[求助]所有进程都被hook了，这么找出是谁hook的-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]所有进程都被hook了，这么找出是谁hook的

发表于: 2017-1-8 00:35 8757

[求助]所有进程都被hook了，这么找出是谁hook的

火勺

2017-1-8 00:35

8757

100

101

102

103

104

105

106

107

108

109

en(12) ntdll.dll->NtAllocateVirtualMemory        0x000000007799DB30->_        inline      48 B8 00 D2 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 15 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateEvent     0x000000007799DE30->_        inline      48 B8 F0 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 45 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateFile      0x000000007799DF00->_        inline      48 B8 C0 E9 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 52 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtCreateMutant        0x000000007799E380->_        inline      48 B8 B0 15 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtCreateNamedPipeFile     0x000000007799E390->_        inline      48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreatePagingFile        0x000000007799E3A0->_        inline      48 B8 10 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateProcess       0x000000007799E3D0->_        inline      48 B8 40 0C 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9F 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtCreateProcessEx     0x000000007799DE80->_        inline      48 B8 B0 0D 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 E0 E3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 4A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateSection       0x000000007799DE50->_        inline      48 B8 E0 DC 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 47 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtCreateSemaphore     0x000000007799E410->_        inline      48 B8 50 17 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 A3 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtCreateSymbolicLinkObject        0x000000007799E420->_        inline      48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateThread        0x000000007799DE90->_        inline      48 B8 E0 E3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateThreadEx      0x000000007799E430->_        inline      48 B8 50 E5 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtCreateUserProcess       0x000000007799E480->_        inline      48 B8 40 0F 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 AA 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtDeleteFile      0x000000007799E500->_        inline      48 B8 B0 ED 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 B2 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtDeviceIoControlFile     0x000000007799DA20->_        inline      48 B8 50 EE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 1C 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 04 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtDuplicateObject     0x000000007799DD70->_        inline      48 B8 50 F4 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 39 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtGetNextProcess      0x000000007799E6C0->_        inline      48 B8 20 F7 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 20 F8 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 CE 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtGetNextThread       0x000000007799E6D0->_        inline      48 B8 20 F8 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtLoadDriver      0x000000007799E7A0->_        inline      48 B8 D0 03 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 DC 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtMapViewOfSection        0x000000007799DC30->_        inline      48 B8 00 DF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenEvent       0x000000007799DDB0->_        inline      48 B8 F0 14 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 3D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenFile        0x000000007799DCE0->_        inline      48 B8 80 EB 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 30 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenMutant      0x000000007799E940->_        inline      48 B8 90 16 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 F6 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtOpenProcess     0x000000007799DC10->_        inline      48 B8 90 CE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 23 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenSection     0x000000007799DD20->_        inline      48 B8 30 DE 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 34 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenSemaphore       0x000000007799E990->_        inline      48 B8 50 18 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 FB 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtOpenThread      0x000000007799E9C0->_        inline      48 B8 70 CF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 FE 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtProtectVirtualMemory        0x000000007799DEB0->_        inline      48 B8 40 D7 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 4D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtQueueApcThread      0x000000007799DE00->_        inline      48 B8 20 E7 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 42 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtQueueApcThreadEx        0x000000007799ECC0->_        inline      48 B8 60 E8 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 2E 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtRaiseHardError      0x000000007799ECE0->_        inline      48 B8 10 11 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 30 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtRequestWaitReplyPort        0x000000007799DBD0->_        inline      48 B8 10 05 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 1F 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetContextThread        0x000000007799EEE0->_        inline      48 B8 00 E3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 50 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtSetInformationFile      0x000000007799DC20->_        inline      48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetInformationObject        0x000000007799DF70->_        inline      48 B8 30 12 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 59 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetInformationProcess       0x000000007799DB70->_        inline      48 B8 60 F3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 19 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSetSystemInformation        0x000000007799F0A0->_        inline      48 B8 10 03 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 6C 01 00 00 0F 05 C3 0F
len(44) ntdll.dll->NtSuspendProcess      0x000000007799F180->_        inline      48 B8 40 E2 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 7A 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->NtSuspendThread       0x000000007799F190->_        inline      48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtSystemDebugControl      0x000000007799F1A0->_        inline      48 B8 F0 01 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtTerminateProcess        0x000000007799DC70->_        inline      48 B8 60 D0 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 29 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtTerminateThread     0x000000007799DEE0->_        inline      48 B8 30 D1 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 50 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtUnloadDriver        0x000000007799F220->_        inline      48 B8 70 04 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 84 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtUnmapViewOfSection      0x000000007799DC50->_        inline      48 B8 80 E0 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 27 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtWriteFile       0x000000007799DA30->_        inline      48 B8 10 1C 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->NtWriteVirtualMemory      0x000000007799DD50->_        inline      48 B8 A0 D4 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 37 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwAllocateVirtualMemory       0x000000007799DB30->_        inline      48 B8 00 D2 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 15 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateEvent     0x000000007799DE30->_        inline      48 B8 F0 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 45 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateFile      0x000000007799DF00->_        inline      48 B8 C0 E9 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 52 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwCreateMutant        0x000000007799E380->_        inline      48 B8 B0 15 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwCreateNamedPipeFile     0x000000007799E390->_        inline      48 B8 10 19 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9B 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreatePagingFile        0x000000007799E3A0->_        inline      48 B8 10 13 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9C 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateProcess       0x000000007799E3D0->_        inline      48 B8 40 0C 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9F 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwCreateProcessEx     0x000000007799DE80->_        inline      48 B8 B0 0D 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 E0 E3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 4A 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateSection       0x000000007799DE50->_        inline      48 B8 E0 DC 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 47 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwCreateSemaphore     0x000000007799E410->_        inline      48 B8 50 17 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 A3 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwCreateSymbolicLinkObject        0x000000007799E420->_        inline      48 B8 30 1B 1D 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 50 E5 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 A4 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateThread        0x000000007799DE90->_        inline      48 B8 E0 E3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 4B 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateThreadEx      0x000000007799E430->_        inline      48 B8 50 E5 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 A5 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwCreateUserProcess       0x000000007799E480->_        inline      48 B8 40 0F 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 AA 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwDeleteFile      0x000000007799E500->_        inline      48 B8 B0 ED 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 B2 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwDeviceIoControlFile     0x000000007799DA20->_        inline      48 B8 50 EE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 10 1C 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 04 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwDuplicateObject     0x000000007799DD70->_        inline      48 B8 50 F4 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 39 00 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwGetNextProcess      0x000000007799E6C0->_        inline      48 B8 20 F7 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 20 F8 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 CE 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwGetNextThread       0x000000007799E6D0->_        inline      48 B8 20 F8 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 CF 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwLoadDriver      0x000000007799E7A0->_        inline      48 B8 D0 03 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 DC 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwMapViewOfSection        0x000000007799DC30->_        inline      48 B8 00 DF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenEvent       0x000000007799DDB0->_        inline      48 B8 F0 14 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 3D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenFile        0x000000007799DCE0->_        inline      48 B8 80 EB 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 30 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenMutant      0x000000007799E940->_        inline      48 B8 90 16 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 F6 00 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwOpenProcess     0x000000007799DC10->_        inline      48 B8 90 CE 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 23 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenSection     0x000000007799DD20->_        inline      48 B8 30 DE 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 34 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenSemaphore       0x000000007799E990->_        inline      48 B8 50 18 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 FB 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwOpenThread      0x000000007799E9C0->_        inline      48 B8 70 CF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 FE 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwProtectVirtualMemory        0x000000007799DEB0->_        inline      48 B8 40 D7 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 4D 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwQueueApcThread      0x000000007799DE00->_        inline      48 B8 20 E7 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 42 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwQueueApcThreadEx        0x000000007799ECC0->_        inline      48 B8 60 E8 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 2E 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwRaiseHardError      0x000000007799ECE0->_        inline      48 B8 10 11 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 30 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwRequestWaitReplyPort        0x000000007799DBD0->_        inline      48 B8 10 05 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 1F 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetContextThread        0x000000007799EEE0->_        inline      48 B8 00 E3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 50 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwSetInformationFile      0x000000007799DC20->_        inline      48 B8 B0 EC 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 00 DF 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 24 00 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 25 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetInformationObject        0x000000007799DF70->_        inline      48 B8 30 12 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 59 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetInformationProcess       0x000000007799DB70->_        inline      48 B8 60 F3 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 19 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSetSystemInformation        0x000000007799F0A0->_        inline      48 B8 10 03 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 6C 01 00 00 0F 05 C3 0F
len(44) ntdll.dll->ZwSuspendProcess      0x000000007799F180->_        inline      48 B8 40 E2 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 7A 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(28) ntdll.dll->ZwSuspendThread       0x000000007799F190->_        inline      48 B8 60 E1 1C 00 00 00 00 00 FF E0 1F 44 00 00 48 B8 F0 01 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 7B 01 00 00 0F 05 C3 0F 1F 44 00 00 4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwSystemDebugControl      0x000000007799F1A0->_        inline      48 B8 F0 01 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 7C 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwTerminateProcess        0x000000007799DC70->_        inline      48 B8 60 D0 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 29 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwTerminateThread     0x000000007799DEE0->_        inline      48 B8 30 D1 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 50 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwUnloadDriver        0x000000007799F220->_        inline      48 B8 70 04 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 84 01 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwUnmapViewOfSection      0x000000007799DC50->_        inline      48 B8 80 E0 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 27 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwWriteFile       0x000000007799DA30->_        inline      48 B8 10 1C 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 05 00 00 00 0F 05 C3 0F
len(12) ntdll.dll->ZwWriteVirtualMemory      0x000000007799DD50->_        inline      48 B8 A0 D4 1C 00 00 00 00 00 FF E0     4C 8B D1 B8 37 00 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x000000007518FE90->_        inline      48 B8 A0 1F 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 07 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x000000007518FF10->_        inline      48 B8 B0 20 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 0F 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075190090->_        inline      48 B8 10 1F 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 27 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x00000000751903A0->_        inline      48 B8 F0 1D 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 58 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x00000000751903E0->_        inline      48 B8 90 22 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 5C 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075190410->_        inline      48 B8 50 21 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 5F 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075190590->_        inline      48 B8 00 22 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 77 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075190640->_        inline      48 B8 D0 23 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 82 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x00000000751906E0->_        inline      48 B8 F0 24 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 8C 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x00000000751907F0->_        inline      48 B8 A0 1D 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 9D 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075190C40->_        inline      48 B8 60 24 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 E2 10 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075190E60->_        inline      48 B8 90 26 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 04 11 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075190FD0->_        inline      48 B8 80 1E 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 1B 11 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x0000000075192DA0->_        inline      48 B8 E0 25 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 F8 12 00 00 0F 05 C3 0F
len(12) wow64win.dll        0x00000000751931C0->_        inline      48 B8 30 23 1D 00 00 00 00 00 FF E0     4C 8B D1 B8 3A 13 00 00 0F 05 C3 90

我用XT看的电脑上的进程在用户层都被HOOK了。怎么找出来谁hook的。
我的软件hook好多nt函数，其他的nt函数都正常，唯一的hook NtDeviceIoControlFile失效了。100台电脑里边有1台会这样，最初想是不是和网银控件冲突了，经过排查不是。禁用了非系统的启动项还是不行。
这台电脑和其他电脑不一样的地方，就是每个进程都会被hook，Ntdll.dll版本高了一点。怎么回事

[招生]科锐逆向工程师培训(2025年3月11日实地，远程教学同时开班, 第52期)！

收藏・1

免费

支持

最新回复 (13)
Hacker小浪雪币： 56 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	Hacker小浪 2 楼这个好像是显卡版本的问题 2017-1-8 09:58 0
ezrealik 雪币： 1370 活跃值： (383) 能力值： ( LV3，RANK：30 ) 在线值：发帖 24 回帖 94 粉丝 1 关注私信	ezrealik 3 楼这样是看不出来谁hook的还是把hook的函数还原后监控谁对那些函数写入内存才知道是谁hook了~ 2017-1-8 14:05 0
yimingqpa 雪币： 6992 活跃值： (4841) 能力值： ( LV10，RANK：163 ) 在线值：发帖 35 回帖 499 粉丝 55 关注私信	yimingqpa 1 4 楼百度的XXX会干这种事. 2017-1-8 14:11 0
黑洛雪币： 6129 活跃值： (4846) 能力值： ( LV6，RANK：80 ) 在线值：发帖 8 回帖 568 粉丝 77 关注私信	黑洛 1 5 楼这个也不像是显卡hook的，显卡一般是直接inline相关的函数不会去搞nt的，杀毒吧 2017-1-8 15:32 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 1 关注私信	petersonhz 6 楼 XT是什么呢？ 2017-1-9 20:43 0
ninebell 雪币： 37884 活跃值： (7410) 能力值： ( LV3，RANK：20 ) 在线值：发帖 135 回帖 1135 粉丝 72 关注私信	ninebell 7 楼火火火火火火火火火火火火火火火火眼吧 2017-1-10 08:45 0
轩辕之风雪币： 2291 活跃值： (938) 能力值： ( LV8，RANK：130 ) 在线值：发帖 34 回帖 322 粉丝 68 关注私信	轩辕之风 1 8 楼 64位系统的Ring3层HOOK框架 2017-1-10 08:57 0
xacker 雪币： 522 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 17 回帖 449 粉丝 0 关注私信	xacker 1 9 楼你用XT 應該很好找啊系統最小化然後仔細看看未簽名項注意國產軟件這种搞法多半是國產的垃圾軟件。 2017-1-10 10:10 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 1 关注私信	petersonhz 10 楼 XueTr不是PCHunter么？看xt很久没更新了，论坛也关闭了，傅老大放弃杀毒了么 http://bbs.duba.net/forum-6513-1.html 2017-1-11 06:22 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 1 关注私信	petersonhz 11 楼监控谁对那些函数写入内存,用什么工具好呢? 2017-1-15 10:24 0
mtkppqq 雪币： 2 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	mtkppqq 12 楼我的用户也有这个问题， 2017-1-16 12:06 0
zhangAngle 雪币： 79 活跃值： (184) 能力值： ( LV3，RANK：30 ) 在线值：发帖 8 回帖 81 粉丝 0 关注私信	zhangAngle 13 楼 xx杀毒记得毛肚和火绒都这样在x64 hook几乎所有的native 函数 2017-1-16 12:59 0
supercolin 雪币： 1711 活跃值： (516) 能力值： ( LV12，RANK：200 ) 在线值：发帖 11 回帖 133 粉丝 11 关注私信	supercolin 1 14 楼比如第二行： len(12) ntdll.dll->NtCreateEvent 0x000000007799DE30->_ inline 48 B8 F0 13 1D 00 00 00 00 00 FF E0 4C 8B D1 B8 45 00 00 00 0F 05 C3 0F windbg attach到进程上去，然后: u 0x001D13F0 就知道被谁hook了 2017-2-7 13:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

火勺

发帖

135

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (13)
Hacker小浪雪币： 56 活跃值： (31) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 6 粉丝 0 关注私信	Hacker小浪 2 楼这个好像是显卡版本的问题 2017-1-8 09:58 0
ezrealik 雪币： 1370 活跃值： (383) 能力值： ( LV3，RANK：30 ) 在线值：发帖 24 回帖 94 粉丝 1 关注私信	ezrealik 3 楼这样是看不出来谁hook的还是把hook的函数还原后监控谁对那些函数写入内存才知道是谁hook了~ 2017-1-8 14:05 0
yimingqpa 雪币： 6992 活跃值： (4841) 能力值： ( LV10，RANK：163 ) 在线值：发帖 35 回帖 499 粉丝 55 关注私信	yimingqpa 1 4 楼百度的XXX会干这种事. 2017-1-8 14:11 0
黑洛雪币： 6129 活跃值： (4846) 能力值： ( LV6，RANK：80 ) 在线值：发帖 8 回帖 568 粉丝 77 关注私信	黑洛 1 5 楼这个也不像是显卡hook的，显卡一般是直接inline相关的函数不会去搞nt的，杀毒吧 2017-1-8 15:32 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 1 关注私信	petersonhz 6 楼 XT是什么呢？ 2017-1-9 20:43 0
ninebell 雪币： 37884 活跃值： (7410) 能力值： ( LV3，RANK：20 ) 在线值：发帖 135 回帖 1135 粉丝 72 关注私信	ninebell 7 楼火火火火火火火火火火火火火火火火眼吧 2017-1-10 08:45 0
轩辕之风雪币： 2291 活跃值： (938) 能力值： ( LV8，RANK：130 ) 在线值：发帖 34 回帖 322 粉丝 68 关注私信	轩辕之风 1 8 楼 64位系统的Ring3层HOOK框架 2017-1-10 08:57 0
xacker 雪币： 522 活跃值： (10) 能力值： ( LV4，RANK：50 ) 在线值：发帖 17 回帖 449 粉丝 0 关注私信	xacker 1 9 楼你用XT 應該很好找啊系統最小化然後仔細看看未簽名項注意國產軟件這种搞法多半是國產的垃圾軟件。 2017-1-10 10:10 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 1 关注私信	petersonhz 10 楼 XueTr不是PCHunter么？看xt很久没更新了，论坛也关闭了，傅老大放弃杀毒了么 http://bbs.duba.net/forum-6513-1.html 2017-1-11 06:22 0
petersonhz 雪币： 2375 活跃值： (433) 能力值： ( LV2，RANK：10 ) 在线值：发帖 422 回帖 2433 粉丝 1 关注私信	petersonhz 11 楼监控谁对那些函数写入内存,用什么工具好呢? 2017-1-15 10:24 0
mtkppqq 雪币： 2 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	mtkppqq 12 楼我的用户也有这个问题， 2017-1-16 12:06 0
zhangAngle 雪币： 79 活跃值： (184) 能力值： ( LV3，RANK：30 ) 在线值：发帖 8 回帖 81 粉丝 0 关注私信	zhangAngle 13 楼 xx杀毒记得毛肚和火绒都这样在x64 hook几乎所有的native 函数 2017-1-16 12:59 0
supercolin 雪币： 1711 活跃值： (516) 能力值： ( LV12，RANK：200 ) 在线值：发帖 11 回帖 133 粉丝 11 关注私信	supercolin 1 14 楼比如第二行： len(12) ntdll.dll->NtCreateEvent 0x000000007799DE30->_ inline 48 B8 F0 13 1D 00 00 00 00 00 FF E0 4C 8B D1 B8 45 00 00 00 0F 05 C3 0F windbg attach到进程上去，然后: u 0x001D13F0 就知道被谁hook了 2017-2-7 13:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[求助]所有进程都被hook了，这么找出是谁hook的

账号登录 验证码登录

账号登录

验证码登录