http://nokyo.blogbus.com/Wed, 10 Jun 2009 01:22:19 GMT灰狐 [iCoodle]潜心静待风雷动,蛰伏十年一朝起!博客大巴http://nokyo.blogbus.com/atom.xmlWed, 10 Jun 2009 01:26:06 GMT灰狐 [iCoodle]http://public.blogbus.com/profile/7/3/0/4718037/avatar_4718037_96.jpghttp://nokyo.blogbus.com/【乱弹】关于编程学习,我也扯几句http://nokyo.blogbus.com/logs/40791457.htmlgrayfoxhttp://nokyo.blogbus.com/logs/40791457.html<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 最近在群里见到越来越多这样的情况,没办法说了。新手嘛,谁不是从新手起来的,就怎么就知道人家不理解你们新手?<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;学习,关键是要找对方向,要知道如何去学习!!!这一点做不到,别人哪怕手把手教你也是没多大进展的。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/34018521.html">【驱动笔记11】使用DeviceIoControl通信</a> 2009-01-17</div><div><a href="/logs/34005738.html">【驱动笔记9】初探IRP</a> 2009-01-17</div><div><a href="/logs/33851908.html">【乱弹】鄙视短信和电话骗子</a> 2009-01-14</div><div><a href="/logs/33484395.html">【驱动笔记6】在内核中创建线程</a> 2009-01-06</div><div><a href="/logs/33385676.html">【乱弹】话说考试的烦恼</a> 2009-01-04</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><img src="http://www1.feedsky.com/t1/229591830/nokyo_blogbus_com/blogbus.com/s.gif?r=http://nokyo.blogbus.com/logs/40791457.html" border="0" height="0" width="0" style="position:absolute" /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591830/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591830/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Wed, 10 Jun 2009 09:22:19 +0800http://nokyo.blogbus.com/logs/40791457.htmlgrayfoxhttp://nokyo.blogbus.com/logs/40791457.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591830/5353899【原创】关于LSP的一点记录http://nokyo.blogbus.com/logs/39936957.htmlgrayfoxhttp://nokyo.blogbus.com/logs/39936957.html<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 关于LSP是什么我就不多说了,假定大家都知道,不知道的可以去Google问问。<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LSP其实还是很有用的,不过最近看到许多人在学习过程中老遇到一些问题,下面就把我的一些经验说出来,纯属个人理解,有错勿怪。<br /><br />1,安装LSP后系统逐渐卡死?<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 额,我当时学习的时候曾经遇到过这个问...</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/35243687.html">【原创】Detours API HOOK快速入门</a> 2009-02-16</div><div><a href="/logs/34010655.html">【驱动笔记10】再谈IRP</a> 2009-01-17</div><div><a href="/logs/33021454.html">【原创】另类的水晶连连看外挂</a> 2008-12-27</div><div><a href="/logs/33027622.html">【原创】简述过滤文件传输的实现</a> 2008-12-26</div><div><a href="/logs/32976571.html">【原创】网络数据包捕获与发送的多重实现</a> 2008-12-26</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><img src="http://www1.feedsky.com/t1/229591831/nokyo_blogbus_com/blogbus.com/s.gif?r=http://nokyo.blogbus.com/logs/39936957.html" border="0" height="0" width="0" style="position:absolute" /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591831/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591831/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Mon, 25 May 2009 17:38:21 +0800http://nokyo.blogbus.com/logs/39936957.htmlgrayfoxhttp://nokyo.blogbus.com/logs/39936957.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591831/5353899【驱动笔记17】SSDT HOOK实现文件保护http://nokyo.blogbus.com/logs/39619292.htmlgrayfoxhttp://nokyo.blogbus.com/logs/39619292.html&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 很久没写点什么了,最近在忙着做一些零碎的程序,过一段儿时间一定放新东西。<br />现在手头上的其中一件事情就是帮同学做一个文件保护的毕业设计,考虑再三还是使用SSDT HOOK,因为这个最简单,而且比较稳定,也容易理解。<br /><br /> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 提到文件保护,无非就是文件隐藏、文件打开、读写、删除保护等。<br /><br /> 一、文件隐藏<br />&nbsp;&nb...<!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/37252170.html">【驱动笔记16】读取文件和注册表句柄信息</a> 2009-03-30</div><div><a href="/logs/35320995.html">【驱动笔记12】SSDT HOOK实现进程保护</a> 2009-02-17</div><div><a href="/logs/34010655.html">【驱动笔记10】再谈IRP</a> 2009-01-17</div><div><a href="/logs/33636725.html">【驱动笔记8】通过EPROCESS链表枚举进程</a> 2009-01-09</div><div><a href="/logs/33484395.html">【驱动笔记6】在内核中创建线程</a> 2009-01-06</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><img src="http://www1.feedsky.com/t1/229591832/nokyo_blogbus_com/blogbus.com/s.gif?r=http://nokyo.blogbus.com/logs/39619292.html" border="0" height="0" width="0" style="position:absolute" /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591832/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591832/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Wed, 20 May 2009 09:37:06 +0800http://nokyo.blogbus.com/logs/39619292.htmlgrayfoxhttp://nokyo.blogbus.com/logs/39619292.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591832/5353899【原创】SSDT HOOK拦截远线程的创建(下)http://nokyo.blogbus.com/logs/37850401.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37850401.html<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;在第二部分我们使用了一个前提:可以通过进程句柄得到PID等信息。<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 事实上这是可行的,这一部分我们就进行介绍。我这里使用的是炉子大虾的《API HOOK实现ring3的进程保护》一文中提到的方法。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/39619292.html">【驱动笔记17】SSDT HOOK实现文件保护</a> 2009-05-20</div><div><a href="/logs/36654356.html">【驱动笔记14】初步认识MDL</a> 2009-03-17</div><div><a href="/logs/36616151.html">【驱动笔记13】有关cr0的一点记录</a> 2009-03-16</div><div><a href="/logs/33636725.html">【驱动笔记8】通过EPROCESS链表枚举进程</a> 2009-01-09</div><div><a href="/logs/33271026.html">【驱动笔记2】在驱动中使用链表</a> 2009-01-01</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591833/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591833/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Mon, 13 Apr 2009 17:02:01 +0800http://nokyo.blogbus.com/logs/37850401.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37850401.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591833/5353899【原创】SSDT HOOK拦截远线程的创建(上)http://nokyo.blogbus.com/logs/37787913.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37787913.html<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 在ring3的API HOOK中,怎样迫使目标进程调用我们的傀儡DLL是我们非常重视的一个问题。在多数情况下,我们都喜欢使用CreateRemoteThread在目标进程中创建一个远程线程来迫使它加载我们的DLL。<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 因为CreateRemoteThread的使用方法并不复杂,而且与其他方式相比,它可以称得上是一种相当&ldquo;优雅&rdquo;的做法。各种因素的汇集就导致了这种方法的泛滥,致使很多具备主动防御或行为监控的安全软件都加强了对这个函数的照顾。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/39619292.html">【驱动笔记17】SSDT HOOK实现文件保护</a> 2009-05-20</div><div><a href="/logs/37850401.html">【原创】SSDT HOOK拦截远线程的创建(下)</a> 2009-04-13</div><div><a href="/logs/34005738.html">【驱动笔记9】初探IRP</a> 2009-01-17</div><div><a href="/logs/33542878.html">【驱动笔记7】再谈ZwQuerySystemInformation</a> 2009-01-07</div><div><a href="/logs/33347925.html">【驱动笔记5】获取系统时间和启动毫秒数</a> 2009-01-03</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591834/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591834/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Sun, 12 Apr 2009 12:42:25 +0800http://nokyo.blogbus.com/logs/37787913.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37787913.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591834/5353899【原创】内核模式简单实现进程监控http://nokyo.blogbus.com/logs/37582490.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37582490.html<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 在使用冰刃的时候我们可以发现它有一个&ldquo;监视进线程创建&rdquo;的功能,这个功能挺有用的,在用户模式下我们可以注册一个shell钩子来监视,或者通过挂钩一些进程创建的Win32 API来实现。<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 在内核模式下我们同样可以使用API HOOK来实现,但是还有一些简单的做法,比如我们今天要介绍的PsSetCreateProcessNotifyRoutine函数。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/37850401.html">【原创】SSDT HOOK拦截远线程的创建(下)</a> 2009-04-13</div><div><a href="/logs/36697074.html">【驱动笔记15】键盘过滤驱动学习笔记</a> 2009-03-18</div><div><a href="/logs/36616151.html">【驱动笔记13】有关cr0的一点记录</a> 2009-03-16</div><div><a href="/logs/33542878.html">【驱动笔记7】再谈ZwQuerySystemInformation</a> 2009-01-07</div><div><a href="/logs/33347925.html">【驱动笔记5】获取系统时间和启动毫秒数</a> 2009-01-03</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591835/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591835/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Tue, 07 Apr 2009 17:43:07 +0800http://nokyo.blogbus.com/logs/37582490.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37582490.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591835/5353899【驱动笔记16】读取文件和注册表句柄信息http://nokyo.blogbus.com/logs/37252170.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37252170.html<p>从文件句柄和注册表句柄中读取文件及注册表键完整路径的方法。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/39619292.html">【驱动笔记17】SSDT HOOK实现文件保护</a> 2009-05-20</div><div><a href="/logs/37787913.html">【原创】SSDT HOOK拦截远线程的创建(上)</a> 2009-04-12</div><div><a href="/logs/36697074.html">【驱动笔记15】键盘过滤驱动学习笔记</a> 2009-03-18</div><div><a href="/logs/36654356.html">【驱动笔记14】初步认识MDL</a> 2009-03-17</div><div><a href="/logs/36616151.html">【驱动笔记13】有关cr0的一点记录</a> 2009-03-16</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591836/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591836/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Mon, 30 Mar 2009 16:58:30 +0800http://nokyo.blogbus.com/logs/37252170.htmlgrayfoxhttp://nokyo.blogbus.com/logs/37252170.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591836/5353899【驱动笔记15】键盘过滤驱动学习笔记http://nokyo.blogbus.com/logs/36697074.htmlgrayfoxhttp://nokyo.blogbus.com/logs/36697074.html<p>并不是所有的驱动都需要直接访问硬件的,事实上几乎所有的硬件设备都存在着驱动程序链,最底层的驱动程序可以直接访问硬件,并对上层提供透明服务,最上层的驱动程序只要对接收到的数据进行过滤、格式化等处理即可,这样大大减少了开发的难度。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/39619292.html">【驱动笔记17】SSDT HOOK实现文件保护</a> 2009-05-20</div><div><a href="/logs/37850401.html">【原创】SSDT HOOK拦截远线程的创建(下)</a> 2009-04-13</div><div><a href="/logs/36616151.html">【驱动笔记13】有关cr0的一点记录</a> 2009-03-16</div><div><a href="/logs/34010655.html">【驱动笔记10】再谈IRP</a> 2009-01-17</div><div><a href="/logs/33484395.html">【驱动笔记6】在内核中创建线程</a> 2009-01-06</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591837/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591837/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Wed, 18 Mar 2009 09:19:26 +0800http://nokyo.blogbus.com/logs/36697074.htmlgrayfoxhttp://nokyo.blogbus.com/logs/36697074.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591837/5353899【驱动笔记14】初步认识MDLhttp://nokyo.blogbus.com/logs/36654356.htmlgrayfoxhttp://nokyo.blogbus.com/logs/36654356.html<p>我们知道,系统中一些重要的表项如SSDT是只读的,如果我们强行对其进行修改就会造成BSOD的严重后果。当然这种保护方式很容易被绕过,我们曾经介绍了通过修改cr0来禁用WP(Write Protect,写保护)位的方法,现在再介绍一种不需要使用汇编的方法,就是MDL。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/39619292.html">【驱动笔记17】SSDT HOOK实现文件保护</a> 2009-05-20</div><div><a href="/logs/37787913.html">【原创】SSDT HOOK拦截远线程的创建(上)</a> 2009-04-12</div><div><a href="/logs/37252170.html">【驱动笔记16】读取文件和注册表句柄信息</a> 2009-03-30</div><div><a href="/logs/36616151.html">【驱动笔记13】有关cr0的一点记录</a> 2009-03-16</div><div><a href="/logs/34010655.html">【驱动笔记10】再谈IRP</a> 2009-01-17</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591838/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591838/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Tue, 17 Mar 2009 09:37:45 +0800http://nokyo.blogbus.com/logs/36654356.htmlgrayfoxhttp://nokyo.blogbus.com/logs/36654356.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591838/5353899【驱动笔记13】有关cr0的一点记录http://nokyo.blogbus.com/logs/36616151.htmlgrayfoxhttp://nokyo.blogbus.com/logs/36616151.html<p>cr0是系统内的控制寄存器之一。控制寄存器是一些特殊的寄存器,它们可以控制CPU的一些重要特性。</p><!--sp--><div class="relpost"><br/><h3>随机文章:</h3><div><a href="/logs/39619292.html">【驱动笔记17】SSDT HOOK实现文件保护</a> 2009-05-20</div><div><a href="/logs/37252170.html">【驱动笔记16】读取文件和注册表句柄信息</a> 2009-03-30</div><div><a href="/logs/35320995.html">【驱动笔记12】SSDT HOOK实现进程保护</a> 2009-02-17</div><div><a href="/logs/34005738.html">【驱动笔记9】初探IRP</a> 2009-01-17</div><div><a href="/logs/33484395.html">【驱动笔记6】在内核中创建线程</a> 2009-01-06</div></div><br /><br /><div class="sysmsg"><b><a href="http://www.blogbus.com" target="_blank">博客大巴,你的个人传媒早班车</a></b></div><br /><br /><p class="fswww1"><a href="http://www1.feedsky.com/r/l/blogbus.com/nokyo_blogbus_com/229591839/art01.html" target="_blank"><img border="0" ismap="ismap" src="http://www1.feedsky.com/r/i/blogbus.com/nokyo_blogbus_com/229591839/art01.gif" onerror="this.style.display='none'" /></a></p>未分类Mon, 16 Mar 2009 10:12:13 +0800http://nokyo.blogbus.com/logs/36616151.htmlgrayfoxhttp://nokyo.blogbus.com/logs/36616151.htmlhttp://nokyo.blogbus.com/atom.xmlblogbus.com/nokyo_blogbus_com/~7244465/229591839/5353899