博客园-木桩的Blog-最新评论

博客园-木桩的Blog-最新评论http://www.cnblogs.com/bits/CommentsRSS.aspx慢慢整理自己的财富...zh-cnMon, 18 Jan 2010 06:05:18 GMTMon, 18 Jan 2010 06:05:18 GMTcnblogsRe:[原创]FreeBSD下千兆双口数据包捕获的性能分析(SMP Kernel)http://www.cnblogs.com/bits/archive/2010/08/19/1624550.html#1897019火星一号火星一号Thu, 19 Aug 2010 01:34:29 GMThttp://www.cnblogs.com/bits/archive/2010/08/19/1624550.html#1897019

火星一号 2010-08-19 09:34 发表评论

]]>Re:[原创] Ring3挂钩实现网址过滤、重定向——《另类挂钩-RING3数据包监视》应用http://www.cnblogs.com/bits/archive/2009/12/29/1598368.html#1736575阿呆sssssssssss阿呆sssssssssssTue, 29 Dec 2009 01:45:18 GMThttp://www.cnblogs.com/bits/archive/2009/12/29/1598368.html#1736575

阿呆sssssssssss 2009-12-29 09:45 发表评论

]]>Re:另类挂钩-RING3数据包监视（Delphi版）http://www.cnblogs.com/bits/archive/2009/12/28/1401024.html#1736213阿呆ssssssssss阿呆ssssssssssMon, 28 Dec 2009 12:42:18 GMThttp://www.cnblogs.com/bits/archive/2009/12/28/1401024.html#1736213

阿呆ssssssssss 2009-12-28 20:42 发表评论

]]>Re:[原创]FreeBSD下千兆双口数据包捕获的性能分析(SMP Kernel)http://www.cnblogs.com/bits/archive/2009/12/15/1624550.html#1724445木桩木桩Tue, 15 Dec 2009 05:18:05 GMThttp://www.cnblogs.com/bits/archive/2009/12/15/1624550.html#1724445

木桩 2009-12-15 13:18 发表评论

]]>Re:另类挂钩-RING3数据包监视（Delphi版）http://www.cnblogs.com/bits/archive/2009/11/16/1401024.html#1698905博雅z博雅zSun, 15 Nov 2009 16:39:36 GMThttp://www.cnblogs.com/bits/archive/2009/11/16/1401024.html#1698905

博雅z 2009-11-16 00:39 发表评论

]]>Re:怀念一下这些经常不记得的Delphi代码...http://www.cnblogs.com/bits/archive/2009/09/11/1404220.html#1643765LenicLenicFri, 11 Sep 2009 08:44:12 GMThttp://www.cnblogs.com/bits/archive/2009/09/11/1404220.html#1643765

Lenic 2009-09-11 16:44 发表评论

]]>Re:怀念一下这些经常不记得的Delphi代码...http://www.cnblogs.com/bits/archive/2009/09/03/1404220.html#1634557木桩木桩Thu, 03 Sep 2009 05:43:30 GMThttp://www.cnblogs.com/bits/archive/2009/09/03/1404220.html#1634557

木桩 2009-09-03 13:43 发表评论

]]>Re:怀念一下这些经常不记得的Delphi代码...http://www.cnblogs.com/bits/archive/2009/09/02/1404220.html#1633593QQ5555044QQ5555044Wed, 02 Sep 2009 08:22:43 GMThttp://www.cnblogs.com/bits/archive/2009/09/02/1404220.html#1633593

QQ5555044 2009-09-02 16:22 发表评论

]]>Re:编译 JWSCL(JEDI Windows Security Code Lib) 的方法（rev316）http://www.cnblogs.com/bits/archive/2009/08/31/1553892.html#1630567木桩木桩Mon, 31 Aug 2009 01:23:27 GMThttp://www.cnblogs.com/bits/archive/2009/08/31/1553892.html#1630567

木桩 2009-08-31 09:23 发表评论

]]>Re:[原创]把syslog接收的远程日志从/var/log/messages中分开http://www.cnblogs.com/bits/archive/2009/08/26/1407075.html#1626420qr_compaqqr_compaqWed, 26 Aug 2009 10:17:01 GMThttp://www.cnblogs.com/bits/archive/2009/08/26/1407075.html#1626420

qr_compaq 2009-08-26 18:17 发表评论

]]>Re:[原创]把syslog接收的远程日志从/var/log/messages中分开http://www.cnblogs.com/bits/archive/2009/08/26/1407075.html#1626403bbvbvbbbvbvbWed, 26 Aug 2009 10:01:52 GMThttp://www.cnblogs.com/bits/archive/2009/08/26/1407075.html#1626403

bbvbvb 2009-08-26 18:01 发表评论

]]>Re:一个开Telnet服务的脚本的分析（原来是这么给防火墙开洞的）http://www.cnblogs.com/bits/archive/2009/08/10/1414292.html#1610668？？？sdsada？？？sdsadaMon, 10 Aug 2009 08:36:43 GMThttp://www.cnblogs.com/bits/archive/2009/08/10/1414292.html#1610668

？？？sdsada 2009-08-10 16:36 发表评论

]]>re: 另类挂钩-RING3数据包监视（Delphi版）http://www.cnblogs.com/bits/archive/2009/04/17/1401024.html#1505315chjunkaichjunkaiFri, 17 Apr 2009 01:50:12 GMThttp://www.cnblogs.com/bits/archive/2009/04/17/1401024.html#1505315

chjunkai 2009-04-17 09:50 发表评论

]]>re: 另类挂钩-RING3数据包监视（Delphi版）http://www.cnblogs.com/bits/archive/2009/04/17/1401024.html#1505191木桩木桩Thu, 16 Apr 2009 16:00:12 GMThttp://www.cnblogs.com/bits/archive/2009/04/17/1401024.html#1505191这个代码是MJ0011的，原来的C语言版就没有提供卸载函数。不过从SuperHookDeviceIoControl()的挂钩过程可以大致看出还原方法：
uNtDeviceIoControl.pas:281

  OutputDebugString(PChar(Format('[HOOK] Lock "%s" for HOOK.', [StrPas(func_name)])));
  //
  // 如果是，那么记录原始函数地址
  // HOOK我们的函数地址
  //
  // 序号   RVA   偏移  Name
  //   9A  D8E3  CCE3  NtDeviceIoControlFile
  myaddr := DWORD(@MyNtDeviceIoControlFile);
  lpAddr := Pointer(hMod + ImportDescriptor^.FirstThunk + DWORD(iNum-1)*4);
  OldNtDeviceIoControl := PDWORD(lpAddr)^;

  OutputDebugString(PChar(Format('[HOOK] Base=%0.8X, Thunk=%0.8X, ID=%X', [hMod, ImportDescriptor^.FirstThunk, iNum-1])));
  OutputDebugString(PChar(Format('[HOOK] Orign[0x%0.8X]=0x%0.8X, new Addr=0x%0.8X', [DWORD(lpAddr), PDWORD(lpAddr)^, myaddr])));

  WriteProcessMemory(GetCurrentProcess(), lpAddr, @myaddr, 4, btw);

卸载时将WriteProcessMemory修改的4个字节给还原就行了，也就是把 OldNtDeviceIoControl 中保存的原始函数地址写回去。

木桩 2009-04-17 00:00 发表评论

]]>re: 另类挂钩-RING3数据包监视（Delphi版）http://www.cnblogs.com/bits/archive/2009/04/16/1401024.html#1504966chjunkaichjunkaiThu, 16 Apr 2009 09:25:23 GMThttp://www.cnblogs.com/bits/archive/2009/04/16/1401024.html#1504966

chjunkai 2009-04-16 17:25 发表评论

]]>