【专题四】Rootkit的学习与研究

Rootkit 内核 HOOK 钩子

D:. │ Read me.txt │ 目录里面的文件.txt │ └─Rootkit ├─1。内核hook │ ├─1）object hook │ │ 1）object hook.doc │ │ │ ├─2）ssdt hook │ │ 2）ssdt hook.doc │ │ SSDT Hook的妙用－对抗ring0 inline hook .doc │ │ swk0207.rar │ │ │ ├─3）inline-hook │ │ 360SuperKill学习之--恢复FSD的IRP处理函数.doc │ │ 3）inline-hook.doc │ │ cnnic.rar │ │ ExpLookupHandleTableEntry.rar │ │ ExpLookupHandleTableEntry2.rar │ │ kill_SecuritySoftware.rar │ │ PsLookupProcessByProcessId执行流程学习笔记.doc │ │ 句柄啊，3层表啊，ExpLookupHandleTableEntry啊.doc │ │ 干掉KV 2008, Rising等大部分杀软.doc │ │ 搜索未导出的函数地址.doc │ │ │ ├─4）idt hook │ │ bhwin_keysniff.rar │ │ IDT Hook .doc │ │ │ ├─5）IRP hook │ │ 5）IRP hook.doc │ │ irphook1.rar │ │ irphook2.rar │ │ irphook3.rar │ │ │ ├─6）SYSENTER hook │ │ 6）SYSENTER hook.doc │ │ SysEnterHook.rar │ │ │ ├─7）IAT HOOK │ │ 7）IAT HOOK.doc │ │ HybridHook.rar │ │ testtest.rar │ │ │ └─8）EAT HOOK │ 8）EAT HOOK.doc │ 利用导出表来禁止一些驱动程序的加载.doc │ 导出表钩子.rar │ ├─2。保护模式篇章第一部分： ring3进ring0之门 │ ├─1)通过调用门访问内核 │ │ 1)通过调用门访问内核.doc │ │ myCallGate.rar │ │ test.rar │ │ │ ├─2)通过中断门访问内核 │ │ 2)通过中断门访问内核.doc │ │ myIntGate.rar │ │ │ ├─3)通过任务门访问内核 │ │ 3)通过任务门访问内核.doc │ │ MyTaskGate.rar │ │ │ └─4)通过陷阱门访问内核 │ 4)通过陷阱门访问内核.doc │ exe.rar │ src.rar │ ├─3。保护模式篇章第二部分：windows分页机制 │ 1）windows分页机制.doc │ ├─4。保护模式篇章第三部分：直接访问硬件 │ ├─1）修改iopl，ring3直接访问硬件 │ │ 1）修改iopl，ring3直接访问硬件.doc │ │ drv.rar │ │ exe.rar │ │ │ ├─2）追加tss默认IO许可位图区域 │ │ 2）追加tss默认IO许可位图区域.doc │ │ drv.rar │ │ │ └─3）更改tss IO许可位图指向 │ 3）更改tss IO许可位图指向.doc │ modifyiopmbase.rar │ porttalk.rar │ ├─5。detour 修改函数执行路径，可用于对函数的控制流程进行重定路径。 │ └─1）detour补丁 │ 1）detour补丁.doc │ Inline HOOK SeSinglePrivilegeCheck.rar │ ├─6. 隐身术 │ ├─1）文件隐藏 │ │ 1）文件隐藏.doc │ │ │ ├─2）进程隐藏 │ │ 2）进程隐藏.doc │ │ │ ├─3）注册表键值隐藏 │ │ 3）注册表键值隐藏.doc │ │ BypassRegMon.rar │ │ BypassRegMon2[1].idb.rar │ │ BypassRegMon_src.rar │ │ drv.rar │ │ HIVE文件读写.rar │ │ HIVE格式.rar │ │ HIVE格式解析.doc │ │ 注册表监控弱点演示程序 v0.2 逆向ASM源码及相关资料.doc │ │ │ ├─4）驱动隐藏 │ │ 4）驱动隐藏.doc │ │ │ ├─5）进程中dll模块隐藏 │ │ 5）进程中dll模块隐藏.doc │ │ │ ├─6）更绝的隐藏进程中的dll模块，绕过IceSword的检测 │ │ 6）更绝的隐藏进程中的dll模块，绕过IceSword的检测.doc │ │ │ └─7）端口隐藏 │ 7）端口隐藏.doc │ ├─7。ring0中调用ring3程序 │ ├─1) apc方式 │ │ 1) apc方式 .doc │ │ KernelExec.rar │ │ │ └─2) deviceiocontrol 方式 ├─8。进程线程监控 │ ├─1）监控进程创建 │ │ 1）监控进程创建.doc │ │ protect.rar │ │ │ ├─2）杀线程 │ │ 2）杀线程.doc │ │ │ └─3）保护进程和屏蔽文件执行 │ 3）保护进程和屏蔽文件执行 .doc │ sysnap.rar │ └─9。其他 ├─10）另一种读写进程内存空间的方法 │ 10）另一种读写进程内存空间的方法.doc │ ├─11）完整驱动感染代码 │ 11）完整驱动感染代码.doc │ 驱动感染成功[1].V 1.0.080528_sudami.rar │ ├─12）Hook Shadow SSDT │ 12）Hook Shadow SSDT.doc │ HookShadowSSDT.rar │ ├─13）ring0检测隐藏进程 │ 13）ring0检测隐藏进程.doc │ Ring0下搜索内存枚举隐藏进程.doc │ ├─1）获取ntoskrnl.exe模块地址的几种办法 │ 1）获取ntoskrnl.exe模块地址的几种办法.doc │ ├─2）驱动感染技术扫盲 │ 2）驱动感染技术扫盲.doc │ InfectDriver.rar │ ├─3）shadow ssdt学习笔记 │ 3）shadow ssdt学习笔记.doc │ ├─4）高手进阶windows内核定时器之一 │ 4）高手进阶windows内核定时器之一.doc │ WorkItem.rar │ ├─5）高手进阶windows内核定时器之二 │ 5）高手进阶windows内核定时器之二.doc │ TimerWorks.rar │ ├─6）运行期修改可执行文件的路径和Command Line │ 6）运行期修改可执行文件的路径和Command Line.doc │ ImgPathChanger.rar │ ├─7）查找隐藏驱动 │ 7）查找隐藏驱动.doc │ ├─8）装载驱动的几种办法 │ 8内核模式下装载驱动和原生态应用程序.pdf │ 8）装载驱动的几种办法.doc │ Loading drivers and Native applications from kernel mode, withou t touching registry.rar │ └─9）内核中注入dll的一种流氓方法 9）内核中注入dll的一种流氓方法.doc Apc.rar

文件下载

资源详情

[{"title":"（ 96 个子文件 5.8MB ）【专题四】Rootkit的学习与研究","children":[{"title":"【专题四】Rootkit的学习与研究","children":[{"title":"Read me.txt 2.34KB ","children":null,"spread":false},{"title":"Rootkit","children":[{"title":"6. 隐身术","children":[{"title":"1）文件隐藏","children":[{"title":"1）文件隐藏.doc 45.50KB ","children":null,"spread":false}],"spread":true},{"title":"2）进程隐藏","children":[{"title":"2）进程隐藏.doc 48.00KB ","children":null,"spread":false}],"spread":true},{"title":"3）注册表键值隐藏","children":[{"title":"BypassRegMon_src.rar 52.54KB ","children":null,"spread":false},{"title":"HIVE格式解析.doc 48.00KB ","children":null,"spread":false},{"title":"HIVE文件读写.rar 155.66KB ","children":null,"spread":false},{"title":"drv.rar 35.25KB ","children":null,"spread":false},{"title":"BypassRegMon2[1].idb.rar 54.62KB ","children":null,"spread":false},{"title":"HIVE格式.rar 8.01KB ","children":null,"spread":false},{"title":"注册表监控弱点演示程序 v0.2 逆向ASM源码及相关资料.doc 116.50KB ","children":null,"spread":false},{"title":"3）注册表键值隐藏.doc 189.50KB ","children":null,"spread":false},{"title":"BypassRegMon.rar 14.23KB ","children":null,"spread":false}],"spread":true},{"title":"4）驱动隐藏","children":[{"title":"4）驱动隐藏.doc 10.50KB ","children":null,"spread":false}],"spread":true},{"title":"6）更绝的隐藏进程中的dll模块，绕过IceSword的检测","children":[{"title":"6）更绝的隐藏进程中的dll模块，绕过IceSword的检测.doc 231.00KB ","children":null,"spread":false}],"spread":true},{"title":"5）进程中dll模块隐藏","children":[{"title":"5）进程中dll模块隐藏.doc 31.00KB ","children":null,"spread":false}],"spread":true},{"title":"7）端口隐藏","children":[{"title":"7）端口隐藏.doc 10.50KB ","children":null,"spread":false}],"spread":true}],"spread":true},{"title":"8。进程线程监控","children":[{"title":"1）监控进程创建","children":[{"title":"1）监控进程创建.doc 30.50KB ","children":null,"spread":false},{"title":"protect.rar 16.22KB ","children":null,"spread":false}],"spread":true},{"title":"2）杀线程","children":[{"title":"2）杀线程.doc 23.50KB ","children":null,"spread":false}],"spread":true},{"title":"3）保护进程和屏蔽文件执行","children":[{"title":"sysnap.rar 2.92KB ","children":null,"spread":false},{"title":"3）保护进程和屏蔽文件执行 .doc 132.00KB ","children":null,"spread":false}],"spread":true}],"spread":true},{"title":"1。内核hook","children":[{"title":"7）IAT HOOK","children":[{"title":"HybridHook.rar 88.50KB ","children":null,"spread":false},{"title":"7）IAT HOOK.doc 50.00KB ","children":null,"spread":false},{"title":"testtest.rar 13.42KB ","children":null,"spread":false}],"spread":true},{"title":"5）IRP hook","children":[{"title":"5）IRP hook.doc 68.00KB ","children":null,"spread":false},{"title":"irphook2.rar 83.03KB ","children":null,"spread":false},{"title":"irphook3.rar 506.81KB ","children":null,"spread":false},{"title":"irphook1.rar 33.43KB ","children":null,"spread":false}],"spread":true},{"title":"6）SYSENTER hook","children":[{"title":"6）SYSENTER hook.doc 62.00KB ","children":null,"spread":false},{"title":"SysEnterHook.rar 973B ","children":null,"spread":false}],"spread":true},{"title":"1）object hook","children":[{"title":"1）object hook.doc 62.50KB ","children":null,"spread":false}],"spread":true},{"title":"2）ssdt hook","children":[{"title":"2）ssdt hook.doc 51.00KB ","children":null,"spread":false},{"title":"SSDT Hook的妙用－对抗ring0 inline hook .doc 33.00KB ","children":null,"spread":false},{"title":"swk0207.rar 5.21KB ","children":null,"spread":false}],"spread":true},{"title":"4）idt hook","children":[{"title":"bhwin_keysniff.rar 2.90KB ","children":null,"spread":false},{"title":"IDT Hook .doc 218.50KB ","children":null,"spread":false}],"spread":true},{"title":"3）inline-hook","children":[{"title":"cnnic.rar 505.84KB ","children":null,"spread":false},{"title":"PsLookupProcessByProcessId执行流程学习笔记.doc 122.00KB ","children":null,"spread":false},{"title":"干掉KV 2008, Rising等大部分杀软.doc 93.50KB ","children":null,"spread":false},{"title":"句柄啊，3层表啊，ExpLookupHandleTableEntry啊.doc 58.00KB ","children":null,"spread":false},{"title":"ExpLookupHandleTableEntry.rar 400.50KB ","children":null,"spread":false},{"title":"搜索未导出的函数地址.doc 117.00KB ","children":null,"spread":false},{"title":"3）inline-hook.doc 36.00KB ","children":null,"spread":false},{"title":"ExpLookupHandleTableEntry2.rar 400.50KB ","children":null,"spread":false},{"title":"360SuperKill学习之--恢复FSD的IRP处理函数.doc 62.50KB ","children":null,"spread":false},{"title":"kill_SecuritySoftware.rar 80.23KB ","children":null,"spread":false}],"spread":true},{"title":"8）EAT HOOK","children":[{"title":"利用导出表来禁止一些驱动程序的加载.doc 57.50KB ","children":null,"spread":false},{"title":"8）EAT HOOK.doc 113.50KB ","children":null,"spread":false},{"title":"导出表钩子.rar 157.88KB ","children":null,"spread":false}],"spread":true}],"spread":true},{"title":"2。保护模式篇章第一部分： ring3进ring0之门","children":[{"title":"1)通过调用门访问内核","children":[{"title":"1)通过调用门访问内核.doc 74.00KB ","children":null,"spread":false},{"title":"test.rar 4.58KB ","children":null,"spread":false},{"title":"myCallGate.rar 3.30KB ","children":null,"spread":false}],"spread":true},{"title":"3)通过任务门访问内核","children":[{"title":"MyTaskGate.rar 3.59KB ","children":null,"spread":false},{"title":"3)通过任务门访问内核.doc 191.50KB ","children":null,"spread":false}],"spread":true},{"title":"4)通过陷阱门访问内核","children":[{"title":"exe.rar 6.31KB ","children":null,"spread":false},{"title":"4)通过陷阱门访问内核.doc 86.00KB ","children":null,"spread":false},{"title":"src.rar 6.49KB ","children":null,"spread":false}],"spread":true},{"title":"2)通过中断门访问内核","children":[{"title":"2)通过中断门访问内核.doc 90.50KB ","children":null,"spread":false},{"title":"myIntGate.rar 11.29KB ","children":null,"spread":false}],"spread":true}],"spread":true},{"title":"4。保护模式篇章第三部分：直接访问硬件","children":[{"title":"2）追加tss默认IO许可位图区域","children":[{"title":"2）追加tss默认IO许可位图区域.doc 32.00KB ","children":null,"spread":false},{"title":"drv.rar 1.85KB ","children":null,"spread":false}],"spread":true},{"title":"3）更改tss IO许可位图指向","children":[{"title":"3）更改tss IO许可位图指向.doc 50.00KB ","children":null,"spread":false},{"title":"porttalk.rar 24.79KB ","children":null,"spread":false},{"title":"modifyiopmbase.rar 10.53KB ","children":null,"spread":false}],"spread":true},{"title":"1）修改iopl，ring3直接访问硬件","children":[{"title":"exe.rar 6.70KB ","children":null,"spread":false},{"title":"1）修改iopl，ring3直接访问硬件.doc 54.50KB ","children":null,"spread":false},{"title":"drv.rar 1.49KB ","children":null,"spread":false}],"spread":true}],"spread":true},{"title":"7。ring0中调用ring3程序","children":[{"title":"1) apc方式","children":[{"title":"1) apc方式 .doc 36.00KB ","children":null,"spread":false},{"title":"KernelExec.rar 48.55KB ","children":null,"spread":false}],"spread":true},{"title":"2) deviceiocontrol 方式","children":null,"spread":false}],"spread":true},{"title":"3。保护模式篇章第二部分：windows分页机制","children":[{"title":"1）windows分页机制.doc 367.50KB ","children":null,"spread":false}],"spread":true},{"title":"5。detour 修改函数执行路径，可用于对函数的控制流程进行重定路径。","children":[{"title":"1）detour补丁","children":[{"title":"1）detour补丁.doc 61.00KB ","children":null,"spread":false},{"title":"Inline HOOK SeSinglePrivilegeCheck.rar 17.32KB ","children":null,"spread":false}],"spread":true}],"spread":true},{"title":"9。其他","children":[{"title":"1）获取ntoskrnl.exe模块地址的几种办法","children":[{"title":"1）获取ntoskrnl.exe模块地址的几种办法.doc 62.00KB ","children":null,"spread":false}],"spread":true},{"title":"6）运行期修改可执行文件的路径和Command Line","children":[{"title":"ImgPathChanger.rar 335.54KB ","children":null,"spread":false},{"title":"6）运行期修改可执行文件的路径和Command Line.doc 25.50KB ","children":null,"spread":false}],"spread":true},{"title":"11）完整驱动感染代码","children":[{"title":"驱动感染成功[1].V 1.0.080528_sudami.rar 200.19KB ","children":null,"spread":false},{"title":"11）完整驱动感染代码.doc 45.50KB ","children":null,"spread":false}],"spread":false},{"title":"7）查找隐藏驱动","children":[{"title":"7）查找隐藏驱动.doc 53.00KB ","children":null,"spread":false}],"spread":false},{"title":"3）shadow ssdt学习笔记","children":[{"title":"3）shadow ssdt学习笔记.doc 39.00KB ","children":null,"spread":false}],"spread":false},{"title":"4）高手进阶windows内核定时器之一","children":[{"title":"WorkItem.rar 1.73KB ","children":null,"spread":false},{"title":"4）高手进阶windows内核定时器之一.doc 63.50KB ","children":null,"spread":false}],"spread":false},{"title":"2）驱动感染技术扫盲","children":[{"title":"2）驱动感染技术扫盲.doc 36.00KB ","children":null,"spread":false},{"title":"InfectDriver.rar 13.12KB ","children":null,"spread":false}],"spread":false},{"title":"10）另一种读写进程内存空间的方法","children":[{"title":"10）另一种读写进程内存空间的方法.doc 33.00KB ","children":null,"spread":false}],"spread":false},{"title":"5）高手进阶windows内核定时器之二","children":[{"title":"TimerWorks.rar 2.27KB ","children":null,"spread":false},{"title":"5）高手进阶windows内核定时器之二.doc 56.00KB ","children":null,"spread":false}],"spread":false},{"title":"9）内核中注入dll的一种流氓方法","children":[{"title":"Apc.rar 4.90KB ","children":null,"spread":false},{"title":"9）内核中注入dll的一种流氓方法.doc 25.00KB ","children":null,"spread":false}],"spread":false},{"title":"13）ring0检测隐藏进程","children":[{"title":"13）ring0检测隐藏进程.doc 28.00KB ","children":null,"spread":false},{"title":"Ring0下搜索内存枚举隐藏进程.doc 25.50KB ","children":null,"spread":false}],"spread":false},{"title":"12）Hook Shadow SSDT","children":[{"title":"12）Hook Shadow SSDT.doc 114.00KB ","children":null,"spread":false},{"title":"HookShadowSSDT.rar 466.20KB ","children":null,"spread":false}],"spread":false},{"title":"8）装载驱动的几种办法","children":[{"title":"8内核模式下装载驱动和原生态应用程序.pdf 136.71KB ","children":null,"spread":false},{"title":"Loading drivers and Native applications from kernel mode, without touching registry.rar 111.37KB ","children":null,"spread":false},{"title":"8）装载驱动的几种办法.doc 219.00KB ","children":null,"spread":false}],"spread":false}],"spread":false}],"spread":true},{"title":"目录里面的文件.txt 5.92KB ","children":null,"spread":false}],"spread":true}],"spread":true}]

评论信息

其他资源

免责申明

【只为小站】的资源来自网友分享，仅供学习研究，请务必在下载后24小时内给予删除，不得用于其他任何用途，否则后果自负。基于互联网的特殊性，【只为小站】无法对用户传输的作品、信息、内容的权属或合法性、合规性、真实性、科学性、完整权、有效性等进行实质审查；无论【只为小站】经营者是否已进行审查，用户均应自行承担因其传输的作品、信息、内容而可能或已经产生的侵权或权属纠纷等法律责任。
本站所有资源不代表本站的观点或立场，基于网友分享，根据中国法律《信息网络传播权保护条例》第二十二条之规定，若资源存在侵权或相关问题请联系本站客服人员，zhiweidada#qq.com，请把#换成@，本站将给予最大的支持与配合，做到及时反馈和处理。关于更多版权及免责申明参见版权及免责申明

【专题四】Rootkit的学习与研究

文件下载

资源详情

评论信息

其他资源

免责申明

个人信息

相关资源标签

热门下载

最新下载