Forum: Free Advertising Forums > Other Methods of FREE Advertising > Auto Surf Traffic Exchanges
Posted 11-09-2011, 02:52 AM, #11
3p3y5g7c6e (Commander In Chief; Join Date: Sep 2010; Posts: 614)

2010-12-10 10:03, Category: MSN-computer
from:

When a program is being debugged by a ring3 debugger, there are many debugging characteristics that can be detected, and the forum already has a dedicated post covering them in detail. But there is one very fundamental detectable sign that few people mention: _EPROCESS.DebugPort. DebugPort is essential to a ring3 debugger; without it, normal ring3 debugging cannot be carried out. Of course, the premise of checking this flag is that the program can read ring0 memory. On XP and later systems there is a very simple way, which is to use the SysDbgReadVirtualMemory method of ZwSystemDebugControl; we can also map physical memory to do it. Before DebugPort can be checked, the EPROCESS address of the process must first be obtained, which can be done through the SystemHandleInformation class of ZwQuerySystemInformation, or by directly searching ring0 memory for the EPROCESS structure.

Against direct detection of DebugPort from ring3, we can deal with it by forbidding the process from accessing ring0 memory, but once a driver is used to detect the target, that becomes very cumbersome. Here is an approach to hiding _EPROCESS.DebugPort. The basic idea is to set the DebugPort of a process that is being debugged normally to zero, and then correct all the affected functions so that our debugger can still work normally. These functions are as follows:
- PspCreateProcess, MmCreatePeb: process creation, setting DebugPort
- DbgkCreateThread: sending debug information when a thread or process is created
- KiDispatchException, DbgkForwardException and DbgkpQueueMessage: sending exception debug information
- PspExitThread, DbgkExitThread and DbgkExitProcess: sending thread-exit and process-exit debug information
- DbgkMapViewOfSection, DbgkUnMapViewOfSection and DbgkpMarkProcessPeb: sending image load and unload debug information
- DbgkpSetProcessDebugObject: setting the process DebugPort when a debugger attaches

There are a great many such functions, and hooking all of them would be horrible, so here we use a very simple method: "steal the dragon and swap in the phoenix", i.e. swap one thing for another. Let us look at what the system's code for accessing DebugPort looks like (XP):
8b89bc000000    mov ecx, dword ptr [ecx+0BCh]    // 0BCh is the offset of DebugPort

We can move DebugPort to another place in _EPROCESS. For example, I use CreateTime at +0x070. It records the creation time of the process; once the process has been created, the system makes no changes to it until the process exits, and our modification of it affects neither the system nor the process in any way. So we can change the above code to:
8b8970000000    mov ecx, dword ptr [ecx+070h]    // points to CreateTime; the actual DebugPort has been moved here
Only one byte needs to be modified, which is very simple.
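As an added illustration (not code from the original post), the following C snippet makes the "one byte" claim concrete and shows the check a kernel code-integrity monitor would run over such a site: it decodes the opcode, ModRM and disp32 of the two encodings quoted above and confirms whether the displacement still equals the expected DebugPort offset. The byte buffers are constructed inline from the post's two encodings; the offsets 0xBC and 0x70 are the ones the post gives for the XP layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Offsets quoted in the post (XP _EPROCESS layout). */
#define EPROCESS_DEBUGPORT_OFFSET  0xBCu
#define EPROCESS_CREATETIME_OFFSET 0x70u

/* Decoded form of opcode 8B /r with mod=10: mov r32, dword ptr [r32 + disp32]. */
typedef struct {
    uint8_t  reg;   /* ModRM reg field, destination register (001 = ecx) */
    uint8_t  rm;    /* ModRM r/m field, base register (001 = ecx) */
    uint32_t disp;  /* little-endian 32-bit displacement */
} mov_disp32_t;

/* Decode a 6-byte "mov r32, dword ptr [r32+disp32]" instruction.
   Returns false unless the bytes are opcode 8B, mod=10 and a plain base (no SIB byte). */
bool decode_mov_disp32(const uint8_t *code, size_t len, mov_disp32_t *out)
{
    if (len < 6 || code[0] != 0x8B) return false;
    uint8_t modrm = code[1];
    uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod != 2 || rm == 4) return false;   /* rm=100 would require a SIB byte */
    out->reg  = reg;
    out->rm   = rm;
    out->disp = (uint32_t)code[2] | ((uint32_t)code[3] << 8) |
                ((uint32_t)code[4] << 16) | ((uint32_t)code[5] << 24);
    return true;
}

/* Count how many bytes differ between two equal-length encodings. */
size_t count_differing_bytes(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) if (a[i] != b[i]) n++;
    return n;
}

/* Integrity check for one DebugPort access site.
   Returns 1 = still reads the expected offset, 0 = displacement was altered,
   -1 = bytes are not the expected instruction shape at all. */
int debugport_access_intact(const uint8_t *code, size_t len)
{
    mov_disp32_t m;
    if (!decode_mov_disp32(code, len, &m)) return -1;
    return m.disp == EPROCESS_DEBUGPORT_OFFSET ? 1 : 0;
}

/* Constructed sample bytes: the original instruction and the patched one from the post. */
static const uint8_t original_access[6] = {0x8B, 0x89, 0xBC, 0x00, 0x00, 0x00};
static const uint8_t patched_access[6]  = {0x8B, 0x89, 0x70, 0x00, 0x00, 0x00};

int main(void)
{
    mov_disp32_t o, p;
    decode_mov_disp32(original_access, sizeof original_access, &o);
    decode_mov_disp32(patched_access, sizeof patched_access, &p);
    printf("original: [r%u+0x%X]  patched: [r%u+0x%X]  bytes changed: %zu\n",
           (unsigned)o.rm, o.disp, (unsigned)p.rm, p.disp,
           count_differing_bytes(original_access, patched_access, 6));
    printf("original intact: %d  patched intact: %d\n",
           debugport_access_intact(original_access, 6),
           debugport_access_intact(patched_access, 6));
    return 0;
}
```

The same decode-and-compare step, run over every known DebugPort access site, is how a monitor would notice that a displacement has been redirected from 0xBC to 0x70 even though the instruction is still a well-formed mov.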

Of course, the most troublesome part of this method is locating the functions that reference DebugPort (I made signatures for the different XP systems and was so tired I nearly spat blood); these functions are not exported. If it is only for one specific system, the easiest way is to use WinDbg -> uf *** and hard-code the addresses directly, which takes just a few minutes.

One more long-winded remark: in the code above we see that many functions have a NOPCode. This is actually aimed at the thread's PS_CROSS_THREAD_FLAGS_HIDEFROMDBG; by NOPing out the relevant spots, even if the thread is set to ThreadHideFromDebugger, it cannot stop the debugger from receiving debug information.

****************************************************************
I wish everyone's skills get more and more "bullish" in this Year of the Ox, and that side dishes like me can come back and see the bulls' work!





Saturn's note: This article may be out of date and is not very applicable now. First, there are more than 13 of the addresses mentioned above; second, modifying CreateTime causes a blue screen.