搜索资源列表
hookntcontinue
- ring0--hook NtContinue+source_code ring0下面hookNtContinue 使用drx7寄存器实现的hook this code hooks ntoskrnl!NtContinue to set dr7 to 0 (no updating of dr7) so NtContinue called from ring3 cannot alter drX registers... This hook will only PREVENT dr
ssdt.
- Delphi开发驱动的一个例子 1.映射ntoskrnl.exe到内存 2.重定位信息... 3.搜索SSDT基址 4.补丁回去
test_blue
- 一个进入ring0并且能调用ntoskrnl.exe的导出函数的源码。十分整蛊。-This is the code to enter RING0 and call the export function in ntoskrnl.exe ...Very tricky.
KernelLookup
- Open Source SSDT Hook detection utility, it will scan the SSDT Entries in the kernel (ntoskrnl.exe) and find the functions that are hooked & not in the kernel base address range .
x64ssdt
- Get entry point of SSDT on x64 which not exported from ntoskrnl.exe like older os
neihe
- 获取内核ntoskrnl.exe基地址的几种常见办法-Access to the kernel ntoskrnl.exe base address several common approaches
InstDrv
- 驱动编译说明: 可以支持多个Obj驱动编译,编译出错会回馈错误信息 编译时,只能把驱动obj文件和所需的LIB支持库,放在“驱动编译.exe”目录下 使用某些LIB支持库编译成功的驱动,也会加载不了 比如:"C:\1.obj" 编译时,请把"C:\1.*" 保存好,否则会误删 驱动是否编译成功,以驱动加载工具为效果,与以下支持库有冲突的都编译成功的驱动,也会加载不了 以下为自带支持库 krnln_static.lib
WRK1.2
- 1. 【WindowsResearchKernel-WRK1.2.rar】 应该直接使用命令行方式编译 WRK-v1.2,假设解压出来的放置在 D:\WRK-v1.2 下,并编译成x86方式,打开一个cmd: set arch=x86 [或者选择 amd64] path D:\WRK-v1.2\tools\x86 path cd D:\WRK-v1.2\base\ntos nmake -nologo x86= 约1-2分钟,编译出的内核文件在 D:\WRK
SDT_UnHook_Code
- 通过读取ntoskrnl.exe文件的导出函数API相对虚拟地址,找到ntoskrnl.exe在内存中的基地址,计算各个API真正的起始地址,比较SSDT表中对应的API地址,不同则去掉SSDT钩子的驱动代码-First,the driver code acquires the RVA of APIs the export table of ntoskrnl.exe.Second,program acquires the base address of ntoskrnl.exe loaded
neihe
- 获取内核ntoskrnl.exe基地址的几种常见办法-Access to the kernel ntoskrnl.exe base address several common approaches