微软防止钩子注入的后门函数RegisterSystemThread

>>微软后门函数 RegisterSystemThread

>>原形
VOID STDCALL  RegisterSystemThread (DWORD flags, DWORD reserved)

>>等值定义

define RST_DONTJOURNALATTACH 0x00000002
define RST_DONTATTACHQUEUE   0x00000001  >>推测 查不出定义来!

;调用例子Windbg

if (bDisableJournaling) {
        // Disable journaling
        Rst = (RST)GetProcAddress( GetModuleHandle( "user32.dll" ), "RegisterSystemThread" );
        if (Rst) {
            (Rst) (RST_DONTJOURNALATTACH, 0);
        }
    }

>>作用:微软后门函数 用来阻止Hook入侵

>>相关函数

>>本函数没有导出 无法直接使用 是RegisterSystemThread的原型

VOID zzzRegisterSystemThread (DWORD dwFlags, DWORD dwReserved)
{
    PTHREADINFO ptiCurrent;

    UserAssert(dwReserved == 0);

    if (dwReserved != 0)
        return;

    ptiCurrent = PtiCurrent();

    if (dwFlags & RST_DONTATTACHQUEUE)
        ptiCurrent->TIF_flags |= TIF_DONTATTACHQUEUE;

    if (dwFlags & RST_DONTJOURNALATTACH) {
        ptiCurrent->TIF_flags |= TIF_DONTJOURNALATTACH;

        /*
         * If we are already journaling, then this queue was already
         * journal attached.  We need to unattach and reattach journaling
         * so that we are removed from the journal attached queues.
         */
        if (FJOURNALPLAYBACK() || FJOURNALRECORD()) {
            zzzJournalAttach(ptiCurrent, FALSE);
            zzzJournalAttach(ptiCurrent, TRUE);
        }
    }
}

而实际上 RegisterSystemThread的系统服务接口是以下函数

VOID RegisterSystemThread(
    DWORD dwFlags, DWORD dwReserved)
{
    NtUserCallTwoParam(dwFlags, dwReserved, SFI_ZZZREGISTERSYSTEMTHREAD);
}

库为user32.dll 未导出 需要动态获取!