首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[原创]动态检测回调是否被反注册
发表于: 2016-3-22 00:02 7203

[原创]动态检测回调是否被反注册

梦想奇迹 活跃值
2016-3-22 00:02
7203

结构体:

typedef struct _OBJECT_TYPE_INITIALIZER
{
	USHORT Length;
	union
	{
		UCHAR ObjectTypeFlags;
		struct
		{
			UCHAR CaseInsensitive: 1;    //  +0x002 CaseInsensitive  : Pos 0, 1 Bit
			UCHAR UnnamedObjectsOnly: 1;  //  +0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
			UCHAR UseDefaultObject: 1;    //  +0x002 UseDefaultObject : Pos 2, 1 Bit
			UCHAR SecurityRequired: 1;    //  +0x002 SecurityRequired : Pos 3, 1 Bit
			UCHAR MaintainHandleCount: 1;  //  +0x002 MaintainHandleCount : Pos 4, 1 Bit
			UCHAR MaintainTypeList: 1;    //  +0x002 MaintainTypeList : Pos 5, 1 Bit
			UCHAR SupportsObjectCallbacks: 1;    //  +0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
			UCHAR CacheAligned: 1;      //  +0x002 CacheAligned     : Pos 7, 1 Bit
		};
	};
	ULONG ObjectTypeCode;
	ULONG InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ULONG ValidAccessMask;
	POOL_TYPE PoolType;
	ULONG DefaultPagedPoolCharge;
	ULONG DefaultNonPagedPoolCharge;
	PVOID DumpProcedure;
	LONG * OpenProcedure;
	PVOID CloseProcedure;
	PVOID DeleteProcedure;
	LONG * ParseProcedure;
	LONG * SecurityProcedure;
	LONG * QueryNameProcedure;
	UCHAR * OkayToCloseProcedure;

} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE_INITIALIZER_WIN8
{
	USHORT Length;
	union
	{
		UCHAR ObjectTypeFlags;
		struct
		{
			UCHAR CaseInsensitive: 1;    //  +0x002 CaseInsensitive  : Pos 0, 1 Bit
			UCHAR UnnamedObjectsOnly: 1;  //  +0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
			UCHAR UseDefaultObject: 1;    //  +0x002 UseDefaultObject : Pos 2, 1 Bit
			UCHAR SecurityRequired: 1;    //  +0x002 SecurityRequired : Pos 3, 1 Bit
			UCHAR MaintainHandleCount: 1;  //  +0x002 MaintainHandleCount : Pos 4, 1 Bit
			UCHAR MaintainTypeList: 1;    //  +0x002 MaintainTypeList : Pos 5, 1 Bit
			UCHAR SupportsObjectCallbacks: 1;    //  +0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
			UCHAR CacheAligned: 1;      //  +0x002 CacheAligned     : Pos 7, 1 Bit
		};
	};
	ULONG ObjectTypeCode;
	ULONG InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ULONG ValidAccessMask;
	POOL_TYPE PoolType;
	ULONG DefaultPagedPoolCharge;
	ULONG DefaultNonPagedPoolCharge;
	PVOID DumpProcedure;
	LONG * OpenProcedure;
	PVOID CloseProcedure;
	PVOID DeleteProcedure;
	LONG * ParseProcedure;
	LONG * SecurityProcedure;
	LONG * QueryNameProcedure;
	UCHAR * OkayToCloseProcedure;
	ULONG WaitObjectFlagMask;
	USHORT WaitObjectFlagOffset;
	USHORT WaitObjectPointerOffset;

} OBJECT_TYPE_INITIALIZER_WIN8, *POBJECT_TYPE_INITIALIZER_WIN8;

typedef struct _FAKE_OBJECT_TYPE_WIN7
{
	LIST_ENTRY TypeList;
	UNICODE_STRING Name;
	PVOID DefaultObject;
	ULONG Index;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	OBJECT_TYPE_INITIALIZER TypeInfo;
	EX_PUSH_LOCK TypeLock;
 	ULONG Key;
 	LIST_ENTRY CallbackList;
} FAKE_OBJECT_TYPE_WIN7, *PFAKE_OBJECT_TYPE_WIN7;

typedef struct _FAKE_OBJECT_TYPE_WIN8
{
	LIST_ENTRY TypeList;
	UNICODE_STRING Name;
	PVOID DefaultObject;
	ULONG Index;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
	OBJECT_TYPE_INITIALIZER_WIN8 TypeInfo;
	EX_PUSH_LOCK TypeLock;
	ULONG Key;
	LIST_ENTRY CallbackList;
} FAKE_OBJECT_TYPE_WIN8, *PFAKE_OBJECT_TYPE_WIN8;

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 3
支持
分享
最新回复 (4)
white、、
雪    币: 60
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
这字体看着好虚~ 难道是近视了?
2016-3-22 10:00
0
拓海真一
雪    币: 56
活跃值: (25)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
骚年,你撸多了
2016-3-22 11:33
0
梦想奇迹
雪    币: 110
活跃值: (40)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
4
结构体里少了个东西,会玩的自己找吧,哈哈
2016-3-25 19:24
0
hekes
雪    币: 4904
活跃值: (2330)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
mark
2016-3-28 12:11
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//