# Attack and Defense HW4
###### tags: `攻擊與防禦`
## 1) Take a screenshot after executing the spectre-cli ping module with at least one infected port.

## 2) The rootkit creates a fake ***AFD*** driver and replaces the entries of its ***MajorFunction*** array with pointers to its hook functions.
### 2-1) Briefly explain "IRP Major Function".
An **IRP** (I/O request packet) is a kernel-mode data structure that describes one I/O request. The I/O manager builds an IRP for every request (open, close, read, write, IOCTL, ...) and passes it down the device stack, so it is the mechanism through which the OS, WDM drivers and other Windows device drivers communicate about I/O.
When the I/O manager allocates an IRP it also allocates an array of **IO_STACK_LOCATION** structures, one for each driver in the target device stack, and the IRP carries that array with it; each driver reads its own stack location to learn what it is being asked to do.
**MajorFunction** is a field of IO_STACK_LOCATION: a code of the form `IRP_MJ_XXX` (for example `IRP_MJ_CREATE`, `IRP_MJ_READ`, `IRP_MJ_DEVICE_CONTROL`) that tells the driver which operation the request asks for. Each driver's **DRIVER_OBJECT** in turn holds a `MajorFunction` array of dispatch-routine pointers indexed by that code, and the I/O manager delivers an IRP by calling `DriverObject->MajorFunction[IRP_MJ_XXX]`. That array is exactly what the rootkit overwrites: once the AFD driver object's entries point at the hook functions, every matching IRP for AFD is routed through the rootkit before (or instead of) the real handler.
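To make the hook and the check behind 2-3 concrete, the following is an added example: a user-mode C model written for this page, not kernel code, not the rootkit's code and not Volatility's implementation. The module map, the AFD `DriverObject` and every address in them are constructed; only the `IRP_MJ_*` values are the real ones from ntddk.h. Volatility's `driverirp` plugin (Volatility 2: `driverirp -r afd`; Volatility 3: `windows.driverirp`) lists each `MajorFunction` entry together with the module that owns its address, and the model reproduces that attribution. The caveat it encodes is the one that trips people up when reading that output: major functions a driver does not implement legitimately point outside the driver image, at the `nt!IopInvalidDeviceRequest` stub inside ntoskrnl, so "outside afd.sys" alone is not evidence of hooking; an entry that no loaded module owns (or that lands in a module with no business handling AFD's IRPs) is.

```c
/* User-mode model (added example; not kernel code and not the rootkit's code) of a
 * DRIVER_OBJECT dispatch table and of the check an analyst does on Volatility's
 * driverirp output: which loaded module owns each IRP_MJ_XXX entry?  Addresses are constructed. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IRP major function codes, values as in ntddk.h. */
#define IRP_MJ_CREATE            0x00
#define IRP_MJ_CLOSE             0x02
#define IRP_MJ_READ              0x03
#define IRP_MJ_DEVICE_CONTROL    0x0e
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b
/* Loaded-module list entry (Volatility rebuilds this from PsLoadedModuleList). */
typedef struct { const char *name; uint64_t base, size; } Module;
/* The DRIVER_OBJECT fields that matter here: image bounds and the dispatch table. */
typedef struct {
    const char *name;
    uint64_t    DriverStart, DriverSize;
    uint64_t    MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DriverObject;
typedef enum { OWNED_BY_DRIVER, OWNED_BY_OTHER_MODULE, UNKNOWN_MODULE } Verdict;

static const Module *owner_of(uint64_t addr, const Module *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) return &mods[i];
    return NULL;
}

/* Inside the driver image: normal.  Inside another module: usually the nt!IopInvalidDeviceRequest
 * stub that unsupported majors point to (benign).  Owned by no module: a hook in unbacked memory. */
Verdict classify_entry(const DriverObject *d, int major, const Module *mods, size_t n, const char **owner)
{
    uint64_t addr = d->MajorFunction[major];
    if (addr >= d->DriverStart && addr < d->DriverStart + d->DriverSize) {
        *owner = d->name;
        return OWNED_BY_DRIVER;
    }
    const Module *m = owner_of(addr, mods, n);
    *owner = m ? m->name : "<none>";
    return m ? OWNED_BY_OTHER_MODULE : UNKNOWN_MODULE;
}

int count_unknown_entries(const DriverObject *d, const Module *mods, size_t n)
{
    int hits = 0;
    for (int mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++) {
        const char *owner;
        if (classify_entry(d, mj, mods, n, &owner) == UNKNOWN_MODULE) hits++;
    }
    return hits;
}

/* What the rootkit does: swap one dispatch pointer for its hook; the original is kept so the
 * hook can forward requests it does not want to tamper with. */
uint64_t hook_major_function(DriverObject *d, int major, uint64_t hook)
{
    uint64_t orig = d->MajorFunction[major];
    d->MajorFunction[major] = hook;
    return orig;
}

/* Constructed module map and AFD driver object. */
const Module sample_modules[] = {
    { "ntoskrnl.exe", 0xfffff80000400000ULL, 0x00600000ULL },
    { "afd.sys",      0xfffff88001c00000ULL, 0x00080000ULL },
};
#define SAMPLE_MODULE_COUNT (sizeof sample_modules / sizeof sample_modules[0])

DriverObject make_sample_afd(void)
{
    DriverObject d;
    memset(&d, 0, sizeof d);
    d.name        = "\\Driver\\AFD";
    d.DriverStart = sample_modules[1].base;
    d.DriverSize  = sample_modules[1].size;
    uint64_t invalid_request_stub = sample_modules[0].base + 0x63f60; /* inside ntoskrnl */
    for (int mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++) d.MajorFunction[mj] = invalid_request_stub;
    d.MajorFunction[IRP_MJ_CREATE]         = d.DriverStart + 0x1a2b0; /* inside afd.sys */
    d.MajorFunction[IRP_MJ_CLOSE]          = d.DriverStart + 0x1a4c0;
    d.MajorFunction[IRP_MJ_DEVICE_CONTROL] = d.DriverStart + 0x22d00;
    return d;
}

int main(void)
{
    DriverObject afd = make_sample_afd();
    const char *owner;
    printf("clean: %d unknown entries\n", count_unknown_entries(&afd, sample_modules, SAMPLE_MODULE_COUNT));
    /* Rootkit hooks IRP_MJ_DEVICE_CONTROL with a function in unbacked pool memory. */
    hook_major_function(&afd, IRP_MJ_DEVICE_CONTROL, 0xfffff8800a5e1000ULL);
    classify_entry(&afd, IRP_MJ_DEVICE_CONTROL, sample_modules, SAMPLE_MODULE_COUNT, &owner);
    printf("hooked: %d unknown entries, IRP_MJ_DEVICE_CONTROL -> 0x%" PRIx64 " (%s)\n",
           count_unknown_entries(&afd, sample_modules, SAMPLE_MODULE_COUNT),
           afd.MajorFunction[IRP_MJ_DEVICE_CONTROL], owner);
    return 0;
}
```

On a real image the hook address can also sit inside a module: a rootkit that loaded (or overwrote) a legitimate-looking driver would show that driver's name in the owner column, so compare the owner against what AFD should be using (afd.sys and ntoskrnl.exe) rather than only checking for `<none>`.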
### 2-2)

### 2-3) Disable test mode and generate another image. Use Volatility to show the MajorFunction array of AFD. Take a screenshot of your result.
