Description: Five Windows kernel-security code samples, each in its own directory (VC6 project files and DDK SOURCES/MAKEFILE builds are included): 再谈内核及进程保护 (kernel and process protection revisited, a driver built as Protect.sys); 在内核驱动中检测隐藏进程 (detecting hidden processes from a kernel driver, Ring0.sys, together with the DrvLoader and Dbgview tools used to load the driver and read its debug output); 映像劫持VS启动杀软 (image hijacking via Image File Execution Options to keep an anti-virus program from starting, IFEO Hijack.exe); 植入执行文件穿越软件防火墙 (implanting an executable to get through a software firewall, an injector plus SERVER and Setup components); and 直接调用NTFS文件驱动检测隐藏文件 (calling the NTFS file driver directly to detect hidden files, ntfsrd.sys with a user-mode client ntfsrdusr.exe).
File list (Check if you may need any files):
再谈内核及进程保护
..................\Protect
..................\.......\MAKEFILE
..................\.......\objfre
..................\.......\......\i386
..................\.......\......\....\Protect.sys
..................\.......\Protect.c
..................\.......\Protect.dsp
..................\.......\Protect.dsw
..................\.......\SOURCES
在内核驱动中检测隐藏进程
........................\code
........................\....\Release
........................\....\.......\Ring0.sys
........................\....\Ring0.c
........................\....\Ring0.dsp
........................\....\Ring0.dsw
........................\....\Ring0.opt
........................\涉及驱动加载软件
........................\................\Dbgview.exe
........................\................\DrvLoader.exe
映像劫持VS启动杀软
..................\IFEO Hijack
..................\...........\IFEO Hijack.cpp
..................\...........\IFEO Hijack.dsp
..................\...........\IFEO Hijack.dsw
..................\...........\IFEO Hijack.ncb
..................\...........\IFEO Hijack.opt
..................\...........\IFEO Hijack.plg
..................\...........\ReadMe.txt
..................\...........\Release
..................\...........\.......\IFEO Hijack.exe
..................\...........\.......\IFEO Hijack.obj
..................\...........\.......\IFEO Hijack.pch
..................\...........\.......\StdAfx.obj
..................\...........\.......\vc60.idb
..................\...........\StdAfx.cpp
..................\...........\StdAfx.h
植入执行文件穿越软件防火墙
..........................\asm.txt
..........................\Inject
..........................\......\Inject.asm
..........................\insert.txt
..........................\readme.txt
..........................\SERVER
..........................\......\CommonDlg.cpp
..........................\......\RESOURCE.H
..........................\......\SERVER.CPP
..........................\......\SERVER.RC
..........................\Setup
..........................\.....\INJECT.DAT
..........................\.....\RESOURCE.H
..........................\.....\SETUP.C
..........................\.....\SETUP.RC
直接调用NTFS文件驱动检测隐藏文件
................................\ntfsrdsys
................................\.........\main.c
................................\.........\MAKEFILE
................................\.........\ntfsrd.sys
................................\.........\NtWrap.c
................................\.........\NtWrap.h
................................\.........\Sources
................................\ntfsrdusr
................................\.........\main.c
................................\.........\ntfsrdusr.exe
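The 映像劫持VS启动杀软 entry above relies on the Image File Execution Options (IFEO) key: a Debugger value placed under a subkey named after the anti-virus executable makes Windows launch that "debugger" instead, so the AV process never starts. As an added example that is not code from this archive, the C program below does the defender's side of that check: it parses a .reg export of the IFEO key and reports every direct subkey that carries a Debugger value, decoding the .reg string escaping. The export text is constructed for this example, and the image names avscan.exe / werfault.exe and the paths they point at are made up.

```c
/* Added example (not part of the archive): scan a .reg export of the IFEO key
 * for "Debugger" values, the artifact left behind by an IFEO hijack.
 * Build: cc -std=c99 -Wall ifeo_scan.c -o ifeo_scan */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* IFEO key path as it appears in a .reg export, with the trailing backslash
 * so that only subkeys (not the root key itself) can match. */
#define IFEO_KEY "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"

struct ifeo_hit {
    char image[64];     /* image name the IFEO subkey applies to   */
    char debugger[256]; /* decoded "Debugger" value for that image */
};

/* Case-insensitive prefix test; registry paths and value names are case-insensitive. */
static int has_prefix_icase(const char *s, const char *pfx)
{
    for (; *pfx; s++, pfx++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pfx))
            return 0;
    return 1;
}

/* Decode a quoted .reg string value ("\\" -> "\", "\"" -> "\"") into out. */
static void decode_reg_string(const char *src, char *out, size_t outsz)
{
    size_t n = 0;
    if (*src == '"') src++;
    while (*src && *src != '"' && n + 1 < outsz) {
        if (*src == '\\' && src[1]) src++;   /* drop the escape, keep the escaped char */
        out[n++] = *src++;
    }
    out[n] = '\0';
}

/* Walk reg_text line by line; record each direct IFEO subkey that has a
 * Debugger value. Values under nested subkeys (e.g. ...\foo.exe\PerfOptions)
 * are ignored because Windows only honours Debugger on the image's own key.
 * Returns the number of hits stored (at most max_hits). */
int find_ifeo_debuggers(const char *reg_text, struct ifeo_hit *hits, int max_hits)
{
    char line[1024], image[64] = "";
    int count = 0;

    while (*reg_text) {
        size_t i = 0;
        while (*reg_text && *reg_text != '\n') {        /* copy one line, truncating if huge */
            if (i + 1 < sizeof line) line[i++] = *reg_text;
            reg_text++;
        }
        if (*reg_text == '\n') reg_text++;
        while (i && isspace((unsigned char)line[i - 1])) i--;   /* trim \r and blanks */
        line[i] = '\0';

        if (line[0] == '[') {                             /* a key line changes context */
            image[0] = '\0';
            if (has_prefix_icase(line + 1, IFEO_KEY) && i > 1 && line[i - 1] == ']') {
                const char *name = line + 1 + strlen(IFEO_KEY);
                size_t len = (size_t)((line + i - 1) - name);
                /* direct child only: the remainder must contain no further '\' */
                if (len > 0 && len < sizeof image && memchr(name, '\\', len) == NULL) {
                    memcpy(image, name, len);
                    image[len] = '\0';
                }
            }
        } else if (image[0] && has_prefix_icase(line, "\"debugger\"=") && count < max_hits) {
            strcpy(hits[count].image, image);
            decode_reg_string(line + strlen("\"Debugger\"="),
                              hits[count].debugger, sizeof hits[count].debugger);
            count++;
        }
    }
    return count;
}

/* Constructed sample export (not from a real system): one clean IFEO subkey,
 * one hijacked AV image, a nested PerfOptions key, and a legitimate-looking
 * crash-handler registration that still needs a human look. */
static const char SAMPLE_REG[] =
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[" IFEO_KEY "notepad.exe]\r\n"
    "\"GlobalFlag\"=dword:00000000\r\n"
    "\r\n"
    "[" IFEO_KEY "avscan.exe]\r\n"
    "\"Debugger\"=\"C:\\\\Windows\\\\Temp\\\\svch0st.exe\"\r\n"
    "\r\n"
    "[" IFEO_KEY "avscan.exe\\PerfOptions]\r\n"
    "\"CpuPriorityClass\"=dword:00000003\r\n"
    "\r\n"
    "[" IFEO_KEY "werfault.exe]\r\n"
    "\"Debugger\"=\"\\\"C:\\\\Program Files\\\\Vendor\\\\dbg.exe\\\" -p\"\r\n";

int main(void)
{
    struct ifeo_hit hits[16];
    int n = find_ifeo_debuggers(SAMPLE_REG, hits, 16);
    for (int k = 0; k < n; k++)
        printf("IFEO Debugger set for %-16s -> %s\n", hits[k].image, hits[k].debugger);
    return n ? 1 : 0;   /* non-zero exit when anything needs triage */
}
```

A Debugger value is not proof of tampering on its own (just-in-time debuggers and crash handlers register there legitimately), so the output is a triage list: confirm that the referenced path exists, is signed and is what the operator expects, and treat a security product's image name pointing into a temp directory as a hijack. Reading the key rather than the process list also catches the case where the hijacking binary has already been removed but the registry entry, and therefore the blocked AV, remains.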