|
[求助]关于C++ CString 分割文本效率问题
boost自带,一行搞定。 |
|
[求助] vc 使用detours的问题
这玩意不是你这么用的。 |
|
[原创]加载内存当中的DLL(文件),支持64位和32位。直接加载内存或资源当中的dll,不落地
支持异常处理吗?无模块这个最重要了。 |
|
[原创]纪念我HooK逝世的青春--XIgnCode3.TP.NP.HS.PP.GPK
又可以举报TP在win7上改PG了,大伙一起举报吊销它证书。 不止改PG,还 HOOK 了 SwapContext、KiServiceTable + 0x200、KiPageFaultShadow、KiSystemServiceUser。 |
|
[分享]基于WinDbg调试引擎编写的调试器,支持python
很好很强大…… |
|
[原创]SharpOD 反反调试插件 v0.6b (增加功能和修复BUG)
看过楼主的加强版2了,主要还是SE的硬件断点占坑和TP的很像。其它的早就已经撸过了…… 楼主很巧妙地利用了 ProcessDebugObjectHandle:第三个参数和第五个参数一样(按值而非长度检测);第三个参数给空、第四个参数给正常(拿返回值检测)。
|
|
[原创]SharpOD 反反调试插件 v0.6b (增加功能和修复BUG)
NtSetInformationProcess: if (ProcessBreakOnTermination == ProcessInformationClass) { if (ProcessInformationLength != sizeof(ULONG)) { return STATUS_INFO_LENGTH_MISMATCH; } if (ProcessInformation == NULL) { return STATUS_ACCESS_VIOLATION; } AddQueryInfoBreak(ProcessHandle, *((ULONG *)ProcessInformation)); return STATUS_SUCCESS; } else if (ProcessHandleTracing == ProcessInformationClass) { bool enable = ProcessInformationLength != 0; if (enable) { if (ProcessInformationLength != sizeof(ULONG) && ProcessInformationLength != (sizeof(ULONG) * 2)) { return STATUS_INFO_LENGTH_MISMATCH; } if (ProcessInformation == NULL) { return STATUS_ACCESS_VIOLATION; } PPROCESS_HANDLE_TRACING_ENABLE_EX phtEx = (PPROCESS_HANDLE_TRACING_ENABLE_EX)ProcessInformation; if (phtEx->Flags != 0) { return STATUS_INVALID_PARAMETER; } } AddQueryInfoTracing(ProcessHandle, enable); return STATUS_SUCCESS; } else if (ProcessDebugFlags == ProcessInformationClass) { if (ProcessInformationLength != sizeof(ULONG)) { return STATUS_INFO_LENGTH_MISMATCH; } if (ProcessInformation == NULL) { return STATUS_ACCESS_VIOLATION; } ULONG Flags = *(ULONG*)ProcessInformation; if ((Flags & ~PROCESS_DEBUG_INHERIT) != 0) { return STATUS_INVALID_PARAMETER; } ULONG uFlags = PROCESS_DEBUG_INHERIT; if ((Flags & PROCESS_DEBUG_INHERIT) != 0) { uFlags &= ~PROCESS_NO_DEBUG_INHERIT; AddQueryInfoFlags(ProcessHandle, uFlags); } else { uFlags |= PROCESS_NO_DEBUG_INHERIT; AddQueryInfoFlags(ProcessHandle, uFlags); } return STATUS_SUCCESS; } NtQueryInformationProcess: if (NT_SUCCESS(status) && (0 != ProcessInformation) && (0 != ProcessInformationLength)) { ULONG backupReturnLength = 0; if ((ReturnLength != nullptr) && ((ULONG_PTR)ReturnLength >= (ULONG_PTR)ProcessInformation) && ((ULONG_PTR)ReturnLength <= (ULONG_PTR)ProcessInformation + ProcessInformationLength)) { backupReturnLength = *ReturnLength; } if (ProcessDebugFlags == ProcessInformationClass) { ULONG uFlags = FindInfoFlags(ProcessHandle); *((ULONG *)ProcessInformation) = 
((uFlags & PROCESS_NO_DEBUG_INHERIT) != 0) ? 0 : PROCESS_DEBUG_INHERIT; } else if (ProcessDebugObjectHandle == ProcessInformationClass) { *((HANDLE *)ProcessInformation) = 0; status = STATUS_PORT_NOT_SET; } else if (ProcessDebugPort == ProcessInformationClass) { *((HANDLE *)ProcessInformation) = 0; } else if (ProcessBasicInformation == ProcessInformationClass) { PEPROCESS pEprocess = (PEPROCESS)Search64Process("explorer.exe"); HANDLE hPID = PsGetProcessId(pEprocess); ((PPROCESS_BASIC_INFORMATION)ProcessInformation)->InheritedFromUniqueProcessId = (ULONG_PTR)hPID; } else if (ProcessBreakOnTermination == ProcessInformationClass) { *((ULONG *)ProcessInformation) = FindInfoBreak(ProcessHandle); } else if (ProcessHandleTracing == ProcessInformationClass) { if (FindInfoTracing(ProcessHandle)) { status = STATUS_SUCCESS; } else { status = STATUS_INVALID_PARAMETER; } } if (backupReturnLength != 0) { *ReturnLength = backupReturnLength; } } else { if ((ProcessDebugObjectHandle == ProcessInformationClass) && (0 != ProcessInformationLength)) { status = STATUS_PORT_NOT_SET; } } 如果做成插件,取消附加就被检测到了。
|
|
[原创]SharpOD 反反调试插件 v0.6b (增加功能和修复BUG)
想知道楼主的 VMP 3.1(above)如何实现。 在内核下 else if (ProcessDebugObjectHandle == ProcessInformationClass) { if ((NULL != ProcessInformation) && (MmIsAddressValid(ProcessInformation))) { if (NT_SUCCESS(status)) { RtlZeroMemory(ProcessInformation, ProcessInformationLength); } status = STATUS_PORT_NOT_SET; } if (NULL != ReturnLength) { *ReturnLength = sizeof(HANDLE); } } 发现被XAntidebug2检测到了。 |
|
[求助]inline hook如何进行同步操作
其它线程都挂起,撸完了再激活。 |
|
win7 64 位 能HOOK NtQueryVirtualMemory 吗?
如果是要HOOK这玩意隐藏模块内存,还不如直接摸模块的MMVAD。 |