[求助]themida 2.1.8 的反调试
这玩意剧烈猛烈~ |
[求助]文件过滤驱动查询盘符问题。(Dynamic disk)
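根据传说是这么处理的~~

//////////////////////////////////////////////////////////////////////////
//
// ConvertDeviceName
//
// Convert a kernel file path of the form "\Device\HarddiskVolumeX\xxxx"
// into a DOS file path (c:\xxxx\xxx....).
//
// Parameters:
//   FileName    - NUL-terminated NT path of the file to open. The open uses
//                 FILE_NON_DIRECTORY_FILE, so a directory path fails here.
//   OutFileName - caller-supplied output buffer of CONVERTED_NAME_BYTES
//                 bytes. It is written through even though it is declared
//                 LPCWSTR; the declaration is kept for source compatibility
//                 with existing callers, but the buffer MUST be writable.
//
// Returns:
//   STATUS_SUCCESS with a NUL-terminated DOS path in OutFileName;
//   the IoCreateFile status if the open fails;
//   STATUS_INVALID_PARAMETER if the file object cannot be referenced, has
//   no name, or the combined name does not fit in CONVERTED_NAME_BYTES.
//
// Notes:
//   - If RtlVolumeDeviceToDosName cannot produce a drive letter for the
//     device (the thread this came from asks about dynamic disks), the
//     result is "\" followed by the file object's name instead.
//   - IoCreateFile is called with IO_NO_PARAMETER_CHECKING, so FileName
//     must be a kernel-mode buffer; validate any user-originated path
//     before it reaches this routine.
//   - NOTE(review): if this is called from a file-system filter's own
//     dispatch path, the IoCreateFile below re-enters the filter stack;
//     confirm the calling context tolerates that.
//
//////////////////////////////////////////////////////////////////////////

/* Size of the OutFileName buffer in bytes, including room for the NUL. */
enum { CONVERTED_NAME_BYTES = 0x800 * 2 };

NTSTATUS ConvertDeviceName(LPCWSTR FileName, LPCWSTR OutFileName)
{
    HANDLE FileHandle = NULL;
    PFILE_OBJECT FileObject = NULL;
    OBJECT_ATTRIBUTES oba;
    IO_STATUS_BLOCK iosb;
    UNICODE_STRING uniname;
    UNICODE_STRING VolumeName = { 0, 0, NULL };
    UNICODE_STRING FinalName;
    BOOLEAN WillFreeVolumeName = FALSE;
    NTSTATUS stat;

    RtlInitUnicodeString(&uniname, FileName);
    InitializeObjectAttributes(&oba, &uniname,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);

    stat = IoCreateFile(&FileHandle,
                        FILE_READ_ATTRIBUTES,
                        &oba,
                        &iosb,
                        NULL,
                        FILE_ATTRIBUTE_NORMAL,
                        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                        FILE_OPEN,
                        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                        NULL,
                        0,
                        CreateFileTypeNone,
                        NULL,
                        IO_NO_PARAMETER_CHECKING);
    if (!NT_SUCCESS(stat)) {
        return stat;    /* nothing acquired yet, nothing to release */
    }

    /* AccessMode is KernelMode, so the GENERIC_READ request is not checked
     * against the FILE_READ_ATTRIBUTES handle. */
    stat = ObReferenceObjectByHandle(FileHandle, GENERIC_READ, *IoFileObjectType,
                                     KernelMode, (PVOID *)&FileObject, NULL);
    if (!NT_SUCCESS(stat)) {
        FileObject = NULL;      /* no reference was taken; do not dereference */
        stat = STATUS_INVALID_PARAMETER;
        goto cleanup;
    }

    /* A referenced object with no name still has to be dereferenced; the
     * original returned early here and leaked the reference. */
    if (!FileObject->FileName.Length || !FileObject->FileName.Buffer) {
        stat = STATUS_INVALID_PARAMETER;
        goto cleanup;
    }

    /* On success the buffer is pool-allocated by RtlVolumeDeviceToDosName and
     * must be freed with ExFreePool. On failure fall back to a bare "\" that
     * points at a static literal and must NOT be freed. */
    stat = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &VolumeName);
    if (NT_SUCCESS(stat)) {
        WillFreeVolumeName = TRUE;
    } else {
        RtlInitUnicodeString(&VolumeName, L"\\");
    }

    /* Keep at least one WCHAR free so the zeroed buffer stays NUL-terminated. */
    if (FileObject->FileName.Length + VolumeName.Length >= CONVERTED_NAME_BYTES) {
        stat = STATUS_INVALID_PARAMETER;
        goto cleanup;
    }

    RtlZeroMemory((PVOID)OutFileName, CONVERTED_NAME_BYTES);
    FinalName.Buffer = (PWSTR)OutFileName;  /* see header: written despite LPCWSTR */
    FinalName.Length = 0;
    FinalName.MaximumLength = CONVERTED_NAME_BYTES;

    stat = RtlAppendUnicodeStringToString(&FinalName, &VolumeName);
    if (NT_SUCCESS(stat)) {
        stat = RtlAppendUnicodeStringToString(&FinalName, &FileObject->FileName);
    }
    if (!NT_SUCCESS(stat)) {
        stat = STATUS_INVALID_PARAMETER;    /* same code the original reported */
    }

cleanup:
    if (FileObject) {
        ObDereferenceObject(FileObject);
    }
    ZwClose(FileHandle);
    /* The original gated this on MmIsAddressValid(); that is not a validity
     * test for a pool pointer (it is FALSE for a paged-out page) and would
     * have leaked the name in that case. The ownership flag is sufficient. */
    if (WillFreeVolumeName) {
        ExFreePool(VolumeName.Buffer);
    }
    return stat;
}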
[分享]逆向整理包编译通过版鬼影3.0代码~
无法用windbg调试鸟~ |
[分享]逆向整理包编译通过版鬼影3.0代码~
FS提取出来了,话说主要是太多bin要逆~而且跟鬼影类似的各种硬的要命的硬编地址~ |
[分享]逆向整理包编译通过版鬼影3.0代码~
样本不知去向了~ |
[分享]逆向整理包编译通过版鬼影3.0代码~
话说TDL4那个负责安装的exe太操蛋了 |