[Help] PTE hook cannot hit a breakpoint, driver fails to start
Posted: 2 hours ago
Here is a PTE hook; the VM environment is 1809. After being loaded in the VM it fails to start, with nointegritychecks Yes and testsigning Yes. Could an expert help clarify? The project code is in the attachment.

>bcdedit /enum
Windows 启动管理器
--------------------
标识符 {bootmgr}
device partition=\Device\HarddiskVolume1
path \EFI\Microsoft\Boot\bootmgfw.efi
description Windows Boot Manager
locale zh-CN
inherit {globalsettings}
default {current}
resumeobject {200a1b49-6828-11f0-b541-957713b6f9bd}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
Windows 启动加载器
-------------------
标识符 {current}
device partition=C:
path \Windows\system32\winload.efi
description Windows 10
locale zh-CN
inherit {bootloadersettings}
recoverysequence {200a1b4b-6828-11f0-b541-957713b6f9bd}
displaymessageoverride Recovery
recoveryenabled Yes
nointegritychecks Yes
testsigning Yes
isolatedcontext Yes
allowedinmemorysettings 0x15000075
osdevice partition=C:
systemroot \Windows
resumeobject {200a1b49-6828-11f0-b541-957713b6f9bd}
nx OptIn
bootmenupolicy Standard
debug Yes
dumpbin -headers C:\Users\Administrator\Desktop\hack\MyDriver1\x64\Debug\MyDriver1\MyDriver1.sys
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (x64)
6 number of sections
69840EE4 time date stamp Thu Feb 5 11:30:44 2026
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
Application can handle large (>2GB) addresses
OPTIONAL HEADER VALUES
20B magic # (PE32+)
14.43 linker version
1400 size of code
1600 size of initialized data
0 size of uninitialized data
1190 entry point (0000000140001190) DriverEntry
1000 base of code
140000000 image base (0000000140000000 to 0000000140007FFF)
1000 section alignment
200 file alignment
10.00 operating system version
10.00 image version
10.00 subsystem version
0 Win32 version
8000 size of image
400 size of headers
5379 checksum
1 subsystem (Native)
4160 DLL characteristics
High Entropy Virtual Addresses
Dynamic base
NX compatible
Control Flow Guard
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
6000 [ 28] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
5000 [ B4] RVA [size] of Exception Directory
2400 [ 730] RVA [size] of Certificates Directory
7000 [ 24] RVA [size] of Base Relocation Directory
3348 [ 38] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
3200 [ 148] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
3000 [ 60] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
108C virtual size
1000 virtual address (0000000140001000 to 000000014000208B)
1200 size of raw data
400 file pointer to raw data (00000400 to 000015FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
68000020 flags
Code
Not Paged
Execute Read
SECTION HEADER #2
.rdata name
5D4 virtual size
3000 virtual address (0000000140003000 to 00000001400035D3)
600 size of raw data
1600 file pointer to raw data (00001600 to 00001BFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
48000040 flags
Initialized Data
Not Paged
Read Only
Debug Directories
Time Type Size RVA Pointer
-------- ------- -------- -------- --------
69840EE4 cv 5E 00003380 1980 Format: RSDS, {EF5DA7DE-7E3B-4D69-AAC9-EED007163FC1}, 1, C:\Users\Administrator\Desktop\hack\MyDriver1\x64\Debug\MyDriver1.pdb
69840EE4 coffgrp 128 000033E0 19E0
SECTION HEADER #3
.data name
B30 virtual size
4000 virtual address (0000000140004000 to 0000000140004B2F)
200 size of raw data
1C00 file pointer to raw data (00001C00 to 00001DFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C8000040 flags
Initialized Data
Not Paged
Read Write
SECTION HEADER #4
.pdata name
B4 virtual size
5000 virtual address (0000000140005000 to 00000001400050B3)
200 size of raw data
1E00 file pointer to raw data (00001E00 to 00001FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
48000040 flags
Initialized Data
Not Paged
Read Only
SECTION HEADER #5
INIT name
192 virtual size
6000 virtual address (0000000140006000 to 0000000140006191)
200 size of raw data
2000 file pointer to raw data (00002000 to 000021FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
62000020 flags
Code
Discardable
Execute Read
SECTION HEADER #6
.reloc name
24 virtual size
7000 virtual address (0000000140007000 to 0000000140007023)
200 size of raw data
2200 file pointer to raw data (00002200 to 000023FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
Summary
1000 .data
1000 .pdata
1000 .rdata
1000 .reloc
2000 .text
1000 INIT
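As an added example (not the poster's driver or attachment): a stdlib-only Python script that reads the same header fields the dumpbin listing above shows and answers the questions a reviewer asks of a .sys before loading it on a machine with testsigning and nointegritychecks on: x64 machine, Native subsystem, whether a Certificates Directory is present at all, NX/CFG flags, whether the entry point lands inside a code section, and whether any section is mapped writable and executable. The input is a constructed header-only PE32+ image whose field values are copied from the posted listing (only the .text and .data sections, with no code behind them), not the real MyDriver1.sys; every function and field name here is the example's own.

```python
import struct

# PE constants used below (values from the PE/COFF specification).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_NATIVE = 1                  # kernel drivers use the Native subsystem
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse the DOS/COFF/PE32+ headers of a raw file image (only the fields
    needed for driver triage; 32-bit PE32 images are rejected)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (64-bit) images are handled")
    # Fixed offsets inside the PE32+ optional header.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, _, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "vsize": vsize, "flags": flags})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base,
            "subsystem": subsystem, "dll_characteristics": dll_chars,
            "directories": dirs, "sections": sections}


def triage_driver(data: bytes) -> dict:
    """Answer the questions a reviewer asks of a .sys before trusting it on a
    test-signing machine: right architecture and subsystem, does it carry a
    certificate table at all, are NX/CFG on, does any section map W+X."""
    pe = parse_pe(data)
    dirs = pe["directories"]
    # For the security directory the first field is a file offset, not an RVA.
    cert_size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY][1] if len(dirs) > IMAGE_DIRECTORY_ENTRY_SECURITY else 0
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["va"] <= pe["entry_rva"] < s["va"] + s["vsize"]), None)
    wx = [s["name"] for s in pe["sections"]
          if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE]
    return {
        "x64": pe["machine"] == IMAGE_FILE_MACHINE_AMD64,
        "native_subsystem": pe["subsystem"] == IMAGE_SUBSYSTEM_NATIVE,
        # Present is not the same as trusted: the chain still has to be verified.
        "has_certificate_table": cert_size > 0,
        "nx_compatible": bool(pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "control_flow_guard": bool(pe["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "entry_point": pe["image_base"] + pe["entry_rva"],
        "entry_section": entry_section,
        "writable_executable_sections": wx,
    }


def build_sample_image() -> bytes:
    """Constructed header-only PE32+ image (not a real driver, contains no code)
    whose header values mirror the dumpbin listing in the post."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0x69840EE4, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 43, 0x1400, 0x1600, 0, 0x1190, 0x1000, 0x140000000,
                      0x1000, 0x200, 10, 0, 10, 0, 10, 0, 0, 0x8000, 0x400, 0x5379,
                      1, 0x4160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x2400, 0x730)       # certificate table as listed
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x108C, 0x1000, 0x1200, 0x400, 0, 0, 0, 0, 0x68000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0xB30, 0x4000, 0x200, 0x1C00, 0, 0, 0, 0, 0xC8000040)
    return dos + coff + opt + secs


if __name__ == "__main__":
    for key, value in triage_driver(build_sample_image()).items():
        print(f"{key:32} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:32} {value}")
```

To run it against a real file, replace `build_sample_image()` with `open(path, "rb").read()`. A certificate table being present only means the file has a signature blob; on a machine with nointegritychecks and testsigning set the loader's trust decision is relaxed, so this check is for the reviewer's own inventory of what is being loaded, not a substitute for verifying the signing chain.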