Views: 1927 Replies: 14
General methods for hiding drivers and files
Reposted from <www.rootkit.com>
Driver hiding based on the following methods:

1. removing module from PsLoadedModulesList (that bypasses some old rkdetectors)
2. removing object from ObjectDirectory (that bypassed GMER, IceSword and some others)
3. removing module from DriverObjects
4. removing module from DeviceObjects
5. memzero for POBJECT_HEADER (that finally bypasses DarkSpy)
6. fake thread start address (to be sure that antirootkit will not show "unknown thread")
7. using a non-usual wait function to bypass the "Stealth Walker" detection method of our Rootkit Unhooker Antirootkit.

File hiding based on the following methods:

1. We are using NTFS ADS (that bypasses DarkSpy, IceSword automatically)
2. ADS attached to the root directory of disk C: (that automatically bypasses GMER, RootkitRevealer)
3. driver sets itself up as a File System Filter and filters some IRPs like IRP_MJ_READ, IRP_MJ_QUERY_INFORMATION etc. That bypasses all other antirootkits that use RAW reading (BlackLight, Rootkit Unhooker etc.).
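The reposted text above notes that an alternate data stream attached to the root directory of C: slips past several scanners. A defender's first check is simply to enumerate the streams that exist there. The following PowerShell is an added example written for this page; it is not code from the original post or from rootkit.com. It assumes PowerShell 3.0 or later on an NTFS volume; the function name Get-RootAlternateStreams and the default path C:\ are this example's own choices.

```powershell
# Added example (not part of the original post): list NTFS alternate data
# streams on a volume root and on its top-level files and directories.
# Assumptions: Windows, PowerShell 3.0+, NTFS volume. Function name and the
# default path are this example's own, not from the post.
function Get-RootAlternateStreams {
    param(
        [string]$VolumeRoot = 'C:\'
    )

    # The root directory itself plus its immediate children. -Force includes
    # hidden and system entries, which is where oddities tend to sit.
    $targets = @(Get-Item -LiteralPath $VolumeRoot -Force) +
               @(Get-ChildItem -LiteralPath $VolumeRoot -Force -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        # -Stream * enumerates every $DATA stream on the entry. ':$DATA' is the
        # ordinary unnamed stream of a file; anything else is an alternate
        # data stream. Directories normally have no $DATA streams at all, so
        # any stream reported on a directory (the root included) deserves a look.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Length = $s.Length
            }
        }
    }
}

# Usage: report alternate data streams on the root of C: and its top-level entries.
Get-RootAlternateStreams -VolumeRoot 'C:\' | Format-Table -AutoSize
```

Zone.Identifier streams on downloaded files are expected and benign; a named stream on a directory, and especially on the volume root, is not something Windows creates on its own. Note the post's third file-hiding point: a filter driver that intercepts IRP_MJ_READ and IRP_MJ_QUERY_INFORMATION can feed this same enumeration false results on a live system, so a listing taken from a clean boot environment or an offline copy of the volume is the stronger comparison.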
Reply #1
Posted: 2007-02-25 17:22
So DeviceObjects can be used to delete the antirootkit's device object, thereby achieving self-hiding.
Reply #2
Posted: 2007-02-25 19:10
Heh.