[Share] A hook detection tool for NP
Posted on: 2008-2-15 21:54 14711

Last time I saw an expert who detected NP's hooks.
Recently, while writing a driver, I came across a few tools that work; they are used to detect kernel-level hooks.

RkU3.7.300.503.zip
http://bbs.driverdevelop.com/job.php?action=download&pid=&tid=100947&aid=18614


Latest replies (11)
#2
NP version 1059 is not compatible with this tool.
2008-2-18 12:53
#3
It can be made to work with some modification. Write a tool that stops R3 malicious modules from injecting into the detection tool's process; the driver layer needs a few small changes.
2008-2-18 12:57
#4
It can only detect SSDT hooks; it cannot detect NP's inline hooks.
2008-2-18 12:59
#5
It's someone else's, not mine; I don't have that kind of skill yet.
2008-2-18 16:25
#6
>Hooks
ntfs.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xF2670C8C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x00020174, Type: Inline - RelativeJump at address 0x804F8174 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe+0x00020438, Type: Inline - RelativeJump at address 0x804F8438 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump at address 0x804EAE14 hook handler located in [klif.sys]
ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x80663770 hook handler located in [unknown_code_page]
ntkrnlpa.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump at address 0x804EF54E hook handler located in [klif.sys]
ntkrnlpa.exe-->KeAttachProcess, Type: Inline - RelativeJump at address 0x804F853C hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->KeStackAttachProcess, Type: Inline - RelativeJump at address 0x804F8638 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtDeviceIoControlFile, Type: Inline - RelativeJump at address 0x8056E2FC hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump at address 0x805C0B56 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtOpenSection, Type: Inline - RelativeJump at address 0x8059F258 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x805AD4C6 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtReadVirtualMemory, Type: Inline - RelativeJump at address 0x805A91D0 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtWriteFile, Type: Inline - RelativeJump at address 0x805720A0 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x805A92DA hook handler located in [dump_wmimmc.sys]
2008-2-18 17:15
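As an added example (my own code, not part of the thread and not from the RkU tool), here is a small Python parser for the "Hooks" section of an RkU report such as the one pasted above; it groups hooks by the module that owns the handler and lists those whose handler RkU reported as [unknown_code_page], meaning code it could not attribute to any loaded driver. The sample input is five lines copied from the report above.

```python
import re
from collections import Counter

# Sample input: five hook lines copied from the RkU report pasted in reply #6.
RKU_REPORT = """>Hooks
ntfs.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xF2670C8C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x00020174, Type: Inline - RelativeJump at address 0x804F8174 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump at address 0x804EAE14 hook handler located in [klif.sys]
ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x80663770 hook handler located in [unknown_code_page]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump at address 0x805C0B56 hook handler located in [dump_wmimmc.sys]
"""

# One hook line: <target>, Type: <type> at address 0x<addr> hook handler located in [<module>]
LINE_RE = re.compile(
    r"^(?P<target>.+?), Type: (?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<handler>[^\]]+)\]$"
)


def parse_rku_hooks(text):
    """Parse the 'Hooks' section of an RkU report; lines that are not hook entries are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # 'a.sys-->b.exe-->Func' is an import/export chain ending in a symbol name;
        # 'ntkrnlpa.exe+0x20174' is a hook at an offset RkU could not resolve to a name.
        chain = m.group("target").split("-->")
        module, _, offset = chain[0].partition("+")
        symbol = chain[-1] if len(chain) > 1 else "+" + offset
        hooks.append({
            "module": module,
            "symbol": symbol,
            "type": m.group("type"),
            "address": int(m.group("addr"), 16),
            "handler": m.group("handler"),
        })
    return hooks


def summarize(hooks):
    """Count hooks per handler module and per hook type, and list hooked symbols whose handler
    RkU could not attribute to a loaded driver; those deserve a closer look first."""
    by_handler = Counter(h["handler"] for h in hooks)
    by_type = Counter(h["type"] for h in hooks)
    unattributed = [h["symbol"] for h in hooks if h["handler"] == "unknown_code_page"]
    return by_handler, by_type, unattributed
```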
#7
I don't understand it; I'd better go read the beginner tutorials.
2008-2-19 00:18
#8
I don't understand it; I'd better go read the beginner tutorials.
2008-2-20 14:13
#9
I can't register on driverdevelop. Could someone upload it here? Thanks.
2008-2-22 17:39
#10
Where are the beginner tutorials? I couldn't find them. Could you give me a link?
2008-2-22 22:55
#11
Down it.
Uploaded attachment:
2008-2-23 01:26
#12
Could someone tell me: NP detected my UCE (undetected cheat engine)..
How do I find out which string was detected??
2008-2-24 01:35