vice
Category: Hooks and API interception
Development tool: Visual C++
File size: 66KB
Downloads: 26
Upload date: 2009-05-02 13:39:22
Uploader: yuanxiaohui
Description: Finds the various kinds of system hooks, including IAT hooks, SSDT hooks and related ones.
(VICE is a tool to find hooks.
Features include:
1. Looks for people hooking IATs.
2. Looks for people hooking functions in-line, aka detouring.
3. Looks for hooks in the System Call Table. Thanks to Tan, perhaps it will fix the table in the future.
4. Looks for detour hooks in the System Call Table functions themselves.
5. Looks for people hooking the IRP_MJ table in drivers. This is configurable by driver.ini.)
File list:
EXE\driver.ini (52, 2004-07-09)
EXE\ViceConsole.exe (159744, 2004-07-09)
EXE\VICESYS.sys (5632, 2004-08-16)
EXE (0, 2004-07-09)
VICE 2.0
Copyright April 2004 HBGary
Author: Jamie Butler or
VICE is a program that identifies hooks in API calls, functions, and
function pointer tables. It has a user-mode portion and a kernel-mode
portion. Usually anything it detects in the kernel is either a rootkit or
third-party software that uses "rootkit techniques". Third-party products
that VICE may detect in the kernel include personal firewalls and
Host-Based Intrusion Prevention Systems (HIPS) such as ZoneAlarm, Cisco
Security Agent, or Blink.
Before you can begin, VICE requires the Microsoft .NET Framework for
the GUI. You can download this for free from Microsoft.
As mentioned above, not all hooks are rootkits. Even some Microsoft DLLs
hook other DLLs much as a rootkit would. Below is a list of known DLLs
that hook but are not necessarily malicious. VICE cannot say with
complete confidence that these DLLs are not trojans, because a malicious
program could give itself the name of a legitimate Microsoft DLL.
1. setupapi.dll
2. mswsock.dll
3. sfc_os.dll
4. adsldpc.dll
5. advapi32.dll
6. secur32.dll
7. ws2_32.dll
8. iphlpapi.dll
9. ntdll.dll
10. kernel32.dll
11. user32.dll
12. gdi32.dll
The DLLs listed above do hook, but are probably fine.
FALSE POSITIVES
Any time a DLL or the kernel is reported as hooked by itself, this is a
false positive. For example, if TAPI32.dll is reported as hooked by
TAPI32.dll, that is a false positive.
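The two checks behind the feature list above (pointer-table entries that leave their owning module, and in-line detours in a function prologue), together with the "hooked by itself" rule from the FALSE POSITIVES section, as an added example in plain C. This is not VICE's code and not HBGary's: it runs over constructed byte strings and a hypothetical 32-bit memory layout (ntoskrnl.exe base, SSDT fragment, prologue bytes and the addresses they jump to are all made up), and every function name is mine. It assumes 32-bit x86 encodings, which is what VICE 2.0 targeted in 2004; on x64 the FF 25 form is RIP-relative and would need a different decoder.

```c
/*
 * Added example, not part of VICE: the two checks the README describes,
 * implemented over constructed data so it runs offline.
 *  (a) function-pointer tables (SSDT, driver IRP_MJ table, IAT): an entry
 *      pointing outside the image of the module that should own it is suspect;
 *  (b) inline detours: the function's first bytes were replaced by an
 *      unconditional transfer (E9 rel32, FF 25 [abs32], or 68 imm32 / C3)
 *      whose target is outside the owning module.
 * 32-bit x86 addressing is assumed throughout (the XP-era targets of VICE 2.0);
 * all names, addresses and byte strings below are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { const char *name; uint32_t base; uint32_t size; } image_range;

/* 1 if addr lies in [base, base+size); unsigned subtraction avoids overflow. */
static int in_image(const image_range *img, uint32_t addr) {
    return addr >= img->base && addr - img->base < img->size;
}

/* (a) Count entries of a pointer table outside 'owner'; first_hooked gets the
 * index of the first suspect entry, or -1. Same logic for SSDT, IRP_MJ, IAT. */
size_t scan_pointer_table(const uint32_t *table, size_t count,
                          const image_range *owner, int *first_hooked) {
    size_t n = 0;
    *first_hooked = -1;
    for (size_t i = 0; i < count; i++) {
        if (in_image(owner, table[i])) continue;
        if (*first_hooked < 0) *first_hooked = (int)i;
        n++;
    }
    return n;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

typedef enum { DETOUR_NONE, DETOUR_JMP_REL32, DETOUR_JMP_IND32, DETOUR_PUSH_RET } detour_kind;
/* Callback used to dereference the FF 25 slot; a real tool reads target memory. */
typedef uint32_t (*mem_reader)(uint32_t addr);

/* (b) Decode the first instruction of a prologue located at virtual address va. */
detour_kind decode_detour(const uint8_t *code, size_t len, uint32_t va,
                          mem_reader read_mem, uint32_t *target) {
    if (len >= 5 && code[0] == 0xE9) {                    /* JMP rel32 */
        *target = va + 5 + rd32(code + 1);                /* relative to next insn, mod 2^32 */
        return DETOUR_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) { /* JMP DWORD PTR [abs32] */
        *target = read_mem(rd32(code + 2));
        return DETOUR_JMP_IND32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* PUSH imm32 ; RET */
        *target = rd32(code + 1);
        return DETOUR_PUSH_RET;
    }
    return DETOUR_NONE;
}

/* 1 if the prologue is a transfer that leaves 'owner'. A jump that stays inside
 * the module (hot-patch stub, a module "hooking itself") is not reported, which
 * is the README's false-positive rule. */
int is_detoured(const uint8_t *code, size_t len, uint32_t va,
                const image_range *owner, mem_reader read_mem) {
    uint32_t target = 0;
    if (decode_detour(code, len, va, read_mem, &target) == DETOUR_NONE) return 0;
    return !in_image(owner, target);
}

/* ---- constructed sample data (hypothetical layout) ---- */
static const image_range ntoskrnl = { "ntoskrnl.exe", 0x804D7000u, 0x001F0000u };
/* SSDT fragment: entry 2 redirected to an address owned by no legitimate image. */
static const uint32_t sample_ssdt[] = { 0x805A1234u, 0x805B5678u, 0xF8A11000u, 0x80601000u };
/* Memory for the FF 25 case: slot 0x80500000 holds a pointer to the hook. */
static uint32_t fake_read(uint32_t addr) { return addr == 0x80500000u ? 0xF8A12000u : 0u; }

/* Five constructed prologues, all imagined at va 0x805A1234 inside ntoskrnl. */
static const uint8_t prologues[5][6] = {
    { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x00 }, /* 0: mov edi,edi; push ebp; mov ebp,esp (clean) */
    { 0xE9, 0xC7, 0xFD, 0x46, 0x78, 0x00 }, /* 1: jmp rel32 -> 0xF8A11000 (detoured) */
    { 0xE9, 0xC7, 0x00, 0x00, 0x00, 0x00 }, /* 2: jmp rel32 -> 0x805A1300, stays in ntoskrnl */
    { 0xFF, 0x25, 0x00, 0x00, 0x50, 0x80 }, /* 3: jmp [0x80500000] -> 0xF8A12000 (detoured) */
    { 0x68, 0x00, 0x20, 0xA1, 0xF8, 0xC3 }, /* 4: push 0xF8A12000 ; ret (detoured) */
};
static const size_t prologue_len[5] = { 5, 5, 5, 6, 6 };

size_t sample_ssdt_hook_count(void) { int f; return scan_pointer_table(sample_ssdt, 4, &ntoskrnl, &f); }
int    sample_ssdt_first_hook(void) { int f; scan_pointer_table(sample_ssdt, 4, &ntoskrnl, &f); return f; }
int    sample_is_detoured(int which) {
    return is_detoured(prologues[which], prologue_len[which], 0x805A1234u, &ntoskrnl, fake_read);
}

int main(void) {
    printf("SSDT: %zu suspect entries, first at index %d\n",
           sample_ssdt_hook_count(), sample_ssdt_first_hook());
    for (int i = 0; i < 5; i++)
        printf("prologue %d: %s\n", i, sample_is_detoured(i) ? "DETOURED" : "ok");
    return 0;
}
```

The range check is the same for every table VICE lists; what changes is which module is the legitimate owner (ntoskrnl.exe for the SSDT, the driver image for its IRP_MJ table, the exporting DLL for each IAT slot). Prologue 2 shows why the owner test matters: it is a real jump, but it stays inside the module, so it is reported as nothing, exactly as the README says a module "hooked by itself" should be.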
FALSE NEGATIVES
VICE may not find all rootkits. Some rootkits do not hook at all; these
usually use a layered approach in the kernel or modify kernel memory
directly, as the FU rootkit does.
Error: Overlapped I/O operation is in progress.
This occurs when you install the driver in one location and then move it
later: the service entry created at install time records the driver's
original path. VICE is meant to run with the README, ini file, driver,
and program all in the same directory. If you move VICE on the filesystem,
delete this registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vicesys
and reboot the machine. As long as all of VICE's files are in the same
directory, it should then work again.