Oops! The lab …

Currently browsing posts found in April 2007


FW: Kernel-mode backdoors for Windows NT

April 19th, 2007 at 11:04 am » Comments (298)

==Phrack Inc.==

Volume 0x0b, Issue 0x3e, Phile #0x06 of 0x10

|=--------------=[ Kernel-mode backdoors for Windows NT ]=---------------=|
|=-----------------------------------------------------------------------=|
|=-----------------=[ firew0rker <firew0rker@nteam.ru> ]=----------------=|
|=----------------=[ the nobodies <http://www.nteam.ru> ]=---------------=|

--[ Table of contents

1 - PREFACE



ERROR LNK1179 : Duplicate “_IID_XXXXX”

April 16th, 2007 at 8:28 pm » Comments (3418)

When you develop an add-in for Excel 2003, you will get this link error if you simply import the type libraries: some IIDs (DiagramNode, for instance) are defined again in mso.olb, so the linker sees the same _IID_ symbol twice.
How to solve it? There are two ways:
1. Rename the duplicate in one of the imports with the rename attribute.
For example, rename("DiagramNode","MSODiagramNode")
2. If you won't use that object, simply exclude it with the exclude attribute.
Following is the correct […]



Bloody BSOD & How to get information from dump file?

April 15th, 2007 at 2:29 am » Comments (26)

BSOD …
BSOD again …
My poor filter driver!
I don't know why it fails, because it is almost the same as the sample from MS (I commented out all of my own code).
I have to debug it. Fortunately, I have a VM …
1. Right-click "My Computer", Properties -> Advanced -> "Startup and Recovery" -> "Settings", and set the dump type and path (the same settings live in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, which is handy for scripting a VM).
2. Load my driver […]



Driver Studio 3.2 SN

April 12th, 2007 at 7:27 pm » Comments (64)

7882-15976C-CC



How to obtain a file name from a file handle?

April 9th, 2007 at 2:59 pm » Comments (36)

1. Use CreateFileMapping and MapViewOfFile to create a file mapping (the file must not be empty: mapping a zero-length file fails with ERROR_FILE_INVALID);
2. Use GetMappedFileName on the mapped address to get the file name.
Following is an example from MSDN.
For remote files, it prints the device name returned by the function.
For local files, it converts the path to use a drive letter (by matching the device name that QueryDosDevice reports for each drive) and prints the path.
On Vista and later, GetFinalPathNameByHandle does the same job directly.
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <string.h>
#include <psapi.h>
#define BUFSIZE 512
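The drive-letter translation the MSDN listing performs after GetMappedFileName, as an added example (it is neither the MSDN code the post quotes nor this blog's own code). The portable part, nt_path_to_dos, applies a QueryDosDevice-style table to an NT device path and is exercised against a constructed table; the Windows-only glue around CreateFileMapping, MapViewOfFile, GetMappedFileName and QueryDosDevice sits under #ifdef _WIN32. The function names, the sample volume numbers and the sample paths are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One drive letter -> NT device mapping, as QueryDosDevice reports it. */
struct dos_device {
    char letter;            /* 'C' */
    const char *device;     /* "\\Device\\HarddiskVolume1" */
};

/* Translate an NT device path into "X:\..." using a mapping table.
 * Returns 1 and fills out[] on success. Returns 0 and copies the device
 * path through unchanged when no drive letter matches, which is what the
 * MSDN sample does for remote (redirector) paths. */
int nt_path_to_dos(const char *nt_path,
                   const struct dos_device *map, size_t nmap,
                   char *out, size_t out_len)
{
    for (size_t i = 0; i < nmap; i++) {
        size_t dev_len = strlen(map[i].device);
        /* The prefix must match AND be followed by '\' or the end of the
         * string; otherwise \Device\HarddiskVolume1 would also claim every
         * path on \Device\HarddiskVolume10. */
        if (strncmp(nt_path, map[i].device, dev_len) == 0 &&
            (nt_path[dev_len] == '\\' || nt_path[dev_len] == '\0')) {
            int n = snprintf(out, out_len, "%c:%s", map[i].letter, nt_path + dev_len);
            return n >= 0 && (size_t)n < out_len;
        }
    }
    snprintf(out, out_len, "%s", nt_path);
    return 0;
}

/* Constructed sample table (an assumption of this example): C: is the
 * first volume and D: the tenth, so the prefix edge case above is hit. */
static const struct dos_device SAMPLE_MAP[] = {
    { 'C', "\\Device\\HarddiskVolume1" },
    { 'D', "\\Device\\HarddiskVolume10" },
};

/* Translate against the sample table; returns nt_path_to_dos's result. */
int sample_translate(const char *nt_path, char *out, size_t out_len)
{
    return nt_path_to_dos(nt_path, SAMPLE_MAP,
                          sizeof SAMPLE_MAP / sizeof SAMPLE_MAP[0],
                          out, out_len);
}

/* 1 if nt_path is a local path according to the sample table. */
int sample_is_local(const char *nt_path)
{
    char buf[260];
    return sample_translate(nt_path, buf, sizeof buf);
}

/* 1 if nt_path translates (via the sample table) to exactly expected. */
int sample_translates_to(const char *nt_path, const char *expected)
{
    char buf[260];
    sample_translate(nt_path, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>          /* link with psapi.lib */
/* Windows-only glue around the real APIs: map one byte of the file, ask
 * for the device path of the view, build the table from QueryDosDevice
 * and translate. The file must be non-empty: CreateFileMapping fails with
 * ERROR_FILE_INVALID on a 0-byte file. */
int handle_to_dos_path(HANDLE hFile, char *out, size_t out_len)
{
    char nt_path[MAX_PATH], dev[MAX_PATH];
    struct dos_device map[26];
    size_t nmap = 0;
    int ok = 0;
    HANDLE hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 1, NULL);
    if (hMap == NULL)
        return 0;
    void *view = MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 1);
    if (view != NULL) {
        if (GetMappedFileNameA(GetCurrentProcess(), view, nt_path, MAX_PATH)) {
            for (char c = 'A'; c <= 'Z'; c++) {
                char drive[3] = { c, ':', '\0' };
                if (QueryDosDeviceA(drive, dev, MAX_PATH)) {
                    map[nmap].letter = c;
                    map[nmap].device = _strdup(dev);
                    nmap++;
                }
            }
            nt_path_to_dos(nt_path, map, nmap, out, out_len);
            for (size_t i = 0; i < nmap; i++)
                free((void *)map[i].device);
            ok = 1;
        }
        UnmapViewOfFile(view);
    }
    CloseHandle(hMap);
    return ok;
}
#endif
```

The check that the matched device prefix is followed by a backslash is the part worth copying: without it, \Device\HarddiskVolume1 is a prefix of \Device\HarddiskVolume10 and every file on the tenth volume would be reported as living on C:. The MSDN sample performs the same check before it substitutes the drive letter.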



Tips for kernel development <1>

April 4th, 2007 at 1:17 pm » Comments (47)

1. Why do we need to allocate memory ourselves?
    In a kernel driver routine, you'd better allocate memory yourself instead of defining a large structure as a local variable. The kernel-mode stack is only a few pages (12 KB on 32-bit x86), so a big local can overflow it, and a local dies when the routine returns, so it cannot be handed to anything that completes later (an IRP, a DPC, a work item). Pool memory has neither problem, but the allocation can fail, so check for NULL, and every ExAllocatePoolWithTag needs a matching ExFreePoolWithTag.
    For example, if you need a struct _STRUCT_TEST, you should write
_STRUCT_TEST*    pTest = ExAllocatePoolWithTag(NonPagedPool,
                                               sizeof(_STRUCT_TEST),
                                               YOUR_TAG);   /* third argument is a four-character pool tag, e.g. 'tseT', not a flag */
if (pTest == NULL)
    return STATUS_INSUFFICIENT_RESOURCES;   /* pool allocations can fail */
     But not:



Reboot a machine from kernel mode

April 2nd, 2007 at 1:08 pm » Comments (26)

KeBugCheck(POWER_FAILURE_SIMULATE);
Now, I know what you're thinking, but you're wrong. This will *not* bugcheck the machine. KeBugCheck special-cases this code: right after processing the bugcheck callbacks it calls HalReturnToFirmware(HalRebootRoutine). No BSOD, no crash dump, just a clean, simple, immediate reboot. Immediate also means no orderly shutdown: file system caches are not flushed and drivers get no shutdown IRP, so treat it exactly like the power failure it simulates.
Another method



FW: BAT syntax

April 1st, 2007 at 2:29 pm » Comments (52)

A file whose extension is .bat (under NT/2000/XP/2003 it may also be .cmd) is a batch file.
==== Note =======================================
.bat is the batch file of DOS.
.cmd is another kind of batch file for the NT-kernel command-line environment.
Looked at more broadly, Unix shell scripts, and any text in other operating systems or even applications that is interpreted and executed by a shell, play a role very similar to batch files, and are likewise executed line by line by a dedicated interpreter; the more general name for this kind of text is a scripting language. So to some degree batch, Unix shell, awk, BASIC, Perl and the other scripting languages are all the same thing; they differ only in their scope of application and the platform that interprets them. Some applications even keep the name "batch" for something whose content and extension have nothing in common with DOS batch files.
===================================
First of all, a batch file is a text file. Each line of the file is a DOS command (most of the time just like the command lines we run at the DOS prompt), and you can create and modify batch files with any text editor, such as Edit under DOS or Windows Notepad.
==== Note ===================
A batch file can perfectly well use non-DOS commands, and even ordinary data files that are not executable at all, because the Windows system, a new interpretation platform, has become involved, pushing batch usage ever further to the "margins". So the batch processing we discuss should be restricted to the DOS environment or the command-line environment; otherwise many of the concepts and settings would need to change considerably.
========================