[求助]打印出来的进程名,中文乱码
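/*
 * Walks EPROCESS -> SectionObject -> Segment -> ControlArea -> FilePointer
 * using hard-coded structure offsets and returns the FILE_OBJECT that backs
 * the process image, or NULL if any link of the chain is not resident.
 *
 * The offsets (0x138, 0x014, 0x0, 0x024) are build-specific; NOTE(review):
 * they look like 32-bit XP-era layouts - confirm against the target OS.
 * MmIsAddressValid only reports that the page is mapped; it cannot verify
 * that the value read there really is the structure assumed here, so a wrong
 * offset still means reading garbage rather than a clean failure.
 */
static PFILE_OBJECT GetProcessImageFileObject(ULONG eprocess)
{
    ULONG object;

    /* EPROCESS->SectionObject */
    if (!MmIsAddressValid((PULONG)(eprocess + 0x138)))
        return NULL;
    object = *(PULONG)(eprocess + 0x138);
    KdPrint(("[GetProcessFileName] sectionobject :0x%x\n", object));

    /* SECTION_OBJECT->Segment */
    if (!MmIsAddressValid((PULONG)(object + 0x014)))
        return NULL;
    object = *(PULONG)(object + 0x014);
    KdPrint(("[GetProcessFileName] Segment :0x%x\n", object));

    /* SEGMENT->ControlArea */
    if (!MmIsAddressValid((PULONG)(object + 0x0)))
        return NULL;
    object = *(PULONG)(object + 0x0);
    KdPrint(("[GetProcessFileName] ControlAera :0x%x\n", object));

    /* CONTROL_AREA->FilePointer */
    if (!MmIsAddressValid((PULONG)(object + 0x024)))
        return NULL;
    object = *(PULONG)(object + 0x024);
    KdPrint(("[GetProcessFileName] FilePointer :0x%x\n", object));

    return (PFILE_OBJECT)object;
}

/*
 * Resolves the full DOS path (drive letter + file name) of the image that
 * backs a process and stores it in ProcessPath as a NUL-terminated ANSI
 * string.
 *
 * eprocess    - address of the target EPROCESS (a ULONG, so 32-bit only).
 * ProcessPath - caller-supplied buffer of at least 256 bytes. It is always
 *               NUL-terminated on return: on any failure it holds "", so a
 *               caller that copies the buffer to user mode never hands out
 *               uninitialised kernel memory.
 *
 * The path is converted with RtlUnicodeStringToAnsiString, i.e. into the
 * system ANSI code page, not UTF-8; a ring-3 consumer that prints it under a
 * different code page will show CJK characters as mojibake. A path longer
 * than 255 ANSI bytes is cut, and the cut may fall inside a multi-byte
 * character. Must be called at PASSIVE_LEVEL (the Rtl* string and volume
 * routines used here are pageable).
 */
void GetProcessPath(ULONG eprocess, CHAR ProcessPath[256])
{
    PFILE_OBJECT FilePointer;
    UNICODE_STRING path;   /* drive letter + file name, buffer allocated below */
    UNICODE_STRING name;   /* DOS drive name, buffer allocated by RtlVolumeDeviceToDosName */
    ANSI_STRING string;    /* ANSI copy of path, buffer allocated by RtlUnicodeStringToAnsiString */
    NTSTATUS status;
    USHORT copyLen;

    ProcessPath[0] = 0;

    FilePointer = GetProcessImageFileObject(eprocess);
    if (FilePointer == NULL)
        return;

    /* Allocate only after the pointer walk succeeded, so the early return
     * above cannot leak the pool block. */
    path.Length = 0;
    path.MaximumLength = 256;
    path.Buffer = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, 256, MEM_TAG);
    if (path.Buffer == NULL)
        return;

    /* Hold a reference while DeviceObject / FileName are read. */
    status = ObReferenceObjectByPointer((PVOID)FilePointer, 0, NULL, KernelMode);
    if (NT_SUCCESS(status)) {
        status = RtlVolumeDeviceToDosName(FilePointer->DeviceObject, &name);
        if (NT_SUCCESS(status)) {
            RtlCopyUnicodeString(&path, &name);
            /* 256 bytes is only 128 WCHARs; RtlAppendUnicodeStringToString
             * appends nothing when the file name does not fit, so make that
             * visible instead of silently returning just the drive letter. */
            if (!NT_SUCCESS(RtlAppendUnicodeStringToString(&path, &FilePointer->FileName)))
                KdPrint(("[GetProcessFileName] path does not fit in %u bytes\n", path.MaximumLength));
            /* name.Buffer is ours to free once RtlVolumeDeviceToDosName succeeds. */
            ExFreePool(name.Buffer);
        }
        ObDereferenceObject(FilePointer);
    }

    if (NT_SUCCESS(status) &&
        NT_SUCCESS(RtlUnicodeStringToAnsiString(&string, &path, TRUE))) {
        /* Leave room for the terminator: copy at most 255 bytes. */
        copyLen = (string.Length < 256) ? string.Length : 255;
        memcpy(ProcessPath, string.Buffer, copyLen);
        ProcessPath[copyLen] = 0;
        RtlFreeAnsiString(&string);
    }

    ExFreePool(path.Buffer);
}
用这个函数 依据eprocess得到进程全路径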
[求助]在DriverUnload间歇出现这种问题
太精辟了 不懂 |
[求助]关于修改其他进程汇编代码
修改只读属性 R3 (char *)VirtualAllocEx(hProcess, NULL, lstrlen(code)+1, MEM_COMMIT, PAGE_READWRITE); R0用 CR0寄存器或者MDL映射 |
[求助]在DriverUnload间歇出现这种问题
魔法盾挂钩35个函数 使用感受:很糟糕 |
[求助]在DriverUnload间歇出现这种问题
魔法盾同样挂钩这几个函数,它就很稳定,不知道是如何处理的 |
[求助]在DriverUnload间歇出现这种问题
那要怎么处理才可以避免这种错误? |
[求助]在DriverUnload间歇出现这种问题
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (ce) |