How to access virtual memory of some process from driver on Windows XP? - windows-xp

I have a kernel-mode driver on Windows XP and I need to access the virtual memory of some process whose PID I know. How can I do it?

If your current process is the requested process, it is already done. You already have access.
If you are in another process, use PsLookupProcessByProcessId to find the PEPROCESS and KeStackAttachProcess to attach to the requested process's address space.

Related

How to start a process under kernel debugging on Windows?

I have a hard drive that was encrypted by TrueCrypt, a custom edition with a self-input password, and I have found this 40-byte password via MBR debugging, but can't mount it using the standard version 7.1a.
What I want is to get some files from this hard drive. The good news is, this hard drive is bootable and it is a Windows XP SP2, but a fullscreen app was auto-started at startup and any input (keyboard, mouse, etc.) was blocked; therefore, the only way to touch it is debugging it with the VMware gdb stub.
IDA's remote debugger is working very well; now I can touch the guest's memory, edit its code, set breakpoints, and the symbols were loaded.
So the question is, how can I start a process by patching the kernel?
What I'm thinking is: build a WinDDK project, implement a driver to do this with a user APC, then disassemble it to get its assembler code, and then patch it into the guest via IDA.
Any ideas? Thanks.

Why is Task Scheduler not running a PowerShell script in a ClearCase dynamic view [network share] when the machine is locked?

I am using the Windows 2008 R2 64-bit operating system. I have a ClearCase dynamic view. [You can think of it as a network mapped drive]
When scheduling a basic task with the option "Run whether the user is logged on or not", my PowerShell script is not executing.
It says the operation executed successfully but nothing has been done. Our build will send mail at the end; I did not receive any mail.
"You can think of it as a network mapped drive"
Not exactly: this is an MVFS mount point.
Make sure you are:
using the full and complete path of a dynamic view: M:\myView\myVob\...
executing your script in a VOB (M:\myView\myVob or below) and not in the view (M:\myView)
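An added diagnostic wrapper for the silent-failure case above (example code, not part of the original answer): run as the scheduled task, it logs which account the non-interactive session runs as, checks that the full dynamic-view VOB path is reachable for that account, works inside the VOB rather than the view root, and exits non-zero so Task Scheduler reports a failure instead of "executed successfully". The view is assumed to be already started for the task's account; M:\myView\myVob, the log file path and the build script name are assumed placeholders.

```powershell
# Assumed placeholders: adjust to your own view, VOB, build script and log location.
$VobPath  = 'M:\myView\myVob'
$BuildCmd = Join-Path $VobPath 'build\run-build.ps1'
$LogFile  = 'C:\ProgramData\BuildLogs\scheduled-build.log'

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    Add-Content -Path $LogFile -Value $line
}

# Record who the task runs as and whether it has an interactive desktop;
# "Run whether the user is logged on or not" yields a non-interactive session,
# so anything that exists only in the logged-on user's session is absent here.
Write-Log ('Running as {0}, interactive={1}' -f
    [Security.Principal.WindowsIdentity]::GetCurrent().Name,
    [Environment]::UserInteractive)

# First check from the answer: the full dynamic-view path must resolve for this account.
if (-not (Test-Path -LiteralPath $VobPath)) {
    Write-Log "VOB path not reachable: $VobPath (view not started for this session?)"
    exit 2
}

# Second check from the answer: work inside the VOB, not at the view root (M:\myView).
Set-Location -LiteralPath $VobPath
Write-Log "Working directory: $((Get-Location).Path)"

# Run the real build and propagate its exit code so Task Scheduler shows it
# in "Last Run Result" rather than reporting a successful run.
$LASTEXITCODE = 0
& $BuildCmd
$rc = $LASTEXITCODE
Write-Log "Build exited with code $rc"
exit $rc
```

Schedule it as powershell.exe -NonInteractive -File <path-to-wrapper> and read the log after a run with the screen locked; the recorded account name and Test-Path result tell you whether the view is visible to the task's session at all.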

Microsoft Application Virtualization Client - QTP

Our application has been changed from an ".exe" to a virtual application launched via "Microsoft Application Virtualization Client".
QTP is unable to identify any objects even with the same add-ins (which were working before). What could be the possible reason for this odd behaviour?
QTP : 10, Win7 64 bit OS.
Let me know for additional info. Thanks in advance!
When this application is launched via the Microsoft Virtual Client it has limited interaction with local applications. For the same reason, QTP\UFT is unable to identify the objects of the AUT. To overcome this issue you have to set "LOCAL_INTERACTION_ALLOW" to TRUE in the application's OSD file.
You can find the file in the OSD Cache folder in the ProgramData of the Microsoft Virtual Client.

When you double-click an application at OS level

What happens when we double-click an application at the OS level? I understand that this is highly OS dependent. But I think that in Windows
the currently executing process will fork() a new child process, and the Process Control Block of the newly created child process will be initialized with the data required for the application, and the new process would be scheduled or would be executed immediately.
Any suggestions?
Thanks in advance.
Like fork() on Linux, we have CreateProcess on Windows. Similarly, all the initialization will happen ... for more details you can refer to http://msdn.microsoft.com/en-us/library/ms682425(v=vs.85).aspx. Like in Linux we use the command ps to list the running processes, here in Windows we have tasklist.

Why is issuing a trap not a privileged task?

In the solutions to a question in the book "Operating Systems Concepts" it indicates that issuing a trap is not a privileged task. Why is that so?
Some instructions need special privileges to run at all, which most of the time means only the OS gets to execute them.
Most user processes (programs) will need to issue a trap / exception to get the OS to run these instructions.
If it were a privileged operation, it wouldn't be possible for a process to issue a system call.