以博会友http://feed.cnblogs.com/blog/u/30485/rss2010-03-29T16:04:32Zithurricanehttp://www.cnblogs.com/ithurricane/CNBlogs BlogServerhttp://www.cnblogs.com/ithurricane/archive/2010/03/30/1700164.html

可以删除金山/超级巡警/Unlocker1.8.9无法删除的文件

2010-03-29T16:05:00Z2010-03-29T16:05:00Zithurricanehttp://www.cnblogs.com/ithurricane/<p>C:/zip.txt我特意保护住的文件，<br />用金山/超级巡警/Unlocker1.8.9无法粉碎，</p> <p>有图有真相：</p> <p></p> <p><img border="0" alt="" src="http://images.cnblogs.com/cnblogs_com/ithurricane/re2.jpg" width="735" height="550" /></p> <p></p> <p><img border="0" alt="" src="http://images.cnblogs.com/cnblogs_com/ithurricane/re3.JPG" width="492" height="374" /></p> <p></p> <p><img border="0" alt="" src="http://images.cnblogs.com/cnblogs_com/ithurricane/p2.jpg" width="743" height="752" /></p> <p></p> <p>用我写的PowerTool可以轻松的粉碎这个文件</p> <p>顺带一下下载地址：</p> <p><a href="http://files.cnblogs.com/ithurricane/PowerToolV1.3_%e4%bf%ae%e6%ad%a3%e7%89%88.zip" target="_blank">http://files.cnblogs.com/ithurricane/PowerToolV1.3_%e4%bf%ae%e6%ad%a3%e7%89%88.zip</a></p><img src="http://www.cnblogs.com/ithurricane/aggbug/1700164.html?type=1" width="1" height="1" alt=""/><p><a href="http://www.cnblogs.com/ithurricane/archive/2010/03/30/1700164.html" target="_blank">本文链接</a></p>http://www.cnblogs.com/ithurricane/archive/2010/03/25/1695345.html

外国大牛都不得不关注XueTr的大名

2010-03-25T07:28:00Z2010-03-25T07:28:00Zithurricanehttp://www.cnblogs.com/ithurricane/<span style="font-family: 宋体, verdana, geneva, lucida, 'lucida grande', arial, helvetica, sans-serif; line-height: 19px; font-size: 12px; color: #13253c; ">看来很多老外也在使用XueTr这个工具啊，<br />不知道有没有给他们带来惊讶的感觉。。。<br /><br />这里是文章的源地址：<br />Killing&nbsp;XueTr&nbsp;from&nbsp;User&nbsp;Mode&nbsp;(oXueTb&nbsp;Poc)<br /><br />http://forum.sysinternals.com/topic22240_post117287.html<br /><br />老外最后还来了一句总结性的发言：<br /><strong><font color="Blue">I&nbsp;suggest&nbsp;antirootkit&nbsp;author&nbsp;stop&nbsp;using&nbsp;that&nbsp;sh1t&nbsp;and&nbsp;remove&nbsp;most&nbsp;of&nbsp;this&nbsp;useless&nbsp;hooks.&nbsp;This&nbsp;will&nbsp;dramatically&nbsp;improve&nbsp;stability&nbsp;and&nbsp;usability&nbsp;of&nbsp;your&nbsp;tool.</font></strong><br /><br /><br />代码是delphi的，MS流程是，<br />先把打开Xuetr进程和结束进程逻辑写在DLL里面，<br />然后把这个DLL的二进制数据，写成数组定义在主程序中，<br />主程序在内存中动态的加载这个DLL，然后Inject到Csrss里面，<br />打开XueTr进程，用到了<br />ZwQuerySystemInformation(SystemHandleInformation,&nbsp;buf,&nbsp;4194304,&nbsp;@bytesIO);<br />枚举所有句柄的方法，<br />然后用ZwQueryInformationProcess比较pid是否是xueTr的pid，<br />结束进程用<br />DbgUiDebugActiveProcess<br />的方法，关闭进程的句柄<br /><br /><strong>不过不知道为何在内存中动态的加载DLL这么麻烦的方法，<br />还有为什么要Inject到Csrss里面呢？</strong><br />可能是因为XueTr挂了LoadLibraryExW的原因吧。。。<br /><br />最后附带一下Xuetr主要的Hook：<br /><br />RkU&nbsp;Version:&nbsp;5.1.700.2220,&nbsp;Type&nbsp;VX2&nbsp;(VX+)<br />==============================================<br />OS&nbsp;Name:&nbsp;Windows&nbsp;XP<br />Version&nbsp;5.1.2600&nbsp;(Service&nbsp;Pack&nbsp;3)<br />Number&nbsp;of&nbsp;processors&nbsp;#1<br />==============================================<br />&gt;Shadow&nbsp;SSDT<br />==============================================<br />win32k.sys--&gt;NtUserBuildHwndList,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF835F21--&gt;F490E274&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserDestroyWindow,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF845873--&gt;F490E656&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserFindWindowEx,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF8B1369--&gt;F490E356&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserGetForegroundWindow,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF820BC1--&gt;F490E3A0&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserMessageCall,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF80EE6B--&gt;F490E698&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserPostThreadMessage,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF8B3D3D--&gt;F490E4D4&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserQueryWindow,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF803B56--&gt;F490E516&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserSetParent,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF879695--&gt;F490E554&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserSetWindowLong,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF832BEC--&gt;F490E5D2&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserShowWindow,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF834FA9--&gt;F490E614&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />win32k.sys--&gt;NtUserWindowFromPoint,&nbsp;Type:&nbsp;Address&nbsp;Change&nbsp;0xBF8213A9--&gt;F490E592&nbsp;[C:\Documents&nbsp;and&nbsp;Settings\XueTr.sys]<br />==============================================<br />&gt;Hooks<br />==============================================<br />ntoskrnl.exe+0x0009A639,&nbsp;Type:&nbsp;Inline&nbsp;-&nbsp;RelativeCall&nbsp;0x80571639--&gt;F490F30E&nbsp;[XueTr.sys]<br />ntoskrnl.exe+0x0009A903,&nbsp;Type:&nbsp;Inline&nbsp;-&nbsp;RelativeCall&nbsp;0x80571903--&gt;F490F166&nbsp;[XueTr.sys]<br />ntoskrnl.exe+0x000A48C9,&nbsp;Type:&nbsp;Inline&nbsp;-&nbsp;RelativeCall&nbsp;0x8057B8C9--&gt;F490F58A&nbsp;[XueTr.sys]<br />ntoskrnl.exe+0x000AB325,&nbsp;Type:&nbsp;Inline&nbsp;-&nbsp;RelativeCall&nbsp;0x80582325--&gt;F490F58A&nbsp;[XueTr.sys]<br />ntoskrnl.exe+0x000B330F,&nbsp;Type:&nbsp;Inline&nbsp;-&nbsp;RelativeCall&nbsp;0x8058A30F--&gt;F490F166&nbsp;[XueTr.sys]<br />win32k.sys--&gt;NtUserPostMessage,&nbsp;Type:&nbsp;Inline&nbsp;-&nbsp;RelativeJump&nbsp;0xBF8089B4--&gt;F490E3EC&nbsp;[XueTr.sys]<br />[948]XueTr.exe--&gt;kernel32.dll--&gt;LoadLibraryExW,&nbsp;Type:&nbsp;Inline&nbsp;-&nbsp;RelativeJump&nbsp;0x7C801AF5--&gt;00402B20&nbsp;[XueTr.exe]</span><img src="http://www.cnblogs.com/ithurricane/aggbug/1695345.html?type=1" width="1" height="1" alt=""/><p><a href="http://www.cnblogs.com/ithurricane/archive/2010/03/25/1695345.html" target="_blank">本文链接</a></p>http://www.cnblogs.com/ithurricane/archive/2010/03/21/1691125.html

练手之作--简易的进程/文件检测管理工具~~~

2010-03-21T11:53:00Z2010-03-21T11:53:00Zithurricanehttp://www.cnblogs.com/ithurricane/要是实现了 <p>进程的枚举和结束，</p> <p>文件的枚举和技术，</p> <p>用的都是一些，大牛们在远古时代就玩剩下来的技术。。。</p> <p>稍有不同的是增加了文件被占用的情况，</p> <p>不过目前只能对应被进程占用的情况，</p> <p>DLL之类的还未解决。。。</p> <p></p> <p></p> <p><img border="0" alt="" src="http://images.cnblogs.com/cnblogs_com/ithurricane/V1.1.jpg" width="747" height="636" /></p> <p></p> <p><img border="0" alt="" src="http://images.cnblogs.com/cnblogs_com/ithurricane/1.jpg" width="749" height="638" /></p> <p></p> <p><img border="0" alt="" src="http://images.cnblogs.com/cnblogs_com/ithurricane/2.jpg" width="748" height="634" /></p><img src="http://www.cnblogs.com/ithurricane/aggbug/1691125.html?type=1" width="1" height="1" alt=""/><p><a href="http://www.cnblogs.com/ithurricane/archive/2010/03/21/1691125.html" target="_blank">本文链接</a></p>http://www.cnblogs.com/ithurricane/archive/2010/02/19/1669358.html

解决了一个2个 NotificationEvent和用户层交互的问题～～～

2010-02-19T03:51:00Z2010-02-19T03:51:00Zithurricanehttp://www.cnblogs.com/ithurricane/昨天出现了个很郁闷的问题，<br /><br />做的事情，目的是ring0告诉ring3有驱动要加载了，<br />ring3弹出确认框提醒用户是否加载，<br />然 后再把确认结果返回ring0，<br />ring0继续处理加载还是放行<br /><br />之间的通讯用 IoCreateNotificationEvent设置两个系统的Event来完成<br />（因为ring3无法set系统的event，ms比较安 全）<br /><br />不过昨天出现很多奇怪的现象，事件无法同步，我还没点确认框的按钮呢，ring0就继续往下处理了。。。<br /><br />今天试着在 ring0里setevent之前<br />提高IRQL中断级别，MS就解决掉了。。。<br /><br />看来自己还是没有摆脱菜鸟本色，<br />继续努力 了～～～<img src="http://www.cnblogs.com/ithurricane/aggbug/1669358.html?type=1" width="1" height="1" alt=""/><p><a href="http://www.cnblogs.com/ithurricane/archive/2010/02/19/1669358.html" target="_blank">本文链接</a></p>http://www.cnblogs.com/ithurricane/archive/2010/02/15/1668599.html

更新了PETotal，增加了一键加花免杀功能~~~

2010-02-15T09:57:00Z2010-02-15T09:57:00Zithurricanehttp://www.cnblogs.com/ithurricane/<p>原理非常简单，就是为PE文件增加一段空白的Section，</p> <p>然后把自己的shellcode写到section里面，</p> <p>最后修改入口地址，然后跳转回原来的入口地址，</p> <p>就大功告成了~~~</p><p></p><p>下载地址：</p><p><a target="_blank" href="http://files.cnblogs.com/ithurricane/PETotal1.2.zip">http://files.cnblogs.com/ithurricane/PETotal1.2.zip</a></p><p></p> <p><img small="0" src="http://hiphotos.baidu.com/ithurricane/pic/item/ebc7d1cad6ba0db5c817681a.jpg" _fcksavedurl="http://hiphotos.baidu.com/ithurricane/pic/item/ebc7d1cad6ba0db5c817681a.jpg" border="0" alt="" /></p> <p><span><span><img small="0" src="http://hiphotos.baidu.com/ithurricane/pic/item/4ed25dd8474d1b0632fa1ce4.jpg" _fcksavedurl="http://hiphotos.baidu.com/ithurricane/pic/item/4ed25dd8474d1b0632fa1ce4.jpg" border="0" alt="" /><br /> </span></span></p><img src="http://www.cnblogs.com/ithurricane/aggbug/1668599.html?type=1" width="1" height="1" alt=""/><p><a href="http://www.cnblogs.com/ithurricane/archive/2010/02/15/1668599.html" target="_blank">本文链接</a></p>http://www.cnblogs.com/ithurricane/archive/2010/02/10/1667319.html

自己写的一个PE文件分析工具，增加了文件嗅探的功能

2010-02-10T13:34:00Z2010-02-10T13:34:00Zithurricanehttp://www.cnblogs.com/ithurricane/http://www.cnblogs.com/ithurricane/archive/2010/02/04/1663614.html

今天把EasySYS 0.3.2.6稍微修改了一下

2010-02-04T06:19:00Z2010-02-04T06:19:00Zithurricanehttp://www.cnblogs.com/ithurricane/http://www.cnblogs.com/ithurricane/archive/2010/02/03/1663013.html

XX界的用语很多，不过像免杀，养马，养鸡就不提了，说一些自己觉得有意思的用语吧高手叫做大牛（对于我来说都是大牛）学习叫做膜拜（我每天都做的事情）大牛公开某个技术叫做放血（放血光荣啊）附上源代码的叫做有码（对于我这种小菜最喜欢有码的了）有创意的方法叫做猥琐（我什么时候也能WS一把啊）暂时就想到这么多，遇到有什么新的继续补充了~~~

2010-02-03T13:37:00Z2010-02-03T13:37:00Zithurricanehttp://www.cnblogs.com/ithurricane/http://www.cnblogs.com/ithurricane/archive/2010/02/03/1662450.html

安全卫士被恶搞成提权卫士360提权卫士，谁用都说好感谢360提权卫士&#8230;&#8230;非常感谢http://www.rising.com.cn/about/news/rising/2010-02-02/6617.html图片已经被和谐，看不到了~~~看 来瑞星和360的这场口水仗可能越演越烈了，互相爆漏洞，爆技术细节，对于我来说谁对谁错无所谓，能学习到技术细节才是真的，呵 呵～～～

2010-02-03T02:26:00Z2010-02-03T02:26:00Zithurricanehttp://www.cnblogs.com/ithurricane/http://www.cnblogs.com/ithurricane/archive/2010/02/02/1661415.html

保护自己的HOOK

2010-02-01T16:05:00Z2010-02-01T16:05:00Zithurricanehttp://www.cnblogs.com/ithurricane/