System version: Win10 18362.30 (1903 Pro). (According to the issues, this seems to be the highest system version currently supported.)
I downloaded the latest source directly, compiled it, and dropped it into a VM to test.
After running Shark it reported success and loaded successfully.
I wrote a test inline hook on NtOpenProcess myself; it worked fine at first, but after a while (5-10 minutes?) it blue-screened with code 109 (PG). The driver contains only this one test hook and no other functionality.
```c
#include <ntifs.h>

/* Signature of the original NtOpenProcess, used to call through to it. */
typedef NTSTATUS (NTAPI *fn_NtOpenProcess)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);

/* ori_NtOpenProcess (trampoline to the original) and mydbg() are defined elsewhere in the reporter's driver. */
extern PVOID ori_NtOpenProcess;

NTSTATUS NTAPI Hooked_NtOpenProcess(
    PHANDLE ProcessHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PCLIENT_ID ClientId
    )
{
    mydbg("use here \r\n"); // prints normally
    return ((fn_NtOpenProcess)ori_NtOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
```
```text
reload /i Shark.sys=FFFF858BBA535000 < FFFF858BBA535000 - 00020000 >
[SHARK] < 00000000000047BA > BuildNumber
[SHARK] < FFFF858BBAA7C380 > PsInitialSystemProcess
[SHARK] < 0000000000000002 > NumberProcessors
[SHARK] < FFFFF80405AECC80 > KeEnterCriticalRegion
[SHARK] < FFFFF80405AE78F0 > KeLeaveCriticalRegion
[SHARK] < FFFFF80405AEDDF0 > ExAcquireSpinLockShared
[SHARK] < FFFFF80405BC1760 > ExReleaseSpinLockShared
[SHARK] < FFFFF80405BDDF30 > DbgPrint
[SHARK] < FFFFF80405AE94A0 > KeWaitForSingleObject
[SHARK] < FFFFF80405C7DE00 > RtlCompareMemory
[SHARK] < FFFFF80405C7D9D0 > RtlRestoreContext
[SHARK] < FFFFF80405B69060 > ExQueueWorkItem
[SHARK] < FFFFF80405E230A0 > ExFreePoolWithTag
[SHARK] < FFFFF80405C75810 > KeBugCheckEx
[SHARK] < FFFFF80405BC8790 > ExInterlockedRemoveHeadList
[SHARK] < FFFFF80405BBBE30 > ExAcquireRundownProtection
[SHARK] < FFFFF80405BC3D50 > ExReleaseRundownProtection
[SHARK] < FFFFF80405B0D550 > ExWaitForRundownProtectionRelease
[SHARK] < FFFF858BBA5515C0 > Block
[SHARK] < 00000000000000C0 > SizeCmpAppendDllSection
[SHARK] < 0000000000000001 > BtcEnable
[SHARK] < FFFF858BBA551F48 > OriginalCmpAppendDllSection
[SHARK] < 00000000000007E8 > OffsetEntryPoint
[SHARK] < 0000000000019000 > SizeINITKDBG
[SHARK] < FFFF858BBA555000 > INITKDBG
[SHARK] < FFFFF80405E230A0 > ntoskrnl.exe!ExGetPreviousMode
[SHARK] < FFFFF804060E29E0 > ntoskrnl.exe!ObDereferenceSecurityDescriptor + 140
[SHARK] < FFFFF80405B69060 > ntoskrnl.exe!ExReInitializeRundownProtectionCacheAware
[SHARK] < FFFFF80405AE52A0 > ntoskrnl.exe!ExReleaseSpinLockSharedFromDpcLevel
[SHARK] < FFFFF80405BB9E90 > MmAllocateIndependentPages
[SHARK] < FFFFF80405BD34A0 > MmFreeIndependentPages
[SHARK] < FFFFF80405BE58F0 > MmSetPageProtection
[SHARK] < FFFFC44E00E74D20 > test independent page < FFFF9C01CE9A4000 - 00001000 >
[SHARK] < FFFFF80405C5E770 > KiScbQueueScanWorker
[SHARK] < FFFFF80405C5E7C0 > KiScbQueueScanWorker end
[SHARK] < FFFFF8040603F010 > PsInvertedFunctionTable
[SHARK] < 0000000059006860 > BranchKey[10]
[SHARK] < 00000000E0006CF1 > BranchKey[0]
[SHARK] < 0000000020006B15 > BranchKey[1]
[SHARK] < 0000000060006938 > BranchKey[2]
[SHARK] < 00000000160068D0 > BranchKey[3]
[SHARK] < 000000007E006894 > BranchKey[4]
[SHARK] < 0000000000007730 > BranchKey[5]
[SHARK] < 0000000000000000 > BranchKey[6]
[SHARK] < 0000000080007376 > BranchKey[7]
[SHARK] < 00000000280069EB > BranchKey[8]
[SHARK] < 0000000000006FBD > BranchKey[9]
[SHARK] < 0000000000095486 > BranchKey[11]
[SHARK] < FFFFF80405C7CD3E > KiStartSystemThread
[SHARK] < FFFFF80405BE98D0 > PspSystemThreadStartup
[SHARK] < FFFFF804060286F8 > KiWaitNever
[SHARK] < FFFFF804060288E0 > KiWaitAlways
[SHARK] < FFFFF80405D7B310 > MmIsNonPagedSystemAddressValid
[SHARK] < FFFFF80405EE5410 > PoolBigPageTable
[SHARK] < FFFFF80405EE7C28 > PoolBigPageTableSize
[SHARK] < 0000000000E95000 > NumberOfPtes
[SHARK] < FFFFC44E00000000 > BasePte
[SHARK] < FFFFF80405D7B2F0 > MmIsAddressValid
[SHARK] < FFFFF80405B70450 > RtlLookupFunctionEntry
[SHARK] < FFFFF80405BEEB20 > RtlVirtualUnwind
[SHARK] < FFFFF80405B69060 > ExQueueWorkItem
[SHARK] < FFFF858BBA547B10 > CaptureContext
[SHARK] < FFFF858BBA53D0B0 > FreeWorker
[SHARK] < FFFF858BBA53AEA0 > ClearCallback
[SHARK] < 00000000000006E4 > OffsetSameThreadPassive
[SHARK] < 0000000000000001 > BigPool < FFFF858BBC010000 - 00008000 >
[SHARK] < 0000000000000001 > scan < FFFF858BBA555000 - 00019000 > < CCCCCCCCCCCCCCCC, CCCCCCCCCCCCCCCC, 56535508244C8948, 4156415541544157...>
[SHARK] < 0000000000000001 > SystemPtes < FFFFC44E00000000 - FFFFC44E074A8000 >
[SHARK] < FFFF858BBA534000 > shark load success
```

dump: 022823-13078-01.zip
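As an added example (not part of the issue or the Shark project): a small triage parser for the `[SHARK]` load log above. It extracts the `< value > name` entries and `< start - end >` ranges, buckets each address by whether it lies inside the Shark.sys image, checks that `BuildNumber` matches the reported OS build, verifies that `BasePte + NumberOfPtes * 8` equals the end of the `SystemPtes` range, and lists names that resolved to the same kernel address. The sample log is a constructed subset of the issue's own lines.

```python
import re

# Constructed sample in the shape of the [SHARK] log from the issue (a subset of its lines).
SAMPLE_LOG = """reload /i Shark.sys=FFFF858BBA535000 < FFFF858BBA535000 - 00020000 >
[SHARK] < 00000000000047BA > BuildNumber
[SHARK] < FFFFF80405B69060 > ExQueueWorkItem
[SHARK] < FFFFF80405E230A0 > ExFreePoolWithTag
[SHARK] < FFFFF80405E230A0 > ntoskrnl.exe!ExGetPreviousMode
[SHARK] < FFFF858BBA547B10 > CaptureContext
[SHARK] < 0000000000E95000 > NumberOfPtes
[SHARK] < FFFFC44E00000000 > BasePte
[SHARK] < 0000000000000001 > SystemPtes < FFFFC44E00000000 - FFFFC44E074A8000 >
[SHARK] < FFFF858BBA534000 > shark load success
"""
MODULE_RE = re.compile(r"^reload /i (\S+)=[0-9A-F]+ < ([0-9A-F]+) - ([0-9A-F]+) >")
ENTRY_RE = re.compile(r"^\[SHARK\] < ([0-9A-F]+) > ([^<]+)\s*(?:< ([0-9A-F]+) - ([0-9A-F]+) >)?")
KERNEL_VA = 0xFFFF800000000000  # lowest canonical x64 kernel-half address

def parse_log(text):
    """Return (module, entries): module = (name, base, size); entries = name -> (value, range|None)."""
    module, entries = None, {}
    for line in text.splitlines():
        if m := MODULE_RE.match(line):
            module = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
        elif e := ENTRY_RE.match(line):
            rng = (int(e.group(3), 16), int(e.group(4), 16)) if e.group(3) else None
            entries[e.group(2).strip()] = (int(e.group(1), 16), rng)
    return module, entries

def classify(module, entries):
    """Bucket each entry: inside the driver image, some other kernel VA, or a plain scalar."""
    _, base, size = module
    def bucket(v):
        return "image" if base <= v < base + size else "kernel_va" if v >= KERNEL_VA else "scalar"
    return {name: bucket(value) for name, (value, _) in entries.items()}

def aliases(entries):
    """Kernel addresses that more than one name resolved to (the issue's log shows such pairs)."""
    by_addr = {}
    for name, (value, _) in entries.items():
        if value >= KERNEL_VA:
            by_addr.setdefault(value, []).append(name)
    return {a: names for a, names in by_addr.items() if len(names) > 1}

def system_ptes_consistent(entries):
    """BasePte + NumberOfPtes * 8 must equal the end of the SystemPtes range (x64 PTEs are 8 bytes)."""
    base, count = entries["BasePte"][0], entries["NumberOfPtes"][0]
    start, end = entries["SystemPtes"][1]
    return start == base and end == base + count * 8
```

On the full log from the issue, `BuildNumber` 0x47BA decodes to 18362, matching the reported Win10 1903 build, and the `SystemPtes` range checks out against `BasePte` and `NumberOfPtes`.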