[原创]Antirootkit: CodeWalker-编程技术-看雪-安全社区|安全招聘|kanxue.com

[原创]Antirootkit: CodeWalker

发表于: 2008-12-12 15:02 25208

[原创]Antirootkit: CodeWalker

thuggie

2008-12-12 15:02

25208

查看主题内容

收藏・4

免费・0

支持

最新回复 (75) ◀ 1 2 3 4 ▶
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 26 楼 [QUOTE=qihoocom] but my hook in tophet will not modify any of execution image and any of function pointer(do you forgot the IAT/EAT?) [/QUOTE] It does detect IAT hooks, you can check the screenshot at page 1 about IAT hook in tcpip.sys (NdisOpenAdapter, NdisCloseAdapter) but EAT detection isnt stable. If your hook doesnt modify image or function ptr then my tool will not detect it, of cos ;) but my DKOM detection feature is currently in stable and ready for next build :) 2008-12-12 22:17 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 27 楼不看no source code 的东西~~ 尤其界面复杂的~ 2008-12-12 22:34 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 28 楼想要我们帮助免费测试和提出升级意见——不开源的东西，我坚决不做益工~~ 2008-12-12 22:36 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 29 楼 It Can not detect my gui hacking rootkit~~ ~~~~ 2008-12-12 22:37 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 30 楼驱动有VMP，看起来一点都不舒服~ 最后说句：居然引入了MmIsAddressValid... 2008-12-12 22:39 0
Sysnap 雪币： 581 活跃值： (149) 能力值： ( LV12，RANK：600 ) 在线值：发帖 32 回帖 389 粉丝 10 关注私信	Sysnap 14 31 楼一般公开的anti rootkit的驱动基本感觉没什么好东西...没必要加那么多保护 2008-12-12 22:41 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 32 楼 GUI的Tilte居然固定，Windows样式有特征~~ 等着被SetParent么？唉~~ 2008-12-12 22:52 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 33 楼 I know what you had mentioned: you scan AN API, when your DASM ENGINE find a E8 call /FF 15 CALL, your Engine follow in, this called "deep scan", AND I had used this little trick for a long time. BUT, you may forget that your call hook in MmLoadSystemImage is: call f7946003 ; <--- this ADDRESS isn't in ntoskrnl.exe my call HOOK is like this: call 81a02451 ; <-- this ADDRESS is in ntoskrnl.exe that is the differentia, because your ENGINE follow in each CALL xxxx, and if xxxx's address is in ntoskrnl.exe, you take it for granted that it is a normal call, but not a Virus Modify. AND my scan ENGINE CAN deeply carry out... 2008-12-12 22:52 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 34 楼貌似我的白菜技术普及说过的... 比如这里的XX~~ 1e5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2A6i4K6u0W2j5X3q4A6k6s2g2Q4x3X3g2U0L8$3#2Q4x3V1k6C8K9h3I4D9N6Y4S2C8i4K6u0r3j5X3I4G2k6#2)9J5c8X3W2@1k6h3#2Q4x3V1j5#2j5K6p5I4k6U0c8X3z5o6g2U0j5e0m8X3y4o6g2X3x3U0f1J5k6r3j5J5k6o6c8Q4x3X3g2Z5N6r3#2D9 2008-12-12 22:57 0
weolar 雪币： 364 活跃值： (152) 能力值： ( LV12，RANK：450 ) 在线值：发帖 142 回帖 620 粉丝 21 关注私信	weolar 10 35 楼 It's so rascally~~~ We are discussing how to bypass the inline hook scaning in ring 0 2008-12-12 23:00 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 36 楼 MmIsAddressValid Hook maybe work~ Or the ShadowWalker+VMM(XCON 2008 xuhao said some thing about protecting kernel memory from scaning with VMM) 2008-12-12 23:01 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 37 楼 @cvcvxK: Hi, im sorry that i cant fully understand your post, becos I dont know Chinese :( I only use google to translate to Vietnamese :( It translate "驱动有VMP，看起来一点都不舒服~ 最后说句：居然引入了MmIsAddressValid..." to "Driver has VMP, is not comfortable to look To be the last: even the introduction of the MmIsAddressValid ...". Im really sorry, can you post in English ? @Sudami: No, that isnt the reason. Even CALL/JMP xxxx with xxxx inside ntoskrnl.exe or i.e the being scanned module, it still be detected as hook, becos it doesnt make any assumption that address inside ntoskrnl.exe is safe or geniune. It's the difference to other ark. It checks the target functions which is called, if the target is abnormal, suspect flag is set. 2008-12-12 23:01 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 38 楼 The MmIsAddressValid is not a safe function in the system which is infected by rootkits. It might return an unreal value to some address. 2008-12-12 23:05 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 39 楼 but the result in my computer is that your PROC CAN NOT DETECT my call hook. that is all. your technique for DEEP SCAN is nice, It is really more stronger than current other arks. AND I had mad ONE DEMO too, almost like yours~~ 2008-12-12 23:07 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 40 楼 @cvcvxk: Ah, i will take a look at this problem. Thanks a lot. @sudami: Yes, bugs are always welcome, maybe i've forgotten some conditions somewhere. Im checking the code now too ^^ I can't send pm to you guys in this forum, is this feature disable? I tried to translate but it doesnt help much. 2008-12-12 23:18 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 41 楼 YOU WANT TO Pm,but that exceed your authority. good luck, chinese for foreigners is always hard to learn... 2008-12-12 23:24 0
Sysnap 雪币： 581 活跃值： (149) 能力值： ( LV12，RANK：600 ) 在线值：发帖 32 回帖 389 粉丝 10 关注私信	Sysnap 14 42 楼 it thing you tool is cool but you check hidden drv is weak ..for it will not detect my drv while you load it before you drv 上传的附件： hide_drv_synap.rar （1.67kb，26次下载） 2008-12-12 23:25 0
nObele 雪币： 1876 活跃值： (1860) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 24 粉丝 0 关注私信	nObele 43 楼为啥不偶喷琐死呢? 2008-12-12 23:28 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 44 楼 @Sysnap: Hi, thanks for your testing driver, but I tested it and it was detected. You have to use the "Hardcore scan" method. The tool can detect your driver with the result shown below. Of cos I loaded your driver before starting my tool ;) You can check it again too. @Sudami: I just want to ask if I can contact you guys via email, ICQ or Yahoo Messenger or not. 2008-12-12 23:55 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 45 楼 I'm willing to contact with you: EMAIL -- sudami@163.com 2008-12-13 00:04 0
dayed 雪币： 225 活跃值： (10) 能力值： ( LV5，RANK：60 ) 在线值：发帖 10 回帖 222 粉丝 1 关注私信	dayed 1 46 楼老外跑到中国的网站来交流，有意思还能看懂『Win32/Win64编程』，有意思 2008-12-13 00:14 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 47 楼老外跑到中国的网站来交流，有意思还能看懂『Win32/Win64编程』，有意思 is translated to English The foreigners went to China to exchange Web site, interesting Can 'read' Win32/Win64 programming, interesting Yes, that's why I can read/guess :P 2008-12-13 00:34 0
weolar 雪币： 364 活跃值： (152) 能力值： ( LV12，RANK：450 ) 在线值：发帖 142 回帖 620 粉丝 21 关注私信	weolar 10 48 楼 haha,I have a simple way to bypass your inline hook scaning,just like this, and your AR can't find my hook~~~ you can retry like this ps:you can touch me by weolar@qq.com. welcome to discuss Rootkit 上传的附件： 1.jpg （26.20kb，203次下载） 2008-12-13 00:57 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 49 楼 the VMM Rootkit is also undetected~~ 2008-12-13 01:24 0
wowocock 雪币： 405 活跃值： (2900) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 299 粉丝 23 关注私信	wowocock 1 50 楼还是比较好检测的,不过估计也只能在32位下生存,64位下在HYPER-V 下面估计你进不了VMM 2008-12-13 08:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

thuggie

发帖

回帖

RANK

关注

私信

他的文章

[原创]Antirootkit: CodeWalker 25208

关于我们

联系我们

企业服务

看雪公众号

最新回复 (75) ◀ 1 2 3 4 ▶
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 26 楼 [QUOTE=qihoocom] but my hook in tophet will not modify any of execution image and any of function pointer(do you forgot the IAT/EAT?) [/QUOTE] It does detect IAT hooks, you can check the screenshot at page 1 about IAT hook in tcpip.sys (NdisOpenAdapter, NdisCloseAdapter) but EAT detection isnt stable. If your hook doesnt modify image or function ptr then my tool will not detect it, of cos ;) but my DKOM detection feature is currently in stable and ready for next build :) 2008-12-12 22:17 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 27 楼不看no source code 的东西~~ 尤其界面复杂的~ 2008-12-12 22:34 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 28 楼想要我们帮助免费测试和提出升级意见——不开源的东西，我坚决不做益工~~ 2008-12-12 22:36 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 29 楼 It Can not detect my gui hacking rootkit~~ ~~~~ 2008-12-12 22:37 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 30 楼驱动有VMP，看起来一点都不舒服~ 最后说句：居然引入了MmIsAddressValid... 2008-12-12 22:39 0
Sysnap 雪币： 581 活跃值： (149) 能力值： ( LV12，RANK：600 ) 在线值：发帖 32 回帖 389 粉丝 10 关注私信	Sysnap 14 31 楼一般公开的anti rootkit的驱动基本感觉没什么好东西...没必要加那么多保护 2008-12-12 22:41 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 32 楼 GUI的Tilte居然固定，Windows样式有特征~~ 等着被SetParent么？唉~~ 2008-12-12 22:52 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 33 楼 I know what you had mentioned: you scan AN API, when your DASM ENGINE find a E8 call /FF 15 CALL, your Engine follow in, this called "deep scan", AND I had used this little trick for a long time. BUT, you may forget that your call hook in MmLoadSystemImage is: call f7946003 ; <--- this ADDRESS isn't in ntoskrnl.exe my call HOOK is like this: call 81a02451 ; <-- this ADDRESS is in ntoskrnl.exe that is the differentia, because your ENGINE follow in each CALL xxxx, and if xxxx's address is in ntoskrnl.exe, you take it for granted that it is a normal call, but not a Virus Modify. AND my scan ENGINE CAN deeply carry out... 2008-12-12 22:52 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 34 楼貌似我的白菜技术普及说过的... 比如这里的XX~~ 1e5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2A6i4K6u0W2j5X3q4A6k6s2g2Q4x3X3g2U0L8$3#2Q4x3V1k6C8K9h3I4D9N6Y4S2C8i4K6u0r3j5X3I4G2k6#2)9J5c8X3W2@1k6h3#2Q4x3V1j5#2j5K6p5I4k6U0c8X3z5o6g2U0j5e0m8X3y4o6g2X3x3U0f1J5k6r3j5J5k6o6c8Q4x3X3g2Z5N6r3#2D9 2008-12-12 22:57 0
weolar 雪币： 364 活跃值： (152) 能力值： ( LV12，RANK：450 ) 在线值：发帖 142 回帖 620 粉丝 21 关注私信	weolar 10 35 楼 It's so rascally~~~ We are discussing how to bypass the inline hook scaning in ring 0 2008-12-12 23:00 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 36 楼 MmIsAddressValid Hook maybe work~ Or the ShadowWalker+VMM(XCON 2008 xuhao said some thing about protecting kernel memory from scaning with VMM) 2008-12-12 23:01 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 37 楼 @cvcvxK: Hi, im sorry that i cant fully understand your post, becos I dont know Chinese :( I only use google to translate to Vietnamese :( It translate "驱动有VMP，看起来一点都不舒服~ 最后说句：居然引入了MmIsAddressValid..." to "Driver has VMP, is not comfortable to look To be the last: even the introduction of the MmIsAddressValid ...". Im really sorry, can you post in English ? @Sudami: No, that isnt the reason. Even CALL/JMP xxxx with xxxx inside ntoskrnl.exe or i.e the being scanned module, it still be detected as hook, becos it doesnt make any assumption that address inside ntoskrnl.exe is safe or geniune. It's the difference to other ark. It checks the target functions which is called, if the target is abnormal, suspect flag is set. 2008-12-12 23:01 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 38 楼 The MmIsAddressValid is not a safe function in the system which is infected by rootkits. It might return an unreal value to some address. 2008-12-12 23:05 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 39 楼 but the result in my computer is that your PROC CAN NOT DETECT my call hook. that is all. your technique for DEEP SCAN is nice, It is really more stronger than current other arks. AND I had mad ONE DEMO too, almost like yours~~ 2008-12-12 23:07 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 40 楼 @cvcvxk: Ah, i will take a look at this problem. Thanks a lot. @sudami: Yes, bugs are always welcome, maybe i've forgotten some conditions somewhere. Im checking the code now too ^^ I can't send pm to you guys in this forum, is this feature disable? I tried to translate but it doesnt help much. 2008-12-12 23:18 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 41 楼 YOU WANT TO Pm,but that exceed your authority. good luck, chinese for foreigners is always hard to learn... 2008-12-12 23:24 0
Sysnap 雪币： 581 活跃值： (149) 能力值： ( LV12，RANK：600 ) 在线值：发帖 32 回帖 389 粉丝 10 关注私信	Sysnap 14 42 楼 it thing you tool is cool but you check hidden drv is weak ..for it will not detect my drv while you load it before you drv 上传的附件： hide_drv_synap.rar （1.67kb，26次下载） 2008-12-12 23:25 0
nObele 雪币： 1876 活跃值： (1860) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 24 粉丝 0 关注私信	nObele 43 楼为啥不偶喷琐死呢? 2008-12-12 23:28 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 44 楼 @Sysnap: Hi, thanks for your testing driver, but I tested it and it was detected. You have to use the "Hardcore scan" method. The tool can detect your driver with the result shown below. Of cos I loaded your driver before starting my tool ;) You can check it again too. @Sudami: I just want to ask if I can contact you guys via email, ICQ or Yahoo Messenger or not. 2008-12-12 23:55 0
sudami 雪币： 709 活跃值： (2590) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 68 关注私信	sudami 25 45 楼 I'm willing to contact with you: EMAIL -- sudami@163.com 2008-12-13 00:04 0
dayed 雪币： 225 活跃值： (10) 能力值： ( LV5，RANK：60 ) 在线值：发帖 10 回帖 222 粉丝 1 关注私信	dayed 1 46 楼老外跑到中国的网站来交流，有意思还能看懂『Win32/Win64编程』，有意思 2008-12-13 00:14 0
thuggie 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 20 粉丝 0 关注私信	thuggie 47 楼老外跑到中国的网站来交流，有意思还能看懂『Win32/Win64编程』，有意思 is translated to English The foreigners went to China to exchange Web site, interesting Can 'read' Win32/Win64 programming, interesting Yes, that's why I can read/guess :P 2008-12-13 00:34 0
weolar 雪币： 364 活跃值： (152) 能力值： ( LV12，RANK：450 ) 在线值：发帖 142 回帖 620 粉丝 21 关注私信	weolar 10 48 楼 haha,I have a simple way to bypass your inline hook scaning,just like this, and your AR can't find my hook~~~ you can retry like this ps:you can touch me by weolar@qq.com. welcome to discuss Rootkit 上传的附件： 1.jpg （26.20kb，203次下载） 2008-12-13 00:57 0
cvcvxk 雪币： 8833 活跃值： (2419) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 244 关注私信	cvcvxk 10 49 楼 the VMM Rootkit is also undetected~~ 2008-12-13 01:24 0
wowocock 雪币： 405 活跃值： (2900) 能力值： ( LV4，RANK：50 ) 在线值：发帖 4 回帖 299 粉丝 23 关注私信	wowocock 1 50 楼还是比较好检测的,不过估计也只能在32位下生存,64位下在HYPER-V 下面估计你进不了VMM 2008-12-13 08:47 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复