Search - ntoskrnl

[Hook api] hHooksZwQuerySystemInformation

Description: Hooks the kernel's (ntoskrnl) ZwQuerySystemInformation to hide a process name from Task Manager.
Platform: | Size: 172090 | Author: 任晓枫 | Hits:

[Hook api] hookntcontinue

Description: ring0 hook of NtContinue, with source code. Hooks NtContinue in ring0; the hook is implemented using the dr7 register. This code hooks ntoskrnl!NtContinue to set dr7 to 0 (no updating of dr7) so NtContinue called from ring3 cannot alter drX registers... This hook will only PREVENT drX clearing from SEH (kiuser->ntcontinue) and will not alter debugging using ring3 debuggers (olly->SetThreadContext); mainly developed for personal research and as anti-bpm... Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll.dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won't be changed from seh and ring3 code =) Its use for some targets such as armadillo... but never posted code... by deroko
Platform: | Size: 6421 | Author: 张京 | Hits:

[Driver Develop] ssdt.

Description: An example of driver development in Delphi: 1. Map ntoskrnl.exe into memory 2. Relocation information... 3. Search for the SSDT base address 4. Patch back
Platform: | Size: 14457 | Author: fanghui | Hits:

[Hook api] hHooksZwQuerySystemInformation

Description: Hooks the kernel's (ntoskrnl) ZwQuerySystemInformation to hide a process name from Task Manager.
Platform: | Size: 172032 | Author: 任晓枫 | Hits:

[Hook api] hookntcontinue

Description: ring0 hook of NtContinue, with source code. Hooks NtContinue in ring0; the hook is implemented using the dr7 register. This code hooks ntoskrnl!NtContinue to set dr7 to 0 (no updating of dr7) so NtContinue called from ring3 cannot alter drX registers... This hook will only PREVENT drX clearing from SEH (kiuser->ntcontinue) and will not alter debugging using ring3 debuggers (olly->SetThreadContext); mainly developed for personal research and as anti-bpm... Hook NtContinue (not exported from ntoskrnl.exe but exported in ntdll.dll with service number) to set dr7 to 0 prior to calling original NtContinue so debug registers won't be changed from seh and ring3 code =) Its use for some targets such as armadillo... but never posted code... by deroko
Platform: | Size: 6144 | Author: 张京 | Hits:

[Driver Develop] iceext-0.70-src

Description: Source code of ICEExt for Driver Studio 3.2
Platform: | Size: 323584 | Author: enhom | Hits:

[Driver Develop] ssdt.

Description: An example of driver development in Delphi: 1. Map ntoskrnl.exe into memory 2. Relocation information... 3. Search for the SSDT base address 4. Patch back
Platform: | Size: 14336 | Author: fanghui | Hits:

[Driver Develop] SKSRA

Description: Parses the EAT of the kernel (ntoskrnl) and gets the addresses of the corresponding kernel routines.
Platform: | Size: 37888 | Author: ejoyc | Hits:

[Driver Develop] TEasySYS

Description: EasySYS English version Driver maker
Platform: | Size: 12254208 | Author: santuri | Hits:

[Windows Develop] cputemp

Description: CPUTemp - the compact monitor of temperature of the processor. Used libraries: ntoskrnl.lib
Platform: | Size: 166912 | Author: Eugenii | Hits:

[OS program] KernelLookup

Description: Open-source SSDT hook detection utility. It scans the SSDT entries in the kernel (ntoskrnl.exe) and finds the functions that are hooked and not in the kernel base address range.
Platform: | Size: 102400 | Author: __Genius__ | Hits:

[SCM] x64ssdt

Description: Gets the entry point of the SSDT on x64, where, unlike on older OSes, it is not exported from ntoskrnl.exe.
Platform: | Size: 1024 | Author: n3m0 | Hits:

[OS program] neihe

Description: Several common ways to get the base address of the kernel, ntoskrnl.exe.
Platform: | Size: 2048 | Author: zhangliang84 | Hits:

[Other] test_blue

Description: Source code that enters ring0 and can call the functions exported by ntoskrnl.exe. Very tricky.
Platform: | Size: 413696 | Author: Wujiahao | Hits:

[Driver Develop] InstDrv

Description: Driver compilation notes: building from multiple driver .obj files is supported, and error messages are reported if compilation fails. When compiling, the driver obj files and the required LIB support libraries must be placed in the directory of "驱动编译.exe". Drivers compiled successfully with certain LIB support libraries may still fail to load. For example, when compiling "C:\1.obj", keep a copy of "C:\1.*", otherwise the files may be deleted by mistake. Whether a driver compiled successfully is judged by the result in the driver loading tool; drivers that conflict with the following support libraries may compile successfully but still fail to load. Bundled support libraries: krnln_static.lib ntoskrnl.lib
Platform: | Size: 380928 | Author: 博文 | Hits:

[OS program] ntoskrnlsZwQuerySystemInformation

Description: A thorough refinement of the code that hooks the kernel's (ntoskrnl) ZwQuerySystemInformation to hide a process name from Task Manager.
Platform: | Size: 10240 | Author: 小红 | Hits:

[OS program] ntoskrnl

Description: The data structures needed for ring0 programming, in C++ format. I hope this helps everyone!
Platform: | Size: 2800640 | Author: 林飞 | Hits:

[OS program] CreateProcessNotify

Description: NT/2K provides a set of APIs, known as "Process Structure Routines" [2], exported by NTOSKRNL. One of these APIs, PsSetCreateProcessNotifyRoutine(), offers the ability to register a system-wide callback function that the OS calls each time a new process starts, exits or is terminated. This API can be used as an easy-to-implement method for tracking processes, by implementing an NT kernel-mode driver and a user-mode Win32 control application. The role of the driver is to detect process execution and notify the control program about these events.
Platform: | Size: 34816 | Author: sirpoot | Hits:

[Driver Develop] SDT_UnHook_Code

Description: Driver code that reads the relative virtual addresses (RVAs) of the exported API functions from the ntoskrnl.exe file, finds the base address of ntoskrnl.exe in memory, computes the real start address of each API, and compares it with the corresponding API address in the SSDT; where they differ, the SSDT hook is removed.
Platform: | Size: 667648 | Author: 王冠 | Hits:

[ADO-ODBC] neihe

Description: Several common ways to get the base address of the kernel, ntoskrnl.exe.
Platform: | Size: 2048 | Author: qvk9836xingsh | Hits:

CodeBus www.codebus.net