
WinDbg preview debug analysis createtoolhelp32snapshot

2022-06-12 13:56:00 HyperCall

When a process is hidden, it is not CreateToolhelp32Snapshot that gets hooked; what gets hooked is ZwQuerySystemInformation. I wrote a small program that calls CreateToolhelp32Snapshot to list processes and traced it, and along the way this shows how WinDbg Preview is used.

1.
Search for WinDbg Preview in the Microsoft Store and download it. The interface is much better than the classic version, with more functional panes and all sorts of conveniences; recommended! When debugging the kernel it apparently needs to be started with administrator privileges.

TIPS
If the pdb files have not been downloaded, download them in advance and set the pdb directory in the environment variable; search Baidu for the usual WinDbg environment variable setup tutorial.

2.
File -> Open executable (taskmgr.exe; the source code is attached) -> the debugger breaks automatically, but the break is not at the program's entry point (EP): it stops inside ntdll, so we have to get to the EP code and break there manually.
Enter: !dh taskmgr to view the PE structure of taskmgr:

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
       6 number of sections
5B0982F3 time date stamp Sat May 26 23:53:23 2018

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
   14.14 linker version
    1600 size of code
    2400 size of initialized data
       0 size of uninitialized data
    184C address of entry point                     // Entry point offset 
    1000 base of code
         ----- new -----
..........................

In OPTIONAL HEADER VALUES, the address of entry point field gives the entry point offset (an RVA).
So the EP code address = taskmgr base address + 184C.
Enter g taskmgr+184C
Execution now stops at the EP code.
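As an added example (not code from the post, and not the author's taskmgr.exe), here is a small C parser that reads the same header fields !dh printed above and computes the EP address the way the post does by hand; the header bytes are constructed to match the !dh output, and the module base 0x7ff642540000 used below is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fields that WinDbg's !dh prints from the FILE and OPTIONAL headers. */
struct pe_info {
    uint16_t machine;     /* 0x8664 = X64 */
    uint16_t sections;
    uint16_t magic;       /* 0x20B = PE32+ */
    uint32_t entry_rva;   /* "address of entry point": an RVA, not an address */
    uint32_t base_of_code;
};
/* Little-endian field accessors so the parser works on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
/* MZ -> e_lfanew -> "PE\0\0" -> file header -> optional header; 0 on success, -1 if malformed. */
int pe_parse(const uint8_t *img, size_t len, struct pe_info *out) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;           /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                              /* e_lfanew */
    if (pe > len || len - pe < 4 + 20 + 24) return -1;           /* sig + file hdr + used opt hdr */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *fh = img + pe + 4;                            /* IMAGE_FILE_HEADER, 20 bytes */
    const uint8_t *oh = fh + 20;                                 /* IMAGE_OPTIONAL_HEADER64 */
    out->machine      = rd16(fh);
    out->sections     = rd16(fh + 2);
    out->magic        = rd16(oh);
    out->entry_rva    = rd32(oh + 16);
    out->base_of_code = rd32(oh + 20);
    return 0;
}
/* EP code address = module base + entry RVA, the sum the post does by hand (g taskmgr+184C). */
uint64_t pe_entry_va(uint64_t module_base, const struct pe_info *pi) {
    return module_base + pi->entry_rva;
}
/* Constructed sample (not a real file) carrying the values shown in the post's !dh output. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    if (cap < 0xB0) return 0;                      /* returns bytes written, 0 if cap too small */
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                        /* e_lfanew: NT headers start at 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *fh = buf + 0x84, *oh = fh + 20;
    wr16(fh, 0x8664); wr16(fh + 2, 6);             /* machine (X64), 6 sections */
    wr16(fh + 16, 0xF0); wr16(fh + 18, 0x22);      /* size of optional header, characteristics */
    wr16(oh, 0x20B); wr32(oh + 4, 0x1600);         /* magic PE32+, size of code */
    wr32(oh + 16, 0x184C); wr32(oh + 20, 0x1000);  /* address of entry point, base of code */
    return 0xB0;
}
```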

3.
Since we have the PDB file, enter bp taskmgr!main directly, then g again, and we arrive at the main function.
There we find:
00007ff64254108c ff156e1f0000 call qword ptr [taskmgr!_imp_CreateToolhelp32Snapshot (00007ff642543000)]
Follow it and step into KERNEL32!CreateToolhelp32Snapshot.
Then enter bp ntdll!ZwQuerySystemInformation to set a breakpoint on ZwQuerySystemInformation, so that the program does not run away.

After careful tracing, at KERNEL32!CreateToolhelp32Snapshot+0x103 there is a
call KERNEL32!ThpCreateRawSnap, which we step into.
At KERNEL32!ThpCreateRawSnap+0xcb there is a call to
KERNEL32!_imp_NtQuerySystemInformation
This is the key: following it leads to ZwQuerySystemInformation.

Original article: https://yzsam.com/2022/03/202203010514053839.html

Copyright notice
This article was written by HyperCall; when reposting, please include the original link. Thanks.