Created
January 28, 2018 08:27
kd> dt nt!_PS_PROTECTED_TYPE
   PsProtectedTypeNone = 0n0
   PsProtectedTypeProtectedLight = 0n1
   PsProtectedTypeProtected = 0n2
   PsProtectedTypeMax = 0n3

kd> dt nt!_PS_PROTECTED_SIGNER
   PsProtectedSignerNone = 0n0
   PsProtectedSignerAuthenticode = 0n1
   PsProtectedSignerCodeGen = 0n2
   PsProtectedSignerAntimalware = 0n3
   PsProtectedSignerLsa = 0n4
   PsProtectedSignerWindows = 0n5
   PsProtectedSignerWinTcb = 0n6
   PsProtectedSignerWinSystem = 0n7
   PsProtectedSignerApp = 0n8
   PsProtectedSignerMax = 0n9

kd> dt nt!_PS_PROTECTION
   +0x000 Level : UChar
   +0x000 Type : Pos 0, 3 Bits
   +0x000 Audit : Pos 3, 1 Bit
   +0x000 Signer : Pos 4, 4 Bits

Before:

kd> dt nt!_EPROCESS ffffc88e809195c0 Protection.
   +0x6ca Protection :
      +0x000 Level : 0x31 '1'
      +0x000 Type : 0y001 // PsProtectedTypeProtectedLight
      +0x000 Audit : 0y0 // false
      +0x000 Signer : 0y0011 // PsProtectedSignerAntimalware

After:

kd> dt nt!_EPROCESS ffffc88e809195c0 Protection.
   +0x6ca Protection :
      +0x000 Level : 0x1 ''
      +0x000 Type : 0y001 // PsProtectedTypeProtectedLight
      +0x000 Audit : 0y0 // false
      +0x000 Signer : 0y0000 // PsProtectedSignerNone (!!!)
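
Added example (not part of the original gist): a small C decoder that unpacks a _PS_PROTECTION Level byte using the bit positions shown above and flags the "After" state, where a protected Type is paired with PsProtectedSignerNone. The ps_fields type, decode_level, check_level and the return codes are hypothetical names, and treating "protected type with no signer" as anomalous is an assumption based on the (!!!) in the dump.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the dt output above. */
enum { PsProtectedTypeNone = 0, PsProtectedTypeMax = 3 };
enum { PsProtectedSignerNone = 0, PsProtectedSignerMax = 9 };

static const char *const TYPE_NAMES[] = { "None", "ProtectedLight", "Protected" };
static const char *const SIGNER_NAMES[] = {
    "None", "Authenticode", "CodeGen", "Antimalware", "Lsa",
    "Windows", "WinTcb", "WinSystem", "App" };

/* Hypothetical helper type: the three fields unpacked from Level. */
typedef struct { unsigned type, audit, signer; } ps_fields;

/* Type: bits 0-2, Audit: bit 3, Signer: bits 4-7. */
ps_fields decode_level(uint8_t level) {
    ps_fields f = { level & 0x7u, (level >> 3) & 0x1u, (level >> 4) & 0xFu };
    return f;
}

/* 0 = consistent, 1 = field outside the enum range,
 * 2 = protected type with no signer (assumed anomalous; the "After" state). */
int check_level(uint8_t level) {
    ps_fields f = decode_level(level);
    if (f.type >= PsProtectedTypeMax || f.signer >= PsProtectedSignerMax)
        return 1;
    if (f.type != PsProtectedTypeNone && f.signer == PsProtectedSignerNone)
        return 2;
    return 0;
}

int main(void) {
    /* 0x31 and 0x01 are the Before/After bytes above; 0x00 is unprotected. */
    const uint8_t samples[] = { 0x31, 0x01, 0x00 };
    for (size_t i = 0; i < sizeof samples; i++) {
        ps_fields f = decode_level(samples[i]);
        int rc = check_level(samples[i]);
        printf("Level 0x%02x: Type=%s Audit=%u Signer=%s -> %s\n", samples[i],
               rc == 1 ? "?" : TYPE_NAMES[f.type], f.audit,
               rc == 1 ? "?" : SIGNER_NAMES[f.signer],
               rc == 0 ? "consistent" : rc == 1 ? "out of range"
                                                : "protected type, no signer");
    }
    return 0;
}
```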