|
如何利用映像回调(PsSetLoadImageNotifyRoutine)来拦截dll加载
以前搞过,方法是硬编码释放这个锁,就可以Protect了,完事儿再加上……不是很完美 |
|
[求助]PsGetContextThread的问题
你这代码,简直不忍直视。。。 首先,从Handle到Object,只需要ObRefrenceObjectByHandle就可以了,不需要Query再Lookup。。。。 其次,PsGetContextThread的第三个参数也不是你想怎么样就怎么样的,它的主要作用是,当参数是UserMode的时候,它会检查第二个输出缓冲区的地址是不是用户空间的有效地址。明显,虽然你给的context是来自于用户空间的,但是已经经过了映射,所以应该是算做内核空间地址(也就是说,context实际上是一个大于0x80000000的内核地址),这里应该用KernelMode。 还有这句: RtlMoveMemory_S(outputBuffer, &context, outputBufferLength); 你搞清楚输入输出的缓冲区关系再说吧,而且第三个参数怎么说也应该是sizeof(CONTEXT)吧? 最后给你贴个代码,我只能帮你到这儿了:

NTSTATUS
NtGetContextThread(
    __in HANDLE ThreadHandle,
    __inout PCONTEXT ThreadContext
    )

/*++

Routine Description:

    This function returns the usermode context of the specified thread.
    This function will fail if the specified thread is a system thread.
    It will return the wrong answer if the thread is a non-system thread
    that does not execute in user-mode.

Arguments:

    ThreadHandle - Supplies an open handle to the thread object from
        which to retrieve context information. The handle must allow
        THREAD_GET_CONTEXT access to the thread.

    ThreadContext - Supplies the address of a buffer that will receive
        the context of the specified thread.

Return Value:

    NTSTATUS. The failure status of ObReferenceObjectByHandle if the
    handle cannot be referenced with THREAD_GET_CONTEXT access,
    STATUS_INVALID_HANDLE if the handle refers to a system thread,
    otherwise the status returned by PsGetContextThread.

--*/

{
    KPROCESSOR_MODE Mode;
    NTSTATUS Status;
    PETHREAD Thread;
    PETHREAD CurrentThread;

    PAGED_CODE();

    //
    // Get previous mode and reference specified thread. The same Mode is
    // used for both the handle access check here and the buffer
    // validation inside PsGetContextThread below.
    //

    CurrentThread = PsGetCurrentThread ();
    Mode = KeGetPreviousModeByThread (&CurrentThread->Tcb);
    Status = ObReferenceObjectByHandle (ThreadHandle,
                                        THREAD_GET_CONTEXT,
                                        PsThreadType,
                                        Mode,
                                        &Thread,
                                        NULL);

    //
    // If the reference was successful, the check if the specified thread
    // is a system thread.
    //

    if (NT_SUCCESS (Status)) {

        //
        // If the thread is not a system thread, then attempt to get the
        // context of the thread.
        //
        // NOTE(review): Mode is the requestor's previous mode, so for a
        // user-mode caller ThreadContext is checked as a user address
        // (per the reply above, that is what the Mode argument controls).
        // A driver that passes KernelMode instead, because ThreadContext
        // is a system buffer it has already copied the request into,
        // takes that responsibility on itself: the pointer must then
        // really be kernel-owned, never a raw user-supplied address.
        //

        if (IS_SYSTEM_THREAD (Thread) == FALSE) {
            Status = PsGetContextThread (Thread, ThreadContext, Mode);

        } else {
            Status = STATUS_INVALID_HANDLE;
        }

        ObDereferenceObject (Thread);
    }

    return Status;
}
|
[求助]PsGetContextThread的问题
PsGetContextThread是这么用的? 难道不是这个样子? NTSTATUS PsGetContextThread( __in PETHREAD Thread, __inout PCONTEXT ThreadContext, __in KPROCESSOR_MODE Mode ) /*++ Routine Description: This function returns the usermode context of the specified thread. This function will fail if the specified thread is a system thread. It will return the wrong answer if the thread is a non-system thread that does not execute in user-mode. Arguments: Thread - Supplies a pointer to the thread object from which to retrieve context information. ThreadContext - Supplies the address of a buffer that will receive the context of the specified thread. Mode - Mode to use for validation checks. Return Value: None. --*/ 看楼主的参数,想调用的应该是这个函数吧: NTSTATUS NtGetContextThread( __in HANDLE ThreadHandle, __inout PCONTEXT ThreadContext ) /*++ Routine Description: This function returns the usermode context of the specified thread. This function will fail if the specified thread is a system thread. It will return the wrong answer if the thread is a non-system thread that does not execute in user-mode. Arguments: ThreadHandle - Supplies an open handle to the thread object from which to retrieve context information. The handle must allow THREAD_GET_CONTEXT access to the thread. ThreadContext - Supplies the address of a buffer that will receive the context of the specified thread. Return Value: None. --*/ 可惜这个函数没导出,ZwGetContextThread也没导出,所以不能直接这样用 但是PsGetContextThread是导出的,可以直接用,可是楼主好像没搞清楚参数 |
|
[原创][原创]个人对汇编级多线程的理解
问下楼主,单核CPU你准备怎么办? |
|
[求助]一个关机回写驱动,怎么清除
直接拔电源啊 |
|
|
|
[求助]求c语言定时器范例
#define _WIN32_WINNT 0x0500 #include <windows.h> #include <stdio.h> HANDLE gDoneEvent; VOID CALLBACK TimerRoutine(PVOID lpParam, BOOLEAN TimerOrWaitFired) { if (lpParam == NULL) { printf("TimerRoutine lpParam is NULL\n"); } else { // lpParam points to the argument; in this case it is an int printf("Timer routine called. Parameter is %d.\n", *(int*)lpParam); } SetEvent(gDoneEvent); } int main() { HANDLE hTimer = NULL; HANDLE hTimerQueue = NULL; int arg = 123; // Use an event object to track the TimerRoutine execution gDoneEvent = CreateEvent(NULL, TRUE, FALSE, NULL); if (NULL == gDoneEvent) { printf("CreateEvent failed (%d)\n", GetLastError()); return 1; } // Create the timer queue. hTimerQueue = CreateTimerQueue(); if (NULL == hTimerQueue) { printf("CreateTimerQueue failed (%d)\n", GetLastError()); return 2; } // Set a timer to call the timer routine in 10 seconds. if (!CreateTimerQueueTimer( &hTimer, hTimerQueue, (WAITORTIMERCALLBACK)TimerRoutine, &arg , 10000, 0, 0)) { printf("CreateTimerQueueTimer failed (%d)\n", GetLastError()); return 3; } // TODO: Do other useful work here printf("Call timer routine in 10 seconds...\n"); // Wait for the timer-queue thread to complete using an event // object. The thread will signal the event at that time. if (WaitForSingleObject(gDoneEvent, INFINITE) != WAIT_OBJECT_0) printf("WaitForSingleObject failed (%d)\n", GetLastError()); CloseHandle(gDoneEvent); // Delete all timers in the timer queue. if (!DeleteTimerQueue(hTimerQueue)) printf("DeleteTimerQueue failed (%d)\n", GetLastError()); return 0; } 以上内容来自MSDN |