[Share] NP hook detection tool
Posted: 2008-2-15 21:54 14893

Last time I saw an expert who detected NP's hooks.
Recently, while writing drivers, I came across a few tools that work and can be used to detect kernel-level hooks.

RkU3.7.300.503.zip


Latest replies (11)
2
NP version 1059 is not compatible with this tool.
2008-2-18 12:53
3
With some modification it can be used. Write a tool that stops the malicious R3 module from injecting into the detection tool's process. The driver layer needs a few small changes.
2008-2-18 12:57
4
It can only detect SSDT hooks; it cannot detect NP's inline hooks.
2008-2-18 12:59
5
It's someone else's, not something I made; I don't have that kind of skill yet.
2008-2-18 16:25
6
>Hooks
ntfs.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xF2670C8C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x00020174, Type: Inline - RelativeJump at address 0x804F8174 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe+0x00020438, Type: Inline - RelativeJump at address 0x804F8438 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump at address 0x804EAE14 hook handler located in [klif.sys]
ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x80663770 hook handler located in [unknown_code_page]
ntkrnlpa.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump at address 0x804EF54E hook handler located in [klif.sys]
ntkrnlpa.exe-->KeAttachProcess, Type: Inline - RelativeJump at address 0x804F853C hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->KeStackAttachProcess, Type: Inline - RelativeJump at address 0x804F8638 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtDeviceIoControlFile, Type: Inline - RelativeJump at address 0x8056E2FC hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump at address 0x805C0B56 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtOpenSection, Type: Inline - RelativeJump at address 0x8059F258 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Inline - RelativeJump at address 0x805AD4C6 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtReadVirtualMemory, Type: Inline - RelativeJump at address 0x805A91D0 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtWriteFile, Type: Inline - RelativeJump at address 0x805720A0 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x805A92DA hook handler located in [dump_wmimmc.sys]
2008-2-18 17:15
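The hook listing quoted in reply 6 is the raw report; to triage a report like that during incident review it helps to parse it into records and summarize which modules own the handlers and which hooks point into memory the tool could not attribute to any loaded driver. The following Python is an added example written for this page; it is not part of the thread and not code from RkUnhooker. It assumes the line layout seen above ("target, Type: KIND at address 0x... hook handler located in [module]") generalizes to the rest of the ">Hooks" section, and the sample input is a subset of the lines quoted in reply 6.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: a subset of the ">Hooks" lines quoted in reply 6 of this thread.
SAMPLE_HOOK_LINES = """\
>Hooks
ntfs.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xF2670C8C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x00020174, Type: Inline - RelativeJump at address 0x804F8174 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump at address 0x804EAE14 hook handler located in [klif.sys]
ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x80663770 hook handler located in [unknown_code_page]
ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump at address 0x805C0B56 hook handler located in [dump_wmimmc.sys]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Inline - RelativeJump at address 0x805A92DA hook handler located in [dump_wmimmc.sys]
"""

# Assumed line format, derived from the lines above (not an official grammar).
HOOK_RE = re.compile(
    r"^(?P<target>.+?), Type: (?P<kind>.+?) at address (?P<addr>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<handler>[^\]]+)\]$"
)


@dataclass(frozen=True)
class Hook:
    importer: Optional[str]  # module whose IAT was patched (IAT hooks only)
    module: str              # module that owns the hooked code or export
    symbol: str              # export name, or "+0x..." offset for unnamed locations
    kind: str                # "IAT modification", "EAT modification", "Inline - RelativeJump", ...
    address: int             # hooked address as an integer
    handler: str             # module holding the hook handler, or "unknown_code_page"


def parse_hook_line(line):
    """Parse one report line into a Hook, or return None if it does not match."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("target").split("-->")
    importer = None
    if len(parts) == 3:            # importer-->module-->symbol : IAT hook
        importer, module, symbol = parts
    elif len(parts) == 2:          # module-->symbol : EAT hook or inline hook on an export
        module, symbol = parts
    else:                          # module+0xOFFSET : inline hook at an unnamed location
        module, _, offset = parts[0].partition("+")
        symbol = "+" + offset
    return Hook(importer, module, symbol, m.group("kind"),
                int(m.group("addr"), 16), m.group("handler"))


def parse_report(text):
    """Parse a whole ">Hooks" section, skipping headers, blanks and unparseable lines."""
    hooks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(">"):
            continue
        hook = parse_hook_line(line)
        if hook is not None:
            hooks.append(hook)
    return hooks


def summarize(hooks):
    """Counts by hook kind and handler module, plus hooks whose handler is unattributed."""
    return {
        "by_kind": Counter(h.kind for h in hooks),
        "by_handler": Counter(h.handler for h in hooks),
        "unattributed": [h for h in hooks if h.handler == "unknown_code_page"],
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_HOOK_LINES))
    for kind, n in report["by_kind"].items():
        print(f"{n:3d}  {kind}")
    for handler, n in report["by_handler"].items():
        print(f"{n:3d}  handler in {handler}")
    for h in report["unattributed"]:
        print(f"review: {h.module}-->{h.symbol} {h.kind} @ {h.address:#010x}")
```

Grouping by handler module is the first question a reviewer asks of such a listing (here the inline jumps land in dump_wmimmc.sys and klif.sys, both loaded drivers), while entries whose handler sits in an unknown code page are the ones that cannot be attributed to a driver on disk and deserve a closer look.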
7
I don't understand it; I'd better go read the beginner tutorials.
2008-2-19 00:18
8
I don't understand it; I'd better go read the beginner tutorials.
2008-2-20 14:13
9
I can't register on driverdevelop. Could someone upload it here? Thanks.
2008-2-22 17:39
10
Where are the beginner tutorials? I couldn't find them. Could you give me a link?
2008-2-22 22:55
11
Down it.
Uploaded attachment:
2008-2-23 01:26
12
Could I ask: NP detected my UCE (undetected cheat engine)..
How do I find out which string was detected??
2008-2-24 01:35