KdDisableDebugger
NtReadVirtualMemory
NtWriteVirtualMemory
NtOpenProcess
NtOpenThread
ObOpenObjectByPointer
KeAttachProcess
GetContextThread
ObpGetObjectSecurity
ObAssignSecurity
ObpRemoveObjectRoutine
NtSetContextThread
NtGetContextThread
NtDeviceIoControlFile
NtWriteFile
NtOpenSection
NtProtectVirtualMemory
NtReadVirtualMemory
NtWriteVirtualMemory
KeStackAttachProcess
KiAttachProcess
KiMoveApcState
SwapContext
PsActiveProcessHead
PsInitialSystemProcess is a pointer to the EPROCESS of the System process. The member EPROCESS.ActiveProcessLinks.Blink of that structure points to PsActiveProcessHead.
ObCheckObjectAccess