Location:
Search - Shadow SSDT
Search list
Description: 一个演示如何hook shadow ssdt表的例子。
Platform: |
Size: 477658 |
Author: macro |
Hits:
Description: 一个演示如何hook shadow ssdt表的例子。
Platform: |
Size: 477184 |
Author: macro |
Hits:
Description: 1.恢复shadow ssdt
2.恢复
NtReadVirtualMemory
NtWriteVirtualMemory
NtOpenProcess
NtOpenThread
KiAttachProce-1.恢复shadow ssdt
2.恢复
NtReadVirtualMemory
NtWriteVirtualMemory
NtOpenProcess
NtOpenThread
KiAttachProcess
Platform: |
Size: 300032 |
Author: 傅碧波 |
Hits:
Description: 创建一个内核驱动,伪造一个ssdt表,使得ssdt钩子失效。-Create a kernel driver, forged a ssdt table, making failure ssdt hook.
Platform: |
Size: 72704 |
Author: john smith |
Hits:
Description: Ring0下恢复SSDT Shadow。-Restore SSDT Shadow.
Platform: |
Size: 19456 |
Author: ldf |
Hits:
Description: Ring0下恢复SSDT Shadow,是一个完整的VC工程,可以学习学习。-Ring0 resume SSDT Shadow
Platform: |
Size: 21504 |
Author: 李扬 |
Hits:
Description: 一般网上找到的都是需要Ring3传输需要补丁的地址过去...
002就是直接用最标准的方法进行SSDT定位以及修复的
支持多核系统,当然还有003(加入shadow ssdt hook),004(加入inline hook)
基本上是现在最稳定的恢复方式了,大家可以用KMDLoader测试.加载就脱钩.不需要通讯
-Generally find on the Internet are required Ring3 address transmission needs a patch in the past ... 002 is the direct use of most standard approach to SSDT locate and repair support for multi-core systems, of course, 003 (add shadow ssdt hook), 004 (adding inline hook) is basically the recovery is now the most stable way, and we can use KMDLoader test. loaded on decoupling. does not require communication
Platform: |
Size: 515072 |
Author: 按时飞 |
Hits:
Description: 一个简单ARK源码。包括进线程操作,隐藏进程检测,SSDT,SHADOW SSDT hook查看-An anti-rookit tool
Platform: |
Size: 1452032 |
Author: 韩挚同 |
Hits:
Description: SSDT 及 SSDT Shadow HOOK通用框架及保护模块-SSDT and the SSDT Shadow HOOK common framework and protection module
Platform: |
Size: 10240 |
Author: 小鱼 |
Hits:
Description: 1.进程、线程、进程模块、进程窗口、进程内存信息查看,热键信息查看,杀进程、杀线程、卸载模块等功能 2.内核驱动模块查看,支持内核驱动模块的内存拷贝 3.SSDT、Shadow SSDT、FSD、KBD、TCPIP、IDT信息查看,并能检测和恢复ssdt hook和inline hook 4.CreateProcess、CreateThread、LoadImage、CmpCallback、BugCheckCallback、Shutdown、Lego等Notify Routine信息查看,并支持对这些Notify Routine的删除 5.端口信息查看,目前不支持2000系统 6.查看消息钩子 7.内核模块的iat、eat、inline hook、patches检测和恢复 8.磁盘、卷、键盘、网络层等过滤驱动检测,并支持删除 9.注册表编辑 -1 process, thread, process modules, process window, process memory information viewing, hot information to view, kill the process, kill thread, unload the module and other functions 2 kernel driver module view, to support the kernel driver module memory copy 3.SSDT, Shadow SSDT, FSD, KBD, TCPIP, IDT information view, and can detect and recover ssdt hook and inline hook 4.CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego, etc. Notify Routine Information check, and to support their Notify Routine Delete 5 port information view, the current system does not support 2000 6 view news hook 7 kernel module iat, eat, inline hook, patches detection and recovery 8 disk, volume, keyboard, network layer filter driver detect, and support for the deletion 9. Registry Editor
Platform: |
Size: 3696640 |
Author: 接收 |
Hits:
Description: Hook 了以下函数:
NtUserFindWindowEx FindWindow
NtUserGetForegroundWindow GetForegroundWindow
NtUserQueryWindow GetWindowThreadProcessId
NtUserWindowFromPoint WindowFromPoint
NtUserBuildHwndList EnumWindows
NtUserSetWindowLong SetWindowLong
经XP/Win 2003/Vista/Win7测试可用. 获取ShadowTable表的方法是自己调试出来的玩意,不太清楚稳定性.
-Hook the following functions: NtUserFindWindowEx FindWindow NtUserGetForegroundWindow GetForegroundWindow NtUserQueryWindow GetWindowThreadProcessId NtUserWindowFromPoint WindowFromPoint NtUserBuildHwndList EnumWindows NtUserSetWindowLong SetWindowLong after XP/Win 2003/Vista/Win7 test available. Ways to get ShadowTable table out of their own debugging stuff, is not clear stability if the instability can go online to find a way to get ShadowTable.
Platform: |
Size: 384000 |
Author: TianSin |
Hits:
Description: Hook SSDT shadow 示例,首先找到csrss进程然后attach,最后修改ssdt shadow table-Hook SSDT shadow sample, first find the csrss process then attach, last modified ssdt shadow table
Platform: |
Size: 17408 |
Author: 顺口溜 |
Hits:
Description: 这份是重载内核,知道重载内核能干什么了,基本所有的ssdt和shadow ssdt都能恢复,神马hook之类的弱爆了-This is overloaded kernel know to reload the kernel can do the basic the all ssdt and shadow ssdt, will recover, of Shenma hook like a weak burst
Platform: |
Size: 32768 |
Author: 王涛 |
Hits:
Description: 易语言 ssdt shadow hook 保护窗口,挂钩多个函数,兼容X86 XP~2008所有32位操作系统。包含调用和驱动源代码,使用sys边源包可编译-The easy language ssdt shadow hook Protection window, linked to more than one function, compatible with X86 XP ~ 2008 all 32-bit operating system. Contains call and driver source code can be compiled to use sys side source package
Platform: |
Size: 384000 |
Author: 学俊 |
Hits:
Description: 里面有
SSDTHOOK
Shadow SSDT HOOK
内存读写
等等自己看去
-SSDTHOOK
Shadow SSDT HOOK
Platform: |
Size: 19456 |
Author: 四大皆 |
Hits:
Description: 获取shadow SSDT 当前地址 用于修改驱动-Get shadow SSDT address is used to modify the current drive
Platform: |
Size: 2048 |
Author: 蔡生 |
Hits:
Description: 遍历shadow ssdt 的代码 会win窗体HOOK 很有帮助-Traverse shadow ssdt code will win form HOOK helpful
Platform: |
Size: 8547328 |
Author: 4444 |
Hits:
Description: 用vc软件编写Shadow SSDT服务函数原始地址-Shadow SSDT service function of the original address
Platform: |
Size: 81920 |
Author: 啊平 |
Hits:
Description: hook shadow ssdt keylogger - sth like regin code
Platform: |
Size: 296960 |
Author: mohsen |
Hits:
Description: 1.进程、线程、进程模块、进程窗口、进程内存信息查看,杀进程、杀线程、卸载模块等功能
2.内核驱动模块查看,支持内核驱动模块的内存拷贝
3.SSDT、Shadow SSDT、FSD、KBD、TCPIP、Classpnp、Atapi、Acpi、SCSI、IDT、GDT信息查看,并能检测和恢复ssdt hook和inline hook
4.CreateProcess、CreateThread、LoadImage、CmpCallback、BugCheckCallback、Shutdown、Lego等Notify Routine信息查看,并支持对这些Notify Routine的删除
5.端口信息查看,目前不支持2000系统
6.查看消息钩子
7.内核模块的iat、eat、inline hook、patches检测和恢复
8.磁盘、卷、键盘、网络层等过滤驱动检测,并支持删除(1. process, thread, process module, process window, process memory information view, kill process, kill thread, unload module and so on
2. kernel driver module view, support the memory module of the kernel driver module
3.SSDT, Shadow, SSDT, FSD, KBD, TCPIP, Classpnp, Atapi, Acpi, SCSI, IDT, GDT, information view, and can detect and restore SSDT, hook and inline hook
4.CreateProcess, CreateThread, LoadImage, CmpCallback, BugCheckCallback, Shutdown, Lego and other Notify Routine information view, and support for the deletion of these Notify Routine
5. port information, currently 2000 systems are not supported
6. view message hook
7. kernel module of IAT, eat, inline, hook, patches detection and recovery
8. disk, volume, keyboard, network layer filter driver detection, and support deletion)
Platform: |
Size: 6559744 |
Author: aa77ss55dd
|
Hits: