[Help] How do I use the d [esp+8] feature in IDA Pro?
Generally you can't check that with static analysis.
[Download] SoftICE 4.3.2.1 (Lite Edition)
thanks http://bbs.pediy.com/showthread.php?t=34850&highlight=softice SoftICE v4.3.2.2485 & IceExt 0.70 Lite Edition (V2)
The 8th Man has been hacked
Haven't been able to log in for several days.
[Solved] How do I load this driver?
After persistent effort it finally works. Thanks to everyone above for the help. Posting it here for later readers to refer to, even though it's very simple.

.386
.model flat, stdcall
option casemap:none

include C:\RadASM\masm32\include\w2k\ntstatus.inc
include C:\RadASM\masm32\include\w2k\ntddk.inc
include C:\RadASM\masm32\include\w2k\ntoskrnl.inc
include C:\RadASM\masm32\include\w2k\w2kundoc.inc
includelib C:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include C:\RadASM\\masm32\Macros\Strings.mac

.data
P_addr   dd 0
realaddr dd 0
CR0Reg   dd 0
Messaga1 db "OpenProcess",0
Messaga2 db "Driver loaded", 0

.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local pDeviceObject:PVOID

    pushad
    invoke DbgPrint, addr Messaga2
    mov edi, dword ptr KeServiceDescriptorTable
    mov edi, [edi]
    lea eax, [edi+(07ah*4)]
    mov P_addr, eax                 ; save the pointer to the table slot
    push [edi+(07ah*4)]
    pop realaddr                    ; save the original address
    cli
    mov eax, CR0
    mov CR0Reg, eax
    and eax, 0fffeffffh
    mov cr0, eax
    mov eax, P_addr
    mov [eax], dword ptr offset hookproc
    mov eax, CR0Reg
    mov CR0, eax
    sti
    mov eax, pDriverObject
    assume eax:PTR DRIVER_OBJECT
    mov [eax].DriverUnload, offset DriverUnload
    assume eax:nothing
    popad
    mov eax, STATUS_SUCCESS
    ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    pushad
    cli
    mov eax, CR0
    mov CR0Reg, eax
    and eax, 0fffeffffh
    mov cr0, eax
    mov eax, P_addr
    mov edx, realaddr
    mov [eax], edx
    mov eax, CR0Reg
    mov CR0, eax
    sti
    popad
    ret
DriverUnload endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
hookproc proc
    invoke DbgPrint, addr Messaga1
    jmp dword ptr realaddr
hookproc endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry
[Solved] How do I load this driver?
Not sure where it went wrong; it seems the SSDT modification never succeeds.
[Solved] How do I load this driver?
Changed this line: and eax,0fffeffffh // Following the hint from two posts above I changed it to this. I can see Messaga2 now, but the SSDT still isn't modified, no idea why, and Messaga1 never shows up. Ugh.

.386
.model flat, stdcall
option casemap:none

include C:\RadASM\masm32\include\w2k\ntstatus.inc
include C:\RadASM\masm32\include\w2k\ntddk.inc
include C:\RadASM\masm32\include\w2k\ntoskrnl.inc
include C:\RadASM\masm32\include\w2k\w2kundoc.inc
includelib C:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include C:\RadASM\\masm32\Macros\Strings.mac

.data
realaddr dd 0
CR0Reg   dd 0
Messaga1 db "OpenProcess",0
Messaga2 db "Driver loaded", 0

.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local pDeviceObject:PVOID

    pushad
    invoke DbgPrint, addr Messaga2
    mov edi, KeServiceDescriptorTable
    mov edi, [edi]
    mov eax, [edi+(07ah*4)]         ; edi+07ah*4 - NtOpenProcess
    mov realaddr, eax
    cli
    mov eax, CR0
    mov CR0Reg, eax
    and eax, 0fffeffffh             ; changed to this per the hint two posts up; Messaga2 shows but the SSDT still isn't modified, no idea why, Messaga1 never appears
    mov cr0, eax
    mov [edi+(07ah*4)], dword ptr offset hookproc
    mov eax, CR0Reg
    mov CR0, eax
    sti
    mov eax, pDriverObject
    assume eax:PTR DRIVER_OBJECT
    mov [eax].DriverUnload, offset DriverUnload
    assume eax:nothing
    popad
    mov eax, STATUS_SUCCESS
    ret
DriverEntry endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    pushad
    mov edi, KeServiceDescriptorTable
    mov edi, [edi]
    cli
    mov eax, CR0
    mov CR0Reg, eax
    and eax, -1
    mov cr0, eax
    mov eax, dword ptr realaddr
    mov [edi+(07ah*4)], eax
    mov eax, CR0Reg
    mov CR0, eax
    sti
    popad
    ret
DriverUnload endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
hookproc proc
    invoke DbgPrint, addr Messaga1
    jmp dword ptr realaddr
    ; ret
hookproc endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry