A trivial piece of work, nothing technical about it.
Automatically hooks the NetRockey function inside the packer shell and the NetRockey function exported by NrClient.dll.
For the shell part, the start address of NetRockey is located by signature search.
Usage:
1. Extract the archive into the directory of the program to be monitored.
2. Run Loader.exe and select the exe to monitor.
3. After the monitored exe has finished running, close the process and inspect LOG_Rockey.txt.
LOG_Rockey.txt
---------- 2010-10-07 14:24:25 ----------
14:24:25 注入完成.
14:24:25 LoadLibraryA LibFileName Kernel32.dll
14:24:25 LoadLibraryA LibFileName Kernel32.dll
14:24:25 LoadLibraryA LibFileName User32.dll
14:24:25 LoadLibraryA LibFileName Gdi32.dll
14:24:25 LoadLibraryA LibFileName Msvcrt.dll
14:24:25 LoadLibraryA LibFileName wsock32.dll
14:24:25 LoadLibraryA LibFileName netapi32.dll
14:24:25 GetVersionExA Ret 0140AFD7
14:24:25 脱壳完成.
14:24:25 开始搜索 NetRockey 函数地址...
14:24:25 发现地址 0140D0D8
14:24:25 调用 NetRockey 开始 function = 1(RY_FIND), handle = 5FE1, lp1 = 7C930F04, lp2 = 7C92E920, p1 = FFFF, p2 = FFFF, p3 = 0, p4 = 0 返回地址 0140AAA4
14:24:25 LoadLibraryA LibFileName C:\WINDOWS\system32\mswsock.dll
14:24:25 LoadLibraryA LibFileName C:\WINDOWS\system32\mswsock.dll
14:24:25 LoadLibraryA LibFileName WS2_32.dll
14:24:27 调用 NetRockey 结束 handle = 0, lp1 = 40F937C, lp2 = 20E9927C, p1 = 0, p2 = 0, p3 = 0, p4 = 0 返回值 00000003(ERR_NO_ROCKEY)
14:24:27 LoadLibraryA LibFileName C:\WINDOWS\system32\ole32.dll
14:24:27 LoadLibraryA LibFileName KERNEL32.DLL
14:24:27 LoadLibraryA LibFileName KERNEL32.DLL
14:24:27 LoadLibraryA LibFileName KERNEL32.DLL
14:24:27 LoadLibraryA LibFileName advapi32.dll
14:24:27 LoadLibraryA LibFileName user32.dll
14:24:27 LoadLibraryA LibFileName user32.dll
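As an added example (not part of the original post or its tool), the following Python parser turns LOG_Rockey.txt lines of the format shown above into structured records: each NetRockey call is paired with its "结束" line so the input arguments, output arguments and return code (e.g. ERR_NO_ROCKEY) can be audited, and the modules loaded via LoadLibraryA are collected. The sample log embedded in the block is constructed from the excerpt above.

```python
import re

# Constructed sample modelled on the LOG_Rockey.txt excerpt above (not the original file).
SAMPLE_LOG = """\
---------- 2010-10-07 14:24:25 ----------
14:24:25 注入完成.
14:24:25 LoadLibraryA LibFileName Kernel32.dll
14:24:25 发现地址 0140D0D8
14:24:25 调用 NetRockey 开始 function = 1(RY_FIND), handle = 5FE1, lp1 = 7C930F04, lp2 = 7C92E920, p1 = FFFF, p2 = FFFF, p3 = 0, p4 = 0 返回地址 0140AAA4
14:24:25 LoadLibraryA LibFileName WS2_32.dll
14:24:27 调用 NetRockey 结束 handle = 0, lp1 = 40F937C, lp2 = 20E9927C, p1 = 0, p2 = 0, p3 = 0, p4 = 0 返回值 00000003(ERR_NO_ROCKEY)
"""

TS = r"(\d\d:\d\d:\d\d)"
CALL_BEGIN = re.compile(TS + r" 调用 NetRockey 开始 function = (\d+)\((\w+)\), (.*) 返回地址 ([0-9A-F]+)$")
CALL_END = re.compile(TS + r" 调用 NetRockey 结束 (.*) 返回值 ([0-9A-F]+)\((\w+)\)$")
LOADLIB = re.compile(TS + r" LoadLibraryA LibFileName (.+)$")
PARAM = re.compile(r"(\w+) = ([0-9A-F]+)")  # "handle = 5FE1, lp1 = ..." -> hex values

def parse_params(text):
    """Turn 'handle = 5FE1, lp1 = 7C930F04, ...' into {'handle': 0x5FE1, ...}."""
    return {name: int(value, 16) for name, value in PARAM.findall(text)}

def parse_log(text):
    """Return (calls, libs): one dict per NetRockey call (begin and end lines paired
    in order of appearance) and the list of modules loaded via LoadLibraryA."""
    calls, libs, pending = [], [], None
    for line in text.splitlines():
        m = CALL_BEGIN.match(line)
        if m:
            pending = {"time_begin": m[1], "function": int(m[2]), "function_name": m[3],
                       "args_in": parse_params(m[4]), "return_address": m[5],
                       "time_end": None, "args_out": {}, "return_code": None, "return_name": None}
            calls.append(pending)
            continue
        m = CALL_END.match(line)
        if m and pending is not None:  # pair the end line with the still-open call
            pending.update(time_end=m[1], args_out=parse_params(m[2]),
                           return_code=int(m[3], 16), return_name=m[4])
            pending = None
            continue
        m = LOADLIB.match(line)
        if m:
            libs.append(m[2])
    return calls, libs

def failed_calls(calls):
    """Calls whose logged return name is an ERR_* code (e.g. ERR_NO_ROCKEY: no dongle found)."""
    return [c for c in calls if (c["return_name"] or "").startswith("ERR_")]
```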
新建文件夹.rar