原创 窗口抖动
#include #include #include VOID JitterWindow(HWND hwnd){ RECT rect; int cxWidth, cyHeight, iIdx; if (!IsWindow(hwnd))return; GetWindowRect(hwnd, &rect); cxWidth = rect.right-rect.left;
2017-11-30 09:32:05
643
原创 自删除/删除目录下所有文件
#include #include #include #include #include #pragma comment(lib,"Shlwapi.lib")//获取文件名字 BOOL GetFileName(const wchar_t* pImageFilePath, wchar_t* pFileName) { if (IsBadReadPtr(pImageFi
2017-09-11 16:58:57
698
原创 GetWindowsProductKey
#include #include #include char* DecodeProductKey(BYTE digitalProductId[]){ static const char digits[] ={'B', 'C', 'D', 'F', 'G', 'H', 'J', 'K', 'M', 'P', 'Q', 'R', 'T', 'V', 'W', 'X', 'Y', '2
2017-08-16 19:36:19
840
原创 rc4
#include #include static UCHAR g_DeCryptKey[48] = {0xDB, 0x22, 0x98, 0x90, 0x5B, 0xCB, 0x3A, 0x91, 0x92, 0xCA, 0xC4, 0x33, 0x0E, 0xDB, 0xBB, 0x55, 0x78, 0x02, 0xD8, 0x24, 0x91, 0x5C, 0x25, 0xB
2017-08-03 17:13:03
509
原创 bin2cHex
#include #include #include #include #define BYTES_PER_LINE 0x10void main(void){ wchar_t binfilename[]=TEXT("d:\\x861.sys"); char cfilename[]="d:\\1234.h"; char* buffer=NULL; FILE *fp = NU
2017-07-04 17:43:08
489
原创 获取系统位数
#include typedef struct _SYSTEM_PROCESSOR_INFORMATION { USHORT ProcessorArchitecture; USHORT ProcessorLevel; USHORT ProcessorRevision; USHORT Reserved; ULONG ProcessorFeatureBits;} SYSTEM_
2017-06-29 19:06:06
816
原创 遍历_EPROCESS->Vm->WorkingSetExpansionLinks链表枚举进程
#include #include UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);HANDLE PsGetProcessInheritedFromUniqueProcessId(__in PEPROCESS Process);VOID HelloDDKUnload(IN PDRIVER_OBJECT pDrive
2017-06-19 17:47:57
511
1
原创 遍历_EPROCESS->ObjectTable->HandleTableList链表枚举进程
#include #include UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);HANDLE PsGetProcessInheritedFromUniqueProcessId(__in PEPROCESS Process);VOID HelloDDKUnload(IN PDRIVER_OBJECT pDrive
2017-06-19 17:31:29
1503
原创 遍历_EPROCESS->SessionProcessLinks链表枚举进程
#include #include UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);HANDLE PsGetProcessInheritedFromUniqueProcessId(__in PEPROCESS Process);VOID HelloDDKUnload(IN PDRIVER_OBJECT pDrive
2017-06-19 16:42:26
765
原创 遍历_EPROCESS->ActiveProcessLinks链表枚举进程
#include UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);HANDLE PsGetProcessInheritedFromUniqueProcessId(__in PEPROCESS Process);VOID HelloDDKUnload(IN PDRIVER_OBJECT pDriverObject){
2017-06-18 19:13:12
1106
原创 TLS回调
#include #pragma comment(linker, "/INCLUDE:__tls_used") #pragma comment(lib, "User32.lib") void NTAPI TLS_CALLBACK(PVOID DllHandle, DWORD Reason, PVOID Reserved){ if (IsDebuggerPresent())
2017-05-25 13:56:29
391
原创 ShellExecute使用管理员身份执行
#include #include#includeint main(void){ SHELLEXECUTEINFO sei = { sizeof(SHELLEXECUTEINFO) }; sei.lpVerb = TEXT("runas"); sei.lpFile = TEXT("cmd.exe");//add application which you want to run
2017-05-22 15:33:36
4831
原创 BASE64编码算法（注意：Base64 只是编码而非加密，不提供任何保密性，任何人都可直接解码）
#include #include char Chars[65] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890+=";int GetIndex(BYTE b){ for (int i = 0; i < 64; i++) { if (b == Chars[i]) { return i;
2017-04-27 09:26:31
405
原创 inline hook
#include #include #include #include "ldasm.h"#ifdef _WIN64#define HOOKLEN 15#define ProxyJmpCodeLength 15 #else#define HOOKLEN 5#define ProxyJmpCodeLength 7 //siz
2017-04-22 17:41:40
492
原创 防止调试事件被发往调试器
typedef NTSTATUS(*fnZwSetInformationThread)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength); fnZwSetInformationThread ZwSetInform
2017-04-14 11:27:47
797
原创 RtlGetVersion获取操作系统版本
#include #include //操作系统版本#define WINXP 51#define WINXP2600 512600#define WIN7 61#define WIN77600 617600#define WIN77601 617601#define WIN8 62#define WIN89200 62920
2017-03-08 13:52:13
7642
1
原创 遍历进程模块
#include #include #include #define ProcessBasicInformation 0#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)typedef struct _PROCESS_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID PebB
2017-01-22 15:31:48
2661
原创 枚举系统模块信息
#include #include #include typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT Modul
2017-01-22 14:39:09
2651
原创 EXE和SYS通信(FltSendMessage+FilterReplyMessage)
#ifndef _HEADER_HEAD_FILE#define _HEADER_HEAD_FILE#pragma once#include #include #ifndef MAX_PATH#define MAX_PATH 260#endiftypedef struct _SCANNER_NOTIFICATION { BOOLEAN bCreate; ULONG Res
2017-01-04 13:11:43
5037
3
原创 EXE和SYS通信MiniFilter基于事件方式
#ifndef _HEADER_HEAD_FILE#define _HEADER_HEAD_FILE#pragma once#include #include #include #include #ifndef MAX_PATH#define MAX_PATH 260#endifNTKERNELAPI UCHAR * PsGetProcessImageFileN
2016-12-30 16:06:05
1609
原创 EXE和SYS基于事件同步消息通知
#ifndef _HEADER_HEAD_FILE#define _HEADER_HEAD_FILE#pragma once#include #include #ifndef MAX_PATH#define MAX_PATH 260#endifNTKERNELAPI UCHAR * PsGetProcessImageFileName(__in PEPROCESS Proce
2016-12-30 15:50:35
696
原创 EXE和SYS通信MiniFilter方式
#ifndef _HEADER_HEAD_FILE#define _HEADER_HEAD_FILE#pragma once#include #include #ifndef MAX_PATH#define MAX_PATH 260#endif#define EVENT_NAMEXP L"\\BaseNamedObjects\\FileMonEvent" //xp下
2016-12-30 15:21:27
930
原创 RtlSetProcessIsCritical将进程设置为系统严重状态(防止进程被结束)
#include #include bool EnableDebugPrivilege();typedef NTSTATUS(__cdecl *fnRtlSetProcessIsCritical)(IN BOOLEAN NewValue, OUT PBOOLEAN OldValue OPTIONAL, IN BOOLEAN CheckFlag);fnRtlSetProcessI
2016-12-11 11:28:29
4054
原创 进程提权
#include #include bool EnableDebugPrivilege();bool UpPrivilege();BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable);int main(void){ if (EnableDebugPrivilege()) { wprintf(
2016-12-05 10:44:35
559
原创 重载内核(x86)
#include #include #include #include #include #include #include #ifndef MAX_PATH#define MAX_PATH 256#endiftypedef unsigned char *PBYTE;typedef unsigned char BYTE;typedef unsigned int UIN
2016-11-17 17:09:55
2359
原创 SSDT HOOK
#include #include NTKERNELAPI UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);#pragma pack(1) typedef struct _SystemServiceEntry { ULONG *ServiceTableBase; ULONG *Ser
2016-11-17 17:08:15
431
原创 内核隐藏进程
#include #include #include NTKERNELAPI UCHAR *PsGetProcessImageFileName(PEPROCESS Process);#ifndef MAX_PATH#define MAX_PATH 260#endifDWORD g_OsVersion;
2016-11-16 18:22:33
2559
原创 为进程设置代理
#include #include #include #include #pragma comment (lib,"Wininet.lib")//为进程设置代理bool SetConnectionProxy(const TCHAR *proxy_server){ TCHAR temp_string[256]; _tcscpy_s(temp_string, proxy_serve
2016-10-28 13:02:57
4313
转载 应用层蓝屏
#include #include typedef enum _HARDERROR_RESPONSE_OPTION { OptionAbortRetryIgnore, OptionOk, OptionOkCancel, OptionRetryCancel, OptionYesNo, OptionYesNoCancel, OptionShutdownSystem} HARD
2016-10-24 15:06:45
2180
转载 隐藏驱动模块
#include typedef unsigned long DWORD;typedef struct _KLDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; PVOID ExceptionTable; ULONG ExceptionTableSize; PVOID GpValue; DWORD U
2016-10-20 19:46:02
2098
1
原创 C++调用本地js
#include #include #import "C:\\Windows\\SysWOW64\\msscript.ocx" // msscript.ocx using namespace MSScriptControl;#include #include using namespace std;/*test.js文件内容function add(a,b){return
2016-10-19 11:02:08
1675
2
原创 驱动中全局hook应用层API函数
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath){ DbgBreakPoint(); DriverObject->DriverUnload = DriverUnload; NTSTATUS status; PEPROCESS Process =
2016-10-08 19:16:04
5041
原创 Intel XE 2016 + vs2013+ wdk8.1配置内嵌汇编
1. 安装环境：Intel XE 2016 + vs2013 + wdk8.1　2. 工程属性：Platform toolset = Intel C++ Compiler 16.0；Base Platform Toolset = WindowsKernelModeDriver8.1；Configuration = Driver
2016-09-13 11:07:47
1059
原创 inline hook IofCallDriver 调用ntfs时保护文件访问
#include #include NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject);int IsNeedProtect(DEVICE_OBJECT *DeviceObject, PIRP Irp);ULONG GetFunctionAddr(IN PCWSTR FunctionName);VOID InlineHook();
2016-09-05 14:33:00
705
原创 FSDHOOK恢复
WCHAR DriverName[] = L"\\FileSystem\\ntfs"; WCHAR DriverPath[] = L"\\??\\C:\\WINDOWS\\system32\\drivers\\ntfs.sys"; RestoreFSDMajorRoutine(&DriverName, &DriverPath, IRP_MJ_CREATE);//函数名: Resto
2016-08-30 16:10:57
631
1
原创 LSP网络监控
#include #include // 定义了WSCWriteProviderOrder函数#include #include #pragma comment(lib, "Ws2_32.lib")#pragma comment(lib, "Rpcrt4.lib") // 实现了UuidCreate函数// 要安装的LSP的硬编码,在移除的时候还要使用它GUID P
2016-08-09 16:21:58
2963
1
原创 域名获取IP
#include #include #include #include #pragma comment (lib, "Ws2_32.lib")int main(void){ //LoadLibrary(TEXT("LockHome.dll")); printf("%d\n", htons(80)); printf("%d\n", ntohs(20480)); prin
2016-08-09 16:07:48
359
原创 内核下文件操作
#include //创建文件NTSTATUS CreateFileText(void);//打开文件NTSTATUS OpenFileText(void);NTSTATUS OpenFileTest2(void);//写入文件NTSTATUS WriteFileText(void);//读取文件NTSTATUS ReadFileText(void);//文件属性
2016-08-01 18:02:59
951
原创 KdPrint使用方法
KdPrint使用方法类似printf,注意KdPrint((" ", ));使用的是双括号。用KdPrint(())来代替printf 输出信息。这些信息可以在DbgView 中看到。KdPrint(())自身是一个宏,为了完整传入参数所以使用了两重括弧。这个比DbgPrint 调用要稍好。因为在free 版不被编译。DebugPrint格式说明符 格式说明符
2016-07-20 16:15:42
1418
原创 安全的等待线程结束
#include //卸载函数VOID HelloDDKUnload(IN PDRIVER_OBJECT pDriverObject);extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath);VOID Test(void);BOOLEAN bIs
2016-07-15 09:48:22
863
1
函数多线程安全性问题，大家帮我看看
2015-06-04