/*********************************************************************************************
ر𾯸棺ǰѾ˾ɰ汾WIN64AST°汾ܻ
*********************************************************************************************/


˵
==================
ܲ鿴64λWINDOWSϵͳĸںϢֹɱԡںоȡ
˼ǣײȣ˰ȫԭܵʧˡ



========
1./ڴ/߳/ģ//ڹ
2.ںģ鿴
3.Ӳ鿴ͽֹ
4.鿴/ָSSDTShadow SSDT
5.ɨ/ָRING3RING0
6.鿴ɾϢ
7.鿴/ָҪַ
8.鿴/ָں˶̹
9.öٸͨͻص
10.öI/Oʱ
11.öDPCʱ
12.öMiniFilter/ʧЧMiniFilterĻص
13.ö/ժ
14.鿴//ָ/Զ޸¼(MBR)
15.Ϊӣ/߳//޸ע/Ķļϵͳ//޸ʱ䣩
16.ںڴ༭
17.öļǿ½//ɾ/ƻļ
18.öעǿɾ/½/ע(KEY)עֵ(VALUE)
19.ֹ/ֹļ/ֹע(KEY)עֵ(VALUE)/ֹ
20.Уļǩ
21.ö/ָж
22.öȫ
23.ʾĴֵ
24.̵IATӺEAT
25.鿴//ָ/Զ޸¼(VBR)
26.ǽ
27.ö/ɾSPIBHOIEҼ˵WFP CALLOUT
28.DLL/
29.̬/رLKDں˵ԣDSEǩǿƣ棺˹ܻᴥPatchGuardޡں˿Աʹá
30.һЩȤġܡ棺֡Ȥġܽ޸ûʹã



========
1.ֵ֧ϵͳWin7x64/Win2008R2/Win8x64/Win2012/Win8.1x64/Win2012R27600/7601/9200/9600
2.п⣺Win7x64Win2008R2ҪװMicrosoft .NET Framework 4УWIN8/WIN8.1/WIN2012/WIN2012R2ãٷصַhttp://www.microsoft.com/zh-cn/download/details.aspx?id=17718
3.ҪԱȨޣWin64AST.exeҼѡԹԱС
4.ʱʹáΪܣƼĺCPU8GBϵڴ


ʼ
========
1.вޡ
2.һʱǿҽȴ򿪡áѡҪķļ


Ϣ
========
QQȺ173718777
ߣTesla.Angela
°أhttp://win64ast.m5home.com
BUG/tesla.angela@qq.com
𣨲ϸ£http://m5home.blog.163.com/blog/static/209122181201210137024457


Ŀǰ֪
==============
1.ĳЩõ͵ĻϿܻῨҲԵûAMD X2 245 + 2GB DDR2
2.ڴй©ҵҵƷʱûʱ⣩


ʷ
========
2015-01-011.10[BETA2]
1.ϵͳû̬HOOKɨ費ȫ
2.ں̬INLINE HOOKɨ費ȫ
3.ɨں̬EAT/IAT HOOKĹ
4.ɨȫǩDLLĹ
5.ǿļƻܣִֶ֧ͲӴ󲿷HOOK
6.ʾIRPַϢ
7.ʾOBJECT͵Ϣ
8.ǿǩDLL/SYSܣ֧CALL룩
9.ͻWIN7/8/8.1X64PATCHGUARDĹ
10.ӸǽĹ˿ڡĿ¼[ԽֹĿ¼µĳ]
11.ָơΪ
12.һЩСĸĽ
һЩȤġܣɷڵؽ̡ļע޸Ľ/DLL·޸·
ע֡ȤġܽԸûţ蹺ֱϵQQ(1923208126)Ѱҳ

2014-06-151.10[BETA1]
1.[+]дUIӿٶȡ޸ڶܵBUGرлٴBUG
2.[+]öWFP CALLOUTWFP Driver
3.[+]鿴IRPַ
4.[+]Զ̬WIN8/8.1LKD֧
5.[+]ϵͳĿ飨ĿǰֻIFEOԺӣ
6.[-]ȡؽ̹ܣǽعߣȡĽ棨˿ʱ޲޵ľϣ

2014-02-221.04[ȶ]
1.鿴
2.ϵͳؼλ
3.λںģ鵽Ӧע
4.öںģʱɨ
5.ȫֹֽ
6.ֹдMBR
7.ǿԱܡеأֱӼǩ
8.MINIFILTER˺ʱܵBUG
9.ע༭һBUG
10.ö/ɾĿ¼ʱBUG
11.ΪлȡעϢȷBUG
12.ĳЩϡǿƹػõBUG

2013-11-291.03B[ʽ]
1.ط
2.ϵͳʱı
3.//ָVBR
4.׷ǽ
5.ö/ɾSPIBHOIEҼ˵
6.DLL
7.̬رLKDں˵ԣ
8.ǿʾöپϢ
9.ǿ̬رDSEǩǿƣ
10.ָؽ̹ܣӻᴥPGľ棩
11.WINDBGĸʽ޸eb/ew/ed/eq÷
12.޸ڶminifilteröļ޷/ļBUG
13.ǿײ㷽ʽдļ/̹
14.޸һЩСBUG͸ӽѺԣ֧Ϸļ

2013-09-151.03A[ʽ]
1.޸BUGWIN8.1ϵȶ
2.С

2013-09-081.03[԰]
1.[+]֧Windows 8.1
2.[+]̬Driver Signature Enforcementǩǿƣ
3.[*]˵ײ㷽ʽд̵߼ֵ޷дMBR⣬GPTʾ
4.[*]˾ö

2013-08-071.02[ʽ]
01.ɾؽ̡
02.޸ĳЩlistviewϢȫ
03.޸ںģ鶨λ
04.޸עĳЩĿʾȫ
05.޸ļBUG
06.޸жDLLBUG
07.̡ʱ䡻
08.עDLLϵͳ̣SMSS.EXECSRSS.EXE⣩
09.ʶ̣߳Ϣ֤ȷ
10.дڴʱCOPY-ON-WRITE
11.ں̽ַתַӳȣ
12.ļܣļȨޡӲӡ鿴ռϢ鿴ɾб

2013-02-211.01[ʽ]
01.ݣڡӵİȫģʽУֺminifilterйصĹ޷ʹã
02.ݣĳHIPSʱ»ȡSSDTԭʼַ
03.޸ģֶMBR RootkitΪԶ
04.޸ģ΢Ŀб
05.ǿʹáļֹĳЩļֹ
06.ǿ
07.ǿöٽģ
08.ǿINLINE HOOKһЩҪδKiSystemCall64ȣ
09.̽Ϣˮ
10.Զ޸MBRֻԭܹ20130111
11.ļ㣨ֻԭܹ201301117.51.20.4170Ӱʿ1.2.0.355Returnil 2011(1.0.5.5400)
12.ע
13.λļ/עΪ
14.вnosafecheckʱаȫӿٶȣ
15.ʾɾļԼעĿж
16.ö//ͷ/ת/ڴ桢޸Ľڴԡڴݲ
17.ΪصʱļƵC̸Ŀ¼
18.ݽ
19.ʾָļļļм/ȥֻ//ϵͳԡ
20.ͼ껻˴ALIENWAREƷƵͼ

2013-01-221.00[ʽ]
1.ļ
2.ע༭

2013-01-011.00[BETA6]
1.ϳص
2.ö/ָIDT
3.ɨ/̵ָIATӺEAT
4.ö/ָClassPNP.sysATAPI.sysNDIS.sysTCPIP.sysķַ
5.鿴Ĵֵ
6.öȫ
7.ں̽10
8.ΪųָPIDܣϢʾϸϸ

2012-12-101.00[BETA5]
1.öFSDַ
2.öں˶
3.öI/OʱDPCʱ
4.öMiniFilter͹
5.öObjectص
6.ԶIPַ
7.MBR ROOTKIT(ĿǰԺǿ)

2012-11-101.00[BETA4]
1.֧WINDOWS 8 X64(9200)

2012-11-041.00[BETA3]
1.öٻص
2.Ϊ
3.Խ

2012-09-161.00[BETA2]
1.עDLLSHELLCODE
2.ֽڴй©
3.Ҫƽں˲

2012-09-071.00[BETA1]
1.ǿɾע/ֵ
2.̱
3.INLINE HOOKɨ
4.ںڴ鿴

֮ǰĸ£
2012-07-060.04[C0/QS]һһЩBUGԼн΢ûйԸ¡
2012-07-020.04[B3/QS]öٲɾϢӡļһһЩBUG
2012-03-100.04[B2/QS]ؽԼǿƶдڴ棬һһЩBUG
2012-02-260.04[B1/ES]鿴/ָShadow SSDT
2012-02-230.04[A2/QS]һһЩBUG
2012-02-190.04[A1/ES]ֲ֧鿴/ָSSDTǿɾļ
2011-08-220.03[A2/ES]޸BUGͽ΢
2011-07-110.03[A1/ES]޸BUGͽ΢
2011-05-080.02[ES]   ޸BUGͽ΢
2011-02-030.01       һ汾


¼Kernel Explorer
=========================
˵
1.ֽʹ10֣123416֣0xABCD
2.win32k.sysntoskrnl.exeĺ
3.ʹ֮ǰǿҽʹsyminitʼ
4.
------
db ַ/              ʾһBYTE ָĬϸΪ128
磺db 0xFFFFF8001234567 0x64db NtUserPostMessagedb ntopenprocess 2048
------
dw ַ/              ʾһWORD ָĬϸΪ64
磺dw 0xFFFFF8001234567 0x64dw NtUserPostMessagedw ntopenprocess 2048
------
dd ַ/              ʾһDWORDָĬϸΪ32
磺dd 0xFFFFF8001234567 0x64dd NtUserPostMessagedd ntopenprocess 2048
------
dq ַ/              ʾһQWORDָĬϸΪ16
磺dq 0xFFFFF8001234567 0x64dq NtUserPostMessagedq ntopenprocess 2048
------
eb ַ/ b1 b2 b3 ... bN  ַָдһBYTEһֽ飩
磺eb 0xFFFFF8001234567 0x64eb NtUserPostMessage 0x90 0xC3
------
ew ַ/ w1 w2 w3 ... wN  ַָдһWORD
磺ew 0xFFFFF8001234567 0x6464ew NtUserPostMessage 0x90C3 0xC390
------
ed ַ/ d1 d2 d3 ... dN  ַָдһDWORD
磺ed 0xFFFFF8001234567 0x64646464ed NtUserPostMessage 0x909090C3 0x909090C3
------
eq ַ/ q1 q2 q3 ... qN  ַָдһQWORD
磺eq 0xFFFFF8001234567 0x6464646464646464eq NtUserPostMessage 0x90909090909090C3 0x90909090909090C3
------
u ַ/ ָ          һַָָĬΪ80򷴻ൽret߳ȴPAGE_SIZEΪֹ
磺ub 0xFFFFF8001234567 0x64ub NtUserPostMessage
------
uf ַ/                  retjmpֹͣ
磺uf 0xFFFFF8001234567uf NtUserPostMessage
------
dt ṹ                     ݽṹؽṹС
磺dt eprocessdt _list_entry
-------
dtx ṹ                    ݽṹýṹС֧ͨͨҪļ֧֣磺XX*ͷΪXX*YYβΪYYXX*YYͷΪXXβΪYY*XX*XXַ*зšnt!*NTšwin32k!*WIN32Kš
磺dtx *INFOdtx *dtx win32k!*
------
x                         ݺúַ֧ͨͨҪļ֧֣磺XX*ͷΪXX*YYβΪYYXX*YYͷΪXXβΪYY*XX*XXַ*зšnt!*NTšwin32k!*WIN32Kš
磺x ntopenprocessx NtUserPostMessagex *Processx Ki*Servicex *Terminate*
------
ln ַ	                        ݵַڵģͺ
磺ln 0xFFFFF8001234567
-------
kma                         ںڴ棬ʼַ
磺kma 20
-------
kfr ʼַ                    ͷŷںڴ棩
磺kfr 0xFFFFF8001234567
-------
kms ʼַ ֽ           ںڴֵ
磺kms 0xFFFFF8001234567 0 20
-------
kmc Ŀַ ԭʼַ       ںڴ棩
磺kmc 0xFFFFF8001234567 0xFFFFF8007654321 20
-------
kec ʼַ                    ִںshellcode
磺kec 0xFFFFF8001234567
------
vtop EPROCESS ַ          ַתΪַ
磺vtop 0xFFFFF8001234567 0x12345678
------
mpa ַ                ӳַ
磺mpa 0x0 64
------
umpa ַ               ȡӳַ
磺umpa 0xFFFFF8001234567 64
------
syminit                         ʼţ
޷
------
help                            ðϢ
޷
------
cls                             
޷
------
option ѡ ֵ                ѡ
|-option chkmemsafe 1/0/رڴЧԼ飩


¼΢
==================
WINDBG X64http://download.microsoft.com/download/A/6/A/A6AC035D-DA3F-4F0C-ADA4-37C8E5D34E3D/setup/WinSDKDebuggingTools_amd64/dbg_amd64.msi
DBGVIEW   http://download.sysinternals.com/files/DebugView.zip