Hot Search : Source embeded web remote control p2p game More...
Location : Home Search - ring0 hook
Search - ring0 hook - List
[Hook api] hookntcontinue
DL : 0
ring0--hook NtContinue+source_code ring0下面hookNtContinue 使用drx7寄存器实现的hook this code hooks ntoskrnl!NtContinue to set dr7 to 0 (no updating of dr7) so NtContinue called from ring3 cannot alter drX registers... This hook will only PREVENT drX clearing from SEH (kiuser->ntcontinue) and will not alter debugging using ring3 debuggers (olly->SetThreadContext) mainly developed for personal reasearch and as anti-bpm... Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll.dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won t be changed from seh and ring3 code =) Its use for some targets such as armadillo... but never posted code... by deroko
Update : 2008-10-13 Size : 6.27kb Publisher : 张京
[Driver Develop] Rootkit 内核hook 隐身术
DL : 0
Rootkit 1。 内核hook 隐身术 ring0中调用ring3程序 其他
Update : 2012-03-29 Size : 5.8mb Publisher : 359380123@qq.com
[Driver Develop] CallRing3FormRing0
DL : 0
在Ring0层中调用Ring3层的功能 需要安装DDK-in Rign0 layer called Ring3 layer functions need to install DDK
Update : 2025-02-17 Size : 911kb Publisher : 大家庭
[Hook api] hookntcontinue
DL : 0
ring0--hook NtContinue+source_code ring0下面hookNtContinue 使用drx7寄存器实现的hook this code hooks ntoskrnl!NtContinue to set dr7 to 0 (no updating of dr7) so NtContinue called from ring3 cannot alter drX registers... This hook will only PREVENT drX clearing from SEH (kiuser->ntcontinue) and will not alter debugging using ring3 debuggers (olly->SetThreadContext) mainly developed for personal reasearch and as anti-bpm... Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll.dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won t be changed from seh and ring3 code =) Its use for some targets such as armadillo... but never posted code... by deroko-ring0- hook NtContinue+ source_codering0 use the following hookNtContinue register drx7 realize the hook this code hooks ntoskrnl! NtContinue to set dr7 to 0 (no updating of dr7) so NtContinue called from ring3 cannot alter drX registers ... This hook will only PREVENT drX clearing from SEH (kiuser-> ntcontinue) and will not alter debugging using ring3 debuggers (olly-> SetThreadContext) mainly developed for personal reasearch and as anti-bpm ... Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll. dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won t be changed from seh and ring3 code =) Its use for some targets such as armadillo ... but never posted code ... by deroko
Update : 2025-02-17 Size : 6kb Publisher : 张京
[Driver Develop] ExcpHookMonitor_0.0.4
DL : 0
ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (of Team Vexillium). t uses a ring0 driver to hook KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program ofc). The difference between this method, and the standard debug API method it that this method monitores all of XP processes, and the program does not have to attach to any other process to monitor it, hence it s harder to detect. The code currently is considered as ALPHA, and it has been reported to BSoD sometimes (on multi core/cpu machines). Take Care!
Update : 2025-02-17 Size : 52kb Publisher : 张京
[Hook api] HookLibrary
DL : 0
Hook Api Library 0.2 [Ring0&3] By Anskya Email:Anskya@Gmail.com ring3 inline hook For Api Thank: 前29A高手也一直都是我的偶像...z0mbie大牛...这里膜拜一下 使用的LDE32引擎是翻译他老人家的...C->Delphi... 说明: 1.利用堆栈跳转 没有使用传统的jmp xxxx 长跳转,使用容易理解的push xxxx+ret 仔细看代码容易理解...封装完好. 2.内存补丁结构: 补丁1:|push xxx--钩子处理过程|ret| 补丁2:|保存原始补丁地址|保存原始地址代码长度|原始地址的代码|push xxxxxx|ret| 更新说明: 0.2: 支持Ring0 Inline Hook 0.1: Ring3 Inline Hook -Hook Api Library 0.2 [Ring0
Update : 2025-02-17 Size : 6kb Publisher : david
[OS program] SSDTHook
DL : 0
对付ring0 inline hook的基本思路是这样的,自己写一个替换的内核函数,以NtOpenProcess为例,就是 MyNtOpenProcess。然后修改SSDT表,让系统服务进入自己的函数MyNtOpenProcess。而MyNtOpenProcess要做的事就是,实现NtOpenProcess前10字节指令,然后再JMP到原来的NtOpenProcess的十字节后。这样NtOpenProcess 函数头写的JMP都失效了,在ring3直接调用OpenProcess再也毫无影响。-Ring0 inline hook to deal with the basic idea is that the replacement of their own to write a kernel function to NtOpenProcess for example, is MyNtOpenProcess. And then amend the SSDT table, so that system services into its own function MyNtOpenProcess. And MyNtOpenProcess to do is realize NtOpenProcess the first 10-byte instruction, and then JMP to the original NtOpenProcess the Cross Festival. This NtOpenProcess function of the JMP are the first to write a lapse in ring3 no longer directly call OpenProcess no impact.
Update : 2025-02-17 Size : 3kb Publisher : sdlylz
[Hook api] KillIceSword(SSDT_and_Inline_Hook_in_Ring0)
DL : 0
通过SSDT绕过IceSword的inline Hook来关闭IceSword-IceSword bypass through the SSDT to turn off the inline Hook of IceSword
Update : 2025-02-17 Size : 151kb Publisher : inking
[Hook api] NtOpenProcess[InlineHook]
DL : 0
r0 inline hook sample.
Update : 2025-02-17 Size : 37kb Publisher : xiaohuangran
[Driver Develop] ring0
DL : 0
Ring0钩子防网页挂马的一个代码,不错。-Anti-hook Ring0 pages linked to the horse a code, yes.
Update : 2025-02-17 Size : 70kb Publisher : hybrid
[assembly language] X86IL
DL : 0
可以将机器码计算为汇编指令并且算出指令长度的C头文件。在编写Ring0或Ring3的Inline Hook时不可缺少的东西。-Can be calculated as the compilation of binary instructions and directives to calculate the length of the C header file. In the preparation of the Ring0 or Ring3 when Inline Hook indispensable things.
Update : 2025-02-17 Size : 15kb Publisher : gbcgbc
[Driver Develop] ring0
DL : 0
ring0 hook from an Chinese website
Update : 2025-02-17 Size : 565kb Publisher : Hax4ever
[Driver Develop] Kehook
DL : 0
对于hook,从ring3有很多,ring3到ring0也有很多,根据api调用环节递进的顺序,在每一个环节都有hook的机会,可以有int 2e或者sysenter hook,ssdt hook,inline hook ,irp hook,object hook,idt hook-The hook, from ring3 there are many, ring3 to ring0 there are many, according to api call progressive sequence of links, each link in the opportunity to have a hook, you can have int 2e or sysenter hook, ssdt hook, inline hook, irp hook, object hook, idt hook, etc.
Update : 2025-02-17 Size : 1.78mb Publisher : 王小明
[Driver Develop] RING0
DL : 0
RING0下检测用HOOK SSDT隐藏进程的代码,直接build,适用于XP,2000系统。短小实用。-RING0 detect hidden process by HOOK SSDT code directly build, apply to XP, 2000 systems. Short and practical.
Update : 2025-02-17 Size : 4kb Publisher : ldf
[Hook api] Fireshield-ring0
DL : 0
Example of Ring0 hook with uAll Hook Pack-Example of Ring0 hook with uAll Hook Pack...
Update : 2025-02-17 Size : 245kb Publisher : Cipee
[Documents] Ring0
DL : 0
Ring0中Hook SSDT防止进程被结束
Update : 2025-02-17 Size : 203kb Publisher : 杨晓
[Driver Develop] InlineReHOOK
DL : 0
ring0下恢复inline hook 还有点bug-inline hook resume ring0
Update : 2025-02-17 Size : 27kb Publisher : xwaeeex
[Driver Develop] ObReferenceObjectByHandle
DL : 0
Inline HOOK ObReferenceObjectByHandle 保护进程-Inline HOOK ObReferenceObjectByHandle
Update : 2025-02-17 Size : 1kb Publisher : 朱芮男
[Driver Develop] RING0INLINEHOOK
DL : 0
RING0下的恢复所有模块导出函数的INLINE HOOK驱动-RING0 restore all modules under the derived functions INLINE HOOK-driven
Update : 2025-02-17 Size : 28kb Publisher : franket
[Driver Develop] Ring0
DL : 0
Hook NtQueryDirectoryFile隐藏文件 仅限32位系统-Hook NtQueryDirectoryFile hidden files is limited to 32-bit systems
Update : 2025-02-17 Size : 5kb Publisher : 刘海宁
« 12 »
CodeBus is one of the largest source code repositories on the Internet!
Contact us :
1999-2046 CodeBus All Rights Reserved.