0xC00000F0. In the end, no space is allocated in zero-page memory. That is to say, in the Win8 system, zero-page memory is protected, so allocating memory at zero-page addresses fails.
Next, let's take a look at the protection for the NULL pointer, that is, zero-page memory, in the Win8 system.
2. Improvement: Windows zero-page memory protection mechanism
Win8's zero-page memory protection mechanism can be found through a search engine: in the Win8 system, the flags
the stack location of key data such as DPC scheduling and locked resources is relatively far from the overflow point, so it can be executed in the stack.
Security Return Method
The current environment is process No. 0. To switch the process address space to another process, you must first obtain the EPROCESS address of that process. Process 0 is very special: it is basically not linked into the lists of all processes, such as ActiveProcessLinks and SessionProcessLinks.
I used to see some articles saying you can use the "active process chain" to hide or detect processes. I have not been clear about how to locate the active process chain. The book "Rootkit" says that EPROCESS can be obtained through the PsGetCurrentProcess function, but the explanation in the book is vague and I have never understood it.
Today, I used windbg to view the various structures and finally figured out the questions.
After the psgetcurrentpr
The instruction corresponding to 0x3f is aas, which ASCII-adjusts AL after subtraction; in general this does not affect EAX or the flags, so this 0x3f byte can be counted as part of the shellcode, saving a lot of bytes ^_^.
First of all, the name of a process may be obtained from the following places (refer to Xiao Wei's "Forgery Process" article). First, in EPROCESS:
1. EPROCESS->ImageFileName (very commonly used; this is where IceSword gets the process name)
2. EPROCESS->SeAuditProcessCreationInfo->ImageFileName (where Task Manager gets the process name, NtQueryInf
First, use the PsGetCurrentProcess or IoGetCurrentProcess function to obtain the current process handle. This handle is a pointer to the _EPROCESS structure. The structure of _EPROCESS is as follows:
typedef struct _EPROCESS {
    KPROCESS Pcb;
    NTSTATUS ExitStatus;
    KEVENT LockEvent;
    DWORD LockCount;
    QWORD CreateTime;
    QWORD ExitTime;
    PVOID LockOwner;
    DWORD UniqueProcessId;
    Q
Process depth
==============
Every Windows process is represented by a block called the executive process (EPROCESS). In addition to many process-related attributes, it also contains and points to a series of other related data structures. For example, each process has one or more executive threads (ETHREAD) used to represent the thread structure. The executive thread will be discussed later. The EPROCESS and
Before, I heard that someone's interview question was to ask what the specific steps are when the system creates a process. The first thought is CreateProcess, but the specific steps were not very clear, so today I tidy them up. From the operating system's perspective, the steps to create a process are:
1. Apply for a process block
2. Allocate memory resources to the process
3. Initialize the process block
4. Link the process block into the ready queue
That is the knowledge in the textbook... From the specific process of Cr
One way to get the process name of the current user process in the kernel driver
In a kernel driver, you can use the PsGetCurrentProcess function to obtain the EPROCESS structure address of the process that is currently calling the driver. Many articles say that the process name is stored at offset 0x174 of the EPROCESS structure. Here another method is provided to obtain the process name. The idea is as follows: the driver's loading function DriverEntry runs in the System process, so you can us
: 0000
DirBase: 00039000 ObjectTable: e1001c78 HandleCount: 396.
Image: System
VadRoot 86fae870 Vads 4 Clone 0 Private 3. Modified 124205. Locked 0.
DeviceMap e1005470
8. Run the dt command (dt nt!_EPROCESS) to observe the _EPROCESS structure of the process.
9. Add the address recorded in step 1 after the dt nt!_EPROCESS command to display the values of the
pdriverobj, PUNICODE_STRING pregstr) {
    pdriverobj->DriverUnload = MyUnload;
    DbgPrint("driverentry...\n");
    // 1. Brute-force enumerate PIDs to enumerate processes
    for (ULONG i = 0; i
Method 3 and Method 1 follow the same principle: enumerate the EPROCESS structures through the ActiveProcessLinks linked list. The code is as follows:
// Enumerate processes by EPROCESS
NTSTATUS se
We know that DebugPort is located in the EPROCESS structure.
No, I don't know. Go to the kindergarten and ask the kids.
My offset here is 0x0BC; on a different system the offset value is different.
You can view it with WinDbg: open local kernel debugging and enter the command: dt _EPROCESS
I won't go into much detail here; search the Internet for details.
In addition, DNF.exe will invoke NtOpenProcess for anti-debugging detection.
So we don't waste, local mate
        ) || (pm_current->driver_path.length == 0)) {
        return (DWORD)pm_current;
    }
    pm_current = (module_entry *)pm_current->le_mod.flink;
}
return 0;
}
[LIST_ENTRY PsActiveProcessHead]
In theory, PsActiveProcessHead can also be retrieved using the code search method, but there is a simpler method.
The PsInitialSystemProcess exported by ntoskrnl.exe is a PEPROCESS pointing to an EPROCESS structure; the member EPROCESS.ActiveProce
A process may open many kernel objects within its lifecycle. These objects need to be well managed to ensure efficiency. The NT kernel uses a table to hold these open objects. The table pointer is stored in EPROCESS->ObjectTable. (gussing.cnblogs.com)
When accessing ObjectTable, we need to determine two pieces of information: the table address and the table level. The object table is not always a huge, flat linear list, because sometimes the number of kernel
use. The main part of the assembly code to be inserted is:
mov eax, 0x7c86114d
push 1
nop
push 0xabcd
call eax
jmp end
nop
nop
0x7c86114d is the address of the WinExec function in the system; the address varies with the system.
At first there was no response when running it. The address was changed to the address of the WinExec function in the current system, but this also brought a problem: it is not universal; if you want to manually change the value to another sy
a working set in Windows 2000/XP, based on the internal organization of the process working set.
EPROCESS is the structure describing a process, so starting from EPROCESS you can certainly find the representation of the process working set. In fact, the sub-structure MMSUPPORT in EPROCESS holds some key content about the process and the memory subsystem