|
[原创]抛砖引玉—硬件断点的检测和反检测
国标 到此一游 |
|
|
|
[原创]ObCallback 回调钩子检测
国标 到此一游 |
|
[原创]创建进程时注入DLL
MARK |
|
[分享]32位hook还原
MARK |
|
[公告]2014/1/14 服务器搬迁,停机半天
我等的福音呀 |
|
[求助]R3层还原DOS路径名
现在我也采取了一个折中的方案调整了代码 for (c = L'A'; c <= L'Z'; c++) { drivername[4] =c; ///本来在在这一句报异常,错误号0xc0000005,现在改为一般的宽字符,而在下句初始化,就没报错了,但在另外地方报错了,见下面; RtlInitUnicodeString(&driveLetterName, drivername); InitializeObjectAttributes(&attributes, &driveLetterName, OBJ_CASE_INSENSITIVE, 0, 0); status=ZwOpenSymbolicLinkObject(&linkHandle, GENERIC_READ, &attributes);//报错,0xc0000005 // if (!NT_SUCCESS(ZwOpenSymbolicLinkObject(&linkHandle, FILE_ALL_ACCESS/*GENERIC_READ*/, &attributes))) // continue; if (!NT_SUCCESS(status)) { return status ; } if (!NT_SUCCESS(ZwQuerySymbolicLinkObject(linkHandle, &linkTarget, NULL))) continue; |
|
[求助]R3层还原DOS路径名
本来已经能够显示设备符号路径了,我就是想转换到DOS路径名。是不是这个字符串初始化有问题 driveLetterName.Buffer[4] = c; ///在这一句报异常,错误号0xc0000005 |
|
[求助]R3层还原DOS路径名
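/*
 * SfNtNameToDosName - translate an NT device path such as
 * "\Device\HarddiskVolume1\dir\file" into its DOS form "C:\dir\file" by
 * walking the "\??\A:" .. "\??\Z:" symbolic links and looking for one whose
 * target is a path-component prefix of NtName.
 *
 * NtName  : input NT path. It need not be NUL-terminated; only Length bytes
 *           are ever read.
 * DosName : on STATUS_SUCCESS receives a NUL-terminated string whose Buffer
 *           was allocated with malloc(); the caller releases it with free(),
 *           NOT RtlFreeUnicodeString(). Left untouched on every failure path.
 *
 * Returns STATUS_SUCCESS, STATUS_NOT_FOUND when no drive letter maps onto
 * NtName, STATUS_INVALID_PARAMETER for NULL arguments,
 * STATUS_INSUFFICIENT_RESOURCES when the result cannot be allocated, or
 * STATUS_NAME_TOO_LONG when the result does not fit a UNICODE_STRING.
 *
 * Fixes relative to the thread's version:
 *  - the "\??\X:" name is built in a writable local array. The original
 *    pointed driveLetterName.Buffer at the L"\\??\\C:" literal and then wrote
 *    Buffer[4] = c; string literals are read-only, which is exactly the
 *    0xC0000005 access violation reported;
 *  - linkTarget no longer mixes malloc() with RtlFreeUnicodeString();
 *  - every opened link handle is closed;
 *  - NtName->Length is checked before the prefix compare (no over-read);
 *  - the match must end on a path separator, so "\Device\HarddiskVolume1"
 *    no longer claims "\Device\HarddiskVolume10\...".
 */
NTSTATUS SfNtNameToDosName(PUNICODE_STRING NtName, PUNICODE_STRING DosName)
{
    WCHAR driveName[] = L"\\??\\C:";   /* index 4 is the drive letter */
    WCHAR targetBuf[256];              /* fixed buffer: nothing to free on any path */
    UNICODE_STRING driveLetterName;
    UNICODE_STRING linkTarget;
    OBJECT_ATTRIBUTES attributes;
    WCHAR c;

    if (NtName == NULL || DosName == NULL || NtName->Buffer == NULL)
        return STATUS_INVALID_PARAMETER;

    RtlInitUnicodeString(&driveLetterName, driveName);

    for (c = L'A'; c <= L'Z'; c++) {
        HANDLE linkHandle = INVALID_HANDLE_VALUE;
        NTSTATUS status;
        size_t tailBytes;
        size_t dosBytes;

        driveName[4] = c;   /* "\??\A:" .. "\??\Z:" */

        /* Reset per iteration: a failed query may leave Length in any state. */
        linkTarget.Length = 0;
        linkTarget.MaximumLength = (USHORT)sizeof(targetBuf);
        linkTarget.Buffer = targetBuf;

        InitializeObjectAttributes(&attributes, &driveLetterName, OBJ_CASE_INSENSITIVE, NULL, NULL);
        status = ZwOpenSymbolicLinkObject(&linkHandle, GENERIC_READ, &attributes);
        if (!NT_SUCCESS(status))
            continue;   /* letter not assigned */

        status = ZwQuerySymbolicLinkObject(linkHandle, &linkTarget, NULL);
        ZwClose(linkHandle);   /* the original leaked every handle it opened */
        if (!NT_SUCCESS(status))
            continue;   /* e.g. STATUS_BUFFER_TOO_SMALL for an oversized target */

        /*
         * Prefix match. _wcsnicmp is only safe because NtName is first proven
         * to hold at least linkTarget.Length bytes: a UNICODE_STRING need not
         * be NUL-terminated, so the unchecked original could read past the
         * end of NtName->Buffer. An empty target would match everything.
         */
        if (linkTarget.Length == 0 || NtName->Length < linkTarget.Length)
            continue;
        if (_wcsnicmp(NtName->Buffer, linkTarget.Buffer, linkTarget.Length / sizeof(WCHAR)) != 0)
            continue;
        /* The prefix must end at a path separator or at the end of NtName. */
        if (NtName->Length > linkTarget.Length &&
            NtName->Buffer[linkTarget.Length / sizeof(WCHAR)] != L'\\')
            continue;

        tailBytes = (size_t)NtName->Length - linkTarget.Length;
        dosBytes = 2 * sizeof(WCHAR) + tailBytes;   /* "X:" + remainder */
        /* Length and MaximumLength are USHORT; refuse rather than truncate. */
        if (dosBytes + sizeof(WCHAR) > 0xFFFF)
            return STATUS_NAME_TOO_LONG;

        DosName->Buffer = (WCHAR *)malloc(dosBytes + sizeof(WCHAR));
        if (DosName->Buffer == NULL)
            return STATUS_INSUFFICIENT_RESOURCES;

        DosName->Length = (USHORT)dosBytes;
        DosName->MaximumLength = (USHORT)(dosBytes + sizeof(WCHAR));
        DosName->Buffer[0] = c;
        DosName->Buffer[1] = L':';
        memcpy(DosName->Buffer + 2, (PBYTE)NtName->Buffer + linkTarget.Length, tailBytes);
        DosName->Buffer[dosBytes / sizeof(WCHAR)] = L'\0';
        return STATUS_SUCCESS;
    }

    return STATUS_NOT_FOUND;
}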
|
[求助]驱动如何在指定进程中内存写入
/* Forum reply: "Here is a piece of code; see whether it works for you." */

/*
 * IoCreateWriteMdlForAddress - describe [InAddress, InAddress + Size) with an
 * MDL and hand back a kernel-mode mapping of it in *OutAddress, so the range
 * can be written through that alias ("make the memory writable").
 *
 * Returns the MDL, which the caller must release with IoFreeMdlForAddress
 * (passing the *OutAddress it received), or NULL on any failure.
 *
 * NOTE(review): MmBuildMdlForNonPagedPool is documented only for memory that
 * is already resident nonpaged system memory; it neither probes nor locks the
 * pages. For memory belonging to another process (the question in this
 * thread) the supported pattern is IoAllocateMdl + MmProbeAndLockPages with
 * IoModifyAccess inside __try/__except while attached to that process, then
 * MmMapLockedPagesSpecifyCache — confirm against the WDK before relying on
 * this snippet for user-mode addresses.
 */
PMDL NTAPI IoCreateWriteMdlForAddress(PVOID InAddress, PVOID *OutAddress, size_t Size)
{
    PMDL pMdl = NULL;

    if (Size > 0) {
        /* Bitwise '|' rather than '||' here; harmless, and Size == 0 is
         * already excluded by the enclosing test. */
        if ((InAddress == NULL) | (Size == 0))
            return NULL;
        // if(!MmIsAddressValid(InAddress))
        //     return NULL;
        if (OutAddress == NULL)
            return NULL;
        /* Validates the pointer to the output slot, not InAddress, and only
         * at this instant; it is not a guarantee for later accesses. */
        if (!MmIsAddressValid(OutAddress))
            return NULL;
    } else {
        return NULL;
    }

    /* MmCreateMdl is marked obsolete in the WDK; IoAllocateMdl is the
     * supported allocator with the same NULL-on-failure contract. */
    pMdl = MmCreateMdl(NULL, InAddress, Size);
    if (pMdl == NULL) {
        return NULL;
    }
    MmBuildMdlForNonPagedPool(pMdl);
    // My_Mdl->MdlFlags = My_Mdl->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
    /* NOTE(review): MdlFlags are owned by the memory manager. Forcing
     * MDL_MAPPED_TO_SYSTEM_VA by hand is undocumented, and what it makes
     * MmMapLockedPages do for this MDL is an implementation detail — verify
     * on the target kernel versions rather than assuming a fresh mapping. */
    if (!FlagOn(pMdl->MdlFlags, MDL_MAPPED_TO_SYSTEM_VA))
        SetFlag(pMdl->MdlFlags, MDL_MAPPED_TO_SYSTEM_VA);
    /* MmMapLockedPages is obsolete and, per its documentation, raises an
     * exception on failure instead of returning NULL; that is why there is no
     * NULL check here, and pMdl would leak on that path.
     * MmMapLockedPagesSpecifyCache with NormalPagePriority returns NULL
     * instead and can be checked. */
    *OutAddress = MmMapLockedPages(pMdl, KernelMode);
    return pMdl;
}

/*
 * IoFreeMdlForAddress - undo IoCreateWriteMdlForAddress: unmap the alias
 * that was returned in *OutAddress (Address) and free the MDL. Nothing was
 * locked with MmProbeAndLockPages, so no MmUnlockPages call is needed here;
 * it would become necessary if the creator is changed to lock pages.
 */
VOID NTAPI IoFreeMdlForAddress(PVOID Address, PMDL pMdl)
{
    MmUnmapLockedPages(Address, pMdl);
    IoFreeMdl(pMdl);
}
|
[原创]开源 NtosTools
谢谢小房的开源 |
|
[分享]获取windbg下载地址
自己没用好,就不能说东西不好,真是不是我无能,是共军太狡猾勒 |
|
驱动加载先后的问题
呵呵呵呵,这还不简单,再改回来就行了