| Read out with ModHunter under Windows 98:
Windowsversion: windows98 ( A )
Prozessdaten: Prozessname=C:WINDOWSSYSTEMMSGSRV32.EXE Process-ID=-56225 Prozesserzeuger=
Modulname=C:WINDOWSSYSTEMMPR.DLL Ladeadresse=2143223808 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=C:WINDOWSSYSTEMUSER32.DLL Ladeadresse=-1074462720 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=C:WINDOWSSYSTEMGDI32.DLL Ladeadresse=-1074659328 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=C:WINDOWSSYSTEMADVAPI32.DLL Ladeadresse=-1075314688 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=C:WINDOWSSYSTEMKERNEL32.DLL Ladeadresse=-1074331648 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=unbekannt Ladeadresse=-1341456384 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1163264000 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1078525952 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1075904512 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1075707904 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1075445760 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1075380224 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1074921472 Ladestatus=Memory-Module Hersteller=
The entries listed here as Memory-Module could well be drivers too.
| I can recommend ModHunter from my homepage to all the detectives here. ModHunter is top-notch and is good for more than just scanning for Trojans!
Nico Madysa | Um, Andreas, I don't want to pick a fight with you, but I can't find ModHunter. The zip from your HP contains a DLL, a video, an HLP, a CNT and a GID, but no EXE.
| Just downloaded it again - for me the EXE is there. Can someone else check it again?
Nico Madysa | Aargh, I take it all back. I overlooked the EXE when moving things into a separate folder, since Explorer had already sorted the EXE in, sorry!
| So, let me now put forward the following claim:
1.) Memory areas above 2GB behave under Windows 95/98/ME just like on NT-based systems. a) Virtual addresses in different processes refer to the same real memory addresses. b) The memory is mapped identically in every process. If a memory area is allocated in one process, it also appears in all other processes.
That means: if a DLL is loaded under Windows 95/98/ME by one process into memory areas above 2GB, its export functions can be called via Call not only in the actual process but also in all other running processes, although no handle to the DLL exists there. => On NT-based systems the following holds for memory areas above 2GB: any write action performed there affects the virtual address range of all other processes in the system.
So, correct?
Nico Madysa | Wait, does that mean that if I have more than 2 GB of RAM, I can under certain circumstances call a DLL without having opened it?
| No, that has nothing to do with the size of the physically available RAM.
| Hello Nico...
Put very simply: Windows gives each process, as it were, its own memory area with a size of usually 4GB. The upper area of this virtual memory is used by the operating system (that is where drivers are loaded, for example); the user normally has no access to it, so that the operating system runs safely. The lower area is accessible to the user (loading modules, storing variables etc.) and can be read and written. Under Windows 95/98/ME, 3GB are accessible to the user; on NT-based systems (NT/2000/XP/Vista) usually 2GB.
Now if Windows under Windows 95/98/ME loads a module into this 1GB-sized area that the user gets there beyond what NT grants, the loaded module (DLL) is also available to the processes that have not loaded it!
This state of affairs is extremely easy to reproduce with ModHunter and TNT - funny story.
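
As an added illustration (not code from this thread, from ModHunter or from TNT), the following Python script ties the listing in the first post to the layout described in this post: it parses lines in the format ModHunter printed there (a constructed subset of those lines is embedded), converts the signed decimal load addresses back into unsigned 32-bit addresses, and places each module in one of three regions: below 2GB, the 1GB between 2GB and 3GB that this post says is user-accessible and shared by all processes on 9x/ME, and the area above. The region names and the `unaccounted_modules` triage check are the example's own assumptions, and the first post's caveat still applies: an entry shown as Memory-Module could also be a driver.

```python
import re
from dataclasses import dataclass

GB = 1 << 30

# Constructed sample: a subset of the ModHunter listing quoted in the first post
# of this thread (paths appear without backslashes there, as in the page text;
# the addresses are the signed 32-bit decimals ModHunter printed).
MODHUNTER_OUTPUT = """\
Windowsversion: windows98 ( A )
Prozessdaten: Prozessname=C:WINDOWSSYSTEMMSGSRV32.EXE Process-ID=-56225 Prozesserzeuger=
Modulname=C:WINDOWSSYSTEMMPR.DLL Ladeadresse=2143223808 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=C:WINDOWSSYSTEMUSER32.DLL Ladeadresse=-1074462720 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=C:WINDOWSSYSTEMKERNEL32.DLL Ladeadresse=-1074331648 Ladestatus=geladen Hersteller=Microsoft Corporation
Modulname=unbekannt Ladeadresse=-1341456384 Ladestatus=Memory-Module Hersteller=
Modulname=unbekannt Ladeadresse=-1075380224 Ladestatus=Memory-Module Hersteller=
"""

# One "Modulname=" line; the vendor field may contain spaces or be empty.
LINE_RE = re.compile(
    r"Modulname=(?P<name>\S+) Ladeadresse=(?P<addr>-?\d+) "
    r"Ladestatus=(?P<status>\S+) Hersteller=(?P<vendor>.*)"
)


@dataclass
class Module:
    name: str
    address: int   # unsigned 32-bit load address
    status: str    # "geladen" or "Memory-Module" in the thread's listing
    vendor: str


def to_unsigned32(value: int) -> int:
    """ModHunter prints the load address as a signed 32-bit integer, so every
    module at or above 2GB shows up negative; mask it back to the real address."""
    return value & 0xFFFFFFFF


def region_of(address: int, nt_based: bool) -> str:
    """Map an address onto the layout described in the thread (the region names
    are the example's own): below 2GB is per-process user space on both families;
    the 1GB from 2GB to 3GB is user-accessible and mapped identically into every
    process on 9x/ME but belongs to the system on NT; 3GB and up is system."""
    if address < 2 * GB:
        return "private"
    if address < 3 * GB:
        return "kernel" if nt_based else "shared"
    return "system"


def parse_modhunter(text: str) -> list:
    """Return one Module per 'Modulname=' line; header lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        modules.append(Module(m["name"], to_unsigned32(int(m["addr"])),
                              m["status"], m["vendor"].strip()))
    return modules


def unaccounted_modules(modules, nt_based=False):
    """Entries without a file name ('unbekannt') that sit in the region shared
    across all processes: the Memory-Module lines from the first post. As that
    post notes, such an entry may also be a driver, so this is a triage list,
    not a verdict."""
    return [m for m in modules
            if m.name == "unbekannt" and region_of(m.address, nt_based) == "shared"]


if __name__ == "__main__":
    mods = parse_modhunter(MODHUNTER_OUTPUT)
    for mod in mods:
        print(f"{mod.address:#010x}  {region_of(mod.address, nt_based=False):8}"
              f"  {mod.status:14}  {mod.name}")
    print("unaccounted:", [f"{m.address:#x}" for m in unaccounted_modules(mods)])
```

Run as-is, the script shows why KERNEL32.DLL appears as -1074331648 in the listing: that is 0xBFF70000, inside the shared 2GB to 3GB window, and the two nameless Memory-Module entries land in the same window, which is what makes them worth a second look on a 9x/ME box.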
| If I'm right, that might also be where the biggest source of errors in Windows 95/98/ME lies. If a process inadvertently writes into this area, this could then, under certain circumstances, also lead to a crash or hang of Windows Explorer and thus of the operating system.
Nico Madysa | OK, thanks for the explanation.
P.S.: regarding your inquiry in the RGH forum: for me the code runs through without problems, which should additionally support your assumption.
| To wrap up, here is the proof that this really is the case. Windows 95/98/ME only!
Code 1: The code Module loading.prf contained in the download holds Sebastian König's MemoryModule.Inc include, slightly modified by me. What I modified here is the function LoadLibraryM, where among other things I inserted the undocumented flag $8000000, which exists only under Windows 95/98/ME. This flag causes the virtual memory for the module to be provided in the area between 2GB and 3GB.
Code 2: The code of the DLL that is to be loaded by code 1 (Testmodul.dll) is found in the file Testmodul.prf. Here a variable is simply incremented by 1 and the value stored in the file C:TEST.INI whenever the function _increase@0 is called.
Code 3: The code Increase_Variable.prf: here the address of the function _increase@0 must be entered into the input field. After that, a Call to this address is simply made.
Voila: the variable increments, although code 3 does not load the DLL Testmodul.dll at all! ... and of course it also increments if Increase_Variable.prf is called with this address and Module loading.prf is not running.
Conclusion: 1.) The best way to inject a DLL into a Windows 9x/ME system is via a memory module that is loaded into the memory area between 2GB and 3GB.
2.) A DLL loaded into this area shows up, together with its data area, just the same in every other process, but is invisible there because no handle to this DLL exists.
3.) Under Windows 9x/ME, important system DLLs and system structures (probably the TEBs too) are as a rule loaded into memory areas from 2GB to 3GB. If a faulty program writes into these ranges, severe system crashes are guaranteed! On NT-based systems this area is used entirely by drivers - i.e. the user cannot write into these ranges - which makes the system more stable overall.
4.) Under Windows 9x/ME the user can use the flag $8000000 in parameter 3 of VirtualAlloc in order to load data specifically into this shared memory area.
Frank Abbing | All very interesting, but unfortunately old news. These operating systems already smell a bit strong...