# 20180625

## 使用通达信测试软件和测试外挂来测试驱动功能

### 问题：

#### 模块检测

* 外挂运行后检测到测试软件有dll载入，载入dll均为系统dll，暂时排除注入恶意dll的可能
  * 外挂运行后检测到测试软件有新进程创建，但驱动监控显示创建者为测试软件本身（并非外挂进程）

    > 猜想外挂未使用CreateRemoteThread来实现代码注入，需要继续研究其注入方法

#### 权限检测

* 外挂运行后驱动检测到其打开测试软件句柄，并请求一下句柄访问权限

  `process_vm_operation, process_vm_write, process_vm_read`

  > 猜想外挂使用`VirtualAllocEx`或者`ReadMemory, WriteMemory`来实现任意代码注入
* 当外挂请求以上权限时，驱动设置的回调函数直接拒绝，因此导致外挂代码注入失败，无法正常执行


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://m0uk4.gitbook.io/notebooks/mouka/driverdevelopment/20180625.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.