[Repost] PE File Study Notes (5): Parsing the Import Table, IAT and Bound Import Table
From http://blog.youkuaiyun.com/apollon_krj/article/details/77417063 1. Import table (Import Descriptor) structure: the import table records the set of dynamic link libraries used by a PE file. Each DLL occupies one element of the import table, and that element describes the imported DLL in detail, such as the DLL's last modification time, the names/ordinals of the functions in the DLL, the function addresses after the DLL is loaded, and so on
2017-12-08 01:04:10
641
[Translation] Windows 10 driver signing issues
Most of this article is translated from several English documents, including osronline and msdn. I hope it helps those who are confused by Windows 10 driver signing: at the Build 2017 developer conference, Microsoft officially announced that the fourth major update to Windows 10, "Redstone 3", due this autumn, has been named "Fall Creators Update". Windows 10 has previously received three major upgrades, of which 2
2017-06-02 18:40:51
4309
[Translation] Calling Other Windows Filtering Platform Functions
Many of the other Windows Filtering Platform functions that are available to user-mode management applications are also available to callout drivers. This enables a callout driver to perform managemen
2017-02-07 18:33:14
706
[Translation] Using a Callout for Deep Inspection of Stream Data
Packet Inspection Points. Incoming packets that are destined for an address that is assigned to the receiving computer (local host traffic) traverse up WFP layers in the following order: packets received by the computer, according to the following
2017-02-07 18:26:39
741
[Translation] Processing Classify Callouts
The filter engine calls a callout's classifyFn callout function when there is network data to be processed by the callout. This occurs when all the filtering conditions are true for a filter that sp
2017-02-07 17:08:05
671
[Translation] Processing Notify Callouts
The filter engine calls a callout's notifyFn callout function to notify the callout driver about events that are associated with the callout. When an event associated with a callout occurs, the filter engine calls that callout's notifyFn function to notify the callout d
2017-02-07 15:45:47
364
[Translation] Initializing a Callout Driver
A callout driver initializes itself within its DriverEntry function. The main initialization tasks are as follows: the callout driver initializes itself in its DriverEntry function, and the main initialization tasks are as follows: Specifying an Unload Function Cr
2017-02-07 15:14:29
425
[Translation] Definitions
Callout. A callout provides functionality that extends the capabilities of the Windows Filtering Platform. A callout consists of a set of callout functions and a GUID key that uniquely identifies the
2017-02-07 14:51:55
525
[Translation] Introduction to Windows Filtering Platform Callout Drivers
Purpose of Callout Drivers. A callout driver implements one or more callouts. Callouts extend the capabilities of the Windows Filtering Platform by processing TCP/IP-based network data in ways that ar
2017-02-07 14:18:32
499
[Translation] Processing I/O Operations
The filter manager simplifies how a minifilter driver processes I/O operations. A legacy filter driver must pass I/O requests down to the next driver and correctly handle pending, synchronization, I/O completion and so on, whereas a minifilter registers only for the I/O requests it must handle. For a given I/O operation, the filter manager calls the minifilter driver only if the minifilter has registered a preoperation callback for it. The filter manager copies the stack parameters on the minifilter's behalf, passes IRP Pend
2016-12-17 16:46:06
1126
[Translation] Filter Manager and Minifilter Driver Architecture
The filter manager is a kernel-mode driver that conforms to the legacy file system filter model and exposes functionality commonly required in file system filter drivers. By taking advantage of this f
2016-12-17 15:36:29
777
[Original] How to set a dialog's maximum (minimum) height and width
There are many blog posts online about how to set a dialog's maximum (minimum) height and width; I think one of them is written fairly well, so I'll grab it first to pad the word count. The following is reposted from http://www.youranshare.com/push/code/win-c-cpp/427.html: in MFC there is no function like the one in QT that sets a window's maximum/minimum SIZE information directly through a single call, but for something as powerful as MFC, such a trivial problem
2016-12-05 16:44:24
5204
[Original] Behaviour of Windows hooks on 64-bit systems
Many people are familiar with Windows hooks and can easily write a global hook program. But can a 32-bit hook capture the messages of a 64-bit process? Or can a 64-bit hook capture the messages of a 32-bit process? Let's analyse this below. MSDN says the following about the SetWindowsHookEx function: SetWindowsHookEx can be used to inject a DLL into another process. A 32-bit
2016-11-20 14:48:58
3527
2
[Original] WM_ERASEBKGND and WM_PAINT
I recently developed a WTL owner-drawn UI program. I draw the background image in the WM_ERASEBKGND message and draw the control buttons in the top-right corner of the client area. Initially the dialog was not resizable; later, a requirement called for dragging to resize the dialog, so the positions of the control buttons also had to change with the dialog's size. So I changed the control button positions in the WM_SIZE message: void OnSize(UINT nType, CSize size) { ::OutputDebugStr
2016-11-17 18:10:50
970
[Original] The WM_SETCURSOR message
I recently wrote a program that resizes a caption-less dialog by dragging, which requires changing the program's cursor. At first I planned to check the cursor position in the WM_MOUSEMOVE message and change the cursor shape there, but found that the cursor flickered. A Baidu search said the cursor should be set in the WM_SETCURSOR message. This is explained in the Using Cursor documentation. Your application can change the design of the cursor by us
2016-11-16 16:04:53
8664
[Repost] SAMPLE: Using HttpSendRequestEx for Large POST Requests
Summary. This sample demonstrates proper usage of the HttpSendRequestEx function introduced in the Internet Explorer 4.0 WinInet.dll and documented in the Internet Client SDK. The original Htt
2016-10-13 15:26:31
985
[Original] Asynchronous processing with WinInet
WinInet supports not only synchronous but also asynchronous processing. The steps are as follows: 1. Pass the INTERNET_FLAG_ASYNC flag when calling InternetOpen: hSession = InternetOpen(szAgent, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, INTERNET_FLAG_ASYNC); 2. Set the callback function INTERNET_STA
2016-10-13 14:17:22
3088
[Original] Cookie management in WinInet
By default, WinInet automatically adds the cookie header to requests and automatically adds the returned cookie information to the cookie database. There are two kinds of cookie: persistent cookies and session cookies. A persistent cookie is one with an expiry date; depending on the process's integrity level, it is saved to the Users\"username"\AppData\Roaming\Microsoft\Windows\Cookies directory or to Use
2016-10-11 14:42:18
2650
[Original] WinInet notes
WinInet is an API provided by Microsoft for accessing Internet resources over the FTP and HTTP protocols. The API handles variations in the underlying protocols, such as proxy servers, so that applications using WinInet behave consistently. The best-known program using WinInet is IE, and many third-party applications also use it to access the Internet. I recently did some work with it and am recording a few notes here. WinInet stores protocol-related information in HINTERNET handles, and HINTERNET handles are kept in a tree structure, in which
2016-10-10 17:54:15
2022
[Repost] Why do some structures end with an array of size 1?
From: https://blogs.msdn.microsoft.com/oldnewthing/20040826-00/?p=38043/ Some Windows structures are variable-sized, beginning with a fixed header, followed by a variable-sized array. When these str
2016-09-30 11:48:35
606
[Translation] minifilter -- User Mode Communication
Filter Communication Port Object. To implement security and enable multiple communication channels, a new object has been introduced called a minifilter communication port. It is intended to be used for
2016-09-29 17:05:59
1223
[Original] Drawing a tree structure
Trees can be represented by the parent representation, the child representation, the parent-child representation, or the child-sibling representation; the first three are array-based and the last is linked-list-based. The tree node data structure I defined is typedef struct _TREENODE { char val; _TREENODE* Parent; _TREENODE* Child; _TREENODE* Sibling; } TREENODE, *PTREENODE; that is, the child-sibling representation,
2016-09-28 17:12:31
743
[Translation] Filter Initiated I/O
Certain minifilters need to perform I/O of their own. This I/O is only seen by minifilters below the current minifilter in the minifilter stack of the Volume. For instance, an anti-virus minifilter may
2016-09-27 20:36:24
683
[Translation] Minifilter - File Name Support
The Filter Manager provides library routines that retrieve the name of the object in the current operation through looking at the operation parameters or querying the file system. For improved efficien
2016-09-25 23:24:34
1224
[Translation] String buffers and IRQL
From https://blogs.msdn.microsoft.com/doronh/2006/03/03/string-buffers-and-irql/ If you look at the docs for many Rtl string functions, you will see that they are callable only at IRQL == PASSIVE
2016-09-23 21:59:15
472
[Original] Windows message processing
Up front: most of this article is copied content, and its purpose is to verify that content. According to Windows Core Programming (Windows核心编程), when a thread calls a function related to the graphical user interface (for example, checking its message queue or creating a window), the system allocates some additional resources to that thread so that it can perform user-interface-related tasks. In particular, the system allocates a THREADINFO structure and associates it with the thread. While a thread waits for SendMessage to return, it is essentially idle. But it can
2016-09-22 21:55:04
329
[Translation] Modifying the Parameters for an I/O Operation
A minifilter driver can modify the parameters for an I/O operation. For example, a minifilter driver's preoperation callback routine can redirect an I/O operation to a different volume by changing th
2016-09-16 11:51:19
507
[Translation] Writing Postoperation Callback Routines
Like a completion routine, a postoperation callback routine is called at IRQL <= DISPATCH_LEVEL, in an arbitrary thread context. Because it can be called at IRQL = DISPATCH_LEVEL, a postoperation c
2016-09-14 17:41:24
1011
[Translation] Writing Preoperation and Postoperation Callback Routines
In its DriverEntry routine, a minifilter driver can register up to one preoperation callback routine and up to one postoperation callback routine for each type of I/O operation that it needs to filte
2016-09-14 00:02:42
1342
[Translation] Writing a FilterUnloadCallback Routine for a Minifilter Driver
A file system minifilter driver can optionally register a PFLT_FILTER_UNLOAD_CALLBACK-typed routine as the minifilter driver's FilterUnloadCallback routine. This callback routine is also referred to
2016-09-12 22:34:03
1016
[Repost] Loading and unloading COM components
Reposted from http://www.cnblogs.com/zcgao/archive/2011/07/18/2109220.html Loading an in-process component: the client program calls the COM library's CoCreateInstance or CoGetClassObject function to create a COM object. In CoGetClassObject, the COM library uses the information in the system registry to find, for the class identifier CLSID, the corresponding comp
2016-08-17 14:49:59
3421
[Translation] The difference between incremental and differential backup (Incremental vs. differential backup: A comparison)
Differential backup. Differential backups copy those files that have been changed since the last full backup took place. So if a full backup was done on Day 1, Day 2's differential will copy
2016-08-10 15:46:05
10020
1
[Repost] What really happens when you navigate to a URL
Reposted from http://igoro.com/archive/what-really-happens-when-you-navigate-to-a-url/ As a software developer, you certainly have a high-level picture of how web apps work and what kinds of technologies are i
2016-08-10 09:56:44
447
[Repost] Getting the Windows 10 system version number
Reposted from http://www.07net01.com/2015/04/813058.html Microsoft left a trap in getting the Windows 10 version number: if you use GetVersionEx to get the version number, you get 6.2.9200. The official documentation says: [GetVersionEx may be altered or unavailable for releases
2016-08-08 16:41:47
3571
1
[Repost] Some differences between WM_QUIT, WM_CLOSE and WM_DESTROY
Reposted from http://blog.chinaunix.net/uid-16318340-id-2748753.html WM_CLOSE: when "Close" is chosen from the system menu or the "X" button in the window's top-right corner is clicked, your window procedure receives WM_CLOSE. DefWindowProc handles WM_CLOSE by calling DestroyWindow. Of course, you can handle it yourself instead of letting DefWindowProc handle it, for example
2016-08-08 15:11:51
5062
1
[Repost] COM apartments and threading models
Reposted from http://blog.itpub.net/23410886/viewspace-1032239/ While looking at a component's registry entries I did not understand ThreadingModel, so I searched online and summarised what I found. Most of the content is excerpted from "Understanding COM Apartments" (理解 COM 套间); thanks to the original author. Apartments were introduced so that components execute safely in a multithreaded environment, because the same component's methods may be called across threads. If the component's interfaces are thread-safe, no apartment is needed,
2016-08-08 15:10:51
1097
[Original] Fixing "The specified module could not be found" when registering a COM component
I developed a COM module, took it to a clean virtual machine and registered it with regsvr32, which reported "xxxx failed to load ....... The specified module could not be found." (see the figure below). Specified path not found? Was the registration file path I gave wrong? But no matter how hard I stared at it, the file path was correct. Damn. So I wrote my own registration program and found that when loading this COM DLL it reported that the program can't start because ATL100.dll is missing from the computer. At that point the cause was clear: it turned out my COM DLL had not
2016-08-06 23:04:11
7704
1
[Original] Setting the call stack display depth in WinDbg
When debugging a process's call stack with WinDbg, you sometimes find that the call stack is displayed incompletely. This is because WinDbg displays at most 20 frames by default; you can use .kframes [StackCount] to set the maximum stack display depth. You can also append the depth to display when using the k family of commands: k [FrameCount] sets the number of frames to display. I wasn't very familiar with this before and was forced to use !for_each_frame ["CommandString"] to display the complete sta
2016-08-01 14:38:35
3233
[Original] Analysis of SCSI device scanning behaviour
After the driver discovers a SCSI adapter, it scans the SCSI devices connected to it. Each SCSI device's path can be expressed as (PathId, TargetId, Lun). When the storage miniport driver receives the SCSI command SCSIOP_INQUIRY, it must determine whether a SCSI device is connected on the queried path. When configuring a SCSI adapter we set the maximum number of buses it supports (NumberOfBuses), the maximum number of target IDs (MaximumNumberO
2016-07-21 15:58:08
1911
1