mikenoodle's home

��ˣ�̸��ֵľ��

mikenoodle — 2009-11-28 20:20

��ߣ�oldjun

From oldjun(http://www.oldjun.com/)
��һ��仯�Ƚϴ󣬻��˺ü��ջ��ǻص��˰�ȫ�ĸ�λ��Ϻ��Լ��ְҵ�滮��
ƽʱ��ʱ�侭��Щվ��֣��ֳ��䶯��վ��һЩ֪��Ĵ�վ��2008��ĳɹ��ķ�ģ��ĳĳ��2��֪��̳��ĳĳ��վ��ĳĳ2��վ��ĳĳmobile��ĳĳ��վ�ȴ�վ��ٵ��Сվ��ҵ�Ӱ�١��Ҹ��˾��ûʲô��ҫ�ģ��û�滻��ҳ��û��º�ҳ��ǰ�Դ��ؼң�Ӳ�̳Բ��ˣ�׼��ƶ�Ӳ��˵��ʵ��滻һ��ҳ��ҳ��ĳĳ��ֹ��۵ķ��վ��л�Ƭ��ĳĳ��е��վ��Ҷ��ǰ��ˣ��Ҳ��~
��̸̸��ֵľ��飬��ԣ�̸ֻ��webshell��Ȩ��ﲻ˵��Ҳ��Ȩ��ȷʵ�б�Ҫ��~
1.��ʲôվ��ʲô��ԣ��Ҫ��͸��һ��¾��ɨĿ¼��һ��ɨ��ϴ��㣬ֱ��ϴ�shell��λ��ҪЦ��ʱ��㻨�ܾø�һ��վ��и��ֳɵ��ϴ��㣬��Һ��ײµ��asp�Ӷ࣡
2.asp��aspx��+MSSQL�ȿ��ע�룬һ��ע�붼��DBownerȨ�޿��ֱ��дshell��д��ˣ��web��ݿ��룬�ǾͲ��ݣ��Ӻ�̨��ˣ��̨��ϴ��߸��ļ��
3.asp��aspx��+ACCESS��shellһ��ֻ��3�ַ��һ��ǰ̨�ϴ��ע��̨�ϴ��ע��̨��ļ��ע��̨��ݿ��߱��֪��asp��asa��ݿ��ֱ��дһ�仰��
4.php+MYSQLһ��ע��̨�ϴ��ż��ЩȨ�޹��߿��ע��select into outfile��Ȼ��ֱ��Զ�̣�Զ�̰��ڸ߰汾php�ǲ�֧�ֵģ��취��ϴ�ͼƬ�ļ��д��log�Ȼ��php��ĳĳδ��©��ÿ��ֱ��дshell��
5.jsp+MYSQL��ݿ��Ȩ�޷��ͬphp��jsp��ϴ��ټ��ļ��׺��ֻҪ��ע��̨��shell�൱��ס�jsp+ORACLE��վ��Ĳ��࣬��Ҳ�ǲ³��û��Ӻ�̨��ֵġ�
6.��ʲô��վ��վһ�㶼�ܰ�ȫ��Ȼ�类��ˣ��һ��Ӷ��֣��³��վ��ĳЩ�û��߸㵽��վ��Դ��룬��ע�õ�ͬ��η��cain��arp��
7.һ��Ĵ�վ��ֳɵ�CMS�ģ��ҵ�Դ�룬��ͷ��ˣ�ע��©��ϴ�©��д�ļ�©���࿴��Щ��վ�³��Ĳ��Է�վ�㣬��Щվ��ڲ��У��Ժ��¡�
8.�ϴ��и��ļ��ضϣ��2��棬һ��00�ضϣ��ǳ��ļ��ضϣ��hw��Ȼ��ܶ�д�ļ��ĵط��00��Բ�ˬ��ϴ��.asp��Ȼ.asa��.cer��.cdx��Ŀ¼��á�
9.phpվ��windows��linux��magic_quotes_gpc��⣬magic_quotes_gpcΪon��ʱ��server��ע��ʱ��ǿ��select into outfile��Ҹ��ĳδ��Դcms��һ��Ϊon�ͱ��д�ļ��ˣ��Ȩ�ޱ��˶��ļ�Դ�룬��Ϊload_file�Ĳ��ǿ��Ա��ġ�
10.��·��ļ��зǳ��Ҫ��²��·��ʱ��google��baidu̫�ã�google��ȫ��Կ��ǿ�վ��µ�robot.txt��robots.txt��о�ϲ��
11.��ߵ�ʹ�ú��Ҫ��֮ǰ��WVSɨɨ��֣�ע�빤��Ȼ�ܶ࣬��ö��ʹ��ڵ��Ӳ��ǽ��ע��Խ��Խ��ʱ��ͱ�͵��ֹ��ɳ��
12.��һ��ô��post�ķ��ǽô��ʱ��һ�仰��ȥ�˶��޷��ʱ��ѧѧ��룬ѧѧ�任�ƹ��
13.��һ��Сվ��ǵò鿴��Сվ�İ�Ȩ��վ�Ĺ�˾��Ȼ��˾��վ��֣��õ�Դ��ٻ�ͷ�㣬��ͨ��ĳ֪��ҩ�Ĺ�˾վ��
14.��ע��˼·��Զ��ʱ��dbowner��ע�룬��Ժ��дshell��Ҫ��վ��ʡ��鷳��Ȩ�ˣ��ã��Ͱ��shell��Ȩ�õ��衣
15.��Զ��Ṥ��ѧ��繤��Լ��һ��ʲôҲ��ˣ��ĳĳվ��qq��֤��ȵ��֣�Ҳ��ʱ��ܻ��⣻��admin,admin��test,test��123456,123456��ּ򵥵ĳ��ԣ��Ȼ��Ҳ��Ա��ƽ⡣
16.��XSS��cookie��XSS��͵cookie��ã��Լ�ѧ��cookie��α��½��cookie��ע�룬cookieע��ƾ��ķ��ǽ��
17.ƽʱ��վ��Ѽ�·��Դ�밡��߰��ʵ�Լ��“��”�⣻��ð��Լ��ֲ��¼��º�˼�£��һ�㶼�Ǽ��txt���Ҫ��һ��
18.��ѧϰ��࿴Դ�룬�࿴��0day��ű��ֵ�ǰ�ᣬ��ǹ��ߣ��ù��߻�װB�㻹û��š�
��Ȱ��λ��û�¸��˼��ҳ��װB�ߣ��죬��Ҫ��ģ��Ƚ��˾��ٺ�ڡ��һ�㣬��Ҹ�N��վ��û�ҹ�һ��ںܶ��ˣ��Ҳ�֪��˵ʲô��Ϊ��Ҷ�ϲ��Ǯ��ǻ��Ϊ֮�ɡ�
��ͷһ�ȣ��һЩ��ǵõ��ĵ�д��ˣ�ϣ��ұ��ש��ֵ�ʱ��˼·�Ǻ��ģ�ֻҪ��壬��һ��ʹ�Լ��ɹ��·��ʲô��Ҫ��ӭ��http://www.oldjun.com��ۻ��߼��QQ��
��в�Ҫ��Ź��ȥ��վ��ȫ��˿��վ��Լ��ļ��뾭�飬Ҳ��԰��Լ��Ĳ�Ʒ��ĸ��ã��Ǽ��Ϊ��ʲô��棬��...��֪��ô˵...��˲�֪��Ĺ�˭��
ף��Ԫ��֣�
http://forum.eviloctal.com/thread-34512-1-3.html �Ķ�ȫ��
��hacker&cracker �鿴��

��εõ��õ��

mikenoodle — 2009-11-28 09:54

///

/// �ж�wifi��״̬��ź�ǿ��Ϊ0,��wifiΪoff,��Ϊon,��myAdaptersΪ��ҲΪoff
///

///
public static bool CheckWifiConnect()
{
bool result = false;
try
{
AdapterCollection myAdapters = Networking.GetAdapters();

foreach (OpenNETCF.Net.Adapter myAdapter in myAdapters)
{
if (myAdapter.IsWireless)
{
if (Convert.ToInt32(myAdapter.SignalStrength.ToString()) != 0)
{

result= true;
}
else
{ result= false; }
}
}
}
catch
{
result= false;
}
return result;

}

�Ķ�ȫ��
��wm�� 鿴��

Զ��gh0stԴ��ɱ

mikenoodle — 2009-11-28 09:35

Զ��gh0stԴ��ɱ Զ��gh0st3.6��Դ�ˣ��Դ��ζ��ǿ��ڴ˻��Ͻ��ж��ο��ͬʱҲ��ζ��ɱ��Խ��׵Ĳ�ɱ�ÿ�Զ��ľ��ȻҪ��ã��Ǿ��Դ��ϵ�ľ��ɱ�� þ�û��ˣ��Ұ��ɱ�ⲿ��һ�£��һשͷ��Ȥ��ѿ��Խ��Ҳ��Ժͱ��˽�� gh0stԶ��RESSDT��svchost��滻ϵͳ��ķ�ʽ��ģ��ʽ��Ϊ�Ƚ��в��Ĳ��û�н��û��أ��Ȼ�ⲿ�ֿ��ӽ�ȥ��VC�ı�̻�� һ�� 뻷��һ��Ҫ��úã�DDK+SDK+VC6��DDK��sys�ļ��ģ�SDK+VC6��빤�̵ģ��ò��ֱȽϼ򵥣��кܶ��ϣ��ﲻ��Ȥ��Ҳ��Բ鿴DDK��SDK��ذ�� 붨λ�� ɱ��ɱľ��ԭ��Ǹ��ɱ�ģ��ɱ�Ĳ��ǳ�֮Ϊ��룬��ǿ��붨λ��MyCLL��λ��λ�ã��λ��ԭ��ǽ��ɨ��ľ��ֿ飬��÷ֶ��ķ�ʽ��ƥ��ɱ��ֵ��ҵ�ɱ��ɱ��λ�á� ��λ��룬��η��ҵ�Դ��еĶ�Ӧλ��أ��뿴�� ļ��Դ�붨λ֮map�ļ�� map�ļ��Ƕ��ƺ�Դ��֮��Ӧ��һ��ӳ��ļ�� Ǽ��ݵ��Ƕ�λ��˲��룺 �� λ�� ڴ��ַ svchost.dll 000038AA_00000002 100044AA svchost.dll 00005F98_00000002 ��һ��VC��뻷��Map�ļ�� VC �У��˵�“Project -> Settings”ѡ��ҳ�� Alt+F7��ѡ�� C/C++ ѡ��� Project Options ��룺/Zd ��Ȼ��Ҫ�� Link ѡ���ѡ��“Generate mapfile”��ѡ�򣬲�� Project Options ��룺/mapinflines��ʾ�� MAP �ļ�ʱ��Ϣ��ɡ� �ڶ��VC��̣��û��̱��뼴�ɣ��˵��ɺ��release(��debug)Ŀ¼��һ��.map�ļ��svchost.map)�� map�ļ��UE��ı��༭��򿪶��У��ʽ��£� (begin) Timestamp is 488fcef2 (Wed Jul 30 10:16:18 2008) Preferred load address is 10000000 ---------------------------------------------------------------------------1----��Ϊ��˵��wrw��ӣ� Start Length Name Class 0001:00000000 00010a50H .text CODE 0001:00010a50 00000485H .text$x CODE 0002:00000000 000004c8H .idata$5 DATA ...... 0003:00000010 00000004H .CRT$XIZ DATA 0003:00000020 00001a50H .data DATA 0003:00001a70 00000688H .bss DATA 0004:00000000 000000a8H .rsrc$01 DATA 0004:000000b0 00000cf0H .rsrc$02 DATA ----------------------------------------------------------------------------2---��Ϊ��˵��wrw��ӣ� Address Publics by Value Rva+Base Lib:Object 0001:00000000 ??0CAudio@@QAE@XZ 10001000 f Audio.obj 0001:000000d0 ??_GCAudio@@UAEPAXI@Z 100010d0 f i Audio.obj 0001:000000d0 ??_ECAudio@@UAEPAXI@Z 100010d0 f i Audio.obj 0001:000000f0 ??1CAudio@@UAE@XZ 100010f0 f Audio.obj 0001:000001e0 ?getRecordBuffer@CAudio@@QAEPAEPAK@Z 100011e0 f Audio.obj 0001:00000240 ?playBuffer@CAudio@@QAE_NPAEK@Z 10001240 f Audio.obj 0001:000002c0 ?InitializeWaveIn@CAudio@@AAE_NXZ 100012c0 f Audio.obj ...... 0001:00003310 ?SendToken@CFileManager@@AAEHE@Z 10004310 f FileManager.obj 0001:00003320 ?UploadToRemote@CFileManager@@AAE_NPAE@Z 10004320 f FileManager.obj 0001:00003440 ?FixedUploadList@CFileManager@@AAE_NPBD@Z 10004440 f FileManager.obj 0001:00003670 ?StopTransfer@CFileManager@@AAEXXZ 10004670 f FileManager.obj 0001:00003730 ?CreateLocalRecvFile@CFileManager@@AAEXPAE@Z 10004730 f FileManager.obj ...... ----------------------------------------------------------------------------3---��Ϊ��˵��wrw��ӣ� Line numbers for .\Release\FileManager.obj(E:\vtmp\gh0st3src\Server\svchost\common\FileManager.cpp) segment .text 17 0001:00002630 20 0001:0000267f 21 0001:00002698 24 0001:000026d0 25 0001:000026f8 26 0001:0000273c 29 0001:000027d0 33 0001:000027ee 77 0001:000027f8 36 0001:000027fb 37 0001:00002803 77 0001:0000280d ...... 532 0001:0000340f 534 0001:00003414 537 0001:00003428 540 0001:00003440 546 0001:0000345d 547 0001:00003487 548 0001:00003490 549 0001:00003492 551 0001:0000349e 552 0001:000034b8 553 0001:000034cb 554 0001:000034d4 558 0001:000034de 560 0001:000034e9 563 0001:000034ee 564 0001:00003506 ...... (end) ��ǿ��£��λsvchost.dll �ĵ�һ��ڴ��ַΪ��100044AA��ڵ�2��У��ǿ��ҵ�RVA+BASE��֮�ܽӽ�� 0001:00003440 ?FixedUploadList@CFileManager@@AAE_NPBD@Z 10004440 f FileManager.obj ��ǿ��Զ�λ��FileManager.cpp�е�FixedUploadList��ǲ��Ƿ�Χ��С�ˣ� ��С�� ʽ��ƫ�� = ��ַ��Crash Address�� ַ��ImageBase Address�� 0x1000 ��ѣ��ʵ�ܼ򵥣��ǽ�100044AAȥ��ڴ��ַ10000000��ټ�1000��ΪPE�ܶ��1000��ʼ��Եõ��ƫ�Ƶ�ַΪ34AA��3��Ҷ�Ӧ�Ĵ��С� ƫ�Ƶ�ַ34AA�ڣ�551 0001:0000349e 552 0001:000034b8 ��м䣬Ҳ��551�к�552��м䣬��ǵ�Դ��в��ҵ�551�У� wsprintf(lpszFilter, %s%s*.*, lpPathName, lpszSlash); ��Ͷ�λ��Դ��ˣ�Ҫ��ô�޸ľ��ô�޸��Ϳ��ˡ� �ġ�ʵս��ɱ A��ɱ �״α��͵��ɱ��ɱsys�ļ��dll��ȻҲ��ɱ��װ��ǵ�install.exe��󿨰ͻ�ɱ��ɵ�sever��˵ɱ��ɺõ�server��Ǻ�ǰ��ص��ĵط��ɱ��Ϣ�� һ��sys��ɱ sys��±��ĺ��ͬʱϵͳ��ͬ��ɺܶ�ط��ͬ��ԭ��˳��ͨ��͡��ɽ��С��ɡ��ɱ�� ڶ��svchost.dll��ɱ ��붨λMultiByteToWideChar��gh0st update��λ�á��ͨ��3��map�ļ��ó��ġ� ��¼ӻ�ָ� ��MultiByteToWideChar�ĵ��ϣ��ǰ��Ӽ��Ч��Ϳ��ͨ��ɱ�� ַ��gh0st update ��ڸ��õ� ��Ҫ��߸��£�ֱ�Ӱ��ڴ��ɾ��ٺ٣��ʵ��滻��ַ��Ϊ��ַ��Ϳ��^_^��ͬʱ��Թ��ɽɱ�� server��ɱ ��Ͷ�λ��Ϣ��ȡ��ת��Ȼ�ǲ��еģ��üӻ��İ취��д��AAAAAA��Ϣ֮ǰ��дЩ��Ϳ��server��ɱ�� ɱ��ɣ� B��Avast��ɱ ��µ�avastɱ��ٲ�ɱ1�£�ɱinstall.exe��svchost.dll��Ҳ��ɱ��ɵ��ļ��е��Դ�ļ��Դ��ɱ�� λ��ַ��%02d/%02d/%02d��“SYSTEM\CurrentControlSet\Services\%s”��ط�� 1��svchost.dll��붨λ�ڼ��̼�¼KeyboardManager.cpp�ļ��е�SaveInfo(char *lpBuffer)��ַ��%02d/%02d/%02d,Ҳ��ǿ��̼�¼��ڣ��޸�֮��޸ĵķ��ܶ࣬��Ϊ[%d/%d/%d %d:%d:%d] ��뼴��ͨ��avastɱ�� 2��install��붨λ��“SYSTEM\CurrentControlSet\Services\%s”��Ӧ�ļ��install.cpp��InstallService��,�޸Ĵ�Сд��뼴��ͨ��ɱ�� 塢��С�� Ҫ�ƶ��ڵ�λ�ã��Ҫ�ܵ��ջ��ˣ��Ĵ��û��á��Բ�ȡ��forѭ��ͳ�ƣ��þֲ��ı��߼�Ϊ�ˡ� ��ķ�� ɱ��ģ��ɵ�svchost.dll��ӿպ�� ÿ�α��붼Ҫ�޸�1��Դ ��ʵ��Դ��䣺 extern C __declspec(dllexport) bool JustTempFun();//�� extern C __declspec(dllexport) bool JustTempFun() //ʵ�� { return false; } ��ͱ��ı��ˣ��е�ɱ��Ϳ��ɱ�� gh0st�Զ��6to4ex.dll��޸� ��ö�վ��Զ��6to4ex.dll��⣬��վ��Ҳ��Լ��ļ�� Ҹо��Щ��Ľ��ȫ��ȷ��п��ɸ��⣬�Ҹ��Լ��˵��1�¡� gh0st��ͨsvchost -netsvcs��ģ��Գ��Ҫ��netsvcs ��񣬷��Ҳ��Ǹ��netsvcs��ɵģ��ʲ��˵��ģ��ڴ��ϵͳ��ǹ̶��ģ��濴�� 鿴install.cpp��InstallService()��ȱ��HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows NT\CurrentVersion\Svchost�еķ����ҵ�һ��󣬳��ȡ�滻��ķ��ԭ��ɾ��Ȼ��ɶ�Ӧ��+ ex.dll��ļ��滻ԭ��6to4��һ��ڵ�һλ��6to4��һ��Զ��ķ�ʽ��ֻ��Ҫһ��ȫ��Ωһ��IPv4��ַ��ʹ��վ��IPv6 ��ӣ��һ��ã��ǵĳ��Ͱ�6to4��滻��ͬʱ��windows\system32\Ŀ¼�� 6to4ex.dll��Ժ��6to4ex�ˣ��ȥ��Ias��Iprip�ȷ��netsvcs��û�п��滻�ķ��Լ��1��ƾ�� AddsvchostService()��netsvcs_0x%d�� ˵��֪��ķ��Ƶ��˲�� ˵�Ǽ��⣬��С��Դ��Ҳ�֪��˵�360��ô��ģ��Ҿ��ÿ��ʾ1�µ��ǣ��360Ĭ��ϵͳ��ȫ�ķ��϶��ᱨ��ȫ��滻��õ�ϵͳ��ȫ�ķ��ͨ��360��Ч��Ҫ�õĶ�
��: IXPUB��(www.ixpub.net) ��ϸ��ο��http://www.ixpub.net/viewthread.php?tid=891005&extra=&page=1 �Ķ�ȫ��
��hacker&cracker �鿴��

��䴮��ͨ��CSerialPort ��һ��bug

mikenoodle — 2009-11-27 00:34

CSerialPort ��һ��д�ģ��ǳ��C++�࣬��࣬��΢��Լ��MSComm�ؼ��Ҫ��ַ��ͷ��ַ�ʱ��ת��

��ǽ��췢��е�һ��bug��ѭ��

��룺
BOOL CSerialPort::InitPort(CWnd* pPortOwner,    // the owner (CWnd) of the port (receives message)
UINT portnr,        // portnumber (1..4)
UINT baud,            // baudrate
char parity,        // parity
UINT databits,        // databits
UINT stopbits,        // stopbits
DWORD dwCommEvents,    // EV_RXCHAR, EV_CTS etc
UINT writebuffersize)    // size to the writebuffer
{
assert(portnr > 0 && portnr < 5);
assert(pPortOwner != NULL);

// if the thread is alive: Kill
if (m_bThreadAlive)
{
do
{
SetEvent(m_hShutdownEvent);
} while (m_bThreadAlive);
TRACE("Thread ended\n");
}
=========
��ͳ��ں�ɫ��ʾ��룬�ô��һ�ε��ʱ��m_bThreadAlive == false,��ִ��һ��do whileѭ��ǵڶ��ε��ã��ҽ��ڵڶ��ε��ʱ��ֵģ��Ϊ�ҵĴ��ò��˸��ģ��Ҫ��һ�γ�ʼ��ڣ��ڶ��ε��ú󣬳��ˡ��
�ͻ��ѭ��

http://hi.baidu.com/isafesoft/blog/item/44993599fa45a2bcc8eaf45c.html

�Ķ�ȫ��
��Win32 �鿴��

�Լ��ͼ��ƶԻ��ʱע��

mikenoodle — 2009-11-27 00:25

��Լ��ͼ��Ի��Ҫȥ��Title Bar��ô��ڴ��С��ʱ��Ȼ��ִ��С��ԭ�Ĺ��ѭ��أ�

��֮�ã��̳��vckbase, codeproject��csdn��֪��̳��ʹ��Σ��Ƕ�û�еõ�һ��ȷ�Ĵ𰸡�

��ҷ��֣�ֻҪ��OnInitialDialog��ӣ�

ModifyStyle(WS_CAPTION, WS_MINIMIZEBOX, SWP_DRAWFRAME );//��ͼ��
SetWindowText("www.isafesoft.com , isafe computer watch, ��̽��Լ�� ");//��öԻ��ı��

��䣬��ܱ��ֵ��ʱ��С��ͻ�ԭ��ܣ�
��ǹ��򲻸��˰��

2��α��ֵ��Ҽ�ʱ��ϵͳ�˵��ܣ�ϵͳ�˵��Ǹ��“��󻯣��С��رգ��”��

��Ҹ��ǿ��Ѱ��˺þã��һ��ʡ�Ĵ�Ҹ��һ��·��ָо��Ƶ�ȷ��ಡ��

��.rc,Ȼ��ҵ��Ӧ��Dialog,��ӣ�
STYLE WS_POPUP | WS_SYSMENU

��ˣ��Լ��ƶԻ��򴰿ڵ�ϸ�ڻ��кܶ࣬��ͼ��˸��϶��ڵ��⣬
�Ժ��ټ��һ��ˡ�� Ķ�ȫ��
��Win32 �鿴��

��ζ�̬��ؼ��̹��

mikenoodle — 2009-11-27 00:24

��д��̹��Ƕ�̬��غ��а��ͻ��Щ��ԭ��д��Ҳο��ú��ظ��ƵĹ��̡�

Ҫ��̬��ؼ��̹��乤��е�ԭ��Ǻ��Ҫ�ġ��ȱ��Ҫ֪��̹��ǹ��첽ģʽ�µģ��һ��Ҫ��Ϊ�˵õ�һ��Ҫ��һ��IRP_MJ_READ��豸ջ��յ��irp��ʲô��Ĵ��أ��һֱ��irpΪpendingδȷ��״̬��Ϊ��ʵ��һֱû�а��ֱ��һ��İ��£��ʱ�ͻ��irp��հ��µļ��Ϊ��irp�ķ��ֵ��ڸ�irp��Ŷ�Ӧ��ݷ��غ󣬲��ϵͳ��Щֵ��ݸ��Ӧ��¼�ϵͳ��Ȼ��ʲô�أ��ϵͳ��ֻ��̷��һ��IRP_MJ_READ��󣬵ȴ��´εİ��ظ��ϵĲ��衣Ҳ��˵��κ�ʱ��豸ջ�׶��һ��̵�IRP_MJ_READ��pendingδȷ��״̬��ζ��ֻ��ڸ�irp��ɷ��أ��ȴ�µ�irp��δ��͵��ʱ��Ż��һ��ܶ��ݵ�ʱ�䡣�ɴ��뵽��ǰ��һ��ķ�ʽ��̬��ؼ��̹��ʱ�򣬻��IRP_MJ_READ��pendingδȷ��״̬��ȴ��Ժ󰴼��ʱ��Ҫ��irpȴ�Ҳ��Ӧ��Ȼ��

��Ϸ��˶�̬��ؼ��̹��ԭ�򣬷��м��һ��ݵ�ʱ��ջ��û��irp�ģ��ô��취��

��һ��e��ʾ��ֻ��ʹ��IoAttachDevice�ҽ�\Device\KeyboardClass0(or others)�ſ��Զ�̬��أ��ص�UpperFilters��ȴ��ܡ��Ǹöε�ԭ�ģ�

This problem occurs in most of the keyloggers based on the sysinternals Ctrl2cap model, which has been widely adopted and adapted. It applies to the earlier versions of the filter, which manually attach to \Device\KeyboardClass0 (or others) using IoAttachDevice. (If you install your filter by adding it to the UpperFilters value of HKCR\CCS\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318} key as more recent versions of Ctrl2cap do, you just can't unload: your filter is wedged into the stack for as long as the system is running and can't get out. But if you wedge by IoAttachDevice, unloading is still possible in theory.)��

��ԭ��ջ��irpΪʲô��ǵ��ؾͻ��أ��IRM_MJ_READ��첽�ģ��첽��󣬻��ǻ��첽��Ľ��εõ��ɺ��أ��һ��뵽�ˣ��̡��ԣ��Ǹ�IRP_MJ_READ��̣��irp��ɺ��ǵ��̣�ʹ��д��ݵĻ��ᡣ��£��Ƕ�̬��˼��̹��Ҳ��˵��Ѿ��ص��ˣ��Ժ��ٴΰ��irp��Ѿ��˵Ķ��Ϳ��֪�ˡ�

��Ƿ��ǲ��̾Ͳ��أ��ǿ϶��ġ��û��Ǿ�û�а취��ص��ݣ�Ҳ��ںܴ�̶��ʧȥ�˼��̹��ˡ��ֿ��ʵ�ֶ�̬��أ��룬��IRP_MJ_READ��ʱ��Ҳ�Ϊ��irp��̣�Ҳ��irp��´��ݣ��Ǵ��һ��Լ��irp��ο�ǰ��IRP_MJ_READ��Ӧ��ã�Ȼ��Ϊ��Լ��irp��̺��ҵ�irp��´��ݣ��ԭ��IRP_MJ_READΪpending״̬��а��ʱ��ҵ�irp��ش��Ϊ��õ��̣��ȡ�÷��ص��ǰ��IRP_MJ_READ�󽫸�IRP_MJ_READ��ɷ��ء��൱��ʹ��һ��һ�ж��͸��ġ��ʵ��̣�Ҳ��˴��ݵĻ��ᡣ��˵��ص��ˣ��Ǿ��ʵ�ֶ�̬��أ�

��յ��ص��ǿ��ǰ��е�irp��ں��״̬��
(1)һ��Ǳ��ԭ��IRP_MJ_READ��pending,ע��û��´��,Ҳδ��̡�
(2)һ��Լ��irp��ջ�ף��ע��Ϊ�Լ��irp��̡�
��2��irp��Լ��irp��̣��ֱ��ػ��ֺ��һ��δ��أ��ע�⵽��Լ��irp��ǿ��Խ��ȡ��̫��Ӱ�졣��ȡ��ջ�ױ��е�IRP_MJ_READ��û��ˣ�ע�⵽(1),��ǲ��ǻ��ԭ��IRP_MJ_READ�𣿶ԣ��ǽ�ԭ��IRP_MJ_READ��´��ݣ��ǧ��ע�⣬��Լ��Ҫ��أ��Ǵ��ԭ��IRP_MJ_READ��ʱ��Ҫ��̡��´��ݺ��ǵ��ɹ��

��Ȼ,��ﻹ�и��򵥵İ취,ʹ�ü��Ҳ��ʵ��,��򵥵Ķ�:)

http://hi.baidu.com/isafesoft/blog/item/a742770b8db9e0a52fddd42d.html

�Ķ�ȫ��
��Win32 �鿴��

��д��NT��APIʵ��ļ�Ŀ¼

mikenoodle — 2009-11-27 00:16

ĿǰNT��кܶ��ļ��Ŀ¼�ķ��򵥵�һ��Ǹ��ļ��ļ��м��ϵͳ��Ժ��ԣ��ϵͳ�ͻ᲻��ʾ�ˣ��Ҳ��Ҳ�Ҳ��ˣ��ַ��һ�㶼��ף�û�п��ԣ��NT��NTAPI��ʵ�ֳ��ļ��Ŀ¼��Ŀ�ġ�NT��һ��ļ�NTDLL.DLL��󲿷�NTAPI��з�װ�ġ��ʵ�ֲ��ļ��Ŀ¼��API�ӿ��ZwQueryDirectoryFile��ֻҪ��API�Ļ��ļ��Ŀ¼�Ϳ��ȫ��ˣ��һ��ʵ�֣�׼��NTDDK��һ��WDM��ģ�ͣ�Ҳ��򵥵��ˣ��

1.��FILE_INFORMATION_CLASS�ĵ�3�Žṹ��_FILE_BOTH_DIR_INFORMATION��ṹ��ZwQueryDirectoryFile��

typedef struct _FILE_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName[12];
WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

2.��ZwQueryDirectoryFile��Ȼ��ZwQueryDirectoryFile��ԭ�ͣ�

extern NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);

//��ZwQueryDirectoryFile��ԭ��

typedef NTSTATUS (*REALZWQUERYDIRECTORYFILE)(IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);

//��һ��ԭ��ָ��
REALZWQUERYSYSTEMINFORMATION RealZwQuerySystemInformation;

3.��滻API��ԭ�ͣ�

NTSTATUS HookZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);

4.��DriverEntry��ڣ��м��

//��ZwQueryDirectoryFile��ַ

RealZwQueryDirectoryFile=(REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));

//��Զ��滻��ָ��ָ��ZwQueryDirectoryFile��

(REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile))=HookZwQueryDirectoryFile;

5.��DriverUnload��ж�غ��м��ָ��룺

//�ָ�ԭ��ĺ��ָ��

(REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile))=RealZwQueryDirectoryFile;

6.��׼��ˣ��ָ�붼�Ѿ��ת��ˣ�ʣ�µ��ʵ��Զ��滻��HookZwQueryDirectoryFile��£�

NTSTATUS HookZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)
{
NTSTATUS rc;
ULONG CR0VALUE;

ANSI_STRING ansiFileName,ansiDirName,HideDirFile;
UNICODE_STRING uniFileName;

//��ʼ��Ҫ��ǵ��ļ��debug.exe
RtlInitAnsiString(&HideDirFile,"DBGVIEW.EXE");

// ִ��ZwQueryDirectoryFile��
rc = ((REALZWQUERYDIRECTORYFILE)(RealZwQueryDirectoryFile))(
hFile,
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);
/*��ִ�гɹ��FILE_INFORMATION_CLASS��ֵΪFileBothDirectoryInformation��Ǿͽ��д��*/
if(NT_SUCCESS(rc)&& (FileInfoClass == FileBothDirectoryInformation))
{
PFILE_BOTH_DIR_INFORMATION pFileInfo;
PFILE_BOTH_DIR_INFORMATION pLastFileInfo;
BOOL bLastOne;
//��ִ�н��pFileInfo
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer;
pLastFileInfo = NULL;
//ѭ��
do
{
bLastOne = !( pFileInfo->NextEntryOffset );
RtlInitUnicodeString(&uniFileName,pFileInfo->FileName);
RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
RtlUpperString(&ansiFileName,&ansiDirName);
//��ӡ��debugview��Բ鿴��ӡ��
DbgPrint("ansiFileName :%s\n",ansiFileName.Buffer);
DbgPrint("HideDirFile :%s\n",HideDirFile.Buffer);

// ��ʼ��бȽϣ��ҵ��˾��ļ��Ŀ¼
if( RtlCompareMemory(ansiFileName.Buffer,HideDirFile.Buffer,HideDirFile.Length ) == HideDirFile.Length)
{
DbgPrint("This is HideDirFile!\n");
if(bLastOne)
{
if(pFileInfo == (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer )
{
rc = 0x80000006; //��ļ��Ŀ¼��
}
else
{
pLastFileInfo->NextEntryOffset = 0;
}
break;
}
else //ָ��ƶ�
{
int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformationBuffer;
int iLeft = (DWORD)FileInformationBufferLength - iPos - pFileInfo->NextEntryOffset;
RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (DWORD)iLeft );
continue;
}
}
pLastFileInfo = pFileInfo;
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);

}while(!bLastOne);
RtlFreeAnsiString(&ansiDirName);
RtlFreeAnsiString(&ansiFileName);
}
return(rc);
}

��ڿ��WINXP+SP1+XPDDK��ϲ��ͨ��

�� | ��ӵ��Ѳ� | ��(54) | �� (0)

��һƪ��ѧϰдһ��Hello World�� һƪ��Ӧ�ò��ͬ��¼��

http://hi.baidu.com/isafesoft/blog/item/c1c3dcc64eb2d7c138db4945.html

�Ķ�ȫ��
��Win32 �鿴��

Windowsƽ̨�ں˼��ļ��

mikenoodle — 2009-11-27 00:11

Windowsƽ̨�ں˼��ļ��

1.��
��windowsƽ̨�£�Ӧ�ó��ͨ��ʹ��API��ļ��ʣ��򿪣��д�ļ��kernel32�� CreateFile/ReadFile/WriteFile��ϵͳ��ٵ�FileSystem��FilterDriver��˺ܶ� ��Ρ��ÿ��ϣ��Ű�ȫ��ߺ��ӻ��߹��˵Ļ��ᡣ��Ϊ��ȫ��Ʒ��ߣ��Ҫ�ȱ��ߵø�Զ��Ҫһ��ײ�� “windowsƽ̨�ں˼��ļ��”�ķ��ȷ��ܹ��ȷ�ĸɾ��ļ�ϵͳ��

2.��;
ֱ�ӵ��ں˼��ļ��ʣ��Ϣ��ȫ��й㷺��;��ߵķ��棬��ƹ�ɱ��IDS�Ȱ�ȫ��ϵͳ�ļ��ӡ��ڼ��ߵķ� �棬��Կ��һ��ɾ��ϵͳ��Դ��ɱ��صĺ��Ż��rootkit��ڼ��ߵķ��棬��˽��µ��ƹ��صļ��Ը��Ƹ��µļ�ط� ��

3.ֱ�ӷ��FSD��ں˼��ļ��
FSD(FileSystemDriver)��ļ�API��ϵͳ��(native API)��󵽴��Ρ��ǿ��ģ �²��ϵͳ��Լ��ֱ��FSD��IRP��Ϳ��ƹ��Щnative API ��win32 API�ˣ�Ҳ�Ϳ��ƹ��Щ�� API��ӵȼ�ش�ʩ��

3.1�ļ��Create��Open
�ļ��Create��Open��ͨ��IRP_MJ_CREATE��FSD��ߵ��IoCreateFile��ɡ�Create�� Open��ʵ��IoCreateFile/IRP_MJ_CREATE��һ��Disposition��ȡֵ��ʹ��IoCreateFile ��룺

HANDLE openfile(WCHAR* name,ACCESS_MASK access,ULONG share)
{
//return 0 for error.
HANDLE hfile;
IO_STATUS_BLOCK iosb;
int stat;
OBJECT_ATTRIBUTES oba;
UNICODE_STRING nameus;
///
if(KeGetCurrentIrql()>PASSIVE_LEVEL){return 0;}
RtlInitUnicodeString(&nameus,name);
InitializeObjectAttributes(&oba,&nameus,OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE,0,0);
stat=IoCreateFile(&hfile,access,&oba,&iosb,0,FILE_ATTRIBUTE_NORMAL,share,FILE_OPEN,0,0,0,0,0,0);
if(!NT_SUCCESS(stat)){return 0;}
return hfile;
}

HANDLE createnewfile(WCHAR* name,ACCESS_MASK access,ULONG share)
{
//return 0 for error.
HANDLE hfile;
IO_STATUS_BLOCK iosb;
int stat;
OBJECT_ATTRIBUTES oba;
UNICODE_STRING nameus;
///
if(KeGetCurrentIrql()>PASSIVE_LEVEL){return 0;}
RtlInitUnicodeString(&nameus,name);
InitializeObjectAttributes(&oba,&nameus,OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE,0,0);
stat=IoCreateFile(&hfile,access,&oba,&iosb,0,//AllocationSize this set to 0 that when file opened it was zeroed.
FILE_ATTRIBUTE_NORMAL,share,FILE_OVERWRITE_IF,0,0,0,0,0,0);
if(!NT_SUCCESS(stat)){return 0;}
return hfile;
}

ͨ��IRP_MJ_CREATE��FSD�ķ��ƣ��Բο�IFSDDK document��IRP_MJ_CREATE˵��ͬ�� 淽��Ҫ�Լ��һ��FILE_OBJECT��淽��ַ��Ҫһ��HANDLE��HANDLE��߳�� ,FileObject��߳��޹ء�

3.2�ļ��Read��Write
��ͨ��FSD��IRP_MJ_READ��ȡ�ļ��FSD��IRP_MJ_WRITE��д�ļ��
��ͨ��һ��HANDLE��ִ��(��ʹ��IoCreateFile�򿪵��ļ�)��Ҫ�� ObReferenceObjectByHandle��Handle��Ӧ��FileObject��ֻ�ܸ�FileObject�� IRP��

stat=ObReferenceObjectByHandle(handle,GENERIC_READ,*IoFileObjectType,KernelMode,(PVOID*)&fileob,0);

֮��ʹ��IoAllocateIrp��һ��IRP��FileObject->DeviceObject->Flags�� ֵ��ж�Ŀ��ļ�ϵͳʹ��ʲô��IO��ʽ��

if(fileob->DeviceObject->Flags & DO_BUFFERED_IO)
{
irp->AssociatedIrp.SystemBuffer=buffer;//buffered io
}
else if(fileob->DeviceObject->Flags & DO_DIRECT_IO)
{
mdl=IoAllocateMdl(buffer,count,0,0,0);
MmBuildMdlForNonPagedPool(mdl);
irp->MdlAddress=mdl;//direct io
}
else
{
irp->UserBuffer=buffer;//neither i/o, use kernel buffer
}

��ÿ�ֲ�ͬ��IO��ʽʹ�ò�ͬ�ĵ�ַ��ݷ�ʽ��IRP�ڵĸ��򣬾Ϳ��Է��IRP�ˡ��ReadΪ��

irpsp->FileObject=fileob;
irpsp->MajorFunction=IRP_MJ_READ;
irpsp->MinorFunction=IRP_MN_NORMAL;//0
irpsp->Parameters.Read.ByteOffset=offsetused;
irpsp->Parameters.Read.Key=0;
irpsp->Parameters.Read.Length=count;

��Ҫ��IRP��ܼ�ʱ��ɣ��첽�ķ��ص��ǰ�װһ��CompletionRoutine�� CompletionRoutine��һ���¼�Ϊ�Ѽ��֪ͨ��ǵ��̶߳�ȡ��д��Ѿ��ɡ�

IoSetCompletionRoutine(irp,IoCompletion,&event,1,1,1);

NTSTATUS
IoCompletion(
IN PDEVICE_OBJECT   DeviceObject,
IN PIRP   Irp,
IN PVOID   Context
)
{
KeSetEvent((PRKEVENT)Context, IO_DISK_INCREMENT, 0);
return STATUS_MORE_PROCESSING_REQUIRED;
}

��ڿ��Է��IRP�ˡ��ȡ��Ĵ�ʩ�Ļ��IRP��Ŀ��FileObject��Ӧ��DeviceObject��ͺ󣬵ȴ�IRP�� ɲ��ͷ��Դ��ء�

stat=IoCallDriver(fileob->DeviceObject,irp);
if(stat==STATUS_PENDING){
KeWaitForSingleObject(&event, Executive,KernelMode,0,0);
stat=irp->IoStatus.Status;
}
if(!NT_SUCCESS(stat))
{
IoFreeIrp(irp);
if(mdl){IoFreeMdl(mdl);}//if DO_DIRECT_IO
return -1;
}
stat=irp->IoStatus.Information;//bytes read
IoFreeIrp(irp);
if(mdl){IoFreeMdl(mdl);}//if DO_DIRECT_IO
return stat;

3.3�ļ��Delete
Deleteʵ��ͨ��FSD��IRP_MJ_SET_INFORMATION��IRP�� IrpSp->Parameters.SetFile.FileInformationClass��Ϊ FileDispositionInformation��һ��FILE_DISPOSITION_INFORMATION�ṹ��buffer��ִ�� ġ�

fdi.DeleteFile=TRUE;

irpsp->MajorFunction=IRP_MJ_SET_INFORMATION;
irpsp->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
irpsp->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
irpsp->Parameters.SetFile.DeleteHandle = (HANDLE)handle;

3.4�ļ��Rename
��Delete��Rename��FSD��IRP_MJ_SET_INFORMATION��IRP�� IrpSp->Parameters.SetFile.FileInformationClass��Ϊ FileRenameInformation��bufferΪFILE_RENAME_INFORMATION�ṹ��

fri.ReplaceIfExists=TRUE;
fri.RootDirectory=0;//Set fri.FileName to full path name.
fri.FileNameLength=wcslen(filename)*2;
wcscpy(fri.FileName,filename);//If the RootDirectory member is NULL, and the file is being moved to a different directory, this member specifies the full pathname to be assigned to the file.

irpsp->MajorFunction=IRP_MJ_SET_INFORMATION;
irpsp->Parameters.SetFile.Length = sizeof(FILE_FILE_RENAME_INFORMATION);
irpsp->Parameters.SetFile.FileInformationClass = FileRenameInformation;

��ϣ��ǿ��ͨ��IRP��ֱ�ӷ��ļ�ϵͳ�ˣ��ƹ��native API ��win32 API��Ρ�

4.�ƹ��ļ�ϵͳ��͹��

��˵��ֵ��ݣ��Ŀǰ��ֱ�Ӹ�FSD��ļ��⻹��Ϊ�кܶ��ɱ��߼��ӹ��ʹ�� FSD Filter Driver��FSD Hook�İ취��ļ��ڽ��ƪ��ҽ�һЩԭ��ԵĶ��ṩ�ƹ� FSD Filter Driver / FSD Hook��˼·��

4.1�Ը��ļ�ϵͳ��

�ļ�ϵͳ��Attach��ļ�ϵͳ֮�ϣ��Ӻ͹��ǵ��ļ��ʡ��ļ�ϵͳ��ջ��һ��Attach��Ĺ�� ɡ��ǿ��IoGetRelatedDeviceObject��һ��FileObject��Ӧ��ײ��Ǹ��(FDO)�� Ȼ�ƹ��Щ��ȴͬʱҲ�ƹ��FSD��Ntfs/Fastfat��Ϊ��FSDҲ��Ϊһ��ڵġ��ļ��Ķ� Ӧ��ײ��FDO��Ftdisk.sys��Ѿ��Ϊ��ڵײ��ܴ��Ͷ�ݵ�IRP��
��ʵ��FSD��Ϣ�洢��һ��Vpb�ṹ�У��ǿ��ʹ��IoGetBaseFileSystemDeviceObject��δ��ں˺� ��õ��Ƿ��IRP��Ŀ��ˡ�

4.2�Ը��滻DispatchRoutine��FSD Hook

��һ�ֳ��õ�FSD Hook��ʽ��Ҫ�õ�ԭ��DispatchRoutine��ԭ��DispatchRoutine��ǵ� IRP��ṩһ��˼·��ǿ��Զ�ȡԭ��FSD��.INIT�λ��.TEXT�Σ��DriverEntry�� DriverEntry��п϶��Լ��DriverObject�ĸ��DispatchRoutine��Ǿ��ҵ��Ҫ�� DispatchRoutine�ĵ�ַ��ֻ��Ҫʹ��ķ��Ϳ��ֵ��

4.3�Ը�Inline Hook DispatchRoutine��FSD Hook

��Hook��ȽϺݶ��Ƿǳ��ڰ�ȫ��Ʒ�У�һ��Ӧ��ľ��rootkit�ϣ��Լ�д��rootkit��û�и�� DriverObject��DispatchRoutine�ĺ��ָ�룬��ͷд��ָ��JMP��ת��Ը��Ļ��˼·��Ƕ�ȡ�� ڴ��ϵ�FSD��ļ��ص��ڴ�һ�ݸɾ��ı��ݣ��쿴��Ҫ��õ�DispatchRoutine��ͷ�ļ��ֽں��ɾ��Ƿ�һ�¡��һ �£��Ǵ��JMP,RET,INT3һ��Ļ��ָ��ʱ�򣬺ܿ��ܾ��Ǵ��Inline Hook��Ҫ��ֿ��ض�λ�� Inline Hook��ǾͰѸɾ��ĺ��ͷ��ǵ��Ⱦ�ĺ��ͷ��Ȼ��ڷ��IRP��Ͳ��ᱻInline Hook��ӻ�۸��ˡ�

http://hi.baidu.com/isafesoft/blog/item/fd22a1ee5bff2b37269791db.html

�Ķ�ȫ��
��Win32 �鿴��

Win32Ӧ�ó��н��̼�ͨ�ŷ��Ƚ�

mikenoodle — 2009-11-27 00:09

1 ��ͨ��

��װ��ڴ沢׼��ִ�еĳ��ÿ��̶��˽�е��ַ�ռ䣬�ɴ��롢��Լ�� õ�ϵͳ��Դ(��ļ��ܵ��)��ɡ��/��߳��Windows��ϵͳ��һ��Microsoft Win32Ӧ�ñ�̽ӿ� (Application Programming Interface, API)�ṩ�˴��֧��Ӧ�ó��ݹ��ͽ��Ļ��ƣ��Щ��ʹ�Ļ ��Ϊ��̼�ͨ��(InterProcess Communication, IPC)��ͨ�ž��ָ��ͬ��̼��ݹ��ݽ��
��Ϊʹ��Win32 API��н��ͨ�ŷ�ʽ�ж��֣��ѡ��ǡ��ͨ�ŷ�ʽ�ͳ�ΪӦ�ÿ��е�һ��Ҫ��⣬��汾�Ľ��Win32�н��ͨ�ŵ� ��ַ��Է��ͱȽϡ�

2 ��ͨ�ŷ��

2.1 �ļ�ӳ��
�ļ�ӳ��(Memory-Mapped Files)��ʹ��̰��ļ��ݵ��̵�ַ��һ��ڴ��Դ��ˣ��̲��ʹ��ļ�I/O��ֻ ��򵥵�ָ��Ϳɶ�ȡ��޸��ļ��ݡ�
Win32 API��̷��ͬһ�ļ�ӳ��󣬸��Լ��ĵ�ַ�ռ��ڴ��ָ�롣ͨ��ʹ��Щָ�룬��ͬ��̾Ϳ��Զ��޸��ļ� ��ݣ�ʵ��˶��ļ��ݵĹ��
Ӧ�ó��ַ��ʹ��̹��һ��ļ�ӳ��
(1)�̳У��һ��̽��ļ�ӳ��ӽ��̼̳иö��ľ��
(2)��ļ�ӳ�䣺��һ��ڽ��ļ�ӳ��ʱ��Ը��ö��ָ��һ��(��ļ��ͬ)��ڶ��̿�ͨ��ִ򿪴��ļ�ӳ�� ⣬��һ��Ҳ��ͨ��һЩ��IPC��(��ܵ��ʼ��۵�)��ִ��ڶ��̡�
(3)��ƣ��һ��̽��ļ�ӳ��Ȼ��ͨ��IPC��(��ܵ��ʼ��۵�)�Ѷ��ݸ��ڶ��̡��ڶ��̸��Ƹþ��ȡ �öԸ��ļ�ӳ��ķ��Ȩ�ޡ�
�ļ�ӳ��ڶ��̼乲��ݵķǳ��Ч��нϺõİ�ȫ�ԡ��ļ�ӳ��ֻ��ڱ��ػ��Ľ��֮�䣬��У��߻��ƽ��̼� ��ͬ��
2.2 ��ڴ�
Win32 API�й��ڴ�(Shared Memory)ʵ�ʾ��ļ�ӳ��һ��ڴ��ļ�ӳ��ʱ��0xFFFFFFFF�� ļ��(HANDLE)��ͱ�ʾ�˶�Ӧ��ļ�ӳ��ǴӲ��ϵͳҳ��ļ��ڴ棬��̴򿪸��ļ�ӳ��Ϳ��Է��ʸ��ڴ�顣��ڹ��ڴ�� ļ�ӳ��ʵ�ֵģ��Ҳ�нϺõİ�ȫ�ԣ�Ҳֻ��ͬһ��ϵĽ��֮�䡣
2.3 ��ܵ�
�ܵ�(Pipe)��һ�־��˵��ͨ��ͨ��һ�˾��Ľ��̿��Ժ��һ�˾��Ľ��ͨ�š��ܵ��ǵ��һ��ֻ��ģ��һ�˵��ֻд�ģ� Ҳ��˫��һ�ܵ��˵�ȿɶ�Ҳ��д��
��ܵ�(Anonymous Pipe)��ڸ��̺��ӽ��֮�䣬��ͬһ��̵��ӽ��֮�䴫��ݵ��ֵĵ��ܵ��ͨ��ɸ��̴�� Ȼ��Ҫͨ�ŵ��ӽ��̼̳�ͨ��Ķ��˵��д�˵��Ȼ��ʵ��ͨ�š��̻��Խ��̳��ܵ��д��ӽ��̡��Щ�ӽ��̿� ��ʹ�ùܵ�ֱ��ͨ�ţ��Ҫͨ��̡�
��ܵ��ǵ��ʵ��ӽ��̱�׼I/O�ض��Ч��ʹ�ã�Ҳ��صĽ��֮�䡣
2.4 ��ܵ�
��ܵ�(Named Pipe)�Ƿ��̺�һ��ͻ��֮��ͨ�ŵĵ��˫��ܵ��ͬ��ܵ��ܵ��ڲ��صĽ��֮�� ͬ��֮��ʹ�ã��ܵ�ʱ��ָ��һ��֣��κν��̶��ͨ��ִ򿪹ܵ��һ�ˣ��ݸ��Ȩ�޺ͷ��ͨ�š�
��ܵ��ṩ��Լ򵥵ı�̽ӿڣ�ʹͨ��紫��ݲ��ͬһ��֮��ͨ�Ÿ��ѣ��Ҫͬʱ�Ͷ��ͨ��ˡ�
2.5 �ʼ��
�ʼ��(Mailslots)�ṩ��̼䵥��ͨ��κν��̶��ܽ��ʼ��۳�Ϊ�ʼ��۷��̣��Ϊ�ʼ��ۿͻ��ͨ��ʼ��۵��ָ� �ʼ��۷��̷��Ϣ��Ϣһֱ��ʼ��У�ֱ��̶�ȡ��Ϊֹ��һ��̼ȿ��ʼ��۷��Ҳ��ʼ��ۿͻ��˿ɽ�� ʵ�ֽ��̼��˫��ͨ�š�
ͨ��ʼ��ۿ��Ը��ؼ��ϵ��ʼ��ۡ��ϵ��ʼ��ۻ�ָ��м��ͬ��ֵ��ʼ��۷��Ϣ��㲥ͨ�ŵ��Ϣ��Ȳ��ܳ�� 400�ֽڣ��ǹ㲥��Ϣ�ĳ��ʼ��۷��ָ��Ϣ��ȵ��ơ�
�ʼ��ܵ��ƣ��ͨ��ɿ��ݱ�(��TCP/IPЭ��е�UDP��)��ɵģ�һ��緢��޷��֤��Ϣ��ȷ�ؽ��գ� ��ܵ��ǽ��ڿɿ��ӻ��ϵġ��ʼ��м򻯵ı�̽ӿں͸�ָ��ڵ��м��㲥��Ϣ��ʼ��۲�ʧΪӦ�ó�� ͺͽ��Ϣ��һ��ѡ��
2.6 ��
��(Clipped Board)ʵ��Win32 API��һ��ݵĺ��Ϣ��ΪWindowsӦ�ó��֮��ݹ��ṩ��һ ��н飬Windows�ѽ��ļ��(��)��ճ��Ļ��Ϊ��ͬӦ�ó��֮�乲��ͬ��ʽ��ṩ��һ��ݾ��û��Ӧ�ó��ִ�м��л��Ʋ��ʱ�� Ӧ�ó��ѡȡ��һ�ֻ��ָ�ʽ��ڼ��ϡ�Ȼ��κ��Ӧ�ó��򶼿��ԴӼ��ʰȡ��ݣ��Ӹ��ʽ��ѡ��ʺ��Լ��ĸ�ʽ��
��һ��ǳ��ɢ�Ľ��ý�飬��֧��κ��ݸ�ʽ��ÿһ��ʽ��һ�޷��ʶ��Ա�׼(Ԥ��)��ʽ��ֵ��Win32 API�� ԷǱ�׼��ʽ��ʹ��Register Clipboard Format��ע��Ϊ�µļ��ʽ��ü��н��ֻ��ݸ�ʽ��һ �»򶼿��ת��Ϊĳ�ָ�ʽ��С��ֻ��ڻ��Windows�ĳ��ʹ�ã��ʹ�á�
2.7 ��̬��ݽ��
��̬��ݽ��(DDE)��ʹ�ù��ڴ��Ӧ�ó��֮��ݽ��һ�ֽ��̼�ͨ��ʽ��Ӧ�ó��ʹ��DDE��һ��ݴ��䣬Ҳ��Ե�� ʱ��ͨ��͸��ֵ��Ӧ�ó��䶯̬��ݡ�
DDE�ͼ��һ��֧�ֱ�׼��ݸ�ʽ(��ı��λͼ��)��ֿ��֧��Լ��ݸ�ʽ��ǵ��ݴ��ȴ��ͬ��һ��Ǽ�� û�ָ��һ��Ӧ��Ӳ˵��ѡ��Paste����DDEҲ��û��һ�㲻��û��һ��Ԥ��DDE�� ݽ��ʽ��
(1) ��ݽ��һ��ݴ��䣬��ͬ��
(2) ��ݽ��ʱ��֪ͨ�ͻ��Ȼ��ͻ��µ��ݡ�
(3) ��ݽ��ʱ��Զ��ͻ��ݡ�
DDE��Է��ڵ��в�ͬ��Ӧ�ó��֮�䡣��߻��Զ��嶨�Ƶ�DDE��ݸ�ʽ��Ӧ�ó��֮��ر�Ŀ��IPC��и�� ϵ�ͨ��Ҫ�󡣴��Windows��Ӧ�ó��֧��DDE��
2.8 ��Ƕ��
Ӧ�ó��ö��Ƕ��(OLE)��ĵ�(�ɶ��ݸ�ʽ��ɵ��ĵ�)��OLE�ṩʹĳӦ�ó��׵��Ӧ�ó��ݱ༭�� 磬OLE֧�ֵ��ִ��Ƕ�׵��ӱ��񣬵��û�Ҫ�༭��ӱ��ʱOLE��Զ��ӱ��༭��û��˳��ӱ��༭��ʱ��ñ�� ԭʼ�ִ��ĵ��еõ��¡��ӱ��༭��ִ��չ��ʹ��DDE��û�Ҫ��ʽ��ӱ��༭��
ͬDDE��ͬ��Windows��Ӧ�ó��֧��OLE��
2.9 ��̬��ӿ�
Win32��̬��ӿ�(DLL)�е�ȫ��ݿ��Ա��DLL��н��̹��ָ��̼�ͨ�ſ��һ��µ�;��Ȼ��ʱҪע��ͬ��⡣
��Ȼ��ͨ��DLL��н��̼��ݹ��ݰ�ȫ�ĽǶȿ��ǣ��ǲ��ᳫ��ַ��ʹ�ô��з��Ȩ�޿��ƵĹ��ڴ�ķ��һЩ��
2.10 Զ�̹��̵��
Win32 API�ṩ��Զ�̹��̵��(RPC)ʹӦ�ó��ʹ��Զ�̵��ú��ʹ��RPC��н��ͨ�ž��򵥡�RPC�� ڵ��ͬ��̼�ʹ��Ҳ��ʹ�á�
��Win32 API�ṩ��RPC��OSF- DCE(Open Software Foundation Distributed Computing Environment)��׼��ͨ�� Win32 API��д��RPCӦ�ó��ϵͳ��֧��DEC��RPCӦ�ó��ͨ�š�ʹ��RPC��߿��Խ��ܡ��ϵķֲ�ʽӦ�ó� ��
2.11 NetBios��
Win32 API�ṩNetBios��ڴ��ͼ��ƣ��Ҫ��ΪIBM NetBiosϵͳ��д��Windows�Ľӿڡ��Щ�� ͼ��繦��Ҫ��Ӧ�ó��Ӧ�ó��ò�Ҫʹ��NetBios��н��̼�ͨ�š�
2.12 Sockets
Windows Sockets�淶��U.C.Berkeley��ѧBSD UNIX��е�Socket�ӿ�Ϊ��һ��Windows�µ� ��̽ӿڡ��Berkeley Socketԭ�еĿ⺯��⣬��չ��һ��Windows�ĺ��ʹ��Ա��Գ��Windows��Ϣ ��ƽ��б�̡�
��ͨ��Socketsʵ�ֽ��ͨ�ŵ��Ӧ��Խ��Խ�࣬��Ҫ��ԭ��Sockets�Ŀ�ƽ̨��Ҫ��IPC��ƺõö࣬�� WinSock 2.0��֧��TCP/IPЭ�飬��һ�֧��Э��(��IPX)��Sockets��Ψһȱ��֧�ֵ��ǵײ�ͨ�Ų��ʹ��ڵ�� ̼��м��ݴ��ݲ�̫��㣬��ʱʹ��潫��ܵ�WM_COPYDATA��Ϣ��Щ��
2.13 WM_COPYDATA��Ϣ
WM_COPYDATA��һ�ַǳ�ǿ��ȴ��Ϊ��֪��Ϣ��һ��Ӧ��һ��Ӧ�ô��ʱ��ͷ�ֻ��ʹ�õ��SendMessage�� Ŀ�Ĵ��ڵľ��ݵ��ʼ��ַ��WM_COPYDATA��Ϣ��շ�ֻ��Ϣ��WM_COPY DATA��Ϣ��շ�˫��ʵ�� ݹ��
WM_COPYDATA��һ�ַǳ��򵥵ķ��ڵײ�ʵ��ͨ��ļ�ӳ��ʵ�ֵġ��ȱ��Բ��ߣ��ֻ��Windowsƽ̨�ĵ� ��¡�

3 ��

��Win32 APIΪӦ�ó��ʵ�ֽ��̼�ͨ��ṩ��˶��ѡ�񷽰��ô��ν�� ѡ��أ�ͨ��ھ��ʹ��IPC��֮ǰӦ��һЩ��⣺
(1)Ӧ�ó��绷��»��ڵ��¹��
(2)Ӧ�ó��Ƿ��Ҫ��ϵͳ�ĳ��ͨ�š�
(3)Ӧ�ó��Ƿ��Ҫ��̬ѡ��ͨ�ŵ�Ӧ�ó��
(4)Ӧ�ó��Ƿ��Ҫ�ṩ��ݸ�ʽ��಻ͬ��Ӧ�ó��ͨ�ţ��ʹ��Ӧ�ó��ļ��к�ճ��ܡ�
(5)��Ӧ�ó��Ĺؼ��е�IPC��ƶ��һ��ͨ�ſ��ͬ�Ļ��Ƽ��ܴ�
��ѡ��IPC��ƽ��ͨ��Ҫ�Ǹ��Ӧ�õ��ͺ��л��ѡ��ʵ��Ե�ǰ��£��ͨ��ԡ��Ժ͸�Ч�ԡ��ʵ��Ӧ��У�һ�� Ӧ��Ҫ�õ��IPC��ͨ��

�Ķ�ȫ��
��Win32 �鿴��

�� Ĭ��Ŀ¼ SetcurrentDirectory

mikenoodle — 2009-11-27 00:05

��һ��Ī��⽫�Ҳ��׵��

��Ҫ�濪��ģ��Ὺ��µĽ��̡��˫��úõģ��һ��װ��濪��ͻᵯ��“ϵͳ��ҵ�ָ��ļ��Ĵ��”��

ԭ�� ϵͳ��ǰĿ¼��Ĺ��

��濪��̵ĵ�ǰĿ¼Ϊ��C:\Documents and Settings\Administrator ��ϵͳ��û��Ŀ¼��

��ʱ�� Ҫʹ��SetCurrentDirectory ��ϵͳ��ǰĿ¼��Ϊ��Ҫ�ģ��ڿ��ʱ��ܹ��ҵ��Ŀ¼��õĿ�ִ��ļ��·��

http://hi.baidu.com/isafesoft/blog/item/94b4871a0fbcabbe4bedbce4.html

�Ķ�ȫ��
��Win32 �鿴��

vc ʵ�ּ�ش�ӡ�� ӡ��ĵ�

mikenoodle — 2009-11-27 00:03

Ҫʵ�ּ�ش�ӡ��ĵ��ô�ӡ��ĵ��Ŀ¼��ƣ��ļ��ƣ��Լ��ļ��ݣ��Ҽ��о��ȷ��·��
1.ö��ϵͳ�ϵ��д�ӡ��
EnumPrinters ö��ϵͳ�а�װ�Ĵ�ӡ��
2.
�򿪸ô�ӡ��
OpenPrinter(printerName, &hPrinter, NULL) ,
PrinterNameΪ��ӡ��ơ�
3��
GetPrinter(hPrinter, 2, (LPBYTE)(&pPrinterStatus), 0, &iLenPrinterBNeeded);
pPrinterStatus = (PRINTER_INFO_2*)malloc(iLenPrinterBNeeded);

while(1)
{
if ( GetPrinter(hPrinter, 2, (LPBYTE)pPrinterStatus, iLenPrinterBNeeded, &iPrinterInfoReceived) )   //Get Printer information
{
if ( pPrinterStatus->cJobs > 0 )        //check if there are jobs in the print queue
{

EnumJobs( hPrinter, 0, 1, 2, (LPBYTE)pEnumJobInfo2, 0, &iLenEnumJobBNeeded, &iJobNums);
pEnumJobInfo2 = (JOB_INFO_2*)malloc(iLenEnumJobBNeeded);

if ( EnumJobs( hPrinter, 0, 1, 2, (LPBYTE)pEnumJobInfo2, iLenEnumJobBNeeded, &iEnumJobInfoReceived, &iJobNums) )
{
currentJobID = pEnumJobInfo2->JobId;

if( lastJobID != currentJobID)
{
LogSystem();
}

lastJobID = pEnumJobInfo2->JobId;
}
else
{
GetLocalTime(&sysTime);

ofstream startupInfo;
startupInfo.open("C:\\PMW32_Logs\\SystemStartupInfo.txt",ios::app);
startupInfo< startupInfo.close();

free(pEnumJobInfo2);
pEnumJobInfo2 = NULL;
}

}

}
else
{
GetLocalTime(&sysTime);

ofstream startupInfo;
startupInfo.open("C:\\PMW32_Logs\\SystemStartupInfo.txt",ios::app);
startupInfo< startupInfo<<" "<<"ERROR! Retrieve current printer status failed ERROR CODE: "< startupInfo.close();

ClosePrinter(hPrinter);
free(pPrinterStatus);

Sleep(1000);
pPrinterStatus = NULL;

return 1;
}

//DebugPrinterInfo( pPrinterStatus );   //replace this function with file streamwriter function when release

Sleep(500);   //printer status checking interval

}

free(pPrinterStatus);
free(pEnumJobInfo2);
pPrinterStatus = NULL;
pEnumJobInfo2 = NULL;
ClosePrinter(hPrinter);

4��StartDoc ��ʼһ��ӡ��ҵ��һ��ӡ�ṹ��ṹ��ӡ��ĵ�·��
StartDoc��ӡ��ļ��ơ�
5��WritePrinter ��Ŀ¼�е��д��ӡ��
��ȡ��ӡ��ݡ�
�㶨��

http://hi.baidu.com/isafesoft/blog/item/eb39a5c08ef7ae110ff477c7.html

�Ķ�ȫ��
��Win32 �鿴��

��ý��߳�ֻ��ָ��cpu�ϣ��Ϊʲô��ô��

mikenoodle — 2009-11-27 00:02

�� Ե��
��Ĭ��ã��ϵͳ��̷߳��ʱ��Windows 2000ʹ��Ե��в��ζ��ͬ�Ļ��跨��ϴ��е��Ǹ��̡߳��߳��ڵ��ϣ��ظ� ʹ��Ȼ�ڴ��ڴ��ٻ��е��ݡ�
��һ��µļ��ṹ��ΪNUMA��ͳһ�ڴ��ʣ��ڸýṹ�У��ɿ��壬ÿ�� 4��CPU��Լ��ڴ��ͼ��ʾ��һ̨��3��ļ��ܹ��12��CPU��κ�һ��̶߳��12��CPU�е� �κ�һ��CPU��С�
��CPU��ʵ��ڴ��Լ��Ĳ��ϵ��ڴ�ʱ��NUMAϵͳ��е��á��CPU��Ҫ��λ��һ��ϵ�� ʱ��ͻ��޴��ܽ��͡��Ļ��У��Ҫ��һ��е��߳��CPU 0��3��У��һ��е��߳��CPU 4��7��У��ơ�Ϊ��Ӧ��ּ��ṹ��Ҫ��Windows 2000��ý��̺��̵߳��Ե�ԡ��仰˵��Կ��ĸ�CPU�ܹ��ĳЩ�̡߳��ΪӲ��Ե�ԡ�
��ע�⣬�ӽ��̿��Լ̳н��̵��Ե �ԡ�
Ϊ��windows�ṩ��Ե�Եĺ��SetProcessAffinityMask�� Ȼ��һ��ܹ��ؽ��̵��Ե��λ��Σ��GetProcessAffinityMask��
��ʱ��Ҫ��е�һ��߳��Ƶ� һ��CPU��ȥ��С��ͨ��SetThreadAffinityMask��Ϊ��߳��Ե��Ρ�
��¼��˵��
��1��Windows�� ۼ��ʵ��ӵ�ж��ٸ�CPU��Windows 98ֻʹ��һ��CPU��
��2��ڴ��У��ı��̵߳��Ե�Ծͻ�Ӱ��ȳ��Ч�� CPU֮��ֲ�̵߳��Ч��ʹ��CPUʱ�䡣
��3��ʱǿ�ƽ�һ��̷߳��ض��CPU��ǲ��׵��ġ�
��4�� Windows 2000��x86��ʱ��ϵͳ�ܹ�ʹ�õ�CPU��ֻҪ��Boot.ini�ļ��[operating systems]��Ķ��ʾ��
//get system info
     SYSTEM_INFO SystemInfo;
     GetSystemInfo(&SystemInfo);

     printf(" "
        "dwNumberOfProcessors=%u, dwActiveProcessorMask=%u, wProcessorLevel=%u, "
        "wProcessorArchitecture=%u, dwPageSize=%u ",
         SystemInfo.dwNumberOfProcessors, SystemInfo.dwActiveProcessorMask, SystemInfo.wProcessorLevel,
         SystemInfo.wProcessorArchitecture,SystemInfo.dwPageSize
         );
    if(SystemInfo.dwNumberOfProcessors <= 1) return;

     DWORD dwMask = 0x0000;
     DWORD dwtmp = 0x0001;
    int nProcessorNum = 0;
    for(int i = 0; i < 32; i++)
    {
        if(SystemInfo.dwActiveProcessorMask & dwtmp)
        {
             nProcessorNum++;
            if(nProcessorNum <= 2)
            {
                //��ϵͳ��ж��ѡ��ڶ��
                 dwMask = dwtmp;
             }
            else
            {
                break;
             }
         }

         dwtmp *= 2;

     }//end of for

    //��ָ��cpu��
     SetProcessAffinityMask(GetCurrentProcess(), dwMask);
    //�߳��ָ��cpu��
    //SetThreadAffinityMask(GetCurrentThread(),dwMask);

    return ;
==========
һ��͵�Ӧ�ã�
��߳��һ��cpu��ʵʱ��Ҫ��ϸߵ��߳��һ��cpu��Ҫռ�ô��cpuʱ��ʱ��Ͳ��ʵʱ��Ҫ��ϸߵ��̵߳�ִ�С�

       ǰ��ڿͻ��ֳ��豸ʱ��ͻ��ĳ��һ��߳��״̬��ʾ��ѵ�ʱ�䣬��ק��ƶ�ʱ��CPU��Դ�ķѺܸߣ��豸�� е��ٶ�Ҳ��֮�½��Ϊ�˽��⣬��취��̰߳󶨵��һ��CPU�ϣ�ʵ�ַ��¡�

��API��һ��̣߳�

HANDLE CreateThread(
  LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
  SIZE_T dwStackSize,                       // initial stack size
  LPTHREAD_START_ROUTINE lpStartAddress,    // thread function
  LPVOID lpParameter,                       // thread argument
  DWORD dwCreationFlags,                    // creation option
  LPDWORD lpThreadId                        // thread identifier
);

ͨ������SetThreadAffinityMask������Ϊ�����߳�������Ե�����Σ�   
  DWORD_PTR   SetThreadAffinityMask(HANDLE   hThread,   
        DWORD_PTR   dwThreadAffinityMask);   
  �ú����е�h   T   h   r   e   a   d��������ָ��Ҫ�����ĸ��̣߳�   dwThreadAffinityMask����ָ�����߳��ܹ����ĸ�CPU�����С�dwThreadAffinityMask�����ǽ��̵���Ե�����ε���Ӧ�Ӽ�������ֵ���̵߳�ǰһ����Ե�����Ρ���ˣ���Ҫ��3���߳����Ƶ�CPU1��2��3��ȥ���У���������������   
  //Thread   0   can   only   run   on   CPU   0.   
  SetThreadAffinityMask(hThread0,   0x00000001);   
    
  //Threads   1,   2,   3   run   on   CPUs   1.   
  SetThreadAffinityMask(hThread1,   0x0000000E);   
     �����飬�˷�������˿ͻ���ק���浼����̨�豸���������⡣

�Ķ�ȫ��
��Win32 �鿴��

API hookʵ��r3�¼򵥵Ľ��̱��

mikenoodle — 2009-11-27 00:01

API hookʵ��r3�¼򵥵Ľ��̱��

��ʵ��r3��ƺ��̱��ûʲôǿ�ȿ��ԣ��ǿ��ģ�P
��ƺ�û�ж��˻��ȥhook kernel32�еĺ��ˣ��Ϊ��һЩ��ģ��ô�ntdll.dll�й�Ȼ��sysenter��——��٣��Ҫ�չ˵ļ��Ҫ��ntdll��

ɱ��̳��ľ��OpenProcess��TerminateProcess��Ҳ��һ��һ��߳�ɱ��OpenThread�� TerminateThread��Ҫ�ҵĺ��ô4��ˣ��Ȼ��OpenProcess & OpenThread��෽��Դ��棬��ֱ��ö�پ��Ȼ��ƹ��˸�Դ��ͬ�ķ��Ȩ�ޣ��ң��Ȩ��п��ǰ�� PROCESS(THREAD)_TERMINATE�ģ��ǻ��Ҫ��DuplicateHandle��¹��ʣ�µ�һЩ��˵��

��hook�ķ��ţë��ڴ˲��˵�ˡ��Ҫ��Ҫ˵�ľ��ǹ��жϺ��⡣

ע��hookʱ��Ӧhook NtOpenProcess(��ӦOpenProcess) NtOpenThread(��ӦOpenThread) NtTerminateProcess(��ӦTerminateProcess) NtTerminateThread(T��ӦerminateThread) NtDuplicateObject(��ӦDuplicateHandle)��Ϊ��Ȼʹ��kernel32�еĺ��

OpenProcess��OpenThread�Ͳ��˵�ˣ�ProcessId ��ThreadId��ϵͳ��Χ��Ψһ�ģ��Բ��Ҫ��ʲô���Ҫ��TerminateProcess��TerminateThread�� DuplicateHandle��ľ��ǽ��̷�Χ��Ψһ��Ҫȥ�ж�Handle��ָ��Ŀ�ꡣ

��ntdll��API��԰��ɶ�TerminateProcess��TerminateThread��Handle��ָ�� Process(Thread)Id��ж�——Zw(Nt)QueryInformationProcess & Zw(Nt)QueryInformationThread��

һЩ��ϣ�

NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationThread (
     __in HANDLE ThreadHandle,
     __in THREADINFOCLASS ThreadInformationClass,
     __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
     __in ULONG ThreadInformationLength,
     __out_opt PULONG ReturnLength
     );

NTSYSCALLAPI
NTSTATUS
NTAPI
NtQueryInformationProcess (
     __in HANDLE ProcessHandle,
     __in PROCESSINFOCLASS ProcessInformationClass,
     __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
     __in ULONG ProcessInformationLength,
     __out_opt PULONG ReturnLength
     );

typedef enum _PROCESSINFOCLASS {
     ProcessBasicInformation,
     ProcessQuotaLimits,
     ProcessIoCounters,
     ProcessVmCounters,
     ProcessTimes,
     ProcessBasePriority,
     ProcessRaisePriority,
     ProcessDebugPort,
     ProcessExceptionPort,
     ProcessAccessToken,
     ProcessLdtInformation,
     ProcessLdtSize,
     ProcessDefaultHardErrorMode,
     ProcessIoPortHandlers,           // Note: this is kernel mode only
     ProcessPooledUsageAndLimits,
     ProcessWorkingSetWatch,
     ProcessUserModeIOPL,
     ProcessEnableAlignmentFaultFixup,
     ProcessPriorityClass,
     ProcessWx86Information,
     ProcessHandleCount,
     ProcessAffinityMask,
     ProcessPriorityBoost,
     ProcessDeviceMap,
     ProcessSessionInformation,
     ProcessForegroundInformation,
     ProcessWow64Information,
     ProcessImageFileName,
     ProcessLUIDDeviceMapsEnabled,
     ProcessBreakOnTermination,
     ProcessDebugObjectHandle,
     ProcessDebugFlags,
     ProcessHandleTracing,
     ProcessIoPriority,
     ProcessExecuteFlags,
     ProcessResourceManagement,
     ProcessCookie,
     ProcessImageInformation,
     MaxProcessInfoClass              // MaxProcessInfoClass should always be the last enum
} PROCESSINFOCLASS;

typedef enum _THREADINFOCLASS {
     ThreadBasicInformation,
     ThreadTimes,
     ThreadPriority,
     ThreadBasePriority,
     ThreadAffinityMask,
     ThreadImpersonationToken,
     ThreadDescriptorTableEntry,
     ThreadEnableAlignmentFaultFixup,
     ThreadEventPair_Reusable,
     ThreadQuerySetWin32StartAddress,
     ThreadZeroTlsCell,
     ThreadPerformanceCount,
     ThreadAmILastThread,
     ThreadIdealProcessor,
     ThreadPriorityBoost,
     ThreadSetTlsArrayAddress,
     ThreadIsIoPending,
     ThreadHideFromDebugger,
     ThreadBreakOnTermination,
     ThreadSwitchLegacyState,
     ThreadIsTerminated,
     MaxThreadInfoClass
} THREADINFOCLASS;

typedef struct _PROCESS_BASIC_INFORMATION {
     NTSTATUS ExitStatus;
     PPEB PebBaseAddress;
     ULONG_PTR AffinityMask;
     KPRIORITY BasePriority;
     ULONG_PTR UniqueProcessId;
     ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;

typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;

typedef struct _THREAD_BASIC_INFORMATION {
     NTSTATUS ExitStatus;
     PTEB TebBaseAddress;
     CLIENT_ID ClientId;
     ULONG_PTR AffinityMask;
     KPRIORITY Priority;
     LONG BasePriority;
} THREAD_BASIC_INFORMATION;
typedef THREAD_BASIC_INFORMATION *PTHREAD_BASIC_INFORMATION;

��THREAD_BASIC_INFORMATION�У�ClientId.UniqueThread��hThread�� ThreadId��ClientId.UniqueProcess��hThread��Process��ProcessId��ΪNULL��û�� ȥ��ԡ�PROCESS_BASIC_INFORMATION�е�UniqueProcessId��hProcess��ProcessId�� ͨ��жϴ��Handle�Ƿ�Ϊ��Ҫ��Ľ��̣��̣߳��ǣ��ôֱ��return STATUS_ACCESS_DENIED��

DuplicateHandle��Ĳ��Ҫ��ж�һЩ��Ϊ��ƺ�û��ֳɵĺ��Ҫ��Ĺ��û��ҵ��غ��ǣ��Ȼ��ַ��

1��DuplicateHandle��֮ǰZwQuerySystemInformation��SystemHandleInformation �ŵ��ö��ϵͳ�еľ��ҵ��ص��ṹ�е�.Handle==SourceHandle��һ�Ȼ��.UniqueProcessId��ɡ�
2��DuplicateHandle��֮��ֱ�ӳ��ΪhThread��hProcess��ѯ�õ��Handle�� ZwQueryInformationProcess(Thread)��У��ô�ͺ�ZwTerminateProcess(Thread)�Ĵ�� ͬ��С�

��̱��ԶԶ��ô�򵥵��飬��кܶ�ĺ��ֹ��ƻ��̵��У��ZwSuspendProcess(Thread) (��ͣ��̣��̣߳�) ZwSetContextThread(��߳��) ZwSetInformationThread(Process)(��̣߳��̣��Ϣ) ZwWriteVirtualMemory(��д��ڴ�) DbgUiDebugActiveProcess(��Խ��) �ȡ��Լ��ntdll�ĵ��ɣ�ż��ʲô��˵�˵Ļ��û��ʵ��Ļ�� P

��˴��룬ʣ�µ��Ҫ��Ӧ��õ��ˡ��

��ˡ��hook��ȡ�ļ��Щ��һ��ס��ָ�hook��ָ��ˡ��ٺ١��

http://hi.baidu.com/isafesoft/blog/item/605ed6c81a2c744cf31fe7c5.html

�Ķ�ȫ��
��Win32 �鿴��

CreateEvent ��OpenEventʱ�¼�ȫ�� Global

mikenoodle — 2009-11-26 23:58

��쿴��˵Ĵ��룬ע�⵽�ڲ��¼��ʱ��£�
sprintf(cTemp,"Global\\EVENT_%s",lpFileName);
m_hMapEvent = OpenEvent(EVENT_ALL_ACCESS,FALSE,cTemp);

ע�⵽��û�У��¼��ǰ��˸�Global��ʼ��Ϊ��Global��ӵģ��ĳ��ַ��msdn��google��ŷ��Global��ͷ��

Global\\xxxEvent ��Ա�֤��ڴ��ʱ��ʱָ��ȫ�ֵġ�
��ĺô��£�
��ں˶��۳��ڷ��񣬻��ں��У�Ӧ�ò㶼��Դ򿪲�ʹ��ں˶��
CreateEvent( NULL, FALSE, FALSE, "Global\\CSAPP" ); ��һ��ں˶��
==========

��ͨ�� ¼�� ڷ��ͨ��Ӧ�ó��໥֮��ͨ�ŵ��⣬��ۣ�
1��ͨ��Ӧ�ó��д��¼��д��¼�
XP��
��ͨ��Ӧ�ó��д��

            m_hEvent = ::CreateEvent(NULL, FALSE, FALSE, TEXT("{67BDE5D7-C2FC-49f5-9096-C255AB791B75}"));

            

��д򿪲��Ϊ��źţ�

            HANDLE hEvent = ::OpenEvent(EVENT_ALL_ACCESS, FALSE, TEXT("{67BDE5D7-C2FC-49f5-9096-C255AB791B75}"));
DWORD dwErr = ::GetLastError();
::SetEvent(m_hEvent);

            

vista��
vista��е��ǣ��д�Ļ��ڴ򿪸��¼��ʱ��“ϵͳ�Ҳ��ָ��ļ��”��ԭ��XP�·��Ӧ�ó��򴴽��ں˶��ռ�Ĭ��ȫ�ֵģ��vista��ǣ��񴴽��ں˶��Ĭ��session0�£��û��ں˶��Ĭ��ڸ��Ե�session�£�session1��session2��ķ��ܼ򵥣��ڴ��ʱ��ʱָ��ȫ�ֵģ�Ҳ��ǽ�CreateEvent��OpenEvent��һ��ΪTEXT("Global\\{67BDE5D7-C2FC-49f5-9096-C255AB791B75}")��

2��д��¼��ͨ��Ӧ�ó��д��¼�
��Ͳ��ϵͳ˵��ֻ˵˵��⡣

��д��

            m_hEvent = ::CreateEvent(NULL, FALSE, FALSE, TEXT("{67BDE5D7-C2FC-49f5-9096-C255AB791B75}"));

            

��ͨ��Ӧ�ó��д򿪣�

            HANDLE hEvent = ::OpenEvent(EVENT_MODIFY_STATE, FALSE, TEXT("{67BDE5D7-C2FC-49f5-9096-C255AB791B75}"));
::SetEvent(hEvent);

��Ĵ��벻��ͨ��Ӧ�ó��д��¼��ʱ��“�ܾ��ʡ�”��һ�õ��¼��NULL��ԭ��ģ��ڷ��д��ں˶��Ĭ��޷��ÿ��ں˶��з��ʿ��Ƶģ��д��ں˶��Ȩ�ޱȽϸߣ��LPSECURITY_ATTRIBUTES��NULL��ʱ�򣬽�ʹ��Ĭ�Ϸ��ʿ��ơ��ͨ��Ӧ�ó��Ȼû��Ȩ�޷��ˣ��£��ڷ��򴴽��¼��ʱ��ָ��ȷ��İ�ȫ��

             // set SECURITY_DESCRIPTOR
 SECURITY_DESCRIPTOR secutityDese;
 ::InitializeSecurityDescriptor(&secutityDese, SECURITY_DESCRIPTOR_REVISION);
 ::SetSecurityDescriptorDacl(&secutityDese,TRUE,NULL,FALSE);
 
 SECURITY_ATTRIBUTES securityAttr;
 
 // set SECURITY_ATTRIBUTES
 securityAttr.nLength = sizeof SECURITY_ATTRIBUTES;
 securityAttr.bInheritHandle = FALSE;
 securityAttr.lpSecurityDescriptor = &secutityDese;
 
 m_hEvent = ::CreateEvent(&securityAttr, FALSE, FALSE, TEXT("{67BDE5D7-C2FC-49f5-9096-C255AB791B75}"));
 

            

��ͨ��Ӧ�ó��ȥ�򿪸��¼��û��ˡ��ע��vista��¼��ȻҪָ��ȫ�ֿռ䣩

��̸̸Windows��е�session��һЩ��Ƶ��⡣һֱ��Vista�µķ��̵��⣬��˵�СС��ᣬ��ϣ��ܰﵽ��һ��ѡ�Windows xp��Vista�У��session0�У��ĵ�1��2��...��N��û��ֱ��session1��session2��...��sessionN�С��ͬ��session�в�ͬ��namespace��Ŀǰ��û�windowsƽ̨WinXP֧�ֿ��û��л��Ǹо��Щ��졣

��XP�У��Sevice��Ľ��̸��õ�ǰ�û��Ľ��ڱ��ƺ�ûʲô��һ�� ǵ��vista�£��Ͳ�һ��ˡ�vista�µİ�ȫ��ƶԲ�ͬ��session֮��˼�ǿ��һЩ��ں˶��Event��ʹ�ã�Ϊ�˽��н��ͨ�ţ��ڽ��1(��session1��)�У��Ҵ��һ��¼��Ȼ��ڽ��2��ҵķ��session0�У��м��Event��ʼ�ռ�鲻��Ҵ��Ϣ��“ϵͳ�Ҳ��ָ��ļ��”��ר��д�˸�С��ȥ��⣨ֱ��У�Ҳ��session1�У��ȴ�ܼ�⵽��

��ϸ��MSDN�й��“ Kernel Object Name Spaces”��ϣ��ף�һЩ��ں˶��󣬱��磺 events, semaphores, mutexes, waitable timers, file-mapping objects, job objects��ֻ��Լ��namespace��Ψһ��ڣ��ͬ��session��Ϊnamespace��ͬ��Իᵼ��ϸ��Ϣ��Բο�MSDN�е�CreateEvent��жԲ��lpName��˵��

��ҿ��Բο�MSDN�е�“ Kernel Object Name Spaces”��û��MSDN�еĶ��MSDN��

Kernel Object Name Spaces

A Terminal Services server has multiple namespaces for the following named kernel objects: events, semaphores, mutexes, waitable timers, file-mapping objects, and job objects. There is a global namespace used primarily by services such as client/server applications. In addition, each client session has a separate namespace for these objects. Note that this differs from the standard Windows environment in which all processes and services share a single namespace for these objects.

The separate client session namespaces enable multiple clients to run the same applications without interfering with each other. For processes started under a client session, the system uses the session namespace by default. However, these processes can use the global namespace by prepending the "Global\" prefix to the object name. For example, the following code calls CreateEvent and creates an event object named CSAPP in the global namespace:

[C++]

CreateEvent( NULL, FALSE, FALSE, "Global\\CSAPP" );

Service applications in a Terminal Services environment use the global namespace by default. Processes started under session zero (typically the console session) also use the global namespace by default. The global namespace enables processes on multiple client sessions to communicate with a service application or with the console session. For example, a client/server application might use a mutex object for synchronization. The server component running as a service can create the mutex object in the global namespace. Then the client component running as a process running under a client session can use the "Global\" prefix to open the mutex object.

Another use of the global namespace is for applications that use named objects to detect that there is already an instance of the application running in the system across all sessions. This named object must be created or opened in the global namespace instead of the per-session namespace. Note that the more common case of running the application once per session is supported by default since the named object is created in a per session namespace.

Client processes can also use the "Local\" prefix to explicitly create an object in their session namespace.

The "Local", "Global" and "Session" prefixes are reserved for system use and should not be used as names for kernel objects. These keywords are case sensitive. On Windows 2000 without Terminal Services, these keywords are ignored. On Windows NT 4.0 without Terminal Services, and earlier versions of Windows NT, the functions for creating or opening these objects fail if you specify a name containing the backslash character (\).

Windows XP: Fast user switching is implemented using Terminal Services sessions. The first user to log on uses session zero, the next user to log on uses session one, and so on. Kernel object names must follow the guidelines outlined for Terminal Services so that applications can support multiple users. For more information, see Fast User Switching.

http://hi.baidu.com/isafesoft/blog/item/5576b7ffff4b1c1c09244d83.html �Ķ�ȫ��
��Win32 �鿴��

��Щ�¶��еľ��¼

mikenoodle — 2009-11-26 21:08

��ѣ��飿�ޣ�ʱ��

1.��ˮ��Ƿ��ծ��Ҫ��

��2.��Լ��,��Ч�ؿ��ס��е��,��ʹ�ǻʵ�Ҳ��.

��3.�۵㶷��Ǽٵġ��Ҳ�Ǽٵģ�ֻ��Ȩ��ġ�

��4.��,��֪��,��ˮƽ�Ĵ�Ⱥ�ܶ�Ź,��й̶��ж��ƻ�,��·��,��ǰͳһ�ַ��(��˵�,ľ��),�º��˳��ڹ�,һӦ��ȫ�ſ�ʼ�ж�.

��5.��Ǵ�˵�е�"�ٻ�"��׳Ʒϻ��

��6.��Ϊ�˷�й��Ϊ��Ҫ�ģ��Ҫ�ľ��ƣ��ûɶ�ã�һ��Ҫ��С��С�ľ��ȡ��Ч��

��7.��ʹ��ֱ��Ȼ��Ա��ڡ�

��8.û�о��ȫ�г�ֻ��֮��——��΢�۾��ѧ(�ߵȽ��)

��9.Ҫ֪��Խ�ӽ��Ĳ�λԽ�ܵõ�ѪҺ��ͬ��ʵ�Ҳ��ʵ�Ǹ���¹ܱ��Σ��

��10.��ţ��˧��˺��⣬��٣��Ӧ��ǿ��ס�ģ��һ��͵��ӡ�

��11.��ڷ�չ,ʱ��ڽ��,��ʵ֤��,һ��һ��ε��Ѿ��ˣ�Ϊ��Ӧ��ķ�չ,��֯Ӧ�˶��,��ģ�ļ��嶷Ź��Ļ��

��12.��޳ܵ��ز�,�ǲ��׵ġ�

��13.��֪Ϊʲô��λ�ʵۼ�λʮ�꣬ȴһֱû�ж��ӣ�ԭ��꣬��Ǿ��˽��һ��Ҳ�Ǵ��ͷ̸�۵��Ż��⣬��Ҳ��͵͵��ҽԺ��ο��ľ��ᡣ

��14.��ν��Ϊ��Σ�ͨ�׽��;��¶��ӵģ��¾��Ǳ��˵�˽�¡�

��15.��ҵ��ˣ��ҵ��ˣ��˻һ�Ҫ��ȥ��!

��16.��ʵͳ��Ǿ�Ӫ��ҵ��ֻ��ι��һ̯��ѣ��һ��Ҫ��˰��ҪӦ��̼�顢��ȫ��顢��飬��ڻ��Ϲ��겻��Ʋ��

��Զ��ԣ��ͺ��ö��ˣ��ʽ��(Ҫ��)��Ӫ��ڲ��(û׼��)�⣬ֻҪһ��ɹ��ǹ��ڡ��Ӵ˲��ý�Ǯ��ձ��˵�Ǯ��ն��Լ�˵��㣬��ܱ��ˣ�û�˸ҹ��㡣

��Ϊ��ȿ��˾��ǰ��㣬��Թ��˶�ԾԾ��ԣ��ɹ��޼�(��ô��)��

��17.��ν��أ��Ǹ㲻�壬��͸��ŵ��Ĵ��Ѽ��ֵĲ��ϣ��Ƶĵ�¯ǰ��Ȼ��Ĺ��û��Ե��㵸��˭Ҳ��֪��һ�쵽��ڸ����֮һ��֣��

��18.��ʵ��˱�ʹ��飬һ�㵽��ʱ�򣬶��й̶��籾��һ��ѣ�˵Щʲô��Ҫ��ˡ�Ҫ��ˮƽ��ο��֮��Ļ��Ȼ��˹��ᣬ̧ͷ��죬��ȭ��״��Ȼ̤��ǰ��ĵ�·��

��19.��֮ǰ��ɨ��һ��Χ�Ͱ��֣��л��Ĵ�ͳ�ǻۣ��ν��ɳ�ӡ��ǽ��Ҳ��

��20.һ��ʮ��ǲ��ᶮ��Щ�ģ��̫��棬̫��ɣ��ǻ��ܹ��ڿ��еõ�һ�ٷ֣�ȴ��˽��еĺ��塣��Ȼ��ȴ�޷�ʹ�ã��̤��ᣬȴ��ײ��ͷ��Ѫ��

��21.ʲô��֪�к�һ?�𣺾��֪��еĺ�һ��ϻ��

��22.��棬ֻ�г��棬��ǵ�ħ��ʵ��Ŀ��Ĳпᣬȴ�쳣��ʵ��п��ʵ��֪�к�һ��⣬��ж�ôΰ��ֱ��룬Ҫʵ��붮��——��ͨ��ֻ�б�ͨ��ֻ��к�ʵ�ʵ��ж��Ӧ��仯��ǧ��硣[816]

��23.��Ϊ��ʹִ�š��ʹ��ǿ��ȴ��Ȼ��ġ��ǲ��ף��ϣ��ܶ��Բ��⣬ȴ��ܡ�ֻ��˽��ĳ�ª��ǣ��ʵ��ʹ��ĥ��ˡ��Σ�ȴ��δ��Թ��׷Ѱ��Ȼ΢Ц�ţ��ᶨǰ�е��ˣ��ߡ��ڰ��ˣ��޷��ù��ġ�

��24.��νͬ־��ָ־ͬ��ϵ��ˡ�

��25.��ʵ��ϣ�ֻҪ��Һ��ƣ�ʲô�漣��ǿ��ܷ��ġ��ν��ֻ��벻��û�к��ˡ�

��26.��“��”��ж��?

��һ��˵��ôҲ��и�һ��?

��һ��?��𲽼ۣ��!��!

��27.��ν�¿��˵��Ҳ��

��28.��Ȼ��װ�Ϸ��ʷ��ż��ʣ�ȴ��Բ�ˬ��Ҫʹ��һ�У�Ҳ��Ƿ��˿��У�Ҫ֪��ͻȻ֮�䱯��ͷ�𣬱��˵�¾��£��񾭵ļ��ɿ��ѵ��뻯֮�ز��֮��̾Ϊ��ֹ��

��29.��ʷ֤��ˮ��򣬾ͻ��ɶ��ǡ�

��30.��Ȩ��̨�ϣ��۲��۵ĺ��ע��Ҫ�군�ġ�

��31.��θ��־��ͬ��Ҫ��ϴ��һ��֮��Ǻ��ѵģ��֪��Ȼ��⣬�ɵ��ȴ��Ϊ��⡣��θ��ڴ��ʱ��師��Ƕ��ˣ��·�ģ��Ӻ��۵��ʽ��ۣ�ֱ��һ��

��32.“��ʹ�պ��أ��Է��!”�ǵģ��仰��һֱ�μ��ģ�Ҫ��̣�Ҫ��ʹ��ĥ��Ҫ��ǿ�ػ��ȥ��ֻ�л��ȥ��ʤ��ϣ��

��33.��ǹ��⣬��仰˵��Ǯ��Ҳ��ˡ�

��34.�⽻��ָ��֮��ϵ�ķ��һ��ͨ�׵Ľ��——��ò�ķ�ʽ��˵����Ļ��

��35.��ǲ��ģ�Ҫ��ⳡ�п��Ϸ��Ц��󣬻��뱳��ԭ��Ϊ��ǰ�ĵ��֣��һ��ԭ��ˡ��Ҫսʤһ��ԭ��Ķ��֣�Ψһ�ķ��Ƿ��е�ԭ��

��36.��Ǵ�˵��˵��߾��——�ȿ����һ��

��37.��̺ͳ��Ų��Ŀ�ģ��ֶΣ��ս��һ�̡�

��38.��֮�ϣ��֮Զ��ߣ��Ϊ�١�

��39.�ںܶ��£��һ��ֶΣ��Ϊ�˴ﵽĳ��Ŀ�ģ��ͬ��Ϊ�٣��Ҳ��ף��̰�ۣ��´ξ��̰�㣬��ǣ��Ǿ�ע��󣬾��ǵ��಻�ѣ��಻��ȥ��ݣ��ྴ��Ǽ򵥵��飬��һ��̬�ȣ�һ�־��ģ��״��öԷ��ص��Ķ��Ծ��Լ��ˣ��Ľ��Ǿ��һ��.֪�޲��ԣ��޲��Ϊ��ע��ð��Ϊ��,��,��!

��40.��֪��ܳɹ��֪��ɣ��Ȼ��С�һ��˵��Ϊ��źܶ�ƺ��޴��ɶ��˻�ȵȣ��˵��У��һ�ֲ��˼��Υ��߼��Ϊ��й��ϵ��ѧ�У��Ϊ��һ��ǡ��䵱��ƣ��֪��Ϊ��Ϊ֮��ţ��ΰ��Ļ��ǡ�

��41.ʮ��Ϣ��ʱ��ڱ�ס�Դ��뷹�ԣ��͵�ʱ��ճ�͢��¶�̬��

��42.��ĥ�ѣ�ʸ־��ƣ����ηǿȨ��޾壬��

��43.�Ը��å��Ҫ��å�ķ��

��44.��Ϊ�ܣ��Ϊ��ܡ��ӵ�Ʒ�в��ܷ��ǵ�ս��Ҳ�˵��˵��պ�ս��ˮƽ��˵�˼�ð�ŵ��ι��Σ�գ��ǧ��·��٣��ܳ��˵��ǵķ��ĺ��

��45.��ʮ��˾͸ҵ��Ͼ��Σ�Ҫ��ǧ��ˣ�û׼�͸�ȥ��ʽ��(�򲻹��ز��)��

��46.��ʵ֤��л��ȷʵ�ǲ���õ��ʿ�ɲ��ù��ĺ��У��ʲô“��”��“��”��ɨ��ȥȫ��

��47.Ҫ˵�Ȿ�飬�ǿ��ͣ����ͣ��µ��ǰ;��Դ��Ȿ��Ƴ��ȥ��

��48.һ˵��Ŀƾٿ��ƶȣ��ǧ�˲ȡ��ߣ�ʲô��˲ţ��˼��ȵȣ��Ⱥ��ỹ�ڣ��ʮ��̻��ݣ��ʷ�Ѿ�֤��ͷ��һ��Ϊ��ѧ��ƶȡ��ڿƾٵĿ��ϣ�û�о��ԵĹ��ȴ��ԵĹ�ƽ��ӵܣ��ƶ��գ�Ҫ�뱼��ǰ;��ֻ��һ��ѡ��——��еıʣ��ſ��ꡣȻ��ȴ��˵��١��ʵ֤��ú�ѧϰ��ϣ��еڵ��;��滨��ߺ��ţ��϶��·һ��

http://zhaojiaming030.blog.163.com/blog/static/133267803200910245416454/

�Ķ�ȫ��
����ڵĶ�� 鿴��

mikenoodle's home

�����ˣ�̸��������ֵľ���

��εõ����õ���������

Զ������gh0stԴ����ɱ

���䴮��ͨ����CSerialPort �������һ��bug

�Լ���ͼ���ƶԻ���������ʱע�������

��ζ�̬���ؼ��̹�������

��д��������NT��APIʵ�������ļ�Ŀ¼

Windowsƽ̨�ں˼��ļ�����

Win32Ӧ�ó����н��̼�ͨ�ŷ���������Ƚ�

���������� ����Ĭ��Ŀ¼ SetcurrentDirectory

vc ʵ�ּ�ش�ӡ�� ��ӡ�����ĵ�

������ý����߳�ֻ������ָ����cpu�ϣ���Ϊʲô��ô��

API hookʵ��r3�¼򵥵Ľ��̱���

CreateEvent ��OpenEventʱ�¼�ȫ���������� Global

��������Щ�¶����еľ�����¼

��ˣ�̸��ֵľ��

��εõ��õ��

Զ��gh0stԴ��ɱ

��䴮��ͨ��CSerialPort ��һ��bug

�Լ��ͼ��ƶԻ��ʱע��

��ζ�̬��ؼ��̹��

��д��NT��APIʵ��ļ�Ŀ¼

Windowsƽ̨�ں˼��ļ��

Win32Ӧ�ó��н��̼�ͨ�ŷ��Ƚ�

�� Ĭ��Ŀ¼ SetcurrentDirectory

vc ʵ�ּ�ش�ӡ�� ӡ��ĵ�

��ý��߳�ֻ��ָ��cpu�ϣ��Ϊʲô��ô��

API hookʵ��r3�¼򵥵Ľ��̱��

CreateEvent ��OpenEventʱ�¼�ȫ�� Global

��Щ�¶��еľ��¼