|
hook ZwOpenProcess函数,蓝屏
好长时间了,来看还是没有人愿意帮我看一眼啊,错误的地方挺明显的,两处: 1. strncpy(ProcessName,processname_ansi.Buffer,strlen(processname_ansi.Length)); 应该是 strlen(processname_ansi.buffer),写错了 2. strncpy(ProcessName,processname_temp,MAXPROCNAMELEN-1); if (ClientId->UniqueThread) sprintf( ProcessName + strlen(ProcessName), ":%d",ClientId->UniqueThread); 这里不能用strlen(ProcessName),因为字符串函数是以'\0'作为结束符确定长度,但是上一步中这个字符串是通过strncpy复制过来的,没有结束符。 VMwareService.e会引起蓝屏,别的没有蓝,可能是因为processname超过了16个字符的长度,strlen的调用引发的蓝屏。 这种蓝屏都不是链表操作有误引发的,多数是缓冲区应用中被破坏了,所以释放的时候蓝屏,如strcpy,strncpy等函数要很小心使用,注意附加结束符 |
|
有没有学习Windbg的好资料
实际调试一下比较好,看看双机调试的资料,然后自己调试一下 |
|
谁能给个 R0 简单的 ZwOpenProcess - ZwTerminateProcess 结束进程的简单源码
/*
 * NOTE(review): reference implementation pasted from the WRK (psopen.c / psdelete.c).
 * It is the code a ZwOpenProcess / ZwTerminateProcess hook sits in front of. Two
 * properties of it matter to a hook: user-mode pointers are only touched inside
 * try/except after probing, and ClientId is copied once into CapturedCid -- a hook
 * that re-reads the caller's CLIENT_ID later works on memory the caller may have
 * changed in the meantime.
 */
NTSTATUS
NtOpenProcess (
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
    )

/*++

Routine Description:

    This function opens a handle to a process object with the specified
    desired access. The object is located either by name, or by locating
    a thread whose Client ID matches the specified Client ID and then
    opening that thread's process.

Arguments:

    ProcessHandle - Supplies a pointer to a variable that will receive
        the process object handle.

    DesiredAccess - Supplies the desired types of access for the process
        object.

    ObjectAttributes - Supplies a pointer to an object attributes structure.
        If the ObjectName field is specified, then ClientId must not be
        specified.

    ClientId - Supplies a pointer to a ClientId that if supplied specifies
        the thread whose process is to be opened. If this argument is
        specified, then ObjectName field of the ObjectAttributes structure
        must not be specified.

Return Value:

    NTSTATUS - Status of call

--*/

{
    HANDLE Handle;
    KPROCESSOR_MODE PreviousMode;
    NTSTATUS Status;
    PEPROCESS Process;
    PETHREAD Thread;
    CLIENT_ID CapturedCid = {0};      // local copy of *ClientId: read once, used for every lookup below
    BOOLEAN ObjectNamePresent;
    BOOLEAN ClientIdPresent;
    ACCESS_STATE AccessState;
    AUX_ACCESS_DATA AuxData;
    ULONG Attributes;

    PAGED_CODE();

    //
    // Make sure that only one of either ClientId or ObjectName is
    // present.
    //

    PreviousMode = KeGetPreviousMode();

    if (PreviousMode != KernelMode) {

        //
        // Since we need to look at the ObjectName field, probe
        // ObjectAttributes and capture object name present indicator.
        //
        // A bad user pointer is turned into a status code by the
        // exception handler instead of faulting in the kernel.
        //

        try {

            ProbeForWriteHandle (ProcessHandle);

            ProbeForReadSmallStructure (ObjectAttributes,
                                        sizeof(OBJECT_ATTRIBUTES),
                                        sizeof(ULONG));
            ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
            Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode);

            if (ARGUMENT_PRESENT (ClientId)) {
                ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
                CapturedCid = *ClientId;
                ClientIdPresent = TRUE;
            } else {
                ClientIdPresent = FALSE;
            }

        } except (EXCEPTION_EXECUTE_HANDLER) {
            return GetExceptionCode();
        }

    } else {

        //
        // KernelMode callers (a driver calling ZwOpenProcess) get no probe and
        // no exception handler: the pointers handed in are dereferenced as-is,
        // so an invalid ObjectAttributes or ClientId here is a bugcheck.
        //

        ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
        Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, KernelMode);

        if (ARGUMENT_PRESENT (ClientId)) {
            CapturedCid = *ClientId;
            ClientIdPresent = TRUE;
        } else {
            ClientIdPresent = FALSE;
        }
    }

    if (ObjectNamePresent && ClientIdPresent) {
        return STATUS_INVALID_PARAMETER_MIX;
    }

    //
    // Create an AccessState here, because the caller may have
    // DebugPrivilege, which requires us to make special adjustments
    // to his desired access mask. We do this by modifying the
    // internal fields in the AccessState to achieve the effect
    // we desire.
    //

    Status = SeCreateAccessState(
                 &AccessState,
                 &AuxData,
                 DesiredAccess,
                 &PsProcessType->TypeInfo.GenericMapping
                 );

    if ( !NT_SUCCESS(Status) ) {
        return Status;
    }

    //
    // Check here to see if the caller has SeDebugPrivilege. If
    // he does, we will allow him any access he wants to the process.
    // We do this by clearing the DesiredAccess in the AccessState
    // and recording what we want him to have in the PreviouslyGrantedAccess
    // field.
    //
    // Note that this routine performs auditing as appropriate.
    //
    // With RemainingDesiredAccess set to 0 nothing is left for the object
    // manager's access check in the ObOpenObjectBy* calls below, so the
    // privilege decides the outcome, not the process' security descriptor.
    //

    if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) {

        if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) {
            AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS;
        } else {
            AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess );
        }

        AccessState.RemainingDesiredAccess = 0;
    }

    if (ObjectNamePresent) {

        //
        // Open handle to the process object with the specified desired access,
        // set process handle value, and return service completion status.
        //

        Status = ObOpenObjectByName(
                     ObjectAttributes,
                     PsProcessType,
                     PreviousMode,
                     &AccessState,
                     0,
                     NULL,
                     &Handle
                     );

        SeDeleteAccessState( &AccessState );

        if ( NT_SUCCESS(Status) ) {

            // The output pointer is user memory when PreviousMode != KernelMode,
            // so the store is guarded as well.
            try {
                *ProcessHandle = Handle;
            } except (EXCEPTION_EXECUTE_HANDLER) {
                return GetExceptionCode ();
            }
        }

        return Status;
    }

    if ( ClientIdPresent ) {

        Thread = NULL;

        //
        // A non-zero UniqueThread selects the process through the thread;
        // otherwise UniqueProcess is looked up directly. Both lookups return
        // referenced objects that are dereferenced after the open below.
        //

        if (CapturedCid.UniqueThread) {
            Status = PsLookupProcessThreadByCid(
                        &CapturedCid,
                        &Process,
                        &Thread
                        );

            if (!NT_SUCCESS(Status)) {
                SeDeleteAccessState( &AccessState );
                return Status;
            }
        } else {
            Status = PsLookupProcessByProcessId(
                        CapturedCid.UniqueProcess,
                        &Process
                        );

            if ( !NT_SUCCESS(Status) ) {
                SeDeleteAccessState( &AccessState );
                return Status;
            }
        }

        //
        // OpenObjectByAddress
        //

        Status = ObOpenObjectByPointer(
                    Process,
                    Attributes,
                    &AccessState,
                    0,
                    PsProcessType,
                    PreviousMode,
                    &Handle
                    );

        SeDeleteAccessState( &AccessState );

        if (Thread) {
            ObDereferenceObject(Thread);
        }

        ObDereferenceObject(Process);

        if (NT_SUCCESS (Status)) {
            try {
                *ProcessHandle = Handle;
            } except (EXCEPTION_EXECUTE_HANDLER) {
                return GetExceptionCode ();
            }
        }

        return Status;
    }

    // Neither a name nor a ClientId was supplied.
    return STATUS_INVALID_PARAMETER_MIX;
}

NTSTATUS
NtTerminateProcess(
    __in_opt HANDLE ProcessHandle,
    __in NTSTATUS ExitStatus
    )

/*++

Routine Description:

    This function causes the specified process and all of
    its threads to terminate.

Arguments:

    ProcessHandle - Supplies a handle to the process to terminate.

    ExitStatus - Supplies the exit status associated with the process.

Return Value:

    NTSTATUS - Status of operation

--*/

{
    PETHREAD Thread, Self;
    PEPROCESS Process;
    PEPROCESS CurrentProcess;
    NTSTATUS st;
    BOOLEAN ProcessHandleSpecified;

    PAGED_CODE();

    // The caller's own thread and process are special-cased below: the
    // calling thread is terminated last, and only through the never-returning path.
    Self = PsGetCurrentThread();
    CurrentProcess = PsGetCurrentProcessByThread (Self);

    if (ARGUMENT_PRESENT (ProcessHandle)) {
        ProcessHandleSpecified = TRUE;
    } else {
        ProcessHandleSpecified = FALSE;
        ProcessHandle = NtCurrentProcess();
    }

    //
    // The only access check in this service: the handle must have been opened
    // with PROCESS_TERMINATE (see NtOpenProcess above), evaluated against the
    // caller's previous mode.
    //

    st = ObReferenceObjectByHandle (ProcessHandle,
                                    PROCESS_TERMINATE,
                                    PsProcessType,
                                    KeGetPreviousModeByThread(&Self->Tcb),
                                    &Process,
                                    NULL);

    if (!NT_SUCCESS (st)) {
        return(st);
    }

    if (Process->Flags & PS_PROCESS_FLAGS_BREAK_ON_TERMINATION) {
        PspCatchCriticalBreak ("Terminating critical process 0x%p (%s)\n",
                               Process,
                               Process->ImageFileName);
    }

    //
    // Acquire rundown protection just so we can give the right errors
    //

    if (!ExAcquireRundownProtection (&Process->RundownProtect)) {
        ObDereferenceObject (Process);
        return STATUS_PROCESS_IS_TERMINATING;
    }

    //
    // Mark process as deleting except for the obscure delete self case.
    //

    if (ProcessHandleSpecified) {
        PS_SET_BITS (&Process->Flags, PS_PROCESS_FLAGS_PROCESS_DELETE);
    }

    // Stays STATUS_NOTHING_TO_TERMINATE if the thread list is empty;
    // every thread except the caller's own is terminated here.
    st = STATUS_NOTHING_TO_TERMINATE;

    for (Thread = PsGetNextProcessThread (Process, NULL);
         Thread != NULL;
         Thread = PsGetNextProcessThread (Process, Thread)) {

        st = STATUS_SUCCESS;
        if (Thread != Self) {
            PspTerminateThreadByPointer (Thread, ExitStatus, FALSE);
        }
    }

    ExReleaseRundownProtection (&Process->RundownProtect);

    if (Process == CurrentProcess) {
        if (ProcessHandleSpecified) {
            ObDereferenceObject (Process);

            //
            // Never Returns
            //

            PspTerminateThreadByPointer (Self, ExitStatus, TRUE);
        }
    } else if (ExitStatus == DBG_TERMINATE_PROCESS) {
        DbgkClearProcessDebugObject (Process, NULL);
    }

    //
    // If there are no threads in this process then clear out its handle table.
    // Do the same for processes being debugged. This is so a process can never lock itself into the system
    // by debugging itself or have a handle open to itself.
    //

    if (st == STATUS_NOTHING_TO_TERMINATE || (Process->DebugPort != NULL && ProcessHandleSpecified)) {
        ObClearProcessHandleTable (Process);
        st = STATUS_SUCCESS;
    }

    ObDereferenceObject(Process);

    return st;
}
以上来自wrk 中 psdelete.c 和psopen.c 文件 |
|
mssmbios!_PEB
Connected to Windows XP 2600 x86 compatible target at (Fri Feb 5 14:25:27.421 2010 (GMT+8)), ptr64 FALSE Symbol search path is: d:\symbols Executable search path is: Unable to read selector for PCR for processor 0 ******************************************************************************* WARNING: Local kernel debugging requires booting with kernel debugging support (/debug or bcdedit -debug on) to work optimally. ******************************************************************************* Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Built by: 2600.xpsp_sp3_qfe.090804-1456 Machine Name: Kernel base = 0x804d8000 PsLoadedModuleList = 0x805644c0 Debug session time: Fri Feb 5 14:25:27.531 2010 (GMT+8) System Uptime: 0 days 0:41:43.236 lkd> !lmi nt Loaded Module Info: [nt] Module: ntkrnlmp Base Address: 804d8000 Image Name: ntkrnlmp.exe Machine Type: 332 (I386) Time Stamp: 4a783d8a Tue Aug 04 21:54:18 2009 Size: 228000 CheckSum: 20fd8d Characteristics: 10e perf Debug Data Dirs: Type Size VA Pointer CODEVIEW 25, 76ad0, 760d0 RSDS - GUID: {79D38DEF-79B7-454A-9D61-504200179432} Age: 2, Pdb: ntkrnlmp.pdb CLSID 4, 76acc, 760cc [Data not mapped] Image Type: MEMORY - Image read successfully from loaded memory. Symbol Type: PDB - Symbols loaded successfully from symbol server. d:\symbols\ntkrnlmp.pdb\79D38DEF79B7454A9D615042001794322\ntkrnlmp.pdb Load Report: public symbols , not source indexed d:\symbols\ntkrnlmp.pdb\79D38DEF79B7454A9D615042001794322\ntkrnlmp.pdb 我把360关掉了,还是不行, 仍然没有导出如 nt!_eprocess等结构 |
|
看雪有没有加壳脱壳的视频教程啊
我有个脱壳入门18篇,进阶13篇,但是要60多M ,可以qq 传给你 |
|
[转帖]The art of Reversing
里面有中文版或者英文版的么,没有就不下了 |
|
[推荐]Windows 内核情景分析--采用开源代码ReactOS
coohai 好可爱啊。 |
|
[求助]如何从内存映射句柄得到内核对象(_SECTION_OBJECT)
achillis 很犀利 |
|
[求助]GetDllFunctionAddress 蓝屏
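我终于不蓝了,憋了快一个星期, functionAddress = (DWORD)((BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]); 这句之所以不对,是因为functonOrdinal取得不对,这个在经典getdllfunctionaddress函数里面定义的是 Dword类型,但是arrayOfFunctionOrdinals定义的是word*;我看了那个地址里面是 07 00 08 00... 取到的functonOrdinal是0x80007,多取了一个word; 我的头文件里定义错了word类型(这个应该是主要原因) #define word unsigned int // 占4字节 原来写错的 #define word unsigned short //2字节,应该是这个 ------------------------------------------------------------------------------------------------------------------
/*
 * Resolve an exported function of a DLL by name from kernel mode.
 *
 * The image named by pDllName is opened, mapped as a SEC_IMAGE section into the
 * current process and its export directory is walked by name. On a match the
 * address of the export inside this mapping is returned; the view is therefore
 * left mapped on the success path on purpose (unmapping it would leave the
 * returned address dangling) -- the caller owns that mapping afterwards. On every
 * failure path the view is unmapped and all handles are closed.
 *
 * Changes from the classic version of this routine:
 *   - every Zw* call is checked; the original dereferenced BaseAddress (NULL on a
 *     failed open/map) and closed uninitialised handles, which is a bugcheck.
 *   - the loop is bounded by NumberOfNames, not NumberOfFunctions: the name and
 *     name-ordinal arrays have NumberOfNames entries, so the old bound read past
 *     them whenever the image exports more functions than names.
 *   - AddressOfNameOrdinals already holds zero-based indexes into
 *     AddressOfFunctions ("ordinal - Base"); adding Base - 1 was only correct for
 *     images with Base == 1.
 *   - a forwarded export (RVA inside the export directory) is a string, not code,
 *     and is reported as not found instead of returned as a function address.
 *
 * lpFunctionName  NUL-terminated ANSI export name, compared case-insensitively.
 * pDllName        NT object path of the image file (UNICODE_STRING).
 *
 * Returns the export's address within the mapped view, or 0 on any failure.
 * 32-bit only: the pointer is narrowed to DWORD, as in the original.
 */
DWORD GetDllFunctionAddress(char* lpFunctionName, PUNICODE_STRING pDllName)
{
    HANDLE hSection = NULL;
    HANDLE hFile = NULL;
    PVOID BaseAddress = NULL;
    SIZE_T size = 0;
    OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
    IO_STATUS_BLOCK iosb;
    NTSTATUS status;
    BYTE* hMod;
    IMAGE_DOS_HEADER* dosheader;
    IMAGE_OPTIONAL_HEADER* opthdr;
    IMAGE_EXPORT_DIRECTORY* pExportTable;
    DWORD exportRva;
    DWORD exportSize;
    DWORD* arrayOfFunctionAddresses;
    DWORD* arrayOfFunctionNames;
    WORD* arrayOfFunctionOrdinals;
    STRING ntFunctionName;
    STRING ntFunctionNameSearch;
    DWORD x;

    if (lpFunctionName == NULL || pDllName == NULL) {
        return 0;
    }

    status = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb,
                        FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
    if (!NT_SUCCESS(status)) {
        return 0;
    }

    /* The section is created from the file handle, so no name is supplied again. */
    oa.ObjectName = 0;
    status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, &oa, 0,
                             PAGE_EXECUTE, SEC_IMAGE, hFile);
    if (!NT_SUCCESS(status)) {
        ZwClose(hFile);
        return 0;
    }

    status = ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 0, 1000, 0,
                                &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
    ZwClose(hFile);
    if (!NT_SUCCESS(status) || BaseAddress == NULL) {
        ZwClose(hSection);
        return 0;
    }

    hMod = (BYTE*)BaseAddress;
    dosheader = (IMAGE_DOS_HEADER*)hMod;
    /* +24 skips the PE signature (4) and IMAGE_FILE_HEADER (20). */
    opthdr = (IMAGE_OPTIONAL_HEADER*)(hMod + dosheader->e_lfanew + 24);
    exportRva = opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
    exportSize = opthdr->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;

    /* An image without an export directory cannot resolve anything. */
    if (exportRva == 0) {
        ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
        ZwClose(hSection);
        return 0;
    }

    pExportTable = (IMAGE_EXPORT_DIRECTORY*)(hMod + exportRva);

    /* All three tables are RVAs; convert to addresses inside the view. */
    arrayOfFunctionAddresses = (DWORD*)(hMod + pExportTable->AddressOfFunctions);
    arrayOfFunctionNames = (DWORD*)(hMod + pExportTable->AddressOfNames);
    arrayOfFunctionOrdinals = (WORD*)(hMod + pExportTable->AddressOfNameOrdinals);

    RtlInitString(&ntFunctionNameSearch, lpFunctionName);

    for (x = 0; x < pExportTable->NumberOfNames; x++) {
        WORD index;
        DWORD rva;

        RtlInitString(&ntFunctionName, (char*)(hMod + arrayOfFunctionNames[x]));
        if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) != 0) {
            continue;
        }

        /* Name ordinals are unbiased indexes into AddressOfFunctions. */
        index = arrayOfFunctionOrdinals[x];
        if (index >= pExportTable->NumberOfFunctions) {
            break;
        }

        rva = arrayOfFunctionAddresses[index];

        /* An RVA inside the export directory is a forwarder string ("DLL.Name"), not code. */
        if (rva >= exportRva && rva < exportRva + exportSize) {
            break;
        }

        /* Success: the view stays mapped because the returned address lives in it. */
        ZwClose(hSection);
        return (DWORD)(hMod + rva);
    }

    ZwUnmapViewOfSection(NtCurrentProcess(), BaseAddress);
    ZwClose(hSection);
    return 0;
}
|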
|
|
|
[求助]GetDllFunctionAddress 蓝屏
232个人看帖,没人帮我调试下看看么,我真的被难倒这了 |
|
[求助]GetDllFunctionAddress 蓝屏
说是下面这句蓝的,可是我实在看不出有什么不对,别人也都这么用啊 functionAddress = (DWORD)((BYTE*)hMod + arrayOfFunctionAddresses[functionOrdinal]); 我是新手,不会调试,麻烦指点我下吧,停在这里无法前进了 |
|
[求助]GetDllFunctionAddress 蓝屏
我的系统 xp sp3 ,有人和我遇到过一样的问题没 |