Views: 5044 | Replies: 7
Source code of FU_Rootkit's process hiding
Doesn't seem to be on the forum yet, so posting it to share.
The .inf file can be adapted from sfilter's.
Reply #1
Posted on: 2007-05-16 12:10
Heh, not bad....
Reply #2
Posted on: 2007-05-16 12:48
1. The so-called hiding is a bit mysterious!
2. The FUto RootKit is already out; what the OP posted should be the first generation.
Reply #3
Posted on: 2007-05-16 13:20
It's probably a fairly old version; moderator, if you have a newer one please post it.
This software seems to have been flagged by quite a few antivirus products, though, and will get killed by them. This one can be seen with IceSword; it only hides itself from the task list. I don't really want to hide it completely either, just keep ordinary customers from seeing it, which avoids a lot of unnecessary trouble.
Reply #4
Posted on: 2007-05-16 14:04
Quoting reply #2 by devia, posted 2007-05-16 12:48:
Posting another one; this enhanced version still gets flagged as a virus by Kaspersky 6.

///////////////////////////////////////////////////////////////////////////////////////
// Filename Rootkit.c
//
// Author: Peter Silberman peter.silberman@gmail.com
//         C.H.A.O.S. unknown
//
// Description: This is the main rootkit code. It builds upon Fuzen's FU rootkit, but it
//   goes quite a bit further. FUTo removes pointers from the CSRSS.EXE
//   process that was a tip off to the hidden processes. It also unhooks
//   the hidden process from the linked list of handle tables. In the past,
//   F-Secure Blacklight used the linked handle table list to locate hidden
//   processes. Also new to FUTo is a DKOM trick to the PspCidTable. The
//   PspCidTable contains the addresses of all the EPROCESS and ETHREAD
//   objects. By exhaustively calling OpenProcess on all the possible PIDs
//   a rootkit detector could find the hidden processes. By modifying the
//   PspCidTable, FUTo does not fall victim to this detection method.
//
// Date: 12/25/2005
// Version: 3.0
//
// Notes: FUTo's hidden processes may not be able to properly create child processes.
//   If this is the case, simply modify the unlinking of the handle table list.
//   Also, FUTo has to add the hidden entries to the PspCidTable before the
//   hidden process is destroyed. Otherwise, the system will bluescreen. If
//   this leads to detection, we have other means to keep the system alive.
//
//
// Old header...
// Author: fuzen_op
// Email: fuzen_op@yahoo.com or fuzen_op@rootkit.com
//
// Description: This driver does all the work of fu.exe. The driver is never unloaded
//   until reboot. You can use whatever methods you like to load the driver
//   such as SystemLoadAndCallImage suggested by Greg Hoglund. The driver
//   is named msdirectx.sys. It is a play on Microsoft's DirectX and is named
//   this to help hide it. (A future tool will hide it completely!) The
//   driver can change the groups and privileges on any process. It can also
//   hide a process. Another feature is it can impersonate another logon
//   session so that Windows Auditing etc. does not know what user really
//   performed the actions you choose to take with the process. It does all
//   this by Direct Kernel Object Manipulation (TM). No worries about do I have
//   permission to that process, token, etc. If you can load a driver once,
//   you are golden! NOW IT HIDES DRIVERS TOO!
//
// Date: 5/27/2003
// Version: 2.0
//
// Date 7/04/2003 Fixed a problem with a modified token not being inheritable.
//   12/04/2003 Fixed problem with faking out the Windows Event Viewer.
//     Cleaned up the code a lot!
//   12/05/2003 Now the driver walks the PsLoadedModuleList and removes references
//     to the device being hidden. Even after the device is hidden, a user
//     land process can open a handle to it if its symbolic link name still
//     exists. Obviously, a stealth driver would not want to create a or it
//     could delete the symbolic link once it has initialized through the use
//     of an IOCTL.
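The header above names the detection method that worked against the first-generation FU: call OpenProcess on every possible PID and compare with what the normal process list shows. Below is that cross-view check written from the defender's side as an added example; it is not code from this thread or from the FU/FUTo project, and it assumes Windows PowerShell with P/Invoke via Add-Type, the Win32 OpenProcess/CloseHandle signatures, and PIDs that are multiples of 4 below 65536 (the XP-era default; the $MaxPid value is an assumption).

```powershell
# Cross-view check for FU-style hidden processes (added example, not the thread's code).
# Assumptions: Windows PowerShell with P/Invoke via Add-Type; PIDs are multiples of 4 and
# stay below 65536 (XP-era default; raise $MaxPid on newer systems).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

$PROCESS_QUERY_INFORMATION = 0x0400   # just enough to make the kernel look the PID up
$ERROR_ACCESS_DENIED       = 5        # the PID exists but we may not open it: still present
$MaxPid                    = 65532

function Test-PidExists([int]$ProcessId) {
    # OpenProcess resolves the PID through PspCidTable, not the EPROCESS linked list
    # that FU unlinks, so an FU-hidden process still answers here (FUTo patches the
    # table itself, so this probe does not reach it, as the header above says).
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Native]::CloseHandle($h)
        return $true
    }
    return ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED)
}

function Find-HiddenPids {
    # View 1: what the user-mode API reports. View 2: every PID the kernel will resolve.
    $listed  = @(Get-Process | ForEach-Object { $_.Id })
    $suspect = @(for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        if (($listed -notcontains $candidate) -and (Test-PidExists $candidate)) { $candidate }
    })
    # Re-check after a pause: a process that merely started or exited between the two
    # views drops out; a genuinely unlisted one still resolves and is still unlisted.
    Start-Sleep -Milliseconds 500
    $listedAgain = @(Get-Process | ForEach-Object { $_.Id })
    return @($suspect | Where-Object { ($listedAgain -notcontains $_) -and (Test-PidExists $_) })
}

$hidden = Find-HiddenPids
if ($hidden.Count -eq 0) {
    "Every PID that OpenProcess resolves is also listed by Get-Process."
} else {
    $hidden | ForEach-Object { "PID $_ resolves in the kernel but is missing from Get-Process" }
}
```

A clean result only rules out the first-generation unlinking; as the header states, FUTo removes the PspCidTable entries too, so a kernel-level tool such as the IceSword mentioned in reply #3 is still needed for that case.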
Reply #5
Posted on: 2007-05-16 14:19
I've given up on process hiding altogether; the rootkit vs. anti-rootkit race has no end in sight. Building anti-kill protection into the software's own design logic is the right way to go.
Reply #6
Posted on: 2007-05-16 14:48
Endless hiding and anti-hiding; I've lost interest in it. Poking around inside the OS and studying this for research is nice, though!
Reply #7
Posted on: 2007-05-18 12:19
Sticking to the matter at hand: thanks for sharing.