVEL; calling PsCreateSystemThread at elevated IRQL clearly violates this rule.
Recommendation: change the driver's logic so that it does not create system threads with PsCreateSystemThread from within the image-load callback.
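As an added illustration (not code from the post or from the Panda driver), the following user-mode C model mirrors the IRQL rule discussed above: a mock PsCreateSystemThread rejects calls made above PASSIVE_LEVEL, the way Driver Verifier would flag them, and the corrected callback defers thread creation to a work item instead of creating the thread inline. All mock_* functions, the status value and the work queue are assumptions of the model, not real kernel APIs.

```c
/* Constructed model of the IRQL discipline around PsCreateSystemThread.
 * Every mock_* routine stands in for the kernel API of the same name. */
#define PASSIVE_LEVEL  0
#define DISPATCH_LEVEL 2
#define STATUS_SUCCESS 0
#define MOCK_STATUS_IRQL_TOO_HIGH (-1)   /* constructed status, not a real NTSTATUS */

typedef unsigned char KIRQL;
typedef long NTSTATUS;
typedef void (*work_fn)(void);

static KIRQL g_irql = PASSIVE_LEVEL;   /* IRQL of the current processor in the model */
static int   g_threads_created = 0;
static work_fn g_work_queue[8];
static int   g_work_count = 0;

static KIRQL mock_KfRaiseIrql(KIRQL new_irql) { KIRQL old = g_irql; g_irql = new_irql; return old; }
static void  mock_KfLowerIrql(KIRQL old_irql) { g_irql = old_irql; }

/* Enforces the MSDN requirement quoted above: PASSIVE_LEVEL only. */
static NTSTATUS mock_PsCreateSystemThread(void) {
    if (g_irql != PASSIVE_LEVEL) return MOCK_STATUS_IRQL_TOO_HIGH;
    g_threads_created++;
    return STATUS_SUCCESS;
}

/* Stand-in for ExQueueWorkItem plus the system worker thread that drains it. */
static void mock_QueueWorkItem(work_fn fn) { g_work_queue[g_work_count++] = fn; }
void run_system_worker(void) {          /* worker runs at PASSIVE_LEVEL in System context */
    for (int i = 0; i < g_work_count; i++) g_work_queue[i]();
    g_work_count = 0;
}

/* Pattern the post describes: raise IRQL inside the image-load callback, then create a thread. */
NTSTATUS buggy_ImageLoadNotifyRoutine(void) {
    KIRQL old = mock_KfRaiseIrql(DISPATCH_LEVEL);
    NTSTATUS st = mock_PsCreateSystemThread();   /* rejected: IRQL too high */
    mock_KfLowerIrql(old);
    return st;
}

static void create_thread_work(void) { (void)mock_PsCreateSystemThread(); }

/* Corrected pattern: the callback only queues work; the thread is created later
 * by the worker at PASSIVE_LEVEL, outside the image-load notification path. */
NTSTATUS fixed_ImageLoadNotifyRoutine(void) {
    mock_QueueWorkItem(create_thread_work);
    return STATUS_SUCCESS;
}

int   threads_created(void) { return g_threads_created; }
KIRQL current_irql(void)    { return g_irql; }
```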