UTM4XP

Category: Driver programming
Development tool: Visual Basic
File size: 1418KB
Downloads: 259
Upload date: 2010-01-05 21:33:18
Uploader: cogito
Description: A simple ARK (anti-rootkit) source. Includes process/thread operations, hidden process detection, SSDT and Shadow SSDT hook viewing, and so on.
(An anti-rootkit tool)

File list:
!FPLG\Shadow SSDT\CIcyListView.cls (50864, 2009-04-20)
!FPLG\Shadow SSDT\frmMain.frm (5811, 2009-07-07)
!FPLG\Shadow SSDT\frmMain.frx (3786, 2009-07-07)
!FPLG\Shadow SSDT\mdlDisasm.bas (9725, 2009-04-18)
!FPLG\Shadow SSDT\mdlDumpKernelMemory.bas (1797, 2009-04-19)
!FPLG\Shadow SSDT\mdlPortableExecutable.bas (7839, 2009-04-19)
!FPLG\Shadow SSDT\mdlShadowSSDT.bas (7615, 2009-04-19)
!FPLG\Shadow SSDT\MSSCCPRJ.SCC (196, 2009-06-21)
!FPLG\Shadow SSDT\print scr.jpg (482247, 2009-05-03)
!FPLG\Shadow SSDT\Shadow SSDT.csi (3574, 2009-05-03)
!FPLG\Shadow SSDT\shadow ssdt.exe.manifest (803, 2009-01-21)
!FPLG\Shadow SSDT\Shadow SSDT.lvw (63488, 2009-04-18)
!FPLG\Shadow SSDT\Shadow SSDT.vbp (920, 2009-07-07)
!FPLG\Shadow SSDT\Shadow SSDT.vbw (249, 2009-07-21)
!FPLG\Shadow SSDT\Shadow.exe (155648, 2009-07-07)
!FPLG\Shadow SSDT\Shadow_SSDT.RES (77652, 2009-04-19)
!FPLG\SSDT\Dump.frm (2714, 2008-04-09)
!FPLG\SSDT\Dump.frx (12, 2008-04-09)
!FPLG\SSDT\List.frm (4920, 2009-07-21)
!FPLG\SSDT\List.frx (3786, 2009-07-21)
!FPLG\SSDT\MSSCCPRJ.SCC (189, 2009-06-21)
!FPLG\SSDT\SSDT.bas (13671, 2008-12-31)
!FPLG\SSDT\SSDT.exe (49152, 2009-07-21)
!FPLG\SSDT\ssdt.old\ASM.RES (127052, 2007-11-22)
!FPLG\SSDT\ssdt.old\Form1.frm (13695, 2009-07-21)
!FPLG\SSDT\ssdt.old\Form1.frx (3786, 2009-07-21)
!FPLG\SSDT\ssdt.old\HookViewer.vbp (1022, 2009-07-21)
!FPLG\SSDT\ssdt.old\HookViewer.vbw (264, 2009-07-21)
!FPLG\SSDT\ssdt.old\mFilePE.bas (5839, 2008-08-20)
!FPLG\SSDT\ssdt.old\mKernelModule.bas (2706, 2008-10-01)
!FPLG\SSDT\ssdt.old\mMapIntoMemory.bas (2756, 2008-04-19)
!FPLG\SSDT\ssdt.old\mMemoryControl.bas (7044, 2008-04-19)
!FPLG\SSDT\ssdt.old\mod_MapMemory.bas (12226, 2008-10-01)
!FPLG\SSDT\ssdt.old\mPeGetExports.bas (2087, 2008-04-22)
!FPLG\SSDT\ssdt.old\mProcess.bas (7903, 2009-07-05)
!FPLG\SSDT\ssdt.old\mSetStyle.bas (4424, 2008-10-01)
!FPLG\SSDT\ssdt.old\MSSCCPRJ.SCC (195, 2008-04-25)
!FPLG\SSDT\ssdt.old\mStrCheck.bas (1519, 2008-04-23)
!FPLG\SSDT\ssdt.old\SSDT.exe (212992, 2009-07-11)
!FPLG\SSDT\SSDT.vbp (764, 2009-07-21)
... ...

Attribute VB_Name = "mod_z_ReadMemory"

' Kernel-memory reader built on ZwSystemDebugControl (SysDbgCopyMemoryChunks_0, control code 8).
' Needs SeDebugPrivilege and is only serviced on Windows XP/2003; later versions
' reject this request class unless kernel debugging is enabled.
Private Declare Function ZwSystemDebugControl Lib "NTDLL" ( _
    ByVal ControlCode As Long, ByRef InputBuffer As Long, ByVal InputBufferLength As Long, _
    ByVal pOutputBuffer As Long, ByVal OutputBufferLength As Long, ByRef ReturnLength As Long) As Long
Private Declare Function lstrlen Lib "kernel32.dll" Alias "lstrlenA" (ByVal lpString As String) As Long

' Copies Length bytes from kernel address Address into the user buffer at Buffer.
' The three ByVal parameters are adjacent on the stack, so passing Address ByRef
' hands the kernel a 12-byte MEMORY_CHUNKS structure {Address, Buffer, Length}.
Public Function GetData(ByVal Address As Long, ByVal Buffer As Long, ByVal Length As Long) As Boolean
    Dim ReturnLength As Long
    ZwSystemDebugControl 8, Address, 12, 0, 0, ReturnLength
    If ReturnLength = Length Then GetData = True
End Function

' Reads one value (4 bytes by default) from kernel memory; returns 0 on failure.
Public Function ReadMemory(ByVal Address As Long, Optional ByVal Length As Long = 4) As Long
    Dim ret As Long
    GetData Address, VarPtr(ret), Length
    ReadMemory = ret
End Function

' EPROCESS.UniqueProcessId (offset 0x84 on Windows XP).
Public Function GetPIDByEPROCESS(ByVal lngEPROCESS As Long) As Long
    'May be False PID
    GetPIDByEPROCESS = ReadMemory(lngEPROCESS + 132)
End Function

' Follows EPROCESS.ThreadListHead (0x190) to the first ETHREAD by subtracting
' the offset of ETHREAD.ThreadListEntry (0x22C).
Public Function PsGetETHREADByEPROCESS(ByVal lngEPROCESS As Long) As Long
    PsGetETHREADByEPROCESS = ReadMemory(lngEPROCESS + &H190) - &H22C
End Function

' ETHREAD.Cid.UniqueProcess (0x1EC): the PID as recorded in the thread object.
Public Function PsGetTruePID(ByVal lngEPROCESS As Long) As Long
    PsGetTruePID = ReadMemory(PsGetETHREADByEPROCESS(lngEPROCESS) + &H1EC)
End Function

' Returns the image file name for an EPROCESS address by looking it up in
' frmMAIN.lvProc (SubItems(2) = EPROCESS as hex text, SubItems(3) = full image path).
Public Function GetIFNByEPROCESS(ByVal szEPROCESS As String) As String
    Dim i As Long, allURL As String
    Dim SnN() As String
    szEPROCESS = UCase(Trim("0x" & szEPROCESS))
    For i = 1 To frmMAIN.lvProc.ListItems.Count
        If szEPROCESS = UCase(Trim(frmMAIN.lvProc.ListItems(i).SubItems(2))) Then
            allURL = frmMAIN.lvProc.ListItems(i).SubItems(3)
        End If
    Next
    ' No match: Split("") yields an empty array and SnN(UBound(SnN)) would raise "Subscript out of range".
    If Len(allURL) = 0 Then Exit Function
    SnN = Split(allURL, "\")
    GetIFNByEPROCESS = SnN(UBound(SnN))
End Function

' Disabled helper; note that CopyMemory is not declared in this module.
'Public Function StringFromPtr(ByVal pString As Long) As String
'Dim Buff() As Byte, Length As Long
'Length = lstrlen(pString)
'If Length = 0 Then Exit Function
'ReDim Buff(Length - 1)
'CopyMemory VarPtr(Buff(0)), pString, Length
'StringFromPtr = StrConv(Buff, vbUnicode)
'End Function
