Location:
Search - RING0 RING3
Search list
Description: 从RING0级下启动RING3级的应用程序源代码-from RING0 activated RING3-level application program source code
Platform: |
Size: 69883 |
Author: fengdian |
Hits:
Description: ring0--hook NtContinue+source_code
ring0下面hookNtContinue 使用drx7寄存器实现的hook
this code hooks ntoskrnl!NtContinue to set dr7 to 0 (no updating of dr7)
so NtContinue called from ring3 cannot alter drX registers...
This hook will only PREVENT drX clearing from SEH (kiuser->ntcontinue)
and will not alter debugging using ring3 debuggers (olly->SetThreadContext)
mainly developed for personal reasearch and as anti-bpm...
Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll.dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won t be changed from seh and ring3 code =)
Its use for some targets such as armadillo... but never posted code...
by deroko
Platform: |
Size: 6421 |
Author: 张京 |
Hits:
Description: 从RING3进入RING0的方法,不需要驱动
Platform: |
Size: 4354 |
Author: Noctune |
Hits:
Description: ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (of Team Vexillium). t uses a ring0 driver to hook KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program ofc).
The difference between this method, and the standard debug API method it that this method monitores all of XP processes, and the program does not have to attach to any other process to monitor it, hence it s harder to detect.
The code currently is considered as ALPHA, and it has been reported to BSoD sometimes (on multi core/cpu machines). Take Care!
Platform: |
Size: 54007 |
Author: 张京 |
Hits:
Description: Hook Api Library 0.2 [Ring0&3] By Anskya
Email:Anskya@Gmail.com
ring3 inline hook For Api
Thank:
前29A高手也一直都是我的偶像...z0mbie大牛...这里膜拜一下
使用的LDE32引擎是翻译他老人家的...C->Delphi...
说明:
1.利用堆栈跳转
没有使用传统的jmp xxxx 长跳转,使用容易理解的push xxxx+ret
仔细看代码容易理解...封装完好.
2.内存补丁结构:
补丁1:|push xxx--钩子处理过程|ret|
补丁2:|保存原始补丁地址|保存原始地址代码长度|原始地址的代码|push xxxxxx|ret|
更新说明:
0.2:
支持Ring0 Inline Hook
0.1:
Ring3 Inline Hook
Platform: |
Size: 6347 |
Author: david |
Hits:
Description: 对付ring0 inline hook的基本思路是这样的,自己写一个替换的内核函数,以NtOpenProcess为例,就是 MyNtOpenProcess。然后修改SSDT表,让系统服务进入自己的函数MyNtOpenProcess。而MyNtOpenProcess要做的事就是,实现NtOpenProcess前10字节指令,然后再JMP到原来的NtOpenProcess的十字节后。这样NtOpenProcess 函数头写的JMP都失效了,在ring3直接调用OpenProcess再也毫无影响。
Platform: |
Size: 3631 |
Author: sdlylz |
Hits:
Description: Windows NT/2000/XP/Server 2003 获取Ring0的便捷工具
程序创建了几个段:
IDT,GDT,SSDT,Linear
为创建Ring3,Ring0之间的互交便捷
Platform: |
Size: 1464 |
Author: peacekeep |
Hits:
Description: Ring0和Ring3下的Rootkit源代码。很棒。
Platform: |
Size: 246542 |
Author: DNA |
Hits:
Description: 对付ring0 inline hook的基本思路是这样的,自己写一个替换的内核函数,以NtOpenProcess为例,就是 MyNtOpenProcess。然后修改SSDT表,让系统服务进入自己的函数MyNtOpenProcess。而MyNtOpenProcess要做的事就是,实现NtOpenProcess前10字节指令,然后再JMP到原来的NtOpenProcess的十字节后。这样NtOpenProcess 函数头写的JMP都失效了,在ring3直接调用OpenProcess再也毫无影响。-Ring0 inline hook to deal with the basic idea is that the replacement of their own to write a kernel function to NtOpenProcess for example, is MyNtOpenProcess. And then amend the SSDT table, so that system services into its own function MyNtOpenProcess. And MyNtOpenProcess to do is realize NtOpenProcess the first 10-byte instruction, and then JMP to the original NtOpenProcess the Cross Festival. This NtOpenProcess function of the JMP are the first to write a lapse in ring3 no longer directly call OpenProcess no impact.
Platform: |
Size: 3072 |
Author: sdlylz |
Hits:
Description: Ring0和Ring3下的Rootkit源代码。很棒。-Ring3 under Ring0 and Rootkit source code. Great.
Platform: |
Size: 245760 |
Author: DNA |
Hits:
Description: 网上的大多数第一代机器狗ring3层代码都缺少几个声明,这个能完全编译,ring0层没带,请自己弄,ring3是直接寻址方式的。qq 295333637-Most of the first generation of online ring3 dog layer codes are the lack of a number of statements, this can be fully compiled, ring0 layer did not have, please get their own, ring3 direct addressing mode. qq 295333637
Platform: |
Size: 128000 |
Author: 沈学雄 |
Hits:
Description: delphi版内核调用PspTerminateProcess杀进程源码,在ring3下搜索PspTerminateProcess地址,传给ring0,然后在ring0下调用。-delphi kernel call PspTerminateProcess kill the process, source code, in the next ring3 search PspTerminateProcess address, passed ring0, and then ring0 invoked.
Platform: |
Size: 13312 |
Author: 9908006 |
Hits:
Description: RTL special definitions for ring0 & ring3 in one header.
Platform: |
Size: 8192 |
Author: Pudn4everFF |
Hits:
Description: SSDT的全稱是System Services Descriptor Table,系統服務描述符表。這個表就是一個把ring3的Win32 API和ring0的內核API聯繫起來。SSDT並不僅僅只包含一個龐大的位址索引表,它還包含著一些其他有用的資訊,諸如位址索引的基底位址、服務函數個數等。
通過修改此表的函數位址可以對常用windows函數及API進行hook,從而實現對一些關心的系統動作進行過濾、監控的目的。一些HIPS、防毒軟體、系統監控、註冊表監控軟體往往會採用此介面來實現自己的監控模組,
目前極個別病毒確實會採用這種方法來保護自己或者破壞防毒軟體,但在這種病毒進入系統前如果防毒軟體能夠識別並清除它將沒有機會發作.
-SSDT s full name is System Services Descriptor Table, the system service descriptor table. This is a table of the Win32 API and ring0 ring3 kernel API link. SSDT is not only a huge address contains only the index table, it also contains some other useful information, such as the address of the index base address, the number of functions and other services.
Function by modifying the address of this table can be used for windows functions and API hook, in order to achieve the action of some concern to filter systems, surveillance purpose. Some HIPS, antivirus software, system monitoring, registry monitoring software often uses this interface to implement its own monitoring module,
At present very few virus does use this method to protect themselves or to destroy anti-virus software, but if the virus before the antivirus software into the system and clear it will not be able to identify opportunities to attack.
Platform: |
Size: 335872 |
Author: 小明 |
Hits:
Description: 详解系统服务描述符表,即SSDT。作用是把ring3的win32 api和ring0的内核api联系起来-Detailed system service descriptor table, the SSDT. Role is to the win32 api and ring0 ring3 kernel api link
Platform: |
Size: 36864 |
Author: 杨阳 |
Hits:
Description: 一个hooklib,使用distorm解析指令
支持 ring0 & ring3 以及 x86 & amd64
-A hooklib use distorm parsing instructions
Support ring 0, & ring3 as well as x86 & amd64
Platform: |
Size: 110592 |
Author: tunshizhe |
Hits:
Description: Intel的CPU将特权级别分为4个级别:RING0,RING1,RING2,RING3。Windows只使用其中的两个级别RING0和RING3,RING0只给操作系统用,RING3谁都能用。如果普通应用程序企图执行RING0指令,则Windows会显示“非法指令”错误信息。-Intel' s CPU privilege level will be divided into four levels: RING0, RING1, RING2, RING3. Windows uses only one of the two levels RING0 and RING3, RING0 only to the operating system used, RING3 anyone can. If the application attempts to execute common commands RING0, Windows will display " Illegal Instruction" error message.
Platform: |
Size: 5120 |
Author: 仔仔 |
Hits:
Description: API hooking bypass ideas, ring0/ring3
Platform: |
Size: 258048 |
Author: The Munsta |
Hits:
Description: RTL special definitions for ring0 & ring3 in one header.
Platform: |
Size: 9216 |
Author: ddjvj415hao |
Hits:
Description: RTL special definitions for ring0 & ring3 in one header.
Platform: |
Size: 9216 |
Author: rzovoong |
Hits: