[求助]所有进程都被hook了，这么找出是谁hook的-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]所有进程都被hook了，这么找出是谁hook的

发表于: 2017-1-8 00:35 8538

[求助]所有进程都被hook了，这么找出是谁hook的

火勺

2017-1-8 00:35

8538

en(12) ntdll.dll->NtAllocateVirtualMemory		0x000000007799DB30->_		inline		48 B8 00 D2 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 15 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateEvent		0x000000007799DE30->_		inline		48 B8 F0 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 45 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateFile		0x000000007799DF00->_		inline		48 B8 C0 E9 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 52 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtCreateMutant		0x000000007799E380->_		inline		48 B8 B0 15 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtCreateNamedPipeFile		0x000000007799E390->_		inline		48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreatePagingFile		0x000000007799E3A0->_		inline		48 B8 10 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateProcess		0x000000007799E3D0->_		inline		48 B8 40 0C 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9F 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtCreateProcessEx		0x000000007799DE80->_		inline		48 B8 B0 0D 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 E0 E3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 4A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateSection		0x000000007799DE50->_		inline		48 B8 E0 DC 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 47 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtCreateSemaphore		0x000000007799E410->_		inline		48 B8 50 17 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 A3 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtCreateSymbolicLinkObject		0x000000007799E420->_		inline		48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateThread		0x000000007799DE90->_		inline		48 B8 E0 E3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateThreadEx		0x000000007799E430->_		inline		48 B8 50 E5 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateUserProcess		0x000000007799E480->_		inline		48 B8 40 0F 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 AA 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtDeleteFile		0x000000007799E500->_		inline		48 B8 B0 ED 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 B2 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtDeviceIoControlFile		0x000000007799DA20->_		inline		48 B8 50 EE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 1C 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 04 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtDuplicateObject		0x000000007799DD70->_		inline		48 B8 50 F4 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 39 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtGetNextProcess		0x000000007799E6C0->_		inline		48 B8 20 F7 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 20 F8 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 CE 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtGetNextThread		0x000000007799E6D0->_		inline		48 B8 20 F8 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtLoadDriver		0x000000007799E7A0->_		inline		48 B8 D0 03 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 DC 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtMapViewOfSection		0x000000007799DC30->_		inline		48 B8 00 DF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenEvent		0x000000007799DDB0->_		inline		48 B8 F0 14 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 3D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenFile		0x000000007799DCE0->_		inline		48 B8 80 EB 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 30 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenMutant		0x000000007799E940->_		inline		48 B8 90 16 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 F6 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtOpenProcess		0x000000007799DC10->_		inline		48 B8 90 CE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 23 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenSection		0x000000007799DD20->_		inline		48 B8 30 DE 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 34 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenSemaphore		0x000000007799E990->_		inline		48 B8 50 18 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 FB 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenThread		0x000000007799E9C0->_		inline		48 B8 70 CF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 FE 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtProtectVirtualMemory		0x000000007799DEB0->_		inline		48 B8 40 D7 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 4D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtQueueApcThread		0x000000007799DE00->_		inline		48 B8 20 E7 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 42 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtQueueApcThreadEx		0x000000007799ECC0->_		inline		48 B8 60 E8 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 2E 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtRaiseHardError		0x000000007799ECE0->_		inline		48 B8 10 11 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 30 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtRequestWaitReplyPort		0x000000007799DBD0->_		inline		48 B8 10 05 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 1F 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetContextThread		0x000000007799EEE0->_		inline		48 B8 00 E3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 50 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtSetInformationFile		0x000000007799DC20->_		inline		48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetInformationObject		0x000000007799DF70->_		inline		48 B8 30 12 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 59 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetInformationProcess		0x000000007799DB70->_		inline		48 B8 60 F3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 19 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetSystemInformation		0x000000007799F0A0->_		inline		48 B8 10 03 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 6C 01 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtSuspendProcess		0x000000007799F180->_		inline		48 B8 40 E2 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 7A 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtSuspendThread		0x000000007799F190->_		inline		48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSystemDebugControl		0x000000007799F1A0->_		inline		48 B8 F0 01 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtTerminateProcess		0x000000007799DC70->_		inline		48 B8 60 D0 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 29 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtTerminateThread		0x000000007799DEE0->_		inline		48 B8 30 D1 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 50 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtUnloadDriver		0x000000007799F220->_		inline		48 B8 70 04 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 84 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtUnmapViewOfSection		0x000000007799DC50->_		inline		48 B8 80 E0 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 27 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtWriteFile		0x000000007799DA30->_		inline		48 B8 10 1C 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtWriteVirtualMemory		0x000000007799DD50->_		inline		48 B8 A0 D4 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 37 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwAllocateVirtualMemory		0x000000007799DB30->_		inline		48 B8 00 D2 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 15 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateEvent		0x000000007799DE30->_		inline		48 B8 F0 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 45 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateFile		0x000000007799DF00->_		inline		48 B8 C0 E9 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 52 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwCreateMutant		0x000000007799E380->_		inline		48 B8 B0 15 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwCreateNamedPipeFile		0x000000007799E390->_		inline		48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreatePagingFile		0x000000007799E3A0->_		inline		48 B8 10 13 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateProcess		0x000000007799E3D0->_		inline		48 B8 40 0C 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9F 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwCreateProcessEx		0x000000007799DE80->_		inline		48 B8 B0 0D 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 E0 E3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 4A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateSection		0x000000007799DE50->_		inline		48 B8 E0 DC 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 47 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwCreateSemaphore		0x000000007799E410->_		inline		48 B8 50 17 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 A3 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwCreateSymbolicLinkObject		0x000000007799E420->_		inline		48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateThread		0x000000007799DE90->_		inline		48 B8 E0 E3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateThreadEx		0x000000007799E430->_		inline		48 B8 50 E5 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateUserProcess		0x000000007799E480->_		inline		48 B8 40 0F 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 AA 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwDeleteFile		0x000000007799E500->_		inline		48 B8 B0 ED 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 B2 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwDeviceIoControlFile		0x000000007799DA20->_		inline		48 B8 50 EE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 1C 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 04 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwDuplicateObject		0x000000007799DD70->_		inline		48 B8 50 F4 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 39 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwGetNextProcess		0x000000007799E6C0->_		inline		48 B8 20 F7 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 20 F8 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 CE 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwGetNextThread		0x000000007799E6D0->_		inline		48 B8 20 F8 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwLoadDriver		0x000000007799E7A0->_		inline		48 B8 D0 03 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 DC 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwMapViewOfSection		0x000000007799DC30->_		inline		48 B8 00 DF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenEvent		0x000000007799DDB0->_		inline		48 B8 F0 14 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 3D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenFile		0x000000007799DCE0->_		inline		48 B8 80 EB 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 30 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenMutant		0x000000007799E940->_		inline		48 B8 90 16 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 F6 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwOpenProcess		0x000000007799DC10->_		inline		48 B8 90 CE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 23 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenSection		0x000000007799DD20->_		inline		48 B8 30 DE 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 34 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenSemaphore		0x000000007799E990->_		inline		48 B8 50 18 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 FB 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenThread		0x000000007799E9C0->_		inline		48 B8 70 CF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 FE 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwProtectVirtualMemory		0x000000007799DEB0->_		inline		48 B8 40 D7 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 4D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwQueueApcThread		0x000000007799DE00->_		inline		48 B8 20 E7 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 42 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwQueueApcThreadEx		0x000000007799ECC0->_		inline		48 B8 60 E8 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 2E 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwRaiseHardError		0x000000007799ECE0->_		inline		48 B8 10 11 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 30 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwRequestWaitReplyPort		0x000000007799DBD0->_		inline		48 B8 10 05 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 1F 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetContextThread		0x000000007799EEE0->_		inline		48 B8 00 E3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 50 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwSetInformationFile		0x000000007799DC20->_		inline		48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetInformationObject		0x000000007799DF70->_		inline		48 B8 30 12 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 59 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetInformationProcess		0x000000007799DB70->_		inline		48 B8 60 F3 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 19 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetSystemInformation		0x000000007799F0A0->_		inline		48 B8 10 03 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 6C 01 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwSuspendProcess		0x000000007799F180->_		inline		48 B8 40 E2 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 7A 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwSuspendThread		0x000000007799F190->_		inline		48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSystemDebugControl		0x000000007799F1A0->_		inline		48 B8 F0 01 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwTerminateProcess		0x000000007799DC70->_		inline		48 B8 60 D0 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 29 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwTerminateThread		0x000000007799DEE0->_		inline		48 B8 30 D1 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 50 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwUnloadDriver		0x000000007799F220->_		inline		48 B8 70 04 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 84 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwUnmapViewOfSection		0x000000007799DC50->_		inline		48 B8 80 E0 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 27 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwWriteFile		0x000000007799DA30->_		inline		48 B8 10 1C 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwWriteVirtualMemory		0x000000007799DD50->_		inline		48 B8 A0 D4 1C 00 00 00 00 00 FF E0		4C 8B D1 B8 37 00 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x000000007518FE90->_		inline		48 B8 A0 1F 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 07 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x000000007518FF10->_		inline		48 B8 B0 20 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 0F 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075190090->_		inline		48 B8 10 1F 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 27 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x00000000751903A0->_		inline		48 B8 F0 1D 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 58 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x00000000751903E0->_		inline		48 B8 90 22 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 5C 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075190410->_		inline		48 B8 50 21 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 5F 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075190590->_		inline		48 B8 00 22 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 77 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075190640->_		inline		48 B8 D0 23 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 82 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x00000000751906E0->_		inline		48 B8 F0 24 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 8C 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x00000000751907F0->_		inline		48 B8 A0 1D 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 9D 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075190C40->_		inline		48 B8 60 24 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 E2 10 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075190E60->_		inline		48 B8 90 26 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 04 11 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075190FD0->_		inline		48 B8 80 1E 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 1B 11 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x0000000075192DA0->_		inline		48 B8 E0 25 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 F8 12 00 00 0F 05 C3 0F
len(12) wow64win.dll		0x00000000751931C0->_		inline		48 B8 30 23 1D 00 00 00 00 00 FF E0		4C 8B D1 B8 3A 13 00 00 0F 05 C3 90

我用XT看的电脑上的进程在用户层都被HOOK了。怎么找出来谁hook的。
我的软件hook好多nt函数，其他的nt函数都正常，唯一的hook NtDeviceIoControlFile失效了。100台电脑里边有1台会这样，最初想是不是和网银控件冲突了，经过排查不是。禁用了非系统的启动项还是不行。
这台电脑和其他电脑不一样的地方，就是每个进程都会被hook，Ntdll.dll版本高了一点。怎么回事

[课程]FART 脱壳王！加量不加价！FART作者讲授！

收藏・1

免费・0

支持

最新回复 (13)
Hacker小浪雪币： 56 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	Hacker小浪 2 楼这个好像是显卡版本的问题 2017-1-8 09:58 0
ezrealik 雪币： 1570 活跃值： (383) 能力值： ( LV3，RANK：30 ) 在线值：发帖 24 回帖 94 粉丝 1 关注私信	ezrealik 3 楼这样是看不出来谁hook的还是把hook的函数还原后监控谁对那些函数写入内存才知道是谁hook了~ 2017-1-8 14:05 0
yimingqpa 雪币： 6400 活跃值： (4160) 能力值： ( LV10，RANK：163 ) 在线值：发帖 35 回帖 498 粉丝 50 关注私信	yimingqpa 1 4 楼百度的XXX会干这种事. 2017-1-8 14:11 0
黑洛雪币： 6124 活跃值： (4466) 能力值： ( LV6，RANK：80 ) 在线值：发帖 8 回帖 568 粉丝 70 关注私信	黑洛 1 5 楼这个也不像是显卡hook的，显卡一般是直接inline相关的函数不会去搞nt的，杀毒吧 2017-1-8 15:32 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 0 关注私信	petersonhz 6 楼 XT是什么呢？ 2017-1-9 20:43 0
ninebell 雪币： 34577 活跃值： (7135) 能力值： ( LV3，RANK：20 ) 在线值：发帖 135 回帖 1120 粉丝 67 关注私信	ninebell 7 楼火火火火火火火火火火火火火火火火眼吧 2017-1-10 08:45 0
轩辕之风雪币： 2291 活跃值： (933) 能力值： ( LV8，RANK：130 ) 在线值：发帖 34 回帖 322 粉丝 67 关注私信	轩辕之风 1 8 楼 64位系统的Ring3层HOOK框架 2017-1-10 08:57 0
xacker 雪币： 522 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 17 回帖 449 粉丝 0 关注私信	xacker 1 9 楼你用XT 應該很好找啊系統最小化然後仔細看看未簽名項注意國產軟件這种搞法多半是國產的垃圾軟件。 2017-1-10 10:10 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 0 关注私信	petersonhz 10 楼 XueTr不是PCHunter么？看xt很久没更新了，论坛也关闭了，傅老大放弃杀毒了么 http://bbs.duba.net/forum-6513-1.html 2017-1-11 06:22 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 0 关注私信	petersonhz 11 楼监控谁对那些函数写入内存,用什么工具好呢? 2017-1-15 10:24 0
mtkppqq 雪币： 2 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	mtkppqq 12 楼我的用户也有这个问题， 2017-1-16 12:06 0
zhangAngle 雪币： 79 活跃值： (184) 能力值： ( LV3，RANK：30 ) 在线值：发帖 8 回帖 81 粉丝 0 关注私信	zhangAngle 13 楼 xx杀毒记得毛肚和火绒都这样在x64 hook几乎所有的native 函数 2017-1-16 12:59 0
supercolin 雪币： 1711 活跃值： (516) 能力值： ( LV12，RANK：200 ) 在线值：发帖 11 回帖 133 粉丝 11 关注私信	supercolin 1 14 楼比如第二行： len(12) ntdll.dll->NtCreateEvent 0x000000007799DE30->_ inline 48 B8 F0 13 1D 00 00 00 00 00 FF E0 4C 8B D1 B8 45 00 00 00 0F 05 C3 0F windbg attach到进程上去，然后: u 0x001D13F0 就知道被谁hook了 2017-2-7 13:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

火勺

发帖

135

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (13)
Hacker小浪雪币： 56 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	Hacker小浪 2 楼这个好像是显卡版本的问题 2017-1-8 09:58 0
ezrealik 雪币： 1570 活跃值： (383) 能力值： ( LV3，RANK：30 ) 在线值：发帖 24 回帖 94 粉丝 1 关注私信	ezrealik 3 楼这样是看不出来谁hook的还是把hook的函数还原后监控谁对那些函数写入内存才知道是谁hook了~ 2017-1-8 14:05 0
yimingqpa 雪币： 6400 活跃值： (4160) 能力值： ( LV10，RANK：163 ) 在线值：发帖 35 回帖 498 粉丝 50 关注私信	yimingqpa 1 4 楼百度的XXX会干这种事. 2017-1-8 14:11 0
黑洛雪币： 6124 活跃值： (4466) 能力值： ( LV6，RANK：80 ) 在线值：发帖 8 回帖 568 粉丝 70 关注私信	黑洛 1 5 楼这个也不像是显卡hook的，显卡一般是直接inline相关的函数不会去搞nt的，杀毒吧 2017-1-8 15:32 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 0 关注私信	petersonhz 6 楼 XT是什么呢？ 2017-1-9 20:43 0
ninebell 雪币： 34577 活跃值： (7135) 能力值： ( LV3，RANK：20 ) 在线值：发帖 135 回帖 1120 粉丝 67 关注私信	ninebell 7 楼火火火火火火火火火火火火火火火火眼吧 2017-1-10 08:45 0
轩辕之风雪币： 2291 活跃值： (933) 能力值： ( LV8，RANK：130 ) 在线值：发帖 34 回帖 322 粉丝 67 关注私信	轩辕之风 1 8 楼 64位系统的Ring3层HOOK框架 2017-1-10 08:57 0
xacker 雪币： 522 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 17 回帖 449 粉丝 0 关注私信	xacker 1 9 楼你用XT 應該很好找啊系統最小化然後仔細看看未簽名項注意國產軟件這种搞法多半是國產的垃圾軟件。 2017-1-10 10:10 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 0 关注私信	petersonhz 10 楼 XueTr不是PCHunter么？看xt很久没更新了，论坛也关闭了，傅老大放弃杀毒了么 http://bbs.duba.net/forum-6513-1.html 2017-1-11 06:22 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 0 关注私信	petersonhz 11 楼监控谁对那些函数写入内存,用什么工具好呢? 2017-1-15 10:24 0
mtkppqq 雪币： 2 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	mtkppqq 12 楼我的用户也有这个问题， 2017-1-16 12:06 0
zhangAngle 雪币： 79 活跃值： (184) 能力值： ( LV3，RANK：30 ) 在线值：发帖 8 回帖 81 粉丝 0 关注私信	zhangAngle 13 楼 xx杀毒记得毛肚和火绒都这样在x64 hook几乎所有的native 函数 2017-1-16 12:59 0
supercolin 雪币： 1711 活跃值： (516) 能力值： ( LV12，RANK：200 ) 在线值：发帖 11 回帖 133 粉丝 11 关注私信	supercolin 1 14 楼比如第二行： len(12) ntdll.dll->NtCreateEvent 0x000000007799DE30->_ inline 48 B8 F0 13 1D 00 00 00 00 00 FF E0 4C 8B D1 B8 45 00 00 00 0F 05 C3 0F windbg attach到进程上去，然后: u 0x001D13F0 就知道被谁hook了 2017-2-7 13:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复