
Code/kernel (25)

KeIsAttachedProcess http://www.reactos.org/pipermail/ros-diffs/2005-March/004331.html A function that reports whether the current thread is attached to another process's address space. The ReactOS code recorded at the link shows that the answer is simply the current thread's ApcStateIndex (0 = OriginalApcEnvironment, 1 = AttachedApcEnvironment): BOOLEAN KeIsAttachedProcess(VOID) { return KeGetCurrentThread()->ApcStateIndex; } 2010. 6. 22.
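To show why a one-line read of ApcStateIndex is enough, here is an added user-mode model of the KTHREAD bookkeeping that KeStackAttachProcess / KeUnstackDetachProcess maintain (example code written for this page, not ReactOS or Windows source; the model_* names, the KPROCESS with a pid field and the marker values are assumptions, and no address-space switch or APC queue handling is modelled):

```c
#include <stddef.h>
#include <stdbool.h>

/* Simplified model, not kernel code: only the fields KeIsAttachedProcess reads. */
typedef struct KPROCESS { int pid; } KPROCESS;          /* assumption: stand-in process object */

typedef struct KAPC_STATE {
    KPROCESS *Process;                                  /* process this APC environment belongs to */
} KAPC_STATE;

enum { OriginalApcEnvironment = 0, AttachedApcEnvironment = 1 };

typedef struct KTHREAD {
    KAPC_STATE    ApcState;                             /* environment in effect right now */
    KAPC_STATE    SavedApcState;                        /* the original one, while attached */
    unsigned char ApcStateIndex;                        /* 0 or 1: what the ReactOS one-liner returns */
} KTHREAD;

/* Marker left in the caller's KAPC_STATE when no attach happened (assumed value). */
#define ATTACH_NOOP_MARKER ((KPROCESS *)1)

void model_init_thread(KTHREAD *t, KPROCESS *owner)
{
    t->ApcState.Process = owner;
    t->SavedApcState.Process = NULL;
    t->ApcStateIndex = OriginalApcEnvironment;
}

/* Equivalent of the ReactOS KeIsAttachedProcess quoted above. */
bool model_KeIsAttachedProcess(const KTHREAD *t)
{
    return t->ApcStateIndex != OriginalApcEnvironment;
}

/* Attach `t` to `target`, recording in `saved` what the matching detach must undo. */
void model_KeStackAttachProcess(KTHREAD *t, KPROCESS *target, KAPC_STATE *saved)
{
    if (t->ApcState.Process == target) {
        saved->Process = ATTACH_NOOP_MARKER;            /* already in that process: nothing to do */
        return;
    }
    if (t->ApcStateIndex == AttachedApcEnvironment) {
        *saved = t->ApcState;                           /* nested attach: caller keeps the middle state */
    } else {
        t->SavedApcState = t->ApcState;                 /* first attach: original goes to SavedApcState */
        saved->Process = NULL;                          /* marker: restore from SavedApcState */
        t->ApcStateIndex = AttachedApcEnvironment;      /* this is the bit KeIsAttachedProcess sees */
    }
    t->ApcState.Process = target;
}

void model_KeUnstackDetachProcess(KTHREAD *t, const KAPC_STATE *saved)
{
    if (saved->Process == ATTACH_NOOP_MARKER)
        return;                                         /* attach was a no-op, so is the detach */
    if (saved->Process == NULL) {
        t->ApcState = t->SavedApcState;                 /* back to the original environment */
        t->ApcStateIndex = OriginalApcEnvironment;
    } else {
        t->ApcState = *saved;                           /* still attached, to the previous target */
    }
}
```

The practical point for driver code: after a nested KeStackAttachProcess the thread stays "attached" (index still 1) until the outermost detach, so KeIsAttachedProcess cannot tell you which process you are in, only that you are not in your own.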
Kernel Data and Filtering Support for Windows Server 2008 While working through this document, ObRegisterCallbacks() fails with STATUS_ACCESS_DENIED (0xC0000022) in two cases: 1. the driver is not signed; 2. the driver was not linked with /INTEGRITYCHECK (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY is not set in its PE header). See: http://bugtruck.tistory.com/33 See: http://winprogger.com/?p=23 Process vigilance via PsSetCreateProcessNotifyRoutineEx Posted by Satya Das October 9, 2007 PsSetCreateProcessNotifyRoutineEx is the newest kid on the block if you wish to keep a watch on process creation or destru.. 2010. 6. 1.
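Both ObRegisterCallbacks and PsSetCreateProcessNotifyRoutineEx refuse (STATUS_ACCESS_DENIED) drivers not linked with /INTEGRITYCHECK, and the quickest way to confirm which case you are in is to look at the FORCE_INTEGRITY bit in the PE optional header. Here is an added checker for that (example code for this page, not from the linked posts or the WDK; the pe_force_integrity / make_min_pe names are mine, and the minimal header built by make_min_pe is a constructed sample, not a real driver):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit that the /INTEGRITYCHECK linker option sets in IMAGE_OPTIONAL_HEADER.DllCharacteristics. */
#define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 = linked with /INTEGRITYCHECK, 0 = not, -1 = not a PE image we can parse. */
int pe_force_integrity(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D)                    /* "MZ" */
        return -1;
    uint32_t pe = rd32(img + 0x3C);                           /* e_lfanew */
    /* need signature (4) + COFF header (20) + optional header up to DllCharacteristics (72) */
    if ((uint64_t)pe + 96 > len || rd32(img + pe) != 0x00004550u)   /* "PE\0\0" */
        return -1;
    const uint8_t *coff = img + pe + 4;
    if (rd16(coff + 16) < 72)                                 /* SizeOfOptionalHeader */
        return -1;
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B)                     /* PE32 / PE32+ */
        return -1;
    /* DllCharacteristics is at offset 70 in both the PE32 and the PE32+ optional header. */
    return (rd16(opt + 70) & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY) ? 1 : 0;
}

/* Constructed minimal PE32 header for self-testing (assumption: not a loadable image). */
#define MIN_PE_SIZE (0x40 + 4 + 20 + 224)
void make_min_pe(uint8_t buf[MIN_PE_SIZE], uint16_t dllchar)
{
    memset(buf, 0, MIN_PE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                                         /* e_lfanew = 0x40 */
    buf[0x40] = 'P'; buf[0x41] = 'E';                         /* "PE\0\0" */
    uint8_t *coff = buf + 0x44;
    coff[0] = 0x4C; coff[1] = 0x01;                           /* Machine = IMAGE_FILE_MACHINE_I386 */
    coff[16] = 224; coff[17] = 0;                             /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0B; opt[1] = 0x01;                             /* Magic = 0x10B (PE32) */
    opt[70] = (uint8_t)(dllchar & 0xFF);
    opt[71] = (uint8_t)(dllchar >> 8);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s driver.sys\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    if (n <= 0) { fclose(f); return 2; }
    uint8_t *img = malloc((size_t)n);
    if (!img || fread(img, 1, (size_t)n, f) != (size_t)n) { fclose(f); free(img); return 2; }
    fclose(f);
    int r = pe_force_integrity(img, (size_t)n);
    free(img);
    puts(r == 1 ? "FORCE_INTEGRITY set (/INTEGRITYCHECK)" :
         r == 0 ? "FORCE_INTEGRITY NOT set: relink with /INTEGRITYCHECK" : "not a PE image");
    return r == 1 ? 0 : 1;
}
```

A set bit is necessary but not sufficient: with FORCE_INTEGRITY set, the loader also requires a signature it trusts, which is why an unsigned test build still fails (case 1 above) even after the relink.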
Trampolines In x64 We got a few nice features from the new architecture of x64, like larger memory addressing, more registers (so fast call is the standard up to three registers and the rest get on the stack), and of course, a wider bandwidth of 64 bits, etc. AMD had a once in a lifetime opportunity to change the ISA (instruction set architecture) a bit and to make it much better, but instead, they .. 2010. 5. 6.
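The larger address space is exactly what complicates trampolines on x64: the 5-byte "jmp rel32" used by x86 hooks only reaches ±2 GiB, so a hook stub must fall back to an absolute form when the target is farther away. Here is an added emitter for both forms with the reachability check (example code for this page, not from the quoted post; the x64_rel32_reaches / x64_emit_jmp names are mine):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Can a 5-byte "E9 rel32" placed at `from` reach `to`?  The displacement is
 * measured from the end of the instruction, hence from + 5. */
int x64_rel32_reaches(uint64_t from, uint64_t to)
{
    int64_t rel = (int64_t)(to - (from + 5));       /* modular subtraction gives the signed delta */
    return rel >= INT32_MIN && rel <= INT32_MAX;
}

/* Write the jump from `from` to `to` into `out` (room for 14 bytes).
 * Returns bytes written: 5 for "jmp rel32", 14 for the absolute form
 *   FF 25 00 00 00 00   jmp qword ptr [rip+0]
 *   <8-byte target>     the qword the jmp reads, placed right after it */
size_t x64_emit_jmp(uint8_t *out, uint64_t from, uint64_t to)
{
    if (x64_rel32_reaches(from, to)) {
        uint32_t rel = (uint32_t)(to - (from + 5));
        out[0] = 0xE9;
        for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));   /* little-endian */
        return 5;
    }
    out[0] = 0xFF; out[1] = 0x25;
    for (int i = 0; i < 4; i++) out[2 + i] = 0;                                 /* disp32 = 0 */
    for (int i = 0; i < 8; i++) out[6 + i] = (uint8_t)(to >> (8 * i));          /* absolute target */
    return 14;
}

int main(void)
{
    /* Constructed sample addresses: a near target and one far outside ±2 GiB. */
    uint64_t pairs[][2] = { {0x1000, 0x2000}, {0x00007FF6A0000000ull, 0x0000010000000000ull} };
    for (size_t p = 0; p < 2; p++) {
        uint8_t buf[14];
        size_t n = x64_emit_jmp(buf, pairs[p][0], pairs[p][1]);
        printf("%#llx -> %#llx: %zu bytes:", (unsigned long long)pairs[p][0],
               (unsigned long long)pairs[p][1], n);
        for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
        putchar('\n');
    }
    return 0;
}
```

Two consequences follow for hook code: the 14-byte form overwrites more of the hooked function's prologue, so more instructions have to be relocated to the trampoline (and any rip-relative operands among them re-encoded, which this emitter does not do), and the 8-byte target sits inline as data, which is why the bytes after FF 25 are a common signature for inline hooks in memory forensics.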
LIST_ENTRY usage /******************************************************************************* linked list ********************************************************************************/ typedef struct _ListHandle { LIST_ENTRY link; HWND hWnd; } ListHandle, *PListHandle; LIST_ENTRY g_handleList; /******************************************************************************* Initialization *****************************.. 2009. 11. 26.
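The post's ListHandle type embeds a LIST_ENTRY, so the list never stores node pointers; you walk Flink/Blink and recover the node with CONTAINING_RECORD. The added example below builds the handle list the post starts to define, with portable stand-ins for the WDK definitions so it runs in user mode (example code for this page, not the post's full listing; the handle_* functions, the HWND typedef and the fake HWND values in the usage are assumptions):

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for ntdef.h/wdm.h so this builds outside a driver (assumption: same layout). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; struct _LIST_ENTRY *Blink; } LIST_ENTRY, *PLIST_ENTRY;
typedef void *HWND;
#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

typedef struct _ListHandle { LIST_ENTRY link; HWND hWnd; } ListHandle, *PListHandle;
LIST_ENTRY g_handleList;

static void InitializeListHead(PLIST_ENTRY head) { head->Flink = head->Blink = head; }
static int  IsListEmpty(const LIST_ENTRY *head) { return head->Flink == head; }

static void InsertTailList(PLIST_ENTRY head, PLIST_ENTRY entry)
{
    PLIST_ENTRY last = head->Blink;
    entry->Flink = head;  entry->Blink = last;
    last->Flink  = entry; head->Blink  = entry;
}

/* Unlink `entry`; returns non-zero when the list is now empty.  The Flink/Blink
 * cross-check mirrors the safe-unlink test recent wdm.h versions do before
 * unlinking (FatalListEntryError): a corrupted entry must not become an
 * arbitrary write through its neighbours' pointers. */
static int RemoveEntryList(PLIST_ENTRY entry)
{
    PLIST_ENTRY next = entry->Flink, prev = entry->Blink;
    if (next->Blink != entry || prev->Flink != entry) {
        fprintf(stderr, "corrupt LIST_ENTRY at %p\n", (void *)entry);
        abort();
    }
    prev->Flink = next; next->Blink = prev;
    return next == prev;
}

void handle_list_init(void) { InitializeListHead(&g_handleList); }

PListHandle handle_add(HWND hWnd)
{
    PListHandle node = malloc(sizeof *node);
    if (!node) return NULL;
    node->hWnd = hWnd;
    InsertTailList(&g_handleList, &node->link);       /* only the embedded LIST_ENTRY is linked */
    return node;
}

PListHandle handle_find(HWND hWnd)
{
    for (PLIST_ENTRY e = g_handleList.Flink; e != &g_handleList; e = e->Flink) {
        PListHandle node = CONTAINING_RECORD(e, ListHandle, link);   /* entry -> owning node */
        if (node->hWnd == hWnd) return node;
    }
    return NULL;
}

int handle_remove(HWND hWnd)
{
    PListHandle node = handle_find(hWnd);
    if (!node) return 0;
    RemoveEntryList(&node->link);                     /* unlink before freeing the owner */
    free(node);
    return 1;
}

size_t handle_count(void)
{
    size_t n = 0;
    for (PLIST_ENTRY e = g_handleList.Flink; e != &g_handleList; e = e->Flink) n++;
    return n;
}

void handle_list_clear(void)
{
    while (!IsListEmpty(&g_handleList)) {
        PListHandle node = CONTAINING_RECORD(g_handleList.Flink, ListHandle, link);
        RemoveEntryList(&node->link);
        free(node);
    }
}
```

In a real driver the list needs a lock (or ExInterlockedInsertTailList and friends) around every walk and unlink; the shape above is the same, only the synchronization is missing.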
[WDK]unlinkInCsrss /*
.text:75AD52D3 _CsrLockProcessByClientId@8 proc near ; CODE XREF: CsrCreateRemoteThread(x,x)+2Fp
.text:75AD52D3
.text:75AD52D3 arg_0 = dword ptr 8
.text:75AD52D3 arg_4 = dword ptr 0Ch
.text:75AD52D3
.text:75AD52D3 8B FF    mov edi, edi
.text:75AD52D5 55       push ebp
.text:75AD52D6 8B EC    mov ebp, esp
.text:75AD52D8 53       push ebx
.text:75AD52D9 56       push esi
.text:75AD52DA 57       push edi
.text:75AD52DB BF A0.. 2009. 4. 11.
[WDK] ZwCreateFile , ZwReadFile, ZwWriteFile Refer to a file by its object name Kernel-mode device drivers refer to a file by its object name. This name is \DosDevices together with the full path of the file. For example, the object name of the C:\Windows\Example.txt file is \DosDevices\C:\Windows\Example.txt. Then the object name is encapsulated into an OBJECT_ATTRIBUTES structure by calling the InitializeObjectAttributes function. Note I.. 2009. 4. 1.
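The naming rule above is easy to get wrong in two places: the \DosDevices\ prefix, and the UNICODE_STRING that carries it, whose Length and MaximumLength are byte counts with no terminating NUL required. The added example below converts a Win32 path into the object name exactly as the document describes and fills such a string (example code for this page, not WDK code; the U16STRING type models UNICODE_STRING with uint16_t characters so it builds anywhere, and the dos_path_to_object_name / u16string_equals_ascii names are mine):

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of UNICODE_STRING (assumption: WCHAR as uint16_t).  Length and
 * MaximumLength are BYTE counts; the buffer need not be NUL-terminated. */
typedef struct { uint16_t Length; uint16_t MaximumLength; uint16_t *Buffer; } U16STRING;

static const char kNtPrefix[] = "\\DosDevices\\";   /* \DosDevices is a link to \?? in the object namespace */

/* Build "\DosDevices\C:\Windows\Example.txt" from "C:\Windows\Example.txt" in `buf`
 * (capacity `bufchars` characters) and describe it in `out`.  Accepts only absolute,
 * ASCII drive-letter paths (assumption: no UTF-8 decoding); returns 0 or -1. */
int dos_path_to_object_name(const char *dos, uint16_t *buf, size_t bufchars, U16STRING *out)
{
    size_t dlen = strlen(dos), plen = sizeof(kNtPrefix) - 1;
    if (dlen < 3 || !isalpha((unsigned char)dos[0]) || dos[1] != ':' || dos[2] != '\\')
        return -1;                                        /* not "X:\..." */
    for (size_t i = 0; i < dlen; i++)
        if ((unsigned char)dos[i] >= 0x80 || dos[i] == '\0') return -1;
    if (plen + dlen > bufchars || (plen + dlen) * sizeof(uint16_t) > 0xFFFF)
        return -1;                                        /* no room, or beyond USHORT Length */
    for (size_t i = 0; i < plen; i++) buf[i] = (uint16_t)(unsigned char)kNtPrefix[i];
    for (size_t i = 0; i < dlen; i++) buf[plen + i] = (uint16_t)(unsigned char)dos[i];
    out->Buffer        = buf;
    out->Length        = (uint16_t)((plen + dlen) * sizeof(uint16_t));   /* bytes, no terminator */
    out->MaximumLength = (uint16_t)(bufchars * sizeof(uint16_t));
    return 0;
}

/* Compare against an ASCII string using Length (bytes), never a NUL. */
int u16string_equals_ascii(const U16STRING *s, const char *ascii)
{
    size_t n = strlen(ascii);
    if (s->Length != n * sizeof(uint16_t)) return 0;
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] != (uint16_t)(unsigned char)ascii[i]) return 0;
    return 1;
}
```

In the driver the resulting name goes to InitializeObjectAttributes; pass OBJ_KERNEL_HANDLE together with OBJ_CASE_INSENSITIVE there, otherwise the handle ZwCreateFile returns lives in the handle table of whatever process the thread is attached to and can be reached from user mode.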