__Undefined1;ULONG64 __Undefined2;ULONG64 __Undefined3;ULONG64 NonPagedDebugInfo;ULONG64 DllBase;ULONG64...EntryPoint;ULONG SizeOfImage;UNICODE_STRING path;UNICODE_STRING name;ULONG Flags;USHORT LoadCount...;USHORT __Undefined5;ULONG64 __Undefined6;ULONG CheckSum;ULONG __padding1;ULONG TimeDateStamp;...{LIST_ENTRY listEntry;ULONG unknown1;ULONG unknown2;ULONG unknown3;ULONG unknown4;ULONG unknown5;ULONG...unknown6;ULONG unknown7;UNICODE_STRING path;UNICODE_STRING name;ULONG Flags;} KLDR_DATA_TABLE_ENTRY
ULONG32 PreferredNode : 6; // 12 BitPosition /*0x000*/ ULONG32...TotalNumberOfPtes;ULONG SegmentFlags;ULONG64 NumberOfCommittedPages;ULONG64 SizeOfSegment;union{struct..._MMEXTEND_INFO* ExtendInfo;void* BasedAddress;}u;ULONG64 SegmentLock;ULONG64 u1;ULONG64 u2;PVOID* PrototypePte...pVad;ULONG_PTR startVpn;ULONG_PTR endVpn;ULONG_PTR pFileObject;ULONG_PTR flags;}VAD_INFO, *PVAD_INFO...endptr = (ULONG64)Root->Core.EndingVpnHigh;endptr = endptr Core.StartingVpnHigh
SubSystemData;ULONG64 ProcessHeap;ULONG64 FastPebLock;ULONG64 AtlThunkSListPtr;ULONG64 IFEOKey;ULONG64...CrossProcessFlags;ULONG64 UserSharedInfoPtr;ULONG SystemReserved;ULONG AtlThunkSListPtr32;ULONG64 ApiSetMap...Mutant;ULONG ImageBaseAddress;ULONG Ldr;ULONG ProcessParameters;ULONG SubSystemData;ULONG ProcessHeap...;ULONG FastPebLock;ULONG AtlThunkSListPtr;ULONG IFEOKey;ULONG CrossProcessFlags;ULONG UserSharedInfoPtr...CheckSum;union{ULONG TimeDateStamp;ULONG LoadedImports;}u2;ULONG EntryPointActivationContext;ULONG PatchInformation
DbgEbp; ULONG DbgEip; ULONG DbgArgMark; ULONG DbgArgPointer; ULONG TempSegCs; ULONG...TempEsp; ULONG Dr0; ULONG Dr1; ULONG Dr2; ULONG Dr3; ULONG Dr6; ULONG Dr7; ULONG...SegGs; ULONG SegEs; ULONG SegDs; ULONG Edx; ULONG Ecx; ULONG Eax; ULONG PreviousPreviousMode...; ULONG ExceptionList; ULONG SegFs; ULONG Edi; ULONG Esi; ULONG Ebx; ULONG Ebp; ULONG...ErrCode; ULONG Eip; ULONG SegCs; ULONG EFlags; ULONG HardwareEsp; ULONG HardwareSegSs
Attributes; ACCESS_MASK GrantedAccess; ULONG HandleCount; ULONG PointerCount...ULONG PageFaultCount; //页故障数目 ULONG PeakWorkingSetSize; //工作集峰值大小...ULONG WorkingSetSize; //工作集大小 ULONG QuotaPeakPagedPoolUsage; //分页池使用配额峰值...ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS...Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown;
GenericMapping; // _GENERIC_MAPPING ULONG ValidAccessMask; // Uint4B ULONG RetainAccess;...// Uint4B POOL_TYPE PoolType; // _POOL_TYPE ULONG DefaultPagedPoolCharge; // Uint4B ULONG...GenericMapping; // _GENERIC_MAPPING ULONG ValidAccessMask; // Uint4B ULONG RetainAccess;...// Uint4B POOL_TYPE PoolType; // _POOL_TYPE ULONG DefaultPagedPoolCharge; // Uint4B ULONG...// Uint4B POOL_TYPE PoolType; // _POOL_TYPE ULONG DefaultPagedPoolCharge; // Uint4B ULONG
Mutant;ULONG ImageBaseAddress;ULONG Ldr;ULONG ProcessParameters;ULONG SubSystemData;ULONG ProcessHeap...;ULONG FastPebLock;ULONG AtlThunkSListPtr;ULONG IFEOKey;ULONG CrossProcessFlags;ULONG UserSharedInfoPtr...;ULONG SystemReserved;ULONG AtlThunkSListPtr32;ULONG ApiSetMap;} PEB32, *PPEB32;typedef struct _PEB_LDR_DATA32...DllBase;ULONG EntryPoint;ULONG SizeOfImage;UNICODE_STRING32 FullDllName;UNICODE_STRING32 BaseDllName...;ULONG Flags;USHORT LoadCount;USHORT TlsIndex;LIST_ENTRY32 HashLinks;ULONG TimeDateStamp;} LDR_DATA_TABLE_ENTRY32
ULONG32 WriteWatch : 1; // 21 BitPosition /*0x000*/ ULONG32...ULONG32 WriteWatch : 1; // 21 BitPosition /*0x000*/ ULONG32...TotalNumberOfPtes; ULONG SegmentFlags; ULONG64 NumberOfCommittedPages; ULONG64 SizeOfSegment...SegmentLock; ULONG64 u1; ULONG64 u2; PVOID* PrototypePte; ULONGLONG ThePtes[0x1]; };...pVad; ULONG_PTR startVpn; ULONG_PTR endVpn; ULONG_PTR pFileObject; ULONG_PTR flags;
gdiRgn; // 6DCh ULONG gdiPen; // 6E0h ULONG gdiBrush...GdiBatchCount; // F70h ULONG Spare2; // F74h ULONG Spare3...// 7Ch ULONG HeapDeCommitTotalFreeThreshold; // 80h ULONG HeapDeCommitFreeBlockThreshold...// B0h ULONG ImageSubSystem; // B4h ULONG ImageSubSystemMajorVersion...; // B8h ULONG ImageSubSystemMinorVersion; // C0h ULONG GdiHandleBuffer
对应封装接口 ULONG NT_Open(); ULONG NT_Close(); ULONG NT_StartPlay(); ULONG NT_StopPlay(); ULONG NT_SetMute...(LONG is_mute); ULONG NT_SetURL(LPCTSTR url); ULONG NT_SetBuffer(LONG buffer); ULONG NT_SetRTSPTcpMode...(ULONG size); ULONG NT_NT_SP_RecorderFileNameRuler(ULONG type, LPCTSTR file_name_prefix, LONG append_date...ULONG NT_StopRecorder(); ULONG NT_FullScreen(); void OnSDKEventReceived(BSTR object_id, ULONG event_id..., ULONG param1); void OnVideoSizeReceived(ULONG width, ULONG height); ULONG NT_SetLogPath(LPCTSTR log_path
TotalNumberOfObjects; ULONG TotalNumberOfHandles; ULONG TotalPagedPoolUsage; ULONG TotalNonPagedPoolUsage...; ULONG TotalNamePoolUsage; ULONG TotalHandleTableUsage; ULONG HighWaterNumberOfObjects; ULONG HighWaterNumberOfHandles...; ULONG HighWaterPagedPoolUsage; ULONG HighWaterNonPagedPoolUsage; ULONG HighWaterNamePoolUsage;...; ULONG TotalNamePoolUsage; ULONG TotalHandleTableUsage; ULONG HighWaterNumberOfObjects; ULONG HighWaterNumberOfHandles...; ULONG HighWaterPagedPoolUsage; ULONG HighWaterNonPagedPoolUsage; ULONG HighWaterNamePoolUsage;
__Undefined1;ULONG64 __Undefined2;ULONG64 __Undefined3;ULONG64 NonPagedDebugInfo;ULONG64 DllBase;ULONG64...;USHORT __Undefined5;ULONG64 __Undefined6;ULONG CheckSum;ULONG __padding1;ULONG TimeDateStamp;...{LIST_ENTRY listEntry;ULONG unknown1;ULONG unknown2;ULONG unknown3;ULONG unknown4;ULONG unknown5;ULONG...__Undefined1;ULONG64 __Undefined2;ULONG64 __Undefined3;ULONG64 NonPagedDebugInfo;ULONG64 DllBase;ULONG64...{LIST_ENTRY listEntry;ULONG unknown1;ULONG unknown2;ULONG unknown3;ULONG unknown4;ULONG unknown5;ULONG
;ULONG ReferenceCount;ULONG PagedPoolUsage;ULONG...NonPagedPoolUsage;ULONG Reserved[3];ULONG NameInformationLength;ULONG...; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; LIST_ENTRY64 HashLinks; ULONG64 SectionPointer...; ULONG64 CheckSum; ULONG64 TimeDateStamp; ULONG64 LoadedImports; ULONG64 EntryPointActivationContext...[in] ULONG HandleAttributes, // 一个 ULONG,指定新句柄的所需属性。
)(*(data + 0))) << 8; xsum += ((ulong)(*(data + 1))) << 0; xsum += ((ulong)(*(data + 2))) <<...8; xsum += ((ulong)(*(data + 3))) << 0; xsum += ((ulong)(*(data + 4))) << 8; xsum += ((ulong...)(*(data + 5))) << 0; xsum += ((ulong)(*(data + 6))) << 8; xsum += ((ulong)(*(data + 7))) <<...)(*(data + 0))) << 8; xsum += ((ulong)(*(data + 1))) << 0; /* sum UDP content */ data = &...(ip->udp_src); while(len > 1) { xsum += ((ulong)(*(data + 0))) << 8; xsum +=
Mutant; ULONG ImageBaseAddress; ULONG Ldr; ULONG ProcessParameters; ULONG SubSystemData; ULONG...ProcessHeap; ULONG FastPebLock; ULONG AtlThunkSListPtr; ULONG IFEOKey; ULONG CrossProcessFlags;...ULONG UserSharedInfoPtr; ULONG SystemReserved; ULONG AtlThunkSListPtr32; ULONG ApiSetMap;} PEB32,...{ ULONG Length; UCHAR Initialized; ULONG SsHandle; LIST_ENTRY32 InLoadOrderModuleList; LIST_ENTRY32...; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; LIST_ENTRY32 HashLinks; ULONG TimeDateStamp;}
所有的内核里上报的事件开头基本都是 ReportSize ReportType struct _Report_Common_Header { ULONG ReportType; ULONG ReportSize...ProcessPid; ULONG ParentPid; ULONG SessionId; ULONG UserSid; LARGE_INTEGER CreateTime; LUID AuthenticationId...; ULONG TokenIsAppContainer; LUID TokenId; ULONG HashingalgorithmRule; DWORD DataChunkLength[6]; CHAR...ThreadOwnerPidv; ULONG ThreadId; ULONG ThreadAddress; ULONG OpenProcessPid; WCHAR DllInfo[261]; WCHAR...MyThreadId; ULONG OpenPrcesid; ULONG AccessMask; LARGE_INTEGER CreateTime; ULONG StatckTrackInfoSize
Flage; ULONG Addr; ULONG WriteBufferAddr; ULONG Size; ULONG Pid; }_Hread, *PtrHread; typedef struct...Informaiton = 0; PVOID InputData = NULL; ULONG InputDataLength = 0; PVOID OutputData = NULL; ULONG...RetFlage = PtrBuff->Flage; ULONG RetAddr = PtrBuff->Addr; ULONG RetBufferAddr = PtrBuff->WriteBufferAddr...; ULONG Size = PtrBuff->Size; ULONG Pid = PtrBuff->Pid; DbgPrint("读取文件标志:%d", RetFlage);...Flage; ULONG Addr; ULONG WriteBufferAddr; ULONG Size; ULONG Pid; }_Hread, *PtrHread; int main(int
ImageUsesLargePages: 1; ULONG IsProtectedProcess: 1; ULONG IsLegacyProcess: 1; ULONG...CrossProcessFlags; ULONG ProcessInJob: 1; ULONG ProcessInitializing: 1; ULONG ReservedBits0...SystemReserved[1]; ULONG SpareUlong; PPEB_FREE_BLOCK FreeList; ULONG TlsExpansionCounter...; ULONG HeapSegmentCommit; ULONG HeapDeCommitTotalFreeThreshold; ULONG HeapDeCommitFreeBlockThreshold...; ULONG OSPlatformId; ULONG ImageSubsystem; ULONG ImageSubsystemMajorVersion; ULONG
Mutant; ULONG ImageBaseAddress; ULONG Ldr; ULONG ProcessParameters; ULONG SubSystemData; ULONG...ProcessHeap; ULONG FastPebLock; ULONG AtlThunkSListPtr; ULONG IFEOKey; ULONG CrossProcessFlags;...ULONG UserSharedInfoPtr; ULONG SystemReserved; ULONG AtlThunkSListPtr32; ULONG ApiSetMap; } PEB32,...+ 6) = (ULONG)(ULONG_PTR)pUserPath; *(ULONG*)((PUCHAR)InjectBuffer + 15) = (ULONG)((ULONG_PTR)LdrLoadDll...- ((ULONG_PTR)InjectBuffer + 15) - 5 + 1); *(ULONG*)((PUCHAR)InjectBuffer + 20) = (ULONG)(ULONG_PTR
Flage;ULONG Addr;ULONG WriteBufferAddr;ULONG Size;ULONG Pid;}_Hread, *PtrHread;typedef struct _DEVICE_EXTENSION...Informaiton = 0;PVOID InputData = NULL;ULONG InputDataLength = 0;PVOID OutputData = NULL;ULONG OutputDataLength...RetFlage = PtrBuff->Flage;ULONG RetAddr = PtrBuff->Addr;ULONG RetBufferAddr = PtrBuff->WriteBufferAddr...;ULONG Size = PtrBuff->Size;ULONG Pid = PtrBuff->Pid;DbgPrint("读取文件标志:%d", RetFlage);DbgPrint("读取写入地址...Flage;ULONG Addr;ULONG WriteBufferAddr;ULONG Size;ULONG Pid;}_Hread, *PtrHread;int main(int argc, char
领取专属 10元无门槛券
手把手带您无忧上云