CCRootkit-V0.1

Category: Driver programming
Development tool: Visual C++
File size: 503KB
Downloads: 94
Upload date: 2009-12-01 02:53:07
Uploader: ccvv22
Description: Most of what you find online requires Ring3 to send over the addresses that need patching... 002 locates and restores the SSDT directly using the most standard method and supports multi-core systems; there are also 003 (adds a shadow SSDT hook) and 004 (adds an inline hook). This is basically the most stable restore method available now. You can test it with KMDLoader: it unhooks as soon as it is loaded and needs no communication.

File list:
CCRootkit\RootkitSys\KillProcess.c (14220, 2008-08-05)
CCRootkit\RootkitSys\KillProcess.h (5633, 2008-08-05)
CCRootkit\RootkitSys\HideRegKey.h (1858, 2008-08-05)
CCRootkit\RootkitSys\NotifyRoutine.h (1395, 2008-08-05)
CCRootkit\RootkitSys\SysThread.h (825, 2008-08-05)
CCRootkit\RootkitSys\HideRegKey.c (5953, 2008-08-05)
CCRootkit\RootkitSys\NotifyRoutine.c (5727, 2008-08-05)
CCRootkit\RootkitSys\HideDriver.c (1219, 2008-08-05)
CCRootkit\RootkitSys\buildchk_wxp_x86.log (2581, 2008-08-05)
CCRootkit\RootkitSys\MAKEFILE (267, 1996-11-26)
CCRootkit\RootkitSys\HookSysCall.h (6749, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\_objects.mac (1718, 2008-08-04)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\SysThread.sys (3712, 2008-04-11)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\SysThread.pdb (84992, 2008-04-11)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\rootkit.obj (39929, 2008-05-09)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\hookshadowssdt.obj (38765, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\restoressdt.obj (22030, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\hookssdt.obj (40840, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\irpfile.obj (73136, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\hooksyscall.obj (12759, 2008-08-04)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\loadimagenotify.obj (41194, 2008-05-17)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\hidedriver.obj (35116, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\killprocess.obj (23107, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\systhread.obj (11070, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\hideregkey.obj (14076, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\notifyroutine.obj (11641, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\ccrootkit.obj (53199, 2008-08-05)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\rootkitdriver.obj (47308, 2008-08-04)
CCRootkit\RootkitSys\objchk_wxp_x86\i386\dkomhidedriver.obj (35138, 2008-08-04)
CCRootkit\RootkitSys\HideDriver.h (872, 2008-08-05)
CCRootkit\RootkitSys\SOURCES (323, 2008-08-04)
CCRootkit\RootkitSys\SysThread.c (2447, 2008-08-05)
CCRootkit\RootkitSys\buildfre_wxp_x86.log (2661, 2008-07-30)
CCRootkit\RootkitSys\objfre_wxp_x86\i386\loadimagenotify.obj (41286, 2008-05-15)
CCRootkit\RootkitSys\objfre_wxp_x86\i386\irpfile.obj (65997, 2008-07-30)
CCRootkit\RootkitSys\objfre_wxp_x86\i386\killprocess.obj (23114, 2008-07-30)
CCRootkit\RootkitSys\objfre_wxp_x86\i386\hooksyscall.obj (55952, 2008-07-30)
CCRootkit\RootkitSys\objfre_wxp_x86\i386\systhread.obj (9572, 2008-07-30)
CCRootkit\RootkitSys\objfre_wxp_x86\i386\hideregkey.obj (14026, 2008-07-30)
CCRootkit\RootkitSys\objfre_wxp_x86\i386\notifyroutine.obj (41248, 2008-07-30)
... ...

Title: Sharing a fairly complete ROOTKIT DEMO! It turns out a Shadow Hook is as easy as an SSDT Hook!
Author: embedlinux (E-mail: hqulyc@126.com QQ: 5054-3533)
Time: 2008-08-05
Link:

The rootkit written here is fairly simple (some of the code was rewritten after digesting other people's code); experts can skip it....... It contains the following (see the source code for details):

SSDT Hook

    //hook system call
    #define HOOK_SYSCALL(FuncName, pHookFunc, pOrigFunc ) \
        pOrigFunc = (PVOID)InterlockedExchange( \
            (PLONG)&MappedSystemCallTable[ SYSCALL_INDEX(FuncName) ], \
            (LONG)pHookFunc)

    //unhook system call
    #define UNHOOK_SYSCALL(FuncName, pHookFunc, pOrigFunc ) \
        InterlockedExchange( \
            (PLONG)&MappedSystemCallTable[ SYSCALL_INDEX(FuncName) ],\
            (LONG)pOrigFunc)

The SSDT hook covers the following functions:
ZwQueryValueKey
ZwEnumerateValueKey
ZwQueryDirectoryFile
ZwOpenProcess
ZwDeleteKey
ZwDeleteValueKey
ZwSaveKey
ZwLoadDriver
ZwSetSystemInformation
ZwTerminateProcess

Shadow Hook

Modelled on the SSDT hook, the two macros below make a Shadow Hook as simple as an SSDT Hook!

    //hook shadow system call
    #define HOOK_SHADOW_SYSCALL(SysCallIndex, pHookFunc, pOrigFunc ) \
        pOrigFunc = (PVOID)InterlockedExchange( \
            (PLONG)&MappedSystemCallTable[ (SysCallIndex) ], \
            (LONG)pHookFunc)

    //unhook shadow system call
    #define UNHOOK_SHADOW_SYSCALL(SysCallIndex, pHookFunc, pOrigFunc ) \
        InterlockedExchange( \
            (PLONG)&MappedSystemCallTable[ (SysCallIndex) ],\
            (LONG)pOrigFunc)

Last Monday I got a phone interview from Tencent; since I hadn't studied hooks for a while, I didn't answer well when asked about Shadow Hooks! Embarrassing! So I have now reorganized the Shadow Hook code!

The Shadow Hook covers the following functions; the program framework is fairly good, so it is easy to add newly hooked functions:
NtUserFindWindowEx
NtUserGetForegroundWindow
NtUserQueryWindow
NtUserBuildHwndList
NtUserWindowFromPoint
NtUserSetWindowsHookEx
NtUserGetDC
NtUserGetDCEx
NtUserSendInput

To protect a process, I studied methods of terminating processes
Windows kernel timers
Old-fashioned file/directory hiding
Registry key/value hiding
Driver hiding
System threads
IRP file operations
Multiple methods of loading a kernel-level rootkit
Restoring the SSDT from Ring3 (ZwSystemDebugControl)
Dropping files from resources
Remote process injection
Injecting a DLL via message hooks
Finding windows
Finding processes

Note: do not run the program casually; it is best run inside a virtual machine! This program is only for learning Windows kernel driver programming!

Add the following to the IO_STACK_LOCATION structure in your own ntddk.h, otherwise it will not compile:

    //Parameters for IRP_MJ_DIRECTORY_CONTROL
    struct {
        ULONG Length;
        PUNICODE_STRING FileName;
        FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
    } QueryDirectory;
