by unknown at F754CDB7]--
ZwDeleteFile 34 --[hooked by unknown at F754C80C]--
ZwGetTickCount 4C --[hooked by unknown at F754CE27]--
ZwLoadDriver 55 --[hooked by unknown at F754CBF2]--
ZwQueryDirectoryFile 7D --[hooked by unknown at F754C6E8]--
ZwQuerySystemInformation 97 --[hooked by unknown at F754C623]--
ZwSetInformationFile C2 --[hooked by unknown at F754C8A8]--
Number of Service Table entries hooked = 10
WARNING: THIS IS EXPERIMENTAL CODE. FIXING THE SDT MAY HAVE GRAVE
CONSEQUENCES, SUCH AS SYSTEM CRASH, DATA LOSS OR SYSTEM CORRUPTION.
PROCEED AT YOUR OWN RISK. YOU HAVE BEEN WARNED.
Fix SDT Entries (Y/N)? : y
[+] Patched SDT entry 10 to 804A257F
[+] Patched SDT entry 20 to 80497EF9
[+] Patched SDT entry 23 to 804B2483
[+] Patched SDT entry 29 to 804A9212
[+] Patched SDT entry 34 to 804D0584
[+] Patched SDT entry 4C to 80463FF2
[+] Patched SDT entry 55 to 8052DC72
[+] Patched SDT entry 7D to 80498541
[+] Patched SDT entry 97 to 80493B5B
[+] Patched SDT entry C2 to 80498C08
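The two passes shown above (flag entries whose address is wrong, then write the original address back) reduce to a table comparison. The following C program is an added illustration, not SDTrestore's own code: it runs the same logic in user mode over a constructed six-entry table. The live and known-good arrays, the slot numbering and the ntoskrnl load range (NTOS_BASE, NTOS_SIZE) are all assumptions for the demo; a real tool reads KiServiceTable from kernel memory and derives the expected addresses from a trusted copy of ntoskrnl.exe relocated to its actual load base. The sample addresses are borrowed from the output above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed 32-bit ntoskrnl.exe load range (illustrative only; on a real box the
 * base and size come from the loaded-module list and differ per build). */
#define NTOS_BASE 0x80400000u
#define NTOS_SIZE 0x00200000u

#define SAMPLE_N 6

struct sdt_hit {
    size_t   index;          /* slot in the service table */
    uint32_t cur;            /* address currently in the live table */
    uint32_t expected;       /* address the known-good table holds for that slot */
    int      outside_image;  /* 1 if cur does not point into ntoskrnl at all */
};

/* Constructed known-good table: stands in for values recomputed from the
 * on-disk ntoskrnl.exe. Slot numbers here are not real service indexes. */
static const uint32_t g_good[SAMPLE_N] = {
    0x804A257Fu, 0x80497EF9u, 0x804B2483u, 0x804D0584u, 0x80463FF2u, 0x8052DC72u
};

/* Constructed live table as a rootkit might leave it: slots 0, 3 and 4 are
 * redirected into a third-party driver (0xF754xxxx); slot 5 is diverted to a
 * different address that still lies inside the ntoskrnl image. */
static const uint32_t g_live[SAMPLE_N] = {
    0xF754CDB7u, 0x80497EF9u, 0x804B2483u, 0xF754C80Cu, 0xF754CE27u, 0x80401234u
};

/* Return 1 if addr lies in [base, base + size). */
static int in_image(uint32_t addr, uint32_t base, uint32_t size)
{
    return addr >= base && addr - base < size;
}

/* Compare the live table against the known-good one. Every differing slot is
 * recorded (up to max_hits); the range check only annotates the hit, so a hook
 * that stays inside the kernel image is still caught. Returns hits recorded. */
static size_t find_hooks(const uint32_t *live, const uint32_t *good, size_t n,
                         uint32_t base, uint32_t size,
                         struct sdt_hit *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < max_hits; i++) {
        if (live[i] == good[i])
            continue;
        hits[found].index = i;
        hits[found].cur = live[i];
        hits[found].expected = good[i];
        hits[found].outside_image = !in_image(live[i], base, size);
        found++;
    }
    return found;
}

/* Write the expected address back into each hooked slot. Returns slots patched. */
static size_t restore_hooks(uint32_t *live, const struct sdt_hit *hits, size_t n)
{
    for (size_t i = 0; i < n; i++)
        live[hits[i].index] = hits[i].expected;
    return n;
}

int main(void)
{
    uint32_t live[SAMPLE_N];
    struct sdt_hit hits[SAMPLE_N];
    memcpy(live, g_live, sizeof live);   /* work on a copy of the constructed table */

    size_t n = find_hooks(live, g_good, SAMPLE_N, NTOS_BASE, NTOS_SIZE, hits, SAMPLE_N);
    for (size_t i = 0; i < n; i++)
        printf("entry %02zX --[hooked at %08X, %s]--\n", hits[i].index, hits[i].cur,
               hits[i].outside_image ? "outside ntoskrnl" : "inside ntoskrnl image");
    printf("Number of Service Table entries hooked = %zu\n", n);

    restore_hooks(live, hits, n);
    for (size_t i = 0; i < n; i++)
        printf("[+] Patched SDT entry %02zX to %08X\n", hits[i].index, hits[i].expected);

    /* A clean re-scan confirms the table matches the known-good copy again. */
    printf("Entries still hooked after patch = %zu\n",
           find_hooks(live, g_good, SAMPLE_N, NTOS_BASE, NTOS_SIZE, hits, SAMPLE_N));
    return 0;
}
```

Slot 5 is the case worth noticing: an address range check on its own reports nothing there, because the hook target is inside ntoskrnl. Only the comparison against a trusted table exposes it, which is why restoring from known-good values rather than from a range heuristic matters. The table is also just one place a rootkit can hook; inline patches inside the service routines themselves are not visible to this check at all.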
Limitations
This version is tested only on English Win2K SP2 and SP4, WinXP SP0 and SP1.
THIS IS EXPERIMENTAL CODE. FIXING THE SDT MAY HAVE GRAVE CONSEQUENCES, SUCH AS SYSTEM CRASH, DATA LOSS OR SYSTEM CORRUPTION. IT IS RECOMMENDED THAT YOU USE THIS CODE ONLY ON A TEST SYSTEM. PROCEED AT YOUR OWN RISK.
Credits
hoglund - original and first public NT ROOTKIT
fuzen_op - FU Rootkit
hf - Hacker Defender
joanna - klister
90210//HI-TECH - phide
90210 - Thanks for the more stable way of finding the address of KiServiceTable.
Contacts
For further enquiries, or to submit malicious code for our analysis, email the following.