首页
社区
课程
招聘
12345678
发表于: 2009-1-9 17:04 7793

12345678

2009-1-9 17:04
7793
收藏
免费 0
支持
分享
最新回复 (12)
雪    币: 424
活跃值: (10)
能力值: ( LV9,RANK:850 )
在线值:
发帖
回帖
粉丝
2
我抢到沙发了

看完,学习了学习了
2009-1-9 17:05
0
雪    币: 347
活跃值: (25)
能力值: ( LV9,RANK:420 )
在线值:
发帖
回帖
粉丝
3
板凳也行。。。
2009-1-9 17:30
0
雪    币: 231
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
地毯
2009-1-9 17:44
0
雪    币: 149
活跃值: (213)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
来个地板!
2009-1-9 19:00
0
雪    币: 709
活跃值: (2420)
能力值: ( LV12,RANK:1010 )
在线值:
发帖
回帖
粉丝
6
www.Rootkits.com不是有这个文章吗
2009-1-9 19:31
0
雪    币: 709
活跃值: (2420)
能力值: ( LV12,RANK:1010 )
在线值:
发帖
回帖
粉丝
7
非原创啊非原创

3. Hide SSDT hooks by manipulating the KTHREAD structure

The second technique equals to the one described above. Again some copies of kernel structures are made. But now the service table pointer of each thread is changed to one of the copies. If you disassemble KiSystemService you see the resolving of function pointers by using the ServiceTable pointer of the current thread's KTHREAD structure. The ServiceTable pointer is set by KeInitThread() and later by PsConvertToGuiThread(). Depending on the thread type the address of KTHREAD either points to the SSDT or the SSDT-Shadow. The shadow structure contains pointers to functions which are used by GUIs and therefore PsConvertToGuiThread() will change normally the ServiceTable pointer to the SSDT-Shadow. Below you find the KTHREAD structure:

kd> dt !_kthread
nt!_KTHREAD
[...]
+0x0e0 ServiceTable : Ptr32 Void
[...]

To stealth the SSDT hooks by manipulating the KTHREAD structure a copy of the SSDT and the SSDT-Shadow is made. For the next step the SSDT or SSDT-Shadow copy is modified to get control over certain system functions. Now the ServiceTable pointers to the corresponding structures in PsConvertToGuiThread() and KeInitThread() are changed to the copies by modifying the loaded kernel code. Furthermore all threads are enumerated and again the ServiceTable pointers are exchanged.

We have tested the detection of the hidden hooks with anti-rootkit tools like RootkitUnhooker, GMER, SVV and some more tools. None of them detected the kernel code and KTHREAD modification.

4. Results

The demo shows the loading of a driver example which hooks NtOpenProcess() by exchanging the ServiceTable pointer of new and existing threads. After hooking the latest RootkitUnhooker version is started to check any detections. You will see no detection success of the SSDT or SSDT-Shadow modification.

http://rapidshare.com/files/161590863/hidessdthooks.avi.html


http://www.rootkit.com/newsread.php?newsid=922
2009-1-9 19:33
0
雪    币: 709
活跃值: (2420)
能力值: ( LV12,RANK:1010 )
在线值:
发帖
回帖
粉丝
8
LZ其实是不错的. 重复了没关系, 反正也是分享一下嘛,英文不好的同学还能看看.

怎么编辑没了啊. 我的罪过,抱歉抱歉
2009-1-9 19:46
0
雪    币: 375
活跃值: (12)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
9
还原一下吧~
2009-1-9 20:45
0
雪    币: 364
活跃值: (152)
能力值: ( LV12,RANK:450 )
在线值:
发帖
回帖
粉丝
10
怎么成123456了?好戏没看到啊……还原还原
2009-1-9 21:48
0
雪    币: 398
活跃值: (343)
能力值: (RANK:650 )
在线值:
发帖
回帖
粉丝
11
楼主不必这样子啊
多好的文章,不能因为就几个人会,就不发出来啊
论坛上大多数人不会啊
像我这样的菜鸟还要学习的啊
如果没有重复才算原创的话
那这个论坛有几个贴子是原创啊
所以,楼主贴出来吧,我给你壮胆
2009-1-9 21:56
0
雪    币: 97697
活跃值: (200744)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
12
www.Rootkits.com的文章我看过,贴我关闭了.
2009-1-9 22:04
0
雪    币: 47147
活跃值: (20405)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
13
是啊,帖出来分享没关系。如果参考了相关资料,最后注明一下。
喜欢看堕落天才的文章。
2009-1-10 00:36
0
游客
登录 | 注册 方可回帖
返回
//