|
[求助]有很多驱动加载工具,windows自带的sc工具本身就可以加载驱动啊,
87 The parameter is incorrect. ERROR_INVALID_PARAMETER 参数有误 |
|
[求助]关于dispatch level
Callers of KeWaitForSingleObject must be running at IRQL <= DISPATCH_LEVEL. However, if Timeout = NULL or *Timeout != 0, the caller must be running at IRQL <= APC_LEVEL and in a nonarbitrary thread context. (If Timeout != NULL and *Timeout = 0, the caller must be running at IRQL <= DISPATCH_LEVEL.) |
|
[求助]用_stricmp被批了
不是有Rtl系列函数吗 |
|
[求助]有没有简单识别电脑的方法?
打开摄像头启动人像识别系统可以吗 |
|
[分享]Ring0注入Ring3运行一个EXE(xp,win7)
我自定义的 自己可以删除 |
|
[求助]监控windows系统的所有打印机
可以看看OpenPrinterW是怎么实现的我以前弄过 R3的 |
|
[求助]监控windows系统的所有打印机
打印机是串口吧?他总有驱动通信的 |
|
[分享]可惜我看不懂一堆畸形的俄语
照片差点吓到我 |
|
RPC DNS劫持
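只有样本没有源码,应该是挂接\RPC Control\DNDResolver接管系统所有DNS解析的消息 然后修改的 禁止DNSCache是禁止DNS缓存,让所有解析都到他那里去 已经搞定了,只要\RPC Control\DNDResolver这个对象,关闭所有打开的句柄就行了
/*
 * Remediation fragment for the "RPC DNS hijack" sample: the sample owns the
 * \RPC Control\DNSResolver LPC/ALPC port so every resolver request is routed
 * to its process.  This code resolves the port object, finds the process that
 * serves it, closes the port handle inside that process and terminates it.
 * Driver-side statement run (kmalloc/kfree are the poster's own wrappers);
 * must run at PASSIVE_LEVEL in a system thread because of the Zw* calls.
 * Every allocation, handle and object reference taken here is released at
 * the bottom, on every path.
 */
NTSTATUS status;
UNICODE_STRING ustrDns;
UNICODE_STRING ustrLPC;
UNICODE_STRING ustrType;
UNICODE_STRING win7_ALPC_PORT;
PVOID pLpcObject = NULL;                    /* referenced by ObReferenceObjectByName */
PLPCP_PORT_OBJECT pLpcObj = NULL;
HANDLE hProcess = NULL;                     /* handle to the port's server process */
PVOID pBuffer = NULL;                       /* SystemHandleInformation snapshot */
POBJECT_TYPE_INFORMATION ObjTypeInfo = NULL;
PVOID ObjName = NULL;                       /* OBJECT_NAME_INFORMATION; Name is its first member */
ULONG uRetLength = 0;
ULONG uBufLength = 0x100;
ULONG HandleCount = 0;
PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;

RtlInitUnicodeString(&ustrDns, L"\\RPC Control\\DNSResolver");
RtlInitUnicodeString(&ustrLPC, L"LpcPortObjectType");
RtlInitUnicodeString(&ustrType, L"Port");            /* XP: LPC port type name */
RtlInitUnicodeString(&win7_ALPC_PORT, L"ALPC Port"); /* Vista/Win7: ALPC port type name */

do {
    PVOID pLpcPortObjectType;
    HANDLE hProcId;
    ULONG attempt;
    ULONG i;

    /*
     * LpcPortObjectType is an exported kernel *variable* that holds the
     * POBJECT_TYPE (same convention as *PsProcessType below), so the address
     * MmGetSystemRoutineAddress returns must be dereferenced once.  Passing
     * the variable's address itself, as the original did, gives
     * ObReferenceObjectByName a bogus type and it fails with a type mismatch.
     */
    pLpcPortObjectType = MmGetSystemRoutineAddress(&ustrLPC);
    if ( pLpcPortObjectType == NULL ) {
        break;
    }

    status = ObReferenceObjectByName(&ustrDns, OBJ_CASE_INSENSITIVE, NULL, FILE_ALL_ACCESS,
                                     *(POBJECT_TYPE *)pLpcPortObjectType, KernelMode, NULL,
                                     &pLpcObject);
    if ( !NT_SUCCESS(status) || pLpcObject == NULL ) {
        pLpcObject = NULL;   /* nothing was referenced; the original read this uninitialized */
        break;
    }
    pLpcObj = (PLPCP_PORT_OBJECT)pLpcObject;

    /* PsGetProcessId takes no reference; the id is only used to match handle entries. */
    hProcId = PsGetProcessId(pLpcObj->ServerProcess);
    status = ObOpenObjectByPointer((PVOID)pLpcObj->ServerProcess, 0, NULL, PROCESS_ALL_ACCESS,
                                   *PsProcessType, KernelMode, &hProcess);
    if ( !NT_SUCCESS(status) ) {
        hProcess = NULL;     /* the original went on to ZwDuplicateObject with an invalid handle */
        break;
    }

    /*
     * Snapshot the system handle table.  The needed size is only reported by a
     * failed query and can grow between two calls, so retry with slack a few
     * times instead of trusting a single returned length.  A success on the
     * very first query is handled too (the original dropped that result).
     */
    for ( attempt = 0; attempt < 4; attempt++ ) {
        pBuffer = kmalloc(uBufLength);
        if ( pBuffer == NULL ) {
            break;
        }
        RtlZeroMemory(pBuffer, uBufLength);
        status = ZwQuerySystemInformation(SystemHandleInformation, pBuffer, uBufLength, &uRetLength);
        if ( NT_SUCCESS(status) ) {
            HandleCount = *((ULONG *)pBuffer);
            /* entries follow the ULONG count; byte arithmetic keeps this right on 64-bit */
            pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)((char *)pBuffer + sizeof(ULONG));
            break;
        }
        kfree(pBuffer);
        pBuffer = NULL;
        if ( uRetLength > uBufLength ) {
            uBufLength = uRetLength + 0x1000;
        } else {
            uBufLength = uBufLength * 2;
        }
    }
    if ( pHandleInfo == NULL || HandleCount == 0 ) {
        break;
    }

    ObjTypeInfo = (POBJECT_TYPE_INFORMATION)kmalloc(MAX_PATH * 10);
    ObjName = (PVOID)kmalloc(MAX_PATH * 10);
    if ( ObjTypeInfo == NULL || ObjName == NULL ) {
        break;   /* the original used both buffers even when one allocation failed */
    }
    RtlZeroMemory(ObjTypeInfo, MAX_PATH * 10);
    RtlZeroMemory(ObjName, MAX_PATH * 10);

    for ( i = 0; i < HandleCount; i++ ) {
        HANDLE hObject = NULL;

        if ( pHandleInfo[i].ProcessId != (ULONG)hProcId ) {
            continue;
        }
        status = ZwDuplicateObject(hProcess, (HANDLE)pHandleInfo[i].Handle, NtCurrentProcess(),
                                   &hObject, 0, 0, DUPLICATE_SAME_ACCESS);
        if ( !NT_SUCCESS(status) ) {
            continue;
        }

        status = ZwQueryObject(hObject, ObjectTypeInformation, ObjTypeInfo, MAX_PATH * 10, &uRetLength);
        if ( NT_SUCCESS(status) ) {
            /* class 1 is ObjectNameInformation; older WDK headers do not declare the name */
            status = ZwQueryObject(hObject, (OBJECT_INFORMATION_CLASS)1, ObjName, MAX_PATH * 10, &uRetLength);
        }
        if ( !NT_SUCCESS(status) ) {
            ZwClose(hObject);
            continue;
        }

        if ( (0 == RtlCompareUnicodeString(&ustrType, &ObjTypeInfo->Name, TRUE) ||
              0 == RtlCompareUnicodeString(&win7_ALPC_PORT, &ObjTypeInfo->Name, TRUE)) &&
             0 == RtlCompareUnicodeString(&ustrDns, (PUNICODE_STRING)ObjName, TRUE) ) {
            KAPC_STATE k_apc;

            /* Close the port handle inside the server process's own handle table. */
            KeStackAttachProcess(pLpcObj->ServerProcess, &k_apc);
            ZwClose((HANDLE)pHandleInfo[i].Handle);
            KeUnstackDetachProcess(&k_apc);
            /* Our duplicate keeps the port alive as well, so close it before terminating,
             * otherwise name resolution stays broken. */
            ZwClose(hObject);
            hObject = NULL;
            ZwTerminateProcess(hProcess, 0);
            break;   /* the process is gone; remaining entries can no longer be duplicated */
        }

        /* The original leaked every duplicated handle that did not match. */
        ZwClose(hObject);
    }
} while ( 0 );

/* Release in reverse order of acquisition. */
if ( ObjName ) {
    kfree(ObjName);
    ObjName = NULL;
}
if ( ObjTypeInfo ) {
    kfree(ObjTypeInfo);
    ObjTypeInfo = NULL;
}
if ( pBuffer ) {
    kfree(pBuffer);
    pBuffer = NULL;
}
if ( hProcess ) {
    ZwClose(hProcess);
    hProcess = NULL;
}
/*
 * Only pLpcObject was referenced here.  The original also called
 * ObDereferenceObject(pLpcObj->ServerProcess), but nothing in this fragment
 * takes a reference on ServerProcess (PsGetProcessId and ObOpenObjectByPointer
 * do not hand one to the caller), so that call dropped a reference the code
 * did not own and touched pLpcObj after it had already been dereferenced.
 */
if ( pLpcObject ) {
    ObDereferenceObject(pLpcObject);
    pLpcObject = NULL;
}
|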
|
[原创]tcp连接代理之asocks
mark... |
|
这些inlinehook是谁干的呢
hot patching |
|
|
|
Minifilter禁止创建
你要在你处理例程里面 直接完成IRP 然后返回 |
|
[推荐] 中国顶尖黑客 二分之一是历年高考状元
有道理有道理 |