2006年03月30日

#include <stdio.h>
#include <string.h>
#include <windows.h>

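/*
 * Reproduces why ftell() reports 0xf after writing 0xe bytes: the stream is
 * opened in text mode ("w+"), so on Windows the 0x0A placed at buffer[1] is
 * expanded to CR LF on disk.  Opening with "w+b" avoids the translation
 * (that is the fix described in the notes below this listing).
 *
 * Returns 0 on success, 1 if the temp file could not be created.
 */
int main(void)
{
	FILE	*pFile;
	char	buffer[15] = "sdfsdfsdfdfsdf";
	size_t	len;

	pFile = fopen("tempfile", "w+");
	if (pFile == NULL) {
		perror("fopen");
		return 1;
	}
	buffer[1] = 0x0A;	/* the LF that text mode turns into CR LF */
	len = strlen(buffer);

	/* strlen() yields size_t and ftell() long; cast so %lx is well-defined. */
	printf("strlen(buffer): 0x%lx\n", (unsigned long)len);
	printf("ftell 0x%lx \n", (unsigned long)ftell(pFile));
	if (fwrite(buffer, len, 1, pFile) != 1) {
		perror("fwrite");
	}
	printf("ftell 0x%lx \n", (unsigned long)ftell(pFile));

	fclose(pFile);
	return 0;
}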
//--------------------------------------------------------------------

结果:

strlen(buffer): 0xe
ftell 0x0
ftell 0xf

还以为见鬼了,郁闷了我很久,后来才发现pFile = fopen("tempfile","w+");  -____-

没按2进制模式,把0x0A当回车了,,应该是"w+b",,,一个类似的错误加在一大段程序里了,,,郁闷了很久才找到

2006年03月24日

爱情有时候就像一个spinlock,当自己只有一颗芯的时候,需要另一颗芯来解开它.没学会preemption,结果就是……

2006年03月15日
找隐藏进程的方法很多,系统中有那么多个链表把进程们连在一起.所以隐藏进程总觉得太不划算了

    搜索virtual memory这个方法比较懒,本想从NonpagedPool分配出去的内存的链表中找,可他们并不全连在一起,还不怎么了解.偷个懒,没定位几个表示nonpaged位置的变量,直接从头搜到尾了 -____- 留着以后改进
    windbg中!zombies感觉就是在搜nonpaged pool的链表,,找tag是pro的内存块.
    这里搜0x7ffdf000,然后得到eprocess的object header ,判断其中的type是否是process,这两个位置改动都会影响到进程,当然搜其他的地方或者通过别的部分判断也可以.在搜virtual memory的时候先判断pte和pde中的entry是否valid,不分页内存这个位应该总是1,在passive level上访问被置换到page file的内存直接就蓝了,,mm的部分还没搞清楚,,唉…为何是mm都要和我过不去 :“|
    一般进程结束后EPROCESS的peb的部分就变了. 有一回搜出三个csrss.exe,其中有一个是正常的,其他的两个eprocess块也有数据,name的地方也是csrss.exe.object header的PointerCount和HandleCount都不为0.type也是process..很奇怪
 
程序很简单,在虚拟机xp sp1下ok
结果
i'm coming :>
EPROCESS: 0x80d85da8  process nAme: smss.exe
EPROCESS: 0x80e33578  process nAme: csrss.exe
EPROCESS: 0xffad98d8  process nAme: ctfmon.exe
EPROCESS: 0xffae38b8  process nAme: VMwareUser.exe
EPROCESS: 0xffae4850  process nAme: VMwareTray.exe
EPROCESS: 0xffaf0020  process nAme: cmd.exe
EPROCESS: 0xffb0bb88  process nAme: explorer.exe
EPROCESS: 0xffb19da8  process nAme: VMwareService.e
EPROCESS: 0xffb65da8  process nAme: spoolsv.exe
EPROCESS: 0xffb7ada8  process nAme: conime.exe
EPROCESS: 0xffb881c0  process nAme: svchost.exe
EPROCESS: 0xffb90020  process nAme: svchost.exe
EPROCESS: 0xffb9e5d8  process nAme: svchost.exe
EPROCESS: 0xffbaeda8  process nAme: svchost.exe
EPROCESS: 0xffbc3020  process nAme: lsass.exe
EPROCESS: 0xffbcf2a0  process nAme: services.exe
EPROCESS: 0xffbd19f8  process nAme: winlogon.exe
seArching finish
哦,没有0,4号进程
会找到重复的进程,就像csrss.exe那样的……还不清楚那些是干什么的

//findprocess.c//		by uty@uaty//#include <ntddk.h>

#define PDE_INVALID 2#define PTE_INVALID 1#define VALID		0

#define PEB_OFFSET					0x1b0#define OBJECT_HEADER_SIZE			0x18#define OBJECT_TYPE_OFFSET			0x8#define EPROCESS_NAME_OFFSET		0x174VOID WorkThreAd(IN PVOID pContext);VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object);VOID seArchprocess(VOID);VOID getnAme(ULONG Addr);ULONG vAlidpAge(ULONG Addr);BOOLEAN IsAReAlProcess(ULONG i);

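/*
 * Page-walk constants for 2-level (non-PAE) x86 paging, which the Addr>>22
 * and Addr>>12 index arithmetic in vAlidpAge() assumes.  The self-map
 * addresses are the classic x86 values; PAE and x64 kernels lay the tables
 * out differently, so this scan must not be run there as-is.
 */
#define X86_PDE_SELFMAP		0xc0300000UL	/* virtual address of the page directory */
#define X86_PTE_SELFMAP		0xc0000000UL	/* virtual address of the page-table array */
#define X86_PAGE_BYTES		0x1000UL	/* 4 KB page: stride when a PTE is not present */
#define X86_LARGE_PAGE_BYTES	0x400000UL	/* 4 MB region: stride when a PDE is not present */
#define PAGE_PRESENT_BIT	0x1UL
#define PAGE_LARGE_BIT		0x80UL		/* PS bit of a PDE: maps a 4 MB page directly */
#define PEB_SIGNATURE		0x7ffdf000UL	/* PEB address the scan looks for inside EPROCESS */
/* Assumed width of the name field read by getnAme() — TODO confirm against the target build. */
#define IMAGE_NAME_BYTES	16

/* Worker thread object, referenced so DriverUnloAd can wait for the scan to finish. */
static PVOID g_workThread = NULL;

/*
 * Starts a system thread that scans kernel memory for EPROCESS blocks instead
 * of walking the process lists, so a process unlinked from those lists still
 * shows up in the output (see the notes above the listing).
 *
 * Returns the PsCreateSystemThread status; STATUS_SUCCESS once the worker runs.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	NTSTATUS	dwStAtus;
	HANDLE		hThreAd;

	UNREFERENCED_PARAMETER(RegistryPath);

	DbgPrint("i'm coming :>\n");

	DriverObject->DriverUnload = DriverUnloAd;

	dwStAtus = PsCreateSystemThread(&hThreAd,
		(ACCESS_MASK)0,
		NULL,
		(HANDLE)0,
		NULL,
		WorkThreAd,
		NULL);
	if (!NT_SUCCESS(dwStAtus)) {
		/* No worker started, so failing here lets the I/O manager unload us cleanly. */
		DbgPrint("PsCreateSystemThread failed: 0x%x\n", dwStAtus);
		return dwStAtus;
	}

	/*
	 * Hold an object reference so DriverUnloAd can wait for the thread.  If
	 * this fails the thread is already running; fall back to the old
	 * behaviour (no wait) rather than failing the load under a live thread.
	 */
	dwStAtus = ObReferenceObjectByHandle(hThreAd, THREAD_ALL_ACCESS, *PsThreadType,
		KernelMode, &g_workThread, NULL);
	if (!NT_SUCCESS(dwStAtus)) {
		DbgPrint("ObReferenceObjectByHandle failed: 0x%x\n", dwStAtus);
		g_workThread = NULL;
	}
	ZwClose(hThreAd);	/* the handle is not needed once the object reference is held */

	return STATUS_SUCCESS;
}
//--------------------------------------------------------------------
/*
 * Waits for WorkThreAd before the image goes away; unloading while the scan
 * still runs would pull the code out from under the thread.
 */
VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object)
{
	UNREFERENCED_PARAMETER(Driver_object);

	if (g_workThread != NULL) {
		KeWaitForSingleObject(g_workThread, Executive, KernelMode, FALSE, NULL);
		ObDereferenceObject(g_workThread);
		g_workThread = NULL;
	}
}
//--------------------------------------------------------------------
/* System-thread entry: run the scan once, then terminate. */
VOID WorkThreAd(IN PVOID pContext)
{
	UNREFERENCED_PARAMETER(pContext);

	seArchprocess();

	PsTerminateSystemThread(STATUS_SUCCESS);
	DbgPrint("Never be here ?\n");	/* PsTerminateSystemThread does not return */
}
//--------------------------------------------------------------------
/*
 * Scans [first, limit) one ULONG at a time for the PEB signature, stepping
 * over pages whose PTE or PDE is not present so nothing paged out is touched.
 * Candidates are confirmed by IsAReAlProcess() before being printed.
 */
static VOID scan_range(ULONG first, ULONG limit)
{
	ULONG	i = first;
	ULONG	next;
	ULONG	result;

	while (i < limit) {
		result = vAlidpAge(i);

		if (result == VALID) {
			if (*(PULONG)i == PEB_SIGNATURE && IsAReAlProcess(i)) {
				DbgPrint("EPROCESS: 0x%x  ", i - PEB_OFFSET);
				getnAme(i);
			}
			next = i + sizeof(ULONG);
		} else if (result == PTE_INVALID) {
			/* page not present: resume at the next 4 KB boundary */
			next = (i & ~(X86_PAGE_BYTES - 1)) + X86_PAGE_BYTES;
		} else {
			/* whole page table not present: resume at the next 4 MB boundary */
			next = (i & ~(X86_LARGE_PAGE_BYTES - 1)) + X86_LARGE_PAGE_BYTES;
		}

		/* a stride past 0xffffffff wraps to 0 and would loop forever */
		if (next <= i) {
			break;
		}
		i = next;
	}
}
//--------------------------------------------------------------------
/*
 * Scans the two kernel ranges the author chose empirically (see the notes:
 * the pool descriptors were not used, the ranges are simply walked end to
 * end).  Processes whose PEB is not at PEB_SIGNATURE would be missed —
 * presumably rare on the tested XP SP1, but not verified here.
 */
VOID seArchprocess(void)
{
	scan_range(0x80000000, 0x90000000);
	scan_range(0xf0000000, 0xffbe0000);

	DbgPrint("seArching finish \n");
}
//--------------------------------------------------------------------
/*
 * Prints the process name stored in the EPROCESS that contains the PEB
 * pointer at Addr.  The name field is not guaranteed to be NUL-terminated,
 * so it is copied into a bounded local buffer instead of printed with a
 * bare %s, and both ends of the field are checked for presence first.
 */
VOID getnAme(ULONG Addr)
{
	CHAR	nAme[IMAGE_NAME_BYTES + 1];
	ULONG	src = Addr - PEB_OFFSET + EPROCESS_NAME_OFFSET;

	if (vAlidpAge(src) != VALID ||
	    vAlidpAge(src + IMAGE_NAME_BYTES - 1) != VALID) {
		DbgPrint("process nAme: <not present>\n");
		return;
	}

	RtlCopyMemory(nAme, (PCHAR)src, IMAGE_NAME_BYTES);
	nAme[IMAGE_NAME_BYTES] = '\0';
	DbgPrint("process nAme: %s\n", nAme);
}
//--------------------------------------------------------------------
/*
 * Classifies the page behind Addr through the x86 self-mapped page tables.
 * Returns VALID when the PDE is present and either maps a 4 MB page or the
 * PTE is present; PTE_INVALID when only the PTE is missing; PDE_INVALID
 * when the whole 4 MB region is unmapped.
 */
ULONG vAlidpAge(ULONG Addr)
{
	ULONG	pde;
	ULONG	pte;

	pde = *(PULONG)(X86_PDE_SELFMAP + (Addr >> 22) * sizeof(ULONG));
	if ((pde & PAGE_PRESENT_BIT) == 0) {
		return PDE_INVALID;
	}
	if ((pde & PAGE_LARGE_BIT) != 0) {
		/* 4 MB page: the PDE maps the region directly, there is no PTE to check */
		return VALID;
	}

	pte = *(PULONG)(X86_PTE_SELFMAP + (Addr >> 12) * sizeof(ULONG));
	return ((pte & PAGE_PRESENT_BIT) != 0) ? VALID : PTE_INVALID;
}
//--------------------------------------------------------------------
/*
 * Decides whether the PEB signature at i sits inside a real EPROCESS by
 * comparing the candidate's object-header type pointer with the one of the
 * current (known-good) process.  Both the EPROCESS start and the header
 * field may lie on a different page than i, so each is checked for
 * presence before it is read.
 */
BOOLEAN IsAReAlProcess(ULONG i)
{
	ULONG	typeAddr = i - PEB_OFFSET - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET;
	ULONG	pObjectType;
	ULONG	pObjectTypeProcess;

	pObjectTypeProcess = *(PULONG)((ULONG)PsGetCurrentProcess() - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET);

	if (vAlidpAge(i - PEB_OFFSET) != VALID || vAlidpAge(typeAddr) != VALID) {
		return FALSE;
	}
	pObjectType = *(PULONG)typeAddr;

	return (BOOLEAN)(pObjectType == pObjectTypeProcess);
}
//--------------------------------------------------------------------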