Search - SSDT

Search list

[Windows Develop] KProcecss

Description: Vb Kill Process SSDT
Platform: | Size: 14336 | Author: obiwan | Hits:

[Hook api] NtOpenProcessSSDTHook

Description: Driver-level SSDT hook for building an unkillable program: hooks the NtOpenProcess function to protect a process from being terminated.
Platform: | Size: 9216 | Author: 洋洋 | Hits:

[Windows Develop] SSDT

Description: Source for an SSDT restore program. Reference debug information: Linking f:\driver\3 directory ******************** nmake.exe /c BUILDMSG=Stop. -i LINKONLY=1 NOPASS0=1 NTTEST= UMTEST= 386=1 link -out:.\i386\DrvTest.sys -machine:ix86 @C:\DOCUME~1\LANGOU~1\LOCALS~1\Temp\nma02324. Microsoft (R) Incremental Linker Version 7.00.9210 Copyright (C) Microsoft Corporation. All rights reserved. -MERGE:_PAGE=PAGE -MERGE:_TEXT=.text -SECTION:INIT,d -OPT:REF -OPT:ICF -IGNORE:4010,4037,4039,4065,4070,4078,4087,4089,4198,4221 -INCREMENTAL:NO -FULLBUILD
Platform: | Size: 1861632 | Author: asd | Hits:

[Driver Develop] ressdt2

Description: SSDT restore source code. If functions in your SSDT have been hooked, this code can be used to restore them.
Platform: | Size: 5120 | Author: 杨靖 | Hits:

[SCM] x64ssdt

Description: Gets the entry point of the SSDT on x64, which is not exported from ntoskrnl.exe as on older OSes.
Platform: | Size: 1024 | Author: n3m0 | Hits:

[Driver Develop] SSTDForVB

Description: Source code for an SSDT hook implemented in VB; the hook is implemented by calling low-level functions. Suitable for studying drivers from VB.
Platform: | Size: 49152 | Author: 林繁 | Hits:

[Hook api] windows_kernel_tool

Description: 1. SSDT hook detection and restoration. 2. IDT hook detection and restoration. 3. Detection of driver modules loaded by the system. 4. Process enumeration and detection of the DLLs each process has loaded.
Platform: | Size: 2296832 | Author: 虫子 | Hits:

[Hook api] arktool

Description: 1. Message hook monitoring: lists the message hooks on the system. 2. Module load monitoring: lists all kernel modules loaded on the system. 3. SSDT monitoring: obtains the original SSDT addresses to identify APIs hooked by malicious programs, and restores the SSDT. 4. Registry protection: protects certain important registry keys against modification by malicious programs. 5. Hidden process detection: detects processes hidden on the system. 6. Hidden port detection: detects ports hidden on the system. 7. Forced process kill: can kill malicious processes on the system that protect themselves.
Platform: | Size: 3553280 | Author: 虫子 | Hits:

[Hook api] SSDT

Description: Code demonstrating the principle of SSDT hooking, with background on protection. Take a look if you are interested; it is helpful.
Platform: | Size: 327680 | Author: 卢嘉文 | Hits:

[OS program] ZwLoadDriverHook

Description: [Delphi] LoadDriver SSDT Hook. Compile it with Meerkat 1.1. Use DbgView to catch information. Only for Windows XP. Meerkat 1.1 link: http://www.mediafire.com/?hbhjorv8797k2ee
Platform: | Size: 1024 | Author: STRELiTZIA | Hits:

[Delphi VCL] ZwOpenProcessHook

Description: ZwOpenProcess SSDT Hook test to catch open process information. Compile it with Meerkat Advanced kernel mode driver GUI for KmdKit4D. Link: http://www.mediafire.com/?hbhjorv8797k2ee
Platform: | Size: 2048 | Author: STRELiTZIA | Hits:

[Other] Kill360

Description: Directly kills 360 antivirus at the SSDT level; viruses and antivirus software both hover around the SSDT.
Platform: | Size: 9216 | Author: yeyushu | Hits:

[Driver Develop] SSDT

Description: An SSDT restore tool written as a driver; very helpful for studying the system kernel.
Platform: | Size: 518144 | Author: lihui | Hits:

[Hook api] SSDT-Recovery-View-Tool

Description: A viewer for SSDT (System Service Descriptor Table) restoration that lets us see more clearly whether the system's functions have been restored.
Platform: | Size: 11264 | Author: 小梦 | Hits:

[VC/MFC] ssdt

Description: What is the SSDT? Naturally, this is the question I have to answer. But before that, please open a command-line (cmd.exe) window, type "dir" and press Enter. There: all the files and subdirectories in the current directory are listed. So, from a programmer's point of view, the whole process should look like this:
Platform: | Size: 152576 | Author: 魍酆 | Hits:

[Hook api] SSDT--11

Description: The full name of SSDT is System Services Descriptor Table. This table links the ring3 Win32 API to the ring0 kernel API. The SSDT is not just a large address index table; it also contains other useful information, such as the base address of the address index and the number of service functions. By modifying the function addresses in this table, commonly used Windows functions and APIs can be hooked in order to filter and monitor system actions of interest. Some HIPS, antivirus, system monitoring and registry monitoring software often use this interface to implement their own monitoring modules. At present a very small number of viruses do use this method to protect themselves or to sabotage antivirus software, but if the antivirus software can identify and remove such a virus before it gets into the system, it will have no chance to act.
Platform: | Size: 335872 | Author: 小明 | Hits:

[OS program] XueTr

Description: 1. View processes, threads, process modules, process windows and process memory information; view hotkey information; kill processes, kill threads, unload modules, and so on. 2. View kernel driver modules, with support for memory copies of kernel driver modules. 3. View SSDT, Shadow SSDT, FSD, KBD, TCPIP and IDT information, and detect and restore SSDT hooks and inline hooks. 4. View Notify Routine information for CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego and others, with support for deleting these Notify Routines. 5. View port information; Windows 2000 is not currently supported. 6. View message hooks. 7. Detect and restore IAT, EAT, inline hooks and patches in kernel modules. 8. Detect filter drivers on disk, volume, keyboard, network layer and so on, with support for deleting them. 9. Registry editing.
Platform: | Size: 3696640 | Author: 接收 | Hits:

[Driver Develop] SSDT-Shadow-Hook

Description: Hooks the following functions: NtUserFindWindowEx (FindWindow), NtUserGetForegroundWindow (GetForegroundWindow), NtUserQueryWindow (GetWindowThreadProcessId), NtUserWindowFromPoint (WindowFromPoint), NtUserBuildHwndList (EnumWindows), NtUserSetWindowLong (SetWindowLong). Tested working on XP/Win 2003/Vista/Win7. The method of obtaining the ShadowTable is something I worked out by debugging myself, so I am not sure how stable it is; if it is unstable, you can look online for another way to get the ShadowTable.
Platform: | Size: 384000 | Author: TianSin | Hits:

[Hook api] HookSSDTShadow

Description: Hook SSDT shadow sample: first find the csrss process, then attach to it, and finally modify the SSDT shadow table.
Platform: | Size: 17408 | Author: 顺口溜 | Hits:

[OS program] masmssdtrestoredriver

Description: Restore SSDT using MASM. If you do not know what you're doing, do not use this.
Platform: | Size: 10240 | Author: robinhood | Hits:

CodeBus www.codebus.net