2021-08-16

最新推荐文章于 2023-01-03 11:41:52 发布
最新推荐文章于 2023-01-03 11:41:52 发布
阅读量775 收藏
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_36947774/article/details/119732149
版权

一、回顾
上次课我们学习了 _KAPC_STATE , _KAPC 结构,分析了 TerminateThread 函数最终如何通过插入 APC 的方式来通知目标线程终止。

这次课我们来学习备用APC队列 SavedApcState ,这个结构在进程挂靠attach时会使用到。

课后作业是分析 NtReadVirtualMemory 函数,通过分析,我们可以了解什么是 attach ,以及 attach 时如何使用 SavedApcState 。

二、SavedApcState
进程 attach
kd> dt _KTHREAD
nt!_KTHREAD

+0x034 ApcState : _KAPC_STATE

+0x138 ApcStatePointer : [2] Ptr32 _KAPC_STATE

+0x14c SavedApcState : _KAPC_STATE

+0x165 ApcStateIndex : UChar
+0x166 ApcQueueable : UChar

假设A进程创建T线程。
当不发生 attach 时,A的APC队列存到 ApcState,SavedApcState 不使用;
当T线程 attach 到B进程时,把A的APC队列暂时保存到 SavedApcState ,B的存到 ApcState。

ApcStatePointer 和 ApcStateIndex
再介绍一下 ApcStatePointer 和 ApcStateIndex 。
为了操作方便,_KTHREAD结构体中定义了一个指针数组ApcStatePointer ,长度为2。

正常情况下:
ApcStatePointer[0] 指向 ApcState
ApcStatePointer[1] 指向 SavedApcState

挂靠情况下:
ApcStatePointer[0] 指向 SavedApcState
ApcStatePointer[1] 指向 ApcState

ApcStateIndex用来标识当前线程处于什么状态:0 正常状态 1 挂靠状态。

所以不论是正常状态还是attach状态, ApcStatePointer[ApcStateIndex] 都指向线程当前所使用的CR3的进程的 ApcState 。

另外,KAPC结构里也有一个同名成员 ApcStateIndex ,这里介绍的是 KTHREAD 里的,二者含义不同,注意区分。

ApcQueueable
这个值表示线程当前是否可以插入 APC ,如果线程正在退出,那么是不能插入的。

三、分析 NtReadVirtualMemory
这部分是课后练习。

分析 NtReadVirtualMemory 在attach时如何备份和恢复APC队列。

这部分函数层层调用,全部贴出来会导致博客的篇幅过长,但是不贴又不方便以后复习,所以我会在不太重要的函数后标注,大家可以有选择性地跳过外层的函数,关注底层函数。

NtReadVirtualMemory(底层调用了 MmCopyVirtualMemory)
NTSTATUS
NtReadVirtualMemory (
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN SIZE_T BufferSize,
OUT PSIZE_T NumberOfBytesRead OPTIONAL
)

/*++

Routine Description:

This function copies the specified address range from the specified
process into the specified address range of the current process.

Arguments:

 ProcessHandle - Supplies an open handle to a process object.

 BaseAddress - Supplies the base address in the specified process
               to be read.

 Buffer - Supplies the address of a buffer which receives the
          contents from the specified process address space.

 BufferSize - Supplies the requested number of bytes to read from
              the specified process.

 NumberOfBytesRead - Receives the actual number of bytes
                     transferred into the specified buffer.

Return Value:

NTSTATUS.

–*/

{
SIZE_T BytesCopied;
KPROCESSOR_MODE PreviousMode;
PEPROCESS Process;
NTSTATUS Status;
PETHREAD CurrentThread;

PAGED_CODE();

//
// Get the previous mode and probe output argument if necessary.
//

CurrentThread = PsGetCurrentThread ();
PreviousMode = KeGetPreviousModeByThread(&CurrentThread->Tcb);

// 如果是3环调用这个函数
if (PreviousMode != KernelMode) {
	// 非法访问内存,返回 STATUS_ACCESS_VIOLATION
    if (((PCHAR)BaseAddress + BufferSize < (PCHAR)BaseAddress) ||
        ((PCHAR)Buffer + BufferSize < (PCHAR)Buffer) ||
        ((PVOID)((PCHAR)BaseAddress + BufferSize) > MM_HIGHEST_USER_ADDRESS) ||
        ((PVOID)((PCHAR)Buffer + BufferSize) > MM_HIGHEST_USER_ADDRESS)) {

        return STATUS_ACCESS_VIOLATION;
    }
	// 如果 NumberOfBytesRead 不是空指针,确保其可写
    if (ARGUMENT_PRESENT(NumberOfBytesRead)) {
        try {
			// ProbeForWriteUlong_ptr 在 ex.h 定义,作用是确保地址可写
            ProbeForWriteUlong_ptr (NumberOfBytesRead);

        } except(EXCEPTION_EXECUTE_HANDLER) {
            return GetExceptionCode();
        }
    }
}

//
// If the buffer size is not zero, then attempt to read data from the
// specified process address space into the current process address
// space.

// 如果缓冲区大小不为0,从目标进程复制数据到当前进程

BytesCopied = 0;
Status = STATUS_SUCCESS;
if (BufferSize != 0) {

    //
    // Reference the target process.
    // 获取目标进程EPROCESS

    Status = ObReferenceObjectByHandle(ProcessHandle,
                                       PROCESS_VM_READ,
                                       PsProcessType,
                                       PreviousMode,
                                       (PVOID *)&Process,
                                       NULL);

    //
    // If the process was successfully referenced, then attempt to
    // read the specified memory either by direct mapping or copying
    // through nonpaged pool.
    // 如果获取目标进程成功,尝试读取数据,通过映射或复制的方式

    if (Status == STATUS_SUCCESS) {

        Status = MmCopyVirtualMemory (Process,
                                      BaseAddress,
                                      PsGetCurrentProcessByThread(CurrentThread),
                                      Buffer,
                                      BufferSize,
                                      PreviousMode,
                                      &BytesCopied);

        //
        // Dereference the target process.
        //

        ObDereferenceObject(Process); // 引用计数-1
    }
}

//
// If requested, return the number of bytes read.
// 如果 NumberOfBytesRead 非空,返回读取到的字节数

if (ARGUMENT_PRESENT(NumberOfBytesRead)) {
    try {
        *NumberOfBytesRead = BytesCopied;

    } except(EXCEPTION_EXECUTE_HANDLER) {
        NOTHING;
    }
}

return Status;

}

发现干活的是 MmCopyVirtualMemory 函数,所以接下来分析 MmCopyVirtualMemory。

MmCopyVirtualMemory (底层调用 MiDoMappedCopy 或 MiDoPoolCopy )
通过分析,发现这个函数判断要读取的内存大小,决定用 MiDoMappedCopy 还是 MiDoPoolCopy,如果大于 511 字节,使用 MiDoMappedCopy ,否则使用 MiDoPoolCopy .

NTSTATUS
MmCopyVirtualMemory(
IN PEPROCESS FromProcess,
IN CONST VOID *FromAddress,
IN PEPROCESS ToProcess,
OUT PVOID ToAddress,
IN SIZE_T BufferSize,
IN KPROCESSOR_MODE PreviousMode,
OUT PSIZE_T NumberOfBytesCopied
)
{
NTSTATUS Status;
PEPROCESS ProcessToLock;

// 断言 BufferSize != 0
if (BufferSize == 0) {
    ASSERT (FALSE);         // No one should call with a zero size.
    return STATUS_SUCCESS;
}

// 锁定要读取数据的进程
ProcessToLock = FromProcess;
if (FromProcess == PsGetCurrentProcess()) {
    ProcessToLock = ToProcess;
}

//
// Make sure the process still has an address space.
// 确保进程还活着

if (ExAcquireRundownProtection (&ProcessToLock->RundownProtect) == FALSE) {
    return STATUS_PROCESS_IS_TERMINATING;
}

//
// If the buffer size is greater than the pool move threshold,
// then attempt to write the memory via direct mapping.
//
// #define POOL_MOVE_THRESHOLD 511
// 如果要复制的字节数大于511,采用内存映射方式
if (BufferSize > POOL_MOVE_THRESHOLD) {
    Status = MiDoMappedCopy(FromProcess,
                            FromAddress,
                            ToProcess,
                            ToAddress,
                            BufferSize,
                            PreviousMode,
                            NumberOfBytesCopied);

    //
    // If the completion status is not a working quota problem,
    // then finish the service. Otherwise, attempt to write the
    // memory through nonpaged pool.
    //

    if (Status != STATUS_WORKING_SET_QUOTA) {
        goto CompleteService;
    }

    *NumberOfBytesCopied = 0;
}

//
// There was not enough working set quota to write the memory via
// direct mapping or the size of the write was below the pool move
// threshold. Attempt to write the specified memory through nonpaged
// pool.
//

Status = MiDoPoolCopy(FromProcess,
                      FromAddress,
                      ToProcess,
                      ToAddress,
                      BufferSize,
                      PreviousMode,
                      NumberOfBytesCopied);

//
// Dereference the target process.
//

CompleteService:

//
// Indicate that the vm operation is complete.
//

ExReleaseRundownProtection (&ProcessToLock->RundownProtect);

return Status;

}

真正干活的是 MiDoMappedCopy 和 MiDoPoolCopy。

为了给后面的分析作铺垫,我这里先给出 KeStackAttachProcess 函数的源码,先弄明白 attach 做了哪些工作。

KeStackAttachProcess (底层调用 KiAttachProcess )
VOID
KeStackAttachProcess (
IN PRKPROCESS Process,
OUT PRKAPC_STATE ApcState
)

/*++

Routine Description:

This function attaches a thread to a target process' address space
and returns information about a previous attached process.

Arguments:

Process - Supplies a pointer to a dispatcher object of type process.

Return Value:

None.

–*/

{

KIRQL OldIrql;
PRKTHREAD Thread;

ASSERT_PROCESS(Process);
ASSERT(KeGetCurrentIrql() <= DISPATCH_LEVEL);

//
// If the current thread is executing a DPC, then bug check.
// 如果当前线程正在执行 DPC,则蓝屏。

Thread = KeGetCurrentThread();
if (KeIsExecutingDpc() != FALSE) {
    KeBugCheckEx(INVALID_PROCESS_ATTACH_ATTEMPT,
                 (ULONG_PTR)Process,
                 (ULONG_PTR)Thread->ApcState.Process,
                 (ULONG)Thread->ApcStateIndex,
                 (ULONG)KeIsExecutingDpc());
}

//
// If the target process is not the current process, then attach the
// target process. Otherwise, return a distinguished process value to
// indicate that an attach was not performed.
// 如果尝试 attach 自己,那么设置ApcState->Process 等于1
// 否则就正常 attach

if (Thread->ApcState.Process == Process) {
    ApcState->Process = (PRKPROCESS)1;

} else {

    //
    // Raise IRQL to dispatcher level and lock dispatcher database.
    // 提升 IRQL 等级到 dispatcher level 并锁定 dispatcher database。
	//
    // If the current thread is attached to a process, then save the
    // current APC state in the callers APC state structure. Otherwise,
    // save the current APC state in the saved APC state structure, and
    // return a NULL process pointer.
	// 如果当前线程已经 attach 了别的进程,那么保存当前 APC state 到调用者的 APC state 结构
	// 否则,保存当前 APC state 到 SavedApcState 结构,并设置 ApcState->Process = NULL
    //
    // N.B. The dispatcher lock is released ay the attach routine.
    // dispatcher lock 在 attach 函数中释放

    KiLockDispatcherDatabase(&OldIrql);
    if (Thread->ApcStateIndex != 0) {
		// 当前线程已经 attach 了一个进程
        KiAttachProcess(Thread, Process, OldIrql, ApcState);

    } else {
		// 当前线程的所属进程就是创建线程的进程
        KiAttachProcess(Thread, Process, OldIrql, &Thread->SavedApcState);
        ApcState->Process = NULL;
    }
}

return;

}

KiAttachProcess (真正的进程 attach 函数)
attach 进程最底层干活的函数,功能是把当前线程 attach 到目标进程中,并返回 SavedApcState 。

VOID
KiAttachProcess (
IN PRKTHREAD Thread,
IN PKPROCESS Process,
IN KIRQL OldIrql,
OUT PRKAPC_STATE SavedApcState
)

/*++

Routine Description:

This function attaches a thread to a target process' address space.

N.B. The dispatcher database lock must be held when this routine is
    called.

Arguments:

Thread - Supplies a pointer to a dispatcher object of type thread.

Process - Supplies a pointer to a dispatcher object of type process.

OldIrql - Supplies the previous IRQL.

SavedApcState - Supplies a pointer to the APC state structure that receives
    the saved APC state.

Return Value:

None.

–*/

{

PRKTHREAD OutThread;
KAFFINITY Processor;
PLIST_ENTRY NextEntry;
KIRQL HighIrql;

ASSERT(Process != Thread->ApcState.Process);

//
// Bias the stack count of the target process to signify that a
// thread exists in that process with a stack that is resident.
//

Process->StackCount += 1;

//
// Save current APC state and initialize a new APC state.
//

// KiMoveApcState 的功能是将参数1的APC队列复制一份到参数2
// 这里这么做的原因是 attach 前要把父进程的 APC 队列保存起来,保存到 SavedApcState
KiMoveApcState(&Thread->ApcState, SavedApcState);
// InitializeListHead 的功能是让链表头指向自己
InitializeListHead(&Thread->ApcState.ApcListHead[KernelMode]); // ApcListHead[0]
InitializeListHead(&Thread->ApcState.ApcListHead[UserMode]); // ApcListHead[1]
Thread->ApcState.Process = Process;
Thread->ApcState.KernelApcInProgress = FALSE;
Thread->ApcState.KernelApcPending = FALSE;
Thread->ApcState.UserApcPending = FALSE;
if (SavedApcState == &Thread->SavedApcState) {
    Thread->ApcStatePointer[0] = &Thread->SavedApcState; // 原进程的 APC state
    Thread->ApcStatePointer[1] = &Thread->ApcState; // attach 进程的 APC state
    Thread->ApcStateIndex = 1; // 表示现在已经 attach
}

//
// If the target process is in memory, then immediately enter the
// new address space by loading a new Directory Table Base. Otherwise,
// insert the current thread in the target process ready list, inswap
// the target process if necessary, select a new thread to run on the
// the current processor and context switch to the new thread.
//

if (Process->State == ProcessInMemory) {

    //
    // It is possible that the process is in memory, but there exist
    // threads in the process ready list. This can happen when memory
    // management forces a process attach.
    //

    NextEntry = Process->ReadyListHead.Flink;
    while (NextEntry != &Process->ReadyListHead) {
        OutThread = CONTAINING_RECORD(NextEntry, KTHREAD, WaitListEntry);
        RemoveEntryList(NextEntry);
        OutThread->ProcessReadyQueue = FALSE;
        KiReadyThread(OutThread);
        NextEntry = Process->ReadyListHead.Flink;
    }

    KiSwapProcess(Process, SavedApcState->Process);
    KiUnlockDispatcherDatabase(OldIrql);

} else {
    Thread->State = Ready;
    Thread->ProcessReadyQueue = TRUE;
    InsertTailList(&Process->ReadyListHead, &Thread->WaitListEntry);
    if (Process->State == ProcessOutOfMemory) {
        Process->State = ProcessInTransition;
        InterlockedPushEntrySingleList(&KiProcessInSwapListHead,
                                       &Process->SwapListEntry);

        KiSetSwapEvent();
    }

    //
    // Clear the active processor bit in the previous process and
    // set active processor bit in the process being attached to.
    //

#if !defined(NT_UP)

    KiLockContextSwap(&HighIrql);
    Processor = KeGetCurrentPrcb()->SetMember;
    SavedApcState->Process->ActiveProcessors &= ~Processor;
    Process->ActiveProcessors |= Processor;
    KiUnlockContextSwap(HighIrql);

#endif

    Thread->WaitIrql = OldIrql;
    KiSwapThread();
}

return;

}

MiDoMappedCopy
调用了 KeStackAttachProcess 函数,附加到目标进程,读取数据后 detach。

NTSTATUS
MiDoMappedCopy (
IN PEPROCESS FromProcess,
IN CONST VOID *FromAddress,
IN PEPROCESS ToProcess,
OUT PVOID ToAddress,
IN SIZE_T BufferSize,
IN KPROCESSOR_MODE PreviousMode,
OUT PSIZE_T NumberOfBytesRead
)

/*++

Routine Description:

This function copies the specified address range from the specified
process into the specified address range of the current process.

Arguments:

 FromProcess - Supplies an open handle to a process object.

 FromAddress - Supplies the base address in the specified process
               to be read.

 ToProcess - Supplies an open handle to a process object.

 ToAddress - Supplies the address of a buffer which receives the
             contents from the specified process address space.

 BufferSize - Supplies the requested number of bytes to read from
              the specified process.

 PreviousMode - Supplies the previous processor mode.

 NumberOfBytesRead - Receives the actual number of bytes
                     transferred into the specified buffer.

Return Value:

NTSTATUS.

–*/

{
KAPC_STATE ApcState;
SIZE_T AmountToMove;
ULONG_PTR BadVa;
LOGICAL Moving;
LOGICAL Probing;
LOGICAL LockedMdlPages;
CONST VOID *InVa;
SIZE_T LeftToMove;
PSIZE_T MappedAddress;
SIZE_T MaximumMoved;
PMDL Mdl;
PFN_NUMBER MdlHack[(sizeof(MDL)/sizeof(PFN_NUMBER)) + (MAX_LOCK_SIZE >> PAGE_SHIFT) + 1];
PVOID OutVa;
LOGICAL MappingFailed;
LOGICAL ExceptionAddressConfirmed;

PAGED_CODE();

MappingFailed = FALSE;

InVa = FromAddress;
OutVa = ToAddress;

//#define MAX_LOCK_SIZE ((ULONG)(14 * PAGE_SIZE))
MaximumMoved = MAX_LOCK_SIZE;
if (BufferSize <= MAX_LOCK_SIZE) {
    MaximumMoved = BufferSize;
}

Mdl = (PMDL)&MdlHack[0];

//
// Map the data into the system part of the address space, then copy it.
//

LeftToMove = BufferSize;
AmountToMove = MaximumMoved;

Probing = FALSE;

//
// Initializing BadVa & ExceptionAddressConfirmed is not needed for
// correctness but without it the compiler cannot compile this code
// W4 to check for use of uninitialized variables.
//

BadVa = 0;
ExceptionAddressConfirmed = FALSE;

#if 0

//
// It is unfortunate that Windows 2000 and all the releases of NT always
// inadvertently returned from this routine detached, as we must maintain
// this behavior even now.
//

KeDetachProcess();

#endif

while (LeftToMove > 0) {

    if (LeftToMove < AmountToMove) {

        //
        // Set to move the remaining bytes.
        //

        AmountToMove = LeftToMove;
    }

	// attach 到目标进程,返回 attach 前的进程的 APC 队列,即 SavedApcState 
    KeStackAttachProcess (&FromProcess->Pcb, &ApcState);

    MappedAddress = NULL;
    LockedMdlPages = FALSE;
    Moving = FALSE;
    ASSERT (Probing == FALSE);

    //
    // We may be touching a user's memory which could be invalid,
    // declare an exception handler.
    // 读3环内存,确保可读,设置异常处理

    try {

        //
        // Probe to make sure that the specified buffer is accessible in
        // the target process.
        //

        if ((InVa == FromAddress) && (PreviousMode != KernelMode)){
            Probing = TRUE;
            ProbeForRead (FromAddress, BufferSize, sizeof(CHAR));
            Probing = FALSE;
        }

        //
        // Initialize MDL for request.
        //

        MmInitializeMdl (Mdl, (PVOID)InVa, AmountToMove);

        MmProbeAndLockPages (Mdl, PreviousMode, IoReadAccess);

        LockedMdlPages = TRUE;

        MappedAddress = MmMapLockedPagesSpecifyCache (Mdl,
                                                      KernelMode,
                                                      MmCached,
                                                      NULL,
                                                      FALSE,
                                                      HighPagePriority);

        if (MappedAddress == NULL) {
            MappingFailed = TRUE;
            ExRaiseStatus(STATUS_INSUFFICIENT_RESOURCES);
        }

        //
        // Deattach from the FromProcess and attach to the ToProcess.
        // deattach  即分离,已经读好了

        KeUnstackDetachProcess (&ApcState);
        KeStackAttachProcess (&ToProcess->Pcb, &ApcState);

        //
        // Now operating in the context of the ToProcess.
        //
        if ((InVa == FromAddress) && (PreviousMode != KernelMode)){
            Probing = TRUE;
            ProbeForWrite (ToAddress, BufferSize, sizeof(CHAR));
            Probing = FALSE;
        }

        Moving = TRUE;
        RtlCopyMemory (OutVa, MappedAddress, AmountToMove);

    } except (MiGetExceptionInfo (GetExceptionInformation(),
                                  &ExceptionAddressConfirmed,
                                  &BadVa)) {


        //
        // If an exception occurs during the move operation or probe,
        // return the exception code as the status value.
        //

        KeUnstackDetachProcess (&ApcState);

        if (MappedAddress != NULL) {
            MmUnmapLockedPages (MappedAddress, Mdl);
        }
        if (LockedMdlPages == TRUE) {
            MmUnlockPages (Mdl);
        }

        if (GetExceptionCode() == STATUS_WORKING_SET_QUOTA) {
            return STATUS_WORKING_SET_QUOTA;
        }

        if ((Probing == TRUE) || (MappingFailed == TRUE)) {
            return GetExceptionCode();

        }

        //
        // If the failure occurred during the move operation, determine
        // which move failed, and calculate the number of bytes
        // actually moved.
        //

        *NumberOfBytesRead = BufferSize - LeftToMove;

        if (Moving == TRUE) {
            if (ExceptionAddressConfirmed == TRUE) {
                *NumberOfBytesRead = (SIZE_T)((ULONG_PTR)BadVa - (ULONG_PTR)FromAddress);
            }
        }

        return STATUS_PARTIAL_COPY;
    }

    KeUnstackDetachProcess (&ApcState);

    MmUnmapLockedPages (MappedAddress, Mdl);
    MmUnlockPages (Mdl);

    LeftToMove -= AmountToMove;
    InVa = (PVOID)((ULONG_PTR)InVa + AmountToMove);
    OutVa = (PVOID)((ULONG_PTR)OutVa + AmountToMove);
}

//
// Set number of bytes moved.
//

*NumberOfBytesRead = BufferSize;
return STATUS_SUCCESS;

}

txPNDGMCSY
关注
使用IDA反汇编系统NTReadVirtualMemory函数,模拟实现里边的部分函数
duhaomin的专栏
10-25 3603
首先是IDA的使用,打开VMware虚拟机,找到C:\Windows\system32\ntkrnlpa.exe,考到本地电脑,用IDA打开。 配置symbol标志文件:找到IDA文件下边的cfg\pdb.cfg,使用UltraEdit打开,第8行有个_NT_SYMBOL_PATH字符串,记住之后配置系统环境变量,计算机---属性---高级系统设置---高级---环境变量---系统变量---新建
5.SSDT再增加一个NtReadVirtualMemory函数
Mikasys的博客
11-04 469
代码如下,如果看不懂请看上一篇文章 Ring0 #include <ntifs.h> #include <ntstatus.h> typedef struct _KSYSTEM_SERVICE_TABLE { PULONG ServiceTableBase; //函数地址表基地址 PULONG ServiceCounterTableBase; //被访问了多少次 ULONG NumberOfService; //表中服务函数的总数 PUCHAR ParamTable
NT函数读内存 NtReadVirtualMemory
qq_35129925的博客
03-29 6091
typedef NTSTATUS(NTAPI*Ptr_NtReadVirtualMemory)( IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG NumberOfBytesToRead...
驱动编程:NtReadVirtualMemory
weixin_30443075的博客
05-18 446
NtReadVirtualMemory函数位于ntdll中,作用就是把用户态的函数调用翻译成相应的系统调用,进入内核态。内核中一般有一个相同名字的处理函数,接收到该类型的系统调用后做实际的工作。 NTSTATUS STDCALL NtReadVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddr...
VS调试技巧之----Attach to Process
weixin_34071713的博客
11-04 185
attach to process: 用于和进程绑定,方便调试。 你有没有这样的经历:按F5开始调试时,程序需要好长时间才能启动,比如可能需要加载比较大的文件或资源,这时候你可能需要等很长时间,而下次调试时又不得不等很长时间以待程序启动。其实这浪费了很多的时间。那有没有比较好的解决方法呢,有,就是VS提供的Attach to Proces 的功能。你只要把待调试的程序启动,然后把程序和源码...
Pipeline-Trigger-2021-04-16T03-08-08.065Z:为工具链创建
04-16
标题“Pipeline-Trigger-2021-04-16T03-08-08.065Z:为工具链创建”表明这是一个关于构建自动化流程的项目,可能是一个持续集成/持续部署(CI/CD)的配置文件或者相关脚本,创建于2021年4月16日的特定时间。...
金融时报-2021-08-14&15.pdf
11-10
【金融时报-2021-08-14&15.pdf】的报告涵盖了全球主要股票市场、货币汇率、商品价格以及利率等关键经济指标,反映了2021年8月14日和15日两天的全球经济状况。 1. **股票市场**: - S&P 500指数在8月13日报收4464....
jzrecord_2021-08-27 16:03:52.mp4
08-27
学生
Demo-2021-08-04-09-29
04-08
GithubDemo 项目更新 Github演示。 如果您想了解更多信息,请查看 GitHub培训 我的GitHub培训课程列表 (第6小时) (16小时)
Toolint-tests-Empty-TC-Add-Tools-2021-04-08T16-30-49.137Z:为工具链创建
04-09
标题“Toolint-tests-Empty-TC-Add-Tools-2021-04-08T16-30-49.137Z:为工具链创建”表明这是一个关于构建或更新工具链的测试项目,创建时间是2021年4月8日。"Empty TC"可能是指一个空的测试用例或测试集,而"Add ...
驱动SSDT未导出函数NtReadVirtualMemory.rtf
08-05
windows10获取SSDT未导出函数NtReadVirtualMemory详细步骤和代码,其他未导出函数同理
x64内存读写驱动
03-27
可过tp读写大部分tp游戏
Linux——gdb调试时多进程切换方法(attach/follow-fork-mode)
weixin_61857742的博客
11-03 2906
当在linux下运行的代码中有创建子进程的操作时,当进行gdb调试时会默认选择父进程进行调试,假如需要对子进程进行调试就需要使用特殊方法。共有两种方法可供选择:这个方式就是当进程运行时,获取进程PID然后在进入gdb调试时,通过attach指令调试PID对用的进程。本质就是指定PID然后调试,并不是真正的进程切换调试。示例代码: 过程如下: mode的可供选择值有两个parent与child,对应父进程与子进程。 这个只能选择fork的第一个子进程作为child进行调试。还是使用上述示例代码,过程如
SylixOS---Attach 到进程调试方法
陈言陈语的小陈
01-05 606
Attach 到进程 一、启动应用程序 为便于定位突发问题,SylixOS 支持 Attach 到现有进程的调试方式。为演示 Attach 调试 方式,本例修改源码,如图让应用程序以死循环方式不间断运行。 部署应用程序(本例上传到“192.168.7.30”),在“Device”页面,右键“192.168.7.30” 设备,点击“Launch Device”打开设备信息界面,切换到“Process”页查看进程信息。右 键“192.168.7.30”设备,点击“Launch Terminal”,打开设备终端
linux的attach
weixin_42588672的博客
01-03 742
attach 指的是将当前终端连接到某个进程的会话中。这样,你就可以在当前终端控制这个进程。你可以使用 attach 命令将当前终端连接到一个正在运行的进程的会话中,例如: $ attach12345 这里,12345 是进程的 ID。你也可以使用 screen 命令来启动一个新的会话,然后连接到这个会话中,例如: $ screen -r 这样你就可以在当前终端控制这个会话中的进程了。 ...
为什么NtReadVirtualMemory 硬件断点无法下断
06-24 290
win7 x64为例 nt!NtReadVirtualMemory ----- nt!MmCopyVirtualMemory NTSTATUS NTAPI MmCopyVirtualMemory(IN PEPROCESS SourceProcess, IN PVOID SourceAddress, IN PEPROCESS TargetProcess, ...
驱动读写进程
ChinaPrc
04-20 1143
NTSTATUS KeReadVirtualMemory(PEPROCESS Process, PVOID SourceAddress, PVOID TargetAddress, SIZE_T Size) { PSIZE_T Bytes; if (NT_SUCCESS(MmCopyVirtualMemory(Process, SourceAddress, PsGetCurrentProcess...
某超级注入程序的驱动逆向
被遗弃的庸才博客
11-05 2558
1、起因 从哥们儿那找到了一个超级注入的工具,打开一看加了vmp,然后还有驱动的驱动,于是这里把驱动提取出来,简单分析一下。 1.1运行 让程序先把驱动释放出来,可以看到这里需要买卡,然后才会释放驱动加载(简单破解一下就行,不是重点) 1.2破解之后 下一个CreateServiceA断点,让它在加载驱动之前断下,接着将驱动拷贝出来。从下图可以看到虽然驱动有签名,但是个过期签名,高版本windows10上是加载不上的。 2、驱动分析 好消息是驱动没有加壳,可以f5分析一下 2.1W.
Windows系统调用学习笔记(一)—— API函数调用过程
qq_41988448的博客
10-29 6897
Windows系统调用学习笔记(一)—— API函数的调用过程前言Windows API实验:分析ReadProcessMemory第一步:定位函数第二步:开始分析 前言 一、学习自滴水编程达人中级班课程,官网:https://bcdaren.com 二、海东老师牛逼! Windows API 描述: Application Programming Interface,简称 API 函数。...
with tmp_order as ( select user_id, order_stats_struct.sku_id sku_id, order_stats_struct.order_count order_count from dws_user_action_daycount lateral view explode(order_detail_stats) tmp as order_stats_struct where date_format(dt,'yyyy-MM')=date_format('2021-08-16','yyyy-MM') ), tmp_sku as ( select id, tm_id, category1_id, category1_name from dwd_dim_sku_info where dt='2021-08-16' ) insert into table ads_sale_tm_category1_stat_mn select tm_id, category1_id, category1_name, sum(if(order_count>=1,1,0)) buycount, sum(if(order_count>=2,1,0)) buyTwiceLast, sum(if(order_count>=2,1,0))/sum( if(order_count>=1,1,0)) buyTwiceLastRatio, sum(if(order_count>=3,1,0)) buy3timeLast , sum(if(order_count>=3,1,0))/sum( if(order_count>=1,1,0)) buy3timeLastRatio , date_format('2021-08-16' ,'yyyy-MM') stat_mn, '2021-08-16' stat_date from ( select tmp_order.user_id, tmp_sku.category1_id, tmp_sku.category1_name, tmp_sku.tm_id, sum(order_count) order_count from tmp_order join tmp_sku on tmp_order.sku_id=tmp_sku.id group by tmp_order.user_id,tmp_sku.category1_id,tmp_sku.category1_name,tmp_sku.tm_id )tmp group by tm_id, category1_id, category1_name
最新发布
07-15
这段代码是一个SQL插入语句,将计算得到的数据插入到表 "ads_sale_tm_category1_stat_mn" 中。首先,使用子查询 "tmp_order" 从表 "dws_user_action_daycount" 中选择特定日期('2021-08-16')的用户订单统计数据。然后,使用子查询 "tmp_sku" 从表 "dwd_dim_sku_info" 中选择特定日期('2021-08-16')的SKU信息。接下来,将两个子查询的结果进行连接,并按照用户、分类ID、分类名称和品牌ID进行分组。最后,根据分组结果计算购买次数、购买两次以上的比例、购买三次以上的比例,并将结果插入到目标表中。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值