|
[原创]小议“非法模块”与“第三方检测”的那些事儿(2)
这……不是得搞安全软件的那一套了,最终又陷入到初级的云分析/反云分析的对抗中…… 顺便请教下V大,EPROCESS中类型为双向链表的成员有木有不宜修改/断链的(比如内核在线程调度时会依赖其中某些链表的位置,断链后可能出问题) |
|
[原创]小议“非法模块”与“第三方检测”的那些事儿(2)
个人感觉游戏进行云扫描有压力,要做得好投入有点大。样本抓少了没效果,抓多了忙不过来。 |
|
windows内核编程,如何鉴别进程
调试,看蓝屏的错误类型和出错的位置 |
|
|
|
windows内核编程,如何鉴别进程
通过目标进程的EPROCESS可以得到目标进程的可执行文件路径(当然有可能被隐藏),然后检验可执行文件。内核里实现CRC和MD5之类的算法完全没问题,注意好一些小细节即可。不过要注意:CRC 和 MD5 都不具备抗碰撞能力,只适合做普通的完整性校验;如果要对抗有意构造的篡改样本,应改用 SHA-256 之类的哈希,或者直接校验文件签名。 |
|
[求助]关于Windows NT中进程PDE的存储问题
大致上跟踪了下切换线程的过程,木有发现从页交换文件载入页表的行为…… |
|
[求助]关于Windows NT中进程PDE的存储问题
非PAE模式下每个进程的页目录至少占4KB吧(1024个PDE×4字节),256个进程就1MB去了。。。Windows NT设计之初内存不像现在这么充裕,几MB浪费不起…… |
|
[求助]关于Windows NT中进程PDE的存储问题
可能俺没描述清楚。。。问题简而言之就是:是不是所有进程的页目录(开启PAE时还包括页目录指针表)都一定常驻于物理内存中,不会被换出 |
|
这只狗如何打掉,请教一下菜鸟.
怎么看着像VMP…… |
|
|
|
|
|
|
|
shadow ssdt hook的一段代码,求解释
说一下我用KTHREAD.ServiceTable获取SSDT Shadow的思路: 找到GUI线程,然后通过该线程的KTHREAD.ServiceTable获取SSDT Shadow。 判断一个线程是否是GUI线程的标准就是该线程的KTHREAD.Win32Thread是否非0(非0即为GUI线程)。 找到GUI线程就简单了,比如遍历explorer.exe的线程表,或者去遍历线程也可以。注意 ServiceTable、Win32Thread 这些域在KTHREAD中的偏移随系统版本和位数不同而变化,硬编码偏移之前要按目标版本核对。 不过个人认为最好还是少用内核对象。容易被发现。 |
|
shadow ssdt hook的一段代码,求解释
WRK中,_KTHREAD是有Win32Thread这个域的 typedef struct _KTHREAD { // // The dispatcher header and mutant listhead are fairly infrequently // referenced. // DISPATCHER_HEADER Header; LIST_ENTRY MutantListHead; // // The following fields are referenced during context switches and wait // operatings. They have been carefully laid out to get the best cache // hit ratios. // PVOID InitialStack; PVOID StackLimit; PVOID KernelStack; KSPIN_LOCK ThreadLock; union { KAPC_STATE ApcState; struct { UCHAR ApcStateFill[KAPC_STATE_ACTUAL_LENGTH]; BOOLEAN ApcQueueable; volatile UCHAR NextProcessor; volatile UCHAR DeferredProcessor; UCHAR AdjustReason; SCHAR AdjustIncrement; }; }; KSPIN_LOCK ApcQueueLock; #if !defined(_AMD64_) ULONG ContextSwitches; volatile UCHAR State; UCHAR NpxState; KIRQL WaitIrql; KPROCESSOR_MODE WaitMode; #endif LONG_PTR WaitStatus; union { PKWAIT_BLOCK WaitBlockList; PKGATE GateObject; }; BOOLEAN Alertable; BOOLEAN WaitNext; UCHAR WaitReason; SCHAR Priority; UCHAR EnableStackSwap; volatile UCHAR SwapBusy; BOOLEAN Alerted[MaximumMode]; union { LIST_ENTRY WaitListEntry; SINGLE_LIST_ENTRY SwapListEntry; }; PRKQUEUE Queue; #if !defined(_AMD64_) ULONG WaitTime; union { struct { SHORT KernelApcDisable; SHORT SpecialApcDisable; }; ULONG CombinedApcDisable; }; #endif PVOID Teb; union { KTIMER Timer; struct { UCHAR TimerFill[KTIMER_ACTUAL_LENGTH]; // // N.B. The following bit number definitions must match the // following bit field. // // N.B. These bits can only be written with interlocked // operations. 
// #define KTHREAD_AUTO_ALIGNMENT_BIT 0 #define KTHREAD_DISABLE_BOOST_BIT 1 union { struct { LONG AutoAlignment : 1; LONG DisableBoost : 1; LONG ReservedFlags : 30; }; LONG ThreadFlags; }; }; }; union { KWAIT_BLOCK WaitBlock[THREAD_WAIT_OBJECTS + 1]; struct { UCHAR WaitBlockFill0[KWAIT_BLOCK_OFFSET_TO_BYTE0]; BOOLEAN SystemAffinityActive; }; struct { UCHAR WaitBlockFill1[KWAIT_BLOCK_OFFSET_TO_BYTE1]; CCHAR PreviousMode; }; struct { UCHAR WaitBlockFill2[KWAIT_BLOCK_OFFSET_TO_BYTE2]; UCHAR ResourceIndex; }; struct { UCHAR WaitBlockFill3[KWAIT_BLOCK_OFFSET_TO_BYTE3]; UCHAR LargeStack; }; #if defined(_AMD64_) struct { UCHAR WaitBlockFill4[KWAIT_BLOCK_OFFSET_TO_LONG0]; ULONG ContextSwitches; }; struct { UCHAR WaitBlockFill5[KWAIT_BLOCK_OFFSET_TO_LONG1]; volatile UCHAR State; UCHAR NpxState; KIRQL WaitIrql; KPROCESSOR_MODE WaitMode; }; struct { UCHAR WaitBlockFill6[KWAIT_BLOCK_OFFSET_TO_LONG2]; ULONG WaitTime; }; struct { UCHAR WaitBlockFill7[KWAIT_BLOCK_OFFSET_TO_LONG3]; union { struct { SHORT KernelApcDisable; SHORT SpecialApcDisable; }; ULONG CombinedApcDisable; }; }; #endif }; LIST_ENTRY QueueListEntry; // // The following fields are accessed during system service dispatch. // PKTRAP_FRAME TrapFrame; PVOID CallbackStack; PVOID ServiceTable; #if defined(_AMD64_) ULONG KernelLimit; #endif // // The following fields are referenced during ready thread and wait // completion. // UCHAR ApcStateIndex; UCHAR IdealProcessor; BOOLEAN Preempted; BOOLEAN ProcessReadyQueue; #if defined(_AMD64_) PVOID Win32kTable; ULONG Win32kLimit; #endif BOOLEAN KernelStackResident; SCHAR BasePriority; SCHAR PriorityDecrement; CHAR Saturation; KAFFINITY UserAffinity; PKPROCESS Process; KAFFINITY Affinity; // // The below fields are infrequently referenced. 
// PKAPC_STATE ApcStatePointer[2]; union { KAPC_STATE SavedApcState; struct { UCHAR SavedApcStateFill[KAPC_STATE_ACTUAL_LENGTH]; CCHAR FreezeCount; CCHAR SuspendCount; UCHAR UserIdealProcessor; UCHAR CalloutActive; #if defined(_AMD64_) BOOLEAN CodePatchInProgress; #elif defined(_X86_) UCHAR Iopl; #else UCHAR OtherPlatformFill; #endif }; }; [COLOR="Red"] PVOID Win32Thread;[/COLOR] PVOID StackBase; union { KAPC SuspendApc; struct { UCHAR SuspendApcFill0[KAPC_OFFSET_TO_SPARE_BYTE0]; SCHAR Quantum; }; struct { UCHAR SuspendApcFill1[KAPC_OFFSET_TO_SPARE_BYTE1]; UCHAR QuantumReset; }; struct { UCHAR SuspendApcFill2[KAPC_OFFSET_TO_SPARE_LONG]; ULONG KernelTime; }; struct { UCHAR SuspendApcFill3[KAPC_OFFSET_TO_SYSTEMARGUMENT1]; PVOID TlsArray; }; struct { UCHAR SuspendApcFill4[KAPC_OFFSET_TO_SYSTEMARGUMENT2]; PVOID BBTData; }; struct { UCHAR SuspendApcFill5[KAPC_ACTUAL_LENGTH]; UCHAR PowerState; ULONG UserTime; }; }; union { KSEMAPHORE SuspendSemaphore; struct { UCHAR SuspendSemaphorefill[KSEMAPHORE_ACTUAL_LENGTH]; ULONG SListFaultCount; }; }; LIST_ENTRY ThreadListEntry; PVOID SListFaultAddress; #if defined(_WIN64) LONG64 ReadOperationCount; LONG64 WriteOperationCount; LONG64 OtherOperationCount; LONG64 ReadTransferCount; LONG64 WriteTransferCount; LONG64 OtherTransferCount; #endif } KTHREAD, *PKTHREAD, *PRKTHREAD; #if !defined(_X86AMD64_) && defined(_AMD64_) C_ASSERT((FIELD_OFFSET(KTHREAD, ServiceTable) + 16) == FIELD_OFFSET(KTHREAD, Win32kTable)); C_ASSERT((FIELD_OFFSET(KTHREAD, ServiceTable) + 8) == FIELD_OFFSET(KTHREAD, KernelLimit)); C_ASSERT((FIELD_OFFSET(KTHREAD, Win32kTable) + 8) == FIELD_OFFSET(KTHREAD, Win32kLimit)); #endif // // ccNUMA supported in multiprocessor PAE and WIN64 systems only. // #if (defined(_WIN64) || defined(_X86PAE_)) && !defined(NT_UP) #define KE_MULTINODE #endif |
|
DeviceIoControl问题
改了共享标志还是老样子 |
|
shadow ssdt hook的一段代码,求解释
PsConvertToGuiThread是个内部函数,将一个非gui线程转换为gui线程,但不推荐自己调用它,可能会出问题。 win32thread这个域是在ethread还是kthread有点忘了,肯定是存在的,待会回去看看。。。 我的实现方式是遍历一个肯定有gui线程的进程中的线程去找。 |
|
|
|
shadow ssdt hook的一段代码,求解释
判断是不是gui线程的方法是检测kthread.win32thread是否为0,非0就是gui线程。 fastcall ObfDereferenceObject是因为PsLookupThreadByThreadId后该线程对应的线程对象的引用计数增加了,需要减少,详情请参阅MSDN中PsLookupThreadByThreadId的说明。 这个实现方法有局限噢,64位下的kthread没有ssdt指针了(注:楼上贴出的WRK定义里 ServiceTable 在AMD64下仍然存在,另外还多了 Win32kTable 域;实际发布版本的布局请自行核对) |