﻿{"id":157,"date":"2009-07-28T19:39:13","date_gmt":"2009-07-28T19:39:13","guid":{"rendered":""},"modified":"2011-11-18T17:04:23","modified_gmt":"2011-11-18T09:04:23","slug":"157","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/157.html","title":{"rendered":"\u641c\u7d22\u9ad8\u7aef\u5185\u5b58\u679a\u4e3e\u8fdb\u7a0b"},"content":{"rendered":"<p><span style=\"font-size: x-small;\">\u4e4b\u524d\u5199\u4e86pspCidTable\u679a\u4e3e\u8fdb\u7a0b\uff0c\u6709\u670b\u53cbmail\u63d0\u5230\u4e86\u76f4\u63a5\u641c\u7d22\u5185\u5b58\u9ad8\u5730\u5740\u6765\u679a\u4e3e\u8fdb\u7a0b\u3002\u8bb0\u5f97\u597d\u50cf\u4ee5\u524duty\u63d0\u5230\u8fc7\u8fd9\u79cd\u65b9\u6cd5\uff0c\u987a\u5e26\u4e5f\u81ea\u5df1\u8bd5\u8bd5\u3002<\/span><\/p>\n<p>\u7b2c\u4e00\u90e8\u5206\uff1a\u5206\u9875\u5904\u7406<br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<\/p>\n<p>0x80000000-0xFFFFFFFF \u662f\u7cfb\u7edf\u5730\u5740\u7a7a\u95f4\u3002\u4e00\u822ckd debug\u7684\u65f6\u5019\u5f88\u5bb9\u6613\u770b\u5230EPROCESS\u90fd\u96c6\u4e2d\u57280x80000000-0x90000000\u3002\u6302\u9a71\u52a8\u8fdb\u53bb\u641c\u5427\u3002 \ud83d\ude42<br 
\/>\n\u55ef\uff0c\u4e0d\u8fc7\u65e2\u7136\u662fXP\u73af\u5883\u4e0b\uff0c\u5206\u9875\u662f\u5fc5\u7136\u4e86\uff08\u8981\u9a8c\u8bc1\u7684\u8bdd\uff0c\u7cfb\u7edf\u521d\u59cb\u5316\u7684\u65f6\u5019break\u4e0b\u6765\uff0cCR0\u91cc31\u4f4d\u662f1\uff09\u3002\u5206\u9875\u4e86\uff0c\u5fc5\u8981\u7684\u68c0\u67e5\u662f\u5c11\u4e0d\u4e86\u4e86\u3002\u56e0\u4e3a\u865a\u62df\u5730\u5740\u662f\u88ab\u6620\u5c04\u8fc7\u7684\uff0c\u4e00\u65e6\u641c\u7d22\u5230\u7684\u9875\u662f\u4ea4\u6362\u5230\u786c\u76d8\u4e0a\u7684\uff0c\u90a3\u5c31\u84dd\u7684\u6d77\u5929\u4e00\u8272\u4e86&#8230;<\/p>\n<p>\u68c0\u67e5\u4e5f\u4e0d\u590d\u6742\uff0c\u5982\u679c\u6211\u4eec\u8bbf\u95ee\u7684\u865a\u62df\u5730\u5740\u6240\u5728\u9875\u5728\u7269\u7406\u5185\u5b58\u91cc\uff0c\u865a\u62df\u5730\u5740\u6240\u5728\u9875\u76f8\u5e94\u7684 PDE\uff0cPTE \u5c31\u90fd\u662f\u6709\u6548\u7684\uff0c\u90a3\u4e48\u5176\u4ed6\u7684\u5c31\u6254\u7ed9CPU\u8f6c\u6362\u6210\u7269\u7406\u5730\u5740\u7136\u540e\u8bbf\u95ee\u5c31\u5b8c\u4e86\u3002\u5982\u679c\u9875\u4e0d\u5728\u7269\u7406\u5185\u5b58\u4e2d\uff08\u6700\u4e0d\u5e0c\u671b\u7684\u5c31\u662f\u5728\u786c\u76d8\u4e0a\u7684\u4ea4\u6362\u6587\u4ef6\u91cc\uff09\uff0c\u90a3\u5bf9\u5e94\u7684PDE\uff0cPTE \u90fd\u662f\u65e0\u6548\u7684\uff0c\u4e00\u8bbf\u95ee\u5fc5\u7136\u662fPage-Fault\u3002<\/p>\n<p>\u770b\u4e0b\u6709\u6548\u9875\u8868\u9879PTE\u7684\u7ed3\u6784\uff1a<br \/>\nkd&gt; dt _HARDWARE_PTE<br \/>\nnt!_HARDWARE_PTE<br \/>\n+0x000 Valid\u00a0 \u00a0\u00a0 \u00a0: Pos 0, 1 Bit<br \/>\n+0x000 Write\u00a0 \u00a0\u00a0 \u00a0: Pos 1, 1 Bit<br \/>\n+0x000 Owner\u00a0 \u00a0\u00a0 \u00a0: Pos 2, 1 Bit<br \/>\n+0x000 WriteThrough\u00a0 \u00a0: Pos 3, 1 Bit<br \/>\n+0x000 CacheDisable\u00a0 \u00a0: Pos 4, 1 Bit<br \/>\n+0x000 Accessed\u00a0 \u00a0\u00a0\u00a0: Pos 5, 1 Bit<br \/>\n+0x000 Dirty\u00a0 \u00a0\u00a0 \u00a0: Pos 6, 1 Bit<br \/>\n+0x000 LargePage\u00a0 \u00a0 : Pos 7, 1 Bit<br \/>\n+0x000 Global\u00a0 \u00a0\u00a0 \u00a0: Pos 8, 1 Bit<br 
\/>\n+0x000 CopyOnWrite\u00a0 \u00a0: Pos 9, 1 Bit<br \/>\n+0x000 Prototype\u00a0 \u00a0 : Pos 10, 1 Bit<br \/>\n+0x000 reserved\u00a0 \u00a0\u00a0\u00a0: Pos 11, 1 Bit<br \/>\n+0x000 PageFrameNumber : Pos 12, 20 Bits<\/p>\n<p>OK\uff0c\u8fd9\u4e9b\u591a\u7684\u4fe1\u606f\u5df2\u7ecf\u8db3\u591f\u4e86&#8230;\u5176\u5b9e\u6211\u4eec\u53ea\u5173\u5fc3\u91cc\u9762\u7684\u4e24\u4e2a\u4f4d\uff0c0\u4f4d\u548c7\u4f4d\u3002\u5f530\u4f4d\u4e3a1\u65f6\uff0c\u8bf4\u660ePTE\u6709\u6548\uff0c\u6211\u4eec\u904d\u5386\u7684\u9875\u5728\u7269\u7406\u5185\u5b58\u4e2d\uff0c\u4e00\u5207\u5b89\u5168&#8230;而第 7 位的 LargePage 只在 PDE 里才有大页的含义（x86 的 4KB 页表项里第 7 位是 PAT，Windows 只是用同一个 _HARDWARE_PTE 结构描述两种表项）：置位表示这个 PDE 直接映射一个 4MB 大页，没有下一级页表，物理帧号直接来自 PDE 本身，所以 PDE 有效且 LargePage 置位时就不必再查 PTE，下面的代码正是这么做的。在本文的 XP 非 PAE 环境里观察到内核用大页映射的区间大致是 0x80000000 到 0xa0000000（减去 0x80000000 就得到了物理地址），但这只是该环境下的观察结果，不是 LargePage 位的定义；这部分也是安全的&#8230;.<br \/>\n\u5b8c\u4e8b\u4e86\uff0c\u8f6c\u5230\u9875\u76ee\u5f55\u9879PDE\uff0c\u5bf9\u6211\u4eec\u6709\u7528\u7684\u4fe1\u606f\u4e0d\u591a\uff0c0\u4f4d\u662f1\u65f6\u4e3aValid\uff0c\u5176\u4ed6\u7684\u4e0d\u5173\u5fc3\u4e86\u3002 \ud83d\ude42<\/p>\n<p>\u5927\u6982\u60c5\u51b5\u662f\u8fd9\u6837\uff1a<br \/>\n4G\u5730\u5740\u7a7a\u95f4\u76841024\u4e2a\u9875\u8868\u6309\u987a\u5e8f\u88ab\u6620\u5c04\u5230\u4e860xC0000000~0xC03FFFFF\u76844M\u5730\u5740\u7a7a\u95f4\u3002\u7b2c\u4e00\u4e2a4M\u5730\u5740\u7a7a\u95f4\u7684\u9875\u8868\u5bf9\u5e940xC0000000\u5f00\u59cb\u76844K\uff0c\u4ee5\u6b64\u7c7b\u63a8\u3002\u800c\u9875\u76ee\u5f55\u88ab\u6620\u5c04\u5230\u4e860xC0300000\u5f00\u59cb\u5904\u76844K\u5730\u5740\u7a7a\u95f4\u3002<br \/>\n\u4e5f\u5c31\u662f\u8bf4\uff0cPTE\u662f\u63090x1000(4KB)\u6b65\u8fdb\uff0c\u800cPDE\u662f\u63090x400000(4mb)\u9012\u589e\u3002<\/p>\n<p>\u4ee3\u7801\u5982\u4e0b\uff1a<br \/>\nULONG ValidatePage(ULONG Addr)<br \/>\n{<br \/>\nULONG pte;<br \/>\nULONG pde;<\/p>\n<p>pde = 0xc0300000 + (Addr&gt;&gt;22)*4;<br \/>\nif((*(PULONG)pde &amp; 0x1) != 0)\u00a0 
\u00a0\u00a0 \u00a0\/\/\u5224\u65ad0\u4f4d\u662f\u5426\u4e3a1<br \/>\n{<br \/>\nif((*(PULONG)pde &amp; 0x80) != 0)\u00a0 \u00a0\/\/\u5224\u65ad7\u4f4d\u662f\u5426\u4e3a1<br \/>\n{<br \/>\nreturn VALID;<br \/>\n}<\/p>\n<p>pte = 0xc0000000 + (Addr&gt;&gt;12)*4;<br \/>\nif((*(PULONG)pte &amp; 0x1) != 0)<br \/>\n{<br \/>\nreturn VALID;<br \/>\n}<br \/>\nelse<br \/>\n{<br \/>\nreturn PTE_INVALID;<br \/>\n}<br \/>\n}<\/p>\n<p>return PDE_INVALID;<br \/>\n}<\/p>\n<p>\u51e0\u4e2a\u5168\u5c40\u53d8\u91cf\u5982PDE_INVALID\u968f\u4fbf\u5b9a\u4e49\u4e2a\u503c\uff0c\u503c\u5f97\u5173\u6ce8\u7684\u662f\u600e\u4e48\u83b7\u53d6\u865a\u62df\u5730\u5740\u5bf9\u5e94\u7684PTE\u548cPDE\u3002<br \/>\n\u4eceWINDOWS\u5185\u6838\u52fe\u51fa\u6765\u7684\uff0c\u5982\u4e0b\uff1a<br \/>\n#define MiGetPteAddress(va) ((PMMPTE)(((((ULONG)(va)) &gt;&gt; 12) &lt;&lt; 2) + PTE_BASE))<br \/>\n#define MiGetPdeAddress(va) ((PMMPTE)(((((ULONG)(va)) &gt;&gt; 22) &lt;&lt; 2) + PDE_BASE))<br \/>\nPTE_BASE\u4e3a0xc0000000\uff0cPDE_BASE\u4e3a0xc0300000\u3002<\/p>\n<p>\u7b2c\u4e8c\u90e8\u5206\uff1a\u8fdb\u7a0b\u641c\u7d22<br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br \/>\n\u53c2\u8003\u539f\u6765uty\u7684\u6587\u7ae0\uff0c\u6211\u4eec\u91cd\u5199\u4e4b\uff1a<\/p>\n<p>VOID SearchProcess(void)<br \/>\n{<br \/>\nULONG i;<br \/>\nULONG result;<br \/>\nULONG Address;<\/p>\n<p>for (i = 0x80000000 ;i&lt;0x90000000;i+=4)<br \/>\n{<br \/>\nresult = ValidatePage(i);<br \/>\nif (result == VALID)<br \/>\n{<br \/>\nAddress = *(PULONG)i;<br \/>\nif ((Address &amp; 0xffff0000) == 0x7ffd0000)<br \/>\n{<br \/>\nif(ValidateProcess(i))<br \/>\n{<br \/>\nDbgPrint(&#8220;EPROCESS: 0x%x &#8220;,i-PEB_OFFSET);<br \/>\nDbgPrint(&#8220;PID:%4d ProcessName: %s<br \/>\n&#8220;,<br \/>\n*(PULONG)(i-PEB_OFFSET+PROCESS_ID_OFFSET),<br 
\/>\n(PCHAR)(i-PEB_OFFSET+EPROCESS_NAME_OFFSET));<\/p>\n<p>i += EPROCESS_SIZE;<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\nelse<br \/>\nif(result == PTE_INVALID)<br \/>\n{<br \/>\ni -=4;<br \/>\ni += 0x1000;<br \/>\n}<br \/>\nelse<br \/>\n{<br \/>\ni-=4;<br \/>\ni+= 0x400000;<br \/>\n}<br \/>\n}<\/p>\n<p>DbgPrint(&#8220;Done.&#8221;);<br \/>\n}<\/p>\n<p>\u6709\u51e0\u4e2a\u6709\u610f\u601d\u7684\u5730\u65b9\uff1a<\/p>\n<p>1. if ((Address &amp; 0xffff0000) == 0x7ffd0000)<br \/>\n\u6211\u6ca1\u82b1\u65f6\u95f4\u53bb\u60f3\u600e\u4e48\u5728\u5185\u6838\u91cc\u5f97\u5230PEB\uff0c\u6bd4\u5982EPROCESS\u904d\u5386\u94fe\u6216\u8005ZwQueryInformationProcess\uff0c\u800c\u662f\u76f4\u63a5\u786c\u7f16\u7801\uff0c\u56e0\u4e3a\u83b7\u53d6PEB\u5730\u5740\u7684\u65b9\u6cd5\u7b80\u5355\u7684\u8fc7\u5206\uff0c\u4ea4\u7ed9ring3\u90e8\u5206\u6765\u5904\u7406\uff0c\u5982\u4e0b\uff1a<\/p>\n<p>#include &lt;stdio.h&gt;<\/p>\n<p>__inline __declspec(naked) unsigned int GetPEB()<br \/>\n{<br \/>\n__asm<br \/>\n{<br \/>\nxor esi, esi<br \/>\nmov esi, fs:[esi + 30H]<br \/>\nmov eax, esi<br \/>\nret<br \/>\n}<br \/>\n}<\/p>\n<p>void main(void)<br \/>\n{<br \/>\nprintf(&#8220;located at: 0x%0.8X<br \/>\n&#8220;,GetPEB());<br \/>\ngetchar();<br \/>\n}<\/p>\n<p>\u53c2\u8003\u6211\u5199\u7684\u300aWIN\u4e0b\u83b7\u53d6kernel\u57fa\u5740\u7684shellcode\u63a2\u8ba8\u300b\u3002<br \/>\n\u5f97\u5230\u7684\u503c\u662f0x7ffd9000\uff0c\u5bf9\u4e0d\u540c\u7684\u8fdb\u7a0b\uff0cPEB\u9ad8\u4f4d\u662f\u4e00\u6837\u7684\uff0c\u6211\u4eec\u5c4f\u853d\u4f4e\u4f4d\u5c31\u53ef\u4ee5\u4e86\u3002<\/p>\n<p>2. 
\u548cXP\u5e73\u53f0\u76f8\u5173\u7684\u4e00\u4e9b\u503c\uff1a<br \/>\n#define EPROCESS_SIZE 0x25C<br \/>\n#define PEB_OFFSET 0x1b0<br \/>\n#define PROCESS_ID_OFFSET 0x084<br \/>\n#define OBJECT_HEADER_SIZE 0x18<br \/>\n#define OBJECT_TYPE_OFFSET 0x8<br \/>\n#define EPROCESS_NAME_OFFSET 0x174<br \/>\n\u8fd9\u4e9b\u90fd\u53ef\u4ee5\u7528KD\u81ea\u5df1\u770b\u5230\uff0c\u4e0d\u5e9f\u8bdd\u4e86\u3002 \ud83d\ude42<\/p>\n<p>3. \u5224\u65ad\u662f\u4e0d\u662f\u8fdb\u7a0b\uff0c\u8fd9\u4e2a\u6211\u6ca1\u505a\u4ec0\u4e48\u66f4\u6539\uff0c\u628auty\u725b\u725b\u7684\u4ee3\u7801\u76f4\u63a5\u642c\u8fc7\u6765\u7684 *\u3002*<\/p>\n<p>4. \u5173\u4e8e\u6539\u8fdb\uff1a<br \/>\n\u4f60\u53ef\u4ee5\u8003\u8651\u4e0b\u7a0b\u5e8f\u7684\u6548\u7387\uff0c\u5bf9\u5faa\u73af\u505a\u70b9\u4f18\u5316\uff0c\u56e0\u4e3a\u6bd5\u7adf\u4e0d\u53ef\u80fd\u52300x90000000\uff1b\u53e6\u5916\u4e00\u4e2a\u5c31\u662fsystem\u8fdb\u7a0b\uff0c\u679a\u4e3e\u5b83\u8fd8\u662f\u6709\u70b9\u95ee\u9898\u7684\uff0c\u81ea\u5df1PsGetCurrentProcess\u5427\u3002<br \/>\n\u5176\u4ed6\u7684\uff0c\u6682\u65f6\u60f3\u4e0d\u5230\u4e86&#8230;\u521a\u5403\u9971\u996d\uff0c\u5bb9\u6613\u5f97\u80c3\u75c5&#8230;<\/p>\n<p>审阅补记，几点实用上的注意事项：<br \/>\n(1) 本文的页表自映射地址（PTE_BASE 0xC0000000、PDE_BASE 0xC0300000）和 4 字节表项只对非 PAE 的 32 位内核成立。开启 PAE 后（XP SP2 起启用 DEP 的机器很常见）表项变成 8 字节、自映射布局也不同，ValidatePage 会读到错误的位置甚至直接蓝屏。加载前先在 kd 里确认 CR4 的 PAE 位（第 5 位）为 0，或者干脆改用 MmIsAddressValid。<br \/>\n(2) 系统地址空间从 0x80000000 开始的前提是默认的 2GB\/2GB 划分；启用 \/3GB 后内核空间从 0xC0000000 开始，下面两段扫描范围要相应调整。<br \/>\n(3) ValidatePage 返回 VALID 到真正解引用 *(PULONG)i 之间没有任何同步，理论上页面仍可能在这段时间被换出，MmIsAddressValid 也有同样的固有竞争，所以这种扫描只适合当调试和实验工具，不要放进产品代码。<br \/>\n(4) 0x7ffd 这个 PEB 高位判据和上面那组 EPROCESS 偏移都只对本文的 XP 版本成立，换系统版本必须用 kd 重新读取；System 进程没有 PEB（Peb 为 NULL），这种判据永远枚举不到它，这也是上面说自己 PsGetCurrentProcess 的原因。另外 ImageFileName 是定长数组、不保证以 0 结尾，ShowProcess 里的 %s 改成 %.16s 更稳妥。<br \/>\n(5) 下面完整代码里 DriverUnloAd 是空的，而 WorkThread 创建后没有任何等待：扫描没结束就卸载驱动，线程会跑在已经释放的代码上。卸载前应等待线程结束（先用 ObReferenceObjectByHandle 拿到线程对象再 KeWaitForSingleObject），PsCreateSystemThread 返回的句柄也要 ZwClose；它的返回值目前被忽略了，失败时 DriverEntry 仍然返回 STATUS_SUCCESS。<br \/>\n(6) 经博客系统渲染后，代码里的双引号变成了弯引号（&#8220; &#8221;）、部分减号变成了长破折号（&#8211;），DbgPrint 格式串末尾的换行转义也被吃掉了；照抄编译前要改回 ASCII 的双引号和减号，并补回换行。<\/p>\n<p>\u5b8c\u6574\u7684\u4ee3\u7801\uff1a<br \/>\n=========================================================================<br \/>\n#include &lt;ntddk.h&gt;<\/p>\n<p>#define PDE_INVALID 2<br \/>\n#define PTE_INVALID 1<br \/>\n#define VALID 0<\/p>\n<p>#define EPROCESS_SIZE 0x25C<br \/>\n#define PEB_OFFSET 0x1b0<br \/>\n#define PROCESS_ID_OFFSET 0x084<br \/>\n#define OBJECT_HEADER_SIZE 0x18<br \/>\n#define OBJECT_TYPE_OFFSET 0x8<br \/>\n#define EPROCESS_NAME_OFFSET 0x174<\/p>\n<p>VOID WorkThread(IN PVOID pContext);<br \/>\nVOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object);<br \/>\nVOID SearchProcess(VOID);<br \/>\nVOID ShowProcess(ULONG Addr);<br \/>\nULONG ValidatePage(ULONG Addr);<br \/>\nBOOLEAN ValidateProcess(ULONG i);<\/p>\n<p>NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING 
RegistryPath)<br \/>\n{<br \/>\nNTSTATUS dwStAtus;<br \/>\nHANDLE hThreAd;<\/p>\n<p>DriverObject-&gt;DriverUnload = DriverUnloAd;<\/p>\n<p>dwStAtus = PsCreateSystemThread(<br \/>\n&amp;hThreAd,<br \/>\n(ACCESS_MASK)0,<br \/>\nNULL,<br \/>\n(HANDLE)0,<br \/>\nNULL,<br \/>\nWorkThread,<br \/>\nNULL<br \/>\n);<\/p>\n<p>return STATUS_SUCCESS;<br \/>\n}<br \/>\n\/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\nVOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object)<br \/>\n{<br \/>\n}<br \/>\n\/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\nVOID WorkThread(IN PVOID pContext)<br \/>\n{<br \/>\nDbgPrint(&#8220;WorkThread is ready.&#8221;);<br \/>\nSearchProcess();<\/p>\n<p>PsTerminateSystemThread(STATUS_SUCCESS);<br \/>\n}<br \/>\n\/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\nVOID SearchProcess(void)<br \/>\n{<br \/>\nULONG i;<br \/>\nULONG result;<br \/>\nULONG Address;<\/p>\n<p>DbgPrint(&#8220;WorkThread is working.&#8221;);<br \/>\nfor (i = 0x80000000 ;i&lt;0x90000000;i+=4)<br \/>\n{<br \/>\nresult = ValidatePage(i);<br \/>\nif (result == VALID)<br \/>\n{<br \/>\nAddress = *(PULONG)i;<br \/>\nif ((Address &amp; 0xffff0000) == 0x7ffd0000)<br \/>\n{<br \/>\nif(ValidateProcess(i))<br \/>\n{<br \/>\n\/\/DbgPrint(&#8220;EPROCESS: 0x%x &#8220;,i-PEB_OFFSET);<br \/>\nShowProcess(i);<br \/>\ni += EPROCESS_SIZE;<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\nelse<br \/>\nif(result == PTE_INVALID)<br \/>\n{<br \/>\ni -=4;<br \/>\ni += 0x1000;\/\/4k<br \/>\n}<br \/>\nelse<br \/>\n{<br \/>\ni-=4;<br \/>\ni+= 0x400000;\/\/4mb<br \/>\n}<br \/>\n}<\/p>\n<p>for (i = 0xf0000000 ;i&lt;0xffbe0000;i+=4)<br \/>\n{<br \/>\nresult = 
ValidatePage(i);<br \/>\nif (result == VALID)<br \/>\n{<br \/>\nAddress = *(PULONG)i;<br \/>\nif ((Address &amp; 0xffff0000) == 0x7ffd0000)<br \/>\n{<br \/>\nif(ValidateProcess(i))<br \/>\n{<br \/>\n\/\/DbgPrint(&#8220;EPROCESS: 0x%x &#8220;,i-PEB_OFFSET);<br \/>\nShowProcess(i);<br \/>\ni += EPROCESS_SIZE;<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\nelse<br \/>\nif(result == PTE_INVALID)<br \/>\n{<br \/>\ni -=4;<br \/>\ni += 0x1000;\/\/4k<br \/>\n}<br \/>\nelse<br \/>\n{<br \/>\ni-=4;<br \/>\ni+= 0x400000;\/\/4mb<br \/>\n}<br \/>\n}<\/p>\n<p>DbgPrint(&#8220;Searching is finished.&#8221;);<br \/>\n}<br \/>\n\/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\nVOID ShowProcess(ULONG i)<br \/>\n{<br \/>\nDbgPrint(&#8220;PID:%4d ProcessName: %s<br \/>\n&#8220;,<br \/>\n*(PULONG)(i-PEB_OFFSET+PROCESS_ID_OFFSET),(PCHAR)(i-PEB_OFFSET+EPROCESS_NAME_OFFSET));<br \/>\n}<br \/>\n\/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\nULONG ValidatePage(ULONG Addr)<br \/>\n{<br \/>\nULONG pte;<br \/>\nULONG pde;<\/p>\n<p>pde = 0xc0300000 + (Addr&gt;&gt;22)*4;<br \/>\nif((*(PULONG)pde &amp; 0x1) != 0)<br \/>\n{<br \/>\nif((*(PULONG)pde &amp; 0x80) != 0)<br \/>\n{<br \/>\nreturn VALID;<br \/>\n}<\/p>\n<p>pte = 0xc0000000 + (Addr&gt;&gt;12)*4;<br \/>\nif((*(PULONG)pte &amp; 0x1) != 0)<br \/>\n{<br \/>\nreturn VALID;<br \/>\n}<br \/>\nelse<br \/>\n{<br \/>\nreturn PTE_INVALID;<br \/>\n}<br \/>\n}<\/p>\n<p>return PDE_INVALID;<br \/>\n}<br \/>\n\/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\nBOOLEAN ValidateProcess(ULONG i)<br \/>\n{<br \/>\nNTSTATUS stAtus;<br \/>\nPUNICODE_STRING pUnicode;<br \/>\nUNICODE_STRING Process;<br 
\/>\nULONG pObjectType;<br \/>\nULONG pObjectTypeProcess;<\/p>\n<p>pObjectTypeProcess = *(PULONG)((ULONG)PsGetCurrentProcess()<br \/>\n-OBJECT_HEADER_SIZE +OBJECT_TYPE_OFFSET);<\/p>\n<p>if (ValidatePage(i-PEB_OFFSET) != VALID)<br \/>\n{<br \/>\nreturn FALSE;<br \/>\n}<\/p>\n<p>if (ValidatePage(i-PEB_OFFSET &#8211; OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET)<br \/>\n== VALID)<br \/>\n{<br \/>\npObjectType = *(PULONG)(i-PEB_OFFSET &#8211; OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET);<br \/>\n}<br \/>\nelse<br \/>\n{<br \/>\nreturn FALSE;<br \/>\n}<\/p>\n<p>if(pObjectTypeProcess == pObjectType)<br \/>\n{<br \/>\nreturn TRUE;<br \/>\n}<\/p>\n<p>return FALSE;<br \/>\n}<br \/>\n\/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4e4b\u524d\u5199\u4e86pspCidTable\u679a\u4e3e\u8fdb\u7a0b\uff0c\u6709\u670b\u53cbmail\u63d0\u5230\u4e86\u76f4\u63a5\u641c\u7d22\u5185\u5b58\u9ad8\u5730\u5740\u6765 &hellip;<\/p>\n<p class=\"read-more\"><a href=\"http:\/\/zerobox.org\/notes\/157.html\">\u7ee7\u7eed\u9605\u8bfb 
&raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[134],"class_list":["post-157","post","type-post","status-publish","format-standard","hentry","tag-134"],"views":965,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=157"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/157\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}