SoftIce_Service_Hider_by_deroko

Category: Windows programming
Development tool: Visual C++
File size: 771KB
Downloads: 4
Upload date: 2012-11-24 17:26:09
Uploader: qq399599204
Description: SoftIce_Service_Hider_by_deroko, source code of the service-hiding technique used with SoftICE

File list:
softice_service_hider\ARTeam.esfv (1845, 2008-08-06)
softice_service_hider\detect_sice\detect_sice\detect_sice.cpp (1718, 2008-08-05)
softice_service_hider\detect_sice\detect_sice\detect_sice.vcproj (4241, 2008-08-05)
softice_service_hider\detect_sice\detect_sice\detect_sice.vcproj.BLABLA-1B08C86E.blabla.user (1433, 2008-08-05)
softice_service_hider\detect_sice\detect_sice\stdafx.cpp (298, 2008-08-02)
softice_service_hider\detect_sice\detect_sice\stdafx.h (400, 2008-08-02)
softice_service_hider\detect_sice\detect_sice.sln (898, 2008-08-02)
softice_service_hider\hide_sice\dbghelp.dll (377856, 2008-06-22)
softice_service_hider\hide_sice\detect_sice.exe (57344, 2008-08-05)
softice_service_hider\hide_sice\hook_services.exe (77824, 2008-08-05)
softice_service_hider\hide_sice\hook_services_dll.dll (53248, 2008-08-05)
softice_service_hider\hide_sice\symsrv.dll (113664, 2008-06-22)
softice_service_hider\hook_services\hook_services\asm_loader.asm (7424, 2008-08-05)
softice_service_hider\hook_services\hook_services\hook_services.cpp (4062, 2008-08-05)
softice_service_hider\hook_services\hook_services\hook_services.vcproj (4764, 2008-08-05)
softice_service_hider\hook_services\hook_services\hook_services.vcproj.BLABLA-1B08C86E.blabla.user (1433, 2008-08-05)
softice_service_hider\hook_services\hook_services\ldex86bin.inc (5164, 2006-07-12)
softice_service_hider\hook_services\hook_services\setprivilege.cpp (1243, 2008-08-05)
softice_service_hider\hook_services\hook_services\stdafx.cpp (300, 2008-08-05)
softice_service_hider\hook_services\hook_services\stdafx.h (1028, 2008-08-05)
softice_service_hider\hook_services\hook_services\SymbolFind.cpp (4379, 2008-08-05)
softice_service_hider\hook_services\hook_services\SymbolFind.h (1208, 2008-07-18)
softice_service_hider\hook_services\hook_services\windows.inc (1127716, 2006-03-08)
softice_service_hider\hook_services\hook_services.sln (904, 2008-08-05)
softice_service_hider\hook_services_dll\hook_services_dll\hook_services_dll.cpp (4131, 2008-08-05)
softice_service_hider\hook_services_dll\hook_services_dll\hook_services_dll.def (280, 2008-08-05)
softice_service_hider\hook_services_dll\hook_services_dll\hook_services_dll.vcproj (4859, 2008-08-05)
softice_service_hider\hook_services_dll\hook_services_dll\hook_services_dll.vcproj.BLABLA-1B08C86E.blabla.user (1407, 2008-08-05)
softice_service_hider\hook_services_dll\hook_services_dll\stdafx.cpp (304, 2008-08-05)
softice_service_hider\hook_services_dll\hook_services_dll\stdafx.h (1358, 2008-08-05)
softice_service_hider\hook_services_dll\hook_services_dll.sln (916, 2008-08-05)
softice_service_hider\detect_sice\detect_sice\Release (0, 2008-08-08)
softice_service_hider\hook_services\hook_services\Release (0, 2008-08-08)
softice_service_hider\hook_services_dll\hook_services_dll\Release (0, 2008-08-08)
softice_service_hider\detect_sice\detect_sice (0, 2008-08-08)
softice_service_hider\hook_services\hook_services (0, 2008-08-08)
... ...

Hooking Services.exe to hide softice

To be honest, this tool was developed only because I was bored of writing inline hooks for targets which use advapi32.dll exports to query if SoftICE is active, but you may use the code to hide different kinds of services, instead of hiding SoftICE.

RPC is used to operate services on Windows. Most of the client-side code is implemented in advapi32.dll. The server-side code, however, is implemented in services.exe. Here is an example of the OpenServiceA export from advapi32.dll:

    .text:77DF4C4D    push    eax
    .text:77DF4C4E    push    [ebp+dwDesiredAccess]
    .text:77DF4C51    push    [ebp+lpServiceName]
    .text:77DF4C54    push    [ebp+hscm]
    .text:77DF4C57    call    _ROpenServiceA@16           ; ROpenServiceA(x,x,x,x)

This will end up in NdrClientCall2:

    .text:77DF4C89 _ROpenServiceA@16 proc near
    .text:77DF4C89    mov     edi, edi
    .text:77DF4C8B    push    ebp
    .text:77DF4C8C    mov     ebp, esp
    .text:77DF4C8E    lea     eax, [ebp+4]
    .text:77DF4C91    add     eax, 4
    .text:77DF4C94    push    eax
    .text:77DF4C95    push    offset unk_77DE689E         ; pFormat
    .text:77DF4C9A    push    offset stru_77DE1F60        ; pStubDescriptor
    .text:77DF4C9F    call    _NdrClientCall2
    .text:77DF4CA4    add     esp, 0Ch
    .text:77DF4CA7    pop     ebp
    .text:77DF4CA8    retn    10h

Now we switch into services.exe, where we find the same names as above (_ROpenServiceA@16) in the RPC dispatch table:

    .text:0100188C    dd offset _ROpenSCManagerA@16           ; ROpenSCManagerA(x,x,x,x)
    .text:01001890    dd offset _ROpenServiceA@16             ; ROpenServiceA(x,x,x,x)
    .text:01001894    dd offset _RQueryServiceConfigA@16      ; RQueryServiceConfigA(x,x,x,x)
    .text:010018***   dd offset _RQueryServiceLockStatusA@16  ; RQueryServiceLockStatusA(x,x,x,x)
    .text:0100189C    dd offset _RStartServiceA@12            ; RStartServiceA(x,x,x)
    .text:010018A0    dd offset _RGetServiceDisplayNameA@16   ; RGetServiceDisplayNameA(x,x,x,x)
    .text:010018A4    dd offset _RGetServiceKeyNameA@16       ; RGetServiceKeyNameA(x,x,x,x)

and many others which correspond to the names from advapi32.dll:

    .text:01005CE5 _ROpenServiceA@16 proc near
    .text:01005CE5 arg_0       = dword ptr  8
    .text:01005CE5 ServiceName = dword ptr  0Ch
    .text:01005CE5 arg_8       = dword ptr  10h
    .text:01005CE5 arg_C       = dword ptr  14h
    .text:01005CE5    mov     edi, edi
    .text:01005CE7    push    ebp
    .text:01005CE8    mov     ebp, esp
    .text:01005CEA    push    [ebp+ServiceName]           ; char *
    .text:01005CED    lea     eax, [ebp+ServiceName]
    .text:01005CF0    push    eax                         ; unsigned __int16 **
    .text:01005CF1    call    ?ScConvertToUnicode@@YGHPAPAGPBD@Z ; ScConvertToUnicode(ushort * *,char const *)
    .text:01005CF6    test    eax, eax
    .text:01005CF8    jz      loc_100E929
    .text:01005CFE    push    esi
    .text:01005CFF    push    [ebp+arg_C]                 ; int
    .text:01005D02    push    [ebp+arg_8]                 ; unsigned __int32
    .text:01005D05    push    [ebp+ServiceName]           ; ServiceName
    .text:01005D08    push    [ebp+arg_0]                 ; void *
    .text:01005D0B    call    _ROpenServiceW@16           ; ROpenServiceW(x,x,x,x)
    .text:01005D10    push    [ebp+ServiceName]           ; hMem
    .text:01005D13    mov     esi, eax
    .text:01005D15    call    ds:__imp__LocalFree@4       ; LocalFree(x)
    .text:01005D1B    mov     eax, esi
    .text:01005D1D    pop     esi
    .text:01005D1E
    .text:01005D1E loc_1005D1E:
    .text:01005D1E    pop     ebp
    .text:01005D1F    retn    10h
    .text:01005D1F _ROpenServiceA@16 endp

Now note the arguments passed to _ROpenServiceW. They are exactly the same as in the advapi32.dll call to _ROpenServiceA/W@16, which tells us that we have one good spot for hooking this code!!

    arg0 is the SCManager handle
    arg1 is the name of the service
    arg2 is the desired access
    arg3 is the handle to the opened service

You will do similar stuff for REnumServicesStatusW and REnumServicesStatusExW. Although I use the tool to hide SoftICE, you may use it for some other purpose...

NOTE: The first time, you have to be connected to the Internet, as the tool uses the symbol server, or C:\Symbols\, to parse services.pdb; this is required to find the functions in services.exe which are not exported but are only available in the pdb files...

(c) 2008 deroko of ARTeam
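The README above shows why a hook placed in the services.exe RPC handlers is so effective: every SCM client, from OpenService to EnumServicesStatusEx, travels advapi32 -> NdrClientCall2 -> services.exe, so one server-side hook changes the answer every client receives. The one thing such a hook does not touch is the store the SCM loads its configuration from, the registry. The following cross-view check is an added example written for this page, not part of deroko's tool or its sources; it assumes Windows PowerShell 5.1 running elevated on Windows, and the function names (Get-ScmVisibleServiceNames, Get-RegistryServiceNames, Find-ScmHiddenServices) are mine.

```powershell
# Added example, not part of the SoftIce_Service_Hider sources.
# Cross-view detection: compare what the SCM reports over RPC with what the
# registry configuration store holds. A hook inside services.exe filters the
# first view but has no effect on the second, so the difference is a list of
# candidates for services hidden at the SCM layer.
# Assumptions: Windows PowerShell 5.1, elevated so every service key is readable.

Add-Type -AssemblyName System.ServiceProcess

function Get-ScmVisibleServiceNames {
    # View 1: ask the SCM. Both calls end in advapi32 -> RPC -> services.exe,
    # i.e. exactly the path an ROpenServiceW / REnumServicesStatusW hook sits on.
    $win32   = [System.ServiceProcess.ServiceController]::GetServices()  # SERVICE_WIN32
    $drivers = [System.ServiceProcess.ServiceController]::GetDevices()   # SERVICE_DRIVER (SoftICE's driver is one)
    @($win32) + @($drivers) |
        ForEach-Object { $_.ServiceName.ToLowerInvariant() } |
        Sort-Object -Unique
}

function Get-RegistryServiceNames {
    # View 2: read the configuration store directly. Keep only keys whose Type
    # marks a kernel/filesystem driver (0x1, 0x2) or a Win32 service (0x10, 0x20).
    # Adapters (0x4), recognizers (0x8) and user-service templates (0x40) are
    # skipped because the SCM never enumerates them and they would be false hits.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $type = (Get-ItemProperty -Path $_.PSPath -Name Type -ErrorAction SilentlyContinue).Type
            if ($null -eq $type)            { return }   # not a service entry
            if (($type -band 0x40) -ne 0)   { return }   # user-service template
            if (($type -band 0x33) -eq 0)   { return }   # neither driver nor Win32 service
            $_.PSChildName.ToLowerInvariant()
        } |
        Sort-Object -Unique
}

function Find-ScmHiddenServices {
    $scm = Get-ScmVisibleServiceNames
    $reg = Get-RegistryServiceNames
    # Anything the registry knows about but the SCM will not report.
    $reg | Where-Object { $scm -notcontains $_ } | ForEach-Object {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$_"
        [pscustomobject]@{
            Name      = $_
            Type      = ('0x{0:X}' -f (Get-ItemProperty -Path $key -Name Type).Type)
            ImagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        }
    }
}

Find-ScmHiddenServices | Format-Table -AutoSize
```

Treat each row as a candidate for inspection rather than proof of tampering: a key left behind by an uninstaller until the next reboot shows up the same way, so compare the output against a baseline taken from a clean build of the same Windows version. The registry is a useful witness here precisely because services.exe reads it through ordinary registry APIs that the RPC-handler hook described above does not intercept; a hook that also filtered registry reads would call for a different second view, such as an offline copy of the SYSTEM hive.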
