Copy-On-Write机制,全局hook(二)
来源:互联网 发布:家装颜色搭配技巧知乎 编辑:程序博客网 时间:2024/05/17 23:24
如果仔细阅读前一篇文章的话,就知道只要PTE的write(bit 1)位置1,就废掉了Copy-On-Write机制(解释一下,因为不可能产生异常了嘛),为了不影响系统的运行,我找了ntdll的文件头(7c800000)做实验:
!process 0 0
.
.
PROCESS 811ae9e0 SessionId: 0 Cid: 015c Peb: 7ffde000 ParentCid: 036c
DirBase: 0997f000 ObjectTable: e15114b0 HandleCount: 126.
Image: svchost.exe
.
.
PROCESS ffa4fd88 SessionId: 0 Cid: 0258 Peb: 7ffd4000 ParentCid: 0104
DirBase: 0712c000 ObjectTable: e104d8e0 HandleCount: 28.
Image: EzDriverInstaller.exe
kd> !vtop 0712c000 7c800000 (随便找个进程,EzDriverInstaller.exe)
X86VtoP: Virt 7c800000, pagedir 712c000
X86VtoP: PDE 712c7c8 - 0b237867
X86VtoP: PTE b237000 - 0f7bd025
X86VtoP: Mapped phys f7bd000
Virtual address 7c800000 translates to physical address f7bd000.
kd> !ed b237000 0f7bd027(关键,5改7)
kd> !vtop 0712c000 7c800000
X86VtoP: Virt 7c800000, pagedir 712c000
X86VtoP: PDE 712c7c8 - 0b237867
X86VtoP: PTE b237000 - 0f7bd027
X86VtoP: Mapped phys f7bd000
Virtual address 7c800000 translates to physical address f7bd000.
kd> g
有一个问题必须要注意,这时只有进程EzDriverInstaller.exe的7c800000页才失去了CopyOnWrite性质,因为各个进程PTE的地址不同,我才改了一个嘛!然后,随便写个程序向EzDriverInstaller.exe的7c800003写入62('b')
(!!注意千万不要用内核调试器eb 7c800003 62这样写,因为KWinDBG本来就是全局的!!还有也千万不用OD之类的调试器,因为它在修改前会先修改页的属性,这样之前的工作就白搭了!!)
kd> .process /p 811ae9e0 (随便找个进程,svchost.exe)
Implicit process is now 811ae9e0
.cache forcedecodeuser done
kd> db 7c800000
7c800000 4d 5a 61 62 03 00 00 00-04 00 00 00 ff ff 00 00 MZab............
7c800010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
7c800020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
7c800030 00 00 00 00 00 00 00 00-00 00 00 00 d0 00 00 00 ................
7c800040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
7c800050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
7c800060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
7c800070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
可以看到无论哪个进程,7c800003处多了个'b',当然这时候可以用OD或其它工具验证!!
如果是修改系统dll代码的话一定要小心,当修改完成后最好改回只读属性(7改5)。如果你不幸找了个正在调试的进程下手,然后又在那代码页中下了个断点!@#¥%…&* 哈哈,那就不幸了O(∩_∩)O~
- Copy-On-Write机制,全局hook(二)
- Copy-On-Write机制,全局hook(一)
- (转载)绕过Copy-On-Write机制安装全局Hook
- 绕过Copy-On-Write机制安装全局Hook
- JUC(二)—— 聊聊 Copy-On-Write
- copy-on-write(写时复制)
- linux的COW(Copy-On-Write)
- COW(copy on write)探析
- Copy-On-Write Access
- Copy-on-write
- copy-on-write 原理
- Copy-On-Write
- copy-on-write原理
- Copy-on-write(COW)
- copy- on-write
- copy on write
- Copy-on-write
- copy on write
- 自定义Ext/Coolite的GridPanel的交替行颜色
- SecureCRT连接Linux,终端显示中文乱码问题,全方面解决
- c语言谜题
- 显式事务控制的隐式提交
- java连接sqlserver
- Copy-On-Write机制,全局hook(二)
- Auriga降低展讯评级有点早
- 9月手记
- Divisors pku 2992
- 组播(IGMP,IGMP SNOOPING,PIM-DM,PIM-SM,MSDP,MBGP)
- 跟自己说声对不起
- 并查集
- 更改debian下mysql数据库的存放路径
- Express, Express, Express
