
What kind of modules are these???

 


Read out with ModHunter under Windows 98:



Windowsversion: windows98 ( A )

Prozessdaten:
Prozessname=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Process-ID=-56225
Prozesserzeuger=

Modulname=C:\WINDOWS\SYSTEM\MPR.DLL
Ladeadresse=2143223808
Ladestatus=geladen
Hersteller=Microsoft Corporation

Modulname=C:\WINDOWS\SYSTEM\USER32.DLL
Ladeadresse=-1074462720
Ladestatus=geladen
Hersteller=Microsoft Corporation

Modulname=C:\WINDOWS\SYSTEM\GDI32.DLL
Ladeadresse=-1074659328
Ladestatus=geladen
Hersteller=Microsoft Corporation

Modulname=C:\WINDOWS\SYSTEM\ADVAPI32.DLL
Ladeadresse=-1075314688
Ladestatus=geladen
Hersteller=Microsoft Corporation

Modulname=C:\WINDOWS\SYSTEM\KERNEL32.DLL
Ladeadresse=-1074331648
Ladestatus=geladen
Hersteller=Microsoft Corporation

Modulname=unbekannt
Ladeadresse=-1341456384
Ladestatus=Memory-Module
Hersteller=

Modulname=unbekannt
Ladeadresse=-1163264000
Ladestatus=Memory-Module
Hersteller=

Modulname=unbekannt
Ladeadresse=-1078525952
Ladestatus=Memory-Module
Hersteller=

Modulname=unbekannt
Ladeadresse=-1075904512
Ladestatus=Memory-Module
Hersteller=

Modulname=unbekannt
Ladeadresse=-1075707904
Ladestatus=Memory-Module
Hersteller=

Modulname=unbekannt
Ladeadresse=-1075445760
Ladestatus=Memory-Module
Hersteller=

Modulname=unbekannt
Ladeadresse=-1075380224
Ladestatus=Memory-Module
Hersteller=

Modulname=unbekannt
Ladeadresse=-1074921472
Ladestatus=Memory-Module
Hersteller=


Could the items listed here as Memory-Module perhaps be drivers?
 
03/20/07  
 



 


To all the detectives here, I can recommend ModHunter from my homepage. ModHunter is great and is good for more than just scanning for Trojans!
 
03/22/07  
 




Um, Andreas, I don't want to pick a fight with you, but I can't find ModHunter. The ZIP from your homepage contains a DLL, a video, an HLP, a CNT and a GID, but no EXE.
 
Nico Madysa
03/23/07  
 



I just downloaded it once more; for me the EXE is there. Can someone else check it again?
 
03/23/07  
 




Aargh, I take it all back. I overlooked the EXE when moving things into a separate folder, because Explorer had sorted the EXE in right away, sorry!
 
Nico Madysa
03/23/07  
 



So, I'll now put forward the following claim:

1.) Memory regions above 2 GB behave under Windows 95/98/ME just as on NT-based systems.
a) Virtual addresses in different processes refer to the same real memory addresses.
b) The memory is mapped identically in every process. If a memory region is allocated in one process, it also appears in all other processes.


This means: if a DLL is loaded by a process under Windows 95/98/ME into memory regions above 2 GB, its export functions are callable via Call not only in that process but also in all other running processes, even though no handle to the DLL exists there.
=>
On NT-based systems, the following applies to memory regions above 2 GB:
any write operations performed there appear in the virtual address space of all other processes on the system.


Is that correct?
 
03/29/07  
 




Wait, does that mean that if I have more than 2 GB of main memory, I can under certain conditions call a DLL without having opened it?
 
Nico Madysa
03/30/07  
 



No, this has nothing to do with the amount of physically available RAM.
 
03/30/07  
 



Hello Nico...

Put quite simply:
Windows gives each process, so to speak, its own memory space, usually 4 GB in size. The upper part of this virtual memory is used by the operating system (drivers, for example, are loaded there); the user normally has no access to it, so that the operating system runs safely.
The lower part is accessible to the user (loading modules, storing variables, etc.) and can be read and written.
Under Windows 95/98/ME, 3 GB are accessible to the user; on NT-based systems (NT/2000/XP/Vista), usually 2 GB.

If Windows 95/98/ME now loads a module into this 1 GB region, which the user has there in addition compared with NT, the loaded module (DLL) is also available to the processes that have not loaded it!

This is extremely easy to reproduce with ModHunter and TNT - funny thing.
 
03/30/07  
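Added example, not part of the original thread and not ModHunter's own code: a small Python parser for the ModHunter dump at the top of the thread. It converts the signed 32-bit decimal load addresses back to real addresses and sorts them into the regions described above; the function names and region labels are assumptions made for this illustration.

```python
import re

# Constructed sample in ModHunter's key=value format, using values from the dump above.
SAMPLE = """\
Modulname=C:\\WINDOWS\\SYSTEM\\MPR.DLL
Ladeadresse=2143223808
Ladestatus=geladen

Modulname=C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
Ladeadresse=-1074331648
Ladestatus=geladen

Modulname=unbekannt
Ladeadresse=-1341456384
Ladestatus=Memory-Module
"""

def parse_modules(text):
    """Split the dump into blank-line separated records of key=value pairs."""
    blocks = re.split(r"\n\s*\n", text.strip())
    recs = [dict(l.split("=", 1) for l in b.splitlines() if "=" in l) for b in blocks]
    return [r for r in recs if "Ladeadresse" in r]

def to_unsigned(value):
    """ModHunter prints addresses as signed 32-bit decimals; recover the real address."""
    return int(value) & 0xFFFFFFFF

def arena(addr):
    """Classify an address by the Windows 9x layout described in the thread."""
    if addr < 0x80000000:
        return "private (below 2 GB)"
    if addr < 0xC0000000:
        return "shared (2 GB to 3 GB)"
    return "system (above 3 GB)"

def unnamed_shared(records):
    """Entries without a file name that sit in the shared 2 GB to 3 GB region."""
    hits = []
    for rec in records:
        addr = to_unsigned(rec["Ladeadresse"])
        if rec.get("Modulname") == "unbekannt" and arena(addr).startswith("shared"):
            hits.append(hex(addr))
    return hits

if __name__ == "__main__":
    for rec in parse_modules(SAMPLE):
        addr = to_unsigned(rec["Ladeadresse"])
        print(f"{addr:#010x}  {arena(addr):22}  {rec['Modulname']}")
    print("unnamed in shared region:", unnamed_shared(parse_modules(SAMPLE)))
```

Run over the full dump, every "unbekannt" Memory-Module entry and the system DLLs except MPR.DLL fall into the 2 GB to 3 GB region.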
 



If I am right, this is probably also where the biggest source of errors in Windows 95/98/ME lies.
If a process inadvertently writes into this region, this could then possibly lead to a crash or hang of Windows Explorer and thus of the operating system.
 
03/30/07  
 




OK, thanks for the explanation.

P.S.: Regarding your question in the RGH forum: the code runs through without problems for me, which might additionally support your assumption.
 
Nico Madysa
04/02/07  
 



To conclude, here is the proof that this really is so. Windows 95/98/ME only!

Code 1:
The code Module loading.prf contained in the download includes the include MemoryModule.Inc by Sebastian König, slightly modified by me. What I modified here is the function LoadLibraryM, where I inserted, among other things, the undocumented flag $8000000, which exists only under Windows 95/98/ME. This flag causes the virtual memory for the module to be provided in the region between 2 GB and 3 GB.

Code 2:
The code of the DLL that is to be loaded by code 1 (Testmodul.dll) can be found in the file Testmodul.prf. Here a variable is simply increased by 1 and the value stored in the file C:\TEST.INI whenever the function _increase@0 is called.

Code 3:
The code Increase_Variable.prf:
The address of the function _increase@0 must be entered into the input field here. After that, a Call is simply made to this address.

Voilà: the variable increases, even though code 3 does not load the DLL Testmodul.dll!
... and it naturally increases too if Increase_Variable.prf is called with this address and Module loading.prf is not running.

Conclusion:
1.) The best way to inject a DLL into a Windows 9x/ME system is via a Memory-Module that is loaded into the memory region between 2 GB and 3 GB.

2.) A DLL loaded into this region shows up, together with its data area, in exactly the same way in every other process, but is invisible there, since no handle to this DLL exists.

3.) Under Windows 9x/ME, important system DLLs and system structures (probably also the TEBs) are usually loaded into the memory region from 2 GB to 3 GB. If a faulty program writes into this region, severe system crashes are inevitable!
On NT-based systems this region is used entirely by drivers, i.e. the user cannot write into it, which makes the system more stable overall.

4.) Under Windows 9x/ME the user can use the flag $8000000 in parameter 3 of VirtualAlloc in order to load data specifically into this shared memory region.

Attachment: Testcodes (652 kB), uploaded 05/06/07
 
05/06/07  
 




Frank Abbing
All interesting, but unfortunately yesterday's news. These operating systems already smell a bit ripe...
 
05/06/07  
 



