NTAPI NTSTATUS RtlQueryProtectedPolicy(GUID *, PDWORD out_flag);
Lets see how it works:loc_6A277EFB: ; CODE XREF: RtlQueryProtectedPolicy(x,x)+12 j
push edi
mov edi, offset _RtlpProtectedPoliciesSRWLock
push edi
call _RtlAcquireSRWLockShared@4 ; RtlAcquireSRWLockShared(x)
push offset _RtlpSearchProtectedPolicyEntry ; PtFuncCompare
push 14h ; SizeOfElements
push ds:_RtlpProtectedPoliciesActiveCount ; NumOfElements
push ds:_RtlpProtectedPolicies ; Base
push [ebp+Key] ; Key
call _bsearch
That policies stored in array RtlpProtectedPolicies, count located in RtlpProtectedPoliciesActiveCount and size of each policy is 0x14 bytes (0x18 under x64), so each policy looks like struct:
struct protected_policy
{
IID guid;
DWORD flag;
};
Lets see from where RtlQueryProtectedPolicy called
ntdll.dll:
- from RtlpAddVectoredHandler with GUID {1FC98BCA-1BA9-4397-93F9-349EAD41E057}
- from RtlGuardCheckLongJumpTarget with GUID {4F6AE3A6-8B1B-4623-A293-294CD743BBD1}
- from CheckForReadOnlyResourceFilter with GUID GUID_BasepAllowResourceConversion {739C343A-F3E1-4ED8-AC66-8435FEB7C5A5}
- from QueryProtectedPolicy function
so what?
ОтветитьУдалить