[Original] Formula for computing function addresses from the SSDT on Win10 x64
Adding the corresponding script:
aS ufLinkS "<u><col fg=\\\"emphfg\\\"><link name=\\\"%p\\\" cmd=\\\"uf 0x%p\\\">"; aS ufLinkE "</link></col></u>"; r $t1 = nt!KeServiceDescriptorTable; r $t2 = poi(@$t1 + 0x10); r $t1 = poi(@$t1); .printf "\n\nKeServiceDescriptorTable->KiServiceTable: %p\nKeServiceDescriptorTable->Count: %d\n", @$t1, @$t2; .printf "\nOrd Address fnAddr Symbols\n"; .printf "--------------------------------\n\n"; .for (r $t0 = 0; @$t0 != @$t2; r $t0 = @$t0 + 1) { r @$t3 = (poi(@$t1 + @$t0 * 4)) & 0x00000000`FFFFFFFF; $$.printf "2. %p\n", @$t3; .if ( @$t3 & 0x80000000 ) { r @$t3 = (@$t3 >> 4) | 0xFFFFFFFF`F0000000; r @$t3 = 0 - @$t3; r @$t3 = @$t1 - @$t3; } .else { r @$t3 = (@$t3 >> 4); r @$t3 = (@$t1 + @$t3); } .printf /D "[%3d] ${ufLinkS}%p${ufLinkE} (%y)\n", @$t0, @$t3, @$t3, @$t3, @$t3; } .printf "\n- end -\n";
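The same decoding in Python, as an added example that is not part of the original post: it implements the script's formula (sign-extend the 32-bit KiServiceTable slot, arithmetic-shift it right by 4, add the address of KiServiceTable) in two equivalent forms, and then runs the usual SSDT-hook check of flagging entries that resolve outside the kernel image. The image base, table address and slot values are constructed placeholders, not values from any real build.

```python
import struct

MASK64 = (1 << 64) - 1

def decode_ssdt_entry(table_base: int, raw: int) -> int:
    """One 32-bit KiServiceTable slot -> function address.
    KiSystemCall64 sign-extends the slot (movsxd), arithmetic-shifts it
    right by 4 and adds the address of KiServiceTable itself; the 4 bits
    the shift discards hold the count of arguments passed on the stack."""
    raw &= 0xFFFFFFFF
    disp = raw - (1 << 32) if raw & 0x80000000 else raw  # movsxd
    return (table_base + (disp >> 4)) & MASK64            # sar 4; add

def decode_ssdt_entry_script_form(table_base: int, raw: int) -> int:
    """Same computation, written as the WinDbg script's two branches."""
    raw &= 0xFFFFFFFF
    if raw & 0x80000000:
        t = (raw >> 4) | 0xFFFFFFFFF0000000  # manual 64-bit sign extension
        t = (0 - t) & MASK64                 # magnitude of the negative offset
        return (table_base - t) & MASK64
    return (table_base + (raw >> 4)) & MASK64

def stack_arg_count(raw: int) -> int:
    return raw & 0xF

def encode_ssdt_entry(table_base: int, target: int, stack_args: int) -> int:
    """Inverse of decode; used here only to build the constructed sample."""
    delta = target - table_base
    assert -(1 << 27) <= delta < (1 << 27) and 0 <= stack_args <= 0xF
    return ((delta << 4) | stack_args) & 0xFFFFFFFF

def walk_service_table(table_base: int, table_bytes: bytes):
    """Decode a raw dump of KiServiceTable into (ordinal, address, stack_args)."""
    slots = struct.unpack("<%dI" % (len(table_bytes) // 4), table_bytes)
    return [(i, decode_ssdt_entry(table_base, s), stack_arg_count(s))
            for i, s in enumerate(slots)]

def entries_outside(table_base, table_bytes, image_lo, image_hi):
    """Ordinals whose target is not inside [image_lo, image_hi). On a clean
    system every SSDT target lies in ntoskrnl; anything else deserves a look."""
    return [i for i, addr, _ in walk_service_table(table_base, table_bytes)
            if not image_lo <= addr < image_hi]

# Constructed sample: fictitious ntoskrnl base, KiServiceTable at +0x3000.
IMAGE_LO, IMAGE_HI = 0xFFFFF80002A00000, 0xFFFFF80002A00000 + 0x800000
TABLE = IMAGE_LO + 0x3000
SAMPLE = struct.pack("<3I",
    encode_ssdt_entry(TABLE, TABLE + 0x1234, 0),      # forward displacement
    encode_ssdt_entry(TABLE, TABLE - 0x10, 2),        # backward, 2 stack args
    encode_ssdt_entry(TABLE, IMAGE_LO - 0x2100, 0))   # below the image: suspicious
```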

[Share] "Windows Kernel Design Ideas" (《Windows 内核设计思想》) serialized exclusively on the Kanxue forum, with PDF download
Where is the source code that goes with the book?? The book arrived today; where is the source?? The URL given has no source code.

[Discussion] How many of the experts here don't have a formal CS background?
San Ge (三哥) studied medicine too.

[Help] MiniFilter can't capture file names
OP, go back and read the WDK documentation carefully. Remove the check on FltObjects->FileObject.

[Hiring] Hangzhou Aipu Software (杭州艾朴软件) is hiring kernel & driver developers [ongoing]
This salary is far too low; it doesn't match the required skill level at all.

Minifilter driver BSOD problem
It was allocated by IoVolumeDeviceToDosName, so freeing it is correct. Honestly, just reading the code like this, there is nothing wrong with it. I suggest the OP attach a debugger, debug it, and post the analysis. Also, one strong suggestion: in the kernel, check the return value of every API that has one. That eliminates a great many crashes. If, as the OP says, the crash is in RtlUnicodeStringToAnsiString, first check whether the IRQL is above PASSIVE_LEVEL, then check the return value.

[Translation] Calling undocumented kernel APIs (x64)
Good article, bookmarked.

[Original] NDIS Filter Drivers guide
Looks like a translation of the MSDN version.

[Original] Building DDK drivers with VS2012 and setting up VM debugging (updated)
The problem mentioned in post #32 has two cases: 1. When building a WDF driver, the cause is that the WDF coinstaller DLL was not found; after downloading and installing wdfcoinstaller, the error above disappears. Download: http://msdn.microsoft.com/en-us/windows/hardware/br259104 2. When building a non-WDF driver on Win7, the cause is that the KB2862966 update was installed. I am not certain about case 1; case 2 I am certain of.

[Original] An unusual TDI BSOD
Could you share the link to that article by the foreign author? My debugging skills need improvement.

[Help] How to call undocumented ntdll functions such as RtlDosPathNameToNtPathName_U from a driver
First: a UNICODE_STRING initialized by RtlInitEmptyUnicodeString has its Length member set to 0.
    #define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \
        ((_ucStr)->Buffer = (_buf), \
         (_ucStr)->Length = 0, \
         (_ucStr)->MaximumLength = (USHORT)(_bufSize))
With the following you can get from \??\C: to the \Device\HarddiskVolumeXXX you want:
    ZwOpenSymbolicLinkObject
    ZwQuerySymbolicLinkObject
    ZwClose

[Help] What is RtlLookupFunctionEntry for?
The MSDN that ships with VS2008 has a description of this function:

RtlLookupFunctionEntry Function
Searches the active function tables for an entry that corresponds to the specified PC value.

    PVOID WINAPI RtlLookupFunctionEntry(
        __in  ULONGLONG ControlPC,
        __out PULONGLONG ImageBase,
        __out PULONGLONG TargetGp
    );

Parameters
    ControlPC: The virtual address of an instruction bundle within the function.
    ImageBase: The base address of module to which the function belongs.
    TargetGp: The global pointer value of the module. This parameter has a different declaration on x64 systems. For more information, see x64 Definition.

Return Value
If there is no entry in the function table for the specified PC, the function returns NULL. Otherwise, the function returns the address of the function table entry that corresponds to the specified PC.

x64 Definition
This function is declared as follows:

    PRUNTIME_FUNCTION WINAPI RtlLookupFunctionEntry (
        IN ULONG64 ControlPc,
        OUT PULONG64 ImageBase,
        IN OUT PUNWIND_HISTORY_TABLE HistoryTable OPTIONAL
    );

    #define UNWIND_HISTORY_TABLE_SIZE 12

    typedef struct _UNWIND_HISTORY_TABLE_ENTRY {
        ULONG64 ImageBase;
        PRUNTIME_FUNCTION FunctionEntry;
    } UNWIND_HISTORY_TABLE_ENTRY, *PUNWIND_HISTORY_TABLE_ENTRY;

    #define UNWIND_HISTORY_TABLE_NONE 0
    #define UNWIND_HISTORY_TABLE_GLOBAL 1
    #define UNWIND_HISTORY_TABLE_LOCAL 2

    typedef struct _UNWIND_HISTORY_TABLE {
        ULONG Count;
        UCHAR Search;
        ULONG64 LowAddress;
        ULONG64 HighAddress;
        UNWIND_HISTORY_TABLE_ENTRY Entry[UNWIND_HISTORY_TABLE_SIZE];
    } UNWIND_HISTORY_TABLE, *PUNWIND_HISTORY_TABLE;

Requirements
    Client: Requires Windows XP 64-Bit Edition Version 2003.
    Server: Requires 64-bit edition of Windows Server 2003.
    Library: Use Kernel32.lib.
    DLL: Requires Kernel32.dll.

[Help][Help] How to determine which process holds a file open?
Function: ZwQuerySystemInformation(SystemHandleInformation, ……), and the structure _SYSTEM_HANDLE_INFORMATION is defined in the extypes.h header:

    typedef struct _SYSTEM_HANDLE_INFORMATION {
        ULONG NumberOfHandles;
        SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

    typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
        USHORT UniqueProcessId;
        USHORT CreatorBackTraceIndex;
        UCHAR  ObjectTypeIndex;
        UCHAR  HandleAttributes;
        USHORT HandleValue;
        PVOID  Object;
        ULONG  GrantedAccess;
    } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

[Help][Help] How to determine which process holds a file open?
The person in post #2 already answered you. That function: the data it returns contains the ProcessId.