|
[分享]ida pro 6.6 原始安装文件 + sdk_utils
感谢分享,马上下来安装下看看 |
|
[注意]刚发现今天是1月13号
不容易啊...15年过去,看雪已然成为软件安全的权威论坛,无数人受益,感谢看雪团队以及那些无私奉献的大牛们和牛犊们 |
|
[求助]action表单提交到另一页面后的故事
根据你的请求类型,用http内置的request对象或者post对象取值,然后保存 |
|
<百度社招>客户端攻防功能模块开发与维护工程师
度娘不是进娱乐圈了吗? |
|
[求助][求助]:eek:关于截屏保护的一些问题
If the function succeeds, the return value is nonzero. If the function fails, the return value is zero. 不能注释原来的啊,先调用原来的BitBlt函数,然后直接返回0 |
|
根据簇号快速定位文件路径
解析NTFS的USN数据库,看看everything的原理吧 |
|
[原创]深入探究Windows平台客户端安全问题-进程地址空间入侵和白加黑高阶利用
想起几年前被LPK搞得痛不欲生 |
|
[招聘]北京智明星通,招聘windows安全分析师
不知道要不要专科? |
|
[求助]MiniFilter过滤不到文件名称
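还是直接上代码吧
/* ---- FsMiniFilter.h ---- */
#pragma once

#ifdef __cplusplus
extern "C" {
#endif

#include <fltKernel.h>

/*
 * DriverEntry is resolved by name by the loader, so it must have C linkage.
 * The original wrote a bare `extern "C"` in front of it, which only compiles
 * as C++; declaring it inside the existing __cplusplus guard works for both.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);

#ifdef __cplusplus
}
#endif

/* Unload routine and I/O callbacks; reached only through the tables below. */
NTSTATUS FilterUnLoad(FLT_FILTER_UNLOAD_FLAGS Flags);

FLT_PREOP_CALLBACK_STATUS PreOperationCallback(__inout PFLT_CALLBACK_DATA Data,
                                               __in PCFLT_RELATED_OBJECTS FltObjects,
                                               __deref_out_opt PVOID *CompletionContext);

FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(__inout PFLT_CALLBACK_DATA Data,
                                                 __in PCFLT_RELATED_OBJECTS FltObjects,
                                                 __in_opt PVOID CompletionContext,
                                                 __in FLT_POST_OPERATION_FLAGS Flags);

/*
 * Operation table: every major function gets both callbacks, except
 * IRP_MJ_SHUTDOWN, for which Filter Manager supports no post-operation
 * callback. `static` so a second translation unit including this header
 * does not produce a duplicate external definition.
 */
static const FLT_OPERATION_REGISTRATION Callback[] = {
    { IRP_MJ_CREATE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_CREATE_NAMED_PIPE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_CLOSE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_READ, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_WRITE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_QUERY_INFORMATION, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_SET_INFORMATION, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_QUERY_EA, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_SET_EA, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_FLUSH_BUFFERS, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_QUERY_VOLUME_INFORMATION, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_SET_VOLUME_INFORMATION, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_DIRECTORY_CONTROL, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_FILE_SYSTEM_CONTROL, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_DEVICE_CONTROL, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_INTERNAL_DEVICE_CONTROL, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_SHUTDOWN, 0, PreOperationCallback, NULL }, /* post operation callback not supported */
    { IRP_MJ_LOCK_CONTROL, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_CLEANUP, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_CREATE_MAILSLOT, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_QUERY_SECURITY, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_SET_SECURITY, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_QUERY_QUOTA, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_SET_QUOTA, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_PNP, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_RELEASE_FOR_MOD_WRITE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_RELEASE_FOR_CC_FLUSH, 0, PreOperationCallback, PostOperationCallback },
    /* { IRP_MJ_NOTIFY_STREAM_FILE_OBJECT, 0, PreOperationCallback, PostOperationCallback }, */
    { IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_NETWORK_QUERY_OPEN, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_MDL_READ, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_MDL_READ_COMPLETE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_PREPARE_MDL_WRITE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_MDL_WRITE_COMPLETE, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_VOLUME_MOUNT, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_VOLUME_DISMOUNT, 0, PreOperationCallback, PostOperationCallback },
    { IRP_MJ_OPERATION_END }
};

/*
 * Filter registration handed to FltRegisterFilter. Every instance callback
 * is left NULL, so the filter never refuses an attachment.
 */
static CONST FLT_REGISTRATION g_registration = {
    sizeof(FLT_REGISTRATION),   /* Size */
    FLT_REGISTRATION_VERSION,   /* Version */
    0,                          /* Flags: an integer field, so 0 rather than the original NULL */
    NULL,                       /* ContextRegistration */
    Callback,                   /* OperationRegistration */
    FilterUnLoad,               /* FilterUnloadCallback */
    NULL,                       /* InstanceSetupCallback */
    NULL,                       /* InstanceQueryTeardownCallback */
    NULL,                       /* InstanceTeardownStartCallback */
    NULL,                       /* InstanceTeardownCompleteCallback */
    NULL,                       /* GenerateFileNameCallback */
    NULL,                       /* NormalizeNameComponentCallback */
    NULL                        /* NormalizeContextCleanupCallback */
};

typedef struct _NULL_FILTER_DATA {
    PFLT_FILTER FilterHandle;   /* from FltRegisterFilter; NULL while not registered */
} NULL_FILTER_DATA, *PNULL_FILTER_DATA;

/*
 * Declared here, defined once in the source file. The original defined the
 * variable in the header, which breaks as soon as two files include it.
 */
extern NULL_FILTER_DATA FilterData;

/* ---- source file (name not shown on the page) ---- */
#include "FsMiniFilter.h"

NULL_FILTER_DATA FilterData = { NULL };

/*
 * Logs the normalized name of the file the current operation targets.
 *
 * Does nothing when there is no file object. FltGetFileNameInformation
 * requires IRQL <= APC_LEVEL, while post-operation callbacks may run at
 * DISPATCH_LEVEL, so the query is skipped at high IRQL; the documented way
 * to keep the name in that case is FltDoCompletionProcessingWhenSafe.
 */
static void LogFileName(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects)
{
    PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL;
    NTSTATUS ntStatus;

    if (FltObjects->FileObject == NULL) {
        return;
    }
    if (KeGetCurrentIrql() > APC_LEVEL) {
        KdPrint(("file name query skipped: IRQL > APC_LEVEL\r\n"));
        return;
    }

    ntStatus = FltGetFileNameInformation(Data,
                                         FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
                                         &fileNameInfo);
    if (!NT_SUCCESS(ntStatus)) {
        /* Silently dropped in the original; the status is what explains
         * "no names seen" when a given operation does not support queries. */
        KdPrint(("FltGetFileNameInformation failed: 0x%08X\r\n", ntStatus));
        return;
    }

    ntStatus = FltParseFileNameInformation(fileNameInfo);
    if (NT_SUCCESS(ntStatus)) {
        /* %wZ expects a PUNICODE_STRING; the original passed the struct by value. */
        KdPrint(("%wZ\n", &fileNameInfo->Name));
    }
    FltReleaseFileNameInformation(fileNameInfo);
}

/*
 * Registers and starts the minifilter.
 *
 * Returns the status of the failing Filter Manager call, or STATUS_SUCCESS.
 * On failure FilterHandle is reset to NULL so nothing is unregistered twice.
 *
 * NOTE(review): if either call below fails, no instance is ever attached and
 * no callback fires - the first thing to check for the "nothing is
 * intercepted" symptom. The original printed the success message even when
 * registration failed, which hides exactly that. A missing altitude/Instances
 * registry configuration from the INF is a common cause - verify.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    UNREFERENCED_PARAMETER(RegistryPath);

    __try {
        status = FltRegisterFilter(DriverObject, &g_registration, &FilterData.FilterHandle);
        if (!NT_SUCCESS(status)) {
            KdPrint(("FltRegisterFilter failed: 0x%08X\r\n", status));
            FilterData.FilterHandle = NULL;
            __leave;
        }

        status = FltStartFiltering(FilterData.FilterHandle);
        if (!NT_SUCCESS(status)) {
            KdPrint(("FltStartFiltering failed: 0x%08X\r\n", status));
            FltUnregisterFilter(FilterData.FilterHandle);
            FilterData.FilterHandle = NULL;
            __leave;
        }

        KdPrint(("MiniFilter启动成功\r\n"));
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        KdPrint(("DriverEntry 异常\r\n"));
    }

    return status;
}

/*
 * Unload callback: unregisters the filter if it is still registered.
 * Always returns STATUS_SUCCESS (unload is never refused).
 */
NTSTATUS FilterUnLoad(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);

    if (FilterData.FilterHandle != NULL) {
        FltUnregisterFilter(FilterData.FilterHandle);
        FilterData.FilterHandle = NULL;   /* guards against a second unregister */
    }
    KdPrint(("MiniFilter卸载成功\r\n"));
    return STATUS_SUCCESS;
}

/*
 * Pre-operation callback: logs the target file name and asks for the
 * post-operation callback, except for IRP_MJ_SHUTDOWN, which is registered
 * without one.
 *
 * The original computed the right status and then returned
 * FLT_PREOP_SUCCESS_WITH_CALLBACK unconditionally, requesting a post
 * callback that does not exist for IRP_MJ_SHUTDOWN; it also invoked
 * PostOperationCallback by hand before the operation had completed.
 */
FLT_PREOP_CALLBACK_STATUS PreOperationCallback(__inout PFLT_CALLBACK_DATA Data,
                                               __in PCFLT_RELATED_OBJECTS FltObjects,
                                               __deref_out_opt PVOID *CompletionContext)
{
    FLT_PREOP_CALLBACK_STATUS returnStatus;

    *CompletionContext = NULL;
    KdPrint(("进入PreCallback\r\n"));

    __try {
        LogFileName(Data, FltObjects);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        KdPrint(("PreOperationCallback异常\r\n"));
    }

    if (Data->Iopb->MajorFunction == IRP_MJ_SHUTDOWN) {
        returnStatus = FLT_PREOP_SUCCESS_NO_CALLBACK;
    } else {
        returnStatus = FLT_PREOP_SUCCESS_WITH_CALLBACK;
    }

    KdPrint(("离开PreCallback\r\n"));
    return returnStatus;
}

/*
 * Post-operation callback: logs the target file name.
 *
 * When FLTFL_POST_OPERATION_DRAINING is set, Filter Manager is draining
 * outstanding completions (instance teardown / unload) and the callback
 * should only clean up, so the file object is not touched.
 * Always returns FLT_POSTOP_FINISHED_PROCESSING.
 */
FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(__inout PFLT_CALLBACK_DATA Data,
                                                 __in PCFLT_RELATED_OBJECTS FltObjects,
                                                 __in_opt PVOID CompletionContext,
                                                 __in FLT_POST_OPERATION_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(CompletionContext);

    KdPrint(("进入PostCallback\r\n"));

    if ((Flags & FLTFL_POST_OPERATION_DRAINING) == 0) {
        __try {
            LogFileName(Data, FltObjects);
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            KdPrint(("PostOperationCallback异常\r\n"));
        }
    }

    KdPrint(("离开PostCallback\r\n"));
    return FLT_POSTOP_FINISHED_PROCESSING;
}
|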
|
|
|
[求助]MiniFilter过滤不到文件名称
在Pre回调中也一样,什么都拦截不到 |
|
[讨论]谈一谈,做一个杀毒软件,必备的Windows驱动程序
菜鸟来学习了,lz考虑的很多啊 |
|
|
|
[原创]Hook Com接口函数
收藏起来慢慢看 |
|
[原创]来了论坛整十年,还是水一帖记念一下
看看我多少年了。。。 |
|
[求助]LPC 32位和64位通信失败
膜拜V大,确实是地址翻译的问题.wow64lib是什么?具体该怎么解决地址翻译的问题.能不能送佛送到西? |