Rootkit Material Collection (2)
  Added: 07/17/2008   Published: 07/17/2008
 

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _LIST_ENTRY
{
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;
The typical examples of doubly-linked lists are the process list and the thread list. The internal variable PsActiveProcessHead is a LIST_ENTRY structure in the data segment of ntoskrnl.exe; it holds the head of the system's process list. Think about it: if we detach our process object from the doubly-linked process list, then Task Manager (taskmgr.exe), which calls NtQuerySystemInformation to enumerate processes, will not see our process. Some people then worry: if the process is removed from the list, will it still be scheduled? The answer is yes, it will. Windows scheduling is thread-based; the scheduler (the dispatcher) uses a different data structure, so whether a thread is dispatched has nothing to do with the active-process doubly-linked list, and the process will not be ignored by the CPU. There is no need to worry. In 2003 pjf proposed this method on the Security Focus forum and gave code that implements it. I will give the URL of that article in the references at the end of this article.
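The paragraph above explains why an unlinked process disappears from a list walk yet keeps running, which is exactly what a cross-view detector exploits: compare the list view with a second view of the same objects and report the difference. The following user-mode simulation is an added example, not code from the original article or from pjf; DEMO_PROCESS, the PIDs and the "all allocated objects" array are constructed stand-ins for EPROCESS and for the scheduler-side structures.

```c
#include <stddef.h>

/* LIST_ENTRY exactly as shown in the text above. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;
/* Constructed stand-in for EPROCESS: only a PID and its ActiveProcessLinks. */
typedef struct _DEMO_PROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
} DEMO_PROCESS;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
static void InitializeListHead(PLIST_ENTRY Head) { Head->Flink = Head->Blink = Head; }
static void InsertTailList(PLIST_ENTRY Head, PLIST_ENTRY Entry) {
    Entry->Flink = Head;        Entry->Blink = Head->Blink;
    Head->Blink->Flink = Entry; Head->Blink = Entry;
}
/* The unlink the text describes: the neighbours are joined, the object itself stays allocated. */
static void RemoveEntryList(PLIST_ENTRY Entry) {
    Entry->Blink->Flink = Entry->Flink;
    Entry->Flink->Blink = Entry->Blink;
}
/* View 1: walk from PsActiveProcessHead, as a list-based process enumeration does. */
static int ListViewHasPid(PLIST_ENTRY Head, unsigned long Pid) {
    for (PLIST_ENTRY e = Head->Flink; e != Head; e = e->Flink)
        if (CONTAINING_RECORD(e, DEMO_PROCESS, ActiveProcessLinks)->UniqueProcessId == Pid)
            return 1;
    return 0;
}
/* View 2 is every allocated process object (standing in for the scheduler's thread
   structures, which still run an unlinked process). Objects in View 2 but not in
   View 1 are hidden; the count is the cross-view discrepancy a detector reports. */
static int CountHiddenProcesses(PLIST_ENTRY Head, DEMO_PROCESS *All, int Count) {
    int hidden = 0;
    for (int i = 0; i < Count; i++)
        hidden += !ListViewHasPid(Head, All[i].UniqueProcessId);
    return hidden;
}
/* Three constructed processes; PID 1234 is unlinked the way the text describes. */
static int RunCrossViewDemo(void) {
    static DEMO_PROCESS procs[3] = { {4, {0, 0}}, {1234, {0, 0}}, {2000, {0, 0}} };
    LIST_ENTRY head;
    InitializeListHead(&head);
    for (int i = 0; i < 3; i++) InsertTailList(&head, &procs[i].ActiveProcessLinks);
    RemoveEntryList(&procs[1].ActiveProcessLinks);
    return CountHiddenProcesses(&head, procs, 3); /* returns 1: PID 1234 is missing from the list view */
}
```

In a real detector the second view comes from an independent source (thread or handle-table scans, or a memory image), so the comparison does not depend on the structure the rootkit tampered with.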
2. Modifying the system service table (SST)
A rootkit can add its own services to the system call table and then have the system run whatever it wants executed. He4HookInv does exactly this; it is also a fairly well-known Windows rootkit. Below we look concretely at how He4HookInv is implemented. Previously people did not know how it was done: articles introducing rootkits mentioned it briefly, but only said that it modifies the SST and did not describe the details. The details of He4HookInv were not made public until the Phrack magazine article.
He4Hook uses different methods in different versions. The published material describes two of them; only the first is discussed here. If you want to understand the second method and the first edition, see the reference (the Phrack link) at the end of this article.
ZwCreateFile, ZwOpenFile, IoCreateFile, ZwQueryDirectoryFile and ZwClose are implemented like this in Ntdll.dll:
    mov eax, NumberFunction
    lea edx, [esp+04h]
    int 2eh             ; syscall interface

Of course Ntdll.dll is only the front gate; the real function call is completed in Ntoskrnl. For the native API you can read another article I wrote, listed in the references: "A Brief Analysis of the Native API".
EAX holds the system call number. int 2Eh transfers control to the interrupt handler at entry 0x2E of the interrupt descriptor table (IDT). The interrupt handler takes the value in EAX as an index into a lookup table and finds the final target function. This table is the system service table (SST). ntoskrnl exports a pointer to the main SDT through the KeServiceDescriptorTable symbol, so we can access the SDT via KeServiceDescriptorTable. Now let us look at the structure of KeServiceDescriptorTable.
