[Help] NtCreateSection process monitoring
You mean filter out dll, sys and so on? I excluded those long ago. What I'm saying is that the exe alone gets NtCreateSection called on it several times.

[Help] How to tell exe and dll apart
I know. Thanks.

[Help] How to tell exe and dll apart
So what are the values for dll, exe and sys respectively?

[Help] How to compute the size of an x86 instruction
Use a disassembler engine. Just look at what 楚狂人 wrote:

The next task is copying the code. The jmp instruction we obtained earlier is 7 bytes, so we need to copy out at least 7 bytes of code. We cannot copy exactly 7 bytes, though: instruction lengths vary, and that might cut an instruction in two. So we have no choice but to disassemble instruction by instruction, and once the total number of bytes reaches or exceeds 7, we are done. Below, assume the start address of IofCallDriver is start_address.

    size_t length, total_length = 0;
    struct xde_instr code_instr = {0};
    byte_t *start_address = (byte_t *)MmGetSystemRoutineAddress(…);
    while (total_length < 7) {
        length = xde_disasm(start_address, &code_instr); // disassemble one instruction
        if (length == 0)          // if an instruction fails to decode, return failure right away
            return false;
        total_length += length;   // total length of the instructions disassembled so far
        start_address += length;  // advance to the next instruction
    }

xde_disasm is a disassembler engine, available from the attachment

[Help] How to get the system call number of ShadowSSDT?
Sorry, I misread it as SSDT.

[Help] How to get the system call number of ShadowSSDT?
Yeah .........

[Help] How to get the system call number of ShadowSSDT?
/* This routine helps get the system service number for a given service name */
#include <ntddk.h>
#include <ntimage.h>    /* IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_EXPORT_DIRECTORY */

NTSTATUS IhkGetSystemServicesNumber(
    IN  PCHAR  ServiceName,      // ZwXxx or NtXxx
    OUT PULONG ServiceNumber)
{
    UNICODE_STRING          usModuleName;
    HANDLE                  moduleFileHandle;
    NTSTATUS                status;
    OBJECT_ATTRIBUTES       objectAttrib;
    IO_STATUS_BLOCK         ioStatus;
    HANDLE                  sectionHandle;
    PUCHAR                  baseAddress = NULL;
    SIZE_T                  size = 0;
    PIMAGE_OPTIONAL_HEADER  optHeader;
    PIMAGE_EXPORT_DIRECTORY exportTable;
    PULONG                  routineAddrs;
    PULONG                  routineNames;
    PUSHORT                 routineOrdinals;   // ordinals are unsigned 16-bit
    ULONG                   i;
    PCHAR                   name;
    ULONG                   index;
    PUCHAR                  addr;

    // ntdll.dll
    // note: we use ntdll.dll because it exports more routines than
    // ntoskrnl, and every ZwXxx / NtXxx stub in it starts with
    //     mov eax, <service number>   (32-bit)
    RtlInitUnicodeString(&usModuleName, L"\\SystemRoot\\system32\\ntdll.dll");
    InitializeObjectAttributes(&objectAttrib, &usModuleName,
                               OBJ_CASE_INSENSITIVE, NULL, NULL);

    // open file
    status = ZwCreateFile(&moduleFileHandle, FILE_EXECUTE, &objectAttrib, &ioStatus,
                          NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    objectAttrib.ObjectName = NULL;

    // map file as an image, so RVAs are valid offsets from baseAddress
    status = ZwCreateSection(&sectionHandle, SECTION_ALL_ACCESS, &objectAttrib,
                             0, PAGE_EXECUTE, SEC_IMAGE, moduleFileHandle);
    if (!NT_SUCCESS(status)) {
        ZwClose(moduleFileHandle);
        return status;
    }
    status = ZwMapViewOfSection(sectionHandle, NtCurrentProcess(), &baseAddress,
                                0, 0x1000, NULL, &size, ViewShare, MEM_TOP_DOWN,
                                PAGE_READWRITE);
    if (!NT_SUCCESS(status)) {
        ZwClose(moduleFileHandle);
        ZwClose(sectionHandle);
        return status;
    }
    ZwClose(moduleFileHandle);

    // get export table
    optHeader = &((PIMAGE_NT_HEADERS)(baseAddress +
                  ((PIMAGE_DOS_HEADER)baseAddress)->e_lfanew))->OptionalHeader;
    exportTable = (PIMAGE_EXPORT_DIRECTORY)(baseAddress +
                  optHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

    // now we can get the exported functions, but note we convert from RVA to address
    routineAddrs    = (PULONG)(baseAddress + exportTable->AddressOfFunctions);
    routineNames    = (PULONG)(baseAddress + exportTable->AddressOfNames);
    routineOrdinals = (PUSHORT)(baseAddress + exportTable->AddressOfNameOrdinals);

    // search the name table (it has NumberOfNames entries, not NumberOfFunctions)
    for (i = 0; i < exportTable->NumberOfNames; i++) {
        name = (PCHAR)(baseAddress + routineNames[i]);
        if (!strcmp(name, ServiceName)) {
            // found. The ordinal table entry is already a zero-based index into
            // AddressOfFunctions (Base is only added for export-by-ordinal), so
            // the function pointer is routineAddrs[routineOrdinals[i]], not
            // routineAddrs[i].
            index = routineOrdinals[i];
            addr  = baseAddress + routineAddrs[index];

            // get the service index from the stub's "mov eax, imm32";
            // bail out if this export is not such a stub
            if (addr[0] != 0xB8) {
                status = STATUS_NOT_FOUND;
            } else {
                *ServiceNumber = *(PULONG)(addr + 1);
                status = STATUS_SUCCESS;
            }
            ZwUnmapViewOfSection(NtCurrentProcess(), baseAddress);
            ZwClose(sectionHandle);
            return status;
        }
    }
    ZwUnmapViewOfSection(NtCurrentProcess(), baseAddress);
    ZwClose(sectionHandle);
    return STATUS_NOT_FOUND;
}

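The export-table walk in the reply above is the part that tends to go wrong (iterating NumberOfFunctions over the name table, biasing the ordinal with Base, reading four bytes past a stub that is not "mov eax, imm32"), and it is also the part a driver integrity checker reuses when it compares service numbers against a live SSDT. Here is that walk as a stand-alone, user-mode C program. It is an added example, not the poster's code: the PE structures are a locally defined subset of winnt.h so it builds without the Windows SDK, the image is constructed in memory with a deliberately non-identity ordinal table, and the service numbers 0x30 and 0x32 are made up, not ntdll's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of the PE32 headers (winnt.h layout). Unnamed fields are padding of
 * the correct size so every named field sits at its real offset. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct { uint32_t VirtualAddress, Size; } data_dir_t;
typedef struct {
    uint32_t   Signature;
    uint8_t    FileHeader[20];
    uint8_t    OptionalHeaderFixed[96];  /* Magic .. NumberOfRvaAndSizes (PE32) */
    data_dir_t DataDirectory[16];        /* [0] is the export directory */
} nt_hdr32_t;
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;
#pragma pack(pop)

/* Find service_name in the export table of a flat image (RVA == offset, as with
 * a SEC_IMAGE mapping) and read the imm32 of the "mov eax, imm32" that opens an
 * x86 Nt/Zw stub. Returns 0 on success, -1 if not exported, -2 if not a stub. */
int get_service_number(const uint8_t *base, const char *service_name, uint32_t *number)
{
    const dos_hdr_t *dos = (const dos_hdr_t *)base;
    if (dos->e_magic != 0x5A4D) return -1;                     /* "MZ" */
    const nt_hdr32_t *nt = (const nt_hdr32_t *)(base + dos->e_lfanew);
    if (nt->Signature != 0x4550) return -1;                    /* "PE\0\0" */
    uint32_t exp_rva = nt->DataDirectory[0].VirtualAddress;
    if (exp_rva == 0) return -1;
    const export_dir_t *ed = (const export_dir_t *)(base + exp_rva);
    const uint32_t *funcs = (const uint32_t *)(base + ed->AddressOfFunctions);
    const uint32_t *names = (const uint32_t *)(base + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(base + ed->AddressOfNameOrdinals);

    /* The name table has NumberOfNames entries, not NumberOfFunctions. */
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        if (strcmp((const char *)(base + names[i]), service_name) != 0) continue;
        /* ords[i] is already a zero-based index into funcs; Base is not added. */
        uint16_t idx = ords[i];
        if (idx >= ed->NumberOfFunctions) return -1;
        const uint8_t *code = base + funcs[idx];
        if (code[0] != 0xB8) return -2;                        /* not mov eax, imm32 */
        memcpy(number, code + 1, sizeof *number);              /* unaligned-safe read */
        return 0;
    }
    return -1;
}

/* Constructed sample image (not a real ntdll). The ordinal table is not the
 * identity, so a lookup that indexes funcs[i] instead of funcs[ords[i]] would
 * return the other stub's number. */
#define IMG_SIZE 1024
static union { uint8_t b[IMG_SIZE]; uint64_t align; } g_img;

const uint8_t *build_sample_image(void)
{
    uint8_t *img = g_img.b;
    memset(img, 0, IMG_SIZE);
    dos_hdr_t *dos = (dos_hdr_t *)img;
    dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    nt_hdr32_t *nt = (nt_hdr32_t *)(img + 0x40);
    nt->Signature = 0x4550;
    nt->DataDirectory[0].VirtualAddress = 0x200;
    nt->DataDirectory[0].Size = sizeof(export_dir_t);
    export_dir_t *ed = (export_dir_t *)(img + 0x200);
    ed->Base = 1;                                 /* ntdll's real Base is also 1 */
    ed->NumberOfFunctions = 2; ed->NumberOfNames = 2;
    ed->AddressOfFunctions = 0x240; ed->AddressOfNames = 0x250; ed->AddressOfNameOrdinals = 0x260;
    uint32_t *funcs = (uint32_t *)(img + 0x240);
    uint32_t *names = (uint32_t *)(img + 0x250);
    uint16_t *ords  = (uint16_t *)(img + 0x260);
    names[0] = 0x300; strcpy((char *)img + 0x300, "NtCreateSection");  /* sorted, as the linker emits */
    names[1] = 0x320; strcpy((char *)img + 0x320, "NtOpenFile");
    ords[0] = 1; ords[1] = 0;                     /* NtCreateSection -> funcs[1], NtOpenFile -> funcs[0] */
    funcs[0] = 0x340; funcs[1] = 0x350;
    static const uint8_t stub_open[]   = { 0xB8, 0x30, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,0x30; ret */
    static const uint8_t stub_create[] = { 0xB8, 0x32, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,0x32; ret */
    memcpy(img + 0x340, stub_open, sizeof stub_open);
    memcpy(img + 0x350, stub_create, sizeof stub_create);
    return img;
}

int main(void)
{
    const uint8_t *img = build_sample_image();
    const char *wanted[] = { "NtCreateSection", "NtOpenFile", "NtNotExported" };
    for (size_t i = 0; i < 3; i++) {
        uint32_t n = 0;
        int rc = get_service_number(img, wanted[i], &n);
        if (rc == 0) printf("%-16s -> service number 0x%02X\n", wanted[i], (unsigned)n);
        else         printf("%-16s -> lookup failed (rc=%d)\n", wanted[i], rc);
    }
    return 0;
}
```

Against a real SEC_IMAGE mapping of ntdll the same get_service_number works unchanged, since RVAs are valid offsets from the view base there too; the builder exists only so the lookup can be exercised offline.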
[Help] KeAcquireQueuedSpinLock(LockQueueDispatcherLock) error
Sorry, it turned out I had forgotten the __fastcall modifier; solved.

[Help] KeSetEvent on an event created in user mode
You mean after ObReferenceObjectByHandle succeeds, don't ObDereferenceObject right away? That won't error out, but then how does the driver find out as quickly as possible when the user process terminates abruptly?

[Help] KeSetEvent on an event created in user mode
Could you elaborate a bit, please?

[Help] Newbie question on file system filtering
Got it, thanks all.

[Help] Newbie question on file system filtering
OK, uploading it again, with the BSOD minidump.