// --- Hooked system-service dispatch in nt (presumably inside nt!KiFastCallEntry: the jae at
// 804de995 targets nt!KiSystemCallExit2). Register roles for this stretch, per the
// annotations on the stub at b4c174e3-e5: eax = service index, edx = caller's stack pointer,
// edi = service descriptor entry.
804de972 64ff0538060000 inc dword ptr fs:[638h] // per-processor counter in the PCR/PRCB (presumably KeSystemCalls -- confirm against this build's KPCR layout)
804de979 8bf2 mov esi,edx // esi = caller's (user) stack pointer; range-checked at 804de98f
804de97b 8b5f0c mov ebx,dword ptr [edi+0Ch] // ebx = descriptor+0Ch: per-service argument-size table (one byte per service)
804de97e 33c9 xor ecx,ecx
804de980 8a0c18 mov cl,byte ptr [eax+ebx] // cl = argument bytes for service eax (consumed by the replayed sub esp,ecx / shr ecx,2)
804de983 8b3f mov edi,dword ptr [edi] // edi = service table base (KeServiceTable)
804de985 8b1c87 mov ebx,dword ptr [edi+eax*4] // ebx = address of the service routine for index eax
// The next two instructions (5 + 2 = 7 bytes) are the inline hook. They evidently overwrite the
// original "sub esp,ecx / shr ecx,2 / mov edi,esp" (2+3+2 = 7 bytes), which the stub replays at
// b4c174f1..b4c174f8 before returning to 804de98f. The patched bytes differ from the on-disk
// nt image, so a code-integrity scan of nt (what RKU does) detects this directly.
804de988 ba11804d80 mov edx,offset nt!_imp__VidInitialize <PERF> (nt+0x11) (804d8011) // inline hook here -- RKU can scan this out
804de98d ffd2 call edx // pushes 804de98f, jumps to the 2-instruction trampoline at nt+0x11
804de98f 3b35d48e5680 cmp esi,dword ptr [nt!MmUserProbeAddress (80568ed4)] // resume point after the hook: validate the user stack pointer
804de995 0f83a8010000 jae nt!KiSystemCallExit2+0x9f (804deb43) // unsigned compare: user esp at/above MmUserProbeAddress -> bail out
// --- Trampoline written at nt+0x11 (an offset inside the nt image itself, so the call target
// at 804de988 appears to lie within ntoskrnl). push imm32 / ret is an absolute jump without
// a direct jmp encoding; the 6 patched bytes at nt+0x11 are just as visible to an image
// comparison as the hook in the dispatch code.
804d8011 68e074c1b4 push 0B4C174E0h // all this effort is wasted -- RKU already detects it
804d8016 c3 ret // -> b4c174e0 (the driver's hook stub)
// --- Hook stub in the driver (b4c174e0). Entered via the trampoline with the return address
// 804de98f on top of the stack and eax/ebx/ecx/edi as set by the dispatch code above.
b4c174e0 5a pop edx // discard the return address pushed by "call edx" (the stub returns through the saved copy at b4c174fa instead); edx was already overwritten by the hook's mov edx,offset, so nothing is lost
b4c174e1 9c pushfd // preserve flags and all GPRs around the filter call
b4c174e2 60 pushad // pushes eax,ecx,edx,ebx,esp,ebp,esi,edi -> the saved EBX slot is at [esp+10h]
b4c174e3 53 push ebx //<-- CurrentServiceAddress
b4c174e4 50 push eax //<-- ServiceIndex
b4c174e5 57 push edi //<-- KeServiceTable
b4c174e6 e815010000 call b4c17600 // filter(KeServiceTable, ServiceIndex, CurrentServiceAddress); body not shown -- presumably does some checks/comparisons and returns the routine to dispatch in eax
b4c174eb 89442410 mov dword ptr [esp+10h],eax //<-- mov ebx,eax: overwrites pushad's saved EBX (only correct if b4c17600 pops its 3 args itself, i.e. stdcall -- confirm)
b4c174ef 61 popad // ebx now holds the filter's result; every other register is restored
b4c174f0 9d popfd
// Replay of the instructions displaced by the 7-byte hook at 804de988, with a 2-byte
// mov edi,edi as filler; esp here equals what the unpatched code would have had.
b4c174f1 2be1 sub esp,ecx // reserve ecx bytes (argument size) on the kernel stack
b4c174f3 8bff mov edi,edi // no-op padding
b4c174f5 c1e902 shr ecx,2 // ecx = argument size in dwords
b4c174f8 8bfc mov edi,esp // edi = destination for the argument copy (presumably done by nt after the resume point; not shown)
b4c174fa ff35b026c3b4 push dword ptr ds:[0B4C326B0h] // [0B4C326B0h] holds the saved continuation 804de98f (the cmp esi,MmUserProbeAddress)
b4c17500 c3 ret // resume nt at 804de98f with ebx = (possibly substituted) service routine
//------------------------------------------------------------------------------
果然垃圾,跟
The Age-Old Art of SSDT Hooking(But Bypass Most ARK Tools...) 如出一辙,只对SSDT HOOK有效,对inline hook无效,这么垃圾的东西居然还加密???说你这个sys比这篇文章《The Age-Old Art of SSDT Hooking(But Bypass Most ARK Tools...) 》早,还不相信呢。