Search - ssdt hook

Search list

[Hook api] driver

Description: A driver written with the DDK that modifies the SSDT to hook the NTDebugActiveProcess function. The hook function can check the PID and decide whether to let the call through; if it does, it calls the original NTDebugActiveProcess from inside the hook, otherwise it returns False directly. Once the hook is in place, every program that calls DebugActiveProcess will fail. You can of course hook more system service functions as you need. The service number of a given service function differs between operating system versions. Please test the compiled driver in the attachment below on WinXP SP2; otherwise it may cause an immediate reboot.
Platform: | Size: 3072 | Author: 张京 | Hits:

[OS program] SSDTHook

Description: The basic idea for dealing with a ring0 inline hook is this: write your own replacement kernel function; taking NtOpenProcess as the example, that is MyNtOpenProcess. Then modify the SSDT so that the system service call enters your own function MyNtOpenProcess. What MyNtOpenProcess has to do is execute the first 10 bytes of instructions of NtOpenProcess and then JMP to the original NtOpenProcess ten bytes in. This way any JMP written at the head of NtOpenProcess is rendered ineffective, and calling OpenProcess directly from ring3 is no longer affected.
Platform: | Size: 3072 | Author: sdlylz | Hits:

[Hook api] KillIceSword(SSDT_and_Inline_Hook_in_Ring0)

Description: Bypasses IceSword's inline hook via the SSDT in order to shut down IceSword.
Platform: | Size: 154624 | Author: inking | Hits:

[Windows Develop] K

Description:
Platform: | Size: 3604480 | Author: 徐善 | Hits:

[Hook api] vice

Description: Can find various kinds of system hooks, including hooks in the IAT, the SSDT, and so on. VICE is a tool to find hooks. Features include: 1. Looks for people hooking IATs. 2. Looks for people hooking functions in-line, aka detouring. 3. Looks for hooks in the System Call Table. Thanks to Tan, perhaps it will fix the table in the future. 4. Looks for detour hooks in the System Call Table functions themselves. 5. Looks for people hooking the IRP_MJ table in drivers. This is configurable via driver.ini.
Platform: | Size: 67584 | Author: 袁晓辉 | Hits:

[Windows Develop] SESYS

Description: Code for getting the address of the PAGE section. Roughly covers SSDT, IDT and MSR hooks, the three kinds of notify routines, and code that reads offsets from a file to resist dirty tricks. Posted in support of this programming board.
Platform: | Size: 11264 | Author: r00tsh3ll | Hits:

[OS program] Ring0HOOKSSDTReg

Description: Developed with the DDK; implements registry monitoring in Ring0 by hooking the SSDT.
Platform: | Size: 4096 | Author: 李扬 | Hits:

[Editor] Draft

Description: SSDT Hook snippet - so I can download some source code off this site
Platform: | Size: 2449408 | Author: Zerith | Hits:

[Driver Develop] InlineHookScan

Description: Searches for inline hooks at the driver layer, checking whether the entry of each kernel function in the SSDT has been inline-hooked.
Platform: | Size: 345088 | Author: 王海 | Hits:

[Driver Develop] myhook

Description: Driver source that uses an SSDT HOOK to cleverly get past a LINK HOOK. Suitable for beginners getting familiar with the kernel.
Platform: | Size: 2048 | Author: 郭嘉 | Hits:

[Driver Develop] ressdt2

Description: SSDT restore source; if functions in your SSDT have been hooked, this code can be used to restore them.
Platform: | Size: 5120 | Author: 杨靖 | Hits:

[Delphi VCL] DELPHI_SSDT_HOOK

Description: This is an example of how to make a rootkit using Delphi.
Platform: | Size: 2048 | Author: n3m0 | Hits:

[Hook api] windows_kernel_tool

Description: 1. SSDT hook detection and restore; 2. IDT hook detection and restore; 3. detection of driver modules loaded by the system; 4. enumeration of processes and of the DLLs loaded by each process.
Platform: | Size: 2296832 | Author: 虫子 | Hits:

[Hook api] arktool

Description: 1. Message hook monitoring: lists the message hooks on the system. 2. Module load monitoring: lists all kernel modules loaded on the system. 3. SSDT monitoring: obtains the original SSDT addresses to find APIs hooked by malicious programs and restore the SSDT. 4. Registry protection: protects some important registry keys so that malicious programs cannot modify them. 5. Hidden process detection: detects processes hidden on the system. 6. Hidden port detection: detects ports hidden on the system. 7. Forced process kill: can kill self-protecting malicious processes on the system.
Platform: | Size: 3553280 | Author: 虫子 | Hits:

[OS program] 007

Description: With the development of computing, more and more people use personal computers, and the mainstream operating system is Microsoft's Windows, which holds over 90% of the PC operating system market. Problems follow: more and more viruses, Trojans, hacker programs, malware, rogue software and spyware targeting this platform steal and destroy user data. Research shows that most of these illegitimate programs use the registry to start themselves automatically. So as long as we intercept those programs' access to the registry, we can stop them from starting and thereby protect user data. This design uses the SSDT Hook technique to intercept registry access. This interception technique is general-purpose and powerful.
Platform: | Size: 2985984 | Author: ZYM | Hits:

[Hook api] Hook-ZWopenprocess

Description: Kernel development; mainly shows how to hook a function via the SSDT.
Platform: | Size: 3072 | Author: zzz | Hits:

[Hook api] ssdt_hook

Description: SSDT HOOK engine. Before calling HookService() you should first call InitServicesTalbe() to save the SSDT once, so that later repeated hooks do not have to save it again and again!
Platform: | Size: 4096 | Author: agf | Hits:

[Hook api] MzfHips

Description: A HIPS implemented with the SSDT hook technique; the driver is built with the DDK and the user-mode part is written in VC6.0.
Platform: | Size: 198656 | Author: | Hits:

[Hook api] SSDTHOOK

Description: A simple SSDT Hook, so that friends who want to learn SSDT HOOK can study it.
Platform: | Size: 10240 | Author: 王恺轶 | Hits:

[Hook api] SSDT--11

Description: SSDT stands for System Services Descriptor Table. This table is what links the ring3 Win32 API to the ring0 kernel API. The SSDT is not just a huge address index table; it also contains other useful information, such as the base address of the address index and the number of service functions. By modifying the function addresses in this table one can hook commonly used Windows functions and APIs, and thereby filter and monitor system actions of interest. Some HIPS, antivirus, system monitoring and registry monitoring software often use this interface to implement their own monitoring modules. At present a very small number of viruses do use this method to protect themselves or to sabotage antivirus software, but if the antivirus software can recognize and remove such a virus before it enters the system, it will have no chance to act.
Platform: | Size: 335872 | Author: 小明 | Hits:

CodeBus www.codebus.net