Search - hook ssdt

Search list

[OS program] SSDTHook

Description: The basic idea for dealing with a ring0 inline hook is this: write your own replacement kernel function; taking NtOpenProcess as the example, that is MyNtOpenProcess. Then modify the SSDT so that the system service call enters your own function MyNtOpenProcess. What MyNtOpenProcess has to do is execute the first 10 bytes of instructions of NtOpenProcess, and then JMP to the original NtOpenProcess 10 bytes in. That way any JMP written at the head of the NtOpenProcess function has no effect, and calling OpenProcess directly from ring3 is no longer affected.
Platform: | Size: 3072 | Author: sdlylz | Hits:

[Hook api] HookShadowSSDT

Description: An example demonstrating how to hook the shadow SSDT table.
Platform: | Size: 477184 | Author: macro | Hits:

[Hook api] KillIceSword(SSDT_and_Inline_Hook_in_Ring0)

Description: Bypasses IceSword's inline hook via the SSDT in order to shut down IceSword.
Platform: | Size: 154624 | Author: inking | Hits:

[Hook api] Hide_Process_Hook_MDL

Description: SSDT hook of ZwQuerySystemInformation to hide processes.
Platform: | Size: 41984 | Author: inking | Hits:

[Driver Develop] ssdt.

Description: An example of a driver developed in Delphi. 1. Map ntoskrnl.exe into memory. 2. Relocation information... 3. Search for the SSDT base address. 4. Patch it back.
Platform: | Size: 14336 | Author: fanghui | Hits:

[VC/MFC] SSDTHOOK

Description: SSDT HOOK registry e-book, a simple tutorial.
Platform: | Size: 1420288 | Author: 浮士德 | Hits:

[Driver Develop] RING0

Description: Code that detects, from RING0, processes hidden by hooking the SSDT. Builds directly; works on XP and 2000 systems. Short and practical.
Platform: | Size: 4096 | Author: ldf | Hits:

[Documents] Ring0

Description: Hooking the SSDT in Ring0 to prevent a process from being terminated.
Platform: | Size: 207872 | Author: 杨晓 | Hits:

[Windows Develop] Process_protection

Description: Process protection based on an SSDT hook, preventing your own process from being maliciously terminated. Includes the code for communication between the application layer and the application layer.
Platform: | Size: 48128 | Author: lier | Hits:

[Windows Develop] hook

Description: Driver-level process-hiding code; it hides the process at the driver layer by replacing a function in the SSDT address table.
Platform: | Size: 3072 | Author: 帅俊 | Hits:

[Driver Develop] SSDT_Unhook

Description: SSDT restore source code; restores a hooked SSDT (the system service call function table).
Platform: | Size: 4096 | Author: fd | Hits:

[OS program] Ring0HOOKSSDTReg

Description: Developed with the DDK; implements registry monitoring in Ring0 by hooking the SSDT.
Platform: | Size: 4096 | Author: 李扬 | Hits:

[Driver Develop] CCRootkit-V0.1

Description: Most of what you find online requires Ring3 to pass in the address that needs patching... 002 does SSDT locating and repair directly using the most standard method and supports multi-core systems; of course there are also 003 (adds a shadow ssdt hook) and 004 (adds an inline hook). This is basically the most stable restore method available now; you can test it with KMDLoader. It unhooks as soon as it is loaded, no communication required.
Platform: | Size: 515072 | Author: 按时飞 | Hits:

[Hook api] anti-ssdt

Description: Windows XP uses sysenter to call KiFastCallEntry, which switches calls from ntdll.dll into the kernel. KiFastCallEntry works by looking up the function address in the SSDT and jumping to it. So as long as you forge an original SSDT, you can render SSDT hooks ineffective.
Platform: | Size: 5120 | Author: 何耀彬 | Hits:

[Driver Develop] SSTDForVB

Description: SSDT HOOK source code implemented in VB; calls the underlying functions to implement the SSDT HOOK. Suitable for studying drivers in VB.
Platform: | Size: 49152 | Author: 林繁 | Hits:

[Delphi VCL] ZwOpenProcessHook

Description: ZwOpenProcess SSDT Hook test to catch open-process information. Compile it with the Meerkat Advanced kernel-mode driver GUI for KmdKit4D. Link: http://www.mediafire.com/?hbhjorv8797k2ee
Platform: | Size: 2048 | Author: STRELiTZIA | Hits:

[Hook api] ssdt-hook

Description: 1. Get the number of SSDT functions. 2. Get all functions in the SSDT function table. 3. Hook ZwQuerySystemInformation. 4. Unhook ZwQuerySystemInformation. 5. Modify the SSDT according to a user-supplied function address and SSDT index.
Platform: | Size: 10240 | Author: wu | Hits:

[Driver Develop] SSDT-Shadow-Hook

Description: Hooks the following functions: NtUserFindWindowEx (FindWindow), NtUserGetForegroundWindow (GetForegroundWindow), NtUserQueryWindow (GetWindowThreadProcessId), NtUserWindowFromPoint (WindowFromPoint), NtUserBuildHwndList (EnumWindows), NtUserSetWindowLong (SetWindowLong). Tested and working on XP/Win 2003/Vista/Win7. The method for obtaining the ShadowTable is something I worked out by debugging myself, so I am not sure about its stability; if it is unstable, you can look online for another way to get the ShadowTable.
Platform: | Size: 384000 | Author: TianSin | Hits:

[Hook api] HookSSDTShadow

Description: Hook SSDT shadow example: first find the csrss process, then attach to it, and finally modify the ssdt shadow table.
Platform: | Size: 17408 | Author: 顺口溜 | Hits:

[Hook api] SSDT-HOOK

Description: Code for an SSDT hook of ZwCreateThread under XP; XP only. It consists of a driver and a user-mode control program. It was modified from another program I wrote earlier, so some of the structure member definitions in the code are redundant. Anyone who wants to write an SSDT hook can use it for reference.
Platform: | Size: 396288 | Author: seven | Hits:

CodeBus www.codebus.net