FU_Rootkit 隐藏进程的源代码

论坛上好象没有,发出来分享分享
inf文件可以用sfilter的来改改

呵呵，不错呀....
     

1. 所谓的隐藏有点玄乎！
2. FUto RootKit都已经出来了，楼主发的应该是第一代。

可能是比较老的版本拉,版主有新的版本发一个上来,
不过这个软件好象被不少杀毒软件盯上了,会被杀毒软件干掉
这个用IceSword可以看到的.只是在任务列表中藏起来.

也不想真正藏起来,只是不想让一般的客户看到,这样可以减少不少的不必要的麻烦

 

引用第2楼devia于2007-05-16 12:48发表的  :
1. 所谓的隐藏有点玄乎！
2. FUto RootKit都已经出来了，楼主发的应该是第一代。

再发一个,这个加强版还是能被卡巴6给当成病毒
///////////////////////////////////////////////////////////////////////////////////////
// Filename Rootkit.c
//
// Author: Peter Silberman peter.silberman@gmail.com
//         C.H.A.O.S.      unknown
//
// Description: This is the main rootkit code. It builds upon Fuzen's FU rootkit, but it
//              goes quite a bit further. FUTo removes pointers from the CSRSS.EXE
//              process that was a tip off to the hidden processes. It also unhooks the
//              the hidden process from the linked list of handle tables. In the past,
//              F-Secure Blacklight used the linked handle table list to locate hidden
//              processes. Also new to FUTo is a DKOM trick to the PspCidTable. The
//              PspCidTable contains the addresses of all the EPROCESS and ETHREAD
//              objects. By exhaustively calling OpenProcess on all the possible PIDs
//              a rootkit detector could find the hidden processes. By modifying the
//              PspCidTable, FUTo does not fall victim to this detection method.
//
// Date:    12/25/2005
// Version: 3.0
//
// Notes:       FUTo's hidden processes may not be able to properly create child processes.
//              If this is the case, simply modify the unlinking of the handle table list.
//              Also, FUTo has to add the hidden entries to the PspCidTable before the
//              hidden process is destroyed. Otherwise, the system will bluescreen. If
//              this leads to detection, we have other means to keep the system alive.
//
//
// Old header...
// Author: fuzen_op
// Email:  fuzen_op@yahoo.com or fuzen_op@rootkit.com
//
// Description: This driver does all the work of fu.exe. The driver is never unloaded
//              until reboot. You can use whatever methods you like to load the driver
//                such as SystemLoadAndCallImage suggested by Greg Hoglund. The driver
//              is named msdirectx.sys. It is a play on Microsoft's DirectX and is named
//              this to help hide it. (A future tool will hide it completely!) The
//              driver can change the groups and privileges on any process. It can also
//              hide a process. Another feature is it can impersonate another logon
//              session so that Windows Auditing etc. does not know what user really
//              performed the actions you choose to take with the process. It does all
//              this by Direct Kernel Object Manipulation (TM). No worries about do I have
//              permission to that process, token, etc. If you can load a driver once,
//              you are golden! NOW IT HIDES DRIVERS TOO!
//
// Date:    5/27/2003
// Version: 2.0
//
// Date     7/04/2003   Fixed a problem with a modified token not being inheritable.
//           12/04/2003   Fixed problem with faking out the Windows Event Viewer.    
//                        Cleaned up the code a lot!
//           12/05/2003   Now the driver walks the PsLoadedModuleList and removes references
//                      to the device being hidden. Even after the device is hidden, a user
//                        land process can open a handle to it if its symbolic link name still
//                        exists. Obviously, a stealth driver would not want to create a or it
//                        could delete the symbolic link once it has initialized through the use
//                        of an IOCTL.  

还是放弃隐藏进程了,Rootkit 和Anti-Rootkit 不知何时了,还是从软件设计逻辑上来做防kill process才是正道

无休止的隐藏、反隐藏，俺是没兴趣了，窥视OS、拿来研究倒是不错！

就事论事，谢谢共享