ADHD-0.0.8

Category: Driver programming
Development tool: C/C++
File size: 23KB
Downloads: 5
Upload date: 2012-12-17 10:10:15
Uploader: HoustinTrint
Description: ADHD stands for Another Debugger Hiding Driver. It is a driver for Windows XP that helps prevent debugger detection.

File list:
adhd.c (12949, 2006-09-28)
adhd.h (62, 2006-09-28)
librootkit.c (34776, 2006-09-28)
librootkit.h (9516, 2006-09-28)
MAKEFILE (35, 2006-09-28)
SOURCES (77, 2006-09-28)
sysdefs.h (15523, 2006-09-28)

ADHD - Another Debugger Hiding Driver v0.0.8 - ToorCon 8 Release

ADHD is a rootkit that hooks a series of system calls in order to help conceal the fact that you are using a debugger. It is built for WinXP SP2. ADHD is hands-off: you load it and it's good to go.

It provides the following means of protection:

1. Resets the PEB->BeingDebugged flag
   This is the flag IsDebuggerPresent() reads. CheckRemoteDebuggerPresent() instead asks the kernel for the process's DebugPort, which item 2 covers.

2. Hooks ZwQueryInformationProcess
   Zeroes out DebugPort in the ProcessDebugPort result. This will prevent drwtsn32 from creating crash dumps of processes, but otherwise debugger attaching and action is unaffected. Checking for a non-zero DebugPort is a common debugger detection technique.

3. Protects DbgUiRemoteBreakin and DbgBreakPoint from modification
   Kakeeware's AntiDebug modifies these functions to detect debuggers.

4. Resets the parent PID to explorer.exe
   Useful for launching processes from the debugger if you don't want to attach to them: a process started that way would otherwise report the debugger as its parent.

5. Blocks ThreadHideFromDebugger (the ZwSetInformationThread information class)
   This class allows a thread to "hide" from a debugger, which means that the debugger will no longer receive exceptions from that thread. The thread is still visible to the debugger, however, so the term "hiding" is misleading. Since it is not possible to verify the status of this property, the rootkit simply drops the request and returns STATUS_SUCCESS.

STUFF YOU MAY STILL NEED TO DO YOURSELF:

1. Exception re-delivery
   This is handled by good userland debuggers. IDA, for example, is particularly good about passing through breakpoint exceptions for breakpoints you did not set.

2. Hide your debugger process with FUTo.

3. Obfuscate your debugger's window title with an injected DLL
   Win32k.sys functions exist for this, but they are not always called; most of the information lives in shared user segments. The IDA plugin CLU resets titles for you for IDA.

4. Software breakpoint scanning
   For this, use ADHD in conjunction with Tron and CLU.

5. Wall clock time
   This is not really possible to do from the kernel: Windows publishes the system time and tick count in a page shared read-only with every user-mode process (KUSER_SHARED_DATA), so timing calls such as GetTickCount() read it without a system call that a hook could intercept, and RDTSC never enters the kernel at all. Spoofing will also be specific to the application. Try scripting the timed areas of your debugging session instead.

Stacking ADHD with Tron

ADHD CAN be stacked with Tron. Load and unload them as a stack, for example:

  DrvrLdr -l adhd.sys
  DrvrLdr -l infodisc.sys
  DrvrLdr -u infodisc.sys
  DrvrLdr -u adhd.sys

Failure to unload in LIFO order WILL cause a BSOD: at unload each driver restores the system call pointer it saved at load time, so if the lower driver is unloaded first, the upper driver will later reinstall a pointer into an image that is no longer mapped. The ordering itself should not matter so long as it is LIFO (i.e. like a stack).
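The ZwQueryInformationProcess scrubbing, the ThreadHideFromDebugger drop and the LIFO unload rule above, as an added model written for this page; it is not ADHD's own source. The SSDT is stood in for by two function-pointer slots, Tron's infodisc.sys by a constructed pass-through hook, the kernel by routines that report a debugger as attached, and the bugcheck by a STATUS_ACCESS_VIOLATION return; the DebugPort value and the "+a+i-i-a" session strings are made up. It builds and runs as ordinary user-mode C.

```c
/* User-mode model of ADHD's SSDT hooks and of DrvrLdr stacking (added example, not ADHD's
 * source). The DebugPort value and the "infodisc" pass-through hook are made up. */
#include <stdint.h>
#include <string.h>
typedef long NTSTATUS;
typedef uintptr_t HANDLE;
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003)
#define STATUS_ACCESS_VIOLATION   ((NTSTATUS)0xC0000005)   /* stands in for the BSOD */
#define ProcessDebugPort          7
#define ThreadHideFromDebugger    0x11
/* Both hooked services take (handle, class, buffer, length); model them as one slot type. */
typedef NTSTATUS (*Svc)(HANDLE, int, void *, unsigned long);
enum { QUERY_PROCESS_SLOT, SET_THREAD_SLOT, NSLOTS };       /* ZwQueryInformationProcess, ZwSetInformationThread */

/* Stand-ins for the kernel's real service routines while a debugger is attached. */
static unsigned kernel_hidden_threads;     /* hide requests that actually reached the kernel */
static NTSTATUS real_query(HANDLE p, int cls, void *buf, unsigned long len) {
    (void)p;
    if (cls != ProcessDebugPort || len < sizeof(uintptr_t)) return STATUS_INVALID_INFO_CLASS;
    *(uintptr_t *)buf = 0x8123abcdu;                        /* non-zero: a debug port object exists */
    return STATUS_SUCCESS;
}
static NTSTATUS real_set_thread(HANDLE t, int cls, void *buf, unsigned long len) {
    (void)t; (void)buf; (void)len;
    if (cls == ThreadHideFromDebugger) kernel_hidden_threads++;
    return STATUS_SUCCESS;
}
static const Svc real[NSLOTS] = { real_query, real_set_thread };
static Svc ssdt[NSLOTS]       = { real_query, real_set_thread };   /* the patched SSDT slots */

/* A hooking driver saves each slot it patches at load and restores it at unload. */
typedef struct { Svc hook[NSLOTS], saved[NSLOTS]; int loaded; } Driver;
static NTSTATUS adhd_query(HANDLE, int, void *, unsigned long);
static NTSTATUS adhd_set_thread(HANDLE, int, void *, unsigned long);
static NTSTATUS infodisc_query(HANDLE, int, void *, unsigned long);
static Driver adhd     = { { adhd_query, adhd_set_thread }, { 0 }, 0 };
static Driver infodisc = { { infodisc_query, NULL },        { 0 }, 0 };

/* ADHD's hooks: call through and scrub the result, or drop the request and claim success. */
static NTSTATUS adhd_query(HANDLE p, int cls, void *buf, unsigned long len) {
    NTSTATUS st = adhd.saved[QUERY_PROCESS_SLOT](p, cls, buf, len);
    if (st == STATUS_SUCCESS && cls == ProcessDebugPort && len >= sizeof(uintptr_t))
        *(uintptr_t *)buf = 0;                              /* "no debugger attached" */
    return st;
}
static NTSTATUS adhd_set_thread(HANDLE t, int cls, void *buf, unsigned long len) {
    if (cls == ThreadHideFromDebugger) return STATUS_SUCCESS; /* never forwarded to the kernel */
    return adhd.saved[SET_THREAD_SLOT](t, cls, buf, len);
}
static NTSTATUS infodisc_query(HANDLE p, int cls, void *buf, unsigned long len) {
    return infodisc.saved[QUERY_PROCESS_SLOT](p, cls, buf, len);   /* constructed pass-through */
}
static void drvrldr_load(Driver *d) {
    for (int s = 0; s < NSLOTS; s++)
        if (d->hook[s]) { d->saved[s] = ssdt[s]; ssdt[s] = d->hook[s]; }
    d->loaded = 1;
}
static void drvrldr_unload(Driver *d) {                     /* restores whatever it saved */
    for (int s = 0; s < NSLOTS; s++)
        if (d->hook[s]) ssdt[s] = d->saved[s];
    d->loaded = 0;
}
/* Call a slot as user mode would, first walking the chain the call will take: a hop into
 * an unloaded driver's image is a bugcheck on real hardware and a fault status here. */
static NTSTATUS call_slot(int s, int cls, void *buf, unsigned long len) {
    Driver *all[] = { &adhd, &infodisc };
    for (Svc fn = ssdt[s]; fn != real[s];) {
        int i = 0;
        while (i < 2 && all[i]->hook[s] != fn) i++;
        if (i == 2 || !all[i]->loaded) return STATUS_ACCESS_VIOLATION;
        fn = all[i]->saved[s];
    }
    return ssdt[s](0, cls, buf, len);
}

/* What a user-mode anti-debug check observes against the current slot state. */
uintptr_t observed_debug_port(void) {
    uintptr_t port = 0;
    NTSTATUS st = call_slot(QUERY_PROCESS_SLOT, ProcessDebugPort, &port, sizeof port);
    return st == STATUS_SUCCESS ? port : (uintptr_t)-1;
}
NTSTATUS request_hide_from_debugger(void) { return call_slot(SET_THREAD_SLOT, ThreadHideFromDebugger, NULL, 0); }
unsigned threads_hidden_in_kernel(void) { return kernel_hidden_threads; }

/* Replay a DrvrLdr session from a clean state ("+a+i-i-a" = load adhd, load infodisc, unload
 * infodisc, unload adhd) and return the status of a DebugPort query issued afterwards. */
NTSTATUS replay_session(const char *ops) {
    memcpy(ssdt, real, sizeof ssdt);
    adhd.loaded = infodisc.loaded = 0;  kernel_hidden_threads = 0;
    for (; ops[0] && ops[1]; ops += 2) {
        Driver *d = ops[1] == 'a' ? &adhd : &infodisc;
        if (ops[0] == '+') drvrldr_load(d); else drvrldr_unload(d);
    }
    uintptr_t port;
    return call_slot(QUERY_PROCESS_SLOT, ProcessDebugPort, &port, sizeof port);
}
```

With adhd loaded, observed_debug_port() reads 0 and request_hide_from_debugger() returns STATUS_SUCCESS while threads_hidden_in_kernel() stays at 0, which is exactly the behaviour items 2 and 5 describe. replay_session("+a+i-i-a") returns STATUS_SUCCESS, whereas replay_session("+a+i-a-i") returns the fault status: after adhd.sys is unloaded first, infodisc.sys still holds adhd's hook as its saved pointer and reinstalls it on its own unload, which is the mechanism behind the README's LIFO rule.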
