Search - inline hook
Description: Original source code for the Inline Hook ZwCreateSection example from the book 天书夜读 (part 1)
Platform:
Size: 403061
Author: sunwubo@qq.com
Hits:
Description: Hook Api Library 0.2 [Ring0&3] By Anskya
Email: Anskya@Gmail.com
ring3 inline hook for API
Thanks:
The former 29A master has always been my idol... the great z0mbie... paying my respects here.
The LDE32 engine used here is translated from his work... C -> Delphi...
Notes:
1. Uses stack-based jumps
Instead of the conventional long jump (jmp xxxx), it uses the easier-to-understand push xxxx + ret.
Read the code carefully and it is easy to follow... well encapsulated.
2. Memory patch structure:
Patch 1: |push xxx -- hook handler|ret|
Patch 2: |saved original patch address|saved length of original code|original code from the patched address|push xxxxxx|ret|
Changelog:
0.2:
Supports Ring0 Inline Hook
0.1:
Ring3 Inline Hook
Platform:
Size: 6144
Author: david
Hits:
Description: The basic approach to dealing with a ring0 inline hook is this: write your own replacement kernel function; taking NtOpenProcess as the example, call it MyNtOpenProcess. Then modify the SSDT so that the system service dispatches into your own function MyNtOpenProcess. What MyNtOpenProcess has to do is execute the first 10 bytes of instructions of NtOpenProcess itself, and then JMP to the original NtOpenProcess at the point 10 bytes past its start. This way the JMP written at the head of NtOpenProcess has no effect at all, and calling OpenProcess directly from ring3 is no longer affected.
Platform:
Size: 3072
Author: sdlylz
Hits:
Description: A very good piece of inline hook code
Platform:
Size: 93184
Author: sdlylz
Hits:
Description: Shuts down IceSword by going through the SSDT to bypass IceSword's inline hook
Platform:
Size: 154624
Author: inking
Hits:
Description: Hooks CreateFileA; a Ring3 inline hook
Platform:
Size: 4107264
Author: QQ
Hits:
Description: r0 inline hook sample.
Platform:
Size: 37888
Author: xiaohuangran
Hits:
Description: As for hooks, there are many in ring3, and many more on the path from ring3 to ring0. Following the successive stages of an API call, there is an opportunity to hook at every stage: int 2e or sysenter hooks, SSDT hooks, inline hooks, IRP hooks, object hooks, IDT hooks, and so on.
Platform:
Size: 1869824
Author: 王小明
Hits:
Description: Inline hook of KeyboardClassServiceCallback to implement a keylogger
Platform:
Size: 54272
Author: ldf
Hits:
Description: A section of INLINE-HOOK code, plus a loop that checks whether the hook has been overwritten; it can be called directly. [Just pass a PID to HookOn.]
Platform:
Size: 2048
Author: MagicCrow
Hits:
Description: FSD INLINE HOOK code that is almost at a practical level. Most of the code was provided by 炉子 [0GiNr]; thanks to him.
Added a section of code that obtains the dispatch function addresses from the NTFS driver object; if those have already been hooked by someone else, this may cause a blue screen. The best method is still to parse the NTFS file to obtain the original dispatch function addresses. Tested on XP SP2.
Platform:
Size: 10240
Author: 好好
Hits:
Description: DDK inline hook; if you know what it is, just download it
Platform:
Size: 89088
Author: 曹安抚
Hits:
Description: anti np inline hook; can get past the inline hook of the np game protection, still usable at present; asm source
Platform:
Size: 1024
Author: 肖玛佳
Hits:
Description: Restores an inline hook under ring0
Still has some bugs
Platform:
Size: 27648
Author: xwaeeex
Hits:
Description: Inline Hook NtOpenFile; a simple implementation of protecting files under a specified path
Platform:
Size: 2048
Author: zzage
Hits:
Description: Source code for a keyboard Logger using an inline hook that is compatible with both PS/2 and USB keyboards
The keyboard Logger hooks the dispatch function of the keyboard class driver Kbdclass; below the class driver sits the port driver. With DeviceTree you can see that the port driver for a PS/2 keyboard is i8042prt and for a USB keyboard is Kbdhid. Whether the keyboard is PS/2 or USB, once the port driver has finished processing the IRP it calls the upper layer's callback function, i.e. the KbdClass function that processes the input data. Hooking this callback not only gives a Logger compatible with both PS/2 and USB keyboards, but is also stealthier than the layered (filter) driver approach.
Platform:
Size: 62464
Author: ithurricane
Hits:
Description: inline hook NtSetInformationFile to protect a directory or file
Platform:
Size: 3072
Author: 朱芮男
Hits:
Description: Inline HOOK ObReferenceObjectByHandle to protect a process
Platform:
Size: 1024
Author: 朱芮男
Hits:
Description: kernel Inline Hook Word doc
A detailed discussion of the three-step kernel Inline Hook implementation
Platform:
Size: 25600
Author: jpinglove
Hits:
Description: The currently popular and mature kernel inline hook technique is to modify the opcodes of a kernel function, writing instructions such as jmp or push/ret to jump into a new kernel function, thereby modifying or filtering its behaviour. What these techniques have in common is that they all overwrite the original instructions, so they are easily found by searching the function for jmp, push/ret and similar instructions; this kind of inline hook is therefore not stealthy enough. This article uses a more advanced inline hook technique to implement a stealthier inline hook.
Platform:
Size: 32768
Author: xiami001
Hits: