如何编写全新机制的应用层调试器？？
漫天搜索找不到什么有用的资料...

[求助]xuetr被游戏检测到怎么办？
换个其它的老版本试试
或改以下东西：
可执行文件名、窗口标题、窗口类名、驱动名、驱动设备名、驱动符号链接名、互斥体名

[求助]双进程 OD无法附加。请问怎么解决？
用户层程序仅只允许被一个调试器调试，现在游戏进程自已调试自己，你的调试器再去调试游戏进程就不被允许了，
解决方法依次是：
将游戏进程DebugPort清零
清除DebugObjectHandle
清除相关的DebugFlags

[建议]新论坛还能改不？
各种反人类...
IE8浏览不了！

[求助]新论坛真难用.
还是建议改回旧版论坛，新版论坛真的很难用！

[讨论]电脑裸奔有什么不中毒，不被挂马攻略呢？
主动防御类、沙盒类、虚拟机类、影子还原类...

[讨论]谁hook过shadow ssdt表的NtUserGetMessage?
加锁行不行：

KSPIN_LOCK spinlock;  //自旋锁必须是全局的，以防止多个CPU重入

KeInitializeSpinLock(&spinlock);  //初始化自旋锁

KeAcquireSpinLock(&spinlock, &irql);  //启用自旋锁

//这里执行想要的操作
UnHook();

KeReleaseSpinLock(&spinlock, irql);  //释放自旋锁

[讨论]谁hook过shadow ssdt表的NtUserGetMessage?
看你开关内存保护时无论是用cr0寄存器还是用MDL时都用了#pragma PAGEDCODE这句，
这是使用了分页内存吧，
在整个代码中都去掉#pragma PAGEDCODE，
全部用非分页内存试试！

[求助]call调用子程序内部sub esp,xx 导致堆栈用完了怎么办
栈由系统自动分配，速度较快，程序员是无法控制的。
栈的大小是有默认值的，如果申请的临时变量太大的话就会超过栈的大小，造成栈溢出。
默认值为1MB
最小值为4Byte
可以在Visual C++中设置：
项目->属性->链接器->系统->堆栈保留大小

[求助]内存搜索器编写思路
MEMORY_BASIC_INFORMATION mbi;
if(mbi.State == MEM_COMMIT)

[求助]万能的大神啊,进来看一眼呗
既然是分配内存空间的时候失败，
多半是因为保护程序的驱动Hook了NtReadVirtualMemory和NtWriteVirtualMemory，
自己脱钩即可，
用PC Hunter看下吧！

关于模拟鼠标的问题
这是神马情况？
我是来回答  qq小雨的  的问题的，怎么现在我成了这个帖子的发帖人了？？
qq小雨的 发这个帖子的时间怎么比我的发帖时间还晚啊？？
论坛发帖时间出错了，版主来解决！！

关于模拟鼠标的问题
先恢复以下内核函数：

NtUserSendInput
NtUserGetMessage
NtUserPeekMessage

再恢复以下用户函数：

SetWindowHookEx

最后使用以下用户函数：

SendInput
mouse_event
SendMessage
PostMessage

最近在玩一款游戏，遇到了一个小问题
看看这三个函数有没有被挂钩：
NtUserGetMessage
NtUserPeekMessage
NtUserSendInput

[求助]帮忙看一下驱动教程的代码
没错！

LONG_PTR
ObDereferenceObject (
    PVOID Object
    );

前面的函数引用的是哪个对象，后面的ObDereferenceObject要减少引用计数的就是那个对象！

[求助]PEPROCESS定义在哪个头文件啊
WRK:
Ke.h
Ps.h

[求助]PEPROCESS定义在哪个头文件啊
typedef struct _EPROCESS
{
        KPROCESS Pcb;

        //
        // Lock used to protect:
        // The list of threads in the process.
        // Process token.
        // Win32 process field.
        // Process and thread affinity setting.
        //

        EX_PUSH_LOCK ProcessLock;

        LARGE_INTEGER CreateTime;
        LARGE_INTEGER ExitTime;

        //
        // Structure to allow lock free cross process access to the process
        // handle table, process section and address space. Acquire rundown
        // protection with this if you do cross process handle table, process
        // section or address space references.
        //

        EX_RUNDOWN_REF RundownProtect;

        HANDLE UniqueProcessId;

        //
        // Global list of all processes in the system. Processes are removed
        // from this list in the object deletion routine.  References to
        // processes in this list must be done with ObReferenceObjectSafe
        // because of this.
        //

        LIST_ENTRY ActiveProcessLinks;

        //
        // Quota Fields.
        //

        SIZE_T QuotaUsage[PsQuotaTypes];
        SIZE_T QuotaPeak[PsQuotaTypes];
        SIZE_T CommitCharge;

        //
        // VmCounters.
        //

        SIZE_T PeakVirtualSize;
        SIZE_T VirtualSize;

        LIST_ENTRY SessionProcessLinks;

        PVOID DebugPort;
        PVOID ExceptionPort;
        PHANDLE_TABLE ObjectTable;

        //
        // Security.
        //

        EX_FAST_REF Token;

        PFN_NUMBER WorkingSetPage;
        KGUARDED_MUTEX AddressCreationLock;
        KSPIN_LOCK HyperSpaceLock;

        struct _ETHREAD *ForkInProgress;
        ULONG_PTR HardwareTrigger;

        PMM_AVL_TABLE PhysicalVadRoot;
        PVOID CloneRoot;
        PFN_NUMBER NumberOfPrivatePages;
        PFN_NUMBER NumberOfLockedPages;
        PVOID Win32Process;
        struct _EJOB *Job;
        PVOID SectionObject;

        PVOID SectionBaseAddress;

        PEPROCESS_QUOTA_BLOCK QuotaBlock;

        PPAGEFAULT_HISTORY WorkingSetWatch;
        HANDLE Win32WindowStation;
        HANDLE InheritedFromUniqueProcessId;

        PVOID LdtInformation;
        PVOID VadFreeHint;
        PVOID VdmObjects;
        PVOID DeviceMap;

        PVOID Spare0[3];
        union
        {
                HARDWARE_PTE PageDirectoryPte;
                ULONGLONG Filler;
        };
        PVOID Session;
        UCHAR ImageFileName[16];

        LIST_ENTRY JobLinks;
        PVOID LockedPagesList;

        LIST_ENTRY ThreadListHead;

        //
        // Used by rdr/security for authentication.
        //

        PVOID SecurityPort;

#ifdef _WIN64
        PWOW64_PROCESS Wow64Process;
#else
        PVOID PaeTop;
#endif

        ULONG ActiveThreads;

        ACCESS_MASK GrantedAccess;

        ULONG DefaultHardErrorProcessing;

        NTSTATUS LastThreadExitStatus;

        //
        // Peb
        //

        PPEB Peb;

        //
        // Pointer to the prefetches trace block.
        //
        EX_FAST_REF PrefetchTrace;

        LARGE_INTEGER ReadOperationCount;
        LARGE_INTEGER WriteOperationCount;
        LARGE_INTEGER OtherOperationCount;
        LARGE_INTEGER ReadTransferCount;
        LARGE_INTEGER WriteTransferCount;
        LARGE_INTEGER OtherTransferCount;

        SIZE_T CommitChargeLimit;
        SIZE_T CommitChargePeak;

        PVOID AweInfo;

        //
        // This is used for SeAuditProcessCreation.
        // It contains the full path to the image file.
        //

        SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;

        MMSUPPORT Vm;

#if !defined(_WIN64)
        LIST_ENTRY MmProcessLinks;
#else
        ULONG Spares[2];
#endif

        ULONG ModifiedPageCount;

#define PS_JOB_STATUS_NOT_REALLY_ACTIVE      0x00000001UL
#define PS_JOB_STATUS_ACCOUNTING_FOLDED      0x00000002UL
#define PS_JOB_STATUS_NEW_PROCESS_REPORTED   0x00000004UL
#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED  0x00000008UL
#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES  0x00000010UL
#define PS_JOB_STATUS_LAST_REPORT_MEMORY     0x00000020UL
#define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES  0x00000040UL

        ULONG JobStatus;

        //
        // Process flags. Use interlocked operations with PS_SET_BITS, etc
        // to modify these.
        //

#define PS_PROCESS_FLAGS_CREATE_REPORTED        0x00000001UL // Create process debug call has occurred
#define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT       0x00000002UL // Don't inherit debug port
#define PS_PROCESS_FLAGS_PROCESS_EXITING        0x00000004UL // PspExitProcess entered
#define PS_PROCESS_FLAGS_PROCESS_DELETE         0x00000008UL // Delete process has been issued
#define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES      0x00000010UL // Wow64 split pages
#define PS_PROCESS_FLAGS_VM_DELETED             0x00000020UL // VM is deleted
#define PS_PROCESS_FLAGS_OUTSWAP_ENABLED        0x00000040UL // Outswap enabled
#define PS_PROCESS_FLAGS_OUTSWAPPED             0x00000080UL // Outswapped
#define PS_PROCESS_FLAGS_FORK_FAILED            0x00000100UL // Fork status
#define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE     0x00000200UL // Wow64 process with 4gb virtual address space
#define PS_PROCESS_FLAGS_ADDRESS_SPACE1         0x00000400UL // Addr space state1
#define PS_PROCESS_FLAGS_ADDRESS_SPACE2         0x00000800UL // Addr space state2
#define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION   0x00001000UL // SetTimerResolution has been called
#define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION   0x00002000UL // Break on process termination
#define PS_PROCESS_FLAGS_CREATING_SESSION       0x00004000UL // Process is creating a session
#define PS_PROCESS_FLAGS_USING_WRITE_WATCH      0x00008000UL // Process is using the write watch APIs
#define PS_PROCESS_FLAGS_IN_SESSION             0x00010000UL // Process is in a session
#define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL // Process must use native address space (Win64 only)
#define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE      0x00040000UL // This process has an address space
#define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED      0x00080000UL // Process launch was prefetched
#define PS_PROCESS_INJECT_INPAGE_ERRORS         0x00100000UL // Process should be given inpage errors - hardcoded in trap.asm too
#define PS_PROCESS_FLAGS_VM_TOP_DOWN            0x00200000UL // Process memory allocations default to top-down
#define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE      0x00400000UL // We have sent a message for this image
#define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED      0x00800000UL // The system PDEs need updating for this process (NT32 only)
#define PS_PROCESS_FLAGS_VDM_ALLOWED            0x01000000UL // Process allowed to invoke NTVDM support
#define PS_PROCESS_FLAGS_SMAP_ALLOWED           0x02000000UL // Process allowed to invoke SMAP support
#define PS_PROCESS_FLAGS_CREATE_FAILED          0x04000000UL // Process create failed

#define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY    0x38000000UL // The default I/O priority for created threads. (3 bits)

#define PS_PROCESS_FLAGS_PRIORITY_SHIFT         27

#define PS_PROCESS_FLAGS_EXECUTE_SPARE1         0x40000000UL //
#define PS_PROCESS_FLAGS_EXECUTE_SPARE2         0x80000000UL //

        union
        {
                ULONG Flags;

                //
                // Fields can only be set by the PS_SET_BITS and other interlocked
                // macros.  Reading fields is best done via the bit definitions so
                // references are easy to locate.
                //

                struct
                {
                        ULONG CreateReported : 1;
                        ULONG NoDebugInherit : 1;
                        ULONG ProcessExiting : 1;
                        ULONG ProcessDelete : 1;
                        ULONG Wow64SplitPages : 1;
                        ULONG VmDeleted : 1;
                        ULONG OutswapEnabled : 1;
                        ULONG Outswapped : 1;
                        ULONG ForkFailed : 1;
                        ULONG Wow64VaSpace4Gb : 1;
                        ULONG AddressSpaceInitialized : 2;
                        ULONG SetTimerResolution : 1;
                        ULONG BreakOnTermination : 1;
                        ULONG SessionCreationUnderway : 1;
                        ULONG WriteWatch : 1;
                        ULONG ProcessInSession : 1;
                        ULONG OverrideAddressSpace : 1;
                        ULONG HasAddressSpace : 1;
                        ULONG LaunchPrefetched : 1;
                        ULONG InjectInpageErrors : 1;
                        ULONG VmTopDown : 1;
                        ULONG ImageNotifyDone : 1;
                        ULONG PdeUpdateNeeded : 1;    // NT32 only
                        ULONG VdmAllowed : 1;
                        ULONG SmapAllowed : 1;
                        ULONG CreateFailed : 1;
                        ULONG DefaultIoPriority : 3;
                        ULONG Spare1 : 1;
                        ULONG Spare2 : 1;
                };
        };

        NTSTATUS ExitStatus;

        USHORT NextPageColor;
        union
        {
                struct
                {
                        UCHAR SubSystemMinorVersion;
                        UCHAR SubSystemMajorVersion;
                };
                USHORT SubSystemVersion;
        };
        UCHAR PriorityClass;

        MM_AVL_TABLE VadRoot;

        ULONG Cookie;
} EPROCESS, *PEPROCESS;

typedef struct _KPROCESS
{
        //
        // The dispatch header and profile listhead are fairly infrequently
        // referenced.
        //

        DISPATCHER_HEADER Header;
        LIST_ENTRY ProfileListHead;

        //
        // The following fields are referenced during context switches.
        //

        ULONG_PTR DirectoryTableBase[2];

#if defined(_X86_)

        KGDTENTRY LdtDescriptor;
        KIDTENTRY Int21Descriptor;
        USHORT IopmOffset;
        UCHAR Iopl;
        BOOLEAN Unused;

#endif

#if defined(_AMD64_)

        USHORT IopmOffset;

#endif

        volatile KAFFINITY ActiveProcessors;

        //
        // The following fields are referenced during clock interrupts.
        //

        ULONG KernelTime;
        ULONG UserTime;

        //
        // The following fields are referenced infrequently.
        //

        LIST_ENTRY ReadyListHead;
        SINGLE_LIST_ENTRY SwapListEntry;

#if defined(_X86_)

        PVOID VdmTrapcHandler;

#else

        PVOID Reserved1;

#endif

        LIST_ENTRY ThreadListHead;
        KSPIN_LOCK ProcessLock;
        KAFFINITY Affinity;

        //
        // N.B. The following bit number definitions must match the following
        //      bit field.
        //
        // N.B. These bits can only be written with interlocked operations.
        //

#define KPROCESS_AUTO_ALIGNMENT_BIT 0
#define KPROCESS_DISABLE_BOOST_BIT 1
#define KPROCESS_DISABLE_QUANTUM_BIT 2

        union
        {
                struct
                {
                        LONG AutoAlignment : 1;
                        LONG DisableBoost : 1;
                        LONG DisableQuantum : 1;
                        LONG ReservedFlags : 29;
                };

                LONG ProcessFlags;
        };

        SCHAR BasePriority;
        SCHAR QuantumReset;
        UCHAR State;
        UCHAR ThreadSeed;
        UCHAR PowerState;
        UCHAR IdealNode;
        BOOLEAN Visited;
        union
        {
                KEXECUTE_OPTIONS Flags;
                UCHAR ExecuteOptions;
        };

#if !defined(_X86_) && !defined(_AMD64_)

        PALIGNMENT_EXCEPTION_TABLE AlignmentExceptionTable;

#endif

        ULONG_PTR StackCount;
        LIST_ENTRY ProcessListEntry;
} KPROCESS, *PKPROCESS, *PRKPROCESS;

[求助]windows的提权过程
OpenProcessToken
LookupPrivilegeValue
AdjustTokenPrivileges