[公告]kx币赚取及消费
支持 |
[原创]穿透ghost种植木马
木马有好有坏,给网警做侦查使用就是好的。 |
[原创]应用层结束Anti RootKit
可以自己启动一个傀儡进程比如regedit.exe,然后父窗口设置为这个进程就行了。 |
[原创]反模拟类游戏外挂
键盘鼠标回调、WRITE_PORT_UCHAR、READ_PORT_UCHAR需要在内核中调用的。 |
[原创]反模拟类游戏外挂
游戏外挂有模拟类、内部Call功能调用、脱机类外挂。模拟类外挂就是模拟人的行为,自动操作鼠标键盘。 |
[原创]内核层内存扫描的探究
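/*
 * Resolve the FILE_OBJECT backing one MmPagingFile table slot for the running
 * OS version. The WIN7 / VISTA_2008 / XP MMPAGING_FILE layouts place `File`
 * at different offsets, so the cast must follow gWinVerDetail; collapsing the
 * three copy-pasted branches here keeps the version table in one place.
 *
 * entry  - value read out of the MmPagingFile table slot (pointer to the
 *          version-specific MMPAGING_FILE structure)
 * Returns the slot's File pointer, or NULL when the entry is NULL / not a
 * valid kernel address or gWinVerDetail is none of the three handled layouts.
 * The dereference may fault; callers keep this inside __try.
 */
static PFILE_OBJECT PagingFileObjectForVersion(PVOID entry)
{
    if (!entry || !MmIsAddressValid(entry)) {
        return NULL;
    }
    if (gWinVerDetail == WINDOWS_VERSION_7) {
        return ((PMMPAGING_FILE_WIN7)entry)->File;
    }
    if (gWinVerDetail == WINDOWS_VERSION_VISTA_2008) {
        return ((PMMPAGING_FILE_VISTA)entry)->File;
    }
    if (gWinVerDetail == WINDOWS_VERSION_XP) {
        return ((PMMPAGING_FILE_XP)entry)->File;
    }
    /* unsupported OS build: caller reports failure */
    return NULL;
}

/*
 * Read `size` bytes at `pageOffset` out of paging file number `pageIndex`
 * (through ReadFromMapFile, which targets the global pProcessData buffer).
 *
 * ep_list_entry - must be non-NULL; passed through to ReadFromMapFile
 * pageIndex     - index into the MmPagingFile table
 * pageOffset    - byte offset inside that paging file
 * size          - byte count to read
 * irql_lock     - passed through to ReadFromMapFile
 * Returns FALSE when the MmPagingFile table has not been resolved, pageIndex
 * is not below the kernel's MmNumberOfPagingFiles (when that value is
 * readable), the table slot or the structure it points at is not a valid
 * address, the OS version is unsupported, the read fails, or an exception is
 * raised while touching the structures; TRUE otherwise.
 */
BOOLEAN ReadFromPageFile(PEPROCESS_LIST ep_list_entry, ULONG pageIndex, ULONGLONG pageOffset, ULONG size, KIRQL irql_lock)
{
    BOOLEAN ret = FALSE;

    if (!g_MmPagingFile || !ep_list_entry) {
        /* MmPagingFile table not located (or no process entry) - nothing to read from */
        return ret;
    }

    /* Reject indexes at or past the kernel's own paging-file count, when that count is mapped. */
    {
        PULONG numPagingFiles = (PULONG)GeKdDebuggerDataBlock->MmNumberOfPagingFiles.VirtualAddress;
        if (MmIsAddressValid((PVOID)numPagingFiles) && pageIndex >= *numPagingFiles) {
            return ret;
        }
    }

    /* Both the table slot and the MMPAGING_FILE it points at must be valid addresses. */
    if (!MmIsAddressValid((PVOID)(g_MmPagingFile + pageIndex)) ||
        !MmIsAddressValid((PVOID)(*(g_MmPagingFile + pageIndex)))) {
        return ret;
    }

    /* NOTE(review): MmIsAddressValid is check-then-use; the __try below is what
     * actually bounds a fault if the page goes away between check and access. */
    __try {
        PFILE_OBJECT pagingFile = PagingFileObjectForVersion((PVOID)(*(g_MmPagingFile + pageIndex)));
        if (pagingFile) {
            ret = ReadFromMapFile(ep_list_entry, pagingFile, pageOffset, size, irql_lock);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        ret = FALSE;
    }
    return ret;
}

/*
 * Synchronously page-read `Length` bytes from file offset `Start` of
 * pFilePointer into the global pProcessData buffer.
 *
 * The buffer is zeroed first, so a read that ends with STATUS_END_OF_FILE
 * leaves the unread tail zero-filled and is still reported as success.
 * ep_list_entry and irql_lock are accepted for interface compatibility only.
 *
 * Returns TRUE when GeIoPageRead completed with STATUS_SUCCESS or
 * STATUS_END_OF_FILE; FALSE for a NULL/invalid file object or device object,
 * Length == 0, MDL allocation failure, STATUS_TIMEOUT, or any other failure.
 *
 * NOTE(review): Length is never compared with the capacity of pProcessData
 * (not visible here); RtlZeroMemory and the MDL both trust it. Confirm the
 * caller bounds Length to the buffer's allocation size.
 * NOTE(review): the pFilePointer / DeviceObject checks are check-then-use and
 * the dereferences below are not inside __try (unlike ReadFromPageFile).
 */
BOOLEAN ReadFromMapFile(PEPROCESS_LIST ep_list_entry, PFILE_OBJECT pFilePointer, ULONGLONG Start, ULONG Length, KIRQL irql_lock)
{
    BOOLEAN ret = FALSE;
    IO_STATUS_BLOCK IoStatus;
    LARGE_INTEGER Offset;
    NTSTATUS Status;
    PMDL Mdl = NULL;
    KEVENT Event;
    PIRP pIrp = NULL;

    UNREFERENCED_PARAMETER(ep_list_entry);
    UNREFERENCED_PARAMETER(irql_lock);

    /* Length is ULONG, so zero is the only invalid size (the old `<= 0` test was misleading). */
    if (!pFilePointer || !MmIsAddressValid(pFilePointer) ||
        !pFilePointer->DeviceObject || !MmIsAddressValid(pFilePointer->DeviceObject) ||
        Length == 0) {
        return FALSE;
    }

    RtlZeroMemory(pProcessData, Length);

    /* Original note: "must be allocated globally unique" - presumably pProcessData
     * is meant to be a single global allocation; confirm against its definition. */
    Mdl = IoAllocateMdl(pProcessData, Length, FALSE, FALSE, NULL);
    if (!Mdl) {
        return FALSE;
    }
    Offset.QuadPart = Start;
    MmBuildMdlForNonPagedPool(Mdl);
    Mdl->MdlFlags |= MDL_IO_PAGE_READ;

    /* NotificationEvent: does not auto-reset */
    KeInitializeEvent(&Event, NotificationEvent, FALSE);

    KeEnterCriticalRegion();
    Status = GeIoPageRead(pFilePointer, Mdl, &Offset, &Event, &IoStatus, pIrp);
    if (Status == STATUS_PENDING) {
        /* Wait with no timeout. Per the original author: even if the prototype PTE
         * changes meanwhile (page-file offset/length moved), the driver does not hang. */
        KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
        Status = IoStatus.Status;
    }
    KeLeaveCriticalRegion();

    /* Mdl is known non-NULL from here on, so no guard is needed before IoFreeMdl. */
    if ((!NT_SUCCESS(Status) && Status != STATUS_END_OF_FILE) || Status == STATUS_TIMEOUT) {
        IoFreeMdl(Mdl);
        return FALSE;
    }

    if (IoStatus.Status == STATUS_END_OF_FILE || IoStatus.Status == STATUS_SUCCESS) {
        ret = TRUE;
    }
    IoFreeMdl(Mdl);
    return ret;
}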
[求助]线程钩子
SetWindowsHookEx会有一个dll注入到其它进程中去的,是其它进程中的线程。 |
[求助]DLL怎么隐藏输入表
加一个加密壳,壳会对输入表进行加密。 |