It seems plenty of people abroad are using XueTr as well;
I wonder whether it gave them a surprise...
Here is the original post:
Killing XueTr from User Mode (oXueTb Poc)
http://forum.sysinternals.com/topic22240_post117287.html
The poster closes with a summarizing remark:
I suggest antirootkit author stop using that sh1t and remove most of these useless hooks. This will dramatically improve stability and usability of your tool.
The code is Delphi; the flow seems to be:
First, the logic that opens the XueTr process and terminates it is written into a DLL;
then the DLL's binary is embedded in the main program as a byte array;
the main program loads that DLL dynamically from memory and injects it into csrss.
To open the XueTr process it enumerates every handle in the system with
ZwQuerySystemInformation(SystemHandleInformation, buf, 4194304, @bytesIO);
and then uses ZwQueryInformationProcess on each handle to check whether its pid is XueTr's pid.
To terminate the process it uses
DbgUiDebugActiveProcess
and then closes the handle.
What I don't get is why they went to the trouble of loading the DLL dynamically from memory,
and why inject into csrss at all?
Perhaps it is because XueTr hooks LoadLibraryExW...
Finally, XueTr's main hooks (RkU output):
RkU Version: 5.1.700.2220, Type VX2 (VX+)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Shadow SSDT
==============================================
win32k.sys-->NtUserBuildHwndList, Type: Address Change 0xBF835F21-->F490E274 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserDestroyWindow, Type: Address Change 0xBF845873-->F490E656 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserFindWindowEx, Type: Address Change 0xBF8B1369-->F490E356 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserGetForegroundWindow, Type: Address Change 0xBF820BC1-->F490E3A0 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserMessageCall, Type: Address Change 0xBF80EE6B-->F490E698 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address Change 0xBF8B3D3D-->F490E4D4 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserQueryWindow, Type: Address Change 0xBF803B56-->F490E516 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserSetParent, Type: Address Change 0xBF879695-->F490E554 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserSetWindowLong, Type: Address Change 0xBF832BEC-->F490E5D2 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserShowWindow, Type: Address Change 0xBF834FA9-->F490E614 [C:\Documents and Settings\XueTr.sys]
win32k.sys-->NtUserWindowFromPoint, Type: Address Change 0xBF8213A9-->F490E592 [C:\Documents and Settings\XueTr.sys]
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x0009A639, Type: Inline - RelativeCall 0x80571639-->F490F30E [XueTr.sys]
ntoskrnl.exe+0x0009A903, Type: Inline - RelativeCall 0x80571903-->F490F166 [XueTr.sys]
ntoskrnl.exe+0x000A48C9, Type: Inline - RelativeCall 0x8057B8C9-->F490F58A [XueTr.sys]
ntoskrnl.exe+0x000AB325, Type: Inline - RelativeCall 0x80582325-->F490F58A [XueTr.sys]
ntoskrnl.exe+0x000B330F, Type: Inline - RelativeCall 0x8058A30F-->F490F166 [XueTr.sys]
win32k.sys-->NtUserPostMessage, Type: Inline - RelativeJump 0xBF8089B4-->F490E3EC [XueTr.sys]
[948]XueTr.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00402B20 [XueTr.exe]