main menu
vault
you must be level 2 to upload files to your vaultdownloads
you must be logged on, and level 1, to access downloadsRootkit Collection
| File | Contributer | Link |
| Hacker Def... | hf | n/a |
| HE4Hook | admin | n/a |
| BASIC CLAS... | hoglund | n/a |
| Vanquish | xshadow | n/a |
| NT Rootkit | hoglund | n/a |
| FU | fuzen_op | n/a |
| WinlogonHi... | JeFFOsZ | n/a |
| klister | joanna | n/a |
| Patchfinde... | joanna | n/a |
| MyNetwork | hoglund | n/a |
| MTDWin | hoglund | n/a |
| NTFSHider | hoglund | n/a |
| VideoCardK... | hoglund | n/a |
| VICE | fuzen_op | n/a |
| Klog | Clandestin... | n/a |
| NtIllusion | Kdm | n/a |
| AFX Rootki... | TheRealAph... | n/a |
| SInAR | vulndev | n/a |
| Shadow Wal... | Clandestin... | n/a |
| BootRootki... | dereksoede... | n/a |
| CHAZ - Nim... | neocrackr | n/a |
| Clandestin... | merlvingia... | n/a |
| FUTo | petersilbe... | n/a |
| Windows Me... | alcapone66... | n/a |
| RAIDE | petersilbe... | n/a |
| BOOT KIT | vipinkumar | n/a |
| BluePill | Joanna and... | n/a |
| DEFRAG | blume1975 | n/a |
| Keyboard H... | chpie | n/a |
| CheatEngin... | DarkByte | n/a |
Detecting Hidden Processes by Hooking the SwapContext Function : message board
| view options: unpacked threads | | old style view | |
 Posted by kimmo
(Rootkit Contributor) [ip info hidden] - Aug 10 2004, 11:54 (UTC+0)
| ||
| Updated to add support for XP SP2 | ||
| I made minor changes and improvements to add better support for Windows XP SP2. If we have to find the SwapContext function by searching through the address space of the ntoskrnl.exe module, we no longer use hardcoded start and end address of the module. We get this information from the PsLoadedModuleList which we can find easily, thanks to Opc0de and Alex Ionescu. -Kimmo | ||
this thread posts:
- Updated to add support for XP SP2
(by kimmo (Rootkit Contributor) Aug 10 2004, 11:54 (UTC+0) )I made minor changes and improvements to add better support for Windows XP SP2. If we have to find the SwapContext function by searching through the address space of the ntoskrnl.exe module, we no longer use hardcoded start and end address of the module. We get this information from the PsLoadedModuleList which we can find easily, thanks to Opc0de and Alex Ionescu.
-Kimmo- Re: Updated to add support for XP SP2
(by fuzen_op (Underboss) Aug 27 2004, 03:42 (UTC+0) )I do not believe Opcode's method will find PsLoadedModuleEntry on 2000. Why don't you just use the generic method that FU uses or call ZwQuerySystemInformation to get the list of loaded modules?
-fuzen- Re: Updated to add support for XP SP2
(by kimmo (Rootkit Contributor) Aug 27 2004, 05:12 (UTC+0) )You are correct. While I was coding I made a decision not to support Windows 2000 (people should use XP or 2003). I was already using some functions that are not supported by W2K, so I thought it would be interesting to test the method discovered by Opcode. After all, I am doing all this just to learn new things :).
I also noticed that the way I interpret the data in the PsLoadedModule list is quite dangerous. It contains _LDR_MODULE structures:
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
I am going to update the code that scans the memory so that it will read the PE data structures of the module to make sure that we only scan sections that contain executable code and that are not discardable. Now, if I scan from the base address to the address given by "base address + length", I will get an access violation while reading the last few bytes of the module. My theory is that the discardable sections are placed at the end of the PE file and they are no longer present in the memory. Have you seen this behaviour?
-Kimmo
- Re: Updated to add support for XP SP2
- Re: Updated to add support for XP SP2