Reconstructing NtTerminateProcess

This post walks through how the author, while studying the Windows XP Service Pack 3 kernel in spare time, reconstructed the code of NtTerminateProcess. Stepping through it in WinDbg shows that the system call first resolves the caller's handle with ObReferenceObjectByHandle (asking for PROCESS_TERMINATE access under the caller's previous mode) and then hands the actual termination to an internal routine (referred to here as PsTerminateProcess) instead of doing the work inline. The author is unsure why the termination goes through this indirection rather than being done directly in NtTerminateProcess, and speculates that it may be to make the function harder to tamper with, since PsTerminateProcess is not exported.

Having nothing to do after lunch in class, I spent a bit of effort reconstructing the code of NtTerminateProcess on my own machine.

My system is Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible (as reported by windbg).

nt!NtTerminateProcess:
mov     edi,edi
push    ebp
mov     ebp,esp
sub     esp,10h
push    ebx
push    esi
push    edi
mov     eax,KPCR.PrcbData.CurrentThread ;eax = CurrentThread
cmp     ProcessHandle,0
mov     edi,eax
mov     eax,CurrentThread.ApcState.Process
mov     Process,eax ;Process = CurrentThread.ApcState.Process
je      nt!NtTerminateProcess+0x25
;if(ProcessHandle)
;{
nt!NtTerminateProcess+0x1f:
mov     ebp_1,1 ;ebp_1 = 1
jmp     nt!NtTerminateProcess+0x2d
;}
;else
;{
nt!NtTerminateProcess+0x25:
or      ProcessHandle,0FFFFFFFFh ;ProcessHandle = NtCurrentProcess(), i.e. the -1 pseudo-handle
mov     ebp_1,0 ;ebp_1 = 0
;}
nt!NtTerminateProcess+0x2d:
mov     al,CurrentThread.PreviousMode
push    0
mov     PreviousMode,al ;ebp_8.PreviousMode = CurrentThread.PreviousMode
lea     eax,EPROCESS
push    eax
push    CurrentThread.PreviousMode
push    dword ptr [nt!PsProcessType]
push    1
push    ProcessHandle
call    nt!ObReferenceObjectByHandle ;NTSTATUS = ObReferenceObjectByHandle(ProcessHandle,PROCESS_TERMINATE /* = 1 */,*PsProcessType,ebp_8.PreviousMode,&ebp_8.EPROCESS,NULL)
test    eax,eax
mov     esi,EPROCESS ;esi = EPROCESS
mov     ebx,esi ;ebx = esi
jl      nt!NtTerminateProcess+0x144
;if(NT_SUCCESS(NTSTATUS))
;{
nt!NtTerminateProcess+0x5c:
lea
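Worked example, added here and not part of the original post: the prologue above written back out as user-mode C, so the handle-resolution logic can be compiled and exercised on any machine. ObReferenceObjectByHandle is stood in for by a lookup in a constructed handle table; the rule that a KernelMode AccessMode skips the GrantedAccess check follows the documented behaviour of the real routine. Everything named g_table, g_self, g_victim, H(), *_model and *_prologue is an assumption for illustration, not kernel code.

```c
/* Added example (not from the original post): a user-mode C model of the
 * handle-resolution prologue of nt!NtTerminateProcess as reconstructed above.
 * ObReferenceObjectByHandle is replaced by a lookup in a constructed handle
 * table; everything named *_model or g_* is an assumption for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
typedef void   *HANDLE;
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

#define NT_SUCCESS(s)         ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_INVALID_HANDLE ((NTSTATUS)0xC0000008)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)
#define PROCESS_TERMINATE     0x0001u                   /* the "push 1" before the call  */
#define NtCurrentProcess()    ((HANDLE)(intptr_t)-1)    /* "or ProcessHandle,0FFFFFFFFh" */
#define H(n)                  ((HANDLE)(intptr_t)(n))

typedef struct { uint32_t Pid; } EPROCESS;              /* stand-in for the real object */

/* Constructed handle table (assumption): handle value -> object + GrantedAccess. */
typedef struct { HANDLE Handle; EPROCESS *Object; uint32_t GrantedAccess; } HANDLE_ENTRY;

static EPROCESS g_self   = { 1000 };                    /* CurrentThread.ApcState.Process */
static EPROCESS g_victim = { 2000 };
static const HANDLE_ENTRY g_table[] = {
    { H(0x10), &g_victim, PROCESS_TERMINATE | 0x0400u },  /* TERMINATE granted                      */
    { H(0x14), &g_victim, 0x1000u },                      /* PROCESS_QUERY_LIMITED_INFORMATION only */
};

/* Model of ObReferenceObjectByHandle(Handle, DesiredAccess, *PsProcessType,
 * AccessMode, &Object, NULL): the -1 pseudo-handle always resolves to the
 * current process, and a KernelMode AccessMode skips the GrantedAccess check,
 * which is why the syscall passes the caller's PreviousMode rather than KernelMode. */
static NTSTATUS ObReferenceObjectByHandle_model(HANDLE Handle, uint32_t DesiredAccess,
                                                KPROCESSOR_MODE AccessMode, EPROCESS **Object)
{
    if (Handle == NtCurrentProcess()) {
        *Object = &g_self;
        return STATUS_SUCCESS;
    }
    for (size_t i = 0; i < sizeof g_table / sizeof g_table[0]; i++) {
        if (g_table[i].Handle != Handle)
            continue;
        if (AccessMode != KernelMode &&
            (g_table[i].GrantedAccess & DesiredAccess) != DesiredAccess)
            return STATUS_ACCESS_DENIED;
        *Object = g_table[i].Object;
        return STATUS_SUCCESS;
    }
    return STATUS_INVALID_HANDLE;
}

/* What the prologue leaves behind: the reference status, the resolved
 * EPROCESS (esi/ebx) and the ebp_1 flag ("caller passed an explicit handle"). */
typedef struct { NTSTATUS Status; EPROCESS *Process; int ExplicitHandle; } TERMINATE_PROLOGUE;

static TERMINATE_PROLOGUE NtTerminateProcess_prologue(HANDLE ProcessHandle,
                                                      KPROCESSOR_MODE PreviousMode)
{
    TERMINATE_PROLOGUE r = { STATUS_SUCCESS, NULL, 0 };
    if (ProcessHandle != NULL) {
        r.ExplicitHandle = 1;                    /* +0x1f: mov ebp_1,1                  */
    } else {
        ProcessHandle    = NtCurrentProcess();   /* +0x25: or ProcessHandle,0FFFFFFFFh  */
        r.ExplicitHandle = 0;                    /*        mov ebp_1,0                  */
    }
    r.Status = ObReferenceObjectByHandle_model(ProcessHandle, PROCESS_TERMINATE,
                                               PreviousMode, &r.Process);
    if (!NT_SUCCESS(r.Status))                   /* test eax,eax / jl +0x144            */
        r.Process = NULL;
    return r;
}

int main(void)
{
    const struct { const char *name; HANDLE h; KPROCESSOR_MODE m; } cases[] = {
        { "NULL handle, user mode",    NULL,    UserMode   },
        { "handle with TERMINATE",     H(0x10), UserMode   },
        { "handle without TERMINATE",  H(0x14), UserMode   },
        { "same handle, kernel mode",  H(0x14), KernelMode },
        { "bogus handle",              H(0x99), UserMode   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        TERMINATE_PROLOGUE r = NtTerminateProcess_prologue(cases[i].h, cases[i].m);
        printf("%-28s status=0x%08X explicit=%d pid=%u\n", cases[i].name,
               (unsigned)r.Status, r.ExplicitHandle, r.Process ? r.Process->Pid : 0u);
    }
    return 0;
}
```

Two things the listing makes visible are preserved in the model: a NULL ProcessHandle is silently turned into the -1 pseudo-handle with ebp_1 cleared, so later code can tell "terminate myself" apart from "terminate the process this handle names"; and the reference asks for exactly PROCESS_TERMINATE under the caller's PreviousMode, so a user-mode handle opened without that right fails the call (STATUS_ACCESS_DENIED) before any termination logic runs.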
Blue screen:

************* Preparing the environment for Debugger Extensions Gallery repositories **************
   ExtensionRepository : Implicit
   UseExperimentalFeatureForNugetShare : true
   AllowNugetExeUpdate : true
   NonInteractiveNuget : true
   AllowNugetMSCredentialProviderInstall : true
   AllowParallelInitializationOfLocalRepositories : true
   EnableRedirectToChakraJsProvider : false
   -- Configuring repositories
      ----> Repository : LocalInstalled, Enabled: true
      ----> Repository : UserExtensions, Enabled: true
>>>>>>>>>>>>> Preparing the environment for Debugger Extensions Gallery repositories completed, duration 0.000 seconds

************* Waiting for Debugger Extensions Gallery to Initialize **************
>>>>>>>>>>>>> Waiting for Debugger Extensions Gallery to Initialize completed, duration 0.032 seconds
   ----> Repository : UserExtensions, Enabled: true, Packages count: 0
   ----> Repository : LocalInstalled, Enabled: true, Packages count: 45

Microsoft (R) Windows Debugger Version 10.0.27871.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\082925-9484-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 22621 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff806`6e400000 PsLoadedModuleList = 0xfffff806`6f0135f0
Debug session time: Fri Aug 29 00:08:43.013 2025 (UTC + 8:00)
System Uptime: 0 days 0:01:27.674
Loading Kernel Symbols
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
....
Loading User Symbols
Loading unloaded module list
....
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff806`6e81dfe0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffff9083`18dfed00=00000000000000ef
11: kd> !analyze -v
Loading Kernel Symbols
....
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: ffffc783be0020c0, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: ffffc783be0020c0, The process object that initiated the termination.
Arg4: 0000000000000000, Additional triage data.

Debugging Details:
------------------

KEY_VALUES_STRING: 1
    Key : Analysis.CPU.mSec                        Value: 1546
    Key : Analysis.Elapsed.mSec                    Value: 4546
    Key : Analysis.IO.Other.Mb                     Value: 0
    Key : Analysis.IO.Read.Mb                      Value: 1
    Key : Analysis.IO.Write.Mb                     Value: 0
    Key : Analysis.Init.CPU.mSec                   Value: 281
    Key : Analysis.Init.Elapsed.mSec               Value: 43065
    Key : Analysis.Memory.CommitPeak.Mb            Value: 108
    Key : Analysis.Version.DbgEng                  Value: 10.0.27871.1001
    Key : Analysis.Version.Description             Value: 10.2505.01.02 amd64fre
    Key : Analysis.Version.Ext                     Value: 1.2505.1.2
    Key : Bugcheck.Code.LegacyAPI                  Value: 0xef
    Key : Bugcheck.Code.TargetModel                Value: 0xef
    Key : CriticalProcessDied.ExceptionCode        Value: 0xbe0350c0
    Key : CriticalProcessDied.Process              Value: csrss.exe
    Key : Dump.Attributes.AsUlong                  Value: 0x1008
    Key : Dump.Attributes.DiagDataWrittenToHeader  Value: 1
    Key : Dump.Attributes.ErrorCode                Value: 0x0
    Key : Dump.Attributes.KernelGeneratedTriageDump Value: 1
    Key : Dump.Attributes.LastLine                 Value: Dump completed successfully.
    Key : Dump.Attributes.ProgressPercentage       Value: 0
    Key : Failure.Bucket                           Value: 0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_be0350c0_nt!PspCatchCriticalBreak
    Key : Failure.Exception.Code                   Value: 0xbe0350c0
    Key : Failure.Exception.Record                 Value: 0xfffffd8000000000
    Key : Failure.Hash                             Value: {3c5c6c7c-1f71-69b4-48bc-df26b6dae18a}

BUGCHECK_CODE: ef
BUGCHECK_P1: ffffc783be0020c0
BUGCHECK_P2: 0
BUGCHECK_P3: ffffc783be0020c0
BUGCHECK_P4: 0
FILE_IN_CAB: 082925-9484-01.dmp
DUMP_FILE_ATTRIBUTES: 0x1008
  Kernel Generated Triage Dump
FAULTING_THREAD: ffffc783be0350c0
PROCESS_NAME: csrss.exe
CRITICAL_PROCESS: csrss.exe
EXCEPTION_RECORD: fffffd8000000000 -- (.exr 0xfffffd8000000000)
Cannot read Exception record @ fffffd8000000000
ERROR_CODE: (NTSTATUS) 0xbe0350c0 - <Unable to get error code text>
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
TRAP_FRAME: fffffdfeff7fb000 -- (.trap 0xfffffdfeff7fb000)
Unable to read trap frame at fffffdfe`ff7fb000
Resetting default scope

STACK_TEXT:
ffff9083`18dfecf8 fffff806`6edb3e1b : 00000000`000000ef ffffc783`be0020c0 00000000`00000000 ffffc783`be0020c0 : nt!KeBugCheckEx
ffff9083`18dfed00 fffff806`6ece1ad9 : ffffc783`be0020c0 00000000`00000002 00000000`00000000 fffff806`6e604847 : nt!PspCatchCriticalBreak+0x11b
ffff9083`18dfed90 fffff806`6ea83abb : ffffc783`be0020c0 00000000`c0000005 ffffc783`be0020c0 00000000`00000001 : nt!PspTerminateAllThreads+0x174af9
ffff9083`18dfee00 fffff806`6ea83891 : ffffffff`ffffffff ffffc783`be0020c0 ffffc783`be0350c0 ffffc783`be0020c0 : nt!PspTerminateProcess+0xe7
ffff9083`18dfee40 fffff806`6e833605 : 000000d2`0000042c ffffc783`be0350c0 ffffc783`be0020c0 fffff806`6ed399c7 : nt!NtTerminateProcess+0xb1
ffff9083`18dfeec0 fffff806`6e823ad0 : fffff806`6e8b9957 ffffffff`ffffffff 000000d2`4ea80cb0 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x25
ffff9083`18dff058 fffff806`6e8b9957 : ffffffff`ffffffff 000000d2`4ea80cb0 00000000`00000001 ffff9083`18dff090 : nt!KiServiceLinkage
ffff9083`18dff060 fffff806`6e83407c : fffffd80`00000000 00000000`00000000 fffffdfe`ff7fb000 00000000`00000000 : nt!KiDispatchException+0x1ad317
ffff9083`18dff8c0 fffff806`6e82f363 : 00000000`00000800 00000000`00000000 000000d2`4ea81910 00000000`00000000 : nt!KiExceptionDispatch+0x13c
ffff9083`18dffaa0 00007ffa`8952e67e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x463
000000d2`4ea80ef0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`8952e67e

SYMBOL_NAME: nt!PspCatchCriticalBreak+11b
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.22621.5766
STACK_COMMAND: .process /r /p 0xffffc783be0020c0; .thread 0xffffc783be0350c0 ; kb
BUCKET_ID_FUNC_OFFSET: 11b
FAILURE_BUCKET_ID: 0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_be0350c0_nt!PspCatchCriticalBreak
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3c5c6c7c-1f71-69b4-48bc-df26b6dae18a}

Followup: MachineOwner
---------
08-30
0: kd> !analyze -v
Loading Kernel Symbols
....
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: ffffca8dc71990c0, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: ffffca8dc71990c0, The process object that initiated the termination.
Arg4: 0000000000000000, Additional triage data.

Debugging Details:
------------------

KEY_VALUES_STRING: 1
    Key : Analysis.CPU.mSec                          Value: 3453
    Key : Analysis.Elapsed.mSec                      Value: 37518
    Key : Analysis.IO.Other.Mb                       Value: 0
    Key : Analysis.IO.Read.Mb                        Value: 4
    Key : Analysis.IO.Write.Mb                       Value: 0
    Key : Analysis.Init.CPU.mSec                     Value: 687
    Key : Analysis.Init.Elapsed.mSec                 Value: 3986
    Key : Analysis.Memory.CommitPeak.Mb              Value: 109
    Key : Analysis.Version.DbgEng                    Value: 10.0.29457.1000
    Key : Analysis.Version.Description               Value: 10.2506.23.01 amd64fre
    Key : Analysis.Version.Ext                       Value: 1.2506.23.1
    Key : Bugcheck.Code.LegacyAPI                    Value: 0xef
    Key : Bugcheck.Code.TargetModel                  Value: 0xef
    Key : CriticalProcessDied.ExceptionCode          Value: 0xd5228080
    Key : CriticalProcessDied.Process                Value: svchost.exe
    Key : Failure.Bucket                             Value: 0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_d5228080_nt!PspCatchCriticalBreak
    Key : Failure.Hash                               Value: {3abb66a8-bdf6-0b4c-6389-7633e2afb759}
    Key : Hypervisor.Enlightenments.ValueHex         Value: 0x7497cf94
    Key : Hypervisor.Flags.AnyHypervisorPresent      Value: 1
    Key : Hypervisor.Flags.ApicEnlightened           Value: 1
    Key : Hypervisor.Flags.ApicVirtualizationAvailable Value: 0
    Key : Hypervisor.Flags.AsyncMemoryHint           Value: 0
    Key : Hypervisor.Flags.CoreSchedulerRequested    Value: 0
    Key : Hypervisor.Flags.CpuManager                Value: 1
    Key : Hypervisor.Flags.DeprecateAutoEoi          Value: 0
    Key : Hypervisor.Flags.DynamicCpuDisabled        Value: 1
    Key : Hypervisor.Flags.Epf                       Value: 0
    Key : Hypervisor.Flags.ExtendedProcessorMasks    Value: 1
    Key : Hypervisor.Flags.HardwareMbecAvailable     Value: 1
    Key : Hypervisor.Flags.MaxBankNumber             Value: 0
    Key : Hypervisor.Flags.MemoryZeroingControl      Value: 0
    Key : Hypervisor.Flags.NoExtendedRangeFlush      Value: 0
    Key : Hypervisor.Flags.NoNonArchCoreSharing      Value: 1
    Key : Hypervisor.Flags.Phase0InitDone            Value: 1
    Key : Hypervisor.Flags.PowerSchedulerQos         Value: 0
    Key : Hypervisor.Flags.RootScheduler             Value: 0
    Key : Hypervisor.Flags.SynicAvailable            Value: 1
    Key : Hypervisor.Flags.UseQpcBias                Value: 0
    Key : Hypervisor.Flags.Value                     Value: 38408431
    Key : Hypervisor.Flags.ValueHex                  Value: 0x24a10ef
    Key : Hypervisor.Flags.VpAssistPage              Value: 1
    Key : Hypervisor.Flags.VsmAvailable              Value: 1
    Key : Hypervisor.RootFlags.AccessStats           Value: 1
    Key : Hypervisor.RootFlags.CrashdumpEnlightened  Value: 1
    Key : Hypervisor.RootFlags.CreateVirtualProcessor Value: 1
    Key : Hypervisor.RootFlags.DisableHyperthreading Value: 0
    Key : Hypervisor.RootFlags.HostTimelineSync      Value: 1
    Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled Value: 0
    Key : Hypervisor.RootFlags.IsHyperV              Value: 1
    Key : Hypervisor.RootFlags.LivedumpEnlightened   Value: 1
    Key : Hypervisor.RootFlags.MapDeviceInterrupt    Value: 1
    Key : Hypervisor.RootFlags.MceEnlightened        Value: 1
    Key : Hypervisor.RootFlags.Nested                Value: 0
    Key : Hypervisor.RootFlags.StartLogicalProcessor Value: 1
    Key : Hypervisor.RootFlags.Value                 Value: 1015
    Key : Hypervisor.RootFlags.ValueHex              Value: 0x3f7
    Key : WER.OS.Branch                              Value: ge_release
    Key : WER.OS.Version                             Value: 10.0.26100.1
    Key : WER.System.BIOSRevision                    Value: 5.16.0.0

BUGCHECK_CODE: ef
BUGCHECK_P1: ffffca8dc71990c0
BUGCHECK_P2: 0
BUGCHECK_P3: ffffca8dc71990c0
BUGCHECK_P4: 0
FILE_IN_CAB: 110625-16562-01.dmp
FAULTING_THREAD: ffffca8dd5228080
PROCESS_NAME: svchost.exe
CRITICAL_PROCESS: svchost.exe
ERROR_CODE: (NTSTATUS) 0xd5228080 - <Unable to get error code text>
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1 (!blackboxwinlogon)
CUSTOMER_CRASH_COUNT: 1

STACK_TEXT:
ffff848b`254278f8 fffff801`da169810 : 00000000`000000ef ffffca8d`c71990c0 00000000`00000000 ffffca8d`c71990c0 : nt!KeBugCheckEx
ffff848b`25427900 fffff801`da2ce66f : ffffca8d`c71990c0 00000000`00000000 00000000`00000000 fffff801`d9e857d1 : nt!PspCatchCriticalBreak+0x128
ffff848b`254279a0 fffff801`da3084ef : ffffca8d`c71990c0 ffffca8d`c7199288 ffffca8d`c71990c0 00000000`00000000 : nt!PspTerminateAllThreads+0x27b
ffff848b`25427a20 fffff801`da46af4a : ffffca8d`c71990c0 00000000`00000001 ffffca8d`d5228080 ffffca8d`c71990c0 : nt!PspTerminateProcess+0xf7
ffff848b`25427a60 fffff801`da0b2058 : ffffca8d`c71990c0 ffffca8d`d5228080 01dc4e49`8072bd42 005a0000`00000013 : nt!NtTerminateProcess+0xca
ffff848b`25427ae0 00007fff`7f362244 : 00007fff`7cb34d59 00000166`00000000 00000000`00000000 ffffffff`ffffffff : nt!KiSystemServiceCopyEnd+0x28
0000005f`3ce7bc78 00007fff`7cb34d59 : 00000166`00000000 00000000`00000000 ffffffff`ffffffff 0000d8c2`5844128e : 0x00007fff`7f362244
0000005f`3ce7bc80 00000166`00000000 : 00000000`00000000 ffffffff`ffffffff 0000d8c2`5844128e 0000005f`3ce7cb00 : 0x00007fff`7cb34d59
0000005f`3ce7bc88 00000000`00000000 : ffffffff`ffffffff 0000d8c2`5844128e 0000005f`3ce7cb00 00007fff`7cbda933 : 0x00000166`00000000

SYMBOL_NAME: nt!PspCatchCriticalBreak+128
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.26100.7019
STACK_COMMAND: .process /r /p 0xffffca8dc71990c0; .thread 0xffffca8dd5228080 ; kb
BUCKET_ID_FUNC_OFFSET: 128
FAILURE_BUCKET_ID: 0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_d5228080_nt!PspCatchCriticalBreak
OS_VERSION: 10.0.26100.1
BUILDLAB_STR: ge_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3abb66a8-bdf6-0b4c-6389-7633e2afb759}

Followup: MachineOwner
---------

What error is this?