
Code/kernel (25)

[WDK] NtShutdownSystem typedef enum _SHUTDOWN_ACTION { ShutdownNoReboot, ShutdownReboot, ShutdownPowerOff } SHUTDOWN_ACTION, *PSHUTDOWN_ACTION; The enumeration type SHUTDOWN_ACTION is used in calls to the NtShutdownSystem function. ShutdownNoReboot: normal shutdown; after the system closes, the processor jumps into an infinite loop. ShutdownReboot: the BIOS reset function is called after the system closes. ShutdownPowerOff: the BIOS shutdown function.. 2008. 12. 30.
[WDK] Example of deleting a file with ZwDeleteFile OBJECT_ATTRIBUTES oa; ANSI_STRING FileNameAnsi; UNICODE_STRING FileNameUnicode; PCHAR FilePath = (PCHAR)Irp->AssociatedIrp.SystemBuffer; CHAR szTemp[300] = "\\??\\"; HANDLE Directory = NULL; strcat( szTemp , FilePath ); RtlInitAnsiString(&FileNameAnsi, szTemp); ntStatus = RtlAnsiStringToUnicodeString(&FileNameUnicode, &FileNameAnsi, TRUE); if( ntStatus == STATUS_SUCCESS ) { InitializeObjectAttri.. 2008. 12. 23.
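Two things in the ZwDeleteFile snippet above deserve a check before it goes into a real driver. First, `strcat(szTemp, FilePath)` copies from `Irp->AssociatedIrp.SystemBuffer`, which is user-supplied, into a 300-byte stack buffer with no length check and without confirming that a terminator exists within `Parameters.DeviceIoControl.InputBufferLength`; a long or unterminated IOCTL buffer overruns the stack or reads past the buffer. Second, `Zw*` calls made from kernel mode run with the previous mode set to kernel, so the delete is not subject to the caller's access rights: any process allowed to open the device can delete any file the kernel can. The user-mode C below is an added example, not code from the original post; it models only the input validation the snippet lacks (bounded terminator search, size check against the same 300-byte buffer, and an assumed requirement that the path start with a drive letter so `\??\` resolves to a DOS device name). The status enum names are hypothetical stand-ins for the NTSTATUS codes a driver would return, and the ZwDeleteFile call itself is left out so the code runs anywhere.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NT_PREFIX   "\\??\\"   /* DOS device namespace prefix, as in the original snippet */
#define NT_PATH_MAX 300        /* same stack buffer size as the original szTemp[300] */

/* Hypothetical result codes standing in for NTSTATUS values. */
typedef enum {
    PATH_OK = 0,
    PATH_ERR_BAD_LENGTH,    /* no NUL inside the caller's stated length (STATUS_INVALID_PARAMETER) */
    PATH_ERR_EMPTY,         /* zero-length path */
    PATH_ERR_NOT_ABSOLUTE,  /* assumed policy: require "X:\..." so "\??\" maps a DOS device */
    PATH_ERR_TOO_LONG       /* prefix + path + NUL does not fit (STATUS_BUFFER_OVERFLOW) */
} path_status;

/* build_nt_path: validate an untrusted buffer of in_len bytes (what a driver
 * sees as SystemBuffer / InputBufferLength for a METHOD_BUFFERED IOCTL) and
 * write "\??\<path>" into out (out_sz bytes). Never reads past in_len. */
path_status build_nt_path(const char *in, size_t in_len, char *out, size_t out_sz)
{
    size_t n = 0;
    while (n < in_len && in[n] != '\0')
        n++;
    if (n == in_len)                 /* terminator not within the stated length */
        return PATH_ERR_BAD_LENGTH;
    if (n == 0)
        return PATH_ERR_EMPTY;

    /* Drive-letter check; in[1]/in[2] are safe to read because in[n] is NUL. */
    char c = (char)(in[0] | 0x20);
    if (!(c >= 'a' && c <= 'z' && in[1] == ':' && in[2] == '\\'))
        return PATH_ERR_NOT_ABSOLUTE;

    size_t prefix_len = sizeof(NT_PREFIX) - 1;
    if (prefix_len + n + 1 > out_sz)  /* would overflow the fixed buffer */
        return PATH_ERR_TOO_LONG;

    memcpy(out, NT_PREFIX, prefix_len);
    memcpy(out + prefix_len, in, n + 1);   /* includes the terminator */
    return PATH_OK;
}

int main(void)
{
    /* Constructed sample inputs; the second deliberately omits the NUL from its length. */
    const char good[] = "C:\\temp\\a.txt";
    char out[NT_PATH_MAX];

    printf("%d -> %s\n", build_nt_path(good, sizeof good, out, sizeof out), out);
    printf("%d (length excludes NUL)\n", build_nt_path(good, sizeof good - 1, out, sizeof out));
    printf("%d (relative path)\n", build_nt_path("..\\x", 5, out, sizeof out));
    return 0;
}
```

The length passed in is the driver's `InputBufferLength`, not `strlen()` of the buffer: the whole point is that the driver must not trust the user buffer to be terminated.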
[WDK] IoCreateDevice IoCreateDevice The IoCreateDevice routine creates a device object for use by a driver. NTSTATUS IoCreateDevice( IN PDRIVER_OBJECT DriverObject, IN ULONG DeviceExtensionSize, IN PUNICODE_STRING DeviceName OPTIONAL, IN DEVICE_TYPE DeviceType, IN ULONG DeviceCharacteristics, IN BOOLEAN Exclusive, OUT PDEVICE_OBJECT *DeviceObject ); Parameters DriverObject Pointer to the driver object for the caller.. 2008. 11. 12.
[WDM] Device Driver -CodeProject- http://www.codeproject.com/system/driverdev.asp http://www.codeproject.com/system/driverdev2.asp http://www.codeproject.com/system/driverdev3.asp http://www.codeproject.com/system/driverdev4asp.asp http://www.codeproject.com/system/driverdev5asp.asp 2008. 10. 31.
[kernel] Writing a void Sleep(int dwms) function void Sleep( ULONG dwms ) { KEVENT Event; LARGE_INTEGER sMs; KeInitializeEvent( &Event, NotificationEvent, FALSE ); sMs= RtlConvertLongToLargeInteger( dwms * -1 * 10000 ); KeWaitForSingleObject( &Event, Executive, KernelMode, FALSE, &sMs); } It is convenient to write a function like the one above and use it whenever a short delay is needed..^^;; 2008. 10. 15.
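Two caveats on the Sleep function above. A wait with a non-zero timeout requires IRQL <= APC_LEVEL, so this must not be called from a DPC or at DISPATCH_LEVEL; KeDelayExecutionThread exists for exactly this purpose and takes the same LARGE_INTEGER. More subtly, `dwms * -1 * 10000` is computed in 32-bit ULONG arithmetic and then sign-extended by RtlConvertLongToLargeInteger, so it silently wraps once `dwms * 10000` exceeds 2^31 - 1 (about 214,748 ms): the result becomes a positive value, which the kernel interprets as an absolute time far in the past, and the wait returns immediately instead of sleeping. The C below is an added example, not code from the post; it reproduces the original 32-bit expression with explicit fixed-width types so the wrap is visible on any host, and shows the 64-bit conversion that a driver should use instead.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Kernel timeouts are in 100-nanosecond units; a negative value is relative
 * to "now", a positive value is an absolute system time. */
#define HUNDRED_NS_PER_MS 10000LL

/* The original expression with its actual types: ULONG is 32-bit unsigned on
 * Windows, so "dwms * -1 * 10000" wraps modulo 2^32 before being treated as
 * a LONG by RtlConvertLongToLargeInteger. */
int32_t relative_timeout_32(uint32_t ms)
{
    uint32_t wrapped = ms * (uint32_t)-1 * 10000u;   /* -(ms*10000) mod 2^32 */
    return (int32_t)wrapped;                          /* sign-extended by the kernel */
}

/* 64-bit replacement: no wrap for any realistic delay, and an explicit bound
 * so an out-of-range request is reported instead of converted silently. */
bool relative_timeout_64(uint64_t ms, int64_t *out)
{
    if (ms > (uint64_t)(INT64_MAX / HUNDRED_NS_PER_MS))
        return false;
    *out = -(int64_t)ms * HUNDRED_NS_PER_MS;   /* negative = relative timeout */
    return true;
}

int main(void)
{
    int64_t t;
    /* 214748 ms still fits a LONG; 214749 ms wraps to a positive (absolute) time. */
    printf("32-bit: %u ms -> %d\n", 214748u, relative_timeout_32(214748u));
    printf("32-bit: %u ms -> %d (positive: wait returns at once)\n", 214749u, relative_timeout_32(214749u));
    if (relative_timeout_64(214749u, &t))
        printf("64-bit: %u ms -> %lld\n", 214749u, (long long)t);
    return 0;
}
```

In a driver, declare the timeout as `LARGE_INTEGER` and assign `QuadPart` from the 64-bit product rather than going through RtlConvertLongToLargeInteger.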
[Anti Protect] Listing DLLs via the PEB #include #define Peb 0X1b0 #define Ldr 0x00c #define Modulist 0xc #define FileName 0x030 NTKERNELAPI VOID KeAttachProcess ( PEPROCESS Process ); NTKERNELAPI VOID KeDetachProcess ( VOID ); NTSTATUS PsLookupProcessByProcessId(__in HANDLE ProcessId,__deref_out PEPROCESS *Process); VOID ShowModules() { ULONG PEB; ULONG LDR,p,Flink,BaseAddress; PEPROCESS TargetProcess; ULONG MODULIST; PUNICODE_STRING.. 2008. 10. 2.
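The constants above are build-specific: 0x1b0 is the offset of EPROCESS.Peb on Windows XP, and the PEB and loader structures have changed across versions and are different again on 64-bit, so a driver that hard-codes them will read garbage elsewhere. Two properties of the walk itself hold everywhere: the PEB lives in the target's user-mode address space (hence KeAttachProcess before touching it), and that memory is writable by the target, so a kernel-mode walker must treat the loader list as attacker-controlled and bound the traversal. The C below is an added example, not the post's code; it models the shape of PEB_LDR_DATA.InLoadOrderModuleList and LDR_DATA_TABLE_ENTRY with a constructed three-module list (not read from a real process, and with host pointer sizes rather than the 32-bit offsets in the post) and shows a walker that skips the bare list head, stops at it, checks link consistency, and caps iterations.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Minimal models of the structures the walk touches; field order follows the
 * 32-bit XP layouts, byte offsets on this host will differ. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _UNICODE_STRING {
    unsigned short Length;          /* in bytes */
    unsigned short MaximumLength;
    wchar_t *Buffer;
} UNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    unsigned long Length;
    unsigned char Initialized;
    void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList;   /* the post's "Modulist" head */
} PEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    void *DllBase;
    void *EntryPoint;
    unsigned long SizeOfImage;
    UNICODE_STRING FullDllName;         /* the post's "FileName" */
    UNICODE_STRING BaseDllName;
} LDR_DATA_TABLE_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Walk the in-load-order list. The head inside PEB_LDR_DATA is a bare
 * LIST_ENTRY, not a module entry, so it is skipped and used as the stop
 * condition. Each link is cross-checked (Flink->Blink must point back) and
 * the walk is capped at max_names, because the list is in memory the target
 * process can corrupt. Returns the entry count, or -1 on a bad list. */
int walk_modules(PEB_LDR_DATA *ldr, const wchar_t **names, int max_names)
{
    LIST_ENTRY *head = &ldr->InLoadOrderModuleList;
    int n = 0;
    for (LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        if (n == max_names)                                   /* bound hit: cycle or huge list */
            return -1;
        if (p->Flink == NULL || p->Flink->Blink != p || p->Blink->Flink != p)
            return -1;                                        /* inconsistent links */
        LDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(p, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        names[n++] = e->FullDllName.Buffer;
    }
    return n;
}

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }
static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}
static void set_name(UNICODE_STRING *u, const wchar_t *s)
{
    u->Buffer = (wchar_t *)s;
    u->Length = (unsigned short)(wcslen(s) * sizeof(wchar_t));
    u->MaximumLength = (unsigned short)(u->Length + sizeof(wchar_t));
}

/* Constructed sample loader data standing in for a real process's PEB. */
PEB_LDR_DATA *build_sample_ldr(void)
{
    static PEB_LDR_DATA ldr;
    static LDR_DATA_TABLE_ENTRY mods[3];
    static const wchar_t *paths[3] = {
        L"C:\\test\\app.exe",
        L"C:\\Windows\\system32\\ntdll.dll",
        L"C:\\Windows\\system32\\kernel32.dll"
    };
    memset(&ldr, 0, sizeof ldr);
    memset(mods, 0, sizeof mods);
    list_init(&ldr.InLoadOrderModuleList);
    for (int i = 0; i < 3; i++) {
        set_name(&mods[i].FullDllName, paths[i]);
        list_insert_tail(&ldr.InLoadOrderModuleList, &mods[i].InLoadOrderLinks);
    }
    return &ldr;
}

int main(void)
{
    const wchar_t *names[8];
    PEB_LDR_DATA *ldr = build_sample_ldr();
    int n = walk_modules(ldr, names, 8);
    for (int i = 0; i < n; i++)
        printf("%ls\n", names[i]);
    return 0;
}
```

In a real driver the same loop runs between KeAttachProcess and KeDetachProcess, and every dereference of a user-mode pointer belongs inside a __try/__except block with ProbeForRead, since a crafted PEB can point the walker at unmapped or kernel addresses.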