doer

Category: Antivirus
Development tool: C++ Builder
File size: 15KB
Downloads: 4
Upload date: 2010-11-30 13:58:14
Uploader: vivid_lee
Description:  anti virus for different scanners to scan the files

File list:
doer (0, 2007-05-11)
doer\i386 (0, 2007-05-11)
doer\i386\loader.exe (3072, 2007-05-04)
doer\i386\tracer.sys (6144, 2007-05-11)
doer\tr1.exe (4608, 2007-05-10)
doer_src.zip (10028, 2010-11-16)

Dream Of Every Reverser
deroko of ARTeam

Usage:
- use loader.exe to load the tracer engine; after that, put tr1.exe in the folder of your target, rename the target to unpackme.exe, run tr1.exe, and watch the output in DebugView.

Theory and coding

To make a working r0 memory tracer, some rules must be defined:
- r3 memory is pageable; there is no way to lock that memory
- a SwapContext hook is required

Ring3 memory is pageable, so there are two ways of controlling access to it. The first applies when the memory is paged out: in that case the P bit in the PTE is 0, and when such a page is accessed IA-32 generates a page fault, so access to that page can be tracked that way. When the page is in memory, the P bit cannot be used to track access from r3. This is where the U/S bit comes in: present pages are marked as supervisor, so any access from r3 causes a page fault. The only work left in the handler is to set such pages back to user and return, so the faulting instruction re-executes. All of this is done by hooking the int 0e handler.

The role of the SwapContext hook is to clear and set the breaks on memory which is not paged out. During execution, memory can be paged out and in, so to keep everything under control the breaks are set each time the traced process is scheduled for execution.

- win2k3 is not supported
- MP systems are not supported
- systems running Kaspersky shit and other shitty AVs, which patch your system more than any known rootkit, are not compatible with this tracer. Don't like this? I don't care.
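The two-bit mechanism described above (P=0 pages fault on their own; present pages get U/S cleared so ring 3 faults, the int 0e hook logs the hit, restores U/S and returns; the SwapContext hook re-arms the breaks on every switch-in) can be walked through without loading a driver. The following is an added user-mode model written for this page, not deroko's tracer.sys code: the page table is a four-entry array, the "CPU" and the "OS pager" are a few lines of C, and the names tracer_reset, map_page, arm_breaks, disarm_breaks, pf_hook, r3_access, hits_on and faults_passed_to_os are the model's own. The bit positions are architectural IA-32 facts: PTE bit 0 is P and bit 2 is U/S; in the #PF error code bit 0 is set for a protection violation on a present page (clear for a not-present fault) and bit 2 is set when the fault came from ring 3.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IA-32 PTE bits used by the technique. */
#define PTE_P   (1u << 0)   /* Present */
#define PTE_US  (1u << 2)   /* User/Supervisor: 1 = ring 3 may access */

/* #PF error-code bits pushed by the CPU. */
#define PF_PROT (1u << 0)   /* 1 = violation on a present page, 0 = page not present */
#define PF_USER (1u << 2)   /* 1 = fault raised while executing in ring 3 */

#define NPAGES 4

/* Toy page table of the traced process (constructed for this model, not real memory). */
static uint32_t pte[NPAGES];
static bool     armed[NPAGES];   /* tracer cleared U/S on this page */
static int      hits[NPAGES];    /* traced ring-3 accesses per page */
static int      passed_to_os;    /* faults forwarded to the original int 0e handler */

void tracer_reset(void) {
    memset(pte, 0, sizeof pte);
    memset(armed, 0, sizeof armed);
    memset(hits, 0, sizeof hits);
    passed_to_os = 0;
}

/* present=true: page is in memory with user access; false: paged out (P=0). */
void map_page(int page, bool present) {
    pte[page] = present ? (PTE_P | PTE_US) : 0;
    armed[page] = false;
}

/* SwapContext hook, traced process switched in: every present page gets U/S=0 so
   the next ring-3 touch faults. Paged-out pages (P=0) fault on their own anyway. */
void arm_breaks(void) {
    for (int i = 0; i < NPAGES; i++) {
        if (pte[i] & PTE_P) { pte[i] &= ~PTE_US; armed[i] = true; }
        else                 armed[i] = false;
    }
}

/* SwapContext hook, traced process switched out: put U/S back so nothing else
   inherits the breaks. */
void disarm_breaks(void) {
    for (int i = 0; i < NPAGES; i++)
        if (armed[i]) { pte[i] |= PTE_US; armed[i] = false; }
}

/* int 0e hook. Returns true if the tracer consumed the fault (return straight to
   the faulting instruction), false if it must be passed to the OS handler. */
bool pf_hook(int page, uint32_t err) {
    if (!(err & PF_USER)) { passed_to_os++; return false; }   /* ring-0 fault: not ours */
    if (!(err & PF_PROT)) {
        /* Not-present fault from ring 3: log the access, let the OS page it in. */
        hits[page]++;
        passed_to_os++;
        return false;
    }
    if (armed[page]) {
        /* Our U/S break: log, give ring 3 the page back, re-execute. */
        hits[page]++;
        pte[page] |= PTE_US;
        armed[page] = false;
        return true;
    }
    passed_to_os++;   /* a real protection fault we did not cause, e.g. write to read-only */
    return false;
}

/* Model of the OS pager bringing a page in after a not-present fault. */
static void os_page_in(int page) { pte[page] |= PTE_P | PTE_US; }

/* Simulated ring-3 access. Returns true if the tracer logged it. */
bool r3_access(int page) {
    int before = hits[page];
    uint32_t p = pte[page];
    if (!(p & PTE_P)) {
        if (!pf_hook(page, PF_USER)) os_page_in(page);
    } else if (!(p & PTE_US)) {
        pf_hook(page, PF_USER | PF_PROT);
    }
    /* the faulting instruction re-executes and now succeeds */
    return hits[page] != before;
}

int hits_on(int page)          { return hits[page]; }
int faults_passed_to_os(void)  { return passed_to_os; }

int main(void) {
    tracer_reset();
    map_page(0, true);    /* present */
    map_page(1, false);   /* paged out */
    arm_breaks();
    bool a = r3_access(0);
    bool b = r3_access(0);
    printf("page0: first access traced=%d, second traced=%d\n", a, b);
    arm_breaks();         /* next SwapContext re-arms */
    printf("page0 after SwapContext: traced=%d\n", r3_access(0));
    bool c = r3_access(1);
    bool d = r3_access(1);
    printf("page1 (paged out): traced=%d via not-present fault, then %d\n", c, d);
    return 0;
}
```

The model makes the gap in the scheme visible: once a page has faulted and had U/S restored, further ring-3 touches of it are invisible until the next SwapContext re-arms the breaks, and a page the OS has just paged in comes back with U/S=1 for the same reason. That is exactly why the README insists the SwapContext hook is required and why the tracer sees one hit per page per time-slice rather than every access.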
