[Help] Problem hooking NtCreateEvent
```c
NTSTATUS
NtCreateEvent (
    __out PHANDLE EventHandle,
    __in ACCESS_MASK DesiredAccess,
    __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
    __in EVENT_TYPE EventType,
    __in BOOLEAN InitialState
    )

/*++

Routine Description:

    This function creates an event object, sets its initial state to the
    specified value, and opens a handle to the object with the specified
    desired access.

Arguments:

    EventHandle - Supplies a pointer to a variable that will receive the
        event object handle.

    DesiredAccess - Supplies the desired types of access for the event object.

    ObjectAttributes - Supplies a pointer to an object attributes structure.

    EventType - Supplies the type of the event (autoclearing or notification).

    InitialState - Supplies the initial state of the event object.

Return Value:

    NTSTATUS.

--*/

{

    PVOID Event;
    HANDLE Handle;
    KPROCESSOR_MODE PreviousMode;
    NTSTATUS Status;

    //
    // Get previous processor mode and probe output handle address if
    // necessary.
    //

    PreviousMode = KeGetPreviousMode();
    if (PreviousMode != KernelMode) {
        try {
            ProbeForWriteHandle(EventHandle);

        } except(EXCEPTION_EXECUTE_HANDLER) {
            return GetExceptionCode();
        }
    }

    //
    // Check argument validity.
    //

    if ((EventType != NotificationEvent) && (EventType != SynchronizationEvent)) {
        return STATUS_INVALID_PARAMETER;
    }

    //
    // Allocate event object.
    //

    Status = ObCreateObject(PreviousMode,
                            ExEventObjectType,
                            ObjectAttributes,
                            PreviousMode,
                            NULL,
                            sizeof(KEVENT),
                            0,
                            0,
                            &Event);

    //
    // If the event object was successfully allocated, then initialize the
    // event object and attempt to insert the event object in the current
    // process' handle table.
    //

    if (NT_SUCCESS(Status)) {
        KeInitializeEvent((PKEVENT)Event, EventType, InitialState);
        Status = ObInsertObject(Event,
                                NULL,
                                DesiredAccess,
                                0,
                                NULL,
                                &Handle);

        //
        // If the event object was successfully inserted in the current
        // process' handle table, then attempt to write the event object
        // handle value. If the write attempt fails, then do not report
        // an error. When the caller attempts to access the handle value,
        // an access violation will occur.
        //

        if (NT_SUCCESS(Status)) {
            if (PreviousMode != KernelMode) {
                try {
                    *EventHandle = Handle;

                } except(EXCEPTION_EXECUTE_HANDLER) {
                    NOTHING;
                }

            } else {
                *EventHandle = Handle;
            }
        }
    }

    //
    // Return service status.
    //

    return Status;
}
```
[Original] Brief Discussion Series - Add New SSDT (长夜漫漫-看流星)
error C2065: 'NewNtOpenProcess' : undeclared identifier
[Original] Win32Asm Driver Study Notes, Chapters 1-2
How many pseudo-instructions can there typically be in ordinary disassembled code?
[Original] Win32Asm Driver Study Notes, Chapters 1-2
Doing it that way will only leave you even less clear about why it works!
[Original] AStyle-based Code Formatting Tool V1.0
Is it as easy to use as SourceStyler??
[Help] Preventing multiple process instances like this
Revolutionary work demands being down-to-earth and rigorous! No hand-waving... You're still guessing?... Pick up IDA, OD and WinDBG, trace through it honestly step by step, work out exactly what its anti-multi-instance mechanism is, and then deal with it with the corresponding method! It seems a typical anti-multi-instance scheme uses at least a dozen or so techniques...
[Help] What does the sysenter assembly instruction do in unpacking?
Intel CPUs: the sysenter instruction enters Ring0 from Ring3; the sysexit instruction returns from Ring0 to Ring3.
AMD CPUs: the syscall instruction enters Ring0 from Ring3; the sysret instruction returns from Ring0 to Ring3.
[Survey] Hey~ any friends from Hunan? Come in and have a look around~
I'm from there too, checking in!