[Share] New original anti-rootkit tool SysReveal, feel free to try it
v大, please don't discourage me... continuing to worship v大.

[Share] New original anti-rootkit tool SysReveal, feel free to try it
Everyone, forget that ksbinsword; at the time it was purely something I submitted as homework. I'm now writing another fun thing, and I'll open-source it once it's done. This time it's properly engineered code.

[Semi-original] Posting some code for creating a user-mode process from kernel mode
A very simple function that creates a remote thread; it works from both kernel mode and user mode:

    // Undocumented native APIs and structures used below. In user mode they are
    // resolved from ntdll.dll (see the commented-out GetProcAddress block); in
    // kernel mode ZwCreateThread and ZwWriteVirtualMemory are not declared in the
    // WDK headers, so the prototypes are given here. x86-only: the CONTEXT layout
    // and segment selectors below are 32-bit values.
    #include <ntddk.h>

    typedef struct _INITIAL_TEB {
        struct {
            PVOID OldStackBase;
            PVOID OldStackLimit;
        } OldInitialTeb;
        PVOID StackBase;
        PVOID StackLimit;
        PVOID StackAllocationBase;
    } INITIAL_TEB, *PINITIAL_TEB;

    NTSYSAPI NTSTATUS NTAPI ZwCreateThread(
        OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes, IN HANDLE ProcessHandle,
        OUT PCLIENT_ID ClientId, IN PCONTEXT ThreadContext,
        IN PINITIAL_TEB InitialTeb, IN BOOLEAN CreateSuspended);

    NTSYSAPI NTSTATUS NTAPI ZwWriteVirtualMemory(
        IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer,
        IN SIZE_T BufferLength, OUT PSIZE_T NumberOfBytesWritten OPTIONAL);

    // x86 reimplementation of ntdll's RtlInitializeContext (the post originally
    // pasted the Hex-Rays decompilation). Fills a CONTEXT whose EIP is the thread
    // start address and whose initial stack holds [return-address slot][Parameter],
    // which is what a __stdcall start routine expects at [ESP] and [ESP+4].
    NTSTATUS RtlInitializeContext(
        IN HANDLE ProcessHandle,
        OUT PCONTEXT Context,
        IN PVOID Parameter,
        IN PVOID InitialPc,
        IN PVOID InitialSp)
    {
        NTSTATUS Status;
        ULONG Sp = (ULONG)(ULONG_PTR)InitialSp;

        RtlZeroMemory(Context, sizeof(*Context));
        Context->ContextFlags = CONTEXT_FULL;     // 0x10007: control|integer|segments
        Context->SegCs = 0x18;                    // ring-3 code selector
        Context->SegDs = 0x20;                    // ring-3 data selector
        Context->SegEs = 0x20;
        Context->SegSs = 0x20;
        Context->SegFs = 0x38;                    // ring-3 TEB selector
        Context->SegGs = 0;
        Context->Eax = 0;                         // dummy register values, as in ntdll
        Context->Ebx = 1;
        Context->Ecx = 2;
        Context->Edx = 3;
        Context->Esi = 4;
        Context->Edi = 5;
        Context->Ebp = 0;
        Context->EFlags = 0x200;                  // IF set, everything else clear
        Context->Eip = (ULONG)(ULONG_PTR)InitialPc;

        // Push the start parameter onto the new stack.
        Sp -= sizeof(PVOID);
        Context->Esp = Sp;
        Status = ZwWriteVirtualMemory(ProcessHandle, (PVOID)(ULONG_PTR)Sp,
                                      &Parameter, sizeof(Parameter), NULL);
        if (!NT_SUCCESS(Status))
            return Status;

        // Reserve the return-address slot. Freshly committed memory is zero, so a
        // start routine that returns faults at address 0 instead of running garbage.
        Context->Esp -= sizeof(PVOID);
        return STATUS_SUCCESS;
    }

    NTSTATUS MyCreateRemoteThread(
        IN HANDLE ProcessHandle,
        IN PVOID ThreadStartAddress,
        IN PVOID ThreadParameter,
        IN OUT SIZE_T *ThreadStackSize,
        OUT PVOID *ThreadStackAddress,
        OUT HANDLE *ThreadHandle)
    {
        OBJECT_ATTRIBUTES ObjectAttributes;
        CONTEXT ThreadContext;
        INITIAL_TEB InitialTeb;
        CLIENT_ID ThreadClientId;
        NTSTATUS Status;

        // User-mode build: resolve the native functions from ntdll.dll instead.
        //HMODULE hNTDLL = LoadLibraryW(L"ntdll.dll");
        //ZwAllocateVirtualMemory = GetProcAddress(hNTDLL, "ZwAllocateVirtualMemory");
        //ZwFreeVirtualMemory     = GetProcAddress(hNTDLL, "ZwFreeVirtualMemory");
        //ZwCreateThread          = GetProcAddress(hNTDLL, "ZwCreateThread");
        //RtlInitializeContext    = GetProcAddress(hNTDLL, "RtlInitializeContext");

        // Allocate the new thread's stack inside the target process.
        *ThreadHandle = NULL;
        *ThreadStackAddress = NULL;
        *ThreadStackSize = 0x400000;
        Status = ZwAllocateVirtualMemory(ProcessHandle, ThreadStackAddress, 0,
                                         ThreadStackSize,
                                         MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (!NT_SUCCESS(Status))
            return Status;

        // Describe the stack to the kernel. Zero the structure first; the original
        // left OldInitialTeb and StackAllocationBase uninitialized.
        RtlZeroMemory(&InitialTeb, sizeof(InitialTeb));
        InitialTeb.StackAllocationBase = *ThreadStackAddress;
        InitialTeb.StackLimit = *ThreadStackAddress;
        InitialTeb.StackBase  = (PVOID)((PCHAR)*ThreadStackAddress + *ThreadStackSize);
        //RtlpCreateStack(handle, 0, 0, 0L, &InitialTeb);

        // Initial register state: EIP = start address, ESP just below the stack
        // base with the parameter already pushed.
        Status = RtlInitializeContext(ProcessHandle, &ThreadContext, ThreadParameter,
                                      ThreadStartAddress, InitialTeb.StackBase);
        if (!NT_SUCCESS(Status))
            goto FreeStack;

        InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
        Status = ZwCreateThread(ThreadHandle, THREAD_ALL_ACCESS, &ObjectAttributes,
                                ProcessHandle, &ThreadClientId, &ThreadContext,
                                &InitialTeb, FALSE);
        if (NT_SUCCESS(Status))
            return Status;

    FreeStack:
        // MEM_RELEASE requires RegionSize == 0.
        *ThreadStackSize = 0;
        ZwFreeVirtualMemory(ProcessHandle, ThreadStackAddress, ThreadStackSize, MEM_RELEASE);
        return Status;
    }

    HANDLE MyOpenProcess(HANDLE ProcessId)
    {
        NTSTATUS Status;
        OBJECT_ATTRIBUTES ObjectAttributes;
        CLIENT_ID ClientId;
        HANDLE ProcessHandle = NULL;

        InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
        ClientId.UniqueProcess = ProcessId;
        ClientId.UniqueThread = NULL;

        // The post opened the process with 0x0001 (PROCESS_TERMINATE). That only
        // works from kernel mode, where Zw* calls bypass the handle access check;
        // from user mode the handle must carry the rights the later calls need.
        Status = ZwOpenProcess(&ProcessHandle,
                               PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                               &ObjectAttributes, &ClientId);
        return NT_SUCCESS(Status) ? ProcessHandle : NULL;
    }

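As an added illustration (not code from the post above), the following portable C models what the hand-built RtlInitializeContext leaves on the new thread's stack before ZwCreateThread runs it. The "remote" process memory is a constructed zeroed buffer standing in for the freshly committed stack page, remote_write() plays the role of ZwWriteVirtualMemory, and the stack addresses, start address and parameter value are assumed. It shows that the start routine finds its parameter at [ESP+4] and a zero return address at [ESP], and that a push falling outside the committed region is rejected rather than silently corrupting memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the target process's memory: one 4 KiB zeroed
 * page, the state a page freshly committed by ZwAllocateVirtualMemory is in.
 * The addresses are assumed for the illustration. */
#define STACK_SIZE  4096u
#define STACK_LIMIT 0x00400000u                 /* lowest address of the stack */
#define STACK_BASE  (STACK_LIMIT + STACK_SIZE)  /* one past the highest address */
static uint8_t remote_stack[STACK_SIZE];

/* Plays the role of ZwWriteVirtualMemory; refuses writes outside the region. */
static bool remote_write(uint32_t addr, const void *buf, uint32_t len) {
    if (addr < STACK_LIMIT || addr >= STACK_BASE || len > STACK_BASE - addr)
        return false;
    memcpy(remote_stack + (addr - STACK_LIMIT), buf, len);
    return true;
}

/* Reads a dword from the modelled region; 0xFFFFFFFF marks an invalid address. */
static uint32_t remote_read32(uint32_t addr) {
    uint32_t v;
    if (addr < STACK_LIMIT || addr >= STACK_BASE || 4u > STACK_BASE - addr)
        return 0xFFFFFFFFu;
    memcpy(&v, remote_stack + (addr - STACK_LIMIT), 4);
    return v;
}

/* The fields of the x86 CONTEXT that RtlInitializeContext fills in. */
typedef struct {
    uint32_t ContextFlags;
    uint32_t SegGs, SegFs, SegEs, SegDs, SegCs, SegSs;
    uint32_t Edi, Esi, Ebx, Edx, Ecx, Eax, Ebp;
    uint32_t Eip, EFlags, Esp;
} x86_ctx;

#define CONTEXT_FULL_X86 0x00010007u  /* CONTEXT_CONTROL|INTEGER|SEGMENTS on x86 */
#define EFLAGS_IF        0x00000200u  /* interrupts enabled */

/* Register and stack setup performed by the reimplemented RtlInitializeContext:
 * push Parameter, then reserve one dword for the return address, so that the
 * start routine sees Parameter at [ESP+4] and the (zero) return slot at [ESP]. */
static bool init_context(x86_ctx *c, uint32_t param,
                         uint32_t start_pc, uint32_t initial_sp) {
    memset(c, 0, sizeof *c);
    c->ContextFlags = CONTEXT_FULL_X86;
    c->SegCs = 0x18;                       /* ring-3 code selector */
    c->SegDs = c->SegEs = c->SegSs = 0x20; /* ring-3 data selector */
    c->SegFs = 0x38;                       /* ring-3 TEB selector  */
    c->SegGs = 0;
    c->Ebx = 1; c->Ecx = 2; c->Edx = 3; c->Esi = 4; c->Edi = 5; /* dummy values */
    c->EFlags = EFLAGS_IF;
    c->Eip = start_pc;

    uint32_t sp = initial_sp - 4;          /* slot for the parameter */
    if (!remote_write(sp, &param, 4))      /* stack base outside the region */
        return false;
    c->Esp = sp - 4;                       /* return-address slot, left zero */
    return true;
}

/* What a __stdcall start routine observes on entry. */
static uint32_t arg_at_entry(const x86_ctx *c)     { return remote_read32(c->Esp + 4); }
static uint32_t retaddr_at_entry(const x86_ctx *c) { return remote_read32(c->Esp); }
```

Because the return slot holds whatever the fresh page contained (zero), a routine started this way that simply returns faults at address 0; it must terminate itself (for example via ZwTerminateThread) rather than return.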
[Original] DiskSpy 2.0, with sector-level file deletion, copying, and hidden-file detection
It contains my ntfs.sys source; everything else can be skipped~ it's just a pity nobody saw the value.

[Original] A small Children's Day gift: complete, compilable NT4 NTFS source (can stably replace XP's original ntfs.sys)
It seems that after all this time nobody has discovered the value of this project.

[Original] A small Children's Day gift: complete, compilable NT4 NTFS source (can stably replace XP's original ntfs.sys)
For certain reasons I can't debug these days; single-step it and find it yourself...

[Original] A small Children's Day gift: complete, compilable NT4 NTFS source (can stably replace XP's original ntfs.sys)
I put a breakpoint in DriverEntry; did it crash before reaching the breakpoint?

[Original] A small Children's Day gift: complete, compilable NT4 NTFS source (can stably replace XP's original ntfs.sys)
Thanks for the correction. For build details see http://www.debugman.com/read.php?tid=3174. I don't have the WDK here, so I can't test it, heh.

[Original] A small Children's Day gift: complete, compilable NT4 NTFS source (can stably replace XP's original ntfs.sys)
Tested: it runs fine on win2k3 + WRK. I'm now debugging with WRK + the knock-off ntfs, all at source level, very satisfying.

[Help] Why is the code region mapped by Win32k.sys not readable
Probably paged out.

[Help] What is the principle behind the Symbolic Links Viewer tool
It's in the page3 code inside KsBinSword.

[Help] Given a PID, how to get the process's full file path
See the knock-off IceSword (冰刃) implementation on this forum.

[Help] FileSystemControl fails to compile
It's just a union issue. Add it yourself.

[Help] Question about the MmMapViewOfSection function
See http://www.longene.org/forum/viewtopic.php?f=8&p=2668. MiMapViewOfPhysicalSection is used for mapping physical addresses (after the \Device\PhysicalMemory object has been created). For more detail see Master Mao's Windows内核情景分析 (Windows Kernel Scenario Analysis). MmMapViewOfSection is the function that maps a view once a shared memory section (Section) has been created; it can map ordinary files, PE files (which could also be treated as ordinary files, but Windows handles them specially), and the \Device\PhysicalMemory object (mapping physical memory).

[Help] Question about the NtCreateProcess() function
It's called from PspCreateProcess.