Search - icesword

Search list

[Exploit] HideRegistry

Description: Some thoughts on how to get past IceSword's registry-hiding detection. This idea should be able to get past the registry-hiding detection of the current versions of IceSword. It is a semi-generic method, but not one based on searching for a signature string. In terms of coding it is somewhat more troublesome than hiding a process; if the coding takes more than a day and a half I will give up. A simple package is provided here, containing a driver and a registry file. To test, run HideRegistryApp.exe yourself, then import test.reg into the registry. IceSword can be started either before or after. Then browse in IceSword's registry viewer to HKEY_LOCAL_MACHINE --> SOFTWARE --> wuyanfeng. My driver hides the wuyanfeng KEY under wuyanfeng. You can create wuyanfeng KEYs at least 2 levels deep anywhere you like; while my driver is running only the topmost level is visible and all the others are hidden. For example you can create the following KEY: HKEY_CLASSES_ROOT ---> wuyanfeng1 --> wuyanfeng, and so on. I have only tested this driver on XP SP2; other systems have not been tested.
Platform: | Size: 68204 | Author: 79282853 | Hits:

[Exploit] HideService

Description: Although I do not know how IceSword enumerates services, my guess is that in the end it also detects them by walking the SCM's internal ServiceRecordList. Why? See below. Using the InjectDLL.exe in the attachment to inject hideservice.dll into the Services.exe process hides the Alerter service, and IceSword can no longer detect the Alerter service either. The principle of the code is very simple: locate the ServiceRecordList in the Services.exe process and unlink the service to be hidden from the linked list. Since IceSword cannot detect it any more, this shows that IceSword ultimately also detects services by walking the SCM's internal ServiceRecordList.
Platform: | Size: 19964 | Author: 79282853 | Hits:

[Other] IceSword

Description: Can be used for computer security management; very convenient and effective, and very useful in day-to-day use.
Platform: | Size: 595840 | Author: 李里 | Hits:

[Hook api] KillIceSword(SSDT_and_Inline_Hook_in_Ring0)

Description: Goes through the SSDT to get around IceSword's inline hook and shut IceSword down.
Platform: | Size: 154950 | Author: inking | Hits:

[WinSock-NDIS] ntshell080726

Description: This is a free, open-source remote control program. Features: provides a CMDSHELL, file management, process management, port proxy (unfinished), screen capture and some other functions. It uses some kernel techniques, including unlinking from the active process list (process hiding), the same forced process-kill method as IceSword (can kill the processes of some antivirus software), opening files from Ring0 (used to infect running executables), and driverless Ring0 on 2000/XP. Supports both forward and reverse connections; both the server side and the controller side can accept and manage multiple connections.
Platform: | Size: 718216 | Author: 方启 | Hits:

[Process-Thread] Safe and stable implementation of process/thread monitoring

Description: I think everyone is already very familiar with using PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine for process/thread monitoring; sinister already implemented it well in the article <<Writing a Process/Thread Monitor>>. Some time ago I saw people online researching the monitoring of remote threads, which was quite interesting, so I wrote some code to play with it. Some problems came up along the way. For example, if you use sinister's code directly it cannot be unloaded dynamically, because after installing the process/thread notify routines he does no cleanup, which causes a blue screen on dynamic unload with BUGCHECK 0x000000ce, error code DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS. Obviously, after the driver has exited, some process/thread operations are still accessing the original addresses, which causes the fault. From XP on, Microsoft provides a function, PsRemoveCreateThreadNotifyRoutine, to remove the thread notify routine (the process notify routine is removed with PsSetCreateProcessNotifyRoutine). I had always wondered how IceSword managed process/thread monitoring on 2000. Later I found that after IceSword is run it drops a detport.sys file, which then stays in the system without ever being unloaded; it is merely hidden ^_^. That is not good news: do I really have to reboot after every single test of a driver? Heh, certainly not, so I found a way to deal with it.
Platform: | Size: 7492 | Author: | Hits:

[Process-Thread] Safe and stable implementation of process/thread monitoring

Description: I think everyone is already very familiar with using PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine for process/thread monitoring; sinister already implemented it well in the article <<Writing a Process/Thread Monitor>>. Some time ago I saw people online researching the monitoring of remote threads, which was quite interesting, so I wrote some code to play with it. Some problems came up along the way. For example, if you use sinister's code directly it cannot be unloaded dynamically, because after installing the process/thread notify routines he does no cleanup, which causes a blue screen on dynamic unload with BUGCHECK 0x000000ce, error code DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS. Obviously, after the driver has exited, some process/thread operations are still accessing the original addresses, which causes the fault. From XP on, Microsoft provides a function, PsRemoveCreateThreadNotifyRoutine, to remove the thread notify routine (the process notify routine is removed with PsSetCreateProcessNotifyRoutine). I had always wondered how IceSword managed process/thread monitoring on 2000. Later I found that after IceSword is run it drops a detport.sys file, which then stays in the system without ever being unloaded; it is merely hidden ^_^. That is not good news: do I really have to reboot after every single test of a driver? Heh, certainly not, so I found a way to deal with it.
Platform: | Size: 7168 | Author: | Hits:

[SCM] icesword1.18

Description: hao (good)
Platform: | Size: 2036736 | Author: sunlightboy | Hits:

[File Format] stopword

Description: This is a stop-word list used to remove stop words during feature extraction; very useful.
Platform: | Size: 1024 | Author: zzhang | Hits:

[CSharp] IceSword1.18

Description: See for yourself; anyone in the know is familiar with it. A commonly used hacker tool, fairly easy to use and very simple.
Platform: | Size: 4118528 | Author: daiyu | Hits:

[Driver Develop] IceSwordSample

Description: Source code of a fairly old version of IceSwordSample; I believe it can still be of use to everyone.
Platform: | Size: 946176 | Author: 蓝帝 | Hits:

[Other] IceSword120_cn_1022

Description: IceSword (冰刃) can delete files that the system is unable to delete; a good tool for dealing with viruses.
Platform: | Size: 2171904 | Author: 种田 | Hits:

[Other] pw32dasmgold

Description:
Platform: | Size: 279552 | Author: 蒋荣欣 | Hits:

[Internet-Network] ntshell080726

Description: This is a free, open-source remote control program. Features: provides a CMDSHELL, file management, process management, port proxy (unfinished), screen capture and some other functions. It uses some kernel techniques, including unlinking from the active process list (process hiding), the same forced process-kill method as IceSword (can kill the processes of some antivirus software), opening files from Ring0 (used to infect running executables), and driverless Ring0 on 2000/XP. Supports both forward and reverse connections; both the server side and the controller side can accept and manage multiple connections.
Platform: | Size: 804864 | Author: 方启 | Hits:

[assembly language] eBook-Hacker_Disassembling_Uncovered

Description: E-book: <Hacker Disassembling Uncovered> (English). This book explains in detail how to use disassembly to analyze software when no source code is available.
Platform: | Size: 4947968 | Author: Bai | Hits:

[Windows Develop] QQShake

Description: Window shake, complete code; a decent method of getting past IceSword's own process protection.
Platform: | Size: 173056 | Author: uygfug | Hits:

[Windows Develop] protectself

Description: A method of getting past IceSword's own process protection. The ones online are generally from 2007; my version is from 2008.
Platform: | Size: 4096 | Author: piit | Hits:

[Process-Thread] hides

Description: Although I do not know how IceSword enumerates services, my guess is that in the end it also detects them by walking the SCM's internal ServiceRecordList. Why? See below. Using the InjectDLL.exe in the attachment to inject hideservice.dll into the Services.exe process hides the Alerter service, and IceSword can no longer detect the Alerter service either. The principle of the code is very simple: locate the ServiceRecordList in the Services.exe process and unlink the service to be hidden from the linked list. Since IceSword cannot detect it any more, this shows that IceSword ultimately also detects services by walking the SCM's internal ServiceRecordList.
Platform: | Size: 2048 | Author: fisher | Hits:

[Software Engineering] DRIVER

Description: A driver development tool set, including DebugView, DriverMonitor, IRPTrace, WinObj, DeviceTree.exe, DiskView.exe, EzDriverInstaller.exe and IceSword.exe; very complete.
Platform: | Size: 5144576 | Author: hackjoy | Hits:

[Driver Develop] KsBinSword

Description: An IceSword imitation. Suitable for single-core Windows XP SP2 systems, written with VS2005. The driver layer is written with Windows DDK 3790.1830.
Platform: | Size: 3602432 | Author: dailin | Hits:

CodeBus www.codebus.net