Reads: 1798  Replies: 12
Topic changed. Local access or remote access? (9x) -> heh, sweetening it with 50 points
I have a question.
Under 9x I wrote a filter VxD using an IFS hook. For a given read/write request, I want to know whether it is a local access or an access to a shared directory coming in from the network. Failing that, knowing it at file-open time would also do. Hoping someone can help. [Edited - 5/23/02 by zdhe]
---------------------------------------
It seems nobody is answering. Let me switch to something simpler. Under 9x, a 16-bit DOS program runs in its own VM (not the system VM); how do I get that VM's startup path (or image name)? [Edited - 5/25/02 by zdhe]
#1
Posted: 2002-05-22 09:56
The route is different.
#2
Posted: 2002-05-22 10:20
See the C example in vtoolsd.
#3
Posted: 2002-05-22 10:21
Can you tell me where the difference is?
I know the route is different: when the access comes from the network, the caller is the share server. How can my code tell this difference? Right now I am the filter driver, and I am the one being accessed. In Win2k I can check the security token in IRP_MJ_CREATE (the caller is always System). In 9x, how?
#4
Posted: 2002-05-22 10:23
znsoft, I am looking for that sample in vtoolsd.
By the way, can you tell me the exact directory name? ifshook is so simple that it is of no use to me. [Edited - 5/22/02 by zdhe]
#5
Posted: 2002-05-25 22:16
It seems nobody is answering. Let me switch to something simpler.
Under 9x, a 16-bit DOS program runs in its own VM (not the system VM); how do I get that VM's startup path (or image name)? Some suggestions would be enough. Thanks in advance.
#6
Posted: 2002-05-27 09:41
Mate, are you like I used to be, never looking at your "inbox"? hehe
#7
Posted: 2002-05-27 10:16
Just check it.
I gave you my email. I will reply to your mail soon. XP OS static disassembly (wasm):

* Reference To: ntoskrnl.ZwClose   --cannot believe
|
:00430DD0 E885A20000 call 0043B05A
:00430DD5 A190054000 mov eax, dword ptr [00400590]
:00430DDA 894328 mov dword ptr [ebx+28], eax
:00430DDD C70370000000 mov dword ptr [ebx], 00000070
:00430DE3 897304 mov dword ptr [ebx+04], esi
:00430DE6 8DBBB0000000 lea edi, dword ptr [ebx+000000B0]
:00430DEC 8B07 mov eax, dword ptr [edi]
:00430DEE 894338 mov dword ptr [ebx+38], eax
:00430DF1 8B4704 mov eax, dword ptr [edi+04]
:00430DF4 89433C mov dword ptr [ebx+3C], eax
:00430DF7 8B4708 mov eax, dword ptr [edi+08]
:00430DFA 894340 mov dword ptr [ebx+40], eax
:00430DFD 8B4568 mov eax, dword ptr [ebp+68]
:00430E00 898380000000 mov dword ptr [ebx+00000080], eax
:00430E06 8B854CFFFFFF mov eax, dword ptr [ebp+FFFFFF4C]
:00430E0C 894370 mov dword ptr [ebx+70], eax
:00430E0F 8B8550FFFFFF mov eax, dword ptr [ebp+FFFFFF50]
:00430E15 894374 mov dword ptr [ebx+74], eax
:00430E18 B800200000 mov eax, 00002000
:00430E1D 89B3A8000000 mov dword ptr [ebx+000000A8], esi
:00430E23 394718 cmp dword ptr [edi+18], eax
:00430E26 7303 jnb 00430E2B
:00430E28 894718 mov dword ptr [edi+18], eax

From the SoftICE dump:

================ Sun May 26 19:20:12 2002
:wc
:u zwClose
ntoskrnl!ZwClose
0008:8050B05A MOV EAX,00000019
0008:8050B05F LEA EDX,[ESP+04]
0008:8050B063 PUSHFD
0008:8050B064 PUSH 08
0008:8050B066 CALL 804D4DCD
0008:8050B06B RET 0004
ntoskrnl!ZwCloseObjectAuditAlarm
:u zwProtectVirtualMemory
ntdll!NtProtectVirtualMemory
001B:77F7EC43 MOV EAX,00000089
001B:77F7EC48 MOV EDX,7FFE0300
001B:77F7EC4D CALL EDX
001B:77F7EC4F RET 0014
001B:77F7EC52 NOP
ntdll!NtPulseEvent
001B:77F7EC53 MOV EAX,0000008A
:u zwCreateFile
ntoskrnl!ZwCreateFile
0008:8050B14A MOV EAX,00000025
0008:8050B14F LEA EDX,[ESP+04]
0008:8050B153 PUSHFD
0008:8050B154 PUSH 08
0008:8050B156 CALL 804D4DCD
0008:8050B15B RET 002C
0008:8050B15E MOV EAX,00000026
:u zwReadVirtualMemory
ntdll!NtReadVirtualMemory
001B:77F7EF53 MOV EAX,000000BA
001B:77F7EF58 MOV EDX,7FFE0300
001B:77F7EF5D CALL EDX
001B:77F7EF5F RET 0014
001B:77F7EF62 NOP
ntdll!NtRegisterThreadTerminatePort
001B:77F7EF63 MOV EAX,000000BB

It does not help much, I think. If you need it, I can give you an FTP site to download an XP install disk image. Send me mail.
#8
Posted: 2002-05-27 10:44
ntoskrnl!ZwClose
0008:8050B05A MOV EAX,00000019
0008:8050B05F LEA EDX,[ESP+04]
0008:8050B063 PUSHFD
0008:8050B064 PUSH 08
0008:8050B066 CALL 804D4DCD

Look at the three instructions above: they simulate an INT (for the kernel, sysenter/sysexit cannot work properly because of how the segments are set up), so presumably it returns with IRET, and 804D4DCD is perhaps the int 2Eh handler, or lies inside it (on my friend's machine that should be the case, because I did call ZwProtectVirtualMemory through int 2Eh). Have you tried with that code fragment as well? If it still doesn't work, most likely that service has had code added specifically to handle calls from the kernel and from applications differently. Is it worth it for MS to do that? I wonder.

0008:8050B06B RET 0004
#9
Posted: 2002-05-27 11:01
I also sent a secret message to you; please check.
I have never had a problem with ZwClose. It's ZwProtectVirtualMemory.

================ Sun May 26 20:01:42 2002
:u zwprotectvirtualmemory
ntdll!NtProtectVirtualMemory
001B:77F7EC43 MOV EAX,00000089
001B:77F7EC48 MOV EDX,7FFE0300
001B:77F7EC4D CALL EDX
001B:77F7EC4F RET 0014
001B:77F7EC52 NOP
ntdll!NtPulseEvent
001B:77F7EC53 MOV EAX,0000008A
:u7FFE0300
001B:7FFE0300 MOV EDX,ESP
001B:7FFE0302 SYSENTER
001B:7FFE0304 RET
001B:7FFE0305 PUSHFD
001B:7FFE0306 OR DWORD PTR [ESP],00000100
001B:7FFE030D POPFD
001B:7FFE030E RET
001B:7FFE030F MOV EDX,ESP
:g

Most ntdll exported APIs call 7FFE0300; via SYSENTER they switch from ring 3 to ring 0.

================ Sun May 26 20:03:36 2002
:u zwclose
ntoskrnl!ZwClose
0008:8050B05A MOV EAX,00000019
0008:8050B05F LEA EDX,[ESP+04]
0008:8050B063 PUSHFD
0008:8050B064 PUSH 08
0008:8050B066 CALL 804D4DCD
0008:8050B06B RET 0004
ntoskrnl!ZwCloseObjectAuditAlarm
:u 804D4DCD L 200
0008:804D4DCD PUSH 00
0008:804D4DCF PUSH EBP
0008:804D4DD0 PUSH EBX
0008:804D4DD1 PUSH ESI
0008:804D4DD2 PUSH EDI
0008:804D4DD3 PUSH FS
0008:804D4DD5 MOV EBX,00000030
0008:804D4DDA MOV FS,BX
0008:804D4DDD PUSH DWORD PTR [FFDFF000]
0008:804D4DE3 MOV DWORD PTR [FFDFF000],FFFFFFFF
0008:804D4DED MOV ESI,[FFDFF124]
0008:804D4DF3 PUSH DWORD PTR [ESI+00000140]
0008:804D4DF9 SUB ESP,48
0008:804D4DFC MOV EBX,[ESP+6C]
0008:804D4E00 AND EBX,01
0008:804D4E03 MOV [ESI+00000140],BL
0008:804D4E09 MOV EBP,ESP
0008:804D4E0B MOV EBX,[ESI+00000134]
0008:804D4E11 MOV [EBP+3C],EBX
0008:804D4E14 MOV [ESI+00000134],EBP
0008:804D4E1A CLD
0008:804D4E1B TEST BYTE PTR [ESI+2C],FF
0008:804D4E1F JNZ 804D4CEC
0008:804D4E25 STI
0008:804D4E26 MOV EDI,EAX
0008:804D4E28 SHR EDI,08
0008:804D4E2B AND EDI,30
0008:804D4E2E MOV ECX,EDI
0008:804D4E30 ADD EDI,[ESI+000000E0]
0008:804D4E36 MOV EBX,EAX
0008:804D4E38 AND EAX,00000FFF
0008:804D4E3D CMP EAX,[EDI+08]
0008:804D4E40 JAE 804D4CA2
0008:804D4E46 CMP ECX,10
0008:804D4E49 JNZ 804D4E65
0008:804D4E4B MOV ECX,[FFDFF018]
0008:804D4E51 XOR EBX,EBX
0008:804D4E53 OR EBX,[ECX+00000F70]
0008:804D4E59 JZ 804D4E65
0008:804D4E5B PUSH EDX
0008:804D4E5C PUSH EAX
0008:804D4E5D CALL [80544C44]
0008:804D4E63 POP EAX
0008:804D4E64 POP EDX
0008:804D4E65 INC DWORD PTR [FFDFF638]
0008:804D4E6B MOV ESI,EDX
0008:804D4E6D MOV EBX,[EDI+0C]
0008:804D4E70 XOR ECX,ECX
0008:804D4E72 MOV CL,[EBX+EAX]
0008:804D4E75 MOV EDI,[EDI]
0008:804D4E77 MOV EBX,[EAX*4+EDI]
0008:804D4E7A SUB ESP,ECX
0008:804D4E7C SHR ECX,02
0008:804D4E7F MOV EDI,ESP
0008:804D4E81 CMP ESI,[ntoskrnl!MmUserProbeAddress]
0008:804D4E87 JAE 804D5033
0008:804D4E8D REPZ MOVSD
0008:804D4E8F CALL EBX
0008:804D4E91 MOV ESP,EBP
0008:804D4E93 MOV ECX,[FFDFF124]
0008:804D4E99 MOV EDX,[EBP+3C]
0008:804D4E9C MOV [ECX+00000134],EDX
0008:804D4EA2 CLI
0008:804D4EA3 TEST DWORD PTR [EBP+70],00020000
0008:804D4EAA JNZ 804D4EB2
0008:804D4EAC TEST BYTE PTR [EBP+6C],01
0008:804D4EB0 JZ 804D4F08
0008:804D4EB2 MOV EBX,[FFDFF124]
0008:804D4EB8 MOV BYTE PTR [EBX+2E],00
0008:804D4EBC CMP BYTE PTR [EBX+4A],00
0008:804D4EC0 JZ 804D4F08
0008:804D4EC2 MOV EBX,EBP
0008:804D4EC4 MOV [EBX+44],EAX
0008:804D4EC7 MOV DWORD PTR [EBX+50],0000003B
0008:804D4ECE MOV DWORD PTR [EBX+38],00000023
0008:804D4ED5 MOV DWORD PTR [EBX+34],00000023
0008:804D4EDC MOV DWORD PTR [EBX+30],00000000
0008:804D4EE3 MOV ECX,00000001
0008:804D4EE8 CALL [HAL!KfRaiseIrql]
0008:804D4EEE PUSH EAX
0008:804D4EEF STI
0008:804D4EF0 PUSH EBX
0008:804D4EF1 PUSH 00
0008:804D4EF3 PUSH 01
0008:804D4EF5 CALL ntoskrnl!KiDeliverApc
0008:804D4EFA POP ECX
0008:804D4EFB CALL [HAL!KfLowerIrql]
0008:804D4F01 MOV EAX,[EBX+44]
0008:804D4F04 CLI
0008:804D4F05 JMP 804D4EB2
0008:804D4F07 NOP
0008:804D4F08 MOV EDX,[ESP+4C]
0008:804D4F0C MOV EBX,FS:[00000050]
0008:804D4F13 MOV FS:[00000000],EDX
0008:804D4F1A MOV ECX,[ESP+48]
0008:804D4F1E MOV ESI,FS:[00000124]
0008:804D4F25 MOV [ESI+00000140],CL
0008:804D4F2B TEST EBX,0000000F
0008:804D4F31 JNZ 804D4FA8
0008:804D4F33 TEST DWORD PTR [ESP+70],00020000
0008:804D4F3B JNZ 804D57EA
0008:804D4F41 TEST WORD PTR [ESP+6C],FFF8
0008:804D4F48 JZ 804D5001
0008:804D4F4E CMP WORD PTR [ESP+6C],1B
0008:804D4F54 BT DWORD PTR [ESP+6C],00
0008:804D4F5B CMC
0008:804D4F5C JA 804D4FEF
0008:804D4F62 CMP WORD PTR [EBP+6C],08
0008:804D4F67 JZ 804D4F6E
0008:804D4F69 LEA ESP,[EBP+50]
0008:804D4F6C POP FS
0008:804D4F6E LEA ESP,[EBP+54]
0008:804D4F71 POP EDI
0008:804D4F72 POP ESI
0008:804D4F73 POP EBX
0008:804D4F74 POP EBP
0008:804D4F75 CMP WORD PTR [ESP+08],0080
0008:804D4F7C JA 804D5806
0008:804D4F82 ADD ESP,04
0008:804D4F85 TEST DWORD PTR [ESP+04],00000001
0008:804D4F8D JNZ 804D4F95
0008:804D4F8F POP EDX
0008:804D4F90 POP ECX
0008:804D4F91 POPFD
0008:804D4F92 JMP EDX
0008:804D4F94 IRETD
0008:804D4F95 POP EDX
0008:804D4F96 ADD ESP,08
0008:804D4F99 POP ECX
0008:804D4F9A STI
0008:804D4F9B SYSEXIT
0008:804D4F9D POP ECX
0008:804D4F9E ADD ESP,08
0008:804D4FA1 POP ESP
0008:804D4FA2 SYSRET
0008:804D4FA4 IRETD
0008:804D4FA5 LEA ECX,[ECX+00]
0008:804D4FA8 TEST DWORD PTR [EBP+70],00020000
0008:804D4FAF JNZ 804D4FBE
0008:804D4FB1 TEST DWORD PTR [EBP+6C],00000001
0008:804D4FB8 JZ 804D4F33
0008:804D4FBE MOV EBX,00000000
0008:804D4FC3 MOV ESI,[EBP+18]
0008:804D4FC6 MOV EDI,[EBP+1C]
0008:804D4FC9 MOV DR7,EBX
0008:804D4FCC MOV DR0,ESI
:g
#10
Posted: 2002-05-27 16:05
I also sent a secret message to you; please check.
I have never had a problem with ZwClose. It's ZwProtectVirtualMemory.

================ Sun May 26 20:01:42 2002
:u zwprotectvirtualmemory
ntdll!NtProtectVirtualMemory
001B:77F7EC43 MOV EAX,00000089
001B:77F7EC48 MOV EDX,7FFE0300
001B:77F7EC4D CALL EDX
001B:77F7EC4F RET 0014
001B:77F7EC52 NOP
ntdll!NtPulseEvent
001B:77F7EC53 MOV EAX,0000008A
:u7FFE0300
001B:7FFE0300 MOV EDX,ESP
001B:7FFE0302 SYSENTER
001B:7FFE0304 RET
001B:7FFE0305 PUSHFD
001B:7FFE0306 OR DWORD PTR [ESP],00000100
001B:7FFE030D POPFD
001B:7FFE030E RET
001B:7FFE030F MOV EDX,ESP
:g

Most ntdll exported APIs call 7FFE0300; via SYSENTER they switch from ring 3 to ring 0.

================ Sun May 26 20:03:36 2002
:u zwclose
ntoskrnl!ZwClose
0008:8050B05A MOV EAX,00000019
0008:8050B05F LEA EDX,[ESP+04]
0008:8050B063 PUSHFD
0008:8050B064 PUSH 08
0008:8050B066 CALL 804D4DCD
0008:8050B06B RET 0004
ntoskrnl!ZwCloseObjectAuditAlarm
:u 804D4DCD L 200
0008:804D4DCD PUSH 00
0008:804D4DCF PUSH EBP
0008:804D4DD0 PUSH EBX
0008:804D4DD1 PUSH ESI
0008:804D4DD2 PUSH EDI
0008:804D4DD3 PUSH FS
0008:804D4DD5 MOV EBX,00000030
0008:804D4DDA MOV FS,BX
0008:804D4DDD PUSH DWORD PTR [FFDFF000]
0008:804D4DE3 MOV DWORD PTR [FFDFF000],FFFFFFFF
0008:804D4DED MOV ESI,[FFDFF124]                 ; ETHREAD=>ESI
0008:804D4DF3 PUSH DWORD PTR [ESI+00000140]
0008:804D4DF9 SUB ESP,48
0008:804D4DFC MOV EBX,[ESP+6C]                   ; byte ptr[ESP+6C]=08
0008:804D4E00 AND EBX,01
0008:804D4E03 MOV [ESI+00000140],BL              ; BL(0)=>ETHREAD.PreviousMode
0008:804D4E09 MOV EBP,ESP
0008:804D4E0B MOV EBX,[ESI+00000134]             ; old ETHREAD.TrapFrame=>EBX
0008:804D4E11 MOV [EBP+3C],EBX
0008:804D4E14 MOV [ESI+00000134],EBP
0008:804D4E1A CLD
0008:804D4E1B TEST BYTE PTR [ESI+2C],FF           ; debug flag is active?
0008:804D4E1F JNZ 804D4CEC
0008:804D4E25 STI
0008:804D4E26 MOV EDI,EAX
0008:804D4E28 SHR EDI,08
0008:804D4E2B AND EDI,30
0008:804D4E2E MOV ECX,EDI
0008:804D4E30 ADD EDI,[ESI+000000E0]             ; get ServiceTable
0008:804D4E36 MOV EBX,EAX
0008:804D4E38 AND EAX,00000FFF
0008:804D4E3D CMP EAX,[EDI+08]                   ; correct ServiceId?
0008:804D4E40 JAE 804D4CA2
0008:804D4E46 CMP ECX,10                         ; extended Service?
0008:804D4E49 JNZ 804D4E65
0008:804D4E4B MOV ECX,[FFDFF018]
0008:804D4E51 XOR EBX,EBX
0008:804D4E53 OR EBX,[ECX+00000F70]
0008:804D4E59 JZ 804D4E65
0008:804D4E5B PUSH EDX
0008:804D4E5C PUSH EAX
0008:804D4E5D CALL [80544C44]
0008:804D4E63 POP EAX
0008:804D4E64 POP EDX
0008:804D4E65 INC DWORD PTR [FFDFF638]
0008:804D4E6B MOV ESI,EDX
0008:804D4E6D MOV EBX,[EDI+0C]
0008:804D4E70 XOR ECX,ECX
0008:804D4E72 MOV CL,[EBX+EAX]                   ; get bytes of parameters
0008:804D4E75 MOV EDI,[EDI]
0008:804D4E77 MOV EBX,[EAX*4+EDI]                ; get the service function address
0008:804D4E7A SUB ESP,ECX
0008:804D4E7C SHR ECX,02
0008:804D4E7F MOV EDI,ESP
0008:804D4E81 CMP ESI,[ntoskrnl!MmUserProbeAddress]
0008:804D4E87 JAE 804D5033                       ; do something if ... from ring0
0008:804D4E8D REPZ MOVSD                         ; copy parameters
0008:804D4E8F CALL EBX                           ; call service function
0008:804D4E91 MOV ESP,EBP
0008:804D4E93 MOV ECX,[FFDFF124]
0008:804D4E99 MOV EDX,[EBP+3C]
0008:804D4E9C MOV [ECX+00000134],EDX
0008:804D4EA2 CLI
0008:804D4EA3 TEST DWORD PTR [EBP+70],00020000   ; v86 mode?
0008:804D4EAA JNZ 804D4EB2
0008:804D4EAC TEST BYTE PTR [EBP+6C],01          ; ring0 or ring3?
0008:804D4EB0 JZ 804D4F08
0008:804D4EB2 MOV EBX,[FFDFF124]
0008:804D4EB8 MOV BYTE PTR [EBX+2E],00
0008:804D4EBC CMP BYTE PTR [EBX+4A],00           ; ContextSwitches?
0008:804D4EC0 JZ 804D4F08
0008:804D4EC2 MOV EBX,EBP
0008:804D4EC4 MOV [EBX+44],EAX
0008:804D4EC7 MOV DWORD PTR [EBX+50],0000003B
0008:804D4ECE MOV DWORD PTR [EBX+38],00000023
0008:804D4ED5 MOV DWORD PTR [EBX+34],00000023
0008:804D4EDC MOV DWORD PTR [EBX+30],00000000
0008:804D4EE3 MOV ECX,00000001
0008:804D4EE8 CALL [HAL!KfRaiseIrql]
0008:804D4EEE PUSH EAX
0008:804D4EEF STI
0008:804D4EF0 PUSH EBX
0008:804D4EF1 PUSH 00
0008:804D4EF3 PUSH 01
0008:804D4EF5 CALL ntoskrnl!KiDeliverApc
0008:804D4EFA POP ECX
0008:804D4EFB CALL [HAL!KfLowerIrql]
0008:804D4F01 MOV EAX,[EBX+44]
0008:804D4F04 CLI
0008:804D4F05 JMP 804D4EB2
0008:804D4F07 NOP                                ; go on
0008:804D4F08 MOV EDX,[ESP+4C]
0008:804D4F0C MOV EBX,FS:[00000050]
0008:804D4F13 MOV FS:[00000000],EDX
0008:804D4F1A MOV ECX,[ESP+48]
0008:804D4F1E MOV ESI,FS:[00000124]
0008:804D4F25 MOV [ESI+00000140],CL
0008:804D4F2B TEST EBX,0000000F
0008:804D4F31 JNZ 804D4FA8
0008:804D4F33 TEST DWORD PTR [ESP+70],00020000
0008:804D4F3B JNZ 804D57EA
0008:804D4F41 TEST WORD PTR [ESP+6C],FFF8
0008:804D4F48 JZ 804D5001
0008:804D4F4E CMP WORD PTR [ESP+6C],1B
0008:804D4F54 BT DWORD PTR [ESP+6C],00
0008:804D4F5B CMC
0008:804D4F5C JA 804D4FEF                        ; if(DT!=1B && ETHREAD.PreviousMode==UserMode) error;
0008:804D4F62 CMP WORD PTR [EBP+6C],08
0008:804D4F67 JZ 804D4F6E
0008:804D4F69 LEA ESP,[EBP+50]
0008:804D4F6C POP FS
0008:804D4F6E LEA ESP,[EBP+54]
0008:804D4F71 POP EDI
0008:804D4F72 POP ESI
0008:804D4F73 POP EBX
0008:804D4F74 POP EBP
0008:804D4F75 CMP WORD PTR [ESP+08],0080
0008:804D4F7C JA 804D5806
0008:804D4F82 ADD ESP,04
0008:804D4F85 TEST DWORD PTR [ESP+04],00000001
0008:804D4F8D JNZ 804D4F95
0008:804D4F8F POP EDX
0008:804D4F90 POP ECX
0008:804D4F91 POPFD
0008:804D4F92 JMP EDX                            ; return to ring0 (edx=>eip)
0008:804D4F94 IRETD
0008:804D4F95 POP EDX
0008:804D4F96 ADD ESP,08
0008:804D4F99 POP ECX
0008:804D4F9A STI
0008:804D4F9B SYSEXIT                            ; return to ring3 (edx=>eip,ecx=>esp)
0008:804D4F9D POP ECX
0008:804D4F9E ADD ESP,08
0008:804D4FA1 POP ESP
0008:804D4FA2 SYSRET                             ; ?"SYSRET"?? machine code is?
0008:804D4FA4 IRETD
0008:804D4FA5 LEA ECX,[ECX+00]
0008:804D4FA8 TEST DWORD PTR [EBP+70],00020000
0008:804D4FAF JNZ 804D4FBE
0008:804D4FB1 TEST DWORD PTR [EBP+6C],00000001
0008:804D4FB8 JZ 804D4F33
0008:804D4FBE MOV EBX,00000000
0008:804D4FC3 MOV ESI,[EBP+18]
0008:804D4FC6 MOV EDI,[EBP+1C]
0008:804D4FC9 MOV DR7,EBX
0008:804D4FCC MOV DR0,ESI
:g

In process context, run a call through each of

    __declspec(naked) DWORD __stdcall ZwProtectVirtualMemory(
        IN HANDLE ProcessHandle,
        IN OUT PVOID *BaseAddress,
        IN OUT PULONG ProtectSize,
        IN ULONG NewProtect,
        OUT PULONG OldProtect)
    {
        _asm {
            mov eax, 089h        ; service number of NtProtectVirtualMemory on this build
            lea edx, [esp+4]     ; edx -> first argument on the stack
            int 2eh              ; legacy interrupt gate into the system service dispatcher
            ret 14h              ; __stdcall: pop the five DWORD arguments
        }
    }

and

    __declspec(naked) DWORD __stdcall ZwProtectVirtualMemory(
        IN HANDLE ProcessHandle,
        IN OUT PVOID *BaseAddress,
        IN OUT PULONG ProtectSize,
        IN ULONG NewProtect,
        OUT PULONG OldProtect)
    {
        _asm {
            mov eax, 089h
            lea edx, [esp+4]
            pushfd               ; build the frame an INT would push: EFLAGS, CS (08), return EIP
            push 08h
            mov ecx, 0804D4DCDh  ; dispatcher entry taken from the SoftICE dump; machine-specific
            call ecx
            ret 14h
        }
    }

and set breakpoints at 804D4E8F, 804D4F08, 804D4F69 and so on to watch. On 2000 the int 2e handler pushes, right at its start, the address of code similar to this segment, and after some processing RETs into this segment; XP may be the same. Roughly where does the error happen? (After the return?) It would also be best to look at the sysenter handler address in the MSR and its code, and at the int 2e handler. If all of those are fine, then check later what is wrong with that service.
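An added example (not code from any post in this thread) that turns the stub shapes discussed in #8 and #10 into the check a driver-integrity or anti-hooking tool would run: it classifies an Nt/Zw stub as the ntdll SYSENTER form, the ntoskrnl INT-2E-emulating form, or the classic INT 2E form, extracts the service number, and resolves the kernel stub's CALL target so it can be compared with the expected dispatcher address (a stub that matches no shape, e.g. one starting with a JMP, is what such a check would flag). The byte sequences are constructed from the SoftICE listings above; the 2000-style stub is assumed from the int 2eh variant in #10.

```c
/* Classifies an x86 Nt/Zw stub by the three shapes seen in the SoftICE listings above:
 *   ntdll (XP):     MOV EAX,svc ; MOV EDX,7FFE0300 ; CALL EDX                  ; RET n
 *   ntoskrnl (XP):  MOV EAX,svc ; LEA EDX,[ESP+4] ; PUSHFD ; PUSH 08 ; CALL disp ; RET n
 *   classic (2000): MOV EAX,svc ; LEA EDX,[ESP+4] ; INT 2E                     ; RET n */
#include <stddef.h>
#include <stdint.h>

enum stub_kind { STUB_UNKNOWN = 0, STUB_INT2E, STUB_SYSENTER_SHARED, STUB_KERNEL_CALLFRAME };
struct stub_info { enum stub_kind kind; uint32_t service; uint32_t call_target; };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* p/n: stub bytes; base: the stub's virtual address, needed to resolve a CALL rel32. */
struct stub_info classify_stub(const uint8_t *p, size_t n, uint32_t base) {
    struct stub_info si = { STUB_UNKNOWN, 0, 0 };
    if (n < 11 || p[0] != 0xB8) return si;            /* every shape opens with MOV EAX,imm32 */
    si.service = rd32(p + 1);
    const uint8_t *q = p + 5;
    if (n >= 12 && q[0] == 0xBA && rd32(q + 1) == 0x7FFE0300u && q[5] == 0xFF && q[6] == 0xD2) {
        si.kind = STUB_SYSENTER_SHARED;               /* MOV EDX,7FFE0300 ; CALL EDX */
    } else if (q[0] == 0x8D && q[1] == 0x54 && q[2] == 0x24 && q[3] == 0x04) {
        q += 4;                                       /* LEA EDX,[ESP+4] */
        if (q[0] == 0xCD && q[1] == 0x2E) {
            si.kind = STUB_INT2E;
        } else if (n >= 17 && q[0] == 0x9C && q[1] == 0x6A && q[2] == 0x08 && q[3] == 0xE8) {
            /* PUSHFD ; PUSH 08 ; CALL rel32: fakes the frame an INT pushes (EFLAGS, CS=8, EIP) */
            uint32_t call_insn = base + (uint32_t)((q + 3) - p);
            si.call_target = call_insn + 5 + rd32(q + 4);  /* rel32 counts from the next insn */
            si.kind = STUB_KERNEL_CALLFRAME;
        }
    }
    return si;
}

/* Constructed sample bytes: ntdll!NtProtectVirtualMemory at 77F7EC43, ntoskrnl!ZwClose at
 * 8050B05A (its CALL reaches 804D4DCD), and a 2000-style INT 2E stub for service 0x89. */
static const uint8_t ntdll_NtProtectVirtualMemory[] = {
    0xB8,0x89,0x00,0x00,0x00, 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0xD2, 0xC2,0x14,0x00 };
static const uint8_t ntoskrnl_ZwClose[] = {
    0xB8,0x19,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0x9C, 0x6A,0x08, 0xE8,0x62,0x9D,0xFC,0xFF, 0xC2,0x04,0x00 };
static const uint8_t w2k_style_stub[] = {
    0xB8,0x89,0x00,0x00,0x00, 0x8D,0x54,0x24,0x04, 0xCD,0x2E, 0xC2,0x14,0x00 };
/* Integrity check: a kernel stub is intact only if its CALL still lands on the recorded dispatcher. */
int kernel_stub_intact(const uint8_t *p, size_t n, uint32_t base, uint32_t expected_dispatcher) {
    struct stub_info si = classify_stub(p, n, base);
    return si.kind == STUB_KERNEL_CALLFRAME && si.call_target == expected_dispatcher;
}
```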
#11
Posted: 2002-05-27 17:05
Thank you for taking the time to look at the code I posted.
The code I posted was only for reference; I didn't mean for you to analyse it for me. Still, posted here, someone will always benefit from it. I debugged this before. As I recall, INT 2E gives a BSOD, and CALL 804D4DCD kills the caller when SYSENTER executes. Neither has any obvious effect on the system continuing to run. I can't confirm the specifics right away; I have a deliverable due today and can't spend time on this. Many thanks.
#12
Posted: 2002-06-02 19:21
I won't drag this topic out any further; when I have time I'll go through the assembly properly myself.
Thanks everyone for the help.