#include <iostream> using namespace std; class A { public: int a; friend ostream& operator<<(ostream& os, A); }; //友元函数定义在外部 不在某个类的作用域内 //ostream& A::operator<<(ostream& os, A A) ostream& operator<<(ostream& os, A A) { cout << A.a << endl; return cout; } int main() { A a{}; cout << a; return 0; }

#include<ntifs.h> #include<ntddk.h> #include<wdm.h> #include<intrin.h> #include "ia32.hpp" template<typename... types> void print(types... args) { DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL, args...); } void unload(PDRIVER_OBJECT DriverUnload) { return; } extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg) { drv->DriverUnload = unload; cpuid_eax_01 eax; __cpuid(reinterpret_cast<int*>(&eax), 1); if (eax.cpuid_feature_information_ecx.reserved2) { print("[+] 存在虚拟机监控程序\n"); int t[4]; __cpuid(t, 0x40000001); //管理程序接口标识 print("[+] cpuid…

#include<ntifs.h> #include<ntddk.h> #include<wdm.h> #include<intrin.h> //#include "ia32.hpp" template<typename... types> void print(types... args) { DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL, args...); } void unload(PDRIVER_OBJECT DriverUnload) { return; } extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg) { drv->DriverUnload = unload; __try { __readmsr(0x400000F0); print("[+] 没有异常\n"); } __except (1) { print("[+] 发生异常\n"); } return STATUS_SUCCESS; }

利用宏解决这个问题 #define DbgPrint(...) DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL,__VA_ARGS__)

#include<ntifs.h> #include<ntddk.h> #include<wdm.h> template<typename... types> void print(types... args) { DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL, args...); } void unload(PDRIVER_OBJECT DriverUnload) { return; } extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg) { drv->DriverUnload = unload; HANDLE FileHandle; OBJECT_ATTRIBUTES oa1; UNICODE_STRING path1 = RTL_CONSTANT_STRING(L"\\??\\C:\\Users\\123\\Desktop\\KmdManager.exe"); UNICODE_STRING path2 = RTL_CONSTANT_STRING(L"\\Device\\HarddiskVolume2\\Users\\123\\Desktop\\KmdManager.exe"); UNICODE_STRING path3 = RTL_CONSTANT_STRING(L"C:\\Users\\123\\Desktop\\KmdManager…

#include "plugin.h" #include <string> using namespace std; const char* EmotetCmd = "Emotet"; //Emotet 1234 static bool cbEmotetDumpIAT(int argc, char* argv[]) { //dprintf("[++++]argc count is %d\n", argc); //dputs(argv[0]); if (argc < 2) return false; //需要import_api_address_table的基地址 //解析基地址 string full_cmd = argv[0]; auto blank_pos = full_cmd.find(' '); if (blank_pos == string::npos) return false; string base = full_cmd.substr(blank_pos + 1); auto ullbase = stoull(base, nullptr, 16); dprintf("[++++]import_api_address_table base : 0x%p\n…

.text:FFFFF802560B274B mov ecx, 8664h //64位一般是这个,32位一般是0x14C .text:FFFFF802560B2750 cmp cx, [rax+_IMAGE_NT_HEADERS64.FileHeader.Machine] .text:FFFFF802560B2754 jz short loc_FFFFF802560B2767 .text:FFFFF802560B2756 mov ecx, 200h .text:FFFFF802560B275B cmp cx, [rax+_IMAGE_NT_HEADERS64.FileHeader.Machine] .text:FFFFF802560B275F jz short loc_FFFFF802560B2767 .text:FFFFF802560B2761 add rax, 78h ; 'x' .text:FFFFF802560B2765 jmp short loc_FFFFF802560B276D .text:FFFFF802560B2767 ; --------------------------------------------------------------------------- .text:FFFFF802560B2767 .text:FFFFF802560B2767 loc_FFFFF802560B2767: ; CODE XREF: sub_FFFFF802560B270C+48↑j .text:FFFFF802560B2767 ; sub_FFFFF802560B270C+53↑j .text:FFFFF802560B2767 add rax, 88h

#include<ntifs.h> #include<ntddk.h> #include<wdm.h> #include<intrin.h> #include"slist.h" namespace dbg { template<typename... types> void print(types... args) { DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL, args...); } __inline void dbgbreak() { if (*KdDebuggerNotPresent) print("breakpoint trigger\n"); else DbgBreakPoint(); } } // //nonpaged pool 16byte align // #pragma(pack,16) LOOKASIDE_LIST_EX lalist{}; struct test { SLIST_ENTRY et; int a; int b; int c; }; void unload(PDRIVER_OBJECT DriverObject) { return; } extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath) { NTSTATUS Status = STATUS_SUCCESS; int t1 = 0…

/*++ 1: kd> dt _FLT_VOLUME FFFFAC07058A8010 FLTMGR!_FLT_VOLUME +0x000 Base : _FLT_OBJECT +0x030 Flags : 0x1e5 (No matching name) +0x034 FileSystemType : d ( FLT_FSTYPE_MUP ) +0x038 DeviceObject : 0xffffac07`05978860 _DEVICE_OBJECT +0x040 DiskDeviceObject : (null) +0x048 FrameZeroVolume : 0xffffac07`058a8010 _FLT_VOLUME +0x050 VolumeInNextFrame : (null) +0x058 Frame : 0xffffac07`059c3470 _FLTP_FRAME +0x060 DeviceName : _UNICODE_STRING "\Device\Mup" +0x070 GuidName : _UNICODE_STRING "" +0x080 CDODeviceName : _UNICODE_STRING "\Device\Mup" +0x090 CDODriverName : _UNICODE_STRING "\FileSystem\Mup" +0x0a0 InstanceList : _FLT_RESOURCE_LIST_HEAD +0x120 Callbacks : _CALLBACK_CTRL +0x508 ContextLock : _EX_PUSH_LOCK +0x510 VolumeContexts : _CONTEXT_LIST_CTRL +0x518 StreamListCtrls : _FLT_RESOURCE_LIST_HEAD +0x598…

#include<ntifs.h> #include<ntddk.h> #include<wdm.h> template<typename... types> void print(types... args) { DbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL, args...); } extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg) { return STATUS_SUCCESS; }

#include <iostream> #include <memory> #include <assert.h> using namespace std; struct fa { virtual void f() { cout << "fa:f" << endl; } }; struct so :public fa { virtual void f() { cout << "son:f" << endl; fa::f();} }; struct thr { virtual void f() { cout << "thr:f" << endl; } }; typedef const struct _s_RTTICompleteObjectLocator { unsigned long signature; unsigned long offset; unsigned long cdOffset; int pTypeDescriptor; // Image relative offset of TypeDescriptor int pClassDescriptor; // Image relative offset of _RTTIClassHierarchyDescriptor int pSelf; // Image relative offset of this object } _RTTICompleteObjectLocator; int main() { so a…

#include "general.h" void ConsoleBase(enum ConsoleColor color, const char* prefix, const char* text, va_list args) { const HANDLE consoleHandle = GetStdHandle(STD_OUTPUT_HANDLE); SetConsoleTextAttribute(consoleHandle, White); printf("["); SetConsoleTextAttribute(consoleHandle, color); printf("%s", prefix); SetConsoleTextAttribute(consoleHandle, White); printf("] "); SetConsoleTextAttribute(consoleHandle, DarkWhite); vprintf(text, args); printf("\n"); } void ConsoleInfo(const char* text, ...) { va_list args; va_start(args, text); ConsoleBase(Cyan, "i", text, args); va_end(args); } void ConsoleWarning(const char* text, ...) { va_list args; va_start(args, text); ConsoleBase(Yellow, "w", text, args); va_end(args); } void ConsoleError(const char* text, ...) { va_list args; va_start(args, text); ConsoleBase…

0: kd> !idt Dumping IDT: fffff80727868000 00: fffff8072565fd00 nt!KiDivideErrorFault 除0异常 01: fffff80725660000 nt!KiDebugTrapOrFault 硬件断点或者硬件读写访问断点 02: fffff807256604c0 nt!KiNmiInterrupt Nmi异常 03: fffff80725660980 nt!KiBreakpointTrap 软件断点 04: fffff80725660c80 nt!KiOverflowTrap 移除 05: fffff80725660f80 nt!KiBoundFault 边界检查 06: fffff80725661480 nt!KiInvalidOpcodeFault 不合法指令 07: fffff80725661940 nt!KiNpxNotAvailableFault 08: fffff80725661c00 nt!KiDoubleFaultAbort 双重异常 09: fffff80725661ec0 nt!KiNpxSegmentOverrunAbort 0a: fffff80725662180 nt!KiInvalidTssFault 0b: fffff80725662440 nt!KiSegmentNotPresentFault 0c: fffff807256627c0 nt!KiStackFault 0d: fffff80725662b00 nt!KiGeneralProtectionFault #GP 0e: fffff80725662e40 nt!KiPageFault 页错误 10: fffff80725663480 nt!KiFloatingErrorFault 11: fffff80725663800 nt!KiAlignmentFault 对齐…

1: kd> dps HalPrivateDispatchTable l100 fffff802`dc9234f0 fffff807`258a38e0 nt!HalPrivateDispatchTable fffff802`dc9234f8 fffff807`25cc57f0 nt!IoAssignResources fffff802`dc923500 fffff807`25b91740 nt!IoSetDevicePropertyData fffff802`dc923508 fffff807`256126e0 nt!KeIpiGenericCall fffff802`dc923510 fffff807`25520aa0 nt!RtlNumberOfSetBitsUlongPtr fffff802`dc923518 fffff807`254aa740 nt!MmMapIoSpaceEx fffff802`dc923520 fffff807`256303d0 nt!_C_specific_handler fffff802`dc923528 fffff807`25a75390 nt!PsCreateSystemThread fffff802`dc923530 fffff807`25ac0f20 nt!ObReferenceObjectByHandle fffff802`dc923538 fffff807`25b96130 nt!EtwSetInformation fffff802`dc923540 fffff807`2553d2c0 nt!IoGetAttachedDeviceReference fffff802`dc923548 fffff807`25a51750 nt!IoBuildSynchronousFsdRequest fffff802`dc923550 fffff807`2558f460 nt!IoBuildDeviceIoControlRequest fffff802`dc923558 fffff807`25652000 nt!ZwQueryValueKey fffff802`dc923560 fffff807`256378d0 nt!memcpy_s fffff802…

#include <iostream> //c++17 #include<filesystem> using namespace std; /* 这个filesystem基本是在msvc下测试 g++此时还把filesystem放在expermental里，cppref上的测试代码也报错，无语 */ int main() { //https://en.cppreference.com/w/cpp/filesystem/path // //在windows上，理论上是使用反斜杠的，但是其实也会帮你转化正斜杠 // //获得当前程序所在目录 // filesystem::path current_path("./"); filesystem::path canonical_path; //获得绝对路径 //"C:\\Users\\sbb\\source\\repos\\c++io\\c++io17" cout << (canonical_path = filesystem::canonical(current_path)) << '\n…

main.cpp #define _CRT_SECURE_NO_WARNINGS #include <iostream> #include <filesystem> #include "xtils.hpp" int __cdecl main(int argc, const char** argv) { auto utils = xtils::um_t::get_instance(); const auto explorer_pid = utils->get_pid(L"explorer.exe"); const auto explorer_module_base = utils->get_process_base(utils->get_handle(explorer_pid).get()); std::printf("> explorer pid = 0x%x, module base = 0x%p\n", explorer_pid, explorer_module_base); std::map<std::wstring, std::uintptr_t> modules; if (!utils->get_modules(explorer_pid…

此问题导致pre op或者post op不被调用 0: kd> !fltkd.filters Filter List: ffffb9016d9430c0 "Frame 0" //问题所在，高度值不对，inf文件中改成适当的altitude就可以了 FLT_FILTER: ffffb90171ce0010 "replace" "_TODO_Change_Altitude_appropriately_" FLT_FILTER: ffffb9016cec29a0 "storqosflt" "244000" FLT_FILTER: ffffb901712ef010 "wcifs" "189900" FLT_INSTANCE: ffffb9016cf25010 "wcifs Instance" "189900" FLT_FILTER: ffffb9016ddec270 "CldFlt" "180451" FLT_FILTER: ffffb9016ceb5050 "FileCrypt" "141100" FLT_FILTER: ffffb9016cee8010 "luafv" "135000" FLT_INSTANCE: ffffb9016ceef010 "luafv" "135000" FLT_FILTER: ffffb9016d4c1350 "npsvctrig" "46000" FLT_INSTANCE: ffffb9016daadc90 "npsvctrig" "46000" FLT_FILTER: ffffb9016d9a4220 "Wof" "40700" FLT_INSTANCE: ffffb9016da048a0 "Wof Instance…

@B向上找最近的@@ @F向下找最近的@@ 汇编程序如果太长了的话标号太多写的累看的也累。这时候可以采用，看win内核源码的时候学到的。应该只适用于微软的masm。

这个网上资料很多，挑选个熟悉的url。 https://blog.csdn.net/qq_21000273/article/details/52027708

.hh 打开windbg的帮助文档 Symbol path https://www.csdn.net/tags/OtTaYgysNDMzNTUtYmxvZwO0O0OO0O0O.html ，讲的很全面。 打印出指定结构中的指定字段 dt 结构 -a 指定字段名 例： 0: kd> dt _KPRCB fffff8072db5d180 -a KernelDirectoryTableBase nt!_KPRCB +0x6e80 KernelDirectoryTableBase : 0x80000000`001aa002 直接 [dt 结构 字段名 地址] 就行了 获得当前cpu core的kprcb 和 kpcr !prcb !pcr 获得指定进程名的一些信息 !process 0 0 进程名 挂靠某个进程 .process /i 指定进程的eprocess 加载某个模块的符号 .reload /f C:\Windows\System32\drivers\ndis.sys 显示某个…