[Help] Viewing KeServiceDescriptorTableShadow in WinDbg: the data inside is invalid
Sorry, I misspoke; the problem is solved. I said earlier that I had written an MFC program to fetch the table through DeviceIoControl and that testing showed the fetch failed. That was wrong: it failed because my own code had a bug! To summarise: when you look at the SHADOW table under WinDbg, you may not see any function addresses in it. The fix is to write a GUI program that sends IRP_MJ_DEVICE_CONTROL, so that the driver runs in the context of a GUI thread; then you can obtain the SHADOW table. I hope this is of some help to beginners.

[Help] Viewing KeServiceDescriptorTableShadow in WinDbg: the data inside is invalid
Then how does RKU get it? There seem to be plenty of articles online about how to obtain the shadow table, but none of them mention running into this situation, and even the ones that do never say how to actually implement it. Very frustrating: I have only just started learning drivers and I am already stuck on getting the SHADOW table.

[Help] Viewing KeServiceDescriptorTableShadow in WinDbg: the data inside is invalid
Take a look, this is what I see when debugging with two machines:

kd> dd 80553140
80553140 80502030 00000000 0000011c 805024a4
80553150 bf997600 00000000 0000029b bf998310
80553160 00000000 00000000 00000000 00000000
80553170 00000000 00000000 00000000 00000000
80553180 80502030 00000000 0000011c 805024a4
80553190 00000000 00000000 00000000 00000000
805531a0 00000000 00000000 00000000 00000000
805531b0 00000000 00000000 00000000 00000000
kd> dd bf997600
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
bf997620 ???????? ???????? ???????? ????????
bf997630 ???????? ???????? ???????? ????????
bf997640 ???????? ???????? ???????? ????????
bf997650 ???????? ???????? ???????? ????????
bf997660 ???????? ???????? ???????? ????????
bf997670 ???????? ???????? ???????? ????????

My SHADOW table is empty. I looked around online and found that it can only be obtained in the context of a GUI thread, so I wrote an MFC program to fetch it through DeviceIoControl, but testing shows the fetch fails. Could this be related to my operating system? Mine is a Ghost (GHO) image of XP.

[Help] Viewing KeServiceDescriptorTableShadow in WinDbg: the data inside is invalid
Could somebody please just tell me? I am seeing the same thing:

00000010 0:42:17 the KeServiceDescriptorTable:80505428
00000012 0:42:17 the KeServiceDescriptorTableShadow:bf947bf5
00000013 0:42:17 the NumberOfKeServiceDescriptorTableShadow:29b

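As an added example (not the poster's code), here is a small Python parser for the WinDbg output quoted above and for the addresses printed in this post. It decodes the `dd` rows into SYSTEM_SERVICE_TABLE entries using the conventional x86 field names (ServiceTableBase, CounterTableBase, NumberOfServices, ParamTableBase), reports which sub-table is readable from the debugger's current process context, and applies two plausibility checks to addresses that a driver prints with DbgPrint: dword alignment and, as an assumption taken only from what the dump above shows on this XP build, that KeServiceDescriptorTable sits 0x40 bytes after the shadow table. Labelling entry 0 as ntoskrnl and entry 1 as win32k follows the standard layout; the sample dump is copied from the post above, trimmed.

```python
import re

# One 'dd' row: address followed by up to four dwords, each a hex value or '????????'
# (WinDbg prints '?' when the page is not mapped in the current process context).
DD_ROW = re.compile(r"^([0-9a-f]{8})((?:\s+(?:[0-9a-f]{8}|\?{8})){1,4})$", re.I)

# Field names of one 16-byte SYSTEM_SERVICE_TABLE entry on x86 (conventional names).
FIELDS = ("ServiceTableBase", "CounterTableBase", "NumberOfServices", "ParamTableBase")
ENTRY_NAMES = ("ntoskrnl", "win32k")     # entries 0 and 1 of the shadow table


def parse_dd(text):
    """Turn WinDbg 'dd' output into {address: dword}; unreadable cells map to None."""
    mem = {}
    for line in text.splitlines():
        m = DD_ROW.match(line.strip())
        if not m:                       # 'kd> dd ...' prompt lines and the like
            continue
        base = int(m.group(1), 16)
        for i, cell in enumerate(m.group(2).split()):
            mem[base + 4 * i] = None if cell.startswith("?") else int(cell, 16)
    return mem


def read_descriptor_table(mem, addr, entries=4):
    """Decode the four SYSTEM_SERVICE_TABLE entries of KeServiceDescriptorTable(Shadow) at addr."""
    table = []
    for e in range(entries):
        cells = [mem.get(addr + 16 * e + 4 * i) for i in range(4)]
        if any(c is None for c in cells):
            raise ValueError("descriptor table at %08x is not readable in this dump" % addr)
        table.append(dict(zip(FIELDS, cells)))
    return table


def visibility(mem, base):
    """'readable', 'unreadable' ('????????' in the dump) or 'not dumped' for the dword at base."""
    if base not in mem:
        return "not dumped"
    return "readable" if mem[base] is not None else "unreadable"


def analyse_shadow(mem, shadow_addr):
    """Summarise each populated sub-table of the shadow table and whether its pages are visible."""
    report = []
    for idx, entry in enumerate(read_descriptor_table(mem, shadow_addr)):
        if entry["NumberOfServices"] == 0:
            continue                    # entries 2 and 3 are unused in this dump
        report.append({
            "index": idx,
            "name": ENTRY_NAMES[idx] if idx < len(ENTRY_NAMES) else "unknown",
            "base": entry["ServiceTableBase"],
            "count": entry["NumberOfServices"],
            "visibility": visibility(mem, entry["ServiceTableBase"]),
        })
    return report


def sanity_check(shadow_addr, kst_addr):
    """Plausibility checks for addresses a driver printed with DbgPrint.
    The 0x40 distance is what the dump above shows for this XP x86 build; it is an
    assumption here, not a rule for other builds (resolve the symbol instead)."""
    problems = []
    if shadow_addr % 4:
        problems.append("shadow address %08x is not dword aligned" % shadow_addr)
    if kst_addr - shadow_addr != 0x40:
        problems.append("KeServiceDescriptorTable is not 0x40 bytes after the shadow table")
    return problems


# Sample copied from the WinDbg session quoted in the post above (the rows of the
# second dump are all '????????', so only two are kept).
DUMP = """kd> dd 80553140
80553140 80502030 00000000 0000011c 805024a4
80553150 bf997600 00000000 0000029b bf998310
80553160 00000000 00000000 00000000 00000000
80553170 00000000 00000000 00000000 00000000
80553180 80502030 00000000 0000011c 805024a4
80553190 00000000 00000000 00000000 00000000
805531a0 00000000 00000000 00000000 00000000
805531b0 00000000 00000000 00000000 00000000
kd> dd bf997600
bf997600 ???????? ???????? ???????? ????????
bf997610 ???????? ???????? ???????? ????????
"""

if __name__ == "__main__":
    mem = parse_dd(DUMP)
    for entry in analyse_shadow(mem, 0x80553140):
        print("%(index)d %(name)-8s base=%(base)08x count=%(count)#x %(visibility)s" % entry)
    # The addresses this post's driver printed fail both checks.
    print(sanity_check(0xbf947bf5, 0x80505428))
```

For the dump above the script reports entry 1 (win32k, 0x29b services at bf997600) as unreadable, which is exactly WinDbg's way of saying that the page is not mapped in the debugger's current process context, while entry 0 (ntoskrnl, 0x11c services at 80502030) matches the table at 80553180 dword for dword. The two addresses printed in this post fail both plausibility checks (bf947bf5 is not even dword aligned), so whatever the driver printed there is not the descriptor table itself.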
[Help] Viewing KeServiceDescriptorTableShadow in WinDbg: the data inside is invalid
I have run into this problem too. Do I need a ring-3 (user-mode) program to load it?

[Help] How to filter after hooking ZwDeviceIoControlFile?
Bumping my own thread, waiting for an expert to answer!

[Help] How to filter after hooking ZwDeviceIoControlFile?
This is how I obtain pDrv_tcpip:

/* deviceTCPUnicodeString holds the TCP device name; pFile_tcp, pDev_tcp and
   pDrv_tcpip are declared elsewhere in the driver. */
ntStatus = IoGetDeviceObjectPointer(&deviceTCPUnicodeString, FILE_READ_DATA,
                                    &pFile_tcp, &pDev_tcp);
if (!NT_SUCCESS(ntStatus)) {
    DbgPrint("查找失败!\n");   /* lookup failed */
    return ntStatus;
}
/* IoGetDeviceObjectPointer took a reference on pFile_tcp; keep it for as long as
   pDev_tcp is used, then release it with ObDereferenceObject(pFile_tcp). */
pDrv_tcpip = pDev_tcp->DriverObject;

[Help] How to filter after hooking ZwDeviceIoControlFile?
NTSTATUS NewZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength)
{
    NTSTATUS rc;
    PFILE_OBJECT pFile;
    PDEVICE_OBJECT pDev;
    PDRIVER_OBJECT pDrv;

    /* Looks up pDrv_tcpip (see the previous post); it really only needs to run
       once at load time rather than on every call. */
    rc = InstallTCPDriverHook();
    if (NT_SUCCESS(rc)) {
        /* Resolve the caller's handle to its FILE_OBJECT. Check it against the
           caller's previous mode rather than KernelMode, so that a user-mode
           caller cannot slip a kernel handle through. */
        rc = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType,
                                       ExGetPreviousMode(), (PVOID *)&pFile, NULL);
        if (NT_SUCCESS(rc)) {
            pDev = pFile->DeviceObject;
            pDrv = pDev->DriverObject;
            DbgPrint("转换句柄Rc:%08x,句柄:%08x,DEVICE:%08x!\n", pDrv, pDrv_tcpip, pDev);
            if (pDrv_tcpip == pDrv) {
                /* The handle belongs to tcpip.sys: this is the request to filter. */
                DbgPrint("找到句柄!\n");
            }
            /* ObReferenceObjectByHandle added a reference; drop it. */
            ObDereferenceObject(pFile);
        }
    }

    /* Pass the request on to the original system service. */
    rc = ((ZWDEVICEIOCONTROLFILE)OldZwDeviceIoControlFile)(
        FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode,
        InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength);
    return rc;
}

Is this written correctly?

[Help] How to filter after hooking ZwDeviceIoControlFile?
Thanks, 小聪, for the pointers!

[Help] How to filter after hooking ZwDeviceIoControlFile?
Bumping my own thread, waiting for someone to give me some pointers.

[Original] Bypassing all registry checks to hide a driver's registry entries
Hats off to MJ!!!!!!!!!!

[Help] Learning drivers: a problem where variables cannot be declared
How could I possibly forget the function declaration! Local variables can be declared inside a function too, and what I want to use are local variables, not globals. Right now I have to declare every variable I use as a global to get it to compile, and likewise it crashes the virtual machine as soon as it runs. It must be a problem with my environment setup.

[Help] Computer infected with a virus; it reboots as soon as IceSword (冰刃) is opened
I don't know driver development, so I am looking things up as I go; I used IDA to statically look at its initialization routine. That's it for today.

INIT:000163A0    public start
INIT:000163A0    start proc near
INIT:000163A0    var_14 = dword ptr -14h
INIT:000163A0    DestinationString= UNICODE_STRING ptr -0Ch
INIT:000163A0    var_4 = dword ptr -4
INIT:000163A0    arg_0 = dword ptr 8
INIT:000163A0    arg_4 = dword ptr 0Ch
INIT:000163A0    push    ebp
INIT:000163A1    mov     ebp, esp
INIT:000163A3    sub     esp, 14h
INIT:000163A6    and     [ebp+var_4], 0
INIT:000163AA    push    ebx
INIT:000163AB    push    esi
INIT:000163AC    push    edi
INIT:000163AD    push    ecx             ; push/pop frame whose body only writes saved registers and EFLAGS:
INIT:000163AE    push    edx             ; junk code with no effect (the same pattern repeats below)
INIT:000163AF    push    edi
INIT:000163B0    test    cx, cx
INIT:000163B3    xor     dl, 57h
INIT:000163B6    inc     edi
INIT:000163B7    or      ch, 6Fh
INIT:000163BA    pop     edi
INIT:000163BB    pop     edx
INIT:000163BC    pop     ecx
INIT:000163BD    push    cx
INIT:000163BF    push    eax
INIT:000163C0    add     ah, 3Fh
INIT:000163C3    cmp     eax, edi
INIT:000163C5    cmp     cl, 0Fh
INIT:000163C8    and     ah, cl
INIT:000163CA    and     ah, al
INIT:000163CC    dec     ax
INIT:000163CE    inc     ah
INIT:000163D0    pop     eax
INIT:000163D1    pop     cx
INIT:000163D3    push    [ebp+arg_4]
INIT:000163D6    call    Funtion3
INIT:000163DB    mov     esi, eax
INIT:000163DD    push    ecx
INIT:000163DE    push    edx
INIT:000163DF    test    ch, 75h
INIT:000163E2    inc     cl
INIT:000163E4    test    ecx, 7D92h
INIT:000163EA    add     ch, 63h
INIT:000163ED    or      ecx, 136Eh
INIT:000163F3    and     cl, bl
INIT:000163F5    test    cx, 36A3h
INIT:000163FA    inc     ecx
INIT:000163FB    test    cx, cx
INIT:000163FE    pop     edx
INIT:000163FF    pop     ecx
INIT:00016400    test    esi, esi
INIT:00016402    jge     short loc_16424
INIT:00016404    push    eax
INIT:00016405    push    ecx
INIT:00016406    push    edi
INIT:00016407    test    edi, 4C6Ah
INIT:0001640D    dec     ax
INIT:0001640F    cmp     ax, cx
INIT:00016412    cmp     ecx, edx
INIT:00016414    or      ecx, 2266h
INIT:0001641A    pop     edi
INIT:0001641B    pop     ecx
INIT:0001641C    pop     eax
INIT:0001641D    mov     eax, esi
INIT:0001641F    jmp     loc_1650D
INIT:00016424 ; ---------------------------------------------------------------------------
INIT:00016424 loc_16424:                  ; CODE XREF: start+62j
INIT:00016424    push    eax
INIT:00016425    push    edx
INIT:00016426    push    di
INIT:00016428    sub     eax, 0DCCh
INIT:0001642D    pop     di
INIT:0001642F    pop     edx
INIT:00016430    pop     eax
INIT:00016431    lea     eax, [ebp+DestinationString]
INIT:00016434    push    offset DeviceName ; \\Device\\UtilityClub
INIT:00016439    push    eax             ; DestinationString
INIT:0001643A    call    ds:RtlInitUnicodeString
INIT:00016440    pusha
INIT:00016441    inc     al
INIT:00016443    and     dl, bl
INIT:00016445    or      dx, ax
INIT:00016448    and     dx, 463Eh
INIT:0001644D    test    dl, 63h
INIT:00016450    xor     ax, cx
INIT:00016453    inc     dl
INIT:00016455    popa
INIT:00016456    lea     eax, [ebp+var_4]
INIT:00016459    xor     esi, esi
INIT:0001645B    push    eax             ; &DeviceObject (var_4)
INIT:0001645C    push    esi             ; Exclusive = FALSE
INIT:0001645D    push    esi             ; DeviceCharacteristics = 0
INIT:0001645E    lea     eax, [ebp+DestinationString]
INIT:00016461    push    8000h           ; DeviceType
INIT:00016466    push    eax             ; DeviceName
INIT:00016467    push    esi             ; DeviceExtensionSize = 0
INIT:00016468    push    [ebp+arg_0]     ; DriverObject
INIT:0001646B    call    IoCreateDevice  ; IocreatDrivice
INIT:00016471    cmp     eax, esi
INIT:00016473    jl      loc_1650D
INIT:00016479    lea     eax, [ebp+var_14]
INIT:0001647C    push    offset LinkName ; link name \\DosDevices\\UtilityClub
INIT:00016481    push    eax             ; DestinationString
INIT:00016482    call    ds:RtlInitUnicodeString
INIT:00016488    push    ax
INIT:0001648A    push    bx
INIT:0001648C    push    edi
INIT:0001648D    inc     bl
INIT:0001648F    test    ah, 57h
INIT:00016492    pop     edi
INIT:00016493    pop     bx
INIT:00016495    pop     ax
INIT:00016497    lea     eax, [ebp+DestinationString]
INIT:0001649A    push    eax
INIT:0001649B    lea     eax, [ebp+var_14]
INIT:0001649E    push    eax
INIT:0001649F    call    IoCreateSymbolicLink
INIT:000164A5    cmp     eax, esi
INIT:000164A7    mov     [ebp+arg_4], eax
INIT:000164AA    jge     short loc_164B7
INIT:000164AC    push    [ebp+var_4]
INIT:000164AF    call    dword_162D0
INIT:000164B5    jmp     short loc_1650A
INIT:000164B7 ; ---------------------------------------------------------------------------
INIT:000164B7 loc_164B7:                  ; CODE XREF: start+10Aj
INIT:000164B7    mov     eax, [ebp+arg_0]
INIT:000164BA    mov     dword ptr [eax+38h], offset UnloadDevice ; offset 38h of DRIVER_OBJECT on x86 is MajorFunction[0] (IRP_MJ_CREATE), not DriverUnload (34h)
INIT:000164C1    push    edx
INIT:000164C2    inc     dl
INIT:000164C4    or      dh, dl
INIT:000164C6    and     edx, ebx
INIT:000164C8    test    dh, ah
INIT:000164CA    and     dh, 5Eh
INIT:000164CD    pop     edx
INIT:000164CE    call    loc_13E24
INIT:000164D3    test    eax, eax
INIT:000164D5    jl      short loc_164DE
INIT:000164D7    call    loc_12FD8
INIT:000164DC    jmp     short loc_164FD
INIT:000164DE ; ---------------------------------------------------------------------------
INIT:000164DE loc_164DE:                  ; CODE XREF: start+135j
INIT:000164DE    pusha
INIT:000164DF    xor     ah, 71h
INIT:000164E2    sub     eax, 494Ch
INIT:000164E7    test    ax, 393Eh
INIT:000164EB    sub     ebx, 40C2h
INIT:000164F1    test    ch, 6Dh
INIT:000164F4    popa
INIT:000164F5    push    [ebp+arg_0]
INIT:000164F8    call    sub_12F66
INIT:000164FD loc_164FD:                  ; CODE XREF: start+13Cj
INIT:000164FD    push    ebx
INIT:000164FE    push    edx
INIT:000164FF    mov     bh, 64h
INIT:00016501    pop     edx
INIT:00016502    pop     ebx
INIT:00016503    mov     eax, [ebp+var_4]
INIT:00016506    and     byte ptr [eax+1Ch], 7Fh ; DEVICE_OBJECT.Flags &= ~DO_DEVICE_INITIALIZING
INIT:0001650A loc_1650A:                  ; CODE XREF: start+115j
INIT:0001650A    mov     eax, [ebp+arg_4]
INIT:0001650D loc_1650D:                  ; CODE XREF: start+7Fj
INIT:0001650D                             ; start+D3j
INIT:0001650D    pop     edi
INIT:0001650E    pop     esi
INIT:0001650F    pop     ebx
INIT:00016510    leave
INIT:00016511    retn    8
INIT:00016511    start endp

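As an added example (not the poster's code), the routine above is padded with push/pop and pusha/popa frames whose bodies only write registers that the frame restores, plus EFLAGS, which is a common junk-code obfuscation. The Python script below, written here to go with the listing, parses IDA text in the collapsed "INIT:addr mnemonic operands" form seen on this page and drops those frames so that the real DriverEntry logic (the call through Funtion3, device creation, the symbolic link, the dispatch setup) stands out. The x86 register model and the set of ALU mnemonics it recognises are the script's own assumptions; the sample is an excerpt copied from the listing.

```python
# x86-32 sub-register -> full register, so a write to 'dl' counts as a write to 'edx'.
FULL = {r: r for r in ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")}
FULL.update({s: "e" + s[0] + "x" for s in "al ah bl bh cl ch dl dh".split()})
FULL.update({s: "e" + s for s in "ax bx cx dx si di bp sp".split()})
ALL_REGS = [r for r in FULL if FULL[r] == r and r != "esp"]   # what pusha/popa preserves
# Instructions that write only their first operand and EFLAGS (test/cmp write EFLAGS alone).
ALU = {"add", "sub", "and", "or", "xor", "inc", "dec", "mov"}

def parse_listing(text):
    """Turn 'INIT:addr mnemonic ops ; comment' lines into (addr, mnemonic, [ops]) tuples."""
    instrs = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split(None, 2)       # drop the IDA comment first
        if len(parts) < 2 or not parts[0].startswith("INIT:"):
            continue
        mnem, rest = parts[1], parts[2] if len(parts) > 2 else ""
        # Skip labels ('loc_16424:'), definitions ('var_14 = ...') and directives (public/proc/endp).
        if (mnem.endswith(":") or "=" in mnem or mnem == "public"
                or rest.split()[:1] in (["proc"], ["endp"], ["="])):
            continue
        ops = [o.strip() for o in rest.split(",")] if rest else []
        instrs.append((parts[0][5:], mnem, ops))
    return instrs

def covers(saved, reg):
    """True if a push of `saved` preserves `reg` (eax covers ax/al/ah, ax covers al/ah)."""
    if saved == reg or (FULL[saved] == saved and FULL[reg] == saved):
        return True
    return saved[1:] == "x" and reg[0] == saved[0] and reg[1:] in ("l", "h")

def harmless(instr, saved):
    """True if the instruction writes nothing but EFLAGS and registers the frame restores."""
    mnem, ops = instr[1], instr[2]
    if mnem in ("test", "cmp"):
        return True
    return mnem in ALU and bool(ops) and ops[0] in FULL and any(covers(s, ops[0]) for s in saved)

def frame_end(instrs, start, saved, closers):
    """Index just past a harmless body followed by exactly `closers`, or None if not a frame."""
    k = start
    while k < len(instrs) and instrs[k][1:] != closers[0]:
        if not harmless(instrs[k], saved):
            return None
        k += 1
    for closer in closers:
        if k >= len(instrs) or instrs[k][1:] != closer:
            return None
        k += 1
    return k

def find_junk(instrs):
    """Indices of push..pop / pusha..popa frames whose body has no lasting effect."""
    junk, i, n = set(), 0, len(instrs)
    while i < n:
        _, mnem, ops = instrs[i]
        end = None
        if mnem == "pusha":
            end = frame_end(instrs, i + 1, ALL_REGS, [("popa", [])])
        elif mnem == "push" and ops and ops[0] in FULL:
            saved, j = [], i            # a run of register pushes must be undone in reverse order
            while j < n and instrs[j][1] == "push" and instrs[j][2] and instrs[j][2][0] in FULL:
                saved.append(instrs[j][2][0])
                j += 1
            end = frame_end(instrs, j, saved, [("pop", [r]) for r in reversed(saved)])
        if end is None:
            i += 1                      # a real push (prologue save, call argument): keep it
        else:
            junk.update(range(i, end))
            i = end
    return junk

def strip_junk(text):
    instrs = parse_listing(text)
    junk = find_junk(instrs)
    return [ins for k, ins in enumerate(instrs) if k not in junk]

# Constructed sample: three excerpts copied from the listing above (163AA-163BC, 163D3-163DB, 16440-16456).
SAMPLE = """INIT:000163AA push ebx
INIT:000163AB push esi
INIT:000163AC push edi
INIT:000163AD push ecx
INIT:000163AE push edx
INIT:000163AF push edi
INIT:000163B0 test cx, cx
INIT:000163B3 xor dl, 57h
INIT:000163B6 inc edi
INIT:000163B7 or ch, 6Fh
INIT:000163BA pop edi
INIT:000163BB pop edx
INIT:000163BC pop ecx
INIT:000163D3 push [ebp+arg_4]
INIT:000163D6 call Funtion3
INIT:000163DB mov esi, eax
INIT:00016440 pusha
INIT:00016441 inc al
INIT:00016443 and dl, bl
INIT:00016455 popa
INIT:00016456 lea eax, [ebp+var_4]"""

if __name__ == "__main__":
    for addr, mnem, ops in strip_junk(SAMPLE):
        print(addr, mnem, ", ".join(ops))
```

Anything a frame body does beyond writing saved registers and EFLAGS (a memory write, a call, a register the frame does not restore) makes the script keep the frame, so the callee-saved push ebx / push esi / push edi of the prologue, which is only balanced at retn, survives; for the sample the output is those three pushes, the call through Funtion3 with its argument, mov esi, eax and the lea that starts the IoCreateDevice setup.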
[Help] Computer infected with a virus; it reboots as soon as IceSword (冰刃) is opened
I finally got hold of the sample; let's study it together! I have uploaded it!