|
[推荐]反键盘记录软件PrivacyKeyboard,超牛,各位大牛都进来试试能不能突破!
http://bbs.pediy.com/showthread.php?t=107137&highlight= 楼主你试试这个驱动可不可以,我系统没装还原软件,这软件和我的系统有冲突,玩不来, |
|
我毕业想从事系统安全或杀毒软件的行业 请问我应该学什么?
我很怀疑研究生专业方向有 逆向工程 这个 |
|
[推荐]反键盘记录软件PrivacyKeyboard,超牛,各位大牛都进来试试能不能突破!
我服了,一个破软件,安装了还卸不了,弄得键盘输入全部丢失,只有重装,浪费了半天 |
|
[推荐]反键盘记录软件PrivacyKeyboard,超牛,各位大牛都进来试试能不能突破!
你们能安装成功?初始化错误,本来想截个屏的,结果让它给屏蔽了,来了个大大的 stop 图标 |
|
弄过IATHOOK的进来帮忙解决个问题,100分求助
我顶sssss |
|
硬编码问题
哦,还少了个源文件的定义,pdte->FullDllName,换成 ntopenprocess所在模块的原始文件的全路径就ok了 |
|
硬编码问题
UCHAR CodeBuff[10]; status = ZwQuerySystemInformation(SystemModuleInformation,NULL,0,&length); if (status == STATUS_INFO_LENGTH_MISMATCH) { SysInfo = ExAllocatePool(NonPagedPool,length); if (NULL == SysInfo) { return; } } status = ZwQuerySystemInformation(SystemModuleInformation,SysInfo,length,&length); pSmi = (PSYSTEM_MODULE_INFORMATION)((char*)SysInfo+4); kBase = (ULONG)(pSmi->Base); kSize = (ULONG)(pSmi->Size); InitializeObjectAttributes ( &ob, &pdte->FullDllName, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = ZwOpenFile( &hFile, FILE_READ_ACCESS, &ob, &IoStatusBlock, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT ); ob.ObjectName = NULL; status = ZwCreateSection( &hSection, SECTION_MAP_EXECUTE, &ob, 0, PAGE_EXECUTE, SEC_IMAGE, hFile ); size = 0; status = ZwMapViewOfSection( hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE ); mBase = ExAllocatePool (NonPagedPool, size); RtlCopyMemory (mBase, BaseAddress, size); DosHead = (PIMAGE_DOS_HEADER)mBase; NtHeads = (PIMAGE_NT_HEADERS)((ULONG)DosHead + DosHead->e_lfanew); ExportDir = (PIMAGE_EXPORT_DIRECTORY)((PUCHAR)mBase + NtHeads->OptionalHeader.DataDirectory[0].VirtualAddress); RelocDir = (PIMAGE_BASE_RELOCATION)((ULONG)mBase + NtHeads->OptionalHeader.DataDirectory[5].VirtualAddress); Name = mBase + ExportDir->AddressOfNames; Ordinal = mBase + ExportDir->AddressOfNameOrdinals; Function = mBase + ExportDir->AddressOfFunctions; if (RelocDir != NULL) { while (RelocDir->VirtualAddress != 0 || RelocDir->SizeOfBlock != 0) { FixAddrBase = RelocDir->VirtualAddress + (ULONG)mBase; RelocSize = (RelocDir->SizeOfBlock - 8)/2; for ( i = 0; i < RelocSize; i++) { Temp = *(PUSHORT)((ULONG)RelocDir + sizeof (IMAGE_BASE_RELOCATION) + i * 2); if ( (Temp & 0xF000) == 0x3000) { Temp &= 0x0FFF; FixAddr = FixAddrBase + (ULONG)Temp; *(PULONG)FixAddr = *(PULONG)FixAddr + (ULONG)kBase - (ULONG)NtHeads->OptionalHeader.ImageBase; } } RelocDir = (ULONG)RelocDir + RelocDir->SizeOfBlock; } 
} for (i = 0; i < ExportDir->NumberOfNames; i++) { SystemFunName = (PCHAR)(*(PULONG)(Name + i * 4) + (ULONG)Base); index = *((PUSHORT)(Ordinal + i * 2)); Address = *((PULONG)(Function + index * 4)); if (Flag == 0) { if (!stricmp ("NtOpenProcess", SystemFunName)) { break; } } } memcopy (CodeBuff, Address + mBase, 10); //到这里就获得了原始ntopenprocess函数开头10字节代码 MyNtOpenProcessAdddress = MyNtProcessBorn (CodeBuff); //好了,什么都有了,ssdthook就ok了 ULONG MyNtProcessBorn (PUCHAR CodeBuff) { PUCHAR Temp; ULONG myntopenprocessaddress; myntopenprocessaddress = ExAllocatePool (NonPagedPool, 15); memcpy (myntprocessaddress, CodeBuff, 10); Temp = (PUCHAR)myntprocessaddress + 10; *(PUCHAR)Temp = 0xE9; Temp += 1; offset = (ULONG)realntopenprocessaddress - (ULONG)Temp - 4; *(PULONG)Temp = offset; return myntopenprocessaddress; } |
|
[求助]帮忙看看这段重定位代码有没有问题
高估zwmapviewofsection的能力了,简单了 |
|
硬编码问题
有方法,看看这个函数是哪个模块导出的,然后自己加载该模块,根据导出表找到 xxopenprocess原始代码的所在位置,读取开头的10个字节,放在你自己的函数里面 怎么放进你的函数,你可以自己申请一段内存,然后在内存里生成你的函数代码,再把这10个字节填充到相应位置 |
|
SSDT HOOK问题.
NtHookSSDT proc pushad mov eax,KeServiceDescriptorTable mov esi,[eax] 获得KeServiceDescriptorTable结构 mov esi,[esi] 获得KeServiceDescriptorTable.ServiceTableBase的地址 invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("ZwOpenProcess") inc eax movzx ecx,byte ptr[eax] 获得"ZwOpenProcess"的系统服务号 i sal ecx,2 add esi,ecx ( KeServiceDescriptorTable.ServiceTableBase + ecx * 4) 获得ZwOpenProcess的函数地址 mov dwZwOpenProcess_Addr,esi mov edi,dword ptr[esi] mov OriginalZwOpenProcess,edi mov edi,offset NewZwOpenProcess cli mov eax,cr0 xor eax,10000h mov cr0,eax mov dword ptr[esi],edi mov eax, cr0 xor eax,10000h mov cr0, eax sti popad ret NtHookSSDT endp 把上面这段程序给你转换成 C吧 RtlInitUnicodeString (&TempName, L"ZwOpenProcess"); Address = MmGetSystemRoutineAddress( &TempName); SsdtIndex = *(PULONG)((PUCHAR)Address +1); OriginalZwOpenAddress = KeServiceDescriptorTable.ServiceTableBase + SsdtIndex * 4; #pragma pack(1) typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; //Used only in checked build unsigned int NumberOfServices; unsigned char *ParamTableBase; } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; extern PServiceDescriptorTableEntry_t KeServiceDescriptorTable #pragma pack() |
|
驱动中访问分页内存出错
非常感谢傷遺忘兄台热心帮助,正准备问你相关原理资料,就冒出来了,还真不知道它没被映射进去 |
|
[求助]DSA 恒等式 的证明问题
版主,雪中送炭錒,你太伟大了,上次RSA也是你帮忙的,万分感激 |