-
-
[旧帖]
[求助]X64 ring0 inline hook KeStackAttachProcess 蓝屏
0.00雪花
-
发表于:
2016-1-29 13:35
2140
-
[旧帖] [求助]X64 ring0 inline hook KeStackAttachProcess 蓝屏
0.00雪花
不是PG问题,Pass PG 用了老V的代码,稳定并久远
VOID My_KeStackAttachProcess(__inout PRKPROCESS PROCESS,__out PRKAPC_STATE ApcState)
{
if (PROCESS && MmIsAddressValid(PROCESS))
if (IsThisProcessEx_Form_Str((char*)PsGetProcessImageFileName((PEPROCESS)PROCESS)))
{
if (!IsThisProcessEx_Form_Str_while((char*)PsGetProcessImageFileName(PsGetCurrentProcess())))
{
Log("进程:%s附加保护进程__My_KeStackAttachProcess__:%s\n", PsGetProcessImageFileName(PsGetCurrentProcess()), (PsGetProcessImageFileName((PEPROCESS)PROCESS)));
这样返回蓝屏,直接返回蓝屏,PROCESS=(PRKPROCESS)PsGetCurrentProcess(),替换也蓝屏,不返回不蓝屏
//return Old_KeStackAttachProcess((PRKPROCESS)PsGetCurrentProcess(), ApcState);
}
}
return Old_KeStackAttachProcess(PROCESS, ApcState);
}
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
