#2
Very nice, but still incomplete; it doesn't say which header files were used...
#3
Leaving a mark.
#4
The code is well written. There are a few hard-coded values, and without reading it side by side with IDA they are really not easy to understand.
#5
I'm currently learning file system filter drivers; saving this to read later.
#6
A good article deserves a reply! Support!
#8
Good article.
Good article, good article, good article, good article.
#9
Good stuff, learned a lot. Thanks!
#10
Isn't the OP's brute-force search range over fastfat.sys a bit small? (143360 is 0x23000h) ??
Here is what IDA shows:
INIT:0002F953 mov dword ptr [esi+34h], offset byte_11914
INIT:0002F95A mov dword ptr [esi+38h], offset loc_17C8A
INIT:0002F961 mov dword ptr [esi+40h], offset loc_147C8
INIT:0002F968 mov dword ptr [esi+44h], offset loc_1060A
INIT:0002F96F mov dword ptr [esi+48h], offset loc_10AED
INIT:0002F976 mov dword ptr [esi+4Ch], offset loc_1B958
INIT:0002F97D mov dword ptr [esi+50h], offset loc_1E821
INIT:0002F984 mov dword ptr [esi+54h], offset loc_2738A
INIT:0002F98B mov dword ptr [esi+58h], offset loc_26D49
INIT:0002F992 mov dword ptr [esi+5Ch], offset loc_20BBE
INIT:0002F999 mov dword ptr [esi+60h], offset loc_21331
INIT:0002F9A0 mov dword ptr [esi+64h], offset loc_2F4F4
INIT:0002F9A7 mov dword ptr [esi+80h], offset loc_142FD
INIT:0002F9B1 mov dword ptr [esi+68h], offset loc_17B37
INIT:0002F9B8 mov dword ptr [esi+6Ch], offset loc_13948
INIT:0002F9BF mov dword ptr [esi+7Ch], offset loc_2DC4A
INIT:0002F9C6 mov dword ptr [esi+70h], offset loc_1D46B
INIT:0002F9CD mov dword ptr [esi+78h], offset loc_2E79D
INIT:0002F9D4 mov dword ptr [esi+0A4h], offset loc_2E1DB
#11
As a supplement, the structures that are used:
/* Information class passed to NtQuerySystemInformation/ZwQuerySystemInformation;
   SystemModuleInformation (11) returns the loaded kernel module list. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

/* One entry of the SystemModuleInformation result; the buffer begins with a
   ULONG entry count followed by this many entries. */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG  Reserved[2];
    PVOID  Base;              /* load address of the module image */
    ULONG  Size;              /* size of the mapped image in bytes */
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;  /* offset of the file name within ImageName */
    CHAR   ImageName[256];    /* full path, e.g. \SystemRoot\System32\Drivers\... */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
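An added example, not code from the OP or from posts 10 and 11: a bounds-checked parser for the SystemModuleInformation buffer that uses the structure quoted above to look up a module's Base and Size, plus a check of post 10's point that a scan bounded at 0x23000 bytes cannot reach the FastIoDispatch setup at INIT:0002F953. The x86 field widths are an assumption and the two module entries are constructed sample values.

```c
#include <stdint.h>
#include <string.h>
/* Windows type names as fixed widths (assumption: x86 target, 4-byte PVOID). */
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG  Reserved[2], Base, Size, Flags;              /* Base is PVOID in the original */
    USHORT Index, Unknown, LoadCount, ModuleNameOffset; /* file name starts at +ModuleNameOffset */
    char   ImageName[256];
} SYSTEM_MODULE_INFORMATION;
/* Parse a SystemModuleInformation buffer (a ULONG entry count followed by that
 * many entries) and return Base/Size of the module with the given file name.
 * Bounds-checked so a truncated buffer is rejected instead of over-read. */
int find_module(const void *buf, size_t len, const char *name,
                ULONG *base, ULONG *size) {
    const unsigned char *p = buf;
    ULONG count;
    if (len < sizeof count) return 0;
    memcpy(&count, p, sizeof count);
    p += sizeof count;
    for (ULONG i = 0; i < count; i++, p += sizeof(SYSTEM_MODULE_INFORMATION)) {
        SYSTEM_MODULE_INFORMATION m;
        if ((size_t)(p - (const unsigned char *)buf) + sizeof m > len) return 0;
        memcpy(&m, p, sizeof m);
        m.ImageName[sizeof m.ImageName - 1] = '\0';
        if ((size_t)m.ModuleNameOffset >= sizeof m.ImageName) continue;
        if (strcmp(m.ImageName + m.ModuleNameOffset, name) == 0) {
            *base = m.Base; *size = m.Size; return 1;
        }
    }
    return 0;
}
/* A linear scan of the first search_len image bytes only reaches RVAs below
 * that length: post 10's 0x23000 stops short of INIT:0002F953. */
int range_covers_rva(ULONG search_len, ULONG rva) { return rva < search_len; }
/* Constructed two-entry buffer (sample values, not a real system dump). */
size_t build_sample_buffer(unsigned char *out, size_t cap) {
    SYSTEM_MODULE_INFORMATION m[2];
    ULONG count = 2;
    if (cap < sizeof count + sizeof m) return 0;
    memset(m, 0, sizeof m);
    m[0].Base = 0x804D7000u; m[0].Size = 0x21E000u; m[0].ModuleNameOffset = 18;
    strcpy(m[0].ImageName, "\\WINDOWS\\system32\\ntoskrnl.exe");
    m[1].Base = 0xF8500000u; m[1].Size = 0x33000u; m[1].ModuleNameOffset = 29;
    strcpy(m[1].ImageName, "\\SystemRoot\\System32\\Drivers\\fastfat.sys");
    memcpy(out, &count, sizeof count);
    memcpy(out + sizeof count, m, sizeof m);
    return sizeof count + sizeof m;
}
```

On a real system the buffer would come from NtQuerySystemInformation(SystemModuleInformation, ...) instead of build_sample_buffer, and the Size field is the natural upper bound for any search over the module image.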