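June 30, 2007

Until it is in my hands.
Back then I chose not to get it so easily; looking at it now, I still do not regret that decision.

I have always been skeptical of the way the good guys and heroes in movies get a happy ending without paying any price.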

 

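May 13, 2007

Today I was very happy to be working on something together with my friends, except that I do not know how to do it and could not help, while my friends had come to help me. We tinkered with it the whole evening. It felt like being back in my second year at university, discussing and building things together at the network center. We graduate soon, and I do not know how many more times like this I will have with my friends.

The feeling I suddenly had was that when friends are together, there is nothing we cannot do. I really hope the few of us can work on something together in the future.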

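April 18, 2007

http://www.rootkit.com/vault/uty/FileExposure.rar

Because Boss Dong said the program has to become production-ready, I decided to release it after all; this way quite a few bugs will probably surface.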

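April 12, 2007

I went out a bit late this evening. At 9:30 my dad called me, then handed the phone to my mom; after two sentences my dad took it back, saying she had just had surgery and should not talk too much.

Walking back to the office after the call, at that moment I felt very happy.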

March 10, 2007

The size of a cooked grain of rice

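March 8, 2007

Because of the GFW, we have forever become a byword for stupidity in history!

The acts of "burning books and burying scholars", the policy of keeping the people ignorant, and we who tacitly accept the "burning of books and burying of scholars"... Electronic storage will record this stupidity as history, for hundreds and thousands of years, forever!

Freedom of information! For freedom's sake, both life and love can be given up! Someone has violated our virgin information, and then delivered the filtered information, still streaked with blood, into our arms!

And all of this is simply because of the Chinese government's stupid GFW! So stupid!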

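Accessing Google cached pages by splitting the URL (/search?q=cache:)

Different browsers, different choices:

Firefox (recommended)

For Firefox, install the Greasemonkey script for accessing Google cached pages past China's Great Fire Wall (GFW) right now! (Click it directly to view the script: a malicious script? No!)

This method requires the Firefox browser, which is also the browser this site strongly recommends. Here are our reasons for choosing Firefox and no longer using IE.

Installation steps for the Greasemonkey script method:

Update: if you installed the script before October 10 and have recently found that Google cached pages no longer open properly, please update the script. Steps: open the configuration window from the menu "Tools" –> "Manage User Scripts", select "Google Cached Pages", click the "Uninstall" button to remove the old script, and then install the script again, starting from the "Install the script" step below.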

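  • Install Firefox
    Click the button on the right to install the Firefox browser with the Google Toolbar
  • Install Greasemonkey
    Visit the Greasemonkey home page in Firefox and follow the prompts (mainly clicking the "Install Greasemonkey" button) to install the Greasemonkey extension
  • Restart Firefox
    Restart the Firefox browser to activate Greasemonkey, then open this page again
  • Install the script
    Right-click the link above to the Greasemonkey script for accessing Google cached pages past China's Great Fire Wall (GFW) and choose "Install This User Script" from the context menu, or click the link directly and then click the "Install" button in the upper right corner
  • Test cached pages
    Run a Google search (if you installed "Firefox with Google Toolbar", you can simply type a keyword into the toolbar to search), then check whether cached pages now open properly (I would be honoured if you told me that this method helped you open cached pages) or do not open (if cached pages do not open properly, please leave me a comment)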

Internet Explorer

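For Internet Explorer, this site strongly recommends switching to Firefox; alternatively, you can save the JavaScript that rewrites Google cached-page URLs as an IE bookmark!

Installation steps for the JavaScript + IE bookmark method:

Update: if you saved the JavaScript IE bookmark before October 10 and have recently found that the bookmark no longer opens Google cached pages properly, please update the IE bookmark. Steps: first delete the old JavaScript IE bookmark, then bookmark it again.

  • Save the JavaScript to Favorites
    Right-click the link to the JavaScript that rewrites Google cached-page URLs and choose "Add to Favorite" from the context menu. If IE warns that the link may be unsafe and asks whether to continue, choose "Yes" to keep saving (you can in fact inspect this JavaScript; it is safe code!)
  • Test cached pages
    Run a Google search (if you installed "Google Toolbar", you can simply type a keyword into the toolbar to search). Once the results page has finished loading, open the Favorites entry "JavaScript that rewrites Google cached-page URLs" (you can organize your Favorites to put this entry at the top). Then check whether cached pages now open properly (I would be honoured if you told me that this method helped you open cached pages) or do not open (if cached pages do not open properly, please leave me a comment)

For more technical details, visit Google Cached Pages over GFW.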

Split URL (/search?q=cache:) for Google cached pages

Different browsers, different choices:

Firefox (Strongly Recommended)

For Firefox, install Google Cached Pages over China’s Great Fire Wall (GFW) Greasemonkey User Script Now!

This method requires the Firefox browser, which is strongly recommended by us! Here is the reason for choosing Firefox over IE.

Greasemonkey in Firefox Installing Instructions:

Update: If you installed the script before Oct 10th and found Google Cached Pages not working these days, please try to update the script: Menu "Tools" –> "Manage User Scripts", in the open dialog select "Google Cached Pages", then click the "Uninstall" button to uninstall the script, and then follow the "Install User Script" instruction to install it again. Google Cached Pages will then work again.

  • Install Firefox
    Click the right button to get Firefox with Google Toolbar, which is one of the most popular extensions in Firefox
  • Install Greasemonkey
    Use Firefox to visit Greasemonkey and follow instructions there to install Greasemonkey extension
  • Restart Firefox
    Restart Firefox (Required for enabling Greasemonkey) and visit this page again
  • Install User Script
    Right click on the above Google Cached Pages over China’s Great Fire Wall (GFW) link and choose "Install This User Script" menu item, or click the link directly and then press "Install" button in the upper corner
  • Test "Cached" Pages
    Make a search on Google (Just input something in the search box and make a search if "Firefox with Google Toolbar" installed), and check the "cached" links are working (I would be glad if you tell me that this method works for you) or not (If not, try to report bugs by leaving a comment)

Internet Explorer

For Internet Explorer, we strongly recommend that you use Firefox. Besides, you can bookmark the JavaScript for Google Cached Pages to do so.

JavaScript + IE Bookmark Installing Instruction:

Update: If you bookmarked the JavaScript IE Bookmark before Oct 10th and found Google Cached Pages not working these days after using the IE bookmark, please try to update the JavaScript IE Bookmark: first delete the old bookmark and then bookmark the JavaScript URL again.

  • Bookmark JavaScript URL
    Right click the JavaScript for Google Cached Pages link and select the menu item "Add to Favorite". If IE says the link is not safe and asks whether to continue or not, choose "Yes" to continue (You can check the JavaScript to see whether it is safe or not. Actually it’s SAFE!).
  • Test "Cached" Pages
    Make a search on Google (Just input something in the search box and make a search if "Google Toolbar" installed). When the search result is loaded, choose to load the selected bookmark "JavaScript for Google Cached Pages" (You can arrange your favorites to make the item in the top for convenience). And then check the "cached" links are working (I would be glad if you tell me that this method works for you) or not (If not, try to report bugs by leaving a comment)

For more technical details or for Chinese installing instructions, please visit Google Cached Pages over GFW.

Copyright 2006 Zhou Renjian

February 3, 2007
 
Device Installation: Windows DDK

Driver Information in the Registry

The operating system, drivers, and device installation components store information about drivers and devices in the registry. In general, drivers and device installation components should use the registry to store data that must be maintained across reboots of the system. Drivers can access the registry to obtain this information.

For more information about the registry in general, see the Platform SDK documentation.

The following trees in the registry are of particular interest to driver writers (where HKLM represents HKEY_LOCAL_MACHINE):

Drivers must access Plug and Play (PnP) keys in the registry using system routines such as IoGetDeviceProperty or IoOpenDeviceRegistryKey. User-mode setup components should use device installation functions such as SetupDiGetDeviceRegistryProperty or SetupDiOpenDevRegKey. The registry can be accessed from INF files using INF AddReg directives.

Drivers must not access these keys directly. This discussion of registry information is solely for debugging a device installation or configuration problem.

The keys under HKLM\SYSTEM\CurrentControlSet are a safe place to preserve data that is vital to your driver because the data is stored in the system hive. The system takes extra precautions to protect the system hive (for example, keeping multiple copies).

The HKLM\SYSTEM\CurrentControlSet\Services Tree

The HKLM\SYSTEM\CurrentControlSet\Services registry tree stores information about each service on the system. Each driver has a key of the form HKLM\SYSTEM\CurrentControlSet\Services\DriverName. The PnP Manager passes this path to a driver in the RegistryPath parameter when it calls the driver’s DriverEntry routine. A driver can store global driver-defined data under its key in the Services tree. Information stored under this key is available to the driver during its initialization.

The following keys and value entries are of particular interest:

ImagePath
A value entry that specifies the fully qualified path of the driver’s image file. Setup creates this value using the required ServiceBinary entry in the driver’s INF file. This entry is in the service-install-section referenced by the driver’s INF AddService directive. A typical value for this path is %windir%\system32\Drivers\DriverName.sys, where DriverName is the name of the driver’s Services key.
Parameters
A key used to store driver-specific data. For some types of drivers, the system expects to find specific value entries. You can add value entries to this subkey using AddReg entries in the driver’s INF file.
Performance
A key that specifies information for optional performance monitoring. The values under this key specify the name of the driver’s performance DLL and the names of certain exported functions in that DLL. You can add value entries to this subkey using AddReg entries in the driver’s INF file.
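
Added example (not part of the DDK text): a check a defender can run over exported Services entries, flagging any ImagePath that departs from the typical form described above so it can be reviewed. The function names, the accepted spellings of the Windows directory prefix and the sample entries are assumptions of this example; the entries are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix match: returns strlen(prefix) on match, else 0. */
static size_t match_prefix(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return i;
}

/* Returns 1 if image_path is <windows dir>\system32\drivers\<key_name>.sys.
 * The prefix spellings below are assumptions of this example; a path that
 * starts directly with system32\ is treated as relative to the Windows dir. */
static int is_typical_image_path(const char *key_name, const char *image_path)
{
    static const char *const roots[] = { "%windir%\\", "%SystemRoot%\\", "\\SystemRoot\\" };
    const char *p = image_path;
    size_t n = 0, i;

    for (i = 0; i < sizeof(roots) / sizeof(roots[0]) && n == 0; i++)
        n = match_prefix(p, roots[i]);
    p += n;
    if ((n = match_prefix(p, "system32\\drivers\\")) == 0)
        return 0;                       /* image is outside the drivers directory */
    p += n;
    n = strlen(key_name);
    if (n == 0 || match_prefix(p, key_name) != n)
        return 0;                       /* file name differs from the key name */
    return match_prefix(p + n, ".sys") == 4 && p[n + 4] == '\0';
}

struct service { const char *key_name, *image_path; };

/* Constructed sample entries, as they might appear in an export of the Services tree. */
static const struct service SAMPLE[] = {
    { "mouclass", "system32\\DRIVERS\\mouclass.sys" },
    { "Null",     "\\SystemRoot\\System32\\Drivers\\Null.SYS" },
    { "examplea", "%windir%\\system32\\drivers\\other.sys" },
    { "exampleb", "\\??\\C:\\Users\\Public\\exampleb.sys" },
};

int main(void)
{
    for (size_t i = 0; i < sizeof(SAMPLE) / sizeof(SAMPLE[0]); i++)
        printf("%-8s %s -> %s\n",
               is_typical_image_path(SAMPLE[i].key_name, SAMPLE[i].image_path)
                   ? "typical" : "REVIEW",
               SAMPLE[i].key_name, SAMPLE[i].image_path);
    return 0;
}
```

An entry marked REVIEW is only atypical: a driver image may legitimately live elsewhere or carry a different file name, so the flag is a prompt to inspect the entry.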

The HKLM\SYSTEM\CurrentControlSet\Control Tree

The HKLM\SYSTEM\CurrentControlSet\Control registry tree contains information for controlling system startup and some aspects of device configuration. The following subkeys are of particular interest:

Class
Contains information about the device setup classes on the system. There is a subkey for each class, named using the GUID of the setup class. Each subkey contains information about a setup class, such as the class installer (if there is one), registered class upper-filter drivers, registered class lower-filter drivers, and so forth.

Each class subkey contains other subkeys known as software keys (or, driver keys) for each device instance of that class installed in the system. Each of these software keys is named by using a device instance ID, which is a base-10, four-digit ordinal value.

CoDeviceInstallers
Contains information about the class-specific co-installers that are registered on the system.
DeviceClasses
Contains information about the device interfaces on the system. There is a subkey for each device interface class and entries under those subkeys for each instance of an interface that is registered for the device interface class.

The HKLM\SYSTEM\CurrentControlSet\Enum Tree

The HKLM\SYSTEM\CurrentControlSet\Enum registry tree contains information about the devices on the system. The PnP Manager creates a subkey for each device, with a name in the form of HKLM\SYSTEM\CurrentControlSet\Enum\enumerator\deviceID. Under each of these keys is a subkey for each device instance present on the system. This subkey, which is known as the device’s hardware key (or, device key), has information such as the device description, hardware IDs, compatible IDs, resource requirements, and so forth.

The Enum tree is reserved for use by operating system components, and its layout is subject to change. Drivers and user-mode Setup components must use system-supplied functions, such as IoGetDeviceProperty and SetupDiGetDeviceRegistryProperty, to extract information from this tree. Drivers and Setup applications must not access the Enum tree directly. You can view the Enum tree directly using the registry editor when debugging drivers.

The HKLM\SYSTEM\CurrentControlSet\HardwareProfiles Tree

The HKLM\SYSTEM\CurrentControlSet\HardwareProfiles registry tree contains information about the hardware profiles on the system.

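December 18, 2006

My mouse broke a long time ago: the left button does not work, and I was too lazy to go out and buy a new one. Besides, replacing it just because it broke would feel a bit like being defeated by a mouse. The main reason, though, is that a lazy person can make do with anything.

Under Windows it is manageable: with MouseKeys plus swapping the left and right buttons I can still get by. These past couple of days I suddenly wanted to learn some Linux, and under X you cannot get anywhere without a left button, so I had to change something. My mouse still has a scroll wheel, which can be pressed down as a left button.
Under Linux, the part responsible for the mouse, the keyboard and other USB input devices is called the input subsystem. Linux Journal has two introductory articles: www.linuxjournal.com/article/6396 and http://www.linuxjournal.com/article/6429
The PS/2 mouse driver is in \drivers\input\mouse\psmouse-base.c; the function of interest is psmouse_process_byte():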
 

/*
 * psmouse_process_byte() analyzes the PS/2 data stream and reports
 * relevant events to the input module once full packet has arrived.
 */

static psmouse_ret_t psmouse_process_byte(struct psmouse *psmouse, struct pt_regs *regs)
{
	struct input_dev *dev = psmouse->dev;
	unsigned char *packet = psmouse->packet;

	if (psmouse->pktcnt < psmouse->pktsize)
		return PSMOUSE_GOOD_DATA;

/*
 * Full packet accumulated, process it
 */

	input_regs(dev, regs);

/*
 * Scroll wheel on IntelliMice, scroll buttons on NetMice
 */

	if (psmouse->type == PSMOUSE_IMPS || psmouse->type == PSMOUSE_GENPS)
		input_report_rel(dev, REL_WHEEL, -(signed char) packet[3]);

/*
 * Scroll wheel and buttons on IntelliMouse Explorer
 */

	if (psmouse->type == PSMOUSE_IMEX) {
		input_report_rel(dev, REL_WHEEL, (int) (packet[3] & 8) - (int) (packet[3] & 7));
		input_report_key(dev, BTN_SIDE, (packet[3] >> 4) & 1);
		input_report_key(dev, BTN_EXTRA, (packet[3] >> 5) & 1);
	}

/*
 * Extra buttons on Genius NewNet 3D
 */

	if (psmouse->type == PSMOUSE_GENPS) {
		input_report_key(dev, BTN_SIDE, (packet[0] >> 6) & 1);
		input_report_key(dev, BTN_EXTRA, (packet[0] >> 7) & 1);
	}

/*
 * Extra button on ThinkingMouse
 */
	if (psmouse->type == PSMOUSE_THINKPS) {
		input_report_key(dev, BTN_EXTRA, (packet[0] >> 3) & 1);
		/* Without this bit of weirdness moving up gives wildly high Y changes. */
		packet[1] |= (packet[0] & 0x40) << 1;
	}

/*
 * Generic PS/2 Mouse
 */

	input_report_key(dev, BTN_LEFT,    packet[0]       & 1);
	input_report_key(dev, BTN_MIDDLE, (packet[0] >> 2) & 1);
	input_report_key(dev, BTN_RIGHT,  (packet[0] >> 1) & 1);

	input_report_rel(dev, REL_X, packet[1] ? (int) packet[1] - (int) ((packet[0] << 4) & 0x100) : 0);
	input_report_rel(dev, REL_Y, packet[2] ? (int) ((packet[0] << 3) & 0x100) - (int) packet[2] : 0);

	input_sync(dev);

	return PSMOUSE_FULL_PACKET;
}

This function is where the mouse button data is submitted to the input subsystem. Only one place needs to be changed:

/*
 * Generic PS/2 Mouse
 */

	input_report_key(dev, BTN_LEFT,    packet[0]       & 1);
	input_report_key(dev, BTN_LEFT, (packet[0] >> 2) & 1);	/* <----- BTN_MIDDLE changed to BTN_LEFT */
	input_report_key(dev, BTN_RIGHT,  (packet[0] >> 1) & 1);

	input_report_rel(dev, REL_X, packet[1] ? (int) packet[1] - (int) ((packet[0] << 4) & 0x100) : 0);
	input_report_rel(dev, REL_Y, packet[2] ? (int) ((packet[0] << 3) & 0x100) - (int) packet[2] : 0);

	input_sync(dev);

I had not yet read the input subsystem code carefully before rushing to change it, and it actually worked! I will go through the input subsystem slowly later.
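
Added example, not from the original post or the kernel source: a user-space C model of the generic PS/2 branch above, run over a constructed drag. It assumes, as a simplification, that a key event is forwarded only when a button's state changes, and it compares the stock mapping, the one-line edit, and a hypothetical variant that ORs the left and middle bits into one report; all names in it are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space model (an assumption of this example, not kernel
 * code): a key event is forwarded only when the button state changes. */
enum { BTN_L, BTN_M, BTN_R, BTN_COUNT };
struct model {
    int state[BTN_COUNT];      /* current pressed state per button */
    int rel_x, rel_y, events;  /* last decoded movement; key events forwarded */
};

static void report_key(struct model *m, int btn, int value)
{
    if (m->state[btn] == !!value)
        return;                /* unchanged state: nothing is forwarded */
    m->state[btn] = !!value;
    m->events++;
}

/* Decode one generic 3-byte PS/2 packet. mode 0: stock mapping;
 * mode 1: the one-line edit (BTN_LEFT reported twice per packet);
 * mode 2: left and middle bits OR-ed into a single BTN_LEFT report. */
static void process_packet(struct model *m, const unsigned char *p, int mode)
{
    int left = p[0] & 1, right = (p[0] >> 1) & 1, middle = (p[0] >> 2) & 1;
    report_key(m, BTN_L, mode == 2 ? (left | middle) : left);
    if (mode != 2)
        report_key(m, mode == 1 ? BTN_L : BTN_M, middle);
    report_key(m, BTN_R, right);
    /* Bits 4 and 5 of byte 0 are the sign (ninth) bits of X and Y. */
    m->rel_x = p[1] ? (int)p[1] - (int)((p[0] << 4) & 0x100) : 0;
    m->rel_y = p[2] ? (int)((p[0] << 3) & 0x100) - (int)p[2] : 0;
}

/* Feed n packets into a fresh model; return the number of key events. */
static int run(struct model *m, const unsigned char (*pkts)[3], int n, int mode)
{
    memset(m, 0, sizeof(*m));
    for (int i = 0; i < n; i++)
        process_packet(m, pkts[i], mode);
    return m->events;
}

/* Constructed sample: wheel button held during a short drag, then released. */
static const unsigned char DRAG[4][3] = {
    {0x0C, 0x00, 0x00}, {0x1C, 0xFB, 0x03}, {0x1C, 0xFE, 0x01}, {0x08, 0x00, 0x00},
};

int main(void)
{
    struct model m;
    for (int mode = 0; mode < 3; mode++)
        printf("mode %d: %d key events\n", mode, run(&m, DRAG, 4, mode));
    return 0;
}
```

In this model the one-line edit forwards a release followed by a press of the left button for every packet received while the wheel button is held, whereas the OR variant forwards only the two real transitions.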
 
 
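Now for Windows. I looked at the Windows side even less carefully; a classmate was calling me to play Warcraft, so I was in a hurry. The DDK contains moufiltr, a mouse filter driver.
Its source says: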
        // Hook into the report chain.  Everytime a mouse packet is reported to
        // the system, MouFilter_ServiceCallback will be called
        //
So changing MouFilter_ServiceCallback is enough.

VOID
MouFilter_ServiceCallback(
    IN PDEVICE_OBJECT DeviceObject,
    IN PMOUSE_INPUT_DATA InputDataStart,
    IN PMOUSE_INPUT_DATA InputDataEnd,
    IN OUT PULONG InputDataConsumed
    )
/*++

Routine Description:

    Called when there are mouse packets to report to the RIT.  You can do
    anything you like to the packets.  For instance:

    o Drop a packet altogether
    o Mutate the contents of a packet
    o Insert packets into the stream

Arguments:

    DeviceObject - Context passed during the connect IOCTL

    InputDataStart - First packet to be reported

    InputDataEnd - One past the last packet to be reported.  Total number of
                   packets is equal to InputDataEnd - InputDataStart

    InputDataConsumed - Set to the total number of packets consumed by the RIT
                        (via the function pointer we replaced in the connect
                        IOCTL)

Return Value:

    Status is returned.

--*/
{
    PDEVICE_EXTENSION   devExt;

    devExt = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;

    //
    // UpperConnectData must be called at DISPATCH
    //
    (*(PSERVICE_CALLBACK_ROUTINE) devExt->UpperConnectData.ClassService)(
        devExt->UpperConnectData.ClassDeviceObject,
        InputDataStart,
        InputDataEnd,
        InputDataConsumed
        );
}

Change the body to:

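{
    PDEVICE_EXTENSION   devExt;
    int                 i;

    devExt = (PDEVICE_EXTENSION) DeviceObject->DeviceExtension;

    //
    // Report wheel-button (middle) presses and releases as left-button ones.
    // ButtonFlags is a bit mask that can carry several transitions at once,
    // so test and rewrite the individual bits instead of comparing with ==.
    //
    for (i = 0; i < (InputDataEnd - InputDataStart); i++) {
        if (InputDataStart[i].ButtonFlags & MOUSE_MIDDLE_BUTTON_DOWN) {
            InputDataStart[i].ButtonFlags &= ~MOUSE_MIDDLE_BUTTON_DOWN;
            InputDataStart[i].ButtonFlags |= MOUSE_LEFT_BUTTON_DOWN;
        }
        if (InputDataStart[i].ButtonFlags & MOUSE_MIDDLE_BUTTON_UP) {
            InputDataStart[i].ButtonFlags &= ~MOUSE_MIDDLE_BUTTON_UP;
            InputDataStart[i].ButtonFlags |= MOUSE_LEFT_BUTTON_UP;
        }
    }

    //
    // UpperConnectData must be called at DISPATCH
    //
    (*(PSERVICE_CALLBACK_ROUTINE) devExt->UpperConnectData.ClassService)(
        devExt->UpperConnectData.ClassDeviceObject,
        InputDataStart,
        InputDataEnd,
        InputDataConsumed
        );
}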

Then, following its instructions, install this driver through the .inf file; after a reboot it works.
 
 
Yet another big pile of things waiting to be read.

December 10, 2006

http://writeblog.donews.com/login.aspx?ReturnUrl=/editposts.aspx
From inside the education network, clicking login does not lead to this address. Strange.

October 29, 2006

kernel tcp library

hi all :>

These days I have been studying the protocol stack, I'm a beginner :p. And I decided to make one, but it's really difficult for me to do the whole thing, so I ported one from BSD's tcp protocol for study purposes. (sorry for my awful english -___-)

I posted my rootkit here like ten months ago, it is named uay. That one's tcp transfer part is not good, I just made it run, but when transferring some big files, it is very slow and unstable. So I rewrote it.

In this tcp lib, there are some interfaces like bind(), Listen(), accept(), send(), recv(). It's really simple. It doesn't contain the options and urgent data.

It is still based on NDIS protocol hooking for some reasons. And I didn't put the connect() part into it, because the way I got the destination mac and local mac is awful. My computer uses DHCP -___-. It's not finished yet, it's just the beginning, I want to implement more protocols, make it a complete protocol stack. (I wanna learn some LINUX stuff before leaving school, so I stop for a little while :p) I hope this tcp thing is useful, and I think open source can make it more stable and make it become a real thing.
I am a newbie here, so please give me your advice to improve it. Experts, please give me your guidance :>
test.c is a test program for it, it only contains one dir command.

The rest is too long to paste here: https://www.rootkit.com/vault/uty/kernel_tcp.rar