[求助]如何在驱动层防止源代码拷贝
动不动就上驱动也是醉了，老老实实在应用层 HOOK 就那么拿不出手么？（审阅补充：无论驱动还是用户态 HOOK 都只是提高门槛，不是可靠的防拷贝手段——用户态 HOOK 可以被摘掉或用直接系统调用绕过，驱动也挡不住拥有管理员权限的用户；真要防源码外泄，得靠权限隔离和 DLP 一类的策略，而不是单点拦截。） |
[求助]QueryFullProcessImageName无法获取进程路径
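/*
 * Forum reply: "sharing a function I wrote to get a process's image path."
 *
 * PsGetImageFileNameW
 * -------------------
 * Resolve the Win32 (drive-letter) path of the main executable image of
 * process dwPid into lpImageFileName, a caller-supplied buffer of nSize
 * WCHARs.
 *
 * Strategy, unchanged from the posted version:
 *   1. NT 6.0+: ask the kernel through ntdll!NtQuerySystemInformation with
 *      information class 88 (SystemProcessImageNameInformation). No process
 *      handle is needed, so it works for 32-bit callers querying 64-bit
 *      targets and from low-privilege callers. The kernel returns an NT
 *      device path, which FsDevicePathToFilePathW (project helper, not in
 *      this listing) converts to a drive-letter path.
 *   2. NT 5, or step 1 produced nothing: open the process with
 *      PROCESS_VM_READ | PROCESS_QUERY_INFORMATION and call
 *      GetModuleFileNameExW. If that fails with ERROR_PARTIAL_COPY (the
 *      usual symptom of a 32-bit caller reading a 64-bit process) fall back
 *      to psapi!GetProcessImageFileNameW and convert its device path.
 *
 * Returns: number of WCHARs copied, 0 on failure. On return GetLastError()
 * holds the error of the last method attempted (0 on success).
 *
 * Fixes relative to the posted version:
 *   - malloc(), GetModuleHandleW() and GetProcAddress() results are checked;
 *     the original dereferenced / called through NULL on failure.
 *   - The kernel-supplied name is NUL-terminated in its own heap buffer and
 *     converted from there. The original copied it through a MAX_PATH stack
 *     array with wcsncpy_s(), which fails and zeroes the destination when
 *     the device path is MAX_PATH or more characters long, so long paths
 *     silently fell through to the privileged fallback.
 *   - Error codes from a failed GetModuleFileNameExW / GetProcessImageFileNameW
 *     are no longer dropped (the original left GetLastError() at 0 there).
 *   - CloseHandle() is no longer called on a NULL handle.
 *   - Magic numbers (88, 0xC0000004, 299) replaced by named constants.
 *   - NULL buffer / zero size are rejected up front with ERROR_INVALID_PARAMETER.
 *
 * SECURITY NOTE: the returned string is the path the OS reports for the
 * file the image was mapped from, at the moment of the query. It is not a
 * verified identity: the file may be renamed, replaced or deleted after
 * the process started, and PIDs are recycled. Do not base an allow/deny
 * decision on this path alone; pair it with a handle- or signature-based
 * check if the caller's trust model needs one.
 *
 * Thread-safety: the two static caches (OS version, ntdll export) are
 * initialised without locking, exactly as in the original; both writes are
 * idempotent, so a race only costs a redundant lookup.
 */

/* Undocumented SYSTEM_INFORMATION_CLASS value used by the original post. */
enum { PS_SYSTEM_PROCESS_IMAGE_NAME_INFORMATION = 88 };

/* STATUS_INFO_LENGTH_MISMATCH: the supplied buffer is too small. */
#define PS_STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

/*
 * Step 1 helper: NT 6+ kernel query. Returns WCHARs copied into
 * lpImageFileName, or 0 if any part failed (the caller then tries the
 * handle-based path, so no error code is reported from here).
 */
static DWORD PsImageNameFromKernel(DWORD dwPid, LPWSTR lpImageFileName, DWORD nSize)
{
    static lpfnNtQuerySystemInformation pfnQuery = NULL;
    SYSTEM_PROCESS_IMAGE_NAME_INFORMATION info;
    USHORT cbName = 0x100;   /* first attempt: 0x100 bytes, as in the original */
    PWSTR name = NULL;
    NTSTATUS status;
    DWORD dwCopied = 0;

    if (pfnQuery == NULL) {
        HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
        if (hNtdll != NULL) {
            pfnQuery = (lpfnNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
        }
        if (pfnQuery == NULL) {
            return 0;
        }
    }

    /* One spare WCHAR so the kernel-written name can always be NUL-terminated. */
    name = (PWSTR)malloc((size_t)cbName + sizeof(WCHAR));
    if (name == NULL) {
        return 0;
    }

    info.ProcessId = (HANDLE)(ULONG_PTR)dwPid;
    info.ImageName.Length = 0;
    info.ImageName.MaximumLength = cbName;
    info.ImageName.Buffer = name;
    status = pfnQuery((SYSTEM_INFORMATION_CLASS)PS_SYSTEM_PROCESS_IMAGE_NAME_INFORMATION,
                      &info, sizeof(info), NULL);

    if (status == PS_STATUS_INFO_LENGTH_MISMATCH) {
        /* Like the original, rely on the kernel having written the required
         * byte count into ImageName.MaximumLength. A value that is not larger
         * than what we already offered gains nothing by retrying, so treat it
         * as failure instead of allocating a useless buffer. */
        PWSTR bigger;
        if (info.ImageName.MaximumLength <= cbName) {
            free(name);
            return 0;
        }
        cbName = info.ImageName.MaximumLength;
        bigger = (PWSTR)malloc((size_t)cbName + sizeof(WCHAR));
        if (bigger == NULL) {
            free(name);
            return 0;
        }
        free(name);
        name = bigger;
        info.ImageName.Length = 0;
        info.ImageName.MaximumLength = cbName;
        info.ImageName.Buffer = name;
        status = pfnQuery((SYSTEM_INFORMATION_CLASS)PS_SYSTEM_PROCESS_IMAGE_NAME_INFORMATION,
                          &info, sizeof(info), NULL);
    }

    /* Length is a byte count; bound it by our allocation before writing the
     * terminator so a misbehaving return can never write past the buffer. */
    if (NT_SUCCESS(status) && info.ImageName.Length <= cbName) {
        name[info.ImageName.Length / sizeof(WCHAR)] = L'\0';
        dwCopied = FsDevicePathToFilePathW(name, lpImageFileName, nSize);
    }
    free(name);
    return dwCopied;
}

/*
 * Step 2b helper: psapi!GetProcessImageFileNameW on an already-open handle.
 * The export is resolved at run time, as in the original (presumably so the
 * binary still loads on systems without it). psapi.dll is loaded by its full
 * system-directory path so a DLL of that name planted in the application or
 * current directory cannot be picked up instead. Sets *pdwLastError;
 * returns WCHARs copied or 0.
 */
static DWORD PsImageNameFromPsapi(HANDLE hProc, LPWSTR lpImageFileName, DWORD nSize, DWORD *pdwLastError)
{
    typedef DWORD (WINAPI *PGetProcessImageFileNameW)(HANDLE, LPWSTR, DWORD);
    wchar_t psapiPath[MAX_PATH];
    UINT cchSysDir;
    HMODULE hPsapi;
    PGetProcessImageFileNameW pfn;
    DWORD dwCopied = 0;

    /* GetSystemDirectoryW returns 0 on failure, or the required size when
     * the buffer is too small; the original checked neither. */
    cchSysDir = GetSystemDirectoryW(psapiPath, MAX_PATH);
    if (cchSysDir == 0 || cchSysDir >= MAX_PATH || !PathAppendW(psapiPath, L"psapi.dll")) {
        *pdwLastError = GetLastError();
        return 0;
    }
    hPsapi = LoadLibraryW(psapiPath);
    if (hPsapi == NULL) {
        *pdwLastError = GetLastError();
        return 0;
    }
    pfn = (PGetProcessImageFileNameW)GetProcAddress(hPsapi, "GetProcessImageFileNameW");
    if (pfn != NULL) {
        dwCopied = pfn(hProc, lpImageFileName, nSize);
        if (dwCopied > 0) {
            /* In-place conversion with source and destination aliased, exactly
             * as the original did. Assumes FsDevicePathToFilePathW tolerates
             * that aliasing — confirm against its implementation. */
            dwCopied = FsDevicePathToFilePathW(lpImageFileName, lpImageFileName, nSize);
        }
    }
    *pdwLastError = GetLastError();   /* captured before FreeLibrary can clobber it */
    FreeLibrary(hPsapi);
    return dwCopied;
}

/*
 * Step 2 helper: open the process and use GetModuleFileNameExW, falling
 * back to psapi on ERROR_PARTIAL_COPY. Sets *pdwLastError; returns WCHARs
 * copied or 0.
 */
static DWORD PsImageNameFromHandle(DWORD dwPid, LPWSTR lpImageFileName, DWORD nSize, DWORD *pdwLastError)
{
    DWORD dwCopied;
    HANDLE hProc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, dwPid);
    if (hProc == NULL) {
        *pdwLastError = GetLastError();
        return 0;
    }
    dwCopied = GetModuleFileNameExW(hProc, NULL, lpImageFileName, nSize);
    if (dwCopied == 0 && GetLastError() == ERROR_PARTIAL_COPY) {
        /* Module list unreadable — typically a 32-bit caller and a 64-bit
         * target (WOW64). psapi can still report the image path. */
        dwCopied = PsImageNameFromPsapi(hProc, lpImageFileName, nSize, pdwLastError);
    } else {
        *pdwLastError = GetLastError();
    }
    CloseHandle(hProc);
    return dwCopied;
}

DWORD WINAPI PsGetImageFileNameW(DWORD dwPid, LPWSTR lpImageFileName, DWORD nSize)
{
    /* Cached across calls; only the major version is ever consulted. */
    static OSVERSIONINFOW osvi = { sizeof(OSVERSIONINFOW) };
    DWORD dwCopied = 0;
    DWORD dwLastError = 0;

    if (lpImageFileName == NULL || nSize == 0) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return 0;
    }

    if (osvi.dwMajorVersion == 0) {
        /* GetVersionExW is deprecated and, without a compatibility manifest,
         * may under-report the version on newer Windows; that still answers
         * the only question asked here (major >= 6) correctly. If the call
         * fails dwMajorVersion stays 0 and we simply retry next time. */
        GetVersionExW(&osvi);
    }

    if (osvi.dwMajorVersion >= 6) {
        dwCopied = PsImageNameFromKernel(dwPid, lpImageFileName, nSize);
    }
    if (dwCopied == 0) {
        /* NT 5, or the privilege-free path yielded nothing: needs a handle. */
        dwCopied = PsImageNameFromHandle(dwPid, lpImageFileName, nSize, &dwLastError);
    }

    SetLastError(dwLastError);
    return dwCopied;
}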
[原创]各操作系统 获取EPROCESS中ActiveProcessLinks的偏移
学习了。不过我又在想：遍历链表查找 explorer.exe 会不会太麻烦？简单点，判断 ImageFileName 偏移处的第一个字节是不是英文字母，不知行不行？（审阅补充：只看一个字节误判率很高——指针、标志位的低字节也经常落在字母区间，很容易在错误的偏移上“命中”；至少要把该偏移处的整段字节和一个已知进程名完整比对，才能当作定位依据。） |