Search - address memory

Search - address memory - List

[Hook api] 55555 DL : 0: 内存读取基址 HOOK钩子舞林外传代码舞林外传代码-Memory base address read HOOK hook code dance dance Lin Lin rumor rumored code
Date : 2026-01-11 Size : 513kb User : QQ316118740
[Hook api] object-hook DL : 0: 信息隐藏亮点之一：将rootkit作为资源隐藏于用户模式程序之中亮点之二：将这个用户程序代码作为生成密钥的引子，可以有效地防止逆向后，隐藏信息被纰漏，因为只有逆向后生成的代码，跟原作者的代码丝毫不差，将来才能打开其隐藏至深的下载者链接及代码。亮点之三：用一个固定的KEY，通过某种运算，产生出1024个密钥组成的数组。然后用这个密钥组与用户代码进行运算，最终生成一个4字节的解码KEY。利用解码KEY，在从加载到内存的驱动中，找出隐藏在其资源中的那份肮脏的下载者代码及名单解析出来，返回用户程序，用户程序用它来做坏事，并且最后还要把痕迹擦得一干二净。亮点之四：修改idt 0e号中断，让他指向一个无效地址，从而在调试的时候让你蓝屏，起到反调试的功能。-nformation hiding one of the highlights: the rootkit as a resource hidden in the user program into Highlights of the two: the user code will be generated key as a primer, can effectively prevent the reverse, the hidden information is flawed, because only generated after reverse Code, the code with the original author no less, to open its hidden deep in the future who download link and code. Highlight three: with a fixed KEY, by some calculations, to produce an array of keys 1024. Then use this key group and the user code operation, and ultimately generate a 4-byte decoding KEY. By decoding KEY, loaded into memory from the drive, find hidden in their share of dirty resources The list of those who download the code and parse out and return the user program, the user program to do bad things with it, and finally But also to trace polished completely. Highlights of the four: No change idt 0e interrupted, so that he points to an invalid address, so when debugging your blue s
Date : 2026-01-11 Size : 11kb User : wu
[Hook api] SYSENTER-hook DL : 0: SYSENETER是一条汇编指令，它是在Pentium® II 处理器及以上处理器中提供的，是快速系统调用的一部分。SYSENTER/SYSEXIT这对指令专门用于实现快速调用。在这之前是采用INT 0x2E来实现的。INT 0x2E在系统调用的时候，需要进行栈切换的工作。由于Interrupt/Exception Handler的调用都是通过 call/trap/task这一类的gate来实现的，这种方式会进行栈切换，并且系统栈的地址等信息由TSS提供。这种方式可能会引起多次内存访问（来获取这些切换信息），因此，从PentiumII开始，IA-32引入了新指令：SYSENTER/SYSEXIT。有了这两条指令，从用户级到特权级的堆栈以及指令指针的转换，可以通过这一条指令来实现，并且，需要切换到的新堆栈的地址，以及相应过程的第一条指令的位置，都有一组特殊寄存器来实现，这类特殊寄存器在IA-32中称为MSR(Model Specific Register)。这里牵涉到3个特殊寄存器-SYSENETER is a compilation of instructions, it is in the Pentium ® II processor or above processor provided as part of a fast system calls. SYSENTER/SYSEXIT This specialized instruction For fast calls. Before this is achieved using INT 0x2E. INT 0x2E in the system call when the work required to switch the stack. The Interrupt/Exception Handler s Calls through call/trap/task to implement this type of gate, and in this way would be to switch the stack and system stack address and other information provided by the TSS. This approach may lead to memory access times Q (to obtain the switching information), therefore, start from the PentiumII, IA-32 introduces a new command: SYSENTER/SYSEXIT. With these two instructions, From the user level to privilege level of the stack and instruction pointer conversion, achieved through the instructions, and the need to switch to the new stack address, and the corresponding bits in the first instruction of the process Home, there is a spec
Date : 2026-01-11 Size : 30kb User : wu
[Hook api] SevenElevate DL : 0: 远程线程插入（注入）技术指的是通过在另一个进程中创建远程线程的方法进入目标进程的内存地址空间。将木马程序以DLL的形式实现后，需要使用插入到目标进程中的远程线程将该木马DLL插入到目标进程的地址空间，即利用该线程通过调用Windows API LoadLibrary函数来加载木马DLL，从而实现木马对系统的侵害-Remote thread into the (injection) technology refers to the process by another method of creating a remote thread into the target process memory address space. Trojans will be implemented as a DLL, you need to insert into the target process using remote thread in the Trojan DLL into the target process' s address space, namely the use of the thread by calling the Windows API LoadLibrary function to load the Trojan DLL, in order to achieve the system against Trojan
Date : 2026-01-11 Size : 9.53mb User : mralex
[Hook api] IE_HookTest DL : 0: 对IE进行HOOK，通过读取IE进程内存方式修改改写内存方式修改数据包或者地址，某公司病毒式推广曾采取这种方式-IE HOOK, IE read through the process of memory overwrite memory modify modify data packets or address, a viral promotion has taken this way
Date : 2026-01-11 Size : 3.78mb User : zhp21
[Hook api] IATHook DL : 0: ring3下的IAT HOOK,IAT是一个IMAGE_THUNK_DATAj结构的数组。只要程序装载进内存中，就只与IAT查询信息，所以可见IAT表是一个非常重要的位置。如果在IAT表中把某个函数的地址修改为钩子函数的地址，当调用到函数的时候，就会执行到该钩子函数中去 -the ring3 under IAT HOOK, IAT is a IMAGE_THUNK_DATAj structure array. As long as the program is loaded into memory, it is only with the IAT query information, it shows the IAT table is a very important position. IAT table, the address of a function to modify the hook function address, when the call to the function will be executed to the hook function
Date : 2026-01-11 Size : 1kb User : 陈峰
[Hook api] asked DL : 0: delphi版网络游戏问道找call找基址内存外挂-delphi version of the online game and asked to find call to find the base address of memory plug
Date : 2026-01-11 Size : 479kb User : 周浩
[Hook api] ncxgq DL : 0: 内存修改，可查看系统所有进程也可修改指定进程ID内存地址-Modify memory, can modify the specified process memory address ID
Date : 2026-01-11 Size : 12kb User : 李涛
[Hook api] my_VBHOOKAPItest DL : 0: 能成功的拦截目标API在内存中的地址,打开被拦截程序内存,将API地址首字节换成汇编指令RET[返回]-To find an intercept of the target API address in memory, open the interception program memory, the API address of the first byte into assembly instructions RET[returns]
Date : 2026-01-11 Size : 3kb User : zhang