ADHD-0.0.8
Category: Driver programming
Development tool: C/C++
File size: 23KB
Downloads: 5
Upload date: 2012-12-17 10:10:15
Uploader: HoustinTrint
Description: ADHD stands for Another Debugger Hiding Driver. It is a driver for Windows XP that helps prevent debugger detection.
File list:
adhd.c (12949, 2006-09-28)
adhd.h (62, 2006-09-28)
librootkit.c (34776, 2006-09-28)
librootkit.h (9516, 2006-09-28)
MAKEFILE (35, 2006-09-28)
SOURCES (77, 2006-09-28)
sysdefs.h (15523, 2006-09-28)
ADHD - Another Debugger Hiding Driver
v0.0.8 - ToorCon 8 Release
ADHD is a rootkit that hooks a series of system calls in order to help
conceal the fact that you are using a debugger. It is built for WinXP SP2.
ADHD is hands-off. You load it and it's good to go. It provides the following
means of protection:
1. Resets PEB->BeingDebugged flag
This is used by IsDebuggerPresent() and CheckRemoteDebuggerPresent().
2. Hooks ZwQueryInformationProcess
Zeroes out DebugPort. This will prevent drwtsn32 from creating crash dumps of
processes, but otherwise debugger attaching and action is unaffected.
Checking for non-zero DebugPort is a common debugger detection technique.
3. Protects DbgUiRemoteBreakin and DbgBreakpoint from modification
Kakeeware's AntiDebug modifies these functions to detect debuggers.
4. Resets parent PID to explorer.exe
Useful for launching processes in the debugger if you don't want to attach to
them.
5. Blocks ZwSetInformationProcess(ThreadHideFromDebugger)
This system call allows a thread to "hide" from a debugger, which means that
the debugger will no longer receive exceptions from that thread. The thread is
still visible by the debugger, however, so the "hiding" term is misleading.
Since it is not possible to verify the status of this property, the rootkit
simply drops this request and returns STATUS_SUCCESS.
STUFF YOU MAY STILL NEED TO DO YOURSELF:
1. Exception re-delivery. This is handled by good userland debuggers.
IDA for example is particularly good about passing through breakpoint
exceptions for breakpoints you did not set.
2. Hide your debugger process with FUTo.
3. Obfuscate your debugger's title with an injected DLL
Win32k.sys functions exist, but are not always called. Most info is in shared
user segments.
The IDA plugin CLU does reset titles for you for IDA.
4. Software breakpoint scanning
For this, use ADHD in conjunction with Tron and CLU.
5. Wall clock time.
This is not really possible to do from the kernel. Windows uses a shared segment in
the PEB for time. Also, spoofing will be specific to the application.
Try scripting timed areas of your debugging session.
Stacking ADHD with Tron
ADHD CAN be stacked with Tron. You should insert them as a stack, for example:
DrvrLdr -l adhd.sys
DrvrLdr -l infodisc.sys
DrvrLdr -u infodisc.sys
DrvrLdr -u adhd.sys
Failure to use LIFO order WILL cause a BSOD. The ordering itself should not
matter so long as it is LIFO (i.e. like a stack).