[Help] Monitoring process exit: how to tell whether a process exited on its own or was terminated by another process
Bro, it would be simpler to hook ZwTerminateProcess. Is there any query-based approach?

[Survey] Will commercial antivirus software for personal computers be replaced or die out in the future?
No, it will become even more urgent. It's simple: a country will not leave its security in another country's hands.
[Original] Bypassing user-mode HOOKs and kernel-mode SSDT HOOKs (process protection part)
Yes, process IDs and thread IDs are really indexes to EPROCESS / ETHREAD addresses. Process IDs and thread IDs are all multiples of 4 (mentioned on p.134 of "Windows Kernel Principles and Implementation"). After getting up I looked through the w2k source and analyzed it. As follows:

NTSTATUS
PsLookupProcessByProcessId(
    IN HANDLE ProcessId,
    OUT PEPROCESS *Process
    )
{
    .........................
    CidEntry = ExMapHandleToPointer(PspCidTable, ProcessId);
    .........................
}

NTKERNELAPI
PHANDLE_TABLE_ENTRY
ExMapHandleToPointer (
    IN PHANDLE_TABLE HandleTable,
    IN HANDLE Handle
    )
{
    EXHANDLE LocalHandle;
    PHANDLE_TABLE_ENTRY HandleTableEntry;

    PAGED_CODE();

    LocalHandle.GenericHandleOverlay = Handle;

    //
    // Translate the input handle to a handle table entry and make
    // sure it is a valid handle.
    //
    HandleTableEntry = ExpLookupHandleTableEntry( HandleTable, LocalHandle );
    .....................
}

PHANDLE_TABLE_ENTRY
ExpLookupHandleTableEntry (
    IN PHANDLE_TABLE HandleTable,
    IN EXHANDLE Handle
    )
{
    ULONG i,j,k,l;

    PAGED_CODE();

    //
    // Decode the handle index into its separate table indicies
    //
    l = (Handle.Index >> 24) & 255;
    i = (Handle.Index >> 16) & 255;
    j = (Handle.Index >> 8) & 255;
    k = (Handle.Index) & 255;

    //
    // The last bits should be 0 into a valid handle. If a function calls
    // ExpLookupHandleTableEntry for a kernel handle, it should decode the handle
    // before.
    //
    if ( l != 0 ) {
        //
        // Invalid handle. Return a NULL table entry.
        //
        return NULL;
    }

    //
    // Check that the top level table is present
    //
    if (HandleTable->Table[i] == NULL) {
        return NULL;
    }
    ........................................
}

//
// The Ex/Ob handle table package uses a common handle definition. The actual
// type definition for a handle is a pvoid and is declared in sdk/inc. This
// package uses only the low 32 bits of the pvoid pointer.
//
// For simplicity we declare a new typedef called an exhandle
//
// The 2 bits of an EXHANDLE is available to the application and is
// ignored by the system. The next 24 bits store the handle table entry
// index and is used to refer to a particular entry in a handle table.
//
// Note that this format is immutable because there are outside programs with
// hardwired code that already assumes the format of a handle.
//
typedef struct _EXHANDLE {
    union {
        struct {
            //
            // Application available tag bits
            //
            ULONG TagBits : 2;

            //
            // The handle table entry index
            //
            ULONG Index : 30;
        };
        HANDLE GenericHandleOverlay;
    };
} EXHANDLE, *PEXHANDLE;

DWORD dwProcessId --------> HANDLE -------> EXHANDLE

In an EXHANDLE the TagBits are unused, so 4, 5, 6 and 7 should all be the System process's process ID (as an example). Therefore:

if(dwProcessId == MydwProcessId)

should be changed to:

#define ID_ALIGN(ProcessId) ((ProcessId) >> 2)

if(ID_ALIGN(dwProcessId) == ID_ALIGN(MydwProcessId))
Last edited by 花弄影h on 2018-12-23 14:35, reason: .
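The following is an added example and is not code from the post above or from Windows: it replicates the quoted EXHANDLE layout in portable C to show why raw IDs 4, 5, 6 and 7 all resolve to the same PspCidTable index (only the tag bits differ) and why a process-protection hook that compares PIDs with `==` can be slipped past by an ID with the tag bits set, which the ID_ALIGN comparison from the post handles. The PROTECTED_PIDS values, the `decode_cid` / `is_protected_pid` helper names and the uint32_t stand-ins for ULONG/HANDLE are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Replica of the EXHANDLE layout quoted from the w2k source: 2 tag bits in
 * the low positions, then a 30-bit handle-table index. uint32_t stands in
 * for ULONG/HANDLE so this compiles without Windows headers (assumption). */
typedef union {
    struct {
        uint32_t TagBits : 2;   /* application-available, ignored by the kernel */
        uint32_t Index   : 30;  /* handle table entry index */
    } Bits;
    uint32_t GenericHandleOverlay;
} EXHANDLE_REPLICA;

/* The post's macro: drop the two tag bits before comparing IDs. */
#define ID_ALIGN(ProcessId) ((ProcessId) >> 2)

/* The four 8-bit table levels that ExpLookupHandleTableEntry decodes. */
typedef struct {
    uint32_t l, i, j, k;
} CID_LEVELS;

/* Decode a raw PID/TID the way ExpLookupHandleTableEntry does.
 * Returns 1 if the lookup would accept the handle (top level l == 0),
 * 0 if the kernel would return a NULL table entry for it. */
static int decode_cid(uint32_t raw_id, CID_LEVELS *levels, uint32_t *tag)
{
    EXHANDLE_REPLICA h;
    h.GenericHandleOverlay = raw_id;
    *tag = h.Bits.TagBits;
    levels->l = (h.Bits.Index >> 24) & 255;
    levels->i = (h.Bits.Index >> 16) & 255;
    levels->j = (h.Bits.Index >> 8) & 255;
    levels->k = (h.Bits.Index) & 255;
    return levels->l == 0;
}

/* Two IDs refer to the same PspCidTable entry iff their indexes match. */
static int same_process_id(uint32_t a, uint32_t b)
{
    return ID_ALIGN(a) == ID_ALIGN(b);
}

/* Constructed "protected process" list such as a process-protection hook
 * might keep. 1236 and 5008 are made-up PIDs, not values from the post. */
static const uint32_t PROTECTED_PIDS[] = { 1236, 5008 };
#define PROTECTED_COUNT (sizeof PROTECTED_PIDS / sizeof PROTECTED_PIDS[0])

/* The naive check a hook often starts with: exact match on the raw PID. */
static int is_protected_pid_naive(uint32_t pid)
{
    for (size_t n = 0; n < PROTECTED_COUNT; n++)
        if (PROTECTED_PIDS[n] == pid)
            return 1;
    return 0;
}

/* The corrected check from the post: compare on the table index, so a caller
 * passing pid+1 .. pid+3 still hits the protected entry. */
static int is_protected_pid(uint32_t pid)
{
    for (size_t n = 0; n < PROTECTED_COUNT; n++)
        if (same_process_id(PROTECTED_PIDS[n], pid))
            return 1;
    return 0;
}

int main(void)
{
    CID_LEVELS lv;
    uint32_t tag;

    /* 4, 5, 6, 7 all decode to index 1: one PspCidTable entry, different tag bits. */
    for (uint32_t id = 4; id <= 7; id++) {
        int ok = decode_cid(id, &lv, &tag);
        printf("id %u -> valid=%d tag=%u levels=(%u,%u,%u,%u)\n",
               id, ok, tag, lv.l, lv.i, lv.j, lv.k);
    }

    /* The bypass the post is fixing: 1237 slips past an exact-match check
     * but resolves to the same entry as the protected PID 1236. */
    printf("1237 naive=%d aligned=%d\n",
           is_protected_pid_naive(1237), is_protected_pid(1237));

    /* An ID whose top level is non-zero is rejected by the lookup. */
    printf("0x04000000 valid=%d\n", decode_cid(0x04000000u, &lv, &tag));
    return 0;
}
```

The bit-field layout relies on the compiler placing the first-declared field in the low bits, which is what MSVC and GCC do on x86; the decode therefore matches the `Handle.Index >> 24` arithmetic in the quoted kernel code rather than being an independent claim about it.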