with the PE loading routine (LDR function family), you have to look at the Microsoft CRT source code. The CRT code sets up the CRT using heap (mainly for the new syntax) you can have a comprehensive understanding of heap applications, such as heapinit. c. heaphook. c. heapdump. c. heapwalk. c.
Next we will talk about the virtual memory organization. The basic structure of virtual memory management is VAD (virtual address descriptors ). Because the Windows NT/2000 memory subsystem actually alloc
). Suppose we allocate 0 x B18 bytes, in fact, the system will allocate 0xb20 bytes, and the eight more bytes are pool_header structure, which is used for pool management. The structure of pool_header is as follows:
+ 0x000 previussize: POS 0, 9 bits+ 0x000 poolindex: POS 9, 7 bits+ 0x002 blocksize: POS 0, 9 bits+ 0x002 pooltype: POS 9, 7 bits+ 0x000 ulong1: uint4b+ 0x004 processbilled: ptr32 _ eprocess+ 0x004 pooltag: uint4b+ 0x004 allocatorbacktrace
When zwterminateprocess hook is written, the parameters that hook zwterminateprocess are handle processhandle and ntstatus exitstatus. The structure is as follows:
Ntstatus Zwterminateprocess ( In handleProcesshandle, In ntstatusExitstatus );
When processhandle is null, it indicates that the process has ended. When the process ends other processes, processhandle points to the process object of the terminated process. To obtain the name of the terminated process, perform the following operations
);
Return int (CID. uniqueprocess );}
Extern "C"Int wmain (INT argc, wchar_t * argv []){Unicode_string imagefile;Rtlinitunicodestring ( imagefile, argv [1]);
Exec ( imagefile, argv [2]);
Return 0;}
Usage: For ppp.exe after compilation, Run "C: root directory" qqq.exe" with PPP. Set "parent path" to "assumer.exe", and" PID "of" assumer.exe "***. On the console, enter:Ppp.exe /?? /C:/qqq.exe ***Use other tools to check the parent process of qqq.exe, instead of PPP, but explorer. At the time of cr
Start of Windbg script and expansion Tool
I haven't written any articles for a long time. Recently I have been busy with script and extension tools for the project's adjustable nature. In view of the strong power of windbg and the relatively small amount of information, I decided to write a series of articles on how to develop Windbg scripts and extended commands. Your support is my greatest motivation. I hope this series of articles will help you.
So what does a complete windbg script look like
Problem: when using windbg + vmare for kernel debugging, multi-thread switching may occur, resulting in a thread being no longer the same when the number of F10, this greatly affects normal debugging.
Solution: 1. You can set a breakpoint for a process or thread: BP/P eprocess address BP/t ethread address.
2. You can use scripts. I have never used this method, but I don't understand windbg scripts.
3. The last method is also stupid, that is, to b
process space. When you need to read and write these virtual addresses, it calls the relevant kernel functions, lock the physical and logical pages corresponding to these virtual addresses to prevent physical pages from being replaced and logical pages from being modified or released.
In another case, the driver can also use MDL to execute pure kernel tasks. In particular, if only non-Paging memory is called, these pages will not be replaced in the page file, therefore, you do not need to con
(expressed in pseudo code ):
Disablereadprotection ();
Modifyssdt ();
Enablereadprotection ();
Intel's documentation states: "If cr0.wp = 1, the access type is determined by the R/W flag of the page Directory and page table items. If cr0.wp = 0, the superuser permission allows read and write access ." Therefore, to damage write protection on ssdt, We need to temporarily clear the write protect (WP) Mark.
By assigning your own MDL to describe ssdt, we can disable read protection. MDL is associat
It is very convenient to use ironruby + sharpdevelop to develop GUI programs. The ironruby hands-on series program is to use Ruby to write a series of gadgets to familiarize themselves with ironruby.Ironruby installed on my machine isIronruby 1.0 for. NET 2.0 SP1Ironruby: http://ironruby.codeplex.com/releases
Download the sample code in this article: Click to download this file. After decompression, run. dat.
My homepage: Www.w-yong.com
This article describes how to write a Process Manager, in
;. Formats 00428378Evaluate expression:hex:00428378decimal:4359032octal:00020501570binary:00000000 01000010 10000011 01111000Chars:. b.xTime:fri Feb 20 18:50:32 1970Float:low 6.1083e-039 High 0double:2.15365e-317Based on the structure of the PAE32-bit linear address we derive:Page Catalog pointer Table index = 0x0Page Directory index is 000000 010 = 0x2Page Table index is 00010 = 0x28In-page offset is 0011 01111000 = 0x378We use!process 0 0 to find the eproc
Tags: des style blog io color ar os using SP1 pop-up windows implemented via Kifastcallentry or regular SSDT hooks2 File filter driver causes pop-up windows!process 0 0//List all processes. reload!process fffffa800a04b3a0 f//List all stack backtracking for the specified process!IRP//If it is because the release of sensitive files by the pop-up window Use this command to observe the IRP!fileobj//parsing the file name inside the IRP3 Sensitive registry writes pop-up windows that cause registry cal
is smooth, because the router is usually maintained by the manufacturer. Even some manufacturers always say: "If you forget the password, please contact the dealer ." In fact, there are many Unix vulnerabilities. What's more, the vro's fragile operating system? Of course, routers generally cannot penetrate into the vro. Because, you cannot log on remotely, and generally the Administrator will not open it. However, there are many vro Denial-of-Service
network is smooth, because the router is usually maintained by the manufacturer. Even some manufacturers always say: "If you forget the password, please contact the dealer ." In fact, there are many Unix vulnerabilities. What's more, the vro's fragile operating system? Of course, routers generally cannot penetrate into the vro. Because, you cannot log on remotely, and generally the Administrator will not open it. However, there are many vro Denial-of
still your plan!12. The most worrying problem is always unexpected.13. Sales tasks keep growing and the pressure is getting bigger and bigger. More and more income, less and less sleep.14. scalping: The better the performance, the more difficult the task is to complete.15. A qingsao's point of view: "customers come here". It is annoying to rush for goods.16. During the promotion, we will find that there is only one table, but there are two tables.17. Your favorite
have the alter permission to use alter table.Alter table shop modify dealer char (15 );10. Alter routineYou must have the alter routine permission to use {alter | drop} {procedure | function}Mysql> grant alter routine on PYT. * To 'p1' @ 'localhost ';Mysql> drop procedure pro_shop;Query OK, 0 rows affected (0.00 Sec)
Mysql> revoke alter routine on PYT. * From 'p1' @ 'localhost ';[MySQL @ mydev ~] $ Mysql-H localhost-u P1-P PYTMysql> drop procedure pr
in:In addition to asynchronous processing, Microsoft messaging Queue (MSMQ) is mainly a distributed processing technology. In distributed processing, an important technical element is message processing. the message class has been provided in the messaging namespace and can be used to transmit messages. on the premise that the sender and receiver of a message should have a unified interface specification in terms of data definition.The Application of MSMQ in distributed processing has been impl
to do a step-by-Step shipment scan, to whom?
Two-dimensional code anti-channeling cargo system, "stock rebate" to the dealer driving force
First, anti-counterfeiting anti-channeling cargo control system solutions
can give each product a unique two-dimensional code "ID", users sweep a product QR code, you can enter the product home page, to guide users to become fans of public attention, access to the online shop, it is easy to the line of accurate
these graphic texts to indicate the sales area. For example, the words "special for sale in a certain area" are printed on the outer packing of the product, or "yu" is printed to Henan and "Ji" is sold to Hebei. The cost of this anti-fraud measure is low. Of course, the technical content of anti-fraud measures is also low, and the cost and risk of anti-fraud measures are low. The goods dealer can adopt a simple method. After a simple operation, it ca
7-Portal Wall Cabinet
It is not easy for programmers xdjm to buy a house. It has been laid by a developer or a second-hand house, and cannot be swallowed up by an installer, a building material dealer, a furniture dealer, or a soft contractor. We need to arm ourselves with knowledge and fight together with js to the end. Let's take a look at the fence home decoration series compiled by Leng Shan.
PDF: http:
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.