Slow.More��BLOG

ASCII��ձ�

gk — Tue, 24 Jun 2008 21:00:33 +0800

��

ASCII, American Standard Code for Information Interchange �� "��˹key"�� 0 �� 127 ��һ�ٶ�ʮ�˸��Ӣ��ĸ��һ��Ľ��塣��ֻʹ��7��λԪ(bit)�Ϳ��Ա�ʾ��0��127��֣��󲿷ֵĵ��Զ�ʹ��8��λԪ��ȡ��Ԫ��(character set)��Դ�128��255֮��ֿ��һ��һ�ٶ�ʮ�˸��ţ��Ϊ extended ASCII��
ASCII��	��	ASCII ��	��	ASCII��	��	ASCII ��	��
27	ESC	32	SPACE	33	!	34	"
35	#	36	$	37	%	38	&
39	'	40	(	41	)	42	*
43	+	44	'	45	-	46	.
47	/	48	0	49	1	50	2
51	3	52	4	53	5	54	6
55	7	56	8	57	9	58	:
59	;	60	<	61	=	62	>
63	?	64	@	65	A	66	B
67	C	68	D	69	E	70	F
71	G	72	H	73	I	74	J
75	K	76	L	77	M	78	N
79	O	80	P	81	Q	82	R
83	S	84	T	85	U	86	V
87	W	88	X	89	Y	90	Z
91	[	92	\	93	]	94	^
95	_	96	`	97	a	98	b
99	c	100	d	101	e	102	f
103	g	104	h	105	i	106	j
107	k	108	l	109	m	110	n
111	o	112	p	113	q	114	r
115	s	116	t	117	u	118	v
119	w	120	x	121	y	122	z
123	{	124	\|	125	}	126	~

��Ŀǰ��õ��㷺��ַ��룬��ұ�׼��(ANSI)�ƶ��ASCII�루American Standard Code for Information Interchange��׼��Ϣ��룩��ѱ��ʱ�׼��֯��ISO��Ϊ��ʱ�׼��ΪISO 646��׼��ĸ��ASCII��7λ��8λ��ʽ��

��Ϊ1λ��Ա�ʾ��21=��2��״̬��0��1��2λ��Ա�ʾ��22��=4��״̬��00��01��10��11��ƣ�7λ��Ա�ʾ��27=��128��״̬��ÿ��״̬��Ψһ�ر�Ϊһ��7λ�Ķ��룬��Ӧһ��ַ��룩��Щ��г�һ��ʮ��0��127��ԣ�7λASCII��λ��б��ģ��Ա�ʾ128��ַ��

��0��32�ż��127��(��34��)�ǿ��ַ��ͨѶר��ַ��Ʒ��LF��У��CR��س��FF��ҳ��DEL��ɾ��BEL��壩�ȣ�ͨѶר��ַ��SOH��ͷ��EOT��β��ACK��ȷ�ϣ��ȣ�

��33��126��(��94��)��ַ��е�48��57��Ϊ0��9ʮ��֣�65��90��Ϊ26��дӢ��ĸ��97��122��Ϊ26��СдӢ��ĸ��ΪһЩ��š��ŵȡ�

��ע�⣺�ڼ��Ĵ洢��Ԫ�У�һ��ASCII��ֵռһ��ֽ�(8��λ)��λ(b7)��żУ��λ��ν��żУ�飬��ָ�ڴ��봫�͹��Ƿ��ִ��һ�ַ��һ��У��żУ��֡��У��涨��ȷ�Ĵ��һ��ֽ��1�ĸ��λb7��1��żУ��涨��ȷ�Ĵ��һ��ֽ��1�ĸ��ż��ż��λb7��1��

��

ASCII��

ASCIIֵ	��ַ�	ASCIIֵ	��ַ�	ASCIIֵ	��ַ�	ASCIIֵ	��ַ�
0	NUT	32	(space)	64	@	96	��
1	SOH	33	��	65	A	97	a
2	STX	34	��	66	B	98	b
3	ETX	35	#	67	C	99	c
4	EOT	36	$	68	D	100	d
5	ENQ	37	%	69	E	101	e
6	ACK	38	&	70	F	102	f
7	BEL	39	,	71	G	103	g
8	BS	40	(	72	H	104	h
9	HT	41	)	73	I	105	i
10	LF	42	*	74	J	106	j
11	VT	43	+	75	K	107	k
12	FF	44	,	76	L	108	l
13	CR	45	-	77	M	109	m
14	SO	46	.	78	N	110	n
15	SI	47	/	79	O	111	o
16	DLE	48	0	80	P	112	p
17	DCI	49	1	81	Q	113	q
18	DC2	50	2	82	R	114	r
19	DC3	51	3	83	X	115	s
20	DC4	52	4	84	T	116	t
21	NAK	53	5	85	U	117	u
22	SYN	54	6	86	V	118	v
23	TB	55	7	87	W	119	w
24	CAN	56	8	88	X	120	x
25	EM	57	9	89	Y	121	y
26	SUB	58	:	90	Z	122	z
27	ESC	59	;	91	[	123	{
28	FS	60	<	92	\	124	\|
29	GS	61	=	93	]	125	}
30	RS	62	>	94	^	126	~
31	US	63	?	95	��	127	DEL

NUL	VT ��ֱ�Ʊ�	SYN ��תͬ��
SOH ��⿪ʼ	FF ��ֽ��	ETB ��Ϣ�鴫�ͽ��
STX ��Ŀ�ʼ	CR �س�	CAN ��
ETX ��Ľ��	SO ��λ��	EM ֽ��
EOY ��	SI ��λ��	SUB ��
ENQ ѯ��ַ�	DLE �ո�	ESC ��
ACK ��	DC1 �豸��1	FS ��ַָ��
BEL ��	DC2 �豸��2	GS ��ָ��
BS ��һ��	DC3 �豸��3	RS ��¼�ָ��
HT ��б�	DC4 �豸��4	US ��Ԫ�ָ��
LF ��	NAK ��	DEL ɾ��

��̳��ASCII��

ESC�� VK_ESCAPE (27)

�س�� VK_RETURN (13)

TAB�� VK_TAB (9)

Caps Lock�� VK_CAPITAL (20)

Shift�� VK_SHIFT ($10)

Ctrl�� VK_CONTROL (17)

Alt�� VK_MENU (18)

�ո�� VK_SPACE ($20/32)

�˸�� VK_BACK (8)

��ձ�� VK_LWIN (91)

�һձ�� VK_LWIN (92)

��Ҽ��ݼ��VK_APPS (93)

Insert�� VK_INSERT (45)

Home�� VK_HOME (36)

Page Up�� VK_PRIOR (33)

PageDown�� VK_NEXT (34)

End�� VK_END (35)

Delete�� VK_DELETE (46)

��(��)�� VK_LEFT (37)

��(��)�� VK_UP (38)

��(��)�� VK_RIGHT (39)

��(��)�� VK_DOWN (40)

F1�� VK_F1 (112)

F2�� VK_F2 (113)

F3�� VK_F3 (114)

F4�� VK_F4 (115)

F5�� VK_F5 (116)

F6�� VK_F6 (117)

F7�� VK_F7 (118)

F8�� VK_F8 (119)

F9�� VK_F9 (120)

F10�� VK_F10 (121)

F11�� VK_F11 (122)

F12�� VK_F12 (123)

Num Lock�� VK_NUMLOCK (144)

С��0�� VK_NUMPAD0 (96)

С��1�� VK_NUMPAD0 (97)

С��2�� VK_NUMPAD0 (98)

С��3�� VK_NUMPAD0 (99)

С��4�� VK_NUMPAD0 (100)

С��5�� VK_NUMPAD0 (101)

С��6�� VK_NUMPAD0 (102)

С��7�� VK_NUMPAD0 (103)

С��8�� VK_NUMPAD0 (104)

С��9�� VK_NUMPAD0 (105)

С��.�� VK_DECIMAL (110)

С��*�� VK_MULTIPLY (106)

С��+�� VK_MULTIPLY (107)

С��-�� VK_SUBTRACT (109)

С��/�� VK_DIVIDE (111)

Pause Break�� VK_PAUSE (19)

Scroll Lock�� VK_SCROLL (145)

windows��

gk — Tue, 24 Jun 2008 13:06:17 +0800

��Դmsdn

Windows Data Types

The data types supported by Microsoft® Windows® are used to define function return values, function and message parameters, and structure members. They define the size and meaning of these elements. For more information about the underlying C/C++ data types, see Data Type Ranges.

The following table contains the following types: character, integer, Boolean, pointer, and handle. The character, integer, and Boolean types are common to most C compilers. Most of the pointer-type names begin with a prefix of P or LP. Handles refer to a resource that has been loaded into memory.

For more information about handling 64-bit integers, see Large Integers.

Type	Description
ATOM	Atom. For more information, see Atoms. This type is declared in WinDef.h as follows: typedef WORD ATOM;
BOOL	Boolean variable (should be TRUE or FALSE). This type is declared in WinDef.h as follows: typedef int BOOL;
BOOLEAN	Boolean variable (should be TRUE or FALSE). This type is declared in WinNT.h as follows: typedef BYTE BOOLEAN;
BYTE	Byte (8 bits). This type is declared in WinDef.h as follows: typedef unsigned char BYTE;
CALLBACK	Calling convention for callback functions. This type is declared in WinDef.h as follows: #define CALLBACK __stdcall
CHAR	8-bit Windows (ANSI) character. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef char CHAR;
COLORREF	Red, green, blue (RGB) color value (32 bits). See COLORREF for information on this type. This type is declared in WinDef.h as follows: typedef DWORD COLORREF;
CONST	Variable whose value is to remain constant during execution. This type is declared in WinDef.h as follows: #define CONST const
DWORD	32-bit unsigned integer. This type is declared in WinDef.h as follows: typedef unsigned long DWORD;
DWORDLONG	64-bit unsigned integer. This type is declared in WinNT.h as follows: typedef ULONGLONG DWORDLONG;
DWORD_PTR	Unsigned long type for pointer precision. Use when casting a pointer to a long type to perform pointer arithmetic. (Also commonly used for general 32-bit parameters that have been extended to 64 bits in 64-bit Windows. ) This type is declared in BaseTsd.h as follows: typedef ULONG_PTR DWORD_PTR;
DWORD32	32-bit unsigned integer. This type is declared in BaseTsd.h as follows: typedef unsigned int DWORD32;
DWORD64	64-bit unsigned integer. This type is declared in BaseTsd.h as follows: typedef unsigned __int64 DWORD64;
FLOAT	Floating-point variable. This type is declared in WinDef.h as follows: typedef float FLOAT;
HACCEL	Handle to an accelerator table. This type is declared in WinDef.h as follows: typedef HANDLE HACCEL;
HALF_PTR	Half the size of a pointer. Use within a structure that contains a pointer and two small fields. This type is declared in Basetsd.h as follows: #ifdef _WIN64 typedef int HALF_PTR; #else typedef short HALF_PTR; #endif
HANDLE	Handle to an object. This type is declared in WinNT.h as follows: typedef PVOID HANDLE;
HBITMAP	Handle to a bitmap. This type is declared in WinDef.h as follows: typedef HANDLE HBITMAP;
HBRUSH	Handle to a brush. This type is declared in WinDef.h as follows: typedef HANDLE HBRUSH;
HCOLORSPACE	Handle to a color space. This type is declared in WinDef.h as follows: #if(WINVER >= 0x0400) typedef HANDLE HCOLORSPACE; #endif
HCONV	Handle to a dynamic data exchange (DDE) conversation. This type is declared in Ddeml.h as follows: typedef HANDLE HCONV;
HCONVLIST	Handle to a DDE conversation list. This type is declared in Ddeml.h as follows: typedef HANDLE HCONVLIST;
HCURSOR	Handle to a cursor. This type is declared in WinDef.h as follows: typedef HICON HCURSOR;
HDC	Handle to a device context (DC). This type is declared in WinDef.h as follows: typedef HANDLE HDC;
HDDEDATA	Handle to DDE data. This type is declared in Ddeml.h as follows: typedef HANDLE HDDEDATA;
HDESK	Handle to a desktop. This type is declared in WinDef.h as follows: typedef HANDLE HDESK;
HDROP	Handle to an internal drop structure. This type is declared in ShellApi.h as follows: typedef HANDLE HDROP;
HDWP	Handle to a deferred window position structure. This type is declared in WinUser.h as follows: typedef HANDLE HDWP;
HENHMETAFILE	Handle to an enhanced metafile. This type is declared in WinDef.h as follows: typedef HANDLE HENHMETAFILE;
HFILE	Handle to a file opened by OpenFile, not CreateFile. This type is declared in WinDef.h as follows: typedef int HFILE;
HFONT	Handle to a font. This type is declared in WinDef.h as follows: typedef HANDLE HFONT;
HGDIOBJ	Handle to a GDI object. This type is declared in WinDef.h as follows: typedef HANDLE HGDIOBJ;
HGLOBAL	Handle to a global memory block. This type is declared in WinDef.h as follows: typedef HANDLE HGLOBAL;
HHOOK	Handle to a hook. This type is declared in WinDef.h as follows: typedef HANDLE HHOOK;
HICON	Handle to an icon. This type is declared in WinDef.h as follows: typedef HANDLE HICON;
HINSTANCE	Handle to an instance. This type is declared in WinDef.h as follows: typedef HANDLE HINSTANCE;
HKEY	Handle to a registry key. This type is declared in WinDef.h as follows: typedef HANDLE HKEY;
HKL	Input locale identifier. This type is declared in WinDef.h as follows: typedef HANDLE HKL;
HLOCAL	Handle to a local memory block. This type is declared in WinDef.h as follows: typedef HANDLE HLOCAL;
HMENU	Handle to a menu. This type is declared in WinDef.h as follows: typedef HANDLE HMENU;
HMETAFILE	Handle to a metafile. This type is declared in WinDef.h as follows: typedef HANDLE HMETAFILE;
HMODULE	Handle to a module. The value is the base address of the module. This type is declared in WinDef.h as follows: typedef HINSTANCE HMODULE;
HMONITOR	Handle to a display monitor. This type is declared in WinDef.h as follows: if(WINVER >= 0x0500) typedef HANDLE HMONITOR;
HPALETTE	Handle to a palette. This type is declared in WinDef.h as follows: typedef HANDLE HPALETTE;
HPEN	Handle to a pen. This type is declared in WinDef.h as follows: typedef HANDLE HPEN;
HRESULT	Return code used by interfaces. It is zero upon success and nonzero to represent an error code or status information. This type is declared in WinNT.h as follows: typedef LONG HRESULT;
HRGN	Handle to a region. This type is declared in WinDef.h as follows: typedef HANDLE HRGN;
HRSRC	Handle to a resource. This type is declared in WinDef.h as follows: typedef HANDLE HRSRC;
HSZ	Handle to a DDE string. This type is declared in Ddeml.h as follows: typedef HANDLE HSZ;
HWINSTA	Handle to a window station. This type is declared in WinDef.h as follows: typedef HANDLE WINSTA;
HWND	Handle to a window. This type is declared in WinDef.h as follows: typedef HANDLE HWND;
INT	32-bit signed integer. This type is declared in WinDef.h as follows: typedef int INT;
INT_PTR	Signed integer type for pointer precision. Use when casting a pointer to an integer to perform pointer arithmetic. This type is declared in BaseTsd.h as follows: #if defined(_WIN64) typedef __int64 INT_PTR; #else typedef int INT_PTR; #endif
INT32	32-bit signed integer. This type is declared in BaseTsd.h as follows: typedef signed int INT32;
INT64	64-bit signed integer. This type is declared in BaseTsd.h as follows: typedef signed __int64 INT64;
LANGID	Language identifier. For more information, see Locales. This type is declared in WinNT.h as follows: typedef WORD LANGID;
LCID	Locale identifier. For more information, see Locales. This type is declared in WinNT.h as follows: typedef DWORD LCID;
LCTYPE	Locale information type. For a list, see Locale and Language Information. This type is declared in WinNls.h as follows: typedef DWORD LCTYPE;
LGRPID	Language group identifier. For a list, see EnumLanguageGroupLocales. This type is declared in WinNls.h as follows: typedef DWORD LGRPID;
LONG	32-bit signed integer. This type is declared in WinNT.h as follows: typedef long LONG;
LONGLONG	64-bit signed integer. This type is declared in WinNT.h as follows: #if !defined(_M_IX86) typedef __int64 LONGLONG; #else typedef double LONGLONG; #endif
LONG_PTR	Signed long type for pointer precision. Use when casting a pointer to a long to perform pointer arithmetic. This type is declared in BaseTsd.h as follows: #if defined(_WIN64) typedef __int64 LONG_PTR; #else typedef long LONG_PTR; #endif
LONG32	32-bit signed integer. This type is declared in BaseTsd.h as follows: typedef signed int LONG32;
LONG64	64-bit signed integer. This type is declared in BaseTsd.h as follows: typedef __int64 LONG64;
LPARAM	Message parameter. This type is declared in WinDef.h as follows: typedef LONG_PTR LPARAM;
LPBOOL	Pointer to a BOOL. This type is declared in WinDef.h as follows: typedef BOOL far *LPBOOL;
LPBYTE	Pointer to a BYTE. This type is declared in WinDef.h as follows: typedef BYTE far *LPBYTE;
LPCOLORREF	Pointer to a COLORREF value. This type is declared in WinDef.h as follows: typedef DWORD *LPCOLORREF;
LPCSTR	Pointer to a constant null-terminated string of 8-bit Windows (ANSI) characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef __nullterminated CONST CHAR *LPCSTR;
LPCTSTR	An LPCWSTR if UNICODE is defined, an LPCSTR otherwise. This type is declared in WinNT.h as follows: #ifdef UNICODE typedef LPCWSTR LPCTSTR; #else typedef LPCSTR LPCTSTR; #endif
LPCVOID	Pointer to a constant of any type. This type is declared in WinDef.h as follows: typedef CONST void *LPCVOID;
LPCWSTR	Pointer to a constant null-terminated string of 16-bit Unicode characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef CONST WCHAR *LPCWSTR;
LPDWORD	Pointer to a DWORD. This type is declared in WinDef.h as follows: typedef DWORD *LPDWORD;
LPHANDLE	Pointer to a HANDLE. This type is declared in WinDef.h as follows: typedef HANDLE *LPHANDLE;
LPINT	Pointer to an INT. This type is declared in WinDef.h as follows: typedef int *LPINT;
LPLONG	Pointer to a LONG. This type is declared in WinDef.h as follows: typedef long *LPLONG;
LPSTR	Pointer to a null-terminated string of 8-bit Windows (ANSI) characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef CHAR *LPSTR;
LPTSTR	An LPWSTR if UNICODE is defined, an LPSTR otherwise. This type is declared in WinNT.h as follows: #ifdef UNICODE typedef LPWSTR LPTSTR; #else typedef LPSTR LPTSTR; #endif
LPVOID	Pointer to any type. This type is declared in WinDef.h as follows: typedef void *LPVOID;
LPWORD	Pointer to a WORD. This type is declared in WinDef.h as follows: typedef WORD *LPWORD;
LPWSTR	Pointer to a null-terminated string of 16-bit Unicode characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef WCHAR *LPWSTR;
LRESULT	Signed result of message processing. This type is declared in WinDef.h as follows: typedef LONG_PTR LRESULT;
PBOOL	Pointer to a BOOL. This type is declared in WinDef.h as follows: typedef BOOL *PBOOL;
PBOOLEAN	Pointer to a BOOL. This type is declared in WinNT.h as follows: typedef BOOLEAN *PBOOLEAN;
PBYTE	Pointer to a BYTE. This type is declared in WinDef.h as follows: typedef BYTE *PBYTE;
PCHAR	Pointer to a CHAR. This type is declared in WinNT.h as follows: typedef CHAR *PCHAR;
PCSTR	Pointer to a constant null-terminated string of 8-bit Windows (ANSI) characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef CONST CHAR *PCSTR;
PCTSTR	A PCWSTR if UNICODE is defined, a PCSTR otherwise. This type is declared in WinNT.h as follows: #ifdef UNICODE typedef LPCWSTR PCTSTR; #else typedef LPCSTR PCTSTR; #endif
PCWSTR	Pointer to a constant null-terminated string of 16-bit Unicode characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef CONST WCHAR *PCWSTR;
PDWORD	Pointer to a DWORD. This type is declared in WinDef.h as follows: typedef DWORD *PDWORD;
PDWORDLONG	Pointer to a DWORDLONG. This type is declared in WinNT.h as follows: typedef DWORDLONG *PDWORDLONG;
PDWORD_PTR	Pointer to a DWORD_PTR. This type is declared in BaseTsd.h as follows: typedef DWORD_PTR *PDWORD_PTR;
PDWORD32	Pointer to a DWORD32. This type is declared in BaseTsd.h as follows: typedef DWORD32 *PDWORD32;
PDWORD64	Pointer to a DWORD64. This type is declared in BaseTsd.h as follows: typedef DWORD64 *PDWORD64;
PFLOAT	Pointer to a FLOAT. This type is declared in WinDef.h as follows: typedef FLOAT *PFLOAT;
PHALF_PTR	Pointer to a HALF_PTR. This type is declared in Basetsd.h as follows: #ifdef _WIN64 typedef HALF_PTR PHALF_PTR; #else typedef HALF_PTR PHALF_PTR; #endif
PHANDLE	Pointer to a HANDLE. This type is declared in WinNT.h as follows: typedef HANDLE *PHANDLE;
PHKEY	Pointer to an HKEY. This type is declared in WinDef.h as follows: typedef HKEY *PHKEY;
PINT	Pointer to an INT. This type is declared in WinDef.h as follows: typedef int *PINT;
PINT_PTR	Pointer to an INT_PTR. This type is declared in BaseTsd.h as follows: typedef INT_PTR *PINT_PTR;
PINT32	Pointer to an INT32. This type is declared in BaseTsd.h as follows: typedef INT32 *PINT32;
PINT64	Pointer to an INT64. This type is declared in BaseTsd.h as follows: typedef INT64 *PINT64;
PLCID	Pointer to an LCID. This type is declared in WinNT.h as follows: typedef PDWORD PLCID;
PLONG	Pointer to a LONG. This type is declared in WinNT.h as follows: typedef LONG *PLONG;
PLONGLONG	Pointer to a LONGLONG. This type is declared in WinNT.h as follows: typedef LONGLONG *PLONGLONG;
PLONG_PTR	Pointer to a LONG_PTR. This type is declared in BaseTsd.h as follows: typedef LONG_PTR *PLONG_PTR;
PLONG32	Pointer to a LONG32. This type is declared in BaseTsd.h as follows: typedef LONG32 *PLONG32;
PLONG64	Pointer to a LONG64. This type is declared in BaseTsd.h as follows: typedef LONG64 *PLONG64;
POINTER_32	32-bit pointer. On a 32-bit system, this is a native pointer. On a 64-bit system, this is a truncated 64-bit pointer. This type is declared in BaseTsd.h as follows: #if defined(_WIN64) #define POINTER_32 __ptr32 #else #define POINTER32 #endif
POINTER_64	64-bit pointer. On a 64-bit system, this is a native pointer. On a 32-bit system, this is a sign-extended 32-bit pointer. Note that it is not safe to assume the state of the high pointer bit. This type is declared in BaseTsd.h as follows: #define POINTER_64 __ptr64
POINTER_SIGNED	A signed pointer. This type is declared in BaseTsd.h as follows: #define POINTER_SIGNED __sptr
POINTER_UNSIGNED	An unsigned pointer. This type is declared in BaseTsd.h as follows: #define POINTER_UNSIGNED __uptr
PSHORT	Pointer to a SHORT. This type is declared in WinNT.h as follows: typedef SHORT *PSHORT;
PSIZE_T	Pointer to a SIZE_T. This type is declared in BaseTsd.h as follows: typedef SIZE_T *PSIZE_T;
PSSIZE_T	Pointer to a SSIZE_T. This type is declared in BaseTsd.h as follows: typedef SSIZE_T *PSSIZE_T;
PSTR	Pointer to a null-terminated string of 8-bit Windows (ANSI) characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef CHAR *PSTR;
PTBYTE	Pointer to a TBYTE. This type is declared in WinNT.h as follows: typedef TBYTE *PTBYTE;
PTCHAR	Pointer to a TCHAR. This type is declared in WinNT.h as follows: typedef TCHAR *PTCHAR;
PTSTR	A PWSTR if UNICODE is defined, a PSTR otherwise. This type is declared in WinNT.h as follows: #ifdef UNICODE typedef LPWSTR PTSTR; #else typedef LPSTR PTSTR; #endif
PUCHAR	Pointer to a UCHAR. This type is declared in WinDef.h as follows: typedef UCHAR *PUCHAR;
PUHALF_PTR	Pointer to a UHALF_PTR. This type is declared in Basetsd.h as follows: #ifdef _WIN64 typedef UHALF_PTR PUHALF_PTR; #else typedef UHALF_PTR PUHALF_PTR; #endif
PUINT	Pointer to a UINT. This type is declared in WinDef.h as follows: typedef UINT *PUINT;
PUINT_PTR	Pointer to a UINT_PTR. This type is declared in BaseTsd.h as follows: typedef UINT_PTR *PUINT_PTR;
PUINT32	Pointer to a UINT32. This type is declared in BaseTsd.h as follows: typedef UINT32 *PUINT32;
PUINT64	Pointer to a UINT64. This type is declared in BaseTsd.h as follows: typedef UINT64 *PUINT64;
PULONG	Pointer to a ULONG. This type is declared in WinDef.h as follows: typedef ULONG *PULONG;
PULONGLONG	Pointer to a ULONGLONG. This type is declared in WinDef.h as follows: typedef ULONGLONG *PULONGLONG;
PULONG_PTR	Pointer to a ULONG_PTR. This type is declared in BaseTsd.h as follows: typedef ULONG_PTR *PULONG_PTR;
PULONG32	Pointer to a ULONG32. This type is declared in BaseTsd.h as follows: typedef ULONG32 *PULONG32;
PULONG64	Pointer to a ULONG64. This type is declared in BaseTsd.h as follows: typedef ULONG64 *PULONG64;
PUSHORT	Pointer to a USHORT. This type is declared in WinDef.h as follows: typedef USHORT *PUSHORT;
PVOID	Pointer to any type. This type is declared in WinNT.h as follows: typedef void *PVOID;
PWCHAR	Pointer to a WCHAR. This type is declared in WinNT.h as follows: typedef WCHAR *PWCHAR;
PWORD	Pointer to a WORD. This type is declared in WinDef.h as follows: typedef WORD *PWORD;
PWSTR	Pointer to a null- terminated string of 16-bit Unicode characters. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef WCHAR *PWSTR;
SC_HANDLE	Handle to a service control manager database. For more information, see SCM Handles. This type is declared in WinSvc.h as follows: typedef HANDLE SC_HANDLE;
SC_LOCK	Lock to a service control manager database. For more information, see SCM Handles. This type is declared in WinSvc.h as follows: typedef LPVOID SC_LOCK;
SERVICE_STATUS_HANDLE	Handle to a service status value. For more information, see SCM Handles. This type is declared in WinSvc.h as follows: typedef HANDLE SERVICE_STATUS_HANDLE;
SHORT	Short integer (16 bits). This type is declared in WinNT.h as follows: typedef short SHORT;
SIZE_T	The maximum number of bytes to which a pointer can point. Use for a count that must span the full range of a pointer. This type is declared in BaseTsd.h as follows: typedef ULONG_PTR SIZE_T;
SSIZE_T	Signed SIZE_T. This type is declared in BaseTsd.h as follows: typedef LONG_PTR SSIZE_T;
TBYTE	A WCHAR if UNICODE is defined, a CHAR otherwise. This type is declared in WinNT.h as follows: #ifdef UNICODE typedef WCHAR TBYTE; #else typedef unsigned char TBYTE; #endif
TCHAR	A WCHAR if UNICODE is defined, a CHAR otherwise. This type is declared in WinNT.h as follows: #ifdef UNICODE typedef WCHAR TCHAR; #else typedef char TCHAR; #endif
UCHAR	Unsigned CHAR. This type is declared in WinDef.h as follows: typedef unsigned char UCHAR;
UHALF_PTR	Unsigned HALF_PTR. Use within a structure that contains a pointer and two small fields. This type is declared in Basetsd.h as follows: #ifdef _WIN64 typedef unsigned int UHALF_PTR; #else typedef unsigned short UHALF_PTR; #endif
UINT	Unsigned INT. This type is declared in WinDef.h as follows: typedef unsigned int UINT;
UINT_PTR	Unsigned INT_PTR. This type is declared in BaseTsd.h as follows: #if defined(_WIN64) typedef unsigned __int64 UINT_PTR; #else typedef unsigned int UINT_PTR; #endif
UINT32	Unsigned INT32. This type is declared in BaseTsd.h as follows: typedef unsigned int UINT32;
UINT64	Unsigned INT64. This type is declared in BaseTsd.h as follows: typedef usigned __int 64 UINT64;
ULONG	Unsigned LONG. This type is declared in WinDef.h as follows: typedef unsigned long ULONG;
ULONGLONG	64-bit unsigned integer. This type is declared in WinNT.h as follows: #if !defined(_M_IX86) typedef unsigned __int64 ULONGLONG; #else typedef double ULONGLONG #endif
ULONG_PTR	Unsigned LONG_PTR. This type is declared in BaseTsd.h as follows: #if defined(_WIN64) typedef unsigned __int64 ULONG_PTR; #else typedef unsigned long ULONG_PTR; #endif
ULONG32	Unsigned LONG32. This type is declared in BaseTsd.h as follows: typedef unsigned int ULONG32;
ULONG64	Unsigned LONG64. This type is declared in BaseTsd.h as follows: typedef unsigned __int64 ULONG64;
USHORT	Unsigned SHORT. This type is declared in WinDef.h as follows: typedef unsigned short USHORT;
USN	Update sequence number (USN). This type is declared in WinNT.h as follows: typedef LONGLONG USN;
VOID	Any type. This type is declared in WinNT.h as follows: #define VOID void
WCHAR	16-bit Unicode character. For more information, see Character Sets Used By Fonts. This type is declared in WinNT.h as follows: typedef wchar_t WCHAR;
WINAPI	Calling convention for system functions. This type is declared in WinDef.h as follows: #define WINAPI __stdcall
WORD	16-bit unsigned integer. This type is declared in WinDef.h as follows: typedef unsigned short WORD;
WPARAM	Message parameter. This type is declared in WinDef.h as follows: typedef UINT_PTR WPARAM;

windows��Ϣ

gk — Tue, 24 Jun 2008 13:02:13 +0800

��Դmsdn

System-Defined Messages

The system sends or posts a system-defined message when it communicates with an application. It uses these messages to control the operations of applications and to provide input and other information for applications to process. An application can also send or post system-defined messages. Applications generally use these messages to control the operation of control windows created by using preregistered window classes.

Each system-defined message has a unique message identifier and a corresponding symbolic constant (defined in the software development kit (SDK) header files) that states the purpose of the message. For example, the WM_PAINT constant requests that a window paint its contents.

Symbolic constants specify the category to which system-defined messages belong. The prefix of the constant identifies the type of window that can interpret and process the message. Following are the prefixes and their related message categories.

Prefix	Message category
ABM	Application desktop toolbar
BM	Button control
CB	Combo box control
CBEM	Extended combo box control
CDM	Common dialog box
DBT	Device
DL	Drag list box
DM	Default push button control
DTM	Date and time picker control
EM	Edit control
HDM	Header control
HKM	Hot key control
IPM	IP address control
LB	List box control
LVM	List view control
MCM	Month calendar control
PBM	Progress bar
PGM	Pager control
PSM	Property sheet
RB	Rebar control
SB	Status bar window
SBM	Scroll bar control
STM	Static control
TB	Toolbar
TBM	Trackbar
TCM	Tab control
TTM	Tooltip control
TVM	Tree-view control
UDM	Up-down control
WM	General window

General window messages cover a wide range of information and requests, including messages for mouse and keyboard input, menu and dialog box input, window creation and management, and Dynamic Data Exchange (DDE).

Application-Defined Messages

An application can create messages to be used by its own windows or to communicate with windows in other processes. If an application creates its own messages, the window procedure that receives them must interpret the messages and provide appropriate processing.

Message-identifier values are used as follows:

The system reserves message-identifier values in the range 0x0000 through 0x03FF (the value of WM_USER �C 1) for system-defined messages. Applications cannot use these values for private messages.
Values in the range 0x0400 (the value of WM_USER) through 0x7FFF are available for message identifiers for private window classes.
If your application is marked version 4.0, you can use message-identifier values in the range 0x8000 (WM_APP) through 0xBFFF for private messages.
The system returns a message identifier in the range 0xC000 through 0xFFFF when an application calls the RegisterWindowMessage function to register a message. The message identifier returned by this function is guaranteed to be unique throughout the system. Use of this function prevents conflicts that can arise if other applications use the same message identifier for different purposes.

��FS�Ĵ��ȡKERNEL32.DLL��ַ�㷨��֤��

gk — Fri, 20 Jun 2008 21:25:08 +0800

FS�Ĵ��ָ��ǰ��̵߳�TEB�ṹ��߳̽ṹ��

ƫ�� ˵��

000 ָ��SEH��ָ��

004 �̶߳�ջ��

008 �̶߳�ջ�ײ�

00C SubSystemTib

010 FiberData

014 ArbitraryUserPointer

018 FS�μĴ��ڴ��еľ��ַ

020 ��PID

024 �߳�ID

02C ָ��ֲ߳̾��洢ָ��

030 PEB�ṹ��ַ��̽ṹ��

034 �ϸ��

��shellcode��KERNEL32.DLL��ַ�ǳ��㷨�ˣ��㷨��õ��FS�Ĵ��ǣ�

1. ͨ��PEB(FS:[30])��ȡKERNEL32.DLL��ַ

2. ͨ��TEB(FS:[18])��ȡKERNEL32.DLL��ַ

3. ͨ��SEH(FS:[00])��ȡKERNEL32.DLL��ַ

��ֱ�֤��֮��

��һ��ͨ��PEB(FS:[30])��ȡKERNEL32.DLL��ַ

�㷨��

mov eax,fs:[30h] ;�õ�PEB�ṹ��ַ

mov eax,[eax + 0ch] ;�õ�PEB_LDR_DATA�ṹ��ַ

mov esi,[eax + 1ch]

lodsd ; �õ�KERNEL32.DLL��LDR_MODULE�ṹ��

; InInitializationOrderModuleList��ַ

mov edx,[eax + 8h] ;�õ�BaseAddress��Kernel32.dll��ַ

֤��

1. ��openһ��exe��ڴ��е�KERNEL32.DLL��ַ�ǲ��ģ�

2. ��ȡPEB��ַ��

0:000> dd fs:30 L1

003b:00000030 7ffd6000

��ˣ�7ffd6000

3. ��ȡPEB_LDR_DATA�ṹ��ַ7ffd6000+0c

peb�Ľṹ��壺

ntdll!_PEB

+0x000 InheritedAddressSpace : UChar

+0x001 ReadImageFileExecOptions : UChar

+0x002 BeingDebugged : UChar

+0x003 SpareBool : UChar

+0x004 Mutant : Ptr32 Void

+0x008 ImageBaseAddress : Ptr32 Void

+0x00c Ldr : Ptr32 _PEB_LDR_DATA

+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS

+0x014 SubSystemData : Ptr32 Void

+0x018 ProcessHeap : Ptr32 Void

+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION

......

0:000> dd 7ffd6000+0c L1

7ffd600c 00181ea0

PEB_LDR_DATA-> 00181ea0

4. ��ȡInInitializationOrderModuleList�ĵ�ַ

˵һ��PEB_LDR_DATA��ntdll.dll�е�u

ndocumented

��һ��ṹ��PEB_LDR_DATA�Ľṹ��壺

0:000> dt _PEB_LDR_DATA

+0x000 Length : Uint4B

+0x004 Initialized : UChar

+0x008 SsHandle : Ptr32 Void

+0x00c InLoadOrderModuleList : _LIST_ENTRY

+0x014 InMemoryOrderModuleList : _LIST_ENTRY

+0x01c InInitializationOrderModuleList : _LIST_ENTRY

+0x024 EntryInProgress : Ptr32 Void

0:000> dd 00181ea0+1c L1

00181ebc 00181f58

InInitializationOrderModuleList->00181f58

5. ��ȡkernel32�Ļ��ַ

0:000> dd 00181f58+8 L1

00181f60 7c920000

7c920000��ˣ�

checkһ�£�

0:000> dd kernel32 L1

7c800000 00905a4d

��Ȼ��ǰ��7c920000��ntdll.dll�ģ��

��㷨��Ȼ��ȷ�ġ��Ϊ��shellcode��ģ��б��ĵ�һ��kernel32�ˣ��Ȼ��ͨ��check�ģ��shellcode�Ŀռ䲻��ģ��shellcode��ˡ��Ե�exeǡ��ȼ��ntdll.dll��

��ͨ��TEB(FS:[18])��ȡKERNEL32.DLL��ַ

�㷨��

��̵߳�ջ��ƫ��18H��ָ��ָ��kernel32.dll�ڲ��fs :[ 0x18 ] ָ��ǰ�̶߳��ĸ��ֽ�ָ��߳�ջ��ջ��ָ��ж��ҵ�PE�ļ�ͷ��DLL��ļ��ʽ��ġ�MZ��MSDOS��־��õ��kernel32.dll��ַ��

xor esi , esi

mov esi , fs :[ esi + 0x18 ] // TEB

mov eax , [ esi + 4 ] // ��Ҫ��ջ��

mov eax , [ eax - 0x1c ] // ָ��Kernel32.dll�ڲ�

find_kernel32_base :

dec eax // ��ʼ��̺ʽ��Kernel32�ռ�

xor ax , ax

cmp word ptr [ eax ], 0x5a4d // "MZ"

jne find_kernel32_base // ѭ �� ҵ� �� eax

֤��

1. �ҵ�TEB��ð죺

0:000> dd fs:18 L1

003b:00000018 7ffdd000

TEB->7ffdd000

2. �ҵ�ջ��ָ�룺

0:000> dd 7ffdd000+4 L1

7ffdd004 00070000

3. ��Kernel32�ռ䣺

0:000> dd 00070000-1c L1

0006ffe4 7c839aa8

4. Kernel32�ռ�Ĵ��

0:000> db 7c839aa7 L4

7c839aa7 30 55 8b ec 0U..

......һֱ��ȥ

0:000> db 7c800000 L4

7c800000 4d 5a 90 00 MZ..

�ҵ��˰ɣ��е�Ч��⣬shellcode��ʱ��Ҫ��Ч�ʵģ�û�취��⡣

��ͨ��SEH(FS:[00])��ȡKERNEL32.DLL��ַ

�㷨��

ע�⣺FS:[ 0 ] ָ��SHE��ָ��kernel32.dll�ڲ��Ϳ��˳��ˡ�FS:[ 0 ] ָ��SHE��ڲ��Ϊ��ҵ��쳣��ҵ�prev��Ա�� 0xffffffff ��EXCEPTION_REGISTER�ṹ��ýṹ��handlerֵ��ϵͳ Ĭ �ϵĴ��̣��и�ϸ�ڣ�DLL��װ��64K�߽��ģ��Ҫ��ñ��ָ��쳣��ָ��ҳ��ң��ٽ��PE�ļ�MSDOS��־��֣�ֻҪ��ÿ�� 64K �߽�� MZ ��ַ��ҵ�kernel32.dll��ַ��

xor ecx , ecx

mov esi , fs :[ ecx ]

find_seh :

mov eax ,[ esi ]

mov esi , eax

cmp [ eax ], ecx

jns find_seh // 0xffffffff

mov eax , [ eax + 0x04 ] // handler

find_kernel32_base :

dec eax

xor ax , ax

cmp word ptr [ eax ], 0x5a4d

jne find_kernel32_base

֤��

1. &n

bsp;

�ҵ��ǰSEH��

0:000> dd fs:0 L1

003b:00000000 0006fedc

2. �ҵ��SEH��

round 1:

0:000> dd 0006fedc L1

0006fedc 0006ffb0 ; esi

0:000> dd 0006ffb0 L1

0006ffb0 0006ffe0 ; [eax]

round 2:

0:000> dd 0006ffb0 L1

0006ffb0 0006ffe0 ; esi

0:000> dd 0006ffe0 L1

0006ffe0 ffffffff ; [eax]

��ڶ��˾��ҵ��ˣ��ʱ��eax=0006ffe0

3. �ҵ�MZ��

0:000> dd 0006ffe0+4 L1

0006ffe4 7c839aa8

0:000> db 7c839aa7 L4

7c839aa7 30 55 8b ec 0U..

......��һֱ��ȥ

0:000> db 7c800000 L4

800000 4d 5a 90 00 MZ..

�ҵ��

֪��Ȼ��Ҫ֪��Ȼ��

��дwindowsϵͳ�ѱ��ڴ��

gk — Fri, 20 Jun 2008 21:22:47 +0800

windowsϵͳ��ĳЩ�汾�¶�ĳЩ�ڴ��д��Ĺ��ܣ��Ϊ��Щ��һ��Ϸ��ǲ��޸��ݵģ��ô��д��Щ�ڴ��أ�

PS:1) ��Щϵͳ��:windows xp��windows 2003
2) CPU�ṩд��Ĺ��Ǵ�486��ʼ��
3) һ��Ϸ��򲻰��ɱ��Ϊ��Hook SSDT��ֱ�Ӹ�ServiceTableBase��û��inline�ķ��

��Ǿ��SSDT��Ӱɣ��Hook SSDTʱ��innline hook��Ǿ�Ҫ�޸�SSDT��ϵͳ��Ǳ�д��ˣ��ring0��Ҳ��û��д��Ȩ�ޡ�

��һ��
��һ��CR0�Ĵ��ĸ�ʽ
|31|30|      |18|17|16|          5|4|3|2|0|1|
|P |C |      |A | |W |          N|E|T|E|M|P|
|G |D |      |M | |P |          E|T|S|M|P|E|

��Ҫע��WP��λ,��ο�IA-32 Volume 3A��
WP��Write Protect��Ϊ1ʱֻ�ṩ��ҳȨ��
PE��Paging��Ϊ1ʱ�ṩ��ҳ
MP��Protection Enable��Ϊ1ʱ��뱣��ģʽ
��ֻҪ��WP��һλ��Ϊ0ʱ��Ϳ��޸�SSDT��

//1 �ر�д��
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}

//2 ��д��
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
ͨ��ĵ�һ��ָ��ǾͿ��޸�SSDT��ǵ��޸ĺ�Ҫ��ԭ��

��
�˷��ǸǴ��ṩ�ģ��ڴ��(MDL)��һ��ڴ��MDL��ڴ��ʼ��ַ��ӵ��߽��̣��ֽ��Լ��־��
//��ddk�е��
typedef struct _MDL {
    struct _MDL *Next;
    CSHORT Size;
    CSHORT MdlFlags;
    struct _EPROCESS *Process;
    PVOID MappedSystemVa;
    PVOID StartVa;
    ULONG ByteCount;
    ULONG ByteOffset;
} MDL, *PMDL;

#define MDL_MAPPED_TO_SYSTEM_VA    0x0001
#define MDL_PAGES_LOCKED            0x0002
#define MDL_SOURCE_IS_NONPAGED_POOL 0x0004
#define MDL_ALLOCATED_FIXED_SIZE    0x0008
#define MDL_PARTIAL                0x0010
#define MDL_PARTIAL_HAS_BEEN_MAPPED 0x0020
#define MDL_IO_PAGE_READ            0x0040
#define MDL_WRITE_OPERATION        0x0080
#define MDL_PARENT_MAPPED_SYSTEM_VA 0x0100
#define MDL_LOCK_HELD              0x0200
#define MDL_PHYSICAL_VIEW          0x0400
#define MDL_IO_SPACE                0x0800
#define MDL_NETWORK_HEADER          0x1000
#define MDL_MAPPING_CAN_FAIL        0x2000
#define MDL_ALLOCATED_MUST_SUCCEED 0x4000

// Declarations

#pragma pack(1)

typedef struct ServiceDescriptorEntry {

unsigned int *ServiceTableBase;

unsigned int *ServiceCounterTableBase;

unsigned int NumberOfServices;

unsigned char *ParamTableBase;

} SSDT;

#pragma pack()

__declspec(dllimport) SSDTKeServiceDescriptorTable;

PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;

// save old system call locations
// Map the memory into our domain to change the permissions on
// the MDL
g_pmdlSystemCall = MmCreateMdl(NULL,
KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices*4);

if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;

MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

// Change the flags of the MDL
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags |
MDL_MAPPED_TO_SYSTEM_VA;

MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);

MappedSystemCallTable��SSDT�ĵ�ַ��ڿ��Է��ĵĲ��ɣ��MmFreePagesFromMdl��

sinister

�� Mark Russinovich ��д��һ�δ��룬Ŀ��Ҳ��дֻ��ڴ档

NTSTATUS WriteReadOnlyMemory (char *dest, char *source, int length)
{
KSPIN_LOCK tempSpinLock;
KIRQL oldirql;
PMDL mdl;
PVOID writableAddress;

mdl = IoAllocateMdl((PVOID) dest, length, FALSE, FALSE, NULL);
if (mdl == NULL)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(mdl);
MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess);
writableAddress = MmMapLockedPages(mdl, KernelMode);
if (writableAddress == NULL) {
MmUnlockPages(mdl);
IoFreeMdl(mdl);
return STATUS_UNSUCCESSFUL;
}

KeInitializeSpinLock(&tempSpinLock);
KeAcquireSpinLock(&tempSpinLock, &oldirql);
RtlCopyMemory(writableAddress, source, length);
KeReleaseSpinLock(&tempSpinLock, oldirql);

MmUnmapLockedPages(writableAddress, mdl);
MmUnlockPages(mdl);
IoFreeMdl(mdl);
return STATUS_SUCCESS;
}

Windows��FS�μĴ��

gk — Fri, 20 Jun 2008 21:21:46 +0800

�߳��RING0��ϵͳ��ַ�ռ䣩��RING3��û��ַ�ռ䣩ʱ��FS�μĴ��ֱ�ָ����ͬ�ڴ�εġ��߳��RING0�£�FS��ֵ��0x3B��WindowsXP��ֵ��Windows2000��ֵΪ0x38��RING3��ʱ��FS�μĴ��ֵ��0x30��FS�Ĵ��ֵ�ĸı��ڳ��Ring3��Ring0��ʹ�Ring0�˻ص�Ring3ǰ��ɵģ�Ҳ��˵��Ring0�¸�FS��ֵͬ�ġ�

һ�� ��RING3��ʱ��FS

��߳��Ring3��ʱ��FSָ��Ķ��GDT�е�0x30�Ρ��öεĳ��Ϊ4K��ַΪ��ǰ�̵߳��̻߳��飨TEB��Ըö�Ҳ��Ϊ��TEB�Ρ��ΪWindows��߳��ǲ�ͣ�л��ģ��ԸöεĻ��ֵַ��߳��л��ı�ġ�

Windows2000�н��̻��飨PEB��ĵ�ַΪ0X7FFDF000��ý��̵ĵ�һ��̵߳�TEB��ַΪ0X7FFDE000��ڶ��TEB�ĵ�ַΪ0X7FFDD000��..��WindowsXP SP2 ��Щ�ṹ�ĵ�ַ��ӳ��ġ��Խ��̵�PEB�ĵ�ַֻ��ͨ��FS:[0x30]��ȡ�ˡ�

Windows��ÿ��̶߳��һ��ETHREAD�ṹ��ýṹ��TEB��Ա��ʵ��KTHREAD�еĳ�Ա��KTHREAD��ETHREAD�ĳ�Ա��̵߳�TEB��ַ�ģ��߳��л�ʱ��Windows�ͻ��ø�ֵ��GDT��0x30��Ļ��ֵַ��

��WindowsXP SP2��RING3��FS�μĴ��ָ����ݽṹ�͵�ַ��

_TIB

+0x000 NtTib : _NT_TIB

_NT_TIB

+0x000 ExceptionList: Ptr32 _EXCEPTION_REGISTRATION_RECORD

+0x004 StackBase : Ptr32 Void

+0x008 StackLimit : Ptr32 Void

+0x00c SubSystemTib : Ptr32 Void

+0x010 FiberData : Ptr32 Void

+0x010 Version : Uint4B

+0x014 ArbitraryUserPointer : Ptr32 Void

+0x018 Self : Ptr32 _NT_TIB

�� ��RING0��ʱ��FS

��߳��Ring0��ʱ�� FSָ��Ķ��GDT�е�0x3B�Ρ��öεĳ��ҲΪ4K��ַΪ0xFFDFF000��õ�ַָ��ϵͳ�Ĵ��KPCR��б��⴦��ص�һЩ��Ҫ��ֵ��GDT��IDT��ֵ�ȵȡ��WindowsXP sp2�е�KPCR��ݽṹ��

_KPCR

+0x000 NtTib : _NT_TIB

_NT_TIB

+0x000 ExceptionList: Ptr32 _EXCEPTION_REGISTRATION_RECORD

+0x004 StackBase : Ptr32 Void

+0x008 StackLimit : Ptr32 Void

+0x00c SubSystemTib : Ptr32 Void

+0x010 FiberData : Ptr32 Void

+0x010 Version : Uint4B

+0x014 ArbitraryUserPointer : Ptr32 Void

+0x018 Self : Ptr32 _NT_TIB

��WindowsXP�У��ϵͳ��ϵͳ��ֵַ��KPCR��ʼ��ݽṹ�У��Բο��ͼ��ע�⣬��WindowsXP�£��WIN2000��û��Ȥ�Ķ��߿��Կ�һ��www.rootkit.com�µ��¡�

��ʹ��FS�Ĵ��ɻ� �׸��Ĳ��

gk — Fri, 20 Jun 2008 21:20:48 +0800

��ʹ��FS�Ĵ��ɻ� �׸��Ĳ��

��û��˵��ף��ģ��ΪWin32�еĵ�ַΪƽ̹ģʽ��ds,ss,cs�ȸ��εĶλ��ַ��ָ��ͬһ��ط��ƽ��õ��߼��ַ��Ĭ��Щ��Ϊ��ַ�ģ��ݶλ��Ǵ��Σ�ֻҪ��ǵ�ƫ��ȣ��ô��Ǿ��Ѱַһ��ڴ棬��Ǿ�ֻ��ָ��ƫ�ƾ��ܵõ�ͳһ��ѰַĿ�꣬��Ŀ��ڴ��λ��ݶλ��߶�ջ��֮�С�WriteProcessMemory�õľ��ġ��߼��ַ��"0xXXXXXXXX"��ʵ��߼��ַʵ��ʽ��ds:XXXXXXXXX��ֻ��Ϊds=ss=cs��Կ��ds:XXXXXXXXX��Ѱַcs:XXXXXXXX��ss:XXXXXXXX��Ҳ��ֻ��Ҫָ��ƫ�ƾ��㹻Ѱַ��λ��ݶ��ˡ��win32�У�fsȴ�͸��μĴ��ֵ��һ��Ҫ��ds��Ѱַfsָ��ڴ棬�Ǿ͵�ת��ƫ��ˣ��Ϊfs:XXXXXXXX��ds:XXXXXXXXָ�Ĳ��ͬ��ڴ棻��WriteProcessMemoryѰַĳ��ַ��0xXXXXXXXX�Ļ��Ĭ�ϵ�Ѱַȴ��ds:XXXXXXXX��

ƫ��ת��ķ��ģ��仰

��

�磺

mov eax,dword ptr [12345678h+12345678h]

�൱��

mov eax,dword ptr fs:[12345678h]

��

�е�

mov eax,dword ptr [12345678h+12345678h]

��Ĭ�ϵ�ds��Ѱַ��ʵ��

mov eax,dword ptr ds:[12345678h+12345678h]

��仰

mov eax,dword ptr fs:[12345678h]

��ǿ��fs��Ѱַ��൱��˵��fs��Ѱַ�õ�ƫ��"12345678"ת��ds��Ѱַ�Ļ��͵��

ת��"12345678+12345678"ƫ��

Slow.More��BLOG

ASCII����ձ�

windows��������

��Դmsdn

Windows Data Types

windows��Ϣ

����FS�Ĵ�����ȡKERNEL32.DLL��ַ�㷨��֤��

���дwindowsϵͳ�ѱ������ڴ�����

Windows��FS�μĴ���

����ʹ��FS�Ĵ������ɻ� �׸������������Ĳ���

ASCII��ձ�

windows��

��FS�Ĵ��ȡKERNEL32.DLL��ַ�㷨��֤��

��дwindowsϵͳ�ѱ��ڴ��

Windows��FS�μĴ��

��ʹ��FS�Ĵ��ɻ� �׸��Ĳ��