 V1.0(԰)һ̹ļSSDTSHADOWںģ쿴Inline Hookɨ裬־䣬ҪԱ书ܣһǿİȫߡ

̹
    ṩ˷ḻĽϢֱС״̬(ҪǱ־Ƿؽ̺ͱḶ̌ĽҪڱ书ܵ)ӳPIDID´IDΨһģǽ̵ıʶPIDָ˽̵ĽIDⷽ쿴̵ļ壬Ҳ԰ļȣûûSystemַǳãںܶಡαװϵͳļһĽϵͳԴĽ̹Ϊϵͳ̣ûҲ޷ֹУǴಡһ㶼иصǽûSystemȻҲвܰûҲˣǿԼӽ·ϽжϣEPROCESSһûûʲôãһЩںоеΪ̵ָں˶һЩԹ߲쿴ḻĽϢ·̶Ӧļ·ŲһЩαװϵͳ̵ĳҲαװȴαװϵͳ̵ļ·
    ǿķعܣֱṩּĽؼⷽʽöٽ̷ʽ1óöSessionProcessLinksʵ֣ô˷ʽöٳĽһŵ---öٳĽǰ˳еģĽԶһԺ׵Ĳ쿴һЩԽ̡öٽ̷ʽ2öϵͳʽöٽ̵ġ˷öٳؽ̷ʽĳ򡣡öٽ̷ʽ3һۺϷʽöٳĿǰ󲿷ֵؽ̣Ŀǰûöٲؽ̣.
    ǿɱ̹ܡṩɱ̷ʽҪṩ4ַʽֱǣֹ̡NtTerminateProcessʽǿֹͶAPCʽɱ̣ʹô˷ʽɱ̵ʱҪעһ£˷ʽɱǿȷǳߣĿǰûɱ˵Ḷ̌ʱڲɱһЩ̵Ľ̵ʱʾأҲҪС֣ʵĿѾֹˣ벻Ҫٴʹô˷ʽֹпϵͳ¼ֹ˷ʽǽ˵һַʽټ֤ʹô˷ʽ˵Ľ̽޷ٴнˣڡ߼ѡɾɣ˷ʽҪһЩ໥ػĲûֱжϳļֹͿѡ˷ʽǿֹ˷ʽǽϡǿֹʽ֤Ч͵ַʽһֻǿȸ˺ܶ࣬ע˷ʽĽҲʹٴν
    ߼˵뷽ʽΪṩ¹ܣǿɾļ˹ܿǿɾ̶Ӧļ˹ʹãΪ˹ܿ԰еĽ̶ӦļɾһϵͳҪļǿɾ˾OVERˣɨ̹ӡĿǰ汾û˹ܣ¸汾ṩڴ㡱˹ҪΪ˶ԸһЩ̬Ḻ̌ǿѾǿ̷ֹʽḶ̌ĿǰûĳôǾͿʹô˷ʽаĽڴ㣩ӱ̡˹Ϊ䡱ƣϸ˵ļӱ̡˹Ϊ䡱ƣϸ˵ֹ̡˹Ϊ˶ԸһЩɱĳ뷽ʽֹһ£ʹõʱûѽ̽˽̣ļֹ̡˹ƿ԰һЩĳӽбô˴˳ôҵĳҲֹУҪǶԱֹ̺һЩԶܾĶĹɾκһ߼ĹҪΪƵģʹõʱء
    ߳ءṩö̵߳ķʽö̷߳ʽ1˷ʽ߳ʽö̵߳ġö̷߳ʽ2һۺϵöٷʽԶԸ󲿷ֶ߳صĳĿǰûּⲻģ
    ߳ϢУ߳͡Ҫϵͳ̺߳һ̣߳ڱʶһЩSystemThread־̵ĳ򡣡TID̵߳ID̵߳ıʶETHREADһûûãںоԱԷôֵһЩ쿴ḻ߳ϢTebһûҲûáPriority ߳ȼ𡣡ʼִַ߳еһָĵַҪȡ߳ģġģ顱߳ڵģ顣
    ̵̵ֹֹ߳߳ҲṩַʽһǳNtTerminateThreadʽһǸǿȵAPCʽ
    ģءĿǰģֻṩܡжعܽ¸汾ṩֱַʽģ飬öģ鷽ʽ1ͨPEBķʽöٽģ飬˷ŵöٳģǰȺ˳ģصԶҲ쿴Щģˡöģ鷽ʽ2NtQueryVirtualMemoryʽöٵģ˷ʽЧǳãһ
¸汾ṩ
    ģѯ˹ܿϵͳнжԹؼֵģвѯٶȷǳ졣

ļ
    ļṩˣļAPI HOOKʽصļĲ쿴,ļǿɾƻļļļԸļSAMעݿļ
    ͨɾ˹ܺ͡DeleteFileһ
    ǿɾ˹ṩ˸ǿļɾܣɾеĽ̶ӦļһЩʹеļ
    ļ˹ܿԽһЩ߲Ϊ˴ﵽñɾļļԶռʽ򿪣̾޷ļÿԽ෽ʽļ
    ƻļ˹ܿ԰һЩļƻʵӦ˵0˹ʹãΪ˹ܿ԰һеĳļƻ
    Ƶ...˹ܿ԰һļ߶ļƵһĿ¼¡˹ܿԹһЩAPIļƵĳ򣬻ԸSAMעļ
    ǿɾ˹ܽ˽ǿɾΪһ壬вҲһ԰ɾ

SSDT
    SSDTṩ˶SSDTϢ쿴޸ģԲ쿴ʲôļĳЩ˹ҽӣԽлָṩʽʾз˹ܻѷкϢʾѾҽ˵ģô˷ʽֱ۵Ĳ쿴ҽӵĺʹáʾHOOK,˹ܻѾҽӵĺгָѡ˹ܿɻָѡĺ

SHADOW
    SHADOWṩ˶SHADOWϢ쿴޸ģԲ쿴ʲôļĳЩ˹ҽӣԽлָṩʽʾз˹ܻѷкϢʾѾҽ˵ģô˷ʽֱ۵Ĳ쿴ҽӵĺʹáʾHOOK,˹ܻѾҽӵĺгָѡ˹ܿɻָѡĺ

ںģ쿴:
    Բ쿴ںģ顣

Inline Hookɨ裺
    ˰汾ֻNtosxxxx/ntkxxxxɨ裬¸汾ļɨ.˹ܿԲ쿴Ntosxxxx/ntkxxxxϹҽӵInline HookҿԶָ

־
    Ҫ־еݡ

䣺
    ˹ܣԷֹһЩľ͵ó򡣳Ӵ壬ͽڴԼֹԶעֶﵽ䡱Ĺܡ
    ʹ÷Ҫʹô˹ַܿʽҪĳ򡣵һִӽ̹ѡ񡰸߼ѡӱ̡ɡҲѡ񡰴ļӱַ̡һӵļκʱκεطκļֻҪҵĳ״̬ͿԱļļ·ļֻ뷽ʽжϡֻҪ߱ĳֻҪһᱻ˵IEôٸIEᱻעòҪEXPLORERΪһ̾ͿĴϢˣһĵĽ̵ĴϢᱻ޷ĴϢʹԷֹһЩó̹ͨλмؼ¼ڴϢҲ޷̷ʣҲ޷ע̡ĳʲôӳҪڴʹϢ㵱򵯳ѯʿʱԡһΡԶΡȲֻͨδһΡҵĳ˳ǰͨԶΡεĳҲΪвҿԶܱĽ̡


    ˹ҪԱƵġҪԴϢأڴдں˿ռдԼųأҸӳ.
 

ע⣺
޸£
       һЩҳʱ
       ޸һЩСBUGȶ

2008-09-08()
       ²BUGͨļеһЩСBUGע༭һСBUG

2008-10-07()
       ʱڷǷػ

2008-10-11(İ)
       ʱ޷ѡĿ

2008-11-02()
       һЩﲻȶ˲ǿɾļеֱƻļ

2008-11-08()
      ڽ򲻸ԭڰͳARKܷ롣Ĭǲ(ͻʹõmt32.dllɳǳȶ).뿪()ܿڡ򿪡˵ѡ񼴿ɡ
      ޸ڲ쿴̾ʱ2K»ǻ֣һڲ쿴ϵͳ̣XPѾʹáöģ鷽ʽ2ɵ޸˺ĳЩȫ߳ͻɵ޷ϵͳˡScanLibڻָһЩʱҪǰһָֱָָ˱0x68 xxxxxxxxx c3.ģ鲿ֹܺȶԡˡFSD쿴ָܵȸ¡
      ;ѽһʹõĻ˳ʱ˳ѽ˳ҵĳȻгͻѽ汾 0429
       ڲʱ򣬻Ƿǳȶ.

2008-11-09(߰)
      ˳ͽɽרҵĳͻĳЩϳ˳ʱ

2008-11-11(˰)
      ʹáֹЧʹáǿֹû֤
      ־ѹܣڿֵʱԶĳ "+<ֵ>""ǿɱ""ǿɱ","ǿɱ߳"ȹܣǿɱϵκAPIӡ

2008-11-12 (Ű)
       reginfo.sysѾЩݲ˵ʾʽ.
       ģ顰жءܣ˲˼Ŷжءܣʹô˷ʽжأΪ˷ʽжزᴥȫʾȽǿŶǿжءܣʹô˹ܵʱҪע⣬һжģ黹ʾڣΪûдԴҲҪٴжزȻᱻסڴDUMPܡDUMPڴеPEļڴжPEļ򶼿һһDUMPģܣӺֱӷعܣ˹ܿʹһAPIֱӷأҲʵЧ

2008-11-13 (Ű<ر>)
       ҪǶȫܼǿǿȵĵطǿ΢ߡ
       һЩʾʽ֧󻯺Ϸšǿ"ֹ"ǿȣĿǰǿȿֱʹô˷ʽСǿģϢһЩģ飨ܷ˻ûȫжأʾһöٽģ鷽˷ʽȽϰȫǶںؽṹ޸ĲȻöٳҴ˷ʽöٲᱻȫءļ޷ʾUSB豸ģ鴰ģҴ嵱ûģʾʱҼ.FSDܲ˵ʾ⣬Shadowܲ˵ʾ
       ӡļ쿴/޸ܣӡ쿴/ɾܣӡӳٳ֡༭ܡ

2008-11-18£
       360°޷^_^,ͼkv2009ʱ
       ʽĬ˳ жйѾжˣҷģֻΪ˳ȶƣµİ汾Ҫµ£ԭ汾ѡ񡰴򿪡˵ġ˳жȻ滻ʵ

2008-11-19£
       ɾаȫȨļʱ˳ڿֶرյ˳
       ڸһЩļʧܵ

2009-01-09£
	öļķʽӰȫ٣Ҳǰ汾ڻȡsystem32Ŀ¼ļʱЩͼ޷ʾ(ļȽ϶ʱ).ͬʱ޷ɾһЩʹ..\ļбļĿ¼.

2009-02-14£
	ȫ˴ɨ㷨ٶȸȷĳЩAMD˫˻ʹ"Scan"˳ڲһЩСBUGring3ӵInline Hook	ʽ,EAT,IATɨԼںEATɨɨ轫ʽӣʱ滻VCʱ԰ˡָ̺ģɨ貢ҶѾ޸(Hook)ĺлԭ

2009-02-21£
	ȫǿ˹ɨĹܣû㵽ڿⷽɨӦεAPI HOOKԴӽģɨģӦӦòEAT,IAT,InlineHook,ҲԴںģɨEAT,IAT,InlineHookҲԴSSDT,SHADOW,FSDȵطɨ裬ҲԶַʼɨȵȡ˴زԷ쿴ͲһЩܰȫĴ塣

2009-02-28£
	˽̹ܿݲ˵ʾȥǰʾʽԴġļ˵ҵáý漴ɸǰֽбʾʽģ߳Ҳơˡֹֹֹ̡̡߳ļСܣʽȫֹ֧дǿ˱书ܣʹ֮ǰ汾ֹܷAppInit_DllsעǷǳΣյģѾɹ⡣ҿԷĵʹġ䡱ܡ

ĿǰڷֵBUG
       mt32.dllµЩȼʧЧĿǰwin+e
       mt32.dllµĲҵĳл뷨
       mt32.dllµʱܵг
       ûʱڡ 