首页
社区
课程
招聘
[原创]现学现用之windbg的高级玩法外篇二:干掉QQProtect.sys
发表于: 2013-10-2 00:17 58919

[原创]现学现用之windbg的高级玩法外篇二:干掉QQProtect.sys

2013-10-2 00:17
58919
0: kd> [COLOR=Red]!process 0 0 system[/COLOR]
PROCESS [COLOR=Red][B]867b5830  [/B][/COLOR]SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 06ca0020  ObjectTable: e1002e40  HandleCount: 401.
    Image: System
0: kd>[COLOR=Red] lm m qq*[/COLOR]
start    end        module name
[COLOR=Red]eee0c000 eee36680[/COLOR]   QQProtect   (deferred)    
0: kd>[COLOR=Red] r @$t0=@@(#FIELD_OFFSET(nt!_EPROCESS, ThreadListHead))[/COLOR]
0: kd> [COLOR=Red]r @$t1= @@(#FIELD_OFFSET(nt!_ETHREAD, ThreadListEntry))[/COLOR]
0: kd> [COLOR=Red]r @$t2=@@(#FIELD_OFFSET(nt!_ETHREAD, StartAddress))[/COLOR]
0: kd>[COLOR=Red] !list "-t nt!_LIST_ENTRY.FLink -e -x \"r @$t3=@$extret-@$t1; r @$t4= @$t3+@$t2; r @$t5=poi(@$t4);.if(@@((unsigned long)@$t5>(unsigned long)[B]0xeee0c000 [/B]&& (unsigned long)@$t5<(unsigned long)[B]0xeee36680[/B])){r @$t3;dt -b nt!_ETHREAD Cid. @$t3; dds @$t4 l1;}; \" [B]867b5830[/B]+@$t0"
[/COLOR]
r @$t3=@$extret-@$t1; r @$t4= @$t3+@$t2; r @$t5=poi(@$t4);.if(@@((unsigned long)@$t5>(unsigned long)0xeee0c000 && (unsigned long)@$t5<(unsigned long)0xeee36680)){r @$t3;dt -b nt!_ETHREAD Cid. @$t3; dds @$t4 l1;};  
$t3=[COLOR=Red]86699130 [/COLOR][COLOR=Blue]//ETHREAD地址[/COLOR]
   +0x1ec Cid  : 
      +0x000 UniqueProcess : 0x00000004[COLOR=Blue] //进程ID[/COLOR]
      +0x004 UniqueThread : 0x00000160[COLOR=Blue]  //线程ID[/COLOR]
86699354  eee11a0c [COLOR=Red]QQProtect+0x5a0c[/COLOR] [COLOR=Blue]//线程的起始地址[/COLOR]

r @$t3=@$extret-@$t1; r @$t4= @$t3+@$t2; r @$t5=poi(@$t4);.if(@@((unsigned long)@$t5>(unsigned long)0xeee0c000 && (unsigned long)@$t5<(unsigned long)0xeee36680)){r @$t3;dt -b nt!_ETHREAD Cid. @$t3; dds @$t4 l1;};  
$t3=[COLOR=Red]862de020[/COLOR]
   +0x1ec Cid  : 
      +0x000 UniqueProcess : 0x00000004 
      +0x004 UniqueThread : 0x00000164 
862de244  eee22626 [COLOR=Red]QQProtect+0x16626[/COLOR]
0: kd>[COLOR=Red] !dh -s eee0c000[/COLOR]

SECTION HEADER #1
   [COLOR=Blue].text[/COLOR] name
   1B516 virtual size
     480 virtual address
   1B580 size of raw data
     480 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
68000020 flags
         Code
         Not Paged
         (no align specified)
         Execute Read

SECTION HEADER #2
  [COLOR=Blue].rdata [/COLOR]name
    3A8C virtual size
   1BA00 virtual address
    3B00 size of raw data
   1BA00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
48000040 flags
         Initialized Data
         Not Paged
         (no align specified)
         Read Only


Debug Directories(1)
    Type       Size     Address  Pointer
    cv           8f       1e868    1e868    Format: RSDS, guid, 1, f:\qqprotectdrvbuild\qqbuilder_qd3.5.1_drv2.9\basic_qqprotectdrv_vob\qqprotectdrv\objfre_wxp_x86\i386\QQProtectSYS.pdb

SECTION HEADER #3
   [COLOR=Blue].data[/COLOR] name
    82AC virtual size
   1F500 virtual address
    8300 size of raw data
   1F500 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C8000040 flags
         Initialized Data
         Not Paged //不分页内存
         (no align specified)
         Read Write

SECTION HEADER #4
   [B][COLOR=Blue]INIT [/COLOR]name[/B]
     CC6 virtual size
   27800 virtual address
     D00 size of raw data
   27800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E2000020 flags
         Code
         Discardable [COLOR=Blue]//可废弃的,初始化完成后,内核可以回收这块内存。[/COLOR]
                                     [COLOR=Blue]//但是由于内核的页粒度为0x1000,INIT段的开始处一部分内存与.data段在同一块内存页中,那此段的前0x200个字节就是理想的APC数据块载体[/COLOR]了
         (no align specified)
         Execute Read Write

SECTION HEADER #5
   [COLOR=Blue].rsrc [/COLOR]name
     310 virtual size
   28500 virtual address
     380 size of raw data
   28500 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable [COLOR=Blue]//模块加载完成后,此块的内存就被回收了[/COLOR]
         (no align specified)
         Read Only

SECTION HEADER #6
 [COLOR=Blue] .reloc[/COLOR] name
    1D90 virtual size
   28880 virtual address
    1E00 size of raw data
   28880 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable [COLOR=Blue]//模块加载完成后,此块的内存就被回收了[/COLOR]
         (no align specified)
         Read Only
0: kd> [COLOR=Red]? eee0c000+27800 [/COLOR]
Evaluate expression: -287098880 = [COLOR=Red]eee33800[/COLOR]
0: kd> [COLOR=Red].for(r @$t1=0;@$t1<200;r @$t1=@$t1+4) {ed [B]eee33800[/B]+@$t1 0;}[/COLOR]
0: kd> [COLOR=Red]x nt!pspExitthread[/COLOR]
[B][COLOR=Red]805d3086 [/COLOR][/B]nt!PspExitThread = <no type information>
0: kd> [COLOR=Red]a eee33800[/COLOR]
eee33800 push 748
[COLOR=Red]push 748[/COLOR]
eee33805 call 805d3086 
[COLOR=Red]call 805d3086 [/COLOR]
eee3380a ret 0n20
[COLOR=Red]ret 0n20[/COLOR]
eee3380d 
0: kd> [COLOR=Red]uf eee33800[/COLOR]
QQProtect+0x27800:
eee33800 6848070000      push    748h
eee33805 e87cf87991      call    nt!PspExitThread (805d3086)
eee3380a c21400          ret     14h
0: kd> [COLOR=Red]r @$t0=[B]eee33900[/B]; r @$t1=[B]86699130[/B]; r@$t2=[B]eee33800[/B];?? ((nt!_KAPC*)@$t0)->Type=18;?? ((nt!_KAPC*)@$t0)->Size=sizeof(nt!_KAPC);?? ((nt!_KAPC*)@$t0)->Thread=@$t1;?? ((nt!_KAPC*)@$t0)->KernelRoutine=@$t2;?? ((nt!_KAPC*)@$t0)->Inserted=1;r @$t3=@@(&(((nt!_ETHREAD*)@$t1)->Tcb.ApcState.ApcListHead[0]));r @$t4=@@(&(((nt!_KAPC*)@$t0)->ApcListEntry));r @$t5=@@(((nt!_LIST_ENTRY*)@$t3)->Flink);?? ((nt!_LIST_ENTRY*)@$t4)->Flink=@$t5;?? ((nt!_LIST_ENTRY*)@$t4)->Blink=@$t3;?? ((nt!_LIST_ENTRY*)@$t5)->Blink=@$t4;?? ((nt!_LIST_ENTRY*)@$t3)->Flink=@$t4;?? ((nt!_ETHREAD*)@$t1)->Tcb.ApcState.KernelApcPending=1;[/COLOR]
0: kd> [COLOR=Red]dt nt!_KAPC @$t0[/COLOR]
   +0x000 Type             : [COLOR=Red]0n18 [/COLOR][COLOR=Blue]//ApcObject=18[/COLOR]
   +0x002 Size             : [COLOR=Red]0n48 [/COLOR][COLOR=Blue]//nt!_KAPC结构大小[/COLOR]
   +0x004 Spare0           : 0
   +0x008 Thread           : [COLOR=Red]0x86699130 [/COLOR]_KTHREAD [COLOR=Blue]//所属线程[/COLOR]
   +0x00c ApcListEntry     : _LIST_ENTRY [[COLOR=Red] 0x86699164 - 0x86699164 [/COLOR]] [COLOR=Blue]//用来插入线程APC队列[/COLOR]
   +0x014 KernelRoutine    : [COLOR=Red]0xeee33800     [/COLOR]void  +0 [COLOR=Blue]//APC内核回调函数指针[/COLOR]
   +0x018 RundownRoutine   : (null) 
   +0x01c NormalRoutine    : (null) 
   +0x020 NormalContext    : (null) 
   +0x024 SystemArgument1  : (null) 
   +0x028 SystemArgument2  : (null) 
   +0x02c ApcStateIndex    : 0 ''
   +0x02d ApcMode          : 0 ''
   +0x02e Inserted         : [COLOR=Red]0x1 [/COLOR]''[COLOR=Blue] //已插入[/COLOR]
0: kd>[COLOR=Red] dt -b nt!_KTHREAD ApcState. @$t1[/COLOR]
   +0x034 ApcState  : 
      +0x000 ApcListHead : 
       [00] _LIST_ENTRY [[COLOR=Red] 0xeee3390c - 0xeee3390c[/COLOR] ] [COLOR=Blue]//原始APC列表[/COLOR]
       [01]  [ 0x8669916c - 0x8669916c ]
      +0x010 Process   : 0x867b5830 
      +0x014 KernelApcInProgress : 0 ''
      +0x015 KernelApcPending : [COLOR=Red]0x1 [/COLOR]'' [COLOR=Blue]//需要处理APC标志[/COLOR]
      +0x016 UserApcPending : 0 ''
   +0x138 ApcStatePointer : 
    [00] 
    [01] 
   +0x165 ApcStateIndex : 0 ''
0: kd> [COLOR=Red]r @$t0=[B]eee33950[/B]; r @$t1=[B]862de020[/B]; r@$t2=[B]eee33800[/B];?? ((nt!_KAPC*)@$t0)->Type=18;?? ((nt!_KAPC*)@$t0)->Size=sizeof(nt!_KAPC);?? ((nt!_KAPC*)@$t0)->Thread=@$t1;?? ((nt!_KAPC*)@$t0)->KernelRoutine=@$t2;?? ((nt!_KAPC*)@$t0)->Inserted=1;r @$t3=@@(&(((nt!_ETHREAD*)@$t1)->Tcb.ApcState.ApcListHead[0]));r @$t4=@@(&(((nt!_KAPC*)@$t0)->ApcListEntry));r @$t5=@@(((nt!_LIST_ENTRY*)@$t3)->Flink);?? ((nt!_LIST_ENTRY*)@$t4)->Flink=@$t5;?? ((nt!_LIST_ENTRY*)@$t4)->Blink=@$t3;?? ((nt!_LIST_ENTRY*)@$t5)->Blink=@$t4;?? ((nt!_LIST_ENTRY*)@$t3)->Flink=@$t4;?? ((nt!_ETHREAD*)@$t1)->Tcb.ApcState.KernelApcPending=1;[/COLOR]
0: kd> [COLOR=Red]dt nt!_KAPC @$t0;dt -b nt!_KTHREAD ApcState. @$t1;[/COLOR]
   +0x000 Type             : [COLOR=Red]0n18[/COLOR]
   +0x002 Size             : [COLOR=Red]0n48[/COLOR]
   +0x004 Spare0           : 0
   +0x008 Thread           : [COLOR=Red]0x862de020 [/COLOR]_KTHREAD
   +0x00c ApcListEntry     : _LIST_ENTRY [ [COLOR=Red]0x862de054 - 0x862de054[/COLOR] ]
   +0x014 KernelRoutine    : [COLOR=Red]0xeee33800     [/COLOR]void  +0
   +0x018 RundownRoutine   : (null) 
   +0x01c NormalRoutine    : (null) 
   +0x020 NormalContext    : (null) 
   +0x024 SystemArgument1  : (null) 
   +0x028 SystemArgument2  : (null) 
   +0x02c ApcStateIndex    : 0 ''
   +0x02d ApcMode          : 0 ''
   +0x02e Inserted         : [COLOR=Red]0x1 [/COLOR]''
   +0x034 ApcState  : 
      +0x000 ApcListHead : 
       [00] _LIST_ENTRY [ [COLOR=Red]0xeee3395c - 0xeee3395c[/COLOR] ]
       [01]  [ 0x862de05c - 0x862de05c ]
      +0x010 Process   : 0x867b5830 
      +0x014 KernelApcInProgress : 0 ''
      +0x015 KernelApcPending : [COLOR=Red]0x1 [/COLOR]''
      +0x016 UserApcPending : 0 ''
   +0x138 ApcStatePointer : 
    [00] 
    [01] 
   +0x165 ApcStateIndex : 0 ''

0: kd> [COLOR=Red]dp nt!KeServiceDescriptorTableShadow l8[/COLOR]
8055d6c0 [COLOR=Red] 80505450 [/COLOR]00000000 [COLOR=Red]0000011c [/COLOR]805058c4
8055d6d0 [COLOR=Red] bf999b80 [/COLOR]00000000 [COLOR=Red]0000029b [/COLOR]bf99a890
0: kd> [COLOR=Red]dps 80505450 l11c[/COLOR]
... [COLOR=Blue]//太多了,忽略一部分[/COLOR]
805054e0  8061795a nt!NtCreateEventPair
[B][COLOR=Blue]805054e4  eee1b6f4 QQProtect+0xf6f4[/COLOR][/B]
805054e8  80579a62 nt!NtCreateIoCompletion
...
80505520  805c49b6 nt!NtCreateSymbolicLinkObject
[B][COLOR=Blue]80505524  eee16768 QQProtect+0xa768[/COLOR][/B]
80505528  80617622 nt!NtCreateTimer
...
80505544  806170d6 nt!NtCancelDeviceWakeupRequest
[B][COLOR=Blue]80505548  eee1b58a QQProtect+0xf58a[/COLOR][/B]
8050554c  80624c16 nt!NtDeleteKey
...
8050561c  80617a32 nt!NtOpenEventPair
[B][COLOR=Blue]80505620  eee1b896 QQProtect+0xf896[/COLOR][/B]
80505624  80579b3a nt!NtOpenIoCompletion
...
80505634  805f541a nt!NtOpenObjectAuditAlarm
[COLOR=Blue][B]80505638  eee208d2 QQProtect+0x148d2[/B][/COLOR]
8050563c  805ee722 nt!NtOpenProcessToken
...
80505670  805f4918 nt!NtPrivilegedServiceAuditAlarm
[B][COLOR=Blue]80505674  eee11b3e QQProtect+0x5b3e[/COLOR][/B]
80505678  8060f7ba nt!NtPulseEvent
[B][COLOR=Blue]8050567c  eee212e2 QQProtect+0x152e2[/COLOR][/B]
80505680  806170e4 nt!NtEnumerateBootEntries
...
8050571c  8057ccea nt!NtQueryVolumeInformationFile
[B][COLOR=Blue]80505720  eee21808 QQProtect+0x15808[/COLOR][/B]
80505724  80545eb4 nt!NtRaiseException
...
80505734  805a6e50 nt!NtReadRequestData
[B][COLOR=Blue]80505738  eee10b76 QQProtect+0x4b76[/COLOR][/B]
8050573c  805d3754 nt!NtRegisterThreadTerminatePort
...
805057a0  806170e4 nt!NtEnumerateBootEntries
[B][COLOR=Blue]805057a4  eee20d54 QQProtect+0x14d54[/COLOR][/B]
805057a8  80646ce0 nt!NtSetDebugFilterState
...
805057cc  806439f2 nt!NtSetInformationDebugObject
[B][COLOR=Blue]805057d0  eee1b4ce QQProtect+0xf4ce[/COLOR][/B]
805057d4  805d7928 nt!NtSetInformationJobObject
...
[COLOR=Black]80505848  805d58b0 nt!NtSuspendThread[/COLOR][B][COLOR=Blue]
8050584c  eee20e38 QQProtect+0x14e38[/COLOR][/B]
80505850  805d84bc nt!NtTerminateJobObject
[COLOR=Blue][B]80505854  eee20a0a QQProtect+0x14a0a[/B][/COLOR]
80505858  805d3b98 nt!NtTerminateThread
...
805058a0  805a6e78 nt!NtWriteRequestData
[COLOR=Blue][B]805058a4  eee10fa4 QQProtect+0x4fa4[/B][/COLOR]
805058a8  80505ad8 nt!NtYieldExecution
...
0: kd>[COLOR=Red] dps bf999b80 l29b[/COLOR]
bf999b80  ????????
bf999b84  ????????
bf999b88  ????????
bf999b8c  ????????
bf999b90  ????????
bf999b94  ????????
bf999b98  ????????
bf999b9c  ????????
bf999ba0  ????????
bf999ba4  ????????
bf999ba8  ????????
bf999bac  ????????
bf999bb0  ????????
bf999bb4  ????????
bf999bb8  ????????
0: kd>[COLOR=Red] !address bf999b80[/COLOR]
  bf800000 - 001c3000                           
          Usage       KernelSpaceUsageImage
          ImageName   win32k.sys
0: kd> [COLOR=Red]!chkimg -d nt[/COLOR]
    805054e4-805054e7  4 bytes - nt!KiServiceTable+94
    [ [COLOR=Blue]84 a0 57 80[/COLOR]:f4 b6 e1 ee ]
    80505524-80505527  4 bytes - nt!KiServiceTable+d4 (+0x40)
    [[COLOR=Blue] d4 1f 5d 80[/COLOR]:68 67 e1 ee ]
    80505548-8050554b  4 bytes - nt!KiServiceTable+f8 (+0x24)
    [ [COLOR=Blue]2c 7c 57 80[/COLOR]:8a b5 e1 ee ]
    80505620-80505623  4 bytes - nt!KiServiceTable+1d0 (+0xd8)
    [ [COLOR=Blue]82 b1 57 80[/COLOR]:96 b8 e1 ee ]
    80505638-8050563b  4 bytes - nt!KiServiceTable+1e8 (+0x18)
    [ [COLOR=Blue]fc c3 5c 80[/COLOR]:d2 08 e2 ee ]
    80505674-80505677  4 bytes - nt!KiServiceTable+224 (+0x3c)
    [[COLOR=Blue] da 93 5b 80[/COLOR]:3e 1b e1 ee ]
    8050567c-8050567f  4 bytes - nt!KiServiceTable+22c (+0x08)
    [ [COLOR=Blue]d6 7e 57 80[/COLOR]:e2 12 e2 ee ]
    80505720-80505723  4 bytes - nt!KiServiceTable+2d0 (+0xa4)
    [ [COLOR=Blue]32 22 5d 80[/COLOR]:08 18 e2 ee ]
    80505738-8050573b  4 bytes - nt!KiServiceTable+2e8 (+0x18)
    [ [COLOR=Blue]8a 52 5b 80[/COLOR]:76 0b e1 ee ]
    805057a4-805057a7  4 bytes - nt!KiServiceTable+354 (+0x6c)
    [ [COLOR=Blue]f6 26 5d 80[/COLOR]:54 0d e2 ee ]
    805057d0-805057d3  4 bytes - nt!KiServiceTable+380 (+0x2c)
    [ [COLOR=Blue]10 c0 57 80[/COLOR]:ce b4 e1 ee ]
    8050584c-8050584f  4 bytes - nt!KiServiceTable+3fc (+0x7c)
    [ [COLOR=Blue]6e 87 61 80[/COLOR]:38 0e e2 ee ]
    80505854-80505857  4 bytes - nt!KiServiceTable+404 (+0x08)
    [ [COLOR=Blue]9e 39 5d 80[/COLOR]:0a 0a e2 ee ]
    805058a4-805058a7  4 bytes - nt!KiServiceTable+454 (+0x50)
    [ [COLOR=Blue]94 53 5b 80[/COLOR]:a4 0f e1 ee ]
    805a2cba-805a2cbd  4 bytes - nt!KeUserModeCallback+8
    [ [COLOR=Blue]c2 9e f9 ff[/COLOR]:c8 45 87 6e ]
    805b3e0f-805b3e15  7 bytes - nt!MmUnmapViewOfSection+17 (+0x11155)
    [ [COLOR=Blue]cc cc cc cc cc 8b ff[/COLOR]:e9 bc bd 85 6e eb f9 ]
[B][COLOR=Blue]67[/COLOR][/B] errors : nt (805054e4-805b3e15)
805a2cba-805a2cbd  4 bytes - nt!KeUserModeCallback+8
    [ [COLOR=Blue]c2 9e f9 ff[/COLOR]:c8 45 87 6e ]
    805b3e0f-805b3e15  7 bytes - nt!MmUnmapViewOfSection+17 (+0x11155)
    [ [COLOR=Blue]cc cc cc cc cc 8b ff[/COLOR]:e9 bc bd 85 6e eb f9 ]

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 6
支持
分享
最新回复 (61)
雪    币: 7146
活跃值: (3731)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
asd
2
lz和qq结缘还是结怨了 呵呵
2013-10-2 00:29
0
雪    币: 623
活跃值: (40)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
3
mark
2013-10-2 00:32
0
雪    币: 284
活跃值: (3604)
能力值: ( LV5,RANK:75 )
在线值:
发帖
回帖
粉丝
4
前排学习,比翻windbg帮助爽多了~
2013-10-2 01:57
0
雪    币: 371
活跃值: (72)
能力值: ( LV5,RANK:60 )
在线值:
发帖
回帖
粉丝
5
很好很强大,很累很蛋碎.~
2013-10-2 08:00
0
雪    币: 124
活跃值: (469)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
6
这就是所谓的沙发??
2013-10-2 08:02
0
雪    币: 4
活跃值: (168)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
小白撸过
2013-10-2 09:38
0
雪    币: 27
活跃值: (36)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
大神!!
2013-10-2 09:54
0
雪    币: 102
活跃值: (19)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
向楼主学习,很强大。。。
2013-10-2 10:32
0
雪    币: 279
活跃值: (13)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
楼主确实强大~~
2013-10-2 11:01
0
雪    币: 515
活跃值: (3272)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
wem
11
学习,学习
2013-10-2 12:27
0
雪    币: 103
活跃值: (126)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
12
lz很强悍啊 争取搞一个系列的 持续关注中……
2013-10-2 13:19
0
雪    币: 108
活跃值: (44)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
13
好东西,学习
2013-10-2 13:46
0
雪    币: 13
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
14
楼主啊 快送我个注册码 呵呵
2013-10-3 23:20
0
雪    币: 205
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
15
楼主我不是腾讯的人,但是人家有理由保护自己的软件,所以开发一个驱动保护自身并没什么过错,这跟有些网游使用一些内核技术保护登录是一个道理~
2013-10-6 09:01
0
雪    币: 101
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
16
我也超喜欢windbg,目前win领域最强大的调试器,IDA除外,楼主的帖子可以省去我不少啃书自己实践摸索的时间,感谢
2013-10-6 09:46
0
雪    币: 101
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
17
楼主,最好科普下windbg脚本,再弄几个经典的例子
2013-10-6 09:50
0
雪    币: 199
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
18
看了眼花缭乱,要是能做成一个软件就好,选择---确认---解除---成功
2013-10-6 12:31
0
雪    币: 541
活跃值: (654)
能力值: ( LV12,RANK:250 )
在线值:
发帖
回帖
粉丝
19
你直接用xuetr好了
2013-10-6 12:38
0
雪    币: 458
活跃值: (306)
能力值: ( LV12,RANK:400 )
在线值:
发帖
回帖
粉丝
20
楼主的实力太强大 了。很多好文,学习一下。
2013-10-8 17:26
0
雪    币: 212
活跃值: (16)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
21
mark学习!
2013-10-9 12:48
0
雪    币: 6723
活跃值: (1199)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
22
mark 一下,稍后细读
2013-10-9 14:49
0
雪    币: 41
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
23
good job!
2013-10-9 17:27
0
雪    币: 142
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
24
对楼主的崇拜就如同滔滔江水,连绵不绝
2013-10-9 17:44
0
雪    币: 4
活跃值: (25)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
25
mark,下班回去看看
2013-10-10 11:27
0
游客
登录 | 注册 方可回帖
返回
//