|
[求助]托盘图标动态变化(毫无规律)
可不可以考虑单独创建一个线程 处理图标动态变化?或者自己编程实现timer控件呢? |
|
[备份]SCM服务方式加载驱动
好习惯养成的 |
|
[原创]分析了一下360安全卫士的HOOK
open才能更加的完美 |
|
[原创]发个使用Native API的编程示例代码:LzOpenProcess杀冰刃
IS内存清零后 无法退出呢 |
|
[备份]SCM服务方式加载驱动
规范不是刻意做的 是良好的编程修养 |
|
[求助]请教一个Hook TerminateProcess的问题
iat hook啊 |
|
[求助]用eprocess遍历进程的一个问题
等我毕业也去360 |
|
[求助]用eprocess遍历进程的一个问题
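// Resolve the full image path of a process from its EPROCESS.
//
// Walks EPROCESS->SectionObject(0x138)->Segment(0x014)->ControlArea(0x000)
// ->FilePointer(0x024), then builds "<DOS drive>" + FILE_OBJECT.FileName,
// converts it to ANSI and copies it into the caller's 256-byte buffer.
// The output is always NUL-terminated; on any failure ProcessPath is set to
// the empty string so ring-3 consumers never see an unterminated buffer.
//
// NOTE(review): the hard-coded offsets are build-specific (they look like
// 32-bit Windows XP — verify against the target build). MmIsAddressValid only
// reports that a page is currently resident; it does not prove the value is a
// valid object, and nothing here stops the process from tearing down while the
// chain is walked. On newer builds ControlArea.FilePointer is an EX_FAST_REF
// whose low bits would have to be masked. Prefer the documented
// SeLocateProcessImageName / PsReferenceProcessFilePointer APIs where available.
// RtlVolumeDeviceToDosName requires IRQL == PASSIVE_LEVEL.
//
// eprocess    : address of the target EPROCESS (32-bit only, see ULONG).
// ProcessPath : caller-supplied buffer of at least 256 CHARs; receives the
//               NUL-terminated ANSI path, truncated to 255 characters if longer.
void GetProcessPath(ULONG eprocess, CHAR ProcessPath[256])
{
    ULONG object;
    PFILE_OBJECT FilePointer;
    UNICODE_STRING path;   // "<drive>" + FileName, allocated below
    UNICODE_STRING name;   // DOS drive name, allocated by RtlVolumeDeviceToDosName
    ANSI_STRING string;    // ANSI copy of path, allocated by RtlUnicodeStringToAnsiString
    ULONG needed;
    NTSTATUS status;

    // Fail closed: every early return below leaves a terminated (empty) string.
    ProcessPath[0] = 0;

    // EPROCESS->SectionObject
    if (!MmIsAddressValid((PULONG)(eprocess + 0x138)))
        return;
    object = *(PULONG)(eprocess + 0x138);
    KdPrint(("[GetProcessFileName] sectionobject :0x%x\n", object));

    // SectionObject->Segment
    if (!MmIsAddressValid((PULONG)(object + 0x014)))
        return;
    object = *(PULONG)(object + 0x014);
    KdPrint(("[GetProcessFileName] Segment :0x%x\n", object));

    // Segment->ControlArea
    if (!MmIsAddressValid((PULONG)(object + 0x0)))
        return;
    object = *(PULONG)(object + 0x0);
    KdPrint(("[GetProcessFileName] ControlAera :0x%x\n", object));

    // ControlArea->FilePointer
    if (!MmIsAddressValid((PULONG)(object + 0x024)))
        return;
    object = *(PULONG)(object + 0x024);
    KdPrint(("[GetProcessFileName] FilePointer :0x%x\n", object));

    FilePointer = (PFILE_OBJECT)object;
    if (FilePointer == NULL)
        return;

    // Hold a reference while DeviceObject / FileName are read; the original
    // ignored this status and would have touched an unreferenced object.
    status = ObReferenceObjectByPointer((PVOID)FilePointer, 0, NULL, KernelMode);
    if (!NT_SUCCESS(status))
        return;

    // Drive letter. The returned buffer is system-allocated and must be
    // released with ExFreePool (the original leaked it on every call).
    status = RtlVolumeDeviceToDosName(FilePointer->DeviceObject, &name);
    if (!NT_SUCCESS(status)) {
        ObDereferenceObject(FilePointer);
        return;
    }

    // Size the working buffer to the real path instead of a fixed 256 bytes so
    // RtlCopyUnicodeString/RtlAppendUnicodeStringToString cannot silently
    // truncate long paths. UNICODE_STRING lengths are USHORT, so bound the sum.
    needed = (ULONG)name.Length + (ULONG)FilePointer->FileName.Length + sizeof(WCHAR);
    path.Buffer = NULL;
    if (needed <= 0xFFFF)
        path.Buffer = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, needed, MEM_TAG);
    if (path.Buffer == NULL) {
        ExFreePool(name.Buffer);
        ObDereferenceObject(FilePointer);
        return;
    }
    path.Length = 0;
    path.MaximumLength = (USHORT)needed;

    RtlCopyUnicodeString(&path, &name);                          // drive
    RtlAppendUnicodeStringToString(&path, &FilePointer->FileName); // + path
    ExFreePool(name.Buffer);
    ObDereferenceObject(FilePointer);

    // Convert to ANSI for the ring-3 consumer (AllocateDestinationString=TRUE,
    // released with RtlFreeAnsiString). The wide buffer is no longer needed.
    status = RtlUnicodeStringToAnsiString(&string, &path, TRUE);
    ExFreePool(path.Buffer);
    if (!NT_SUCCESS(status))
        return;

    // Copy out with guaranteed NUL termination; ProcessPath holds 256 bytes.
    if (string.Length >= 256) {
        memcpy(ProcessPath, string.Buffer, 255);
        ProcessPath[255] = 0;
    } else {
        memcpy(ProcessPath, string.Buffer, string.Length);
        ProcessPath[string.Length] = 0;
    }
    RtlFreeAnsiString(&string);
}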
|
[备份]SCM服务方式加载驱动
开始规范写程序 |
|
[原创]PE感染型病毒的研究和代码实现,附上代码和论文
我BOSS好多年都不写代码了 |
|
|
|
[讨论]关于编程学习,我扯几句
顶教主啊 |
|
[分享]全新原创Anti-rootkit软件SysReveal,欢迎试用
出了比叉踢好看点 别的没叉踢好 |
|
[分享]全新原创Anti-rootkit软件SysReveal,欢迎试用
报告bug 注册表解析ROOT 软件卡死,无响应 |
|
|
|
|