Readme: PsNull3 Build 1426

1. Intro

    һ NT ƽ̨µĽ̹,  Windows 2000/XP/2003/Vista

    Ϸʾ˵ǰϵͳдڵĽ, ؽ̻úɫ, ·н̵
ϸϢ, ·Сʱ䡢߳бģб

    ڹ߲˵в鿴 IDT/GDT, 鿴ָ SSDT, Shadow SSDT, inline hook 
ϢӵĹܡ

    ʹʱԵա

2. Tips

    ʹñҪԱȨ (SeDebugPrivilege, SeLoadDriverPrivilege)

    ֻб̽⵽, Ҳ PsActiveProcessList еĽ̲ŻᱻΪɫ, 
ĳЩʹ Ring3 API Hook صĽ̲ʾΪɫ֮Բʹ ToolHelp32 һ
ΪЧʼ (ʹһ CreateToolhelp32Snapshot ʹʱ
仹Ҫ), ڴڴ̵ռñȽϸߵ cpu

    ϶, Զˢ¿ܻռýϸߵ cpu, ļ˵ȡ
Զˢ¡ҪˢµʱʹҼ˵ F5 ɡ

    бĬϲʾѾΪĽ̡еĽΪԼ趨
, ͨѡʾ״̬Ϊ Deleting Ľ̡ǡ

    ұҹ ObReferenceObjectByHandle  NtUserQueryWindow, 벻Ҫ
ҹһͬʹ, пܷԤϵĺ(һҪʹ
, ѭĺ˳ԭ) , ʹ -hide 

    鿴 SSDT / Shadow SSDT бʱ, ͨѡ񡰽ʾҹĺ˵δҹ
, Ҳͨݡҹɡ

    IDT / GDT ַ仯ĵԾж, 

    ɨ Inline Hook ʱ, ͨطļø׼ȷĽǽ°
 dbghelp.dll, symsrv.dll Ƶ PsNull3.exe ڵĿ¼, ɨʱѡʹ
 dbghelp.dll ⲿš, ȷķļ·ʵ֡ʹ
Դ, Ҫ 2MB ҵļ, ʱٶ

    ָ inline hook һΣ, ҪһɨǷȷ, Ϊںݱ
ϴ, пܽݶΪΡһ, ִַʮ
Ҿ˵ɨȷڻָȲΪһе hook ʱ, Ҫ˳:

    (1) 360  KeUserModeCallback
    0x80570163 nt!KeUserModeCallback       5    push 30 ...    jmp b18e9d70   C:\Program Files\360Safebox\SafeBoxKrnl.sys
    0x80570168 nt!KeUserModeCallback + 0x5 1    dec esi        nop            -                                          
    0x80570169 nt!KeUserModeCallback + 0x6 1    sub al, 04 ??? nop            -                                          

     hook , ҪȻָ, ٻָһС

    (2) IL  PspTerminateThreadByPointer
    0x80575f6f nt!PspTerminateThreadByPointer - 0x5 5    nop ...        jmp af3f0fbc   C:\WINDOWS\system32\drivers\ILDriver.sys
    0x80575f74 nt!PspTerminateThreadByPointer       2    mov edi, edi   jmp 80575f6f   C:\WINDOWS\system32\ntoskrnl.exe        

     hook  MS Detour ʵ, ҪȻָһ, һпԲָ

    (3) KV2008  RtlImageNtHeader
    0x8084403a nt!RtlImageNtHeader       1    mov edi, edi ???                      nop            - 
    0x8084403b nt!RtlImageNtHeader + 0x1 1    call dword ptr ss:[ebp-75h] ???       nop            - 
    0x8084403c nt!RtlImageNtHeader + 0x2 1    push ebp                              nop            - 
    0x8084403d nt!RtlImageNtHeader + 0x3 1    mov ebp, esp ???                      nop            - 
    0x8084403e nt!RtlImageNtHeader + 0x4 1    in al, dx                             nop            - 
    0x8084403f nt!RtlImageNtHeader + 0x5 1    push ecx                              nop            - 
    0x80844040 nt!RtlImageNtHeader + 0x6 1    xor eax, eax ???                      nop            - 
    0x80844041 nt!RtlImageNtHeader + 0x7 1    ror byte ptr ss:[ebp+5051fc4d],50 ??? nop            - 
    0x80844042 nt!RtlImageNtHeader + 0x8 1    lea ecx,dword ptr ss:[ebp-04h] ???    nop            - 
    0x80844043 nt!RtlImageNtHeader + 0x9 1    dec ebp                               nop            - 
    0x80844044 nt!RtlImageNtHeader + 0xa 5    cld ...                               jmp 82390370   - 
    0x80844049 nt!RtlImageNtHeader + 0xf 1    jnz 80844053 ???                      nop            - 

    ڳƵʱûпǵ BT  hook, ֻȫѡ, ȻһָȻ
òƵ, Ȼһ BSOD ʡ(ֻϵ, û)

    ҪʹõԱ, ָ ObReferenceObjectByHandle hook ɡ
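    The two hook layouts in cases (1) and (2) above can be told apart mechanically from the bytes around a function entry, and the layout decides how many bytes must be restored as one unit. The following is an added example, not PsNull3's own code; it assumes the caller has already read the bytes (a kernel scanner does that part) and uses a constructed buffer modelled on case (2). The type and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Outcome of inspecting the bytes around one kernel function entry. */
typedef enum { HOOK_NONE, HOOK_JMP_AT_ENTRY, HOOK_DETOUR_HOTPATCH } hook_kind_t;
typedef struct {
    hook_kind_t kind;
    uint32_t target;    /* address control reaches after the hook */
    uint32_t patch_lo;  /* lowest patched address */
    uint32_t patch_len; /* bytes that must be restored together, as one unit */
} hook_report_t;

/* Little-endian rel32 displacement following a jmp opcode. */
static int32_t rd_rel32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* buf: the 5 padding bytes before the function followed by its first bytes;
   func_va: virtual address of the function entry, i.e. of buf[5]. */
hook_report_t inspect_entry(const uint8_t *buf, size_t len, uint32_t func_va) {
    hook_report_t r = { HOOK_NONE, 0, 0, 0 };
    const uint8_t *entry = buf + 5;
    if (len < 10) return r;
    /* Pattern 1 (case 1 above): a 5-byte jmp rel32 written over the entry. */
    if (entry[0] == 0xE9) {
        r.kind = HOOK_JMP_AT_ENTRY;
        r.target = func_va + 5 + (uint32_t)rd_rel32(entry + 1); /* jmp ends at +5 */
        r.patch_lo = func_va; r.patch_len = 5;
        return r;
    }
    /* Pattern 2 (case 2 above, Detours-style hot patch): "mov edi, edi" is replaced
       by "jmp short -5" (EB F9) and a jmp rel32 sits in the 5 padding bytes before
       the entry. The two pieces are one hook: restore all 7 bytes at once. */
    if (entry[0] == 0xEB && entry[1] == 0xF9 && buf[0] == 0xE9) {
        r.kind = HOOK_DETOUR_HOTPATCH;
        r.target = func_va + (uint32_t)rd_rel32(buf + 1); /* that jmp ends at func_va */
        r.patch_lo = func_va - 5; r.patch_len = 7;
        return r;
    }
    return r;
}

/* Constructed sample modelled on case (2): jmp af3f0fbc at 0x80575f6f, then EB F9
   at the entry 0x80575f74 (rel32 = 0xaf3f0fbc - 0x80575f74 = 0x2EE7B048). The
   bytes after EB F9 are filler standing in for the rest of the function. */
const uint8_t sample_detour[] = { 0xE9, 0x48, 0xB0, 0xE7, 0x2E,
                                  0xEB, 0xF9, 0x55, 0x8B, 0xEC, 0x53 };
#define SAMPLE_FUNC_VA 0x80575f74u
```

    Case (3) above, where the jmp sits at +0xa rather than at the entry, is outside what this function recognises; a scanner has to compare the whole prologue against the image on disk, which is what the dbghelp.dll symbol option exists for.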

3. Special Thanks

    лڹڶԻ, ˳ո˲ RP ֵ

4. Contact me

    ʹʱ bug 뼰ʱϵFeel free to talk!

    MSN / Email: icediy -at- hotmail.com
    QQ:          41785691
    Blog:        hi.baidu.com/iceboy_

                                                       iceboy @ 2008.11.9