能力值:
( LV2,RANK:10 )
26 楼
膜拜赵老板
能力值:
( LV2,RANK:10 )
27 楼
小王子,我来晚了,顶个……
能力值:
( LV2,RANK:10 )
28 楼
恭祝楼主新年发财!
能力值:
( LV2,RANK:10 )
29 楼
顶,收藏了,谢谢楼主分享
能力值:
( LV2,RANK:10 )
30 楼
厉害!我什么时候可以转正就高兴了
能力值:
( LV2,RANK:10 )
31 楼
好东西zhidexuex
能力值:
( LV5,RANK:70 )
32 楼
新年快乐了,恭喜楼主
能力值:
( LV2,RANK:10 )
33 楼
想问下步骤三IDA是打开什么文件?Tessafe.sys吗?还是其他文件,谢谢!
能力值:
( LV5,RANK:70 )
34 楼
打开系统内核文件ntkrnlpa.exe,搜索文本,搜索所有就可以搜到了
能力值:
( LV2,RANK:10 )
35 楼
能不能说下,为什么.h文件里面也有函数?
是现在的流行写法吗?看来我out了。
能力值:
( LV5,RANK:70 )
36 楼
额,这是测试时随便写的代码,文章也说过代码很乱,只是想提供个思路,代码自己实现比较好..
能力值:
( LV2,RANK:10 )
37 楼
ok,非常感谢
能力值:
( LV2,RANK:10 )
38 楼
为什么木有人研究64位的呢!
能力值:
( LV2,RANK:10 )
39 楼
我还有个问题想问下,我在windbg下u IoAllocMdl 的时候,调试器总是直接busy,但是如果u kdsendpacket这类函数的时候就支持,这是为什么?是因为微软的标准符号里面没有IoAllocMdl 这个函数吗?求解释,谢谢。
能力值:
( LV2,RANK:10 )
40 楼
学习学习了!
能力值:
( LV5,RANK:70 )
41 楼
哥们~你打错了吧,IoAllocateMdl
能力值:
( LV2,RANK:10 )
42 楼
哈哈,还真是,谢谢楼主。。。
能力值:
( LV2,RANK:10 )
43 楼
楼主,还有个问题想咨询下,在你代码里ul_imp_KdSendPacket和ul_imp_KdReceivePacket是什么意思?为什么要用KdRefreshDebuggerNotPresent和IoAcquireRemoveLockEx的偏移位置去算,我虚拟机是XP的,没有KdRefreshDebuggerNotPresent怎么办?这两个等同于求_imp__KdSendPacket和_imp_KdReceivePacket的地址吗?主要为了实现什么目的,求解答。
能力值:
( LV5,RANK:70 )
44 楼
1.特征码定位关键函数,找自己相应的特征进行定位就好了.
2.u kdsendpacket发现是一个跳转表地址,而tp 做了iat hook,我的绕过方法就是修改这个跳转表到真正函数地址.
能力值:
( LV2,RANK:10 )
45 楼
楼主 你的代码是什么环境编译的 我用wdk7.1 命令行总是出错 还有 如果移植到xp下 哪里有变动呢
能力值:
( LV5,RANK:70 )
46 楼
我用的是2013+8.1,偏移啥的自己找找吧,应该不难~
能力值:
( LV2,RANK:10 )
47 楼
楼主,我还有个问题想问下,我现在碰到一个问题,就是把IoAllocateMdl函数用你的那个方法HOOK掉之后,现在每次打开游戏,最后都会有ee900ffc 8054151c 00000000 00000158 00000000 nt!MmAccessFault+0x2
ee900ffc 805415ca 00000000 00000158 00000000 nt!KiTrap0E+0xcc
这个错误,但是具体的原因找不到,具体的错误信息能帮我看下吗?
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------ BUGCHECK_STR: 0x7f_8
TSS: 00000028 -- (.tss 0x28)
eax=00000000 ebx=ee901088 ecx=00000000 edx=00000000 esi=00000000 edi=00000158
eip=8051d36a esp=ee901000 ebp=ee901014 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!MmAccessFault+0x2:
8051d36a 55 push ebp
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
TRAP_FRAME: ee901170 -- (.trap 0xffffffffee901170)
ErrCode = 00000000
eax=d0000006 ebx=ee901258 ecx=00000000 edx=00000000 esi=00000000 edi=00000158
eip=805415ca esp=ee9011e4 ebp=ee9011e4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KiTrap0E+0x17a:
805415ca 83be5801000000 cmp dword ptr [esi+158h],0 ds:0023:00000158=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8054151c to 8051d36a
STACK_TEXT:
ee900ffc 8054151c 00000000 00000158 00000000 nt!MmAccessFault+0x2
ee900ffc 805415ca 00000000 00000158 00000000 nt!KiTrap0E+0xcc
ee901088 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9010fc 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901170 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9011e4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901258 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9012cc 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901340 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9013b4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901428 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee90149c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901510 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901584 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9015f8 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee90166c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9016e0 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901754 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9017c8 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee90183c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9018b0 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901924 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901998 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901a0c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901a80 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901af4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901b68 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901bdc 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901c50 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901cc4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901d38 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901dac 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901e20 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901e94 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901f08 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901f7c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee901ff0 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902064 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9020d8 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee90214c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9021c0 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902234 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9022a8 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee90231c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902390 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902404 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902478 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9024ec 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902560 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9025d4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902648 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9026bc 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902730 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9027a4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902818 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee90288c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902900 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902974 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9029e8 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902a5c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902ad0 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902b44 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902bb8 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902c2c 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902ca0 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902d14 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902d88 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902dfc 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902e70 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902ee4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902f58 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee902fcc 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee903040 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee9030b4 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a
ee903128 805415ca badb0d00 00000000 00000001 nt!KiTrap0E+0x17a STACK_COMMAND: .tss 0x28 ; kb
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
FOLLOWUP_NAME: MachineOwner
DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a
FOLLOWUP_IP:
nt!KiTrap0E+cc
8054151c 85c0 test eax,eax
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KiTrap0E+cc
FAILURE_BUCKET_ID: TRAP_FRAME_RECURSION
BUCKET_ID: TRAP_FRAME_RECURSION
Followup: MachineOwner
能力值:
( LV2,RANK:10 )
48 楼
顶贴啊各位,都搞得怎么样子了
能力值:
( LV4,RANK:50 )
49 楼
mark一个今后看~
能力值:
( LV2,RANK:10 )
50 楼
No prior disassembly possible
001b:1099754b 68a78a2953 push 53298AA7h
老是出现异常