Description: Code that detects processes by hooking and walking the kernel's thread-scheduling linked lists. It can find essentially all processes hidden by current rootkits. A must-have for systems-programming enthusiasts. Platform: |
Size: 492838 |
Author:黄芸乐 |
Hits:
Description: I don't know exactly how IceSword enumerates services, but I suspect that in the end it also walks the SCM's internal ServiceRecordList to do so.
Why? See below.
Use the InjectDLL.exe in the attachment to inject hideservice.dll into the Services.exe process, and the Alerter service will be hidden. IceSword can no longer detect the Alerter service either.
The principle of the code is very simple: locate the ServiceRecordList in the Services.exe process and unlink the service you want to hide from the list.
Since IceSword can no longer detect it, IceSword must ultimately also be walking the SCM's internal ServiceRecordList to detect services. Platform: |
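As an added illustration (not the code in either download above), the following C program models the principle both entries share: hideservice.dll unlinks a record from the SCM's ServiceRecordList, a rootkit unlinks a process from the process list, and in both cases a detector that only walks the same list is blind, which is why the first download walks the scheduler's thread lists instead. The service_record layout and the registry array are assumptions made for the example; the real ServiceRecord structure inside Services.exe is undocumented, and only the Alerter name comes from the description.

```c
/* Added example, not code from hideservice.dll or from the process detector
 * above. It models the shared principle of both entries: a record unlinked
 * from a doubly-linked list is invisible to anything that only walks that
 * list, while the object itself keeps running. The service_record layout is
 * hypothetical; the real ServiceRecordList structure inside Services.exe is
 * undocumented. The service names other than Alerter are constructed. */
#include <stdio.h>
#include <string.h>

typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

typedef struct service_record {  /* hypothetical layout, link must be first */
    list_entry link;
    char name[32];
} service_record;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_append(list_entry *head, list_entry *e) {
    e->blink = head->blink;
    e->flink = head;
    head->blink->flink = e;
    head->blink = e;
}

/* The hiding step: only the two neighbours are patched. The record is not
 * freed or stopped, so the service keeps running with no list entry. */
static void list_unlink(list_entry *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

/* The "walk the list" view (what an SCM-style enumerator or a process-list
 * walker sees). Copies up to max names into out, returns how many it saw. */
static int walk_list(const list_entry *head, char out[][32], int max) {
    int n = 0;
    for (const list_entry *p = head->flink; p != head && n < max; p = p->flink) {
        const service_record *r = (const service_record *)p;
        strncpy(out[n], r->name, 32);
        out[n][31] = 0;
        n++;
    }
    return n;
}

/* Cross-view check: names in an independent second view (here an array standing
 * in for HKLM\SYSTEM\CurrentControlSet\Services) that the list walk did not
 * report. For processes the second view would be the owners of the threads
 * found on the scheduler lists, which is what the first entry relies on. */
static int cross_view(const list_entry *head, const char *const *other, int nother,
                      char hidden[][32], int max_hidden) {
    char seen[16][32];
    int nseen = walk_list(head, seen, 16);
    int found = 0;
    for (int i = 0; i < nother && found < max_hidden; i++) {
        int ok = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(other[i], seen[j]) == 0) { ok = 1; break; }
        if (!ok) {
            strncpy(hidden[found], other[i], 32);
            hidden[found][31] = 0;
            found++;
        }
    }
    return found;
}

/* Build three records, hide "Alerter" the way hideservice.dll does, then run
 * both views. Returns the number of hidden services found; *visible gets the
 * count the plain list walk reported. */
int demo_hide_and_check(char hidden[][32], int max_hidden, int *visible) {
    static const char *const registry[] = { "Alerter", "Spooler", "Themes" }; /* constructed */
    list_entry head;
    service_record recs[3];
    char walked[16][32];

    list_init(&head);
    for (int i = 0; i < 3; i++) {
        snprintf(recs[i].name, sizeof recs[i].name, "%s", registry[i]);
        list_append(&head, &recs[i].link);
    }
    list_unlink(&recs[0].link);                   /* hide Alerter */
    *visible = walk_list(&head, walked, 16);      /* list walk now reports 2 */
    return cross_view(&head, registry, 3, hidden, max_hidden);  /* flags Alerter */
}

int main(void) {
    char hidden[4][32];
    int visible = 0;
    int n = demo_hide_and_check(hidden, 4, &visible);
    printf("list walk sees %d services, cross-view flags %d hidden:", visible, n);
    for (int i = 0; i < n; i++) printf(" %s", hidden[i]);
    printf("\n");
    return 0;
}
```

The list walk reports two services while the cross-view check flags Alerter. The caveat is that the second view has to be one the hider did not also patch: the description says hideservice.dll only unlinks the in-memory record, so the registry and the service's running process remain independent views a detector can compare against.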
Size: 19964 |
Author:79282853 |
Hits:
Description: Drag and Drop Component Suite Version 4.1 Field test 5, released 16-dec-2001
© 1997-2001 Angus Johnson & Anders Melander
http://www.melander.dk/delphi/dragdrop/

-------------------------------------------
Table of Contents:
-------------------------------------------
1. Supported platforms
2. Installation
3. Getting started
4. Known problems
5. Support and feedback
6. Bug reports
7. Upgrades and bug fixes
8. Missing in this release
9. New in version 4.x
10. TODO
11. Licence, Copyright and Disclaimer
12. Release history

-------------------------------------------
1. Supported platforms:
-------------------------------------------
This release supports Delphi 4-6 and C++ Builder 4-5. Earlier versions of Delphi and C++ Builder will not be supported. If you need Delphi 3 or C++ Builder 3 support you will have to revert to version 3.7 of the Drag and Drop Component Suite.

The library has been tested on NT4 service pack 5 and Windows 2000. Windows 95, 98, ME and XP should be supported, but have not been tested.

Linux and Kylix are not supported. There are *NO* plans to port the library to Kylix. The drag and drop protocols available on Linux are too much of a mess at this time.

-------------------------------------------
2. Installation:
-------------------------------------------
1) Before you do anything else, read the "Known problems" section of this document.
2) Install the source into a directory of your choice. The files are installed into three directories:
   DragDrop
   DragDrop\Components
   DragDrop\Demo
3) Install and compile the appropriate design time package. The design time packages are located in the Components directory. Each version of Delphi and C++ Builder has its own package: DragDropD6.dpk for Delphi 6, DragDropD5.dpk for Delphi 5, DragDropC5.bpk for C++ Builder 5, etc.
4) Add the Drag and Drop Component Suite components directory to your library path.
5) Load the demo project group:
   demo\dragdrop_delphi.bpg for Delphi 5 and 6
   demo\dragdrop_bcb4.bpg for C++ Builder 4
   demo\dragdrop_bcb5.bpg for C++ Builder 5
   The project group contains all the demo applications.
6) If your version of Delphi does not support text format DFM files (e.g. Delphi 4 doesn't), you will have to use the convert.exe utility supplied with Delphi to convert all the demo form files to binary format. A batch file, convert_forms_to delphi_4_format.bat, is supplied in the demo directory which automates the conversion process. The C++ Builder demo forms are distributed in binary format.
7) If upgrading from a previous version of the Drag and Drop Component Suite, please read the document "upgrading_to_v4.txt" before you begin working on your existing projects.

Note about "Property does not exist" errors:
Since all demos were developed with the latest version of Delphi, most of the demo forms probably contain references to properties that don't exist in earlier versions of Delphi and C++ Builder. Because of this you will get fatal run-time errors (e.g. "Error reading blahblahblah: Property does not exist.") if you attempt to run the demos without fixing this problem. Luckily it is very easy to make the forms work again: just open the forms in the IDE, select "Ignore All" when the IDE complains that this or that property doesn't exist, and finally save the forms.

-------------------------------------------
3. Getting started:
-------------------------------------------
It is recommended that you start by running each of the demo applications and then look through the demo source. Each demo application is supplied with a readme.txt file which briefly describes what the demo does and what features it uses. The demos should be run in the order in which they are listed in the supplied project group.

Even if you have used previous versions of the Drag and Drop Component Suite it would be a good idea to have a quick look at the demos.
The library has been completely rewritten and a lot of new features have been added.

-------------------------------------------
4. Known problems:
-------------------------------------------
* The Shell Extension components do not support C++ Builder 4. For some strange reason the components cause a link error.

* There appear to be sporadic problems compiling with C++ Builder 5. Several users have reported that they occasionally get one or more of the following compiler errors:
    [C++ Error] DragDropFile.hpp(178): E2450 Undefined structure '_FILEDESCRIPTORW'
    [C++ Error] DropSource.hpp(135): E2076 Overloadable operator expected
  I have not been able to reproduce these errors, but I believe the following work around will fix the problem: in the project options of *all* projects which use these components, add the following conditional define:
    NO_WIN32_LEAN_AND_MEAN
  The define *must* be made in the project options. It is not sufficient to #define it in the source.
  If you manage to compile with C++ Builder (any version), I would very much like to know about it.

* Delphi's and C++ Builder's HWND and THandle types are not compatible. For this reason it might be necessary to cast C++ Builder's HWND values to Delphi's THandle type when a HWND is passed to a function. E.g.:
    if (DragDetectPlus(THandle(MyControl->Handle), Point(X, Y))) { ... }

* Virtual File Stream formats can only be pasted from the clipboard with live data (i.e. FlushClipboard/OleFlushClipboard hasn't been called on the data source). This problem affects TFileContentsStreamOnDemandClipboardFormat and the VirtualFileStream demo. This is believed to be a bug in the Windows clipboard and a work around hasn't been found yet.

* Asynchronous targets appear to be broken in the current release.

* When TDropFileTarget.GetDataOnEnter is set to True, the component doesn't work with WinZip.
  Although the file names are received correctly by TDropFileTarget, WinZip doesn't extract the files and the files thus can't be copied/moved. This is caused by a quirk in WinZip; apparently WinZip doesn't like IDataObject.GetData to be called before IDropTarget.Drop is called.

-------------------------------------------
5. Support and feedback:
-------------------------------------------
Since these components are freeware they are also unsupported. You are welcome to ask for help via email, but I cannot guarantee that I will have time to help you or even reply to your mail. If you absolutely can't live without my help, you can always try bribing me.

You can also try asking for help in the Delphi newsgroups. Since the Drag and Drop Component Suite is in widespread use, there's a good chance another user can help you. I recommend the following newsgroups for issues regarding this library (or COM based Drag/Drop in general):
  borland.public.delphi.winapi
  borland.public.delphi.thirdparty-tools
  borland.public.delphi.oleautomation
  borland.public.cppbuilder.winapi
  borland.public.cppbuilder.thirdparty-tools
Please choose the most appropriate newsgroup for your question. Do not cross post to them all.

Before posting to the newsgroups, I suggest you try to search for an answer on the Google (DejaNews) search engine: http://groups.google.com
Chances are that your question has been asked and answered before.

If you have suggestions for improvements please mail them to me: anders@melander.dk
Please include the words "Drag Drop" in the subject of any email regarding these components.

-------------------------------------------
6. Bug reports:
-------------------------------------------
Bugs can either be reported at my home page (http://www.melander.dk/) or mailed directly to me: anders@melander.dk.

When reporting a bug, please provide the following information:
* The exact version of the Drag and Drop Component Suite you are using.
* The exact version of Delphi or C++ Builder you are using.
* The name and exact version of your operating system (e.g. NT4 SP5).
* The exact version of the Internet Explorer installed on your system.

If you can provide me with a minimal application which reproduces the problem, I can almost guarantee that I will be able to fix the problem in very short time. Please supply only the source files (pas, dfm, dpr, dof, res, etc.) and mail them as a single zip file. If I need a compiled version I will ask for it. If you feel you need to send me a screen shot, please send it in GIF or PNG format.

If you mail a bug report to me, please include the words "Drag Drop" in the subject of your email.

-------------------------------------------
7. Upgrades and bug fixes:
-------------------------------------------
Upgrades can be downloaded from my home page: http://www.melander.dk/delphi/dragdrop/
Bug fixes will also be posted to the above page.

If you have registered for update notification via the installation program, you will receive email notification when a new release is available. You will not be notified of bug fixes. You can use the installation program to check for and download new releases and to check for known bugs.

Note: If a new release is made available and you are not notified even though you registered for notification, you probably mistyped your email address during installation; about 10% of all registrations supply an invalid email address.

-------------------------------------------
8. Missing in this release:
-------------------------------------------
* On-line help has not been updated and included in the kit due to late changes in the Delphi 6 help system and lack of time. If time permits, I will update the help and include it in a future release.

-------------------------------------------
9. New in version 4.x:
-------------------------------------------
* Completely redesigned and rewritten.
  Previous versions of the Drag and Drop Component Suite used a very monolithic design and flat class hierarchy which made it a bit cumbersome to extend the existing components or implement new ones. Version 4 is a complete rewrite and redesign, but still maintains compatibility with previous versions.

  The new V4 design basically separates the library into three layers:
  1) Clipboard format I/O.
  2) Data format conversion and storage.
  3) COM Drag/Drop implementation and VCL component interface.

  The clipboard format layer is responsible for reading and writing data in different formats to and from an IDataObject interface. For each different clipboard format version 4 implements a specialized class which knows exactly how to interpret the clipboard format. For example the CF_TEXT (plain text) clipboard format is handled by the TTextClipboardFormat class and the CF_FILE (file names) clipboard format is handled by the TFileClipboardFormat class.

  The data format layer is primarily used to render the different clipboard formats to and from native Delphi data types. For example the TTextDataFormat class represents all text based clipboard formats (e.g. TTextClipboardFormat) as a string while the TFileDataFormat class represents a list of file names (e.g. TFileClipboardFormat) as a string list. The conversion between different data- and clipboard formats is handled by the same Assign/AssignTo mechanism as the VCL's TPersistent employs. This makes it possible to extend existing data formats with support for new clipboard formats without modification to the existing classes.

  The drag/drop component layer has several tasks: it implements the actual COM drag/drop functionality (i.e. it implements the IDropSource, IDropTarget and IDataObject interfaces, along with several other related interfaces), it surfaces the data provided by the data format layer as component properties, and it handles the interaction between the whole drag/drop framework and the user's code.
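  The clipboard format layer described above is where untrusted data enters: whatever a drop source puts in the IDataObject is parsed by the receiving application. As an added example (not part of the Drag and Drop Component Suite), the C program below parses a CF_HDROP payload, the format the suite handles for file names, with bounds checks on the DROPFILES header and the double-NUL-terminated name list. The header layout is the one documented in shlobj.h; the payloads are constructed for the example, and the function and helper names are the example's own.

```c
/* Added example, not part of the Drag and Drop Component Suite. Anything that
 * reads CF_HDROP from an IDataObject is parsing a buffer another process
 * filled in, so a clipboard-format-layer class of the kind described above
 * has to treat the DROPFILES header and the file list as untrusted input.
 * The header layout is the documented shlobj.h one; the payload is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {                /* DROPFILES, 20 bytes, 32-bit fields */
    uint32_t pFiles;            /* offset from the header start to the names */
    int32_t  pt_x, pt_y;        /* drop point */
    uint32_t fNC;               /* non-client area flag */
    uint32_t fWide;             /* nonzero: names are UTF-16 */
} dropfiles_hdr;

/* Parse an ANSI CF_HDROP payload of len bytes. Names are copied into out
 * (at most max_out, each truncated to 63 chars). Returns the number of names
 * in the list, or -1 if the payload is malformed: short header, pFiles outside
 * the buffer, wide names (not handled here), or a list that is not closed by
 * a double NUL before the buffer ends. */
int parse_hdrop(const uint8_t *buf, size_t len, char out[][64], int max_out) {
    dropfiles_hdr h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);                   /* buffer may be unaligned */
    if (h.fWide) return -1;
    if (h.pFiles < sizeof h || h.pFiles >= len) return -1;

    size_t pos = h.pFiles;
    int n = 0;
    for (;;) {
        const uint8_t *nul = memchr(buf + pos, 0, len - pos);
        if (!nul) return -1;                     /* name runs off the buffer */
        size_t slen = (size_t)(nul - (buf + pos));
        if (slen == 0) return n;                 /* empty string ends the list */
        if (n < max_out) {
            size_t c = slen < 63 ? slen : 63;
            memcpy(out[n], buf + pos, c);
            out[n][c] = 0;
        }
        n++;
        pos += slen + 1;
        if (pos >= len) return -1;               /* no room for the final NUL */
    }
}

/* Constructed payload: header followed by two ANSI names and the double NUL
 * (the array's implicit terminator supplies the second NUL). Returns length. */
static size_t build_sample(uint8_t *buf, uint32_t pFiles) {
    static const char names[] = "C:\\tmp\\a.txt\0C:\\tmp\\b.txt\0";
    dropfiles_hdr h = { pFiles, 0, 0, 0, 0 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, names, sizeof names);
    return sizeof h + sizeof names;
}

/* Well-formed payload: pFiles points right after the header. */
int demo_good(char out[][64]) {
    uint8_t buf[64];
    size_t len = build_sample(buf, sizeof(dropfiles_hdr));
    return parse_hdrop(buf, len, out, 4);
}

/* Same payload with the closing NUL cut off: must fail, not read past len. */
int demo_truncated(void) {
    uint8_t buf[64]; char out[4][64];
    size_t len = build_sample(buf, sizeof(dropfiles_hdr));
    return parse_hdrop(buf, len - 1, out, 4);
}

/* pFiles pointing outside the buffer: must fail. */
int demo_bad_offset(void) {
    uint8_t buf[64]; char out[4][64];
    size_t len = build_sample(buf, 1000);
    return parse_hdrop(buf, len, out, 4);
}

int main(void) {
    char out[4][64];
    int n = demo_good(out);
    printf("good payload: %d names", n);
    for (int i = 0; i < n; i++) printf(" %s", out[i]);
    printf("\ntruncated: %d, bad offset: %d\n", demo_truncated(), demo_bad_offset());
    return 0;
}
```

  The two failure cases are the ones a hostile drop source controls: an offset that points outside the HGLOBAL it handed over, and a name list with no terminator, which a naive strlen-driven loop would follow into whatever memory comes next. A real implementation would also need the fWide branch, with the same end-of-buffer discipline applied to UTF-16 units.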
  The suite provides a multitude of different components. Most are specialized for different drag/drop tasks (e.g. the TDropFileTarget and TDropFilesSource components for drag/drop of files), but some are either more generic, handling multiple unrelated formats, or simply helper components which are used to extend the existing components or build new ones.

* Support for Delphi 6.
  Version 4.0 was primarily developed on Delphi 6 and then ported back to previous versions of Delphi and C++ Builder.

* Support for Windows 2000 inter application drag images.
  On Windows platforms which support it, drag images are now displayed when dragging between applications. Currently only Windows 2000 supports this feature. On platforms which don't support the feature, drag images are only displayed within the source application.

* Support for Windows 2000 asynchronous data transfers.
  Asynchronous data transfers allow the drop source and targets to perform slow transfers or to transfer large amounts of data without blocking the user interface while the data is being transferred. For platforms other than Windows 2000, the new TDropSourceThread class can be used to provide similar (but more limited) asynchronous data transfer capabilities.

* Support for optimized and non-optimized move.
  When performing drag-move operations, it is now possible to specify if the target (optimized move) or the source (non-optimized move) is responsible for deleting the source files.

* Support for delete-on-paste.
  When data is cut to the clipboard, it is now possible to defer the deletion of the source data until the target actually pastes the data. The source is notified by an event when the target pastes the data.

* Extended clipboard support.
  All formats and components (both source and target) now support clipboard operations (copy/cut/paste) and the VCL clipboard object.

* Support for shell drop handlers.
  The new TDropHandler component can be used to write drop handler shell extensions.
  A drop handler is a shell extension which is executed when a user drags and drops one or more files on a file associated with your application.

* Support for shell drag drop handlers.
  The new TDragDropHandler component can be used to write drag drop handler shell extensions. A drag drop handler is a shell extension which can extend the popup menu which is displayed when a user drags and drops files with the right mouse button.

* Support for shell context menu handlers.
  The new TDropContextMenu component can be used to write context menu handler shell extensions. A context menu handler is a shell extension which can extend the popup menu which is displayed when a user right-clicks a file in the shell.

* Drop sources can receive data from drop targets.
  It is now possible for drop targets to write data back to the drop source. This is used to support optimized-move, delete-on-paste and inter application drag images.

* Automatic re-registration of targets when the target window handle is recreated.
  In previous versions, target controls would lose their ability to accept drops when their window handles were recreated by the VCL (e.g. when changing the border style or docking a form). This is no longer a problem.

* Support for run-time definition of custom data formats.
  You can now add support for new clipboard formats without custom components.

* Support for design-time extension of existing source and target components.
  Using the new TDataFormatAdapter component it is now possible to mix and match data formats and source and target components at design time. E.g. the TDropFileTarget component can be extended with URL support.

* It is now possible to completely customize the target auto-scroll feature.
  Auto scrolling can now be completely customized via the OnDragEnter, OnDragOver, OnGetDropEffect and OnScroll events and the public NoScrollZone and published AutoScroll properties.

* Multiple target controls per drop target component.
  In previous versions you had to use one drop target component per target control. With version 4, each drop target component can handle any number of target controls.

* It is now possible to specify the target control at design time.
  A published Target property has been added to the drop target components.

* Includes 20 components:
  - TDropFileSource and TDropFileTarget
    Used for drag and drop of files. Supports recycle bin and PIDLs.
  - TDropTextSource and TDropTextTarget
    Used for drag and drop of text.
  - TDropBMPSource and TDropBMPTarget
    Used for drag and drop of bitmaps.
  - TDropPIDLSource and TDropPIDLTarget
    Used for drag and drop of PIDLs in native format.
  - TDropURLSource and TDropURLTarget
    Used for drag and drop of internet shortcuts.
  - TDropDummyTarget
    Used to provide drag/drop cursor feedback for controls which aren't registered as drop targets.
  - TDropComboTarget (new)
    Swiss-army-knife target. Accepts text, files, bitmaps, meta files, URLs and file contents.
  - TDropMetaFileTarget (new)
    Target which can accept meta files and enhanced meta files.
  - TDropImageTarget (new)
    Target which can accept bitmaps, DIBs, meta files and enhanced meta files.
  - TDragDropHandler (new)
    Used to implement Drag Drop Handler shell extensions.
  - TDropHandler (new)
    Used to implement Shell Drop Handler shell extensions.
  - TDragDropContext (new)
    Used to implement Shell Context Menu Handler shell extensions.
  - TDataFormatAdapter (new)
    Extends the standard source and target components with support for extra data formats. An alternative to TDropComboTarget.
  - TDropEmptySource and TDropEmptyTarget (new)
    Target and source components which don't support any formats, but can be extended with TDataFormatAdapter components.
* Supports 27 standard clipboard formats:
  Text formats:
  - CF_TEXT (plain text)
  - CF_UNICODETEXT (Unicode text)
  - CF_OEMTEXT (Text in the OEM character set)
  - CF_LOCALE (Locale specification)
  - 'Rich Text Format' (RTF text)
  - 'CSV' (Tabular spreadsheet text)
  File formats:
  - CF_HDROP (list of file names)
  - CF_FILEGROUPDESCRIPTOR, CF_FILEGROUPDESCRIPTORW and CF_FILECONTENTS (list of files and their attributes and content).
  - 'Shell IDList Array' (PIDLs)
  - 'FileName' and 'FileNameW' (single filename, used for 16 bit compatibility).
  - 'FileNameMap' and 'FileNameMapW' (used to rename files, usually when dragging from the recycle bin)
  Image formats:
  - CF_BITMAP (Windows bitmap)
  - CF_DIB (Device Independent Bitmap)
  - CF_METAFILEPICT (Windows MetaFile)
  - CF_ENHMETAFILE (Enhanced Metafile)
  - CF_PALETTE (Bitmap palette)
  Internet formats:
  - 'UniformResourceLocator' and 'UniformResourceLocatorW' (Internet shortcut)
  - 'Netscape Bookmark' (Netscape bookmark/URL)
  - 'Netscape Image Format' (Netscape image/URL)
  - '+//ISBN 1-887687-00-9::versit::PDI//vCard' (V-Card)
  - 'HTML Format' (HTML text)
  - 'Internet Message (rfc822/rfc1522)' (E-mail message in RFC822 format)
  Misc. formats:
  - CF_PREFERREDDROPEFFECT and CF_PASTESUCCEEDED (mostly used by clipboard)
  - CF_PERFORMEDDROPEFFECT and CF_LOGICALPERFORMEDDROPEFFECT (mostly used for optimized-move)
  - 'InShellDragLoop' (used by Windows shell)
  - 'TargetCLSID' (Mostly used when dragging to recycle-bin)

* New source events:
  - OnGetData: Fired when the target requests data.
  - OnSetData: Fired when the target writes data back to the source.
  - OnPaste: Fired when the target pastes data which the source has placed on the clipboard.
  - OnAfterDrop: Fired after the drag/drop operation has completed.

* New target events:
  - OnScroll: Fires when the target component is about to perform auto-scroll on the target control.
  - OnAcceptFormat: Fires when the target component needs to determine if it will accept a given data format.
    Only surfaced in the TDropComboTarget component.

* 8 new demo applications, 19 in total.

-------------------------------------------
10. TODO (may or may not be implemented):
-------------------------------------------
* Async target demo (with and without IAsyncOperation support).
* Scrap file demo.
* Native Outlook message format.
* Structured storage support (IStorage encapsulation).

-------------------------------------------
11. Licence, Copyright and Disclaimer:
-------------------------------------------
The Drag and Drop Component Suite is Copyright © 1997-2001 Angus Johnson and Anders Melander. All rights reserved.

The software is copyrighted as noted above. It may be freely copied, modified, and redistributed, provided that the copyright notice(s) is preserved on all copies.

The Drag and Drop Component Suite is freeware and we would like it to remain so. This means that it may not be bundled with commercial libraries or sold as shareware. You are welcome to use it in commercial and shareware applications providing you do not charge for the functionality provided by the Drag and Drop Component Suite.

There is no warranty or other guarantee of fitness for this software, it is provided solely "as is".

You are welcome to use the source to make your own modified components, and such modified components may be distributed by you or others if you include credits to the original components, and do not charge anything for your modified components.

-------------------------------------------
12. Version 4 release history:
-------------------------------------------
16-dec-2001
* Ported to C++ Builder 4.
* Released for test as v4.1 FT5.

12-dec-2001
* Fixed C++ Builder name clash between TDropComboTarget.GetMetaFile and the GetMetaFile #define in wingdi.h

1-dec-2001
* The IAsyncOperation interface is now also declared as IAsyncOperation2 and all references to IAsyncOperation have been replaced with IAsyncOperation2. This was done to work around a bug in C++ Builder.
  Thanks to Jonathan Arnold for all his help with getting the components to work with C++ Builder. Without Jonathan's help version 4.1 would probably have shipped without C++ Builder support and certainly without any C++ Builder demos.
* Demo applications for C++ Builder.
  The C++ Builder demos were contributed by Jonathan Arnold.

27-nov-2001
* TCustomDropTarget.Droptypes property renamed to DropTypes (notice the case). Thanks to Krystian Brazulewicz for spotting this.

24-nov-2001
* The GetURLFromString function in the DragDropInternet unit has been made public due to user request.

21-nov-2001
* Modified MakeHTML function to comply with Microsoft's description of the CF_HTML clipboard format.
* Added MakeTextFromHTML function to convert CF_HTML data to plain HTML. Provides the reverse functionality of MakeHTML.
* Added HTML support to TTextDataFormat class and TDropTextSource and TDropTextTarget components.
* Fixed C++ Builder 5 problem with IAsyncOperation.
* Released for test as v4.1 FT4.

10-nov-2001
* Added NetscapeDemo demo application. Demonstrates how to receive messages dropped from Netscape. This demo was sponsored by ThoughtShare Communications Inc.
* Released for test as v4.1 FT3.

23-oct-2001
* Conversion priority of TURLDataFormat has been changed to give the File Group Descriptor formats priority over the Internet Shortcut format. This resolves a problem where dropping an URL on the desktop would cause the desktop to assume that an Active Desktop item was to be created instead of an Internet Shortcut. Thanks to Allen Martin for reporting this problem.
  By luck this modification also happens to work around a bug in Mozilla and Netscape 6; Mozilla incorrectly supplies the UniformResourceLocator clipboard format in Unicode format instead of ANSI format. Thanks to Florian Kusche for reporting this problem.
* Added support for TFileGroupDescritorWClipboardFormat to TURLDataFormat.
* Added declaration of FD_PROGRESSUI to DragDropFormats.
* Added TURLWClipboardFormat which implements the "UniformResourceLocatorW" (a.k.a. CFSTR_INETURLW) clipboard format. Basically a Unicode version of CFSTR_SHELLURL/CFSTR_INETURL. The TURLWClipboardFormat class isn't used anywhere yet but will probably be supported by TURLDataFormat (and thus TDropURLTarget/TDropURLSource) in a later release.
* Added experimental Shell Drag Image support. This relies on undocumented shell32.dll functions and probably won't be fully supported before v4.2 (if ever). See InitShellDragImage in DropSource.pas. Thanks to Jim Kueneman for bringing these functions to my attention.

13-oct-2001
* TCustomDropSource.Destroy and TCustomDropMultiSource.Destroy changed to call FlushClipboard instead of EmptyClipboard. This means that clipboard contents will be preserved when the source application/component is terminated.
* Added clipboard support to VirtualFileStream demo.
* Modified VirtualFileStream demo to work around clipboard quirk with IStream medium.
* Modified TCustomSimpleClipboardFormat to disable TYMED_ISTORAGE support by default. At present TYMED_ISTORAGE is only supported for drop targets and enabling it by default in TCustomSimpleClipboardFormat.Create caused a lot of clipboard operations (e.g. copy/paste of text) to fail. Thanks to Michael J Marshall for bringing this problem to my attention.
* Modified TCustomSimpleClipboardFormat to read from the TYMED_ISTREAM medium in small (1Mb) chunks and via a global memory buffer. This has resulted in a huge performance gain (several orders of magnitude) when transferring large amounts of data via the TYMED_ISTREAM medium.

3-oct-2001
* Fixed bug in TCustomDropSource.SetImageIndex. Thanks to Maxim Abramovich for spotting this.
* Added missing default property values to TCustomDropSource. Thanks to Maxim Abramovich for spotting this.
* DragDrop.pas and DragDropContext.pas updated for Delphi 4.
* Reimplemented utility to convert DFM form files from Delphi 5/6 text format to Delphi 4/5 binary format.
* Improved unregistration of Shell Extensions. Shell extensions now completely (and safely) remove their registry entries when unregistered.
* Deprecated support for C++ Builder 3.
* Released for test as v4.1 FT2.

25-sep-2001
* Rewritten ContextMenuHandlerShellExt demo. The demo is now actually a quite useful utility which can be used to register and unregister ActiveX controls, COM servers and type libraries. It includes the same functionality as Borland's TRegSvr utility.

20-sep-2001
* Added support for cascading menus, ownerdraw and menu bitmaps to TDropContextMenu component.
* Modified TFileContentsStreamOnDemandClipboardFormat to handle invalid parameter value (FormatEtcIn.lindex) when data is copied to clipboard. This works around an apparent bug in the Windows clipboard. Thanks to Steve Moss for reporting this problem.
* Modified TEnumFormatEtc class to not enumerate empty clipboard formats. Thanks to Steve Moss for this improvement.

1-sep-2001
* Introduced TCustomDropTarget.AutoRegister property. The AutoRegister property is used to control if drop target controls should be automatically unregistered and reregistered when their window handle is recreated by the VCL. If AutoRegister is True, which is the default, then automatic reregistration will be performed. This property was introduced because the hidden child control, which is used to monitor the drop target control's window handle, can have unwanted side effects on the drop target control (e.g. TToolBar).
* Deprecated support for Delphi 3.

22-jun-2001
* Redesigned TTextDataFormat to handle RTF, Unicode, CSV and OEM text without conversion. Moved TTextDataFormat class to DragDropText unit. Added support for TLocaleClipboardFormat.
* Surfaced new text formats as properties in TDropTextSource and TDropTextTarget.
  Previous versions of the Text source and target components represented all supported text formats via the Text property. In order to enable users to handle the different text formats independently, the text source and target components now have individual properties for ANSI, OEM, Unicode and RTF text formats. The text target component can automatically synthesize some of the formats from the others (e.g. OEM text from ANSI text), but applications which previously relied on all formats being represented by the Text property will have to be modified to handle the new properties.
* Added work around for problem where TToolBar as a drop target would display the invisible target proxy window.
* Fixed wide string bug in WriteFilesToZeroList. Thanks to Werner Lehmann for spotting this.

15-jun-2001
* Added work-around for Outlook Express IDataObject.QueryGetData quirk.

3-jun-2001
* Ported to C++ Builder 4 and 5.
* Added missing DragDropDesign.pas unit to design time packages.
* First attempt at C++ Builder 3 port.... failed.
* Improved handling of oversized File Group Descriptor data.
* Added support for IStorage medium to TFileContentsStreamClipboardFormat. This allows the TDropComboTarget component to accept messages dropped from Microsoft Outlook. This work was sponsored by ThoughtShare Communications Inc.

23-may-2001
* Ported to Delphi 4.
* First attempt at C++ Builder 5 port.... failed.

18-may-2001
* Released as version 4.0.
  Note: Version 4.0 was released exclusively on the Delphi 6 Companion CD.
* ContextMenuDemo and DropHandlerDemo applications have been partially rewritten and renamed. ContextMenuDemo is now named ContextMenuHandlerShellExt. DropHandlerDemo is now named DropHandlerShellExt.
* TDropContextMenu component has been rewritten. The TDropContextMenu now implements a context menu handler shell extension. In previous releases it implemented a drag drop handler shell extension.
* The DragDropHandler.pas unit which implements the TDropHandler component has been renamed to DropHandler.pas.
* Added new TDragDropHandler component. The new component, which lives in the DragDropHandler unit, is used to implement drag drop handler shell extensions.
* Added DragDropHandlerShellExt demo application.
* Removed misc incomplete demos from kit.
* Fixed minor problem in VirtualFileStream demo which caused drops from the VirtualFile demo not to transfer content correctly.

11-may-2001
* Converted all demo forms to text DFM format. This has been necessary to maintain compatibility between all supported versions of Delphi.
* Fixed a bug in GetPIDLsFromFilenames which caused drag-link of files (dtLink with TDropFileSource) not to work.
* Added readme.txt files to some demo applications.
* Added missing tlb and C++ Builder files to install kit.
* Released as FT4.

6-may-2001
* Added missing dfm files to install kit.
* Tested with Delphi 5. Fixed Delphi 5 compatibility error in main.dfm of DragDropDemo.
* Removed misc compiler warnings.
* The AsyncTransferTarget and OleObjectDemo demos were incomplete and have been removed from the kit for the V4.0 release. The demos will be included in a future release.
* Released as FT3.

3-may-2001
* Added missing dpr and bpg files to install kit.
* Updated readme.txt with regard to lack of C++ Builder demos.
* Released as FT2.

29-apr-2001
* Cleaned up for release.
* Released as FT1.

23-feb-2001
* Modified TCustomDropTarget.FindTarget to handle overlapping targets (e.g. different targets at the same position but on different pages of a page control or notebook). Thanks to Roger Moe for spotting this problem.

13-feb-2001
* Renamed AsyncTransfer2 demo to AsyncTransferSource.
* Added AsyncTransferTarget demo.
* Replaced TChart in AsyncTransfer2 demo with homegrown pie-chart-thing.
* Modified all IStream based target formats to support incremental transfer.
* URW533 problem has finally been fixed.
The cause of the problem, which is a bug in Delphi, was found by Stefan Hoffmeister. * Fixed free notification for TDropContextmenu and TDataFormatAdapter. 27-dec-2000 * Moved TVirtualFileStreamDataFormat and TFileContentsStreamOnDemandClipboardFormat classes from VirtualFileStream demo to DragDropFormats unit. * Added TClipboardFormat.DataFormat and TClipboardFormats.DataFormat property. * Added TDropEmptySource and TDropEmptyTarget components. These are basically do-nothing components for use with TDataFormatAdapter. * Rewritten AsyncTransfer2 demo. The demo now uses TDropEmptySource, TDataFormatAdapter and TVirtualFileStreamDataFormat to transfer 10Mb of data with progress feedback. * Rewritten VirtualFileStream demo. The demo now uses TDropEmptySource, TDropEmptyTarget, TDataFormatAdapter and TVirtualFileStreamDataFormat. * Fixed memory leak in TVirtualFileStreamDataFormat. This leak only affected the old VirtualFileStream demo. * Added support for full File Descriptor attribute set to TVirtualFileStreamDataFormat. It is now possible to specify file attributes such as file size and last modified time in addition to the filename. I plan to add similar features to the other classes which uses FileDescriptors (e.g. TDropFileSource and TDropFileTarget). 21-dec-2000 * Ported to Delphi 4. * Added workaround for design bug in either Explorer or the clipboard. Explorer and the clipboard's requirements to the cursor position of an IStream object are incompatible. Explorer requires the cursor to be at the beginning of stream and the clipboard requires the cursor to be at the end of stream. 15-dec-2000 * Fixed URW533 problem. I'll leave the description of the workaround in here for now in case the problem resurfaces. 11-dec-2000 * Fixed bug in filename to PIDL conversion (GetPIDLsFromFilenames) which affected TDropFileTarget. Thanks to Poul Halgaard J鴕gensen for reporting this. 4-dec-2000 * Added THTMLDataFormat. 
* Fixed a a few small bugs which affected clipboard operations. * Added {$ALIGN ON} to dragdrop.inc. Apparently COM drag/drop requires some structures to be word alligned. This change fixes problems where some of the demos would suddenly stop working. * The URW533 problem has resurfaced. See the "Known problems" section below. 13-nov-2000 * TCopyPasteDataFormat has been renamed to TFeedbackDataFormat. * Added support for the Windows 2000 "TargetCLSID" format with the TTargetCLSIDClipboardFormat class and the TCustomDropSource.TargetCLSID property. * Added support for the "Logical Performed DropEffect" format with the TLogicalPerformedDropEffectClipboardFormat class. The class is used internally by TCustomDropSource. 30-oct-2000 * Added ContextMenu demo and TDropContextMenu component. Demonstrates how to customize the context menu which is displayed when a file is dragged with the right mouse button and dropped in the shell. * Added TCustomDataFormat.GetData. With the introduction of the GetData method, Data Format classes can now be used stand-alone to extract data from an IDataObject. 20-oct-2000 * Added VirtualFileStream demo. Demonstrates how to use the "File Contents" and "File Group Descritor" clipboard formats to drag and drop virtual files (files which doesn't exist physically) and transfer the data on-demand via a stream. 14-oct-2000 * Added special drop target registration of TCustomRichEdit controls. TCustomRichEdit needs special attention because it implements its own drop target handling which prevents it to work with these components. TCustomDropTarget now disables a rich edit control's built in drag/drop handling when the control is registered as a drop target. * Added work around for Windows bug where IDropTarget.DragOver is called regardless that the drop has been rejected in IDropTarget.DragEnter. 12-oct-2000 * Fixed bug that caused docking to interfere with drop targets. Thanks to G. Bradley MacDonald for bringing the problem to my attention. 
30-sep-2000 * The DataFormats property has been made public in the TCustomDropMultiTarget class. * Added VirtualFile demo. Demonstrates how to use the TFileContentsClipboardFormat and TFileGroupDescritorClipboardFormat formats to drag and drop a virtual file (a file which doesn't exist physically). 28-sep-2000 * Improved drop source detection of optimized move. When an optimized move is performed by a drop target, the drop source's Execute method will now return drDropMove. Previously drCancel was returned. The OnAfterDrop event must still be used to determine if a move operation were optimized or not. * Modified TCustomDropTarget.GetPreferredDropEffect to get data from the current IDataObject instead of from the VCL global clipboard. 18-sep-2000 * Fixed bug in DropComboTarget caused by the 17-sep-2000 TStreams modification. 17-sep-2000 * Added AsyncTransfer2 demo to demonstrate use of TDropSourceThread. * Renamed TStreams class to TStreamList. 29-aug-2000 * Added TDropSourceThread. TDropSourceThread is an alternative to Windows 2000 asynchronous data transfers but also works on other platforms than Windows 2000. TDropSourceThread is based on code contributed by E. J. Molendijk. 24-aug-2000 * Added support for Windows 2000 asynchronous data transfers. Added IAsyncOperation implementation to TCustomDropSource. Added TCustomDropSource.AllowAsyncTransfer and AsyncTransfer properties. 5-aug-2000 * Added work around for URW533 compiler bug. * Fixed D4 and D5 packages and updated a few demos. Obsolete DropMultiTarget were still referenced a few places. * Documented work around for C++ Builder 5 compiler error. See the Known Problems section later in this document for more information. 2-aug-2000 * The package files provided in the kit is now design-time only packages. In previous versions, the packages could be used both at design- and run-time. The change was nescessary because the package now contains design-time code. 
* Added possible work around for suspected C++ Builder bug. The bug manifests itself as a "Overloadable operator expected" compile time error. See the "Known problems" section of this document. * Rewrote CustomFormat1 demo. * Added CustomFormat2 demo. * TDataDirection members has been renamed from ddGet and ddSet to ddRead and ddWrite. * All File Group Descritor and File Contents clipboard formats has been moved from the DragDropFile unit to the DragDropFormats unit. * File Contents support has been added to TTextDataFormat. The support is currently only enabled for drop sources. * Renamed TDropMultiTarget component to TDropComboTarget. Note: This will break applications which uses the TDropMultiTarget component. You can use the following technique to port application from previous releases: 1) Install the new components. 2) Repeat step 3-8 for all units which uses the TDropMultiTarget component. 3) Make a backup of the unit (both pas and dfm file) just in case... 4) Open the unit in the IDE. 5) In the .pas file, replace all occurances of "TDropMultiTarget" with "TDropComboTarget". 6) View the form as text. 7) Replace all occurances of "TDropMultiTarget" with "TDropComboTarget". 8) Save the unit. * Renamed a lot of demo files and directories. * Added work around for yet another bug in TStreamAdapter. * Added TCustomStringClipboardFormat as new base class for TCustomTextClipboardFormat. This changes the class hierachy a bit for classes which previously descended from TCustomTextClipboardFormat: All formats which needs zero termination now descend from TCustomTextClipboardFormat and the rest descend from TCustomStringClipboardFormat. Added TrimZeroes property. Fixed zero termination bug in TCustomTextClipboardFormat and generally improved handling of zero terminated strings. Disabled zero trim in TCustomStringClipboardFormat and enabled it in TCustomTextClipboardFormat. 23-jul-2000 * Improved handling of long file names in DropHandler demo. 
Added work around for ParamStr bug. * Added TDataFormatAdapter component and adapter demo. TDataFormatAdapter is used to extend the existing source and target components with additional data format support without modifying them. It can be considered an dynamic alternative to the current TDropMultiTarget component. 17-jul-2000 * TDropHandler component and DropHandler demo fully functional. 14-jul-2000 * Tested with C++ Builder 5. * Fixed sporadic integer overflow bug in DragDetectPlus function. * Added shell drop handler support with TDropHandler component. This is a work in progress and is not yet functional. 1-jul-2000 * Tested with Delphi 4. * Support for Windows 2000 inter application drag images. * TRawClipboardFormat and TRawDataFormat classes for support of arbitrary unknown clipboard formats. The classes are used internally in the TCustomDropSource.SetData method to support W2K drag images. Platform: |
Size: 2130304 |
Author:smj_9547 |
Hits:
Description: Code that detects processes by hooking the thread scheduling linked list. It can find essentially all processes hidden by current rootkits. A must-download for system programming enthusiasts. Platform: |
Size: 492544 |
Author:黄芸乐 |
Hits:
Description: Many users have got used to Windows NT Task Manager showing all processes, and many consider that it is impossible to hide a process from Task Manager. Actually, process hiding is incredibly simple. There are lots of methods available for such a purpose and there are source codes available. It still amazes me that there are only a few trojans using these methods. Literally only 1 trojan from a 1000 is hidden. I think that trojan authors are lazy, since it requires extra work to hide the process and it is always easier to use ready-made sources and copy-paste them. Therefore we should expect hidden trojan processes in the near future. Platform: |
Size: 15360 |
Author:inwing |
Hits:
Description: Although I do not know how IceSword enumerates services, I estimate that in the end it also detects them by walking the SCM's internal ServiceRecordList. Why? See below. After using the attached InjectDLL.exe to inject hideservice.dll into the Services.exe process, the Alerter service is hidden, and IceSword can no longer detect the Alerter service either. The principle of the code is very simple: find the ServiceRecordList in the Services.exe process and unlink the service to be hidden from the list. Since IceSword can no longer detect it, this shows that IceSword also ultimately detects services by walking the SCM's internal ServiceRecordList. Platform: |
Size: 2048 |
Author:fisher |
Hits:
Description: A kernel driver written to detect hidden processes; useful for understanding kernel process hiding and detection techniques. Platform: |
Size: 12288 |
Author:chenmo |
Hits:
Description: Part of the code of an ARK written by HooS-SofT member "夕阳_dapro". He has not finished it; because of time constraints only a little was written, namely the hidden process detection part. Also attached: 24 methods of detecting hidden processes from a driver. Platform: |
Size: 153600 |
Author:fishgs |
Hits:
Description: Collection of award-winning entries of the 2009 National College Student Information Security Contest
Contents
First prize entries
ARP attack automatic defense system based on a secure switch
USB device encryption adapter
Hidden malicious code detection system based on semantic integrity
Process dynamic integrity detection system
Disk isolation system supporting multiple restore points
Final (风诺) Web service protection system
Hardware-platform-based mobile storage device information hiding system
Multi-channel, multi-task network public opinion monitoring and analysis system
Host behaviour security detection system based on the swap partition
Suspicious program threat analysis system Platform: |
Size: 8192000 |
Author:林珺 |
Hits:
Description: 1. Message hook monitor: lists the message hooks on the system.
2. Module load monitor: lists all kernel modules loaded on the system.
3. SSDT monitor: obtains the original SSDT addresses to identify APIs hooked by malware and to restore the SSDT.
4. Registry protection: protects some important registry keys against modification by malware.
5. Hidden process detection: detects processes hidden in the system.
6. Hidden port detection: detects ports hidden in the system.
7. Process force-kill: can kill self-protecting malicious processes in the system. Platform: |
Size: 3553280 |
Author:虫子 |
Hits:
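Several of the entries above (the thread-scheduling-list detector, the hideservice.dll ServiceRecordList unlink, chenmo's hidden-process driver, the HooS-SofT ARK and item 5 of the ARK feature list just above) revolve around one pair of techniques: a rootkit hides an object by unlinking it from the doubly-linked list that enumerators walk, and a detector finds it again by building a second view of the same population from a structure the rootkit did not touch and diffing the two. The following is an added, user-mode simulation of that pair written for this page; it is not code from any of the listed archives. The `eprocess`, `ethread` and `list_entry` structures are simplified stand-ins for the real Windows kernel objects, and the four-process, six-thread sample is constructed inline.

```c
/* Added example: DKOM-style list unlink and cross-view detection, simulated
 * in user mode. Structures are simplified stand-ins for EPROCESS, ETHREAD and
 * LIST_ENTRY (assumption), and the sample process table is constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PROCS 16
#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

struct list_entry { struct list_entry *flink, *blink; };

struct eprocess {
    uint32_t pid;
    char image_name[16];
    struct list_entry active_process_links;   /* what list walkers follow */
};

struct ethread {
    uint32_t tid;
    struct eprocess *owner;                   /* back-pointer to its process */
    struct list_entry sched_links;            /* a scheduler-maintained list */
};

static void list_init(struct list_entry *h) { h->flink = h->blink = h; }

static void list_insert_tail(struct list_entry *h, struct list_entry *e) {
    e->flink = h; e->blink = h->blink;
    h->blink->flink = e; h->blink = e;
}

/* DKOM unlink: neighbours are spliced around the entry and the entry is
 * pointed at itself, so the process keeps running and its eventual removal
 * on exit does not corrupt the list. */
static void dkom_hide(struct eprocess *p) {
    struct list_entry *e = &p->active_process_links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

/* View 1: what a process-list walker sees. */
static size_t enum_via_process_list(struct list_entry *head, uint32_t *out, size_t cap) {
    size_t n = 0;
    for (struct list_entry *e = head->flink; e != head && n < cap; e = e->flink)
        out[n++] = CONTAINING_RECORD(e, struct eprocess, active_process_links)->pid;
    return n;
}

/* View 2: distinct owners of every schedulable thread. A process with no
 * threads cannot run, so a running hidden process must show up here. */
static size_t enum_via_thread_list(struct list_entry *head, uint32_t *out, size_t cap) {
    size_t n = 0;
    for (struct list_entry *e = head->flink; e != head; e = e->flink) {
        uint32_t pid = CONTAINING_RECORD(e, struct ethread, sched_links)->owner->pid;
        size_t i = 0;
        while (i < n && out[i] != pid) i++;
        if (i == n && n < cap) out[n++] = pid;
    }
    return n;
}

/* Cross-view diff: pids in the thread view but not in the list view are hidden. */
static size_t cross_view_diff(const uint32_t *seen, size_t ns, const uint32_t *truth,
                              size_t nt, uint32_t *hidden, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < nt; i++) {
        size_t j = 0;
        while (j < ns && seen[j] != truth[i]) j++;
        if (j == ns && n < cap) hidden[n++] = truth[i];
    }
    return n;
}

/* Constructed sample (static so list pointers stay valid between calls). */
static struct eprocess procs[4] = {
    {4, "System", {0, 0}}, {624, "services.exe", {0, 0}},
    {1337, "rootkit.exe", {0, 0}}, {2048, "notepad.exe", {0, 0}} };
static struct ethread threads[6];
static struct list_entry proc_head, thread_head;

static void build_sample(int hide_rootkit) {
    static const int owner_of[6] = {0, 0, 1, 2, 2, 3};
    list_init(&proc_head); list_init(&thread_head);
    for (size_t i = 0; i < 4; i++) list_insert_tail(&proc_head, &procs[i].active_process_links);
    for (size_t i = 0; i < 6; i++) {
        threads[i].tid = 100 + (uint32_t)i;
        threads[i].owner = &procs[owner_of[i]];
        list_insert_tail(&thread_head, &threads[i].sched_links);
    }
    if (hide_rootkit) dkom_hide(&procs[2]);   /* unlink pid 1337 only */
}

static size_t find_hidden(int hide_rootkit, uint32_t *hidden, size_t cap) {
    uint32_t seen[MAX_PROCS], truth[MAX_PROCS];
    build_sample(hide_rootkit);
    size_t ns = enum_via_process_list(&proc_head, seen, MAX_PROCS);
    size_t nt = enum_via_thread_list(&thread_head, truth, MAX_PROCS);
    return cross_view_diff(seen, ns, truth, nt, hidden, cap);
}

/* Processes the list walk reports: 4 normally, 3 once pid 1337 is unlinked. */
size_t demo_visible_count(int hide_rootkit) {
    uint32_t seen[MAX_PROCS];
    build_sample(hide_rootkit);
    return enum_via_process_list(&proc_head, seen, MAX_PROCS);
}

size_t demo_hidden_count(int hide_rootkit) {
    uint32_t hidden[MAX_PROCS];
    return find_hidden(hide_rootkit, hidden, MAX_PROCS);
}

uint32_t demo_first_hidden_pid(int hide_rootkit) {
    uint32_t hidden[MAX_PROCS];
    return find_hidden(hide_rootkit, hidden, MAX_PROCS) ? hidden[0] : 0;
}

int main(void) {
    printf("list walk sees %zu of 4 processes; cross-view reports %zu hidden, pid %u\n",
           demo_visible_count(1), demo_hidden_count(1), demo_first_hidden_pid(1));
    return 0;
}
```

The same diff works whatever the second view is: the thread list, handle tables, the scheduler's per-CPU queues, or a brute-force scan of pool memory for EPROCESS-shaped objects; a rootkit must unlink from every view an ARK consults, which is why the number of independent views matters more than any single one. The service-hiding entry is the user-mode twin of `dkom_hide` applied to the SCM's record list, and the corresponding detector would take its second view from, for example, the registry's service keys rather than the list.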
Description: ISoft main functions, divided into six modules: Home, U-disk protection, system optimization, hardware detection, process management and advanced features.
① Home: checks the current operating system and the U-disk defense state, and lists the main recommended functions.
② U-disk protection: scans U disks for viruses and removes potentially dangerous virus files; can disable U-disk autorun and restore maliciously hidden files.
③ System optimization: optimizes common operating system settings, such as boot and shutdown speed, system prefetch, and disabling remote registry modification.
④ Process management: mainly imitates the system Task Manager, using multiple threads to refresh the list of currently executing processes.
⑤ Hardware detection: ISoft aims to provide the most detailed hardware detection, listing the details of each piece of hardware by querying WMI.
⑥ Advanced features: mainly a set of commonly used tools, including file shredding, personalization, junk cleanup, system acceleration, large file scanning, default program settings, text-to-speech reader, disk monitor, time synchronization assistant, video recorder, file split and merge, file content comparer, etc. Platform: |
Size: 5716992 |
Author:夏子睿 |
Hits:
Description: Can be built into your own software. Hides a process very thoroughly; tools like PC Manager (电脑管家) cannot detect it either. Most game assistant (cheat) tools also need this to get past the game's detection. Platform: |
Size: 8192 |
Author:0524lei |
Hits: