doer
Category: Antivirus
Development tool: C++ Builder
File size: 15KB
Downloads: 4
Upload date: 2010-11-30 13:58:14
Uploader: vivid_lee
Description: anti virus for different scanners to scan the files
File list:
doer (0, 2007-05-11)
doer\i386 (0, 2007-05-11)
doer\i386\loader.exe (3072, 2007-05-04)
doer\i386\tracer.sys (6144, 2007-05-11)
doer\tr1.exe (4608, 2007-05-10)
doer_src.zip (10028, 2010-11-16)
Dream Of Every Reverser
deroko of ARTeam
Usage:
- Use loader.exe to load the tracer engine. Then put tr1.exe in the folder
of your target, rename the target to unpackme.exe, run tr1.exe, and watch
the output in DebugView...
Theory and coding
To build a working r0 memory tracer, some rules must be defined:
- r3 memory is pageable
- there is no way to lock that memory
- a SwapContext hook is required
Ring 3 memory is pageable, so there are two ways of controlling access to it.
One is when the memory is paged out: in that case the P bit in the PTE is
set to 0, and when such a page is accessed IA-32 generates a page fault,
so access to this page can be tracked that way.
When the page is in memory, the P bit can't be used to track access from r3.
This is where the U/S bit is used: present pages are marked as supervisor,
so any access from r3 causes a page fault. The only task in the handler is
to set such pages back to user and return.
All of this is performed by hooking the int 0Eh handler.
The role of SwapContext is to clear and set breaks on memory which is not
paged out. During execution memory can be paged out/in, so to keep
everything under control, breaks are set on each execution of the traced process.
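As an added illustration (not deroko's code and not part of the doer archive), the constructed C model below shows the IA-32 PTE bits and #PF error-code bits this scheme relies on, and the decision the int 0Eh hook has to make for each fault; the names arm_page, disarm_page, pf_hook and demo_sequence are assumed, and nothing here touches real page tables.

```c
#include <stdint.h>
#include <stdio.h>

/* IA-32 non-PAE PTE bits used by the tracer (constructed model, not real page tables) */
#define PTE_P   (1u << 0)   /* Present */
#define PTE_US  (1u << 2)   /* 1 = user may access, 0 = supervisor only */
/* #PF error-code bits pushed by the CPU */
#define PF_ERR_P  (1u << 0) /* 1 = protection violation, 0 = page not present */
#define PF_ERR_US (1u << 2) /* 1 = access came from ring 3 */

typedef struct { uint32_t pte; int armed; } page_t;
enum { PASS_TO_ORIGINAL = 0, HANDLED_TRACE_HIT = 1, LOGGED_PAGED_OUT = 2 };

/* SwapContext-in: mark each present user page supervisor so r3 access faults */
void arm_page(page_t *pg) {
    if ((pg->pte & PTE_P) && (pg->pte & PTE_US)) { pg->pte &= ~PTE_US; pg->armed = 1; }
}
/* SwapContext-out: restore the original U/S bit so other code sees the real PTE */
void disarm_page(page_t *pg) {
    if (pg->armed) { pg->pte |= PTE_US; pg->armed = 0; }
}
/* int 0Eh hook: decide whether this fault belongs to the tracer */
int pf_hook(page_t *pg, uint32_t err, unsigned *hits) {
    if (!(err & PF_ERR_US)) return PASS_TO_ORIGINAL;    /* ring-0 fault: not traced */
    if (!(err & PF_ERR_P)) { (*hits)++; return LOGGED_PAGED_OUT; } /* P=0: log, let OS page in */
    if (pg->armed && !(pg->pte & PTE_US)) {             /* our U/S trap on a present page */
        (*hits)++; pg->pte |= PTE_US; pg->armed = 0;    /* set page back to user, return */
        return HANDLED_TRACE_HIT;
    }
    return PASS_TO_ORIGINAL;                            /* genuine r3 protection fault */
}
/* Constructed scenario: one present page, one paged-out page; count traced accesses */
unsigned demo_sequence(void) {
    page_t present = { PTE_P | PTE_US, 0 }, swapped = { 0, 0 };
    unsigned hits = 0;
    arm_page(&present); arm_page(&swapped);         /* only the present page gets armed */
    pf_hook(&present, PF_ERR_P | PF_ERR_US, &hits); /* r3 touches present page: hit, disarmed */
    pf_hook(&present, PF_ERR_P | PF_ERR_US, &hits); /* page is user again: not ours, passed on */
    pf_hook(&swapped, PF_ERR_US, &hits);            /* r3 touches paged-out page: hit via P=0 */
    pf_hook(&present, PF_ERR_P, &hits);             /* kernel-mode fault: ignored */
    disarm_page(&present);
    return hits;                                    /* 2 */
}
int main(void) { printf("traced accesses: %u\n", demo_sequence()); return 0; }
```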
- win2k3 is not supported
- MP systems are not supported
- systems running Kaspersky shit and other shitty AVs which patch your
system more than any known rootkit are not compatible with this
tracer. Don't like this? I don't care