Post #20
Posted: 2007-01-27 15:27
What I'd really like to know is how many methods Lao V can come up with in Ring3~
Lao V always seems to think of things ordinary people can't. Respect~
Post #21
Posted: 2007-01-27 16:45
R3 seems very hard~ But everyone has already gone R0, so what are you doing in R3?
Heh heh~
Post #22
Posted: 2007-01-30 15:07
Better to search KiDispatcherReadyListHead (the List)! Delete yourself from that table and you can forget about switching to another thread and staying alive.
Hope everyone comes to www.whitecell.org/forums to discuss.
Post #23
Posted: 2007-01-30 15:47
The current trend is: no driver, no process, just grab a block of memory, add every kind of filter, callback, HOOK and so on that you have or haven't heard of, and get straight to work.
Post #24
Posted: 2007-01-31 11:08
Quoting wowocock's post #23 of 2007-01-30 15:47: Depressing~
Post #25
Posted: 2007-02-06 14:30
Code and error
Offending code: mov eax,edx

```asm
DispatchControl proc pDeviceObject,pIrp
    local status,dwBytesReturned

    push 0
    pop dwBytesReturned
    mov esi,pIrp
    assume esi:ptr _IRP
    IoGetCurrentIrpStackLocation esi
    mov edi,eax
    assume edi:ptr IO_STACK_LOCATION
    .if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_GET_THREAD
        mov edi,[esi].AssociatedIrp.SystemBuffer
        assume edi:ptr DWORD
        KdPrint GetThreadList Start Successed
        push 0
        pop status
        ;**************************************************************
        ; GetThreadList Kernel Code
        ; Fixme
        ;**************************************************************
        mov eax,[edi]                           ; priority from the user buffer
        lea eax,[eax*sizeof LIST_ENTRY]
        add edx,KiDispatcherReadyListHead       ; edx was never loaded: the computed index is in eax
        invoke ProbeForRead,edx,sizeof LIST_ENTRY,sizeof ULONG
        mov eax,edx                             ; FOLLOWUP_IP in the dump below (DChecker+2cc)
        xor ebx,ebx
        assume eax:ptr LIST_ENTRY
        assume edx:ptr LIST_ENTRY
        .while ([eax].Flink != edx) || ([eax].Flink != 0)
            mov eax,[eax].Flink
            push eax
            invoke ProbeForRead,eax,sizeof LIST_ENTRY,sizeof ULONG
            pop eax
            push eax
            lea eax,[eax-OFFSET_WAITLISTENTRY+OFFSET_CID+OFFSET_UNIQUETHREAD]
            lea edi,[edi+4]
            inc ebx
            mov [edi],eax
        .endw
        mov dwBytesReturned,ebx
        assume edx:nothing
        assume eax:nothing
        invoke DbgPrint,CTEXT("GetThreadList End")
        assume edi:nothing
    .else
        KdPrint Control Code Error
        mov status, STATUS_INVALID_DEVICE_REQUEST
    .endif
    assume edi:nothing
    push status
    pop [esi].IoStatus.Status
    push dwBytesReturned
    pop [esi].IoStatus.Information
    assume esi:nothing
    fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
    mov eax,status
    ret
DispatchControl endp

DispatchCreateClose proc pDeviceObject, pIrp
    mov eax, pIrp
    assume eax:ptr _IRP
    mov [eax].IoStatus.Status, STATUS_SUCCESS
    and [eax].IoStatus.Information, 0
    assume eax:nothing
    fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
    mov eax, STATUS_SUCCESS
    ret
DispatchCreateClose endp
```

```text
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [F:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: F:\WINDOWS\system32
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055bb20
Debug session time: Tue Feb 6 13:29:16.519 2007 (GMT+8)
System Uptime: 0 days 23:08:12.032
Loading Kernel Symbols
.......................................................................................................................................
Loading User Symbols
.................
Loading unloaded module list
........................
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {80000002, 806477bf, f77a8860, 0}

*** ERROR: Module load completed but symbols could not be loaded for DChecker.sys
*** WARNING: Unable to verify checksum for Dialog.exe
Probably caused by : DChecker.sys ( DChecker+2cc )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: 80000002, The exception code that was not handled
Arg2: 806477bf, The address that the exception occurred at
Arg3: f77a8860, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (HRESULT) 0x80000002 (2147483650) - <Unable to get error code text>

FAULTING_IP:
nt!ExRaiseDatatypeMisalignment+a
806477bf c3               ret

TRAP_FRAME:  f77a8860 -- (.trap fffffffff77a8860)
ESP EDITED! New esp=f77a8c10
ErrCode = 00000000
eax=8055b41d ebx=ff37e958 ecx=00000008 edx=00000003 esi=ff37e958 edi=fed61578
eip=806477bf esp=f77a88d4 ebp=f77a8c18 iopl=0         nv up ei pl nz na po nc
cs=0000  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!ExRaiseDatatypeMisalignment+0xa:
806477bf c3               ret
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  Dialog.exe

LAST_CONTROL_TRANSFER:  from 8051eea6 to 805349ae

STACK_TEXT:
f77a80e4 8051eea6 0000008e 80000002 806477bf nt!KeBugCheckEx+0x1b
f77a84ac 804fdbfe f77a88e4 00000000 f77a8860 nt!KiDispatchException+0x3b1
f77a8830 804e397d f77a88e4 f77a8934 00000000 nt!KiRaiseException+0x175
f77a884c 804e006b f77a88e4 f77a8934 00000001 nt!NtRaiseException+0x31
f77a884c 806477bf f77a88e4 f77a8934 00000001 nt!KiFastCallEntry+0xf8
f77a8c10 806090e8 f77a8c34 f7ddc2cc 8055b41d nt!ExRaiseDatatypeMisalignment+0xa
f77a8c18 f7ddc2cc 8055b41d 00000008 00000004 nt!ProbeForRead+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
f77a8c34 804e4d77 ff9b6040 ff37e958 806ee070 DChecker+0x2cc
f77a8c44 8056b9ab ff37e9c8 fe912a48 ff37e958 nt!IopfCallDriver+0x31
f77a8c58 8057e9f7 ff9b6040 ff37e958 fe912a48 nt!IopSynchronousServiceTail+0x60
f77a8d00 80580bfa 000000a4 00000000 00000000 nt!IopXxxControlFile+0x611
f77a8d34 804e006b 000000a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f77a8d34 7c92eb94 000000a4 00000000 00000000 nt!KiFastCallEntry+0xf8
0012f624 00401278 000000a4 00222000 004046f8 ntdll!KiFastSystemCallRet
0012f6a0 77d18709 0008020c 00000111 00000001 Dialog!DlgThreadManagement+0xc8 [E:\MASMPlus\Project\DChecker\Dialog.ASM @ 165]
0012f6cc 77d24ca6 00401005 0008020c 00000111 user32!InternalCallWinProc+0x28
0012f738 77d24af2 00000000 00401005 0008020c user32!UserCallDlgProcCheckWow+0x146
0012f780 77d3bf51 00000000 00000111 00000001 user32!DefDlgProcWorker+0xa8
0012f7b0 77d1b7ab 00606e38 00604e40 00000001 user32!SendMessageWorker+0x384
0012f7d0 77d4fc9d 0008020c 00000111 00000001 user32!SendMessageW+0x7f
0012f7e8 77d46530 00607088 00000000 00607088 user32!xxxButtonNotifyParent+0x41
0012f804 77d28386 0014ac40 00000001 00000000 user32!xxxBNReleaseCapture+0xf8
0012f888 77d2887a 00607088 00000202 00000000 user32!ButtonWndProcWorker+0x6d5
0012f8a8 77d18709 000b01c8 00000202 00000000 user32!ButtonWndProcA+0x5d
0012f8d4 77d187eb 77d2882e 000b01c8 00000202 user32!InternalCallWinProc+0x28
0012f93c 77d189a5 00000000 77d2882e 000b01c8 user32!UserCallWinProcCheckWow+0x150
0012f99c 77d189e8 0012f9ec 00000000 0012f9d0 user32!DispatchMessageWorker+0x306
0012f9ac 77d3e819 0012f9ec 00000000 00606e38 user32!DispatchMessageW+0xf
0012f9d0 77d3e956 0008020c 00607088 00000000 user32!IsDialogMessageW+0x572
0012fa0c 77d2688a 0008020c 00000000 00000001 user32!DialogBox2+0x144
0012fa34 77d268cc 00400000 004063c8 00000000 user32!InternalDialogBox+0xd0
0012fa54 77d2892d 00400000 004063c8 00000000 user32!DialogBoxIndirectParamAorW+0x37
0012fa80 004013ce 00400000 00000065 00000000 user32!DialogBoxParamA+0x4c
0012fa9c 77d18709 000301e4 00000111 000003ea Dialog!DlgProc+0x96 [E:\MASMPlus\Project\DChecker\Dialog.ASM @ 220]
0012fac8 77d24ca6 0040100a 000301e4 00000111 user32!InternalCallWinProc+0x28
0012fb34 77d24af2 00000000 0040100a 000301e4 user32!UserCallDlgProcCheckWow+0x146
0012fb7c 77d3bf51 00000000 00000111 000003ea user32!DefDlgProcWorker+0xa8
0012fbac 77d1b7ab 006057c8 00604e40 000003ea user32!SendMessageWorker+0x384
0012fbcc 77d4fc9d 000301e4 00000111 000003ea user32!SendMessageW+0x7f
0012fbe4 77d46530 006069d0 00000000 006069d0 user32!xxxButtonNotifyParent+0x41
0012fc00 77d28386 0014a9c0 00000001 00000000 user32!xxxBNReleaseCapture+0xf8
0012fc84 77d2887a 006069d0 00000202 00000000 user32!ButtonWndProcWorker+0x6d5
0012fca4 77d18709 00050214 00000202 00000000 user32!ButtonWndProcA+0x5d
0012fcd0 77d187eb 77d2882e 00050214 00000202 user32!InternalCallWinProc+0x28
0012fd38 77d189a5 00000000 77d2882e 00050214 user32!UserCallWinProcCheckWow+0x150
0012fd98 77d189e8 0012fde8 00000000 0012fdcc user32!DispatchMessageWorker+0x306
0012fda8 77d3e819 0012fde8 00000000 006057c8 user32!DispatchMessageW+0xf
0012fdcc 77d3e956 000301e4 006069d0 00000000 user32!IsDialogMessageW+0x572
0012fe08 77d2688a 000301e4 00000000 00000010 user32!DialogBox2+0x144
0012fe30 77d268cc 00400000 00406290 00000000 user32!InternalDialogBox+0xd0
0012fe50 77d2892d 00400000 00406290 00000000 user32!DialogBoxIndirectParamAorW+0x37
0012fe7c 0040114a 00400000 00000064 00000000 user32!DialogBoxParamA+0x4c
0012ffc0 7c816d4f 00340031 00340035 7ffdc000 Dialog!START+0xa9 [E:\MASMPlus\Project\DChecker\Dialog.ASM @ 117]
0012fff0 00000000 00401014 00000000 78746341 kernel32!BaseProcessStart+0x23

STACK_COMMAND:  kb

FOLLOWUP_IP:
DChecker+2cc
f7ddc2cc 8bc2             mov     eax,edx

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  DChecker+2cc

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: DChecker

IMAGE_NAME:  DChecker.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  45c6cc9c

FAILURE_BUCKET_ID:  0x8E_DChecker+2cc

BUCKET_ID:  0x8E_DChecker+2cc

Followup: MachineOwner
---------

kd> !bugcheck 8e
No export bugcheck found
kd> bugcheck 8e
        ^ Operation not supported by current debuggee error in 'bugcheck 8e'
kd> .bugcheck 8e
Bugcheck code 0000008E
Arguments 80000002 806477bf f77a8860 00000000
            ^ Extra character error in '.bugcheck 8e'
kd> lmvm DChecker
start    end        module name
f7ddc000 f7ddc6a0   DChecker   (no symbols)
    Loaded symbol image file: DChecker.sys
    Image path: \??\E:\MASMPlus\Project\DChecker\DChecker.sys
    Image name: DChecker.sys
    Timestamp:        Mon Feb 05 14:20:12 2007 (45C6CC9C)
    CheckSum:         0000797C
    ImageSize:        000006A0
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0
```
Post #26
Posted: 2007-02-08 13:48
Still a problem:

```asm
DispatchControl proc pDeviceObject,pIrp
    local status,dwBytesReturned

    mov status,STATUS_DEVICE_CONFIGURATION_ERROR
    push 0
    pop dwBytesReturned
    mov esi,pIrp
    assume esi:ptr _IRP
    IoGetCurrentIrpStackLocation esi
    mov edi,eax
    _try
        DBGINT3
        assume edi:ptr IO_STACK_LOCATION
        .if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_GET_THREAD
            mov edi,[esi].AssociatedIrp.SystemBuffer
            assume edi:ptr DWORD
            KdPrint GetThreadList Start Successed
            push 0
            pop status
            ;**************************************************************
            ; GetThreadList Kernel Code
            ; eax: current LIST_ENTRY
            ;**************************************************************
            mov eax,[edi]                           ; priority from the user buffer
            lea eax,[eax*sizeof LIST_ENTRY]
            add eax,KiDispatcherReadyListHead       ; find the list head offset
            mov ecx,eax                             ; errors here and jumps to the SEH handler
            xor ebx,ebx
            assume eax:ptr LIST_ENTRY
            assume edx:ptr LIST_ENTRY
            .while ([eax].Flink != ecx) || ([eax].Flink != 0)
                mov eax,[eax].Flink
                push eax
                lea eax,[eax-OFFSET_WAITLISTENTRY+OFFSET_CID+OFFSET_UNIQUETHREAD]
                lea edi,[edi+4]
                inc ebx
                mov [edi],eax
            .endw
            mov dwBytesReturned,ebx
            assume edx:nothing
            assume eax:nothing
            invoke DbgPrint,CTEXT("GetThreadList End")
            assume edi:nothing
        .else
            KdPrint Control Code Error
            mov status, STATUS_INVALID_DEVICE_REQUEST
        .endif
        assume edi:nothing
    _finally
        push status
        pop [esi].IoStatus.Status
        push dwBytesReturned
        pop [esi].IoStatus.Information
        assume esi:nothing
        fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
    mov eax,status
    ret
DispatchControl endp
```
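As an added illustration (not code from this thread or from DChecker), here is the ready-list walk that posts #22, #25 and #26 are attempting, written in C over constructed stand-in structures so it runs in user mode: one LIST_ENTRY head per priority, a thread object linked in through its WaitListEntry, and CONTAINING_RECORD to get back to the owner. The array, the FAKE_THREAD layout and the sample TIDs are assumptions; the loop terminates when Flink returns to the head, which is the check the posted `||` condition never makes.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the kernel structures the posts walk.
   Real ETHREAD/KTHREAD layouts are build-specific; these are NOT them. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

typedef struct _FAKE_THREAD {
    uint32_t   header[4];        /* filler so WaitListEntry is not at offset 0 */
    LIST_ENTRY WaitListEntry;    /* linked into KiDispatcherReadyListHead[Priority] */
    uint32_t   UniqueThread;     /* Cid.UniqueThread, the TID the driver reports */
} FAKE_THREAD;

#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))
#define MAX_PRIORITY 32

LIST_ENTRY  KiDispatcherReadyListHead[MAX_PRIORITY];  /* constructed, not the real symbol */
FAKE_THREAD sample_threads[3];                        /* constructed sample threads */

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e)
{ e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e; }

/* Build a ready list at priority 8 holding three threads with TIDs 0x100, 0x104, 0x108. */
void build_sample_ready_lists(void)
{
    for (int i = 0; i < MAX_PRIORITY; i++) InitializeListHead(&KiDispatcherReadyListHead[i]);
    for (int i = 0; i < 3; i++) {
        sample_threads[i].UniqueThread = 0x100 + 4 * i;
        InsertTailList(&KiDispatcherReadyListHead[8], &sample_threads[i].WaitListEntry);
    }
}

/* Walk one priority's ready list and return the owning thread objects.
   The list is circular, so the walk stops when Flink comes back to the head;
   the posted loop tested "(Flink != head) || (Flink != 0)", which is always
   true and runs past the head into whatever memory follows. Returns the number
   of threads found (even when out_max is smaller), or 0 for a bad priority. */
size_t enumerate_ready_threads(int priority, FAKE_THREAD **out, size_t out_max)
{
    if (priority < 0 || priority >= MAX_PRIORITY) return 0;
    LIST_ENTRY *head = &KiDispatcherReadyListHead[priority];
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != NULL && e != head; e = e->Flink) {
        if (n < out_max) out[n] = CONTAINING_RECORD(e, FAKE_THREAD, WaitListEntry);
        n++;
    }
    return n;
}
```

A detector built on this compares the threads found per priority against the normal process and thread lists; anything runnable that those lists do not show is worth a closer look.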
Post #27
Posted: 2007-02-08 15:02
Thread enumeration test version (input: kernel priority, output: ETHREAD addresses)
Compare against SoftICE and WinDBG: http://www.live-share.com/files/154867/DChecker.rar.html
Fixing one issue: add a statement after line 174 of Dialog.asm: xor eax,eax, then build with MASMPlus and run.