Search - API hook driver

Search list

[Driver Develop] NdisHookDrv

Description: A driver that intercepts network packets. Unlike the NDIS intermediate driver described in the DDK documentation, it is implemented by hooking the kernel NDIS API. I have heard that Norton also uses this method.
Platform: | Size: 279618 | Author: helwjh | Hits:

[Driver Develop] ExcpHookMonitor_0.0.4

Description: ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (of Team Vexillium). It uses a ring0 driver to hook the KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program ofc). The difference between this method and the standard debug API method is that this method monitors all of XP processes, and the program does not have to attach to any other process to monitor it, hence it's harder to detect. The code currently is considered as ALPHA, and it has been reported to BSoD sometimes (on multi core/cpu machines). Take Care!
Platform: | Size: 54007 | Author: 张京 | Hits:

[Hook api] c_api_hook

Description: A program for NT, written as a driver, that intercepts API function calls.
Platform: | Size: 110592 | Author: 站长 | Hits:

[Driver Develop] NdisHookDrv

Description: A driver that intercepts network packets. Unlike the NDIS intermediate driver described in the DDK documentation, it is implemented by hooking the kernel NDIS API. I have heard that Norton also uses this method.
Platform: | Size: 279552 | Author: helwjh | Hits:

[Hook api] PRMonitor

Description: This is a very good example of kernel-level API hooking. To see it in action, the bin folder contains a compiled program. Kernel monitoring is not implemented; process and registry monitoring are complete. The code definitely compiles successfully. Because the code in hookzwcreateprocess is device-driver code, setting up the build environment is fairly complicated, so the archive also includes a short tutorial on setting up a device-driver development environment in VC 6.0, along with a sample. Note: this program runs under XP; under 2000 it causes a blue screen.
Platform: | Size: 81920 | Author: zhenbiao | Hits:

[Driver Develop] ExcpHookMonitor_0.0.4

Description: ExcpHook is an open source (see license.txt) Exception Monitor for Windows made by Gynvael Coldwind (of Team Vexillium). It uses a ring0 driver to hook the KiExceptionDispatch procedure to detect the exceptions, and then shows information about the exception on stdout (using the ring3 part of the program ofc). The difference between this method and the standard debug API method is that this method monitors all of XP processes, and the program does not have to attach to any other process to monitor it, hence it's harder to detect. The code currently is considered as ALPHA, and it has been reported to BSoD sometimes (on multi core/cpu machines). Take Care!
Platform: | Size: 53248 | Author: 张京 | Hits:

[Hook api] shuziqianming_D7

Description: Open Start, Run and enter sigverif; checking the digital signature tells you whether a file is from MS. Verification of an application or driver is mainly implemented with the Win32 API WinVerifyTrust. If that API has been hooked, is there another way to verify whether an application or driver is signed by Microsoft? If only the IAT has been hooked, the function can be called directly through a function pointer. If the function prologue has been overwritten with a jmp, as Detours does, the machine code of the prologue can be restored by reading the location of the WinVerifyTrust implementation in WinTrust.dll. I am not sure whether using CryptoAPI together with a specified Microsoft certificate would be somewhat better and harder to spoof. If you are worried about the API call being hooked, write the verification code yourself; using openssl should make that easier.
Platform: | Size: 200704 | Author: 齐欢乐 | Hits:

[Hook api] DriverShared

Description: Source code for a driver-level hook written in assembly, suitable for driver-level hook interception.
Platform: | Size: 54272 | Author: dawin | Hits:

[VC/MFC] RgnTst

Description: A template class for multidimensional regions of any coordinate type. A couple of years ago, I had to write a sort of a video hook driver. And there, I needed (among other things) to handle region operations, such as finding intersections, subtracting, joining regions, etc. There's support for such regions in the Win32 API. Functions for manipulating regions are CreateRectRgn, CreateEllipticRgn, EqualRgn, GetRgnBox, OffsetRgn, CombineRgn, etc. This API is pretty ugly and uncomfortable, in my opinion. Its implementation is concealed, and you have to mess with handles (HRGN) to work with it. When you need, for instance, to find an intersection of two regions, you have to create a new empty region handle, and then "fill" it with the intersection. That is:
Platform: | Size: 18432 | Author: 胡八 | Hits:

[Hook api] APIHook

Description: A PDF manual on API interception. It explains Injection and IAT HOOK together with implementation code, and also covers the driver-layer HOOK part.
Platform: | Size: 129024 | Author: jibagan | Hits:

[Hook api] DLL

Description: Source code for driver-level DLL injection. Includes system compatibility checks, driver-based DLL injection, and API HOOK techniques, and provides an application-layer test.
Platform: | Size: 75776 | Author: 东东 | Hits:

[OS program] XueTr

Description:
1. View processes, threads, process modules, process windows, and process memory information; view hotkey information; kill processes, kill threads, unload modules, and similar functions.
2. View kernel driver modules, with support for memory copy of kernel driver modules.
3. View SSDT, Shadow SSDT, FSD, KBD, TCPIP, and IDT information, and detect and restore SSDT hooks and inline hooks.
4. View Notify Routine information such as CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, and Lego, with support for deleting these Notify Routines.
5. View port information; the 2000 system is currently not supported.
6. View message hooks.
7. Detect and restore IAT, EAT, inline hooks, and patches in kernel modules.
8. Detect filter drivers for disk, volume, keyboard, network layer, and so on, with support for deletion.
9. Registry editing.
Platform: | Size: 3696640 | Author: 接收 | Hits:

[Hook api] APIH00k

Description: General framework of an API hook system. The process of intercepting API calls is usually called installing an API hook. An API hook basically consists of two modules: a hook server (Hook Server) module, usually in the form of an EXE, and a hook driver (Hook Driver) module, usually in the form of a DLL. The hook server is mainly responsible for injecting the hook driver into the target process so that the hook driver runs in the target process's address space; this is the critical first step. The hook driver is responsible for the actual API interception, so that the desired work can be done before or after calls to the API functions of interest. A fairly common example of an API hook is a feature essential to some real-time translation software (such as 金山词霸, Kingsoft PowerWord): on-screen word capture. It mainly intercepts some GDI functions in the Win32 API, obtains the strings in their input parameters, and then displays them in its own window. For these two parts of an API hook, two points need particular consideration: which DLL injection technique to use, and which API interception mechanism to adopt. This article comes from 黑基网, "China's largest network security site". Original link: file:///C:/Documents 20and 20Settings/jingtianzi/桌面/最新资料/黑客编程:hook系统函数-学院-黑基网.mht
Platform: | Size: 555008 | Author: 刘永 | Hits:

[VC/MFC] remoteDesktop_GDI32_mirrorDriver

Description: Screen recording, remote desktop transmission, screen capture based on the Windows graphics driver, api hook, win32 gdi, mirrorDriver.
Platform: | Size: 19456 | Author: 楚云姬 | Hits:

[Internet-Network] WFP_CactiWall

Description: Design and implementation of a network firewall based on the WFP model. WFP (Windows Filter Platform) is a set of APIs and system services that supports a platform for developing network filtering applications. WFP allows developers to write code that interacts with the operating system's network protocol stack. Network data can be filtered and modified before it reaches its destination. By providing a simple development platform, WFP is used to replace the earlier TDI filters, NDIS filters, and LSP (Winsock Layered Service). On Vista and later systems, firewall hook and filter hook drivers no longer apply.
Platform: | Size: 350208 | Author: 注册会员 | Hits:

[Printing program] PrintWithOutWindow

Description: This program demonstrates printing from the IE DOM using the system default printer, while using API hooking to block and hide the pop-up windows shown by the printer driver during printing and passing in default parameters, so that printing is fully automatic.
Platform: | Size: 9466880 | Author: 周浩 | Hits:

[Driver Develop] HOOK-API

Description: Courseware from teacher 寒江 (Hanjiang). It is posted separately so that entry-level driver programmers can quickly understand how a driver hooks the SSDT and how a Windows application makes a simple call to a driver interface. The code is not original, but it is one of the simplest and clearest walkthroughs I have seen, and it is very well suited to programmers who are new to drivers. If you need it, download it now.
Platform: | Size: 212992 | Author: pigshuai | Hits:

CodeBus www.codebus.net