Location:
Search - ring3 hook
Search list
Description: Rootkit 1。 内核hook 隐身术 ring0中调用ring3程序 其他
Platform: |
Size: 6086340 |
Author: 359380123@qq.com |
Hits:
Description: 在Ring0层中调用Ring3层的功能 需要安装DDK-in Rign0 layer called Ring3 layer functions need to install DDK
Platform: |
Size: 932864 |
Author: 大家庭 |
Hits:
Description: 该代码为我学习winnt内核时所写,主要功能是在ring3下通过DeviceIoControl与驱动进行通信,获取内核的数据以及sdt,idt信息等。并实现了hook NtQuerySystemInformation函数来实现进程隐藏的功能-The code for the kernel, I am learning winnt wrote, Its main function is in ring3 through DeviceIoControl communication with the driver. access to the kernel and sdt data, the information loop. And the achievement of the hook function to achieve NtQuerySystemInformation implicit process possession of the function
Platform: |
Size: 55296 |
Author: 左手 |
Hits:
Description: ring0--hook NtContinue+source_code
ring0下面hookNtContinue 使用drx7寄存器实现的hook
this code hooks ntoskrnl!NtContinue to set dr7 to 0 (no updating of dr7)
so NtContinue called from ring3 cannot alter drX registers...
This hook will only PREVENT drX clearing from SEH (kiuser->ntcontinue)
and will not alter debugging using ring3 debuggers (olly->SetThreadContext)
mainly developed for personal reasearch and as anti-bpm...
Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll.dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won t be changed from seh and ring3 code =)
Its use for some targets such as armadillo... but never posted code...
by deroko-ring0- hook NtContinue+ source_codering0 use the following hookNtContinue register drx7 realize the hook this code hooks ntoskrnl! NtContinue to set dr7 to 0 (no updating of dr7) so NtContinue called from ring3 cannot alter drX registers ... This hook will only PREVENT drX clearing from SEH (kiuser-> ntcontinue) and will not alter debugging using ring3 debuggers (olly-> SetThreadContext) mainly developed for personal reasearch and as anti-bpm ... Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll. dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won t be changed from seh and ring3 code =) Its use for some targets such as armadillo ... but never posted code ... by deroko
Platform: |
Size: 6144 |
Author: 张京 |
Hits:
Description: IDT Hook 检测及恢复
此程序在 Ring3 下打开物理内存对象取得当前内存中的 IDT,再用打开对应的原始内核文件进行比较。带恢复功能。
此程序适用于 XP/2003。采用特征码搜索方式查找。注释详细,代码规范-IDT Hook detection and recovery procedures in this Ring3 to open the physical memory object to obtain the current memory of IDT, and then open the corresponding document to compare original kernel. With recovery. This procedure applies to XP/2003. Using signature search search. Notes detailed specification code
Platform: |
Size: 6144 |
Author: 张京 |
Hits:
Description: ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (of Team Vexillium). t uses a ring0 driver to hook KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program ofc).
The difference between this method, and the standard debug API method it that this method monitores all of XP processes, and the program does not have to attach to any other process to monitor it, hence it s harder to detect.
The code currently is considered as ALPHA, and it has been reported to BSoD sometimes (on multi core/cpu machines). Take Care!
Platform: |
Size: 53248 |
Author: 张京 |
Hits:
Description: Hook Api Library 0.2 [Ring0&3] By Anskya
Email:Anskya@Gmail.com
ring3 inline hook For Api
Thank:
前29A高手也一直都是我的偶像...z0mbie大牛...这里膜拜一下
使用的LDE32引擎是翻译他老人家的...C->Delphi...
说明:
1.利用堆栈跳转
没有使用传统的jmp xxxx 长跳转,使用容易理解的push xxxx+ret
仔细看代码容易理解...封装完好.
2.内存补丁结构:
补丁1:|push xxx--钩子处理过程|ret|
补丁2:|保存原始补丁地址|保存原始地址代码长度|原始地址的代码|push xxxxxx|ret|
更新说明:
0.2:
支持Ring0 Inline Hook
0.1:
Ring3 Inline Hook
-Hook Api Library 0.2 [Ring0
Platform: |
Size: 6144 |
Author: david |
Hits:
Description: 对付ring0 inline hook的基本思路是这样的,自己写一个替换的内核函数,以NtOpenProcess为例,就是 MyNtOpenProcess。然后修改SSDT表,让系统服务进入自己的函数MyNtOpenProcess。而MyNtOpenProcess要做的事就是,实现NtOpenProcess前10字节指令,然后再JMP到原来的NtOpenProcess的十字节后。这样NtOpenProcess 函数头写的JMP都失效了,在ring3直接调用OpenProcess再也毫无影响。-Ring0 inline hook to deal with the basic idea is that the replacement of their own to write a kernel function to NtOpenProcess for example, is MyNtOpenProcess. And then amend the SSDT table, so that system services into its own function MyNtOpenProcess. And MyNtOpenProcess to do is realize NtOpenProcess the first 10-byte instruction, and then JMP to the original NtOpenProcess the Cross Festival. This NtOpenProcess function of the JMP are the first to write a lapse in ring3 no longer directly call OpenProcess no impact.
Platform: |
Size: 3072 |
Author: sdlylz |
Hits:
Description: Hook CreateFileA ,Ring3下的inline Hook-Hook CreateFileA, Ring3 under inline Hook
Platform: |
Size: 4107264 |
Author: QQ |
Hits:
Description: tat hook api 在一个文件中对自身调用的api进行hook的一个例子。-tat hook api in a document of its own hook to call api
Platform: |
Size: 7168 |
Author: 王奎 |
Hits:
Description: 可以将机器码计算为汇编指令并且算出指令长度的C头文件。在编写Ring0或Ring3的Inline Hook时不可缺少的东西。-Can be calculated as the compilation of binary instructions and directives to calculate the length of the C header file. In the preparation of the Ring0 or Ring3 when Inline Hook indispensable things.
Platform: |
Size: 15360 |
Author: gbcgbc |
Hits:
Description: 对于hook,从ring3有很多,ring3到ring0也有很多,根据api调用环节递进的顺序,在每一个环节都有hook的机会,可以有int 2e或者sysenter hook,ssdt hook,inline hook ,irp hook,object hook,idt hook-The hook, from ring3 there are many, ring3 to ring0 there are many, according to api call progressive sequence of links, each link in the opportunity to have a hook, you can have int 2e or sysenter hook, ssdt hook, inline hook, irp hook, object hook, idt hook, etc.
Platform: |
Size: 1869824 |
Author: 王小明 |
Hits:
Description: 一般网上找到的都是需要Ring3传输需要补丁的地址过去...
002就是直接用最标准的方法进行SSDT定位以及修复的
支持多核系统,当然还有003(加入shadow ssdt hook),004(加入inline hook)
基本上是现在最稳定的恢复方式了,大家可以用KMDLoader测试.加载就脱钩.不需要通讯
-Generally find on the Internet are required Ring3 address transmission needs a patch in the past ... 002 is the direct use of most standard approach to SSDT locate and repair support for multi-core systems, of course, 003 (add shadow ssdt hook), 004 (adding inline hook) is basically the recovery is now the most stable way, and we can use KMDLoader test. loaded on decoupling. does not require communication
Platform: |
Size: 515072 |
Author: 按时飞 |
Hits:
Description: 完整的ring3 hook openprocess
包含 VB 調用例子而且非常穩定-Full ring3 hook openprocess includes examples of VB calls and is very stable
Platform: |
Size: 998400 |
Author: 火車 |
Hits:
Description: RING3 HOOK API FINDFILE函数隐藏文件-HOOK API FINDFILE
Platform: |
Size: 1024 |
Author: ly |
Hits:
Description: Anti Hook from ring3
Platform: |
Size: 21504 |
Author: depress |
Hits:
Description: Delphi Source Code:
=== === === === === === === ====
Magic Api Hook Engine v1.0 - Date: 2006.04.24
this is a simple all around process api hooker
UserMode(Ring3) just for WinNT family
By: Magic_h2001 - magic_h2001@yahoo.com
Home: http://magic.shabgard.org
==============================================
-Delphi Source Code:
==============================================
Magic Api Hook Engine v1.0 - Date: 2006.04.24
this is a simple all around process api hooker
UserMode(Ring3) just for WinNT family
By: Magic_h2001 - magic_h2001@yahoo.com
Home: http://magic.shabgard.org
==============================================
Platform: |
Size: 18432 |
Author: Weder |
Hits:
Description: 用汇编实在Ring3 和 Ring0 下的Inline HooK-It Ring3 and assembly under the Inline HooK Ring0
Platform: |
Size: 14336 |
Author: 星痕 |
Hits:
Description: 另类挂钩-RING3数据包监视 另类挂钩-RING3数据包监视-Alternative hook-RING3 packet monitoring alternative hook-RING3 packet monitoring
Platform: |
Size: 3072 |
Author: sinsin0005 |
Hits:
Description: {
Ring3 Hook api Demo By Anskya
Email: Anskya@Gmail.com
www.delphibasics.co.nr
//In this example, the phrase "Hello World" is checked and changed to "Goodbye World"
}-{
Ring3 Hook api Demo By Anskya
Email: Anskya@Gmail.com
www.delphibasics.co.nr
//In this example, the phrase "Hello World" is checked and changed to "Goodbye World"
}
Platform: |
Size: 5120 |
Author: Diego |
Hits: