Win2K/XP SDT Restore 0.2 (Proof-Of-Concept)
Author: 武汉SEO闵涛  Source: 敏韬网  Updated: 2009/4/25 0:44:48  Posted by: mintao  Editor: mintao
  by unknown at F754CDB7]--
  ZwDeleteFile              34 --[hooked by unknown at F754C80C]--
  ZwGetTickCount            4C --[hooked by unknown at F754CE27]--
  ZwLoadDriver              55 --[hooked by unknown at F754CBF2]--
  ZwQueryDirectoryFile      7D --[hooked by unknown at F754C6E8]--
  ZwQuerySystemInformation  97 --[hooked by unknown at F754C623]--
  ZwSetInformationFile      C2 --[hooked by unknown at F754C8A8]--

  Number of Service Table entries hooked = 10

  WARNING: THIS IS EXPERIMENTAL CODE. FIXING THE SDT MAY HAVE GRAVE CONSEQUENCES,
  SUCH AS SYSTEM CRASH, DATA LOSS OR SYSTEM CORRUPTION. PROCEED AT YOUR OWN RISK.
  YOU HAVE BEEN WARNED.

  Fix SDT Entries (Y/N)? : y
  [+] Patched SDT entry 10 to 804A257F
  [+] Patched SDT entry 20 to 80497EF9
  [+] Patched SDT entry 23 to 804B2483
  [+] Patched SDT entry 29 to 804A9212
  [+] Patched SDT entry 34 to 804D0584
  [+] Patched SDT entry 4C to 80463FF2
  [+] Patched SDT entry 55 to 8052DC72
  [+] Patched SDT entry 7D to 80498541
  [+] Patched SDT entry 97 to 80493B5B
  [+] Patched SDT entry C2 to 80498C08
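The output above shows the two things the tool does: it compares each live KiServiceTable slot against the address it expects and reports the ones that differ, then, on confirmation, writes the expected address back. The following is an added user-mode model of that check-and-fix loop; it is not the SDT Restore 0.2 source, which this page does not include. A real implementation reads and writes KiServiceTable from kernel memory through a driver; here the table contents, the baseline (assumed to come from the on-disk ntoskrnl.exe relocated to its load address) and the ntoskrnl image range are constructed data. The index/address pairs for ZwDeleteFile, ZwGetTickCount and ZwLoadDriver are taken from the output above; the ZwDeleteKey slot and the kernel range 0x80400000 + 0x1A0000 are assumptions for illustration.

```c
/* Added example: user-mode model of an SDT hook check and restore.
 * Not the tool's code. Table values and kernel range are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Loaded ntoskrnl image range: assumed Win2K layout, not read from a system. */
typedef struct {
    uint32_t base;   /* ImageBase as loaded */
    uint32_t size;   /* SizeOfImage */
} KernelImage;

/* One service table slot: the live value plus the baseline we trust.
 * The baseline would come from ntoskrnl.exe on disk, relocated to `base`. */
typedef struct {
    unsigned    index;     /* service number (shown in hex by the tool) */
    const char *name;      /* Zw* name of the service, for the report */
    uint32_t    live;      /* value read from KiServiceTable[index] */
    uint32_t    baseline;  /* value the slot is expected to hold */
} SdtSlot;

/* A slot is hooked when its live pointer no longer matches the baseline. */
int sdt_slot_hooked(const SdtSlot *s) {
    return s->live != s->baseline;
}

/* A hook target outside the kernel image lives in some other loaded module;
 * the tool prints "unknown" when it cannot name that module. */
int outside_kernel_image(const KernelImage *k, uint32_t addr) {
    return addr < k->base || addr >= k->base + k->size;
}

/* Walk every slot, report mismatches and optionally restore them.
 * Returns the number of hooked slots seen during this pass. */
size_t sdt_scan(SdtSlot *slots, size_t n, const KernelImage *k, int fix) {
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        SdtSlot *s = &slots[i];
        if (!sdt_slot_hooked(s))
            continue;
        hooked++;
        printf("%-26s %02X --[hooked by %s at %08X]--\n", s->name, s->index,
               outside_kernel_image(k, s->live) ? "unknown" : "code inside ntoskrnl",
               (unsigned)s->live);
        if (fix) {
            /* On a real system this is the write to KiServiceTable[index]. */
            s->live = s->baseline;
            printf("[+] Patched SDT entry %02X to %08X\n", s->index, (unsigned)s->live);
        }
    }
    return hooked;
}

/* Constructed test data (see lead-in for which values come from the page). */
static const KernelImage kernel = { 0x80400000u, 0x001A0000u };

static SdtSlot sample[] = {
    { 0x34, "ZwDeleteFile",   0xF754C80Cu, 0x804D0584u },  /* hooked, from output */
    { 0x4C, "ZwGetTickCount", 0xF754CE27u, 0x80463FF2u },  /* hooked, from output */
    { 0x35, "ZwDeleteKey",    0x804E12A0u, 0x804E12A0u },  /* clean slot, constructed */
    { 0x55, "ZwLoadDriver",   0xF754CBF2u, 0x8052DC72u },  /* hooked, from output */
};

int main(void) {
    size_t n = sizeof sample / sizeof sample[0];
    size_t found = sdt_scan(sample, n, &kernel, 0);
    printf("Number of Service Table entries hooked = %zu\n", found);
    if (found) {
        /* The tool prompts "Fix SDT Entries (Y/N)?" here; this model answers yes. */
        sdt_scan(sample, n, &kernel, 1);
        printf("Hooked after fix = %zu\n", sdt_scan(sample, n, &kernel, 0));
    }
    return 0;
}
```

The mismatch test against a baseline is what makes the check reliable; the image-range test only classifies the hook target. A hook that points into unused bytes inside ntoskrnl would pass the range test but still fail the baseline comparison.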
 
Limitations

This version has been tested only on English-language Win2K SP2 and SP4 and WinXP SP0 and SP1. Other builds, service packs and language versions have different kernel layouts and have not been tested.

Restoring an entry removes the hook from under whatever driver installed it; if that driver is still loaded and depends on the hook, the system may fault.

THIS IS EXPERIMENTAL CODE. FIXING THE SDT MAY HAVE GRAVE CONSEQUENCES, SUCH AS SYSTEM CRASH, DATA LOSS OR SYSTEM CORRUPTION. IT IS RECOMMENDED THAT YOU USE THIS CODE ONLY ON A TEST SYSTEM. PROCEED AT YOUR OWN RISK.
 

Credits

  1. hoglund - original and first public NT ROOTKIT
  2. fuzen_op - FU Rootkit
  3. hf - Hacker Defender
  4. joanna - klister
  5. 90210//HI-TECH - phide
  6. 90210 - Thanks for the more stable way of finding the address of KiServiceTable.

 

Contacts

For further enquiries, or to submit malicious code for our analysis, email the following.

Overall-in-charge: Tan Chew Keong

