SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry 80 (ZwOpenThread) hooked BA800096 !
SDT entry C1 (ZwReplaceKey) hooked BA800138 !
SDT entry CC (ZwRestoreKey) hooked BA80016E !
SDT entry ED (ZwSetSecurityObject) hooked BA800102 !
Process notifiers:
  [0] B9BB78D0 cz_cota.sys
Registry notifiers:
  [0] B9BBCC10 cz_cota.sys
IopNotifyLastChanceShutdownQueueHead:
  [0] DevObj 8AF07F18 Drv 8AF2CB40 \??\C:\WINDOWS\system32\Drivers\cz_ddall.sys
And new fltmgr instance:
INSTANCE 8AA5F720:
  IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: 8AA5F864
    PreOperation: B9718EE0 cz_cotam.sys
    PostOperation: 00000000
  IRP_MJ_CREATE: 8AA5F8AC
    PreOperation: B9719270 cz_cotam.sys
    PostOperation: 00000000
  IRP_MJ_WRITE: 8AA5F894
    PreOperation: B9719020 cz_cotam.sys
    PostOperation: 00000000
  IRP_MJ_SET_INFORMATION: 8AA5F87C
    PreOperation: B9718F50 cz_cotam.sys
    PostOperation: B9718FA0 cz_cotam.sys
  IRP_MJ_CLEANUP: 8AA5F8C4
    PreOperation: B9718FD0 cz_cotam.sys
    PostOperation: B9719000 cz_cotam.sys
INSTANCE 8AAA2008:
  IRP_MJ_CREATE: 8AAA214C
    PreOperation: B9BC3AE0 cz_cota.sys
    PostOperation: B9BC3A40 cz_cota.sys
  IRP_MJ_SET_INFORMATION: 8AAA2164
    PreOperation: B9BC3930 cz_cota.sys
    PostOperation: 00000000