Search - idt hook

Search list

[Hook api] idt_src

Description: Keyboard IDT hook example, a good tutorial for learning about rootkits!
Platform: | Size: 145256 | Author: luocong | Hits:

[Driver Develop] IDTGuard

Description: IDT hook detection and recovery. This program opens the physical memory object from Ring3 to obtain the IDT currently in memory, then opens the corresponding original kernel file and compares the two. Includes a recovery function. Works on XP/2003. Uses signature (byte-pattern) searching to locate the data. Detailed comments, standards-compliant code.
Platform: | Size: 6505 | Author: 张京 | Hits:

[Hook api] rootkit that hooks all interrupt vectors

Description: The code hooks all 256 interrupt vectors and prints the interrupt trace in DebugView. To use it, load the .sys driver; see the .c file for the actual code.
Platform: | Size: 33978 | Author: happyforall | Hits:

[Windows Develop] taskmgr

Description: taskmgr is the source code of Task Manager; many people probably already have it ^_^
Platform: | Size: 268288 | Author: 洛克 | Hits:

[Driver Develop] dvKrnlData

Description: I wrote this code while studying the WinNT kernel. Its main function is to communicate with the driver from Ring3 via DeviceIoControl and obtain kernel data as well as SDT and IDT information. It also hooks the NtQuerySystemInformation function to implement process hiding.
Platform: | Size: 55296 | Author: 左手 | Hits:

[Hook api] idt_src

Description: Keyboard IDT hook example, a good tutorial for learning about rootkits!
Platform: | Size: 145408 | Author: luocong | Hits:

[Driver Develop] IDTGuard

Description: IDT hook detection and recovery. This program opens the physical memory object from Ring3 to obtain the IDT currently in memory, then opens the corresponding original kernel file and compares the two. Includes a recovery function. Works on XP/2003. Uses signature (byte-pattern) searching to locate the data. Detailed comments, standards-compliant code.
Platform: | Size: 6144 | Author: 张京 | Hits:

[Hook api] keyboardhook

Description: Uses the IDT hook technique to capture keystroke records and provides an interface for reading the records.
Platform: | Size: 13312 | Author: zh | Hits:

[Driver Develop] Kehook

Description: For hooking, there are many options in Ring3, and many more on the path from Ring3 to Ring0. Following the sequence of stages an API call passes through, there is an opportunity to hook at each stage: int 2e or sysenter hook, SSDT hook, inline hook, IRP hook, object hook, IDT hook.
Platform: | Size: 1869824 | Author: 王小明 | Hits:

[Driver Develop] interrupthook_src

Description: Hooks all IDT entries, records in a GUI how many times each IDT callback function is called, and lets you view interrupt information.
Platform: | Size: 27648 | Author: michael | Hits:

[Windows Develop] SESYS

Description: Code for obtaining the address of the PAGE section. Roughly includes SSDT, IDT and MSR hooks, three kinds of notify routines, and code that reads offsets from a file to resist dirty tricks. In support of this programming board.
Platform: | Size: 11264 | Author: r00tsh3ll | Hits:

[assembly language] Hook

Description: This article is divided into three parts by difficulty: 1. User-mode hooks: IAT hook, DLL injection. 2. Kernel-mode hooks: SSDT hook, IDT hook, int 2e/sysenter hook. 3. Inline function hook.
Platform: | Size: 14336 | Author: lee | Hits:

[Hook api] showIDT

Description: Displays the IDT from R3; a must-have for IDT hook research.
Platform: | Size: 8192 | Author: | Hits:

[OS program] IDTtool

Description: View IDT hooks and repair IDT hooks from Ring3! Modified version!
Platform: | Size: 1300480 | Author: 小错 | Hits:

[Hook api] windows_kernel_tool

Description: 1. SSDT hook detection and recovery. 2. IDT hook detection and recovery. 3. Detection of driver modules loaded by the system. 4. Enumeration of processes and detection of the DLLs loaded by each process.
Platform: | Size: 2296832 | Author: 虫子 | Hits:

[Hook api] object-hook

Description: Information hiding. Highlight 1: the rootkit is hidden as a resource inside a user-mode program. Highlight 2: the user program's code is used as the seed for key generation, which effectively prevents the hidden information from being exposed after reverse engineering, because only code reconstructed after reversing that matches the original author's code exactly will be able to open the deeply hidden downloader link and code. Highlight 3: a fixed KEY is run through some computation to produce an array of 1024 keys. This key array is then combined with the user code to finally produce a 4-byte decoding KEY. Using the decoding KEY, the dirty downloader code and list hidden in the resources of the driver loaded into memory are found and parsed out and returned to the user program, which uses them to do bad things and finally wipes its traces clean. Highlight 4: modifies IDT interrupt 0e so that it points to an invalid address, giving you a blue screen when debugging, which serves as an anti-debugging function.
Platform: | Size: 11264 | Author: wu | Hits:

[Hook api] IDT-Hook-

Description: The IDT is a linear table with 256 entries; each IDT entry is an 8-byte descriptor, so the whole IDT is 256*8 = 2048 bytes. Each interrupt vector is associated with an interrupt handler. The so-called interrupt vector is simply a number from 0 to 255 that identifies each interrupt or exception.
Platform: | Size: 112640 | Author: wu | Hits:

[OS program] XueTr

Description: 1. View process, thread, process module, process window and process memory information; view hotkey information; kill processes, kill threads, unload modules, etc. 2. View kernel driver modules, with support for copying kernel driver module memory. 3. View SSDT, Shadow SSDT, FSD, KBD, TCPIP and IDT information, and detect and recover SSDT hooks and inline hooks. 4. View CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego and other Notify Routine information, with support for deleting these Notify Routines. 5. View port information (Windows 2000 not currently supported). 6. View message hooks. 7. Detection and recovery of IAT, EAT, inline hooks and patches in kernel modules. 8. Detection of disk, volume, keyboard and network-layer filter drivers, with support for deletion. 9. Registry editing.
Platform: | Size: 3696640 | Author: 接收 | Hits:

[Hook api] IDThjack

Description: Hidden IDT hook that gets past XueTr and PowerTool. I found that even WinDbg's !idt command cannot see it; apparently the guys at MS were lazy too. The principle is the use of the selector. Posting the code directly; I won't explain the basics of the IDT here.
Platform: | Size: 45056 | Author: 田浩 | Hits:

[Hook api] IDThjack

Description: The code introduces a new IDT hook method! A very novel approach.
Platform: | Size: 45056 | Author: linzhixin | Hits:

CodeBus www.codebus.net