Today, it has brought Manticore ...
He cited the following source:
http://forum.sysinternals.com/uploads/Napalm/2006-04-20_211055_HandleList.zip
Well ...
Manticore: Well ... it's source for finding out the handles in the system.
Then I go to the source.
NtQuerySystemInformation ()
NtDuplicateHandle ()
NtQueryObject ()
Manticore: Use these functions to find the handles, and then find out information about each handle ~~
Oh I see ....
So good ...
So, using those functions ........
try to find out the handle information .....
It's a real game ...
This is a real game ....
Game room or game room games are going jinkka not games ...
That function is plotting a monster.
That monster eats ~~
The SP index (System Power) index would go up .... okay?
We're in a real game of our lives ....
Imjaehae revelation in Jesus as the Lord of the power of the Holy of Holies in the ark
Plotting to defeat this guy is the real thing ... ~~
Okay ...?
And they're coming along very well ~~ !!!
Today yigijago ~~ from the devil ....
What we are fighting, not the flesh and blood
I fight the devil are you ~~!
Now ....
Well ... uh ... Today
I'll explain how NtDuplicateHandle() works and why ...
Isn't it that the moment you click a program called a.exe, a process gets created ~~
So, what did I say?
Didn't I say that it creates an environment in which the process can execute?
In that environment, there's ...
there is ~~ a table, a table (Table) ~~ !! What table?
The handle ~~
Handle table
The handle table is given for each process
By whom? ~~~ Someone on the kernel side
That's why a handle value from another process's handle table can never be used as-is ...
So copy it -
By calling the NtDuplicateHandle() function,
you tell the kernel side ...
"please make this object handle usable for me" ~~~
So someone on the kernel side (I don't know who ~~~) assigns a new handle pointing at the object that handle refers to,
stores it in the handle table,
and passes back the index value into the handle table ~~
Do you understand?
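The per-process handle table described above, as an added example that is not part of the original post: a toy model in C of two processes each owning a table indexed by handle value, with a duplicate operation that does what the text says the kernel does for NtDuplicateHandle (resolve the handle in the source table, add a second reference to the same object in the target table, return the target-side index). The object, process and table types are constructed for this demonstration and are not the kernel's real structures.

```c
#include <stdio.h>
#include <stddef.h>

#define TABLE_SIZE 8

/* A kernel object (constructed stand-in): the refcount shows that a
 * duplicated handle is a second reference to the SAME object, not a copy. */
typedef struct {
    const char *name;
    int refcount;
} KernelObject;

/* A process with its private handle table. A handle value is just an
 * index into this table, so the same integer means different things
 * in different processes. */
typedef struct {
    const char *name;
    KernelObject *slots[TABLE_SIZE];
} Process;

/* Store an object reference in the first free slot and return the
 * handle value (the slot index), or -1 if the table is full. */
static int table_insert(Process *p, KernelObject *obj)
{
    int i;
    for (i = 0; i < TABLE_SIZE; i++) {
        if (p->slots[i] == NULL) {
            p->slots[i] = obj;
            obj->refcount++;
            return i;
        }
    }
    return -1;
}

/* Resolve a handle in the context of ONE process. Out-of-range or unused
 * slots yield NULL rather than some other process's object. */
static KernelObject *table_lookup(const Process *p, int handle)
{
    if (handle < 0 || handle >= TABLE_SIZE)
        return NULL;
    return p->slots[handle];
}

/* What the kernel does for a duplicate request: resolve the handle in the
 * source table, add an entry for the same object to the target table, and
 * return the target-side index. The source handle value itself is never
 * reused in the target. Returns -1 for an invalid source handle or a full
 * target table. */
static int duplicate_handle(const Process *src, int src_handle, Process *dst)
{
    KernelObject *obj = table_lookup(src, src_handle);
    if (obj == NULL)
        return -1;
    return table_insert(dst, obj);
}

/* Release one reference; the object stays alive while any table refers to it. */
static int close_handle(Process *p, int handle)
{
    KernelObject *obj = table_lookup(p, handle);
    if (obj == NULL)
        return -1;
    p->slots[handle] = NULL;
    obj->refcount--;
    return 0;
}

int main(void)
{
    /* Constructed sample: a file object owned by a.exe, an unrelated
     * object already occupying slot 0 in b.exe. */
    KernelObject file = { "\\Device\\HarddiskVolume1\\secret.txt", 0 };
    KernelObject junk = { "Event", 0 };
    Process a = { "a.exe", { NULL } };
    Process b = { "b.exe", { NULL } };
    int ha, hb;
    KernelObject *wrong;

    ha = table_insert(&a, &file);   /* handle 0 in a.exe */
    table_insert(&b, &junk);        /* b.exe already uses handle 0 */

    /* Reusing a.exe's handle value inside b.exe hits the wrong object. */
    wrong = table_lookup(&b, ha);
    printf("handle %d in %s -> %s\n", ha, b.name, wrong ? wrong->name : "(invalid)");

    hb = duplicate_handle(&a, ha, &b);
    printf("duplicated into %s as handle %d -> %s (refcount %d)\n",
           b.name, hb, table_lookup(&b, hb)->name, file.refcount);

    close_handle(&a, ha);
    printf("after a.exe closes: refcount %d, b.exe's handle still valid: %s\n",
           file.refcount, table_lookup(&b, hb) ? "yes" : "no");
    return 0;
}
```

The point to take from the model: a handle is only meaningful in the table it came from, and a duplicate is a new table entry in the target process, which is why the handle value you get back from the kernel can differ from the one you passed in.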
Well ....
In addition, the functions in NTDLL.DLL can't be called directly through the compiler ...
So, in order to use NTDLL.DLL functions in your program,
you have to tell the compiler the shape of the function and load the function yourself ~~!
Then you can figure out the address of the function
~~ and by using that address you store it in a function pointer!
I already explained the LoadLibrary() function and the GetProcAddress() function.
LoadLibrary() takes a path as input (Input) and gives back a memory address as output (Output).
That memory address is the address at which the module is loaded.
And the function uses that address.
If ntdll.dll is loaded at address 0x77a1000,
then what address does LoadLibrary() give you?
0x77a10000
Well ....
In other words ... LoadLibrary() simply returns the memory address at which the module is loaded!
And GetProcAddress() returns the address of the function ~~ !!
FARPROC WINAPI GetProcAddress(
    _In_ HMODULE hModule,
    _In_ LPCSTR  lpProcName
);
And if you use that function, you get the function's address into a function pointer ~~
How do you create a function pointer?
Write the return type, then in parentheses an asterisk and the pointer name, then the parameter types of the function ~~
Just do it like this.
It goes like this.
DWORD (*pMyFun)(INT nData);                                 /* declare a pointer with the function's shape */
pMyFun = (DWORD (*)(INT))GetProcAddress(hModule, "Test");   /* cast the FARPROC to that shape */
if (pMyFun == NULL) { /* "Test" is not exported: handle the error before calling through it */ }
That way you can use it with any DLL ~~ !!
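The LoadLibrary()/GetProcAddress()/function-pointer pattern described above, applied to one of the ntdll functions named earlier, as an added example that is not code from the original post. It resolves NtQuerySystemInformation by name, declares its full prototype including the NTAPI calling convention, and refuses to call through a NULL pointer. Only the `_WIN32` branch touches the real API; on other hosts the resolver is stubbed to report "not found" so the failure path still compiles and runs. The helper names `resolve_export`, `resolve_nt_query_system_information` and `call_nt_query_system_information` are this example's own.

```c
#include <stdio.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins so the same code compiles on non-Windows hosts (assumption for
 * this example): there is no ntdll here, so resolution always fails. */
typedef void *PVOID;
typedef unsigned long ULONG;
typedef ULONG *PULONG;
typedef long NTSTATUS;
#define NTAPI
#endif

/* Generic function pointer used as the "untyped" result of a lookup, so we
 * never convert between object pointers and function pointers. */
typedef void (*generic_fn_t)(void);

/* The full shape of NtQuerySystemInformation, including NTAPI (stdcall).
 * The cast below is only safe because this matches the real export: a wrong
 * argument list or calling convention is undefined behaviour and, on 32-bit
 * builds, corrupts the stack. */
typedef NTSTATUS (NTAPI *NtQuerySystemInformation_t)(
    int    SystemInformationClass,
    PVOID  SystemInformation,
    ULONG  SystemInformationLength,
    PULONG ReturnLength);

/* Resolve an export by name. Returns NULL when the module cannot be loaded
 * or the name is not exported, never a dangling or guessed address. */
static generic_fn_t resolve_export(const char *module, const char *export_name)
{
#ifdef _WIN32
    HMODULE h = LoadLibraryA(module);   /* ntdll is already mapped; this only bumps its refcount */
    if (h == NULL)
        return NULL;
    return (generic_fn_t)GetProcAddress(h, export_name);
#else
    (void)module;
    (void)export_name;
    return NULL;
#endif
}

/* The single place where the untyped pointer becomes the typed prototype. */
static NtQuerySystemInformation_t resolve_nt_query_system_information(const char *module)
{
    return (NtQuerySystemInformation_t)resolve_export(module, "NtQuerySystemInformation");
}

/* Call through the resolved pointer. Returns 0 and stores the NTSTATUS in
 * *status on success, or -1 (without touching *status) when the export could
 * not be resolved, so callers fail closed instead of calling NULL. */
static int call_nt_query_system_information(const char *module, int info_class,
                                            void *buffer, unsigned long length,
                                            unsigned long *returned, long *status)
{
    NtQuerySystemInformation_t fn = resolve_nt_query_system_information(module);
    if (fn == NULL)
        return -1;
    *status = (long)fn(info_class, (PVOID)buffer, (ULONG)length, (PULONG)returned);
    return 0;
}

int main(void)
{
    long status = 0;
    unsigned long ret_len = 0;
    /* Class 0 is SystemBasicInformation; with a zero-length buffer the call
     * only reports a status (for many classes also the required length). */
    int rc = call_nt_query_system_information("ntdll.dll", 0, NULL, 0, &ret_len, &status);
    if (rc != 0)
        printf("NtQuerySystemInformation is not available on this host\n");
    else
        printf("status 0x%08lx, reported length %lu\n", (unsigned long)status, ret_len);
    return 0;
}
```

Keeping the typedef next to the cast makes the prototype reviewable in one place, and routing every call through the wrapper guarantees the NULL check is never skipped.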