InlineHookSwapContext

最新推荐文章于 2022-08-21 12:50:09 发布
最新推荐文章于 2022-08-21 12:50:09 发布
阅读量124 收藏
点赞数
原文链接:http://blog.51cto.com/haidragon/2307176
版权

作用:
枚举进程, 获取隐藏进程的EPROCESS
源码地址:
https://github.com/haidragon/HookSwapContext

#include <ntddk.h>
#include <ntimage.h>
#include <ntdef.h>
#include "hash.h"
#include "xde.h"
#include "main.h"

typedef struct _BYTECODE
{
    BYTE *pAddress;
    SIZE_T size;
} BYTECODE, *PBYTECODE;

typedef struct _OFFSETS
{
    BYTE threadsProcess;
    BYTE CID;
    BYTE imageFilename;
    BYTE crossThreadFlags;
    unsigned  PID;
    unsigned PPID;

    unsigned pecreatetimeoff;
    unsigned peexittimeoff;
} OFFSETS, *POFFSETS;

#define JMP_SIZE 5
#define SIG_SIZE 20
#define HASHTABLE_SIZE 256
#define MAINTAG1 'NIAM'

// NOTICE: WinDbg gives offsets in BYTEs, we use DWORDS.
OFFSETS offsets;
// The beginning of the SwapContext function is stored here.
BYTE *pSwapContext = NULL;
// The trampoline function which executes the replaced code and
// passes control to the hooked function.
BYTECODE trampoline;
// Inline assembler does not support structures, so this points
// directly to the pCode of the _BYTECODE structure.
BYTE *pTrampoline = NULL;
// The hashtable where we store the data.
PHASHTABLE pHashTable = NULL;
DWORD num = 0;

extern  USHORT  *NtBuildNumber;

const WCHAR deviceLinkBuffer[]  = L"\\DosDevices\\SwapContextDrv";
const WCHAR deviceNameBuffer[]  = L"\\Device\\SwapContextDrv";

PDEVICE_OBJECT g_HookDevice;

ULONG gNameOffset = 0x174;
PsLookupThreadByThreadId(
        IN PVOID UniqueThreadId,
        OUT PETHREAD *ppEthread
);
KIRQL           OldIrql;
KSPIN_LOCK      DpcSpinLock;

ULONG GetLocationOfProcessName(PEPROCESS CurrentProc)
{
    ULONG ul_offset;

    for(ul_offset = 0; ul_offset < PAGE_SIZE; ul_offset++) // This will fail if EPROCESS
                                                           // grows bigger than PAGE_SIZE
    {
        if( !strncmp( "System", (PCHAR) CurrentProc + ul_offset, strlen("System")))
        {
            return ul_offset;
        }
    }

    return (ULONG) 0;
}

// This function returns an MDL to an nonpaged virtual memory area.
// 
// IN pVirtualAddress Virtual address to the start of the memory area.
// IN length Length of the memory area in bytes.
//
// OUT PMDL Mdl to the nonpaged virtual memory area.
//
PMDL GetMdlForNonPagedMemory(PVOID pVirtualAddress, SIZE_T length)
{
    PMDL pMdl;

    if (length >= (PAGE_SIZE * (65535 - sizeof(MDL)) / sizeof(ULONG_PTR)))
    {
        DbgPrint("Size parameter passed to IoAllocateMdl is too big!\n");
        return NULL;
    }

    pMdl = IoAllocateMdl((PVOID)pVirtualAddress, length, FALSE, FALSE, NULL);
    if (NULL == pMdl)
    {
        DbgPrint("IoAllocateMdl returned NULL!\n");
        return NULL;
    }

    MmBuildMdlForNonPagedPool(pMdl);

    return pMdl;
}

// This function returns an MDL to a paged virtual memory area while
// making sure the pages are not paged out to the disk.
// 
// IN pVirtualAddress Virtual address to the start of the memory area.
// IN length Length of the memory area in bytes.
// IN operation Desired mode of operation.
//
// OUT PMDL Mdl to the locked and nonpaged memory area.
//
PMDL GetMdlForPagedMemory(PVOID pVirtualAddress, SIZE_T length, LOCK_OPERATION operation)
{
    PMDL pMdl;

    if (length >= (PAGE_SIZE * (65535 - sizeof(MDL)) / sizeof(ULONG_PTR)))
    {
        DbgPrint("Size parameter passed to IoAllocateMdl is too big!\n");
        return NULL;
    }

    pMdl = IoAllocateMdl((PVOID)pVirtualAddress, length, FALSE, FALSE, NULL);
    if (NULL == pMdl)
    {
        DbgPrint("IoAllocateMdl returned NULL!\n");
        return NULL;
    }

    // Make sure the memory is not paged on the disk.
    try
    {
        MmProbeAndLockPages(pMdl, KernelMode, operation);
    }
    except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("MmProbeAndLockPages caused an exception!\n");
        IoFreeMdl(pMdl);
        return NULL;
    }

    return pMdl;
}

// This function writes the given data to the given non-paged kernel memory location.
// It makes sure that no other instance can access it in any way until we have finished
// our job.
//
// IN pDestination Pointer to the kernel memory where we want to write.
// IN pSource Pointer to the data we want to write.
// IN length Length of data we want to write in bytes.
//
// OUT NTSTATUS return code.
//
NTSTATUS WriteKernelMemory(BYTE *pDestination, BYTE *pSource, SIZE_T length)
{
    KSPIN_LOCK spinLock;
    KLOCK_QUEUE_HANDLE lockHandle;
    PMDL pMdl;
    PVOID pAddress;

    pMdl = GetMdlForNonPagedMemory(pDestination, length);
    if (NULL == pMdl)
    {
        DbgPrint("GetMdlForSafeKernelMemoryArea returned NULL!\n");
        return STATUS_UNSUCCESSFUL;
    }

    pAddress = MmGetSystemAddressForMdlSafe(pMdl, HighPagePriority);

    if (pAddress == NULL)
    {
        IoFreeMdl(pMdl);
        DbgPrint("MmGetSystemAddressForMdlSafe returned NULL!\n");
        return STATUS_UNSUCCESSFUL;
    }

    KeInitializeSpinLock(&spinLock);
    // Only supported on XP and later. For Windows 2000 compatibility you can
    // use the older, less efficient and less reliable KeAcquireSpinLock function.
    KeAcquireInStackQueuedSpinLock (&spinLock, &lockHandle);
    // We have the spinlock, so we can safely overwrite the kernel memory.
    RtlCopyMemory(pAddress, pSource, length);
    KeReleaseInStackQueuedSpinLock(&lockHandle);

    IoFreeMdl(pMdl);

    return STATUS_SUCCESS;
}

void __stdcall ProcessData(DWORD *pEthread)
{
    DWORD   *pEprocess  = (DWORD *)*(pEthread + offsets.threadsProcess);
    DWORD   *pCid       = (DWORD *)(pEthread+offsets.CID);
    DWORD   key         = 0;
    DATA    data        = {0};

    data.processID = 0x0;
    data.threadID = 0x0;
    data.imageName = "NONE";

    key = (DWORD)pEthread;

    if (pCid != NULL)
    {
        data.processID = *pCid;
        data.threadID = *(pCid + 0x1);
    }

    if (pEprocess != NULL)
    {
        data.imageName = (BYTE *)(pEprocess+offsets.imageFilename);
        data.xlow = *(DWORD *)(pEprocess+offsets.peexittimeoff);
        data.xhigh = *(DWORD *)(pEprocess+offsets.peexittimeoff+4);
    }
    if (*(pEthread + offsets.crossThreadFlags) & 1)
    {
        KeAcquireSpinLock(&DpcSpinLock,&OldIrql);
        Remove(key, pHashTable);
        KeReleaseSpinLock(&DpcSpinLock,OldIrql);
    }
    else
    {
        KeAcquireSpinLock(&DpcSpinLock,&OldIrql);
        Insert(key, &data, pHashTable);
        KeReleaseSpinLock(&DpcSpinLock,OldIrql);
    }
}

void __declspec(naked) DetourFunction()
{
    __asm 
    {
        // Save parameters we will overwrite. We save all data to play it safe.
        pushad
        pushfd
        // Disable interrupts. Assume single processor machine.
        // cli
        // EDI holds the thread whose context we will switch out.
        push edi//edi寄存器中存放的是要切换出去的线程
        call ProcessData
        // ESI holds the thread whose context we will switch in.
        push esi
        call ProcessData
        // Enable interrupts.
        // sti
        // Restore the saved state.
        popfd
        popad

        // Jump to the trampoline function.
        jmp dword ptr pTrampoline//弹簧床
    }
}

BYTE * GetSwapAddr()
{
    BYTE        *res = 0;
    NTSTATUS    Status;
    PETHREAD    Thread;

    if (*NtBuildNumber <= 2195)
        Status = PsLookupThreadByThreadId((PVOID)4, &Thread);
    else
        Status = PsLookupThreadByThreadId((PVOID)8, &Thread);

    if (NT_SUCCESS(Status))
    {
        if (MmIsAddressValid(Thread))
            res = (BYTE *)(*(ULONG *)((BYTE *)(Thread)+0x28));
        if (MmIsAddressValid(res+8))
            res = (BYTE *)(*(ULONG *)(res+8));
        else
            res = 0;
    }

    return res;
}
ULONG GetFunctionAddr( IN PCWSTR FunctionName)
{
        UNICODE_STRING UniCodeFunctionName;

        RtlInitUnicodeString( &UniCodeFunctionName, FunctionName );
        return (ULONG)MmGetSystemRoutineAddress( &UniCodeFunctionName );    

}
VOID DoFindSwap(IN PVOID pContext)
    {
        NTSTATUS ret;
        PSYSTEM_MODULE_INFORMATION  module = NULL;
        ULONG n=0;
        void  *buf    = NULL;
        ULONG ntosknlBase;
        ULONG ntosknlEndAddr;
        ULONG curAddr;

        ULONG code1_sp1=0xc626c90a,code2_sp1=0x9c022d46,code3_sp1=0xbb830b8b,code4_sp1=0x00000994;

        ULONG code1,code2,code3,code4;
        ULONG i;

        NtQuerySystemInformation=(NTQUERYSYSTEMINFORMATION)GetFunctionAddr(L"NtQuerySystemInformation");
        if (!NtQuerySystemInformation) 
        {
            DbgPrint("Find NtQuerySystemInformation faild!");
            goto Ret;
        }
        ret=NtQuerySystemInformation(SystemModuleInformation,&n,0,&n);
        if (NULL==( buf=ExAllocatePoolWithTag(NonPagedPool, n, 'PAWS')))
        {
            DbgPrint("ExAllocatePool() failed\n" );
            goto Ret;
        }
        ret=NtQuerySystemInformation(SystemModuleInformation,buf,n,NULL);
        if (!NT_SUCCESS(ret))   {
            DbgPrint("NtQuerySystemInformation faild!");
            goto Ret;
        } 
        module=(PSYSTEM_MODULE_INFORMATION)((PULONG)buf+1);
        ntosknlEndAddr=(ULONG)module->Base+(ULONG)module->Size;
        ntosknlBase=(ULONG)module->Base;
        curAddr=ntosknlBase;
        ExFreePool(buf);

        code1 = code1_sp1;
        code2 = code2_sp1;
        code3 = code3_sp1;
        code4 = code4_sp1;

        for (i=curAddr;i<=ntosknlEndAddr;i++)
        {
            if (*((ULONG *)i)==code1) 
            {
                if (*((ULONG *)(i+4))==code2) 
                {
                    if (*((ULONG *)(i+8))==code3) 
                    {
                        if (*((ULONG *)(i+12))==code4) 
                        {

                                pSwapContext=(BYTE *)i;
                                break;

                        }
                    }
                }
            }
        }
Ret:
    PsTerminateSystemThread(STATUS_SUCCESS);
    }

void FindSwapAddr()
{
        HANDLE  hThread     = NULL;
        PVOID   objtowait   = 0;

        NTSTATUS dwStatus = 
            PsCreateSystemThread(
            &hThread,
                  0,
               NULL,
            (HANDLE)0,
                  NULL,
               DoFindSwap,
            NULL
            );
        if ((KeGetCurrentIrql())!=PASSIVE_LEVEL)
        {
            KfRaiseIrql(PASSIVE_LEVEL);

        }
        if ((KeGetCurrentIrql())!=PASSIVE_LEVEL)
        {
            return;
        }

        ObReferenceObjectByHandle(
            hThread,
            THREAD_ALL_ACCESS,
            NULL,
            KernelMode,
            &objtowait,
            NULL
            ); 

        KeWaitForSingleObject(objtowait,Executive,KernelMode,FALSE,NULL); //NULL表示无限期等待.
        return;

}

NTSTATUS InstallSwapContextHook()
{
    NTSTATUS rc;
    int length = 0;
    int totalLength = 0;
    struct xde_instr instr;
    BYTE *pJmpCode = NULL;
    long displacement = 0;

    __asm
    {
            push    eax
            mov        eax, CR0
            and        eax, 0FFFEFFFFh
            mov        CR0, eax
            pop        eax
    }

    // Disassemble the code to get how many bytes we have to replace.
    // We use XDE v1.01 by Z0MBie (http://z0mbie.host.sk/).
    while (totalLength < 5)
    {
        length = xde_disasm(pSwapContext + totalLength, &instr);
        if (length == 0)
        {
            DbgPrint("xde_disasm returned 0!\n");
            return STATUS_UNSUCCESSFUL;
        }
        totalLength += length;
    }

    DbgPrint("Hook will replace the first %d bytes.\n", totalLength);

    // Allocate the required bytes for the trampoline function.
    //pTrampoline:是保存原来的被替换的指令+JMP指令
    pTrampoline = trampoline.pAddress = ExAllocatePoolWithTag(NonPagedPool, totalLength + 5, MAINTAG1);
    if (trampoline.pAddress == NULL)
    {
        DbgPrint("ExAllocatePoolWithTag returned NULL!\n");
        return STATUS_UNSUCCESSFUL;
    } 

    DbgPrint("Trampoline is at 0x%x\n", pTrampoline);

    // This tells how many bytes we replaced from the original function.
    //备份原来的指令
    trampoline.size = totalLength;
    RtlCopyMemory(trampoline.pAddress, pSwapContext, totalLength);

    // We are using JMP rel32 instruction to jump to the rest of the
    // swapcontext function, so we first calculate the 32bit displacement
    // and then create the five byte JMP instruction.
    //在备份完原来的指令后,在后面构造一个跳回去的jmp指令
    //displacement是跳回去的偏移
    displacement = (pSwapContext + totalLength) - (trampoline.pAddress + totalLength + JMP_SIZE);
    pJmpCode = trampoline.pAddress + totalLength;

    //直接的jmp分3种 
    //Short Jump(短跳转)机器码 EB rel8 
    //只能跳转到256字节的范围内 
    //Near Jump(近跳转)机器码 E9 rel16/32 
    //可跳至同一个段的范围内的地址 
    //Far Jump(远跳转)机器码EA ptr 16:16/32 
    //可跳至任意地址,使用48位/32位全指针 
    *pJmpCode = 0xe9;
    RtlCopyMemory(pJmpCode+1, &displacement, 4);
    //执行这个时候,被替换的指令备份就已经完成
    //接下来,就应该生成一个jmp指令,覆盖原来的指令

    // Allocate the required bytes for the jmp code to the detour function.
    pJmpCode = ExAllocatePoolWithTag(NonPagedPool, totalLength, MAINTAG1);
    if (pJmpCode == NULL)
    {
        DbgPrint("ExAllocatePoolWithTag returned NULL!\n");
        return STATUS_UNSUCCESSFUL;
    }

    // Initialize the jmp-code with NOPs.
    RtlFillMemory(pJmpCode, totalLength, 0x90);

    // We are using JMP rel32 instruction to jump to our hook function,
    // so we first calculate the 32bit displacement and then create the
    // five byte JMP instruction.
    displacement = ((BYTE *)&DetourFunction) - (pSwapContext + JMP_SIZE);
    *pJmpCode = 0xe9;
    RtlCopyMemory(pJmpCode+1, &displacement, 4);

    //inline hook完成
    rc = WriteKernelMemory(pSwapContext, pJmpCode, totalLength);
    ExFreePoolWithTag(pJmpCode, MAINTAG1);
    __asm
    {
        push    eax
            mov        eax, CR0
            or        eax, NOT 0FFFEFFFFh
            mov        CR0, eax
            pop        eax
    }
    return rc;
}

// This function removes our hook by restoring the bytes we have replaced
// from the original SwapContext function.
//
// OUT NTSTATUS return value.
//
NTSTATUS UninstallSwapContextHook()
{
    return WriteKernelMemory(pSwapContext, trampoline.pAddress, trampoline.size);
}

NTSTATUS OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    NTSTATUS rc;
    UNICODE_STRING          deviceLinkUnicodeString;
    PDEVICE_OBJECT          p_NextObj;
    PPROCLIST pTemp = NULL, pt = NULL;
    PThreadData pTempT = NULL, pp = NULL;
    PDriverData pTempD = NULL, pd = NULL;
    PFileList pTempF = NULL, pf = NULL;

    DbgPrint("OnUnload called\n");

    rc = UninstallSwapContextHook();

    if (STATUS_SUCCESS == rc)
    {
        DbgPrint("UninstallSwapContextHook succeeded.\n");
    }
    else
    {
        DbgPrint("UninstallSwapContextHook failed!\n");
    }

    // Show the collected data and release all resources.
    //DumpTable(pHashTable);
    KeAcquireSpinLock(&DpcSpinLock,&OldIrql);
    DestroyTable(pHashTable);
    KeReleaseSpinLock(&DpcSpinLock,OldIrql);
    //num = 0;
    ExFreePoolWithTag(pTrampoline, MAINTAG1);

    // Delete the symbolic link for our device
    //
    RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
    IoDeleteSymbolicLink( &deviceLinkUnicodeString );
    // Delete the device object
    //
    IoDeleteDevice( DriverObject->DeviceObject );
    //return STATUS_SUCCESS;
    return rc;
}

NTSTATUS DispatchCreate (
        IN PDEVICE_OBJECT   pDevObj,
        IN PIRP             pIrp            )
{

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0; // no bytes xfered
    IoCompleteRequest( pIrp, IO_NO_INCREMENT );
    return STATUS_SUCCESS;
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{

    RTL_OSVERSIONINFOW      osvi;
    NTSTATUS                ntStatus;
    UNICODE_STRING          deviceNameUnicodeString;
    UNICODE_STRING          deviceLinkUnicodeString;   
    RTL_OSVERSIONINFOEXW    VersionInfo;
    ULONGLONG               ConditionMask = 0;

    memset(&VersionInfo,0,sizeof(VersionInfo));

    VER_SET_CONDITION (
           ConditionMask,
            VER_SERVICEPACKMAJOR,
            VER_EQUAL
            );

    DbgPrint("DriverEntry called.\n");

    RtlZeroMemory(&osvi, sizeof(RTL_OSVERSIONINFOW));
    osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);

    // Initialize the OS specific data.
//  gNameOffset = GetLocationOfProcessName(PsGetCurrentProcess());
//  if (!gNameOffset)
//      return STATUS_UNSUCCESSFUL;
    if (STATUS_SUCCESS == RtlGetVersion(&osvi))
    {
        if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1) //Windows XP
        {
            offsets.pecreatetimeoff = 0x070;
            offsets.peexittimeoff = 0x078;
            offsets.CID = 0x7b;
            offsets.threadsProcess = 0x88;
            offsets.crossThreadFlags = 0x92;
            offsets.imageFilename = 0x5d;
        }

        //VersionInfo.wServicePackMajor = 3;
        //if( STATUS_SUCCESS==RtlVerifyVersionInfo(&VersionInfo,VER_SERVICEPACKMAJOR,ConditionMask))//sp3
        //{
        //
        //}

        else
        {
            //更多的调试
            DbgPrint("Unsupported OS version!\n");
            return STATUS_UNSUCCESSFUL;
        }

    }
    else
    {
        DbgPrint("RtlGetVersion failed!\n");
        return STATUS_UNSUCCESSFUL;
    }

    RtlInitUnicodeString (&deviceNameUnicodeString,
                              deviceNameBuffer );
    RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer);

    ntStatus = IoCreateDevice ( DriverObject,
                                    0, // For driver extension
                                    &deviceNameUnicodeString,
                                    FILE_DEVICE_UNKNOWN,
                                    0,
                                    TRUE,
                                    &g_HookDevice );

    if(! NT_SUCCESS(ntStatus))
    {
            DbgPrint(("Failed to create device!\n"));
            return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
                                            &deviceNameUnicodeString );
    if(! NT_SUCCESS(ntStatus)) 
    {
         IoDeleteDevice(DriverObject->DeviceObject);
            DbgPrint("Failed to create symbolic link!\n");
            return ntStatus;
    }

    DriverObject->DriverUnload  = OnUnload;

    pHashTable = InitializeTable(HASHTABLE_SIZE);
    if (pHashTable == NULL)
    {
        DbgPrint("InitializeTable failed!\n");
        return STATUS_UNSUCCESSFUL;
    }

    //pSwapContext = GetSwapAddr();

    FindSwapAddr();

    if(NULL==pSwapContext)
    {
        DbgPrint("SwapContext addr not found!\n");
        return STATUS_UNSUCCESSFUL;
    }
    else
    {
        DbgPrint("SwapContext found at 0x%x\n", pSwapContext);

        ntStatus = InstallSwapContextHook();
    }

    if (STATUS_SUCCESS == ntStatus)
    {
        DbgPrint("InstallSwapContextHook succeeded.\n");
        DbgPrint("DetourFunction is at 0x%x\n", DetourFunction);
    }
    else
    {
        DbgPrint("InstallSwapContextHook failed!\n");
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;

}

转载于:https://blog.51cto.com/haidragon/2307176

weixin_34364071
关注
HOOK SwapContext 枚举隐藏进程(学习笔记4)
01-08 3878
 作 者: bzhkl 时 间: 2008-12-11,12:01 链 接: http://bbs.pediy.com/showthread.php?t=78464 以前想检测一个被隐藏的进程 后来用暴力枚举的方法解决了 但是HOOK SwapContext没有看到有完整的代码 所以搜集了点网上有用的模块 自己整合实现了下 确定支持XP3, XP2没测试 应该也能支持 附完整工程代
r0下多核hook
hongduilanjun的博客
03-23 1711
文章首发奇安信攻防社区:https://forum.butian.net/share/1361 r0层多核下hook高并发函数存在的问题是:在使用如memcpy的时候,无法一次性拷贝5个字节的硬编码。即有可能拷贝到一半,别的线程去执行了代码导致蓝屏。 解决的办法有: 短跳中转 中断门 找一条一次性修改8字节的指令 这里将使用第三种方法实现。 SwapContext 这是线程切换核心函数,Windows几乎无时无刻在执行这个函数,所以属于是高并发函数。 本文将在多核环境下通过hook SwapCont
[C/C++]windows下实现swapcontext等函数实践
weixin_34391445的博客
07-02 634
2019独角兽企业重金招聘Python工程师标准>>> ...
HOOK SwapContext 枚举隐藏进程(学习笔记4)(3)
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
07-26 617
190   191 void  klisterUnload(IN PDRIVER_OBJECT pDriverObject) 192 { 193   BeTerminate = 1; 194   while(B
HOOK SwapContext 枚举隐藏进程(学习笔记4)(2)
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
07-26 867
下面是主要代码   01 DWORD gThreadsProcessOffset =0x220;    // ETHREAD 在 EPROCESS偏移 02 /* 03   04 +0x218 TopLev
HOOK SwapContext 枚举隐藏进程(学习笔记4)(1)
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
07-26 1177
HOOK SwapContext 枚举隐藏进程(学习笔记4) 作者:windows内核安全技术站A盾电脑防护 dump 文件接收:asm32asm@gmail.com " style="text-decoration:none; color:rgb(69,82,95)">A盾电脑防护 | 分类: 分类:进程 | 标签: | 2012-2-21 作 者: bzhkl
(24)[进程与线程] 分析SwapContext
qq_50332504的博客
08-21 849
SwapContext有几个参数? SwapContext在哪里实现了线程切换? 哪里进行了进程切换(修改CR3)? TSS存储当前的 SS0 : ESP0。 FS:[0]在3环总能正确指向当前TEB。 异常链表的切换。 完整分析代码。
32位下如何HOOK高并发函数
SharenFish的博客
11-30 285
#include<NTDDK.H> /********************************************************************* ****** “多核环境下,如何保证对一个高并发的内核函数进行HOOK而不会出错?” ****** **********************************************************************/ LONG AddressOfSwapContext = 0x8
linux ucontext族函数的原理及使用
WhiteShirtI的博客
06-09 4366
ucontext函数族 这里的context族是偏向底层的,其实底层就是通过汇编来实现的,但是我们使用的时候就和平常使用变量和函数一样使用就行,因为大佬们已经将它们封装成C库里了的 我们先来看看寄存器 寄存器:寄存器是CPU内部用来存放数据的一些小型存储区域,用来暂时存放参与运算的数据和运算结果 我们常用的寄存器是X86-64中的其中16个64位的寄存器,它们分别是 %rax, %rbx, %rcx, %rdx, %esi, %edi, %rbp, %rsp %r8, %r9, %r10, %r11, %r
云渲染、云游戏核心技术之视频hook引擎的OpenGL(一)
永远积极向上、永远热泪盈眶、永远豪情满怀、永远坦坦荡荡
05-11 1321
云渲染、云游戏之视频hook引擎的OpenGL(一) 云渲染、云游戏之视频hook引擎的OpenGL(一)云渲染、云游戏之视频hook引擎的OpenGL(一)前言一、 采集端hook的流程二、hook到视频渲染前回调函数注册三、 拷贝数据到共享GPU中四、 共享GPU 云端共享GPU资源 前言 云渲染客户端 采集的工作 提示:以下是本篇文章正文内容,下面案例可供参考 一、 采集端hook的流程 在渲染前一帧的数据拿到 拷贝同享GPU中去,编码从共享GPU中读取数据 在这里面有GPU同享时,
win10 x64 内核结构体
sanqiuai的博客
08-27 982
nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x2d8 ProcessLock : _EX_PUSH_LOCK +0x2e0 UniqueProcessId : Ptr64 Void +0x2e8 ActiveProcessLinks : _LIST_ENTRY +0x2f8 RundownProtect : _EX_RUNDOWN_REF +0x300 Flags2 : Uint
自己Swap自己,Ring0下做测试器时用的代码
05-10 1026
作者:vxk#include "vx_main.h"#include "mem.h"#include #include void MySwapContextHook();void MySwapContextEndHook();static DWORD SwapContextPtr=0;static DWORD SwapContextCnt=0;extern HANDLE CurrentProc
38进程与线程之线程切换----时钟中断切换
qq_18059143的博客
12-05 931
绝大部分系统内核函数都会调用SwapContext函数,来实现线程的切换,那么这种切换是线程主动调用的。 如何中断一个正在执行的程序? 异常 比如缺页,或者INT N指令 中断 比如时钟中断 Windows系列操作系统: 10-20毫秒 如要获取当前的时钟间隔值,可使用Win32API: GetSystemTimeAdjustment 线程切换的几种情况: 1) 主动调用AP...
40 进程与线程之Windows线程切换——FS段寄存器
qq_18059143的博客
12-05 587
FS:[0]寄存器在3环时指向TEB.进入0环后FS:[0]指向KPCR 系统中同时存在很多个线程,这就意味着FS:[0]在3环时指向的TEB要有多个(每个线程一份)。 但在实际的使用中我们发现,当我们在3环查看不同线程的FS寄存器时, FS的段选择子都是相同的,那是如何实现通过一个FS寄存器指向多个TEB呢? 下面是ida的分析SwapContext代码 ; CODE XREF: Sw...
优化总结:有哪些APP启动提速方法?
阿里云技术
02-18 700
一 通过 Universal Links 和 App Links 优化唤端启动体验 App 都会存在拉新和导流的诉求,如何提高这些场景下的用户体验呢?这里会用到唤端技术。包含选择什么样的换端协议,我们先看看唤端路径,如下: 唤端的协议分为自定义协议和平台标准协议,自定义协议在 iOS 端会有系统提示弹框,在 Android 端 chrome 25 后自定义协议失效,需用 Intent 协议包装才能打开 App。如果希望提高体验最好使用平台标准协议。平台标准协议在 iOS 平台叫 Universa..
关于Win7 x64 Shadow SSDT 的探索和 Inline HOOK
fyfy
05-15 4031
http://bbs.pediy.com/thread-210481.htm 来看雪一年了,在这里面学到了很多知识,非常感谢各位前辈对知识的分享和不懈的研究,也非常感谢各位大神对我们这些小白的照顾,特别要感谢MaMy、hksoobe、luolinlove等大神的指导。我也一直非常希望能为看雪贡献一点什么,但是小白的理解估计大神也看不上,这次也是注册看雪一周年,冲着这个也来发表一点自己的理
inline hook
zhuhuibeishadiao
04-10 1841
Inline hook的步骤 1。获得要inline hook的函数在内存中的地址 2。实现T_MyFunc()与MyFunc函数,在该函数中将参数压栈并调用MyFunc函数处理。 3。HOOK。保存函数开头的指令到某个内存中,并在该内存末尾附加JMP指令到开头指令的后面的指令。并将开头的指令替换为JMP T_MyFunc地址。 4。在T_MyFunc执行完MyFunc之后,调用保存的指令
PsSetCreateProcessNotifyRoutine妙用
热门推荐
yushiqiang1688的专栏
01-18 1万+
最近要做一个进程监控的程序,功能很简单,就是创建和退出进程的时候,能触发我们的事件。首先的第一想法,是Hook ZwCreateProcess,结果调试的时候发现,很多创建进程的动作,并没有通过这个API执行,所以自然就是没办法监控进程的创建,于是回到本质,从创建进程的动作过程来分析,创建新的进程,其大致要经历以下步骤:(1)打开可执行文件,以FILE_EXECUTE权限打开;(2)将
检测API函数的InlineHook
weixin_30500663的博客
07-28 205
检测API函数的InlineHook 1 BOOL GetProcHookStatus(LPCSTR lpModuleName, LPCSTR lpProcName) 2 { 3 HMODULE hModule = GetModuleHan...
重庆对外经贸学院在四川2020-2024各专业最低录取分数及位次表.pdf
最新发布
10-31
那些年,与你同分同位次的同学都去了哪里?全国各大学在四川2020-2024年各专业最低录取分数及录取位次数据,高考志愿必备参考数据
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值