Search - sysenter


[Driver Develop] Kehook

Description: For hooks there are many options in ring3, and many more on the path from ring3 to ring0. Following the order in which an API call progresses, there is an opportunity to hook at every stage: int 2e or sysenter hook, SSDT hook, inline hook, IRP hook, object hook, IDT hook, and so on.
Platform: | Size: 1869824 | Author: 王小明 | Hits:

[assembly language] Hook

Description: This article explains hooks in three parts, ordered by difficulty: 1. User-mode hooks: IAT hook, DLL injection. 2. Kernel-mode hooks: SSDT hook, IDT hook, int 2e/sysenter hook. 3. Inline function hooks.
Platform: | Size: 14336 | Author: lee | Hits:

[Hook api] sysenter

Description: KiFastCallEntry hooking
Platform: | Size: 1024 | Author: DongHyun | Hits:

[OS program] ring0

Description: Checks for ring0 vulnerabilities in Windows kernels. Checked: 1. SYSENTER 2. IO Write Memory 3. Bus Write Memory 4. Reset CPU in ring0 5. Zero IDT
Platform: | Size: 9216 | Author: hamlo | Hits:

[Hook api] anti-ssdt

Description: Windows XP switches a call from ntdll.dll into the kernel via sysenter, which invokes KiFastCallEntry. KiFastCallEntry works by looking up the function address in the SSDT and jumping to it. So as long as you forge a copy of the original SSDT, SSDT hooks can be rendered ineffective.
Platform: | Size: 5120 | Author: 何耀彬 | Hits:

[Hook api] SYSENTER-hook

Description: SYSENTER is an assembly instruction provided on the Pentium® II and later processors as part of the fast system call mechanism. The SYSENTER/SYSEXIT pair of instructions exists specifically to implement fast calls. Before it, INT 0x2E was used. When INT 0x2E makes a system call it has to switch stacks: because interrupt/exception handlers are invoked through call/trap/task gates, this route performs a stack switch, with the system stack address and related information supplied by the TSS. That can cost several memory accesses (to fetch the switch information), so starting with the Pentium II, IA-32 introduced the new instructions SYSENTER/SYSEXIT. With these two instructions, the switch of stack and instruction pointer from user level to privileged level is done by a single instruction, and the address of the new stack to switch to, along with the location of the first instruction of the corresponding routine, are held in a set of special registers, which IA-32 calls MSRs (Model Specific Registers). Three special registers are involved here.
Platform: | Size: 30720 | Author: wu | Hits:

[OS program] kssd-rootkit

Description: Rootkit study notes from Kanxue (看雪学院). 1. Kernel hooks: for hooks there are many options in ring3, and many more on the path from ring3 to ring0. Following the order in which an API call progresses, there is an opportunity to hook at every stage: int 2e or sysenter hook, SSDT hook, inline hook, IRP hook, object hook, IDT hook, and so on.
Platform: | Size: 1652736 | Author: stars | Hits:

[Linux-Unix] vdso32-setup

Description: This file contains the needed initializations to support sysenter for Linux.
Platform: | Size: 4096 | Author: nerperjun | Hits:

[Other] rootkitjiance

Description: A simple rootkit detection program. It does not change the sysenter address; instead it works by writing jump code directly at the original sysenter address, which is really the same as an ordinary inline hook at the head of a function. This way rootkit detection tools will not consider sysenter to have changed (and in fact it has not changed).
Platform: | Size: 1024 | Author: 王辉 | Hits:
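The SYSENTER-hook entry above describes the MSRs that SYSENTER consults, and the rootkitjiance entry describes a detour that leaves IA32_SYSENTER_EIP alone and instead patches a jump into the first bytes of the handler the MSR points to. The C below is an added example, not code from either package: a user-mode model of the check a detector needs, which compares the MSR value against the expected KiFastCallEntry address and then inspects the bytes at that address for common detour patterns. The MSR value and the handler bytes are constructed inputs passed in as parameters (real code would obtain them with rdmsr and a kernel read); the addresses and the prologue bytes are placeholders, not real kernel values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The MSRs SYSENTER consults (Intel SDM names and numbers). Only ring0 can
 * read them (rdmsr, or __readmsr() in a driver); this user-mode model takes
 * the IA32_SYSENTER_EIP value as a parameter instead. */
#define IA32_SYSENTER_CS   0x174u
#define IA32_SYSENTER_ESP  0x175u
#define IA32_SYSENTER_EIP  0x176u

enum detour {
    DETOUR_NONE      = 0,
    DETOUR_JMP_REL32 = 1,   /* E9 rel32 */
    DETOUR_JMP_REL8  = 2,   /* EB rel8 */
    DETOUR_JMP_IND   = 3,   /* FF 25 disp32 : jmp dword ptr [disp32] */
    DETOUR_PUSH_RET  = 4,   /* 68 imm32 C3  : push imm32 ; ret */
    DETOUR_MOV_JMP   = 5    /* B8 imm32 FF E0 : mov eax, imm32 ; jmp eax */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect the first bytes of the handler that lives at code_va. On a hit,
 * *target receives where control is diverted (for FF 25 it is the address of
 * the pointer slot, since the pointee is not among the bytes we were given). */
enum detour detect_inline_detour(const uint8_t *code, size_t len,
                                 uint32_t code_va, uint32_t *target)
{
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        *target = code_va + 5 + rd32(code + 1);   /* rel32: uint32 wrap == signed add */
        return DETOUR_JMP_REL32;
    }
    if (len >= 2 && code[0] == 0xEB) {
        *target = code_va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
        return DETOUR_JMP_REL8;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        *target = rd32(code + 2);
        return DETOUR_JMP_IND;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        *target = rd32(code + 1);
        return DETOUR_PUSH_RET;
    }
    if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        *target = rd32(code + 1);
        return DETOUR_MOV_JMP;
    }
    return DETOUR_NONE;
}

#define CHECK_MSR_MOVED     1u   /* IA32_SYSENTER_EIP no longer points at KiFastCallEntry */
#define CHECK_INLINE_DETOUR 2u   /* the bytes at the MSR target begin with a detour */

/* Both checks together: a tool that stops after the MSR comparison misses
 * the technique described in the rootkitjiance entry. */
unsigned int check_sysenter_handler(uint32_t msr_eip, uint32_t expected_eip,
                                    const uint8_t *code, size_t len, uint32_t *target)
{
    unsigned int flags = 0;
    if (msr_eip != expected_eip)
        flags |= CHECK_MSR_MOVED;
    if (detect_inline_detour(code, len, msr_eip, target) != DETOUR_NONE)
        flags |= CHECK_INLINE_DETOUR;
    return flags;
}

/* Constructed sample data (placeholder addresses, not real kernel values):
 * the handler sits at HANDLER_VA; CLEAN is an unpatched prologue
 * (mov ecx,23h ; push 30h ; pop fs); PATCHED has its first 5 bytes replaced
 * by "jmp 0F7A12000h" while the MSR still points at HANDLER_VA. */
#define HANDLER_VA 0x80540A30u
#define ROOTKIT_VA 0xF7A12000u
static const uint8_t CLEAN[9]   = { 0xB9,0x23,0x00,0x00,0x00, 0x6A,0x30, 0x0F,0xA1 };
static const uint8_t PATCHED[9] = { 0xE9,0xCB,0x15,0x4D,0x77, 0x6A,0x30, 0x0F,0xA1 };

int main(void)
{
    uint32_t target;
    printf("clean:   flags=%u\n",
           check_sysenter_handler(HANDLER_VA, HANDLER_VA, CLEAN, sizeof CLEAN, &target));
    printf("patched: flags=%u target=%08X\n",
           check_sysenter_handler(HANDLER_VA, HANDLER_VA, PATCHED, sizeof PATCHED, &target), target);
    printf("moved:   flags=%u\n",
           check_sysenter_handler(ROOTKIT_VA, HANDLER_VA, CLEAN, sizeof CLEAN, &target));
    return 0;
}
```

On a real system each logical processor has its own copy of the SYSENTER MSRs, so the read has to be repeated with the thread pinned to each CPU (KeSetSystemAffinityThread in a driver); a rootkit that hooks a single core is missed otherwise. The prologue heuristic is only a first filter: a function that legitimately begins with a jmp trips it, and a detour placed a few instructions deep escapes it, so the next step is comparing the whole handler against the kernel image on disk.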

[OS program] ssdt

Description: Many people have heard of hooks, and many also know the kernel hooks: inline hook, sysenter hook, SSDT hook. What I have written this time is an SSDT hook: it changes the address of a system service function to the address of my callback. When I first wrote it I downloaded a dozen or so sources and all of them blue-screened; this one I debugged myself, and it works fine on XP.
Platform: | Size: 55296 | Author: jkjk | Hits:
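The anti-ssdt entry above (KiFastCallEntry indexes the SSDT with the service number and jumps through it, so a forged copy of the original table sidesteps entry-swapping hooks) and the ssdt entry (replacing a service address with a callback) describe the two sides of the same table. The C below is an added, user-mode model of that table, not code from either package: a dispatcher that bounds-checks the index as KiFastCallEntry does, a hook that swaps an entry, a detector that compares the live table with a pristine copy, and dispatch through the forged copy. Names such as live_ssdt, save_clean_ssdt and the three stand-in services are the model's own, not kernel symbols.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* User-mode model of the XP service table: ServiceTableBase is an array of
 * handler pointers indexed by the service number in EAX, and KiFastCallEntry
 * refuses any index >= NumberOfServices. */
typedef long (*service_fn)(long);

typedef struct {
    service_fn   *base;    /* ServiceTableBase */
    unsigned int  limit;   /* NumberOfServices */
} service_table_t;

#define SERVICE_COUNT 3

/* Stand-ins for three kernel services (constructed; real ones return NTSTATUS). */
static long nt_open(long handle) { return handle + 1; }
static long nt_read(long count)  { return count * 2; }
static long nt_query(long id)    { return id - 1; }

/* The "live" table that a rootkit patches. */
static service_fn live_entries[SERVICE_COUNT] = { nt_open, nt_read, nt_query };
static service_table_t live_ssdt = { live_entries, SERVICE_COUNT };

/* Forged "original" table: a private copy taken before any driver could hook. */
static service_fn clean_entries[SERVICE_COUNT];
static service_table_t clean_ssdt = { clean_entries, SERVICE_COUNT };

void save_clean_ssdt(void)
{
    memcpy(clean_entries, live_entries, sizeof clean_entries);
}

/* What KiFastCallEntry does after SYSENTER: bounds-check the service number,
 * then jump through the table. Returns -1 for an out-of-range index (the
 * kernel returns STATUS_INVALID_SYSTEM_SERVICE). */
long dispatch(const service_table_t *t, unsigned int index, long arg)
{
    if (index >= t->limit)
        return -1;
    return t->base[index](arg);
}

/* SSDT hook: swap one table entry for the rootkit's callback. */
static long hooked_read(long count)
{
    (void)count;
    return 0;              /* e.g. hide the data from the caller */
}

void install_ssdt_hook(unsigned int index, service_fn hook)
{
    if (index < SERVICE_COUNT)
        live_entries[index] = hook;
}

/* Detection: how many entries no longer match the pristine copy. */
int count_hooked_entries(void)
{
    int n = 0;
    for (unsigned int i = 0; i < SERVICE_COUNT; i++)
        if (live_entries[i] != clean_entries[i])
            n++;
    return n;
}

/* Anti-SSDT-hook: dispatch through the forged original instead of the live table. */
long dispatch_clean(unsigned int index, long arg)
{
    return dispatch(&clean_ssdt, index, arg);
}

/* What a restore tool does: put the pristine entries back. */
void restore_ssdt(void)
{
    memcpy(live_entries, clean_entries, sizeof live_entries);
}

int main(void)
{
    save_clean_ssdt();
    install_ssdt_hook(1, hooked_read);
    printf("live  read(21) = %ld\n", dispatch(&live_ssdt, 1, 21));  /* 0: hooked */
    printf("clean read(21) = %ld\n", dispatch_clean(1, 21));        /* 42 */
    printf("hooked entries = %d\n", count_hooked_entries());         /* 1 */
    restore_ssdt();
    printf("after restore  = %d\n", count_hooked_entries());         /* 0 */
    return 0;
}
```

Two caveats the entries leave implicit. The forged copy is only as good as the moment it was taken, so it has to be captured before third-party drivers load, or rebuilt from the kernel image on disk. And it only neutralises hooks that swap table entries: an inline hook inside the service body, or a hook on KiFastCallEntry or the SYSENTER MSR itself (the sysenter and rootkitjiance packages listed on this page), runs before or after the lookup and is unaffected. As for the blue screens the ssdt entry mentions, the usual cause on XP is writing to the table while its page is read-only; working hooks either clear CR0.WP around the write or map the table through an MDL.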

[Driver Develop] raoguosuoyouyonghudecengHOOK

Description: A. Analysis of how API functions work; B. Writing your own API functions; C. The SYSENTER instruction; D. Hard-coding with _emit; E. Emulating the FindWindow function.
Platform: | Size: 8192 | Author: 蔡中伟 | Hits:

[Linux-Unix] sysenter

Description: Code for the vDSO. This version uses the sysenter instruction.
Platform: | Size: 2048 | Author: pozuisj | Hits:

CodeBus www.codebus.net