December 2016 Archive
Summary: http://blogs.msdn.com/b/ntdebugging/archive/2010/04/14/understanding-pte-part2-flags-and-large-pages.aspx Hello, it's Ryan Mangipano with part two of my PTE series. Today I'll discuss PDE/PTE flags, t...
Summary: http://blogs.msdn.com/b/ntdebugging/archive/2010/06/22/part-3-understanding-pte-non-pae-and-x64.aspx Hello, Ryan Mangipano (ryanman) again with part three of my series on understanding the output of th...
Summary: I had previously wanted to look up by hand the physical address corresponding to a linear address, in order to better understand the operating system's paging mechanism, but the value of cr3 never matched the value in the EPROCESS of the specified process. For details see my notes [Original] Linear-address-to-physical-address translation. Today it suddenly dawned on me, remembering what Teacher Zhang had said about CR3: the operating system only updates CR3 when it switches processes, and when we use .process /p
Summary: http://blogs.msdn.com/b/ntdebugging/archive/2010/02/05/understanding-pte-part-1-let-s-get-physical.aspx Hello. It's Ryan Mangipano again (Ryanman). To
Summary: References: [Repost] Part 1: Understanding !PTE, Part 1: Let's get physical; [Repost] Part 2: Understanding !PTE, Part 2: Flags and Large Pages; [Repost] Part 3: Understanding !PTE
Summary: Tags: original, debugging, debug, windbg, crash, COM. Preface: This is a crash I ran into in a project a few years ago. It crashed inside ComFriendlyWaitMtaThreadProc(), for which there was no source code. It cost me a great deal of effort; in the end I worked out the whole story by disassembling and combining that with the original code. The analysis in this article is still based on the real project, with much of the disassembly work omitted. At the end of the article is the test code I put together, so you can experience for yourself how TerminateThread() kills...
Summary: C++ code (the overall logic is fine; details need to be confirmed) DWORD __stdcall *ComFriendlyWaitMtaThreadProc(LPVOID lpThreadParameter) { CoInitializeEx(0,0); ThreadParam* pParam =(ThreadParam
Summary: struct ThreadParam { unsigned int p1; // +00h ebp-24h unsigned int p2; // +04h ebp-20h unsigned int cookie; // +08h ebp-1Ch LPSTREAM xxx; // +0Ch ebp-18h HAND