[Help] About application-layer inline hooking
Then how should I write it?

[Help] About stack balancing in an inline hook
I found that here:

    __declspec(naked) VOID fake_KeStackAttachProcess(PKPROCESS pKProcess, PVOID APCState)
    {
        // my own processing
        ......
        Proxy_KeStackAttachProcess(pKProcess, APCState);
    }

after adding my own processing it still runs, but it causes an access violation!

[Help] About stack balancing in an inline hook
The last two bytes are 0x0080

[Help] About stack balancing in an inline hook
Yes, the first five bytes of Proxy_KeStackAttachProcess are the original first five bytes of KeStackAttachProcess; the next five bytes are a jump to the sixth byte of KeStackAttachProcess. All of that is already implemented, and the last two bytes are 08 00
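As an added example, not code from this thread or from any poster: a defender-side integrity check for the x86 pattern the thread describes, where the first five bytes of a function are overwritten with a relative "jmp rel32" (opcode E9). It decodes the displacement, computes the destination and flags a prologue whose jump leaves the module that owns the function; a jump that stays inside the module (a legitimate tail call) is not flagged. The addresses, module range and byte strings are constructed for the example; nothing is read from a live kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Where the bytes were read from and which module range is considered "home". */
typedef struct {
    uintptr_t func_va;    /* virtual address of the function's first byte */
    uintptr_t module_lo;  /* start of the owning module (constructed value) */
    uintptr_t module_hi;  /* one past the end of the owning module */
} func_ctx_t;

/* Returns 1 if the prologue begins with "jmp rel32" whose destination lies
 * outside [module_lo, module_hi), 0 otherwise. When a jmp is present,
 * *target receives the decoded destination. */
int detect_prologue_jmp(const uint8_t *code, size_t len,
                        const func_ctx_t *ctx, uintptr_t *target)
{
    if (len < 5 || code[0] != 0xE9)
        return 0;

    /* rel32 is little-endian and relative to the end of the 5-byte instruction. */
    int32_t rel = (int32_t)((uint32_t)code[1]        | ((uint32_t)code[2] << 8) |
                            ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24));
    uintptr_t dest = ctx->func_va + 5 + (uintptr_t)(intptr_t)rel;
    if (target)
        *target = dest;

    return (dest < ctx->module_lo || dest >= ctx->module_hi) ? 1 : 0;
}

/* Constructed sample: a function at 0x80500000 inside a module spanning
 * [0x80400000, 0x80600000). */
const func_ctx_t g_ctx = { 0x80500000u, 0x80400000u, 0x80600000u };

/* Typical untouched x86 prologue: mov edi,edi / push ebp / mov ebp,esp. */
const uint8_t g_clean[5]    = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* jmp to 0xF8A00000 (outside the module): rel32 = 0xF8A00000 - 0x80500005. */
const uint8_t g_hooked[5]   = { 0xE9, 0xFB, 0xFF, 0x4F, 0x78 };
/* jmp +0x100 (stays inside the module), e.g. a compiler-generated tail jump. */
const uint8_t g_internal[5] = { 0xE9, 0x00, 0x01, 0x00, 0x00 };

int sample_clean_flag(void)
{
    return detect_prologue_jmp(g_clean, sizeof g_clean, &g_ctx, NULL);
}

int sample_hooked_flag(void)
{
    return detect_prologue_jmp(g_hooked, sizeof g_hooked, &g_ctx, NULL);
}

uintptr_t sample_hooked_target(void)
{
    uintptr_t t = 0;
    detect_prologue_jmp(g_hooked, sizeof g_hooked, &g_ctx, &t);
    return t;
}

int sample_internal_flag(void)
{
    return detect_prologue_jmp(g_internal, sizeof g_internal, &g_ctx, NULL);
}

int main(void)
{
    uintptr_t t = sample_hooked_target();
    printf("clean prologue flagged:    %d\n", sample_clean_flag());
    printf("hooked prologue flagged:   %d (target 0x%lx)\n",
           sample_hooked_flag(), (unsigned long)t);
    printf("internal jmp flagged:      %d\n", sample_internal_flag());
    return 0;
}
```

The check is deliberately narrow: it only decodes the E9 form. A scanner that compares the live prologue against the pristine bytes from the on-disk image catches the other overwrite forms as well, but the relative-jump decode is the piece that tells you where the hook leads.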

[Help] About stack balancing in an inline hook
Experts, please help me

[Discussion] How can multiple processes access a driver at the same time?
Experts, please advise, thanks

[Discussion] How can multiple processes access a driver at the same time?

    HANDLE hSys = NULL;
    HFILE hFile = OpenFile(drv, ..., OF_READWRITE);
    if (HFILE_ERROR == hFile)
    {
        hSys = CreateFile("\\\\.\\Drv", GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                          OPEN_EXISTING, 0, 0);
    }

There is a problem with writing it this way,

[Discussion] How to disable Device\\PhysicalMemory

    HANDLE Section;
    DWORD Res;
    NTSTATUS ntS;
    PACL OldDacl = NULL, NewDacl = NULL;
    PSECURITY_DESCRIPTOR SecDesc = NULL;
    EXPLICIT_ACCESS Access;
    OBJECT_ATTRIBUTES ObAttributes;
    INIT_UNICODE(ObName, L"\\Device\\PhysicalMemory");
    BOOL mode;

    memset(&Access, 0, sizeof(EXPLICIT_ACCESS));
    InitializeObjectAttributes(&ObAttributes, &ObName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    // open a handle to \Device\PhysicalMemory
    ntS = NtOpenSection(&Section, WRITE_DAC | READ_CONTROL, &ObAttributes);
    if (ntS != STATUS_SUCCESS)
    {
        printf("error: NtOpenSection (code: %x)\n", ntS);
        goto cleanup;
    }

    // retrieve a copy of the security descriptor
    Res = GetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, &OldDacl, NULL, &SecDesc);
    if (Res != ERROR_SUCCESS)
    {
        printf("error: GetSecurityInfo (code: %lu)\n", Res);
        goto cleanup;
    }

    Access.grfAccessPermissions = 0; // :P
    Access.grfAccessMode = DENY_ACCESS;
    Access.grfInheritance = NO_INHERITANCE;
    Access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    // change this information to grant access to a group or another user
    Access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    Access.Trustee.TrusteeType = TRUSTEE_IS_USER;
    Access.Trustee.ptstrName = "CURRENT_USER";

    // create the new ACL
    Res = SetEntriesInAcl(1, &Access, NULL, &NewDacl);
    if (Res != ERROR_SUCCESS)
    {
        printf("error: SetEntriesInAcl (code: %lu)\n", Res);
        goto cleanup;
    }

    // update the ACL
    Res = SetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, NewDacl, NULL);
    if (Res != ERROR_SUCCESS)
    {
        printf("error: SetSecurityInfo (code: %lu)\n", Res);
        goto cleanup;
    }

    printf("\\Device\\PhysicalMemory chmoded\n");

    cleanup:
    if (Section) NtClose(Section);
    if (SecDesc) LocalFree(SecDesc);

Why doesn't it take effect?

[Discussion] How to get the address of the Device\\PhysicalMemory object
In windbg you can get it with the command !object device\physicalmemory; how does it obtain it?

[Discussion] How to disable Device\\PhysicalMemory
Hooking NtOpenSection is not thorough.

[Help] Cannot debug after installing Windbg on Win7
Win7 Home edition does not support local kernel debugging; the other editions do! Run

    bcdedit /debug on
    bcdedit /bootdebug on

reboot the machine, start windbg with administrator privileges, and you can then do local kernel debugging.

[Discussion] Reasons for failing to restore the shadow SSDT table
What the previous poster said makes sense; I fetched the shadow table but did not sort it.