Quote:
" If a Kernel component calls the ZwXxx version of a native API, all is well. The previous mode is set to Kernel and the credentials of the Kernel are used."
The ZwOpenProcess function in ntoskrnl.exe looks like this:
nt!ZwOpenProcess:
80826dc8 b87a000000      mov     eax,7Ah
80826dcd 8d542404        lea     edx,[esp+4]
80826dd1 9c              pushfd
80826dd2 6a08            push    8
80826dd4 e898ea0300      call    nt!KiSystemService (80865871)
80826dd9 c21000          ret     10h
Q: How can one tell from the code above that calling ZwOpenProcess from kernel mode sets Previous Mode to Kernel Mode (0) and then calls NtOpenProcess?
Thanks!
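As an added example that is not part of the original post: a small Python decoder for the stub listing above. It reads off the service number placed in eax, the selector pushed as the fake CS and the call target, and derives PreviousMode the way KiSystemService does on this x86 kernel, from the privilege level in the CS it finds in the trap frame (8 is the kernel code selector with RPL 0, hence KernelMode). The stub bytes and base address are the ones in the listing; the decoder assumes the fixed six-instruction Zw stub shape shown there.

```python
# Added example: decode the fixed-shape x86 Zw stub from the listing.
# Stub bytes and base address are copied from the post (nt!ZwOpenProcess).
ZW_OPEN_PROCESS_BASE = 0x80826DC8
ZW_OPEN_PROCESS_STUB = bytes.fromhex(
    "b87a000000"  # mov  eax, 7Ah           (system service number)
    "8d542404"    # lea  edx, [esp+4]       (pointer to the caller's arguments)
    "9c"          # pushfd                  (EFLAGS, as int 2Eh would push it)
    "6a08"        # push 8                  (fake CS: kernel code selector, RPL 0)
    "e898ea0300"  # call nt!KiSystemService (pushes return EIP: frame complete)
    "c21000"      # ret  10h                (pop 16 bytes of arguments)
)

KERNEL_MODE, USER_MODE = 0, 1  # KPROCESSOR_MODE values


def expect(stub: bytes, pos: int, opcode: bytes) -> None:
    """Fail loudly if the stub does not carry the expected opcode at pos."""
    if stub[pos:pos + len(opcode)] != opcode:
        raise ValueError(f"unexpected bytes at offset {pos}: {stub[pos:pos + 4].hex()}")


def decode_zw_stub(stub: bytes, base: int) -> dict:
    """Return service number, pushed CS, derived PreviousMode and call target."""
    info = {}
    expect(stub, 0, b"\xb8")                        # mov eax, imm32
    info["service_number"] = int.from_bytes(stub[1:5], "little")
    expect(stub, 5, b"\x8d\x54\x24\x04")            # lea edx, [esp+4]
    expect(stub, 9, b"\x9c")                        # pushfd
    expect(stub, 10, b"\x6a")                       # push imm8 (the fake CS)
    cs = stub[11]
    info["pushed_cs"] = cs
    # KiSystemService takes the CS from the trap frame and uses its requestor
    # privilege level (low 2 bits): 0 -> KernelMode, 3 -> UserMode.
    info["previous_mode"] = KERNEL_MODE if (cs & 3) == 0 else USER_MODE
    expect(stub, 12, b"\xe8")                       # call rel32
    rel = int.from_bytes(stub[13:17], "little", signed=True)
    info["call_target"] = (base + 17 + rel) & 0xFFFFFFFF  # relative to next insn
    expect(stub, 17, b"\xc2")                       # ret imm16
    info["arg_count"] = int.from_bytes(stub[18:20], "little") // 4
    return info


if __name__ == "__main__":
    d = decode_zw_stub(ZW_OPEN_PROCESS_STUB, ZW_OPEN_PROCESS_BASE)
    mode = "KernelMode" if d["previous_mode"] == KERNEL_MODE else "UserMode"
    print(f"service 0x{d['service_number']:x}, {d['arg_count']} args, "
          f"pushed CS 0x{d['pushed_cs']:x} -> PreviousMode {mode}, "
          f"dispatch via 0x{d['call_target']:08x}")
```

The computed call target 0x80865871 matches the KiSystemService address the debugger printed in the listing, which confirms the offsets used by the decoder.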