驱动项目
https://github.com/wqreytuk/article/blob/main/agsdygasidgasuidgoGx64_ASM_Kernel_Mode-main.7z
48b91400000080f7ffff48b8bd427ae5d594bfd6488b0948f7e148b8cdcccccccccccccc48c1ea1748f7e24c8bea49c1ed02
直接在windbg中把执行内存修改为上面这一串字节序列,运行完成后r13中将包含当前时间戳,可使用如下代码转换成人类可阅读时间格式
/*代码BEGIN*/
#include <windows.h>
#include <stdint.h>
#include <stdio.h>int main()
{// Example adjusted time valueuint64_t adjustedTime = 0x9f4ce6f4;// Reverse the operations to get the original timeuint64_t time = adjustedTime * 5L * 10000000L;// Split the 64-bit time into high and low partsFILETIME fileTime;fileTime.dwLowDateTime = (DWORD)(time & 0xFFFFFFFF);fileTime.dwHighDateTime = (DWORD)(time >> 32);// Optionally, convert FILETIME back to SYSTEMTIME for readable timeSYSTEMTIME systemTime;FileTimeToSystemTime(&fileTime, &systemTime);// Print the SYSTEMTIMEprintf("Year: %d\n", systemTime.wYear);printf("Month: %d\n", systemTime.wMonth);printf("Day: %d\n", systemTime.wDay);printf("Hour: %d\n", systemTime.wHour);printf("Minute: %d\n", systemTime.wMinute);printf("Second: %d\n", systemTime.wSecond);printf("Milliseconds: %d\n", systemTime.wMilliseconds);return 0;}
/*代码END*/