Search - hook driver

Search list

[Scanner] VS2003_XChecker2

Description: Complete source code for X-Detector version 2.6. X-Detector is system security inspection software that builds on network port monitoring software and adds hidden process checks, loaded driver checks, system service function hook checks, Windows hook checks, remote thread creation checks, closing of network ports, and blocking programs from accessing the network.
Platform: | Size: 6063104 | Author: fdsa | Hits:

[Driver Develop] DriverCaller

Description: KPDrv driver loader, used together with KPDrv; it is responsible for loading the driver.
Platform: | Size: 90112 | Author: 追风少年 | Hits:

[Hook api] shuziqianming_D7

Description: From Start, Run, enter sigverif; checking the digital signature tells you whether a file is from Microsoft. Verification of an application or driver is mainly done with the Win32 API WinVerifyTrust. If that API has been hooked, is there another way to verify whether an application or driver is signed by Microsoft? If only the IAT has been hooked, the function can be called directly through a function pointer. If the function prologue has been overwritten with a jmp, as Detours does, the machine code of the prologue can be restored by reading the location of the WinVerifyTrust implementation in WinTrust.dll. I am not sure whether using CryptoAPI with a specified Microsoft certificate would be somewhat better and harder to spoof. If you are worried about the API call being hooked, write the verification code yourself; using OpenSSL should make that easier.
Platform: | Size: 200704 | Author: 齐欢乐 | Hits:

[Hook api] keyboardhook

Description: A keyboard hook written as a driver; it hooks all keyboard input and saves it to a txt file.
Platform: | Size: 141312 | Author: 韩爱杨 | Hits:

[Hook api] HookDll2

Description: hook dll driver for keyboard mouse source
Platform: | Size: 13312 | Author: sky | Hits:

[Driver Develop] Klog

Description: Sample keyboard hook driver
Platform: | Size: 144384 | Author: Dmitry | Hits:

[Driver Develop] DiskMon

Description: DiskMon loads its driver only when running on NT4; on W2k and later platforms it uses kernel event tracing to monitor disk activity. Its driver can nevertheless run on W2k/XP/2K3/Vista. The driver hooks the disk driver's dispatch routines, so it can not only monitor disk activity but, with slight changes, also intercept and modify upper-layer reads and writes to the disk, and it is easy to build some kind of Disk-based xxx
Platform: | Size: 8192 | Author: sldfl | Hits:

[Driver Develop] ZwCreateFile

Description: Hooks ZwCreateFile, together with ZwDeleteFile, to monitor and prevent creation of specified files.
Platform: | Size: 2048 | Author: 朱芮男 | Hits:

[Internet-Network] FwHookDrv_bin

Description: Firewall-hook driver
Platform: | Size: 21504 | Author: Rudolf Hess | Hits:

[Internet-Network] RkU_102_source

Description: Rootkit detector to find system hooks and user code hooks, hidden drivers, hidden files, hidden processes.
Platform: | Size: 22528 | Author: sis-2kx | Hits:

[Hook api] HookKey

Description: IRP hook keyboard logger source code. The keyboard logger hooks the dispatch function of the keyboard class driver Kbdclass; below the class driver is the port driver. DeviceTree shows that the port driver for a PS/2 keyboard is i8042prt and the port driver for a USB keyboard is Kbdhid. For both PS/2 and USB keyboards, after the port driver finishes processing the IRP it calls the upper layer's callback function, that is, the KbdClass function that processes the input data. Hooking this callback function not only gives a logger compatible with both PS/2 and USB keyboards, but is also more concealed than the layered-driver method.
Platform: | Size: 57344 | Author: ithurricane | Hits:

[Hook api] keyboardlogger

Description: Inline hook source code for a logger compatible with PS/2 and USB keyboards. The keyboard logger hooks the dispatch function of the keyboard class driver Kbdclass; below the class driver is the port driver. DeviceTree shows that the port driver for a PS/2 keyboard is i8042prt and the port driver for a USB keyboard is Kbdhid. For both PS/2 and USB keyboards, after the port driver finishes processing the IRP it calls the upper layer's callback function, that is, the KbdClass function that processes the input data. Hooking this callback function not only gives a logger compatible with both PS/2 and USB keyboards, but is also more concealed than the layered-driver method.
Platform: | Size: 62464 | Author: ithurricane | Hits:

[Hook api] windows_kernel_tool

Description: 1: Detection and restoration of SSDT table hooks. 2: Detection and restoration of IDT table hooks. 3: Detection of driver modules loaded by the system. 4: Enumeration of processes and detection of the DLLs loaded by each process.
Platform: | Size: 2296832 | Author: 虫子 | Hits:

[Delphi VCL] ZwOpenProcessHook

Description: ZwOpenProcess SSDT Hook test to catch open process information. Compile it with Meerkat Advanced kernel mode driver GUI for KmdKit4D. Link: http://www.mediafire.com/?hbhjorv8797k2ee
Platform: | Size: 2048 | Author: STRELiTZIA | Hits:

[Windows Develop] NtQuerySystemInformation

Description: An article on how to hook the NtQuerySystemInformation kernel function at the Windows driver layer. It describes every parameter of the function and its usage in great detail.
Platform: | Size: 55296 | Author: 汤文 | Hits:

[VC/MFC] RgnTst

Description: A template class for multidimensional regions of any coordinate type. A couple of years ago, I had to write a sort of a video hook driver. And there, I needed (among other things) to handle region operations, such as finding intersections, subtracting, joining regions, etc. There's support for such regions in the Win32 API. Functions for manipulating regions are CreateRectRgn, CreateEllipticRgn, EqualRgn, GetRgnBox, OffsetRgn, CombineRgn, etc. This API is pretty ugly and uncomfortable, in my opinion. Its implementation is concealed, and you have to mess with handles (HRGN) to work with it. When you need, for instance, to find an intersection of two regions, you have to create a new empty region handle, and then "fill" it with the intersection. That is:
Platform: | Size: 18432 | Author: 胡八 | Hits:

[Windows Develop] Driver-Guide

Description: Hello everyone, we meet again. Today I will tell you a new story: the IAT hook. Before following this story, readers should make sure they have two basic skills: 1. A high-level understanding of how simple data structures look in memory. 2. An understanding of how programs running in the Windows environment work. Driver tutorial.
Platform: | Size: 302080 | Author: 魍酆 | Hits:

[Hook api] APIHook

Description: A PDF manual on API interception. It explains Injection and IAT hooking along with implementation code, and also covers hooking at the driver layer.
Platform: | Size: 129024 | Author: jibagan | Hits:

[Hook api] 001

Description: An IP filtering driver based on a Filter-Hook Driver (uses ipfirewall.h).
Platform: | Size: 6144 | Author: 林云 | Hits:

[OS program] XueTr

Description: 1. View processes, threads, process modules, process windows, and process memory information; view hotkey information; kill processes, kill threads, unload modules, and similar functions. 2. View kernel driver modules, with support for memory copies of kernel driver modules. 3. View SSDT, Shadow SSDT, FSD, KBD, TCPIP, and IDT information, and detect and restore SSDT hooks and inline hooks. 4. View Notify Routine information for CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego, and others, with support for deleting these Notify Routines. 5. View port information; Windows 2000 is currently not supported. 6. View message hooks. 7. Detect and restore IAT, EAT, inline hooks, and patches in kernel modules. 8. Detect filter drivers for disk, volume, keyboard, network layer, and others, with support for deleting them. 9. Registry editing.
Platform: | Size: 3696640 | Author: 接收 | Hits:

CodeBus www.codebus.net