[求助]我的atapi驱动被挂钩了，如何才能找到这个罪魁祸首啊？！-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]我的atapi驱动被挂钩了，如何才能找到这个罪魁祸首啊？！

发表于: 2016-2-15 13:49 6321

[求助]我的atapi驱动被挂钩了，如何才能找到这个罪魁祸首啊？！

雪六四

2016-2-15 13:49

6321

这是我用PCHunter导出的Atapi表：

[PC Hunter Standard][Atapi]: 28
序号函数名称当前函数地址 Hook 原始函数地址当前函数地址所在模块
0 IRP_MJ_CREATE 0xFFFFFA8006CD02C0 atapi hook 0xFFFFF88001021880 未知模块
1 IRP_MJ_CREATE_NAMED_PIPE 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
2 IRP_MJ_CLOSE 0xFFFFFA8006CD02C0 atapi hook 0xFFFFF88001021880 未知模块
3 IRP_MJ_READ 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
4 IRP_MJ_WRITE 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
5 IRP_MJ_QUERY_INFORMATION 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
6 IRP_MJ_SET_INFORMATION 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
7 IRP_MJ_QUERY_EA 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
8 IRP_MJ_SET_EA 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
9 IRP_MJ_FLUSH_BUFFERS 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
10 IRP_MJ_QUERY_VOLUME_INFORMATION 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
11 IRP_MJ_SET_VOLUME_INFORMATION 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
12 IRP_MJ_DIRECTORY_CONTROL 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
13 IRP_MJ_FILE_SYSTEM_CONTROL 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
14 IRP_MJ_DEVICE_CONTROL 0xFFFFFA8006CD02C0 atapi hook 0xFFFFF88001007500 未知模块
15 IRP_MJ_INTERNAL_DEVICE_CONTROL 0xFFFFFA8006CD02C0 atapi hook 0xFFFFF880010074D8 未知模块
16 IRP_MJ_SHUTDOWN 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
17 IRP_MJ_LOCK_CONTROL 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
18 IRP_MJ_CLEANUP 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
19 IRP_MJ_CREATE_MAILSLOT 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
20 IRP_MJ_QUERY_SECURITY 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
21 IRP_MJ_SET_SECURITY 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
22 IRP_MJ_POWER 0xFFFFFA8006CD02C0 atapi hook 0xFFFFF88001007528 未知模块
23 IRP_MJ_SYSTEM_CONTROL 0xFFFFFA8006CD02C0 atapi hook 0xFFFFF8800101C4E0 未知模块
24 IRP_MJ_DEVICE_CHANGE 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
25 IRP_MJ_QUERY_QUOTA 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
26 IRP_MJ_SET_QUOTA 0xFFFFF80002E83140 - 0xFFFFF80002E83140 C:\Windows\system32\ntoskrnl.exe
27 IRP_MJ_PNP_POWER 0xFFFFFA8006CD02C0 atapi hook 0xFFFFF8800101C4AC 未知模块

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・0

免费・0

支持