Index
> Windows > DETOUR, HOOK, DLL imports change and any code INTERCEPTION!Goto page 1, 2, 3 Next |
| Author |
|
I've just started to learning more about the detouring method, hooking (in user mode) and any-type of code execution interception.
|
windwakr 31 Oct 2008, 18:11
You should post this in windows forum, this forum is for making an OS
|
|||
31 Oct 2008, 18:11 |
|
|
Pirata Derek 31 Oct 2008, 18:14
Sorry, i've just registed about 17 minutes ago... OK
|
|||
|
31 Oct 2008, 18:14 |
|
|
windwakr 31 Oct 2008, 18:14
But while we're here, is THIS what you want?
|
|||
|
31 Oct 2008, 18:14 |
|
|
Pirata Derek 31 Oct 2008, 18:24
No, thanks, i've tryed this program. this is a USER MODE DEBUGGER
i need a FREWARE KERNEL MODE DEBUGGER, like SYSER or RASTA RING 0 DEBUGGER. |
|||
|
31 Oct 2008, 18:24 |
|
|
Pirata Derek 31 Oct 2008, 18:28
I use IDA Pro disassembler for debuggin any type of programs but it cant trace over the SYSENTER instruction, entering the system gate.
( You can find the SYSENTER into the NTDLL.DLL at the export: KiFastSystemCall ) only a Kernel debugger can let you see the code into the system area. |
|||
|
31 Oct 2008, 18:28 |
|
|
Pirata Derek 31 Oct 2008, 18:30
Cause i've created a library that remove all kind of firewall or anti-virus DETOUR (intercepting), but did it in user mode.
|
|||
|
31 Oct 2008, 18:30 |
|
|
LocoDelAssembly 31 Oct 2008, 18:34
But you can use it as a kernel-mode debugger: http://board.flatassembler.net/topic.php?t=9169
|
|||
|
31 Oct 2008, 18:34 |
|
|
windwakr 31 Oct 2008, 18:34
Quote: Debugging Tools for Windows is a set of extensible tools for debugging device drivers for the Microsoft Windows family of operating systems. Debugging Tools for Windows supports debugging of: |
|||
|
31 Oct 2008, 18:34 |
|
|
asmcoder 31 Oct 2008, 20:35
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:55; edited 1 time in total |
|||
|
31 Oct 2008, 20:35 |
|
|
vid 01 Nov 2008, 02:25
Quote: yes im dumb, i dont understand many things, like HOW TO USE that thing @up Well... I am the last one to speak here, 'cause I am lazy myself to learn it properly, but... how about just going through the manual? I believe that would teach you much more than you need. |
|||
|
01 Nov 2008, 02:25 |
|
|
Pirata Derek 03 Nov 2008, 09:55
I've resolved my problem! tanks you all.
Now i'll make my personal DETOUR REMOVER like a DRIVER in kernel mode! (MORE STRONGER!) |
|||
|
03 Nov 2008, 09:55 |
|
|
Pirata Derek 03 Nov 2008, 12:06
Who knows why when i overwrite the original NTDLL.DLL with my NTDLL.DLL modifyed (the code debugged work well, there is no error or bug) the system restart?
There is a CHECKSUM control, or what? Last edited by Pirata Derek on 03 Nov 2008, 12:17; edited 3 times in total |
|||
|
03 Nov 2008, 12:06 |
|
|
Pirata Derek 03 Nov 2008, 12:08
I modify only the original KiFastSystemCall function:
KiFastSystemCall: MOV EDX,ESP SYSENTER NOP NOP NOP ....... KiFastSystemCallRet: RET |
|||
|
03 Nov 2008, 12:08 |
|
|
Pirata Derek 03 Nov 2008, 12:09
.....(CORRECTION) The SYSTEM RESTART AUTOMATICALLY AFTER A FEW SECONDS OF CORRECT STARTING..........
|
|||
|
03 Nov 2008, 12:09 |
|
|
Pirata Derek 03 Nov 2008, 12:13
The modifyed function is:
KiFastSystemCall: CALL ....... ----> Somewhere i want to jump for control MOV EDX;ESP SYSENTER NOP KiFastSystemCallRet: RET |
|||
|
03 Nov 2008, 12:13 |
|
|
Pirata Derek 03 Nov 2008, 12:20
Is the same with this change:
KiFastSystemCall: __Hooked: PUSHD ....... -----> Somewhere i want RET __Return from hook: MOV EDX;ESP SYSENTER KiFastSystemCallRet: RET |
|||
|
03 Nov 2008, 12:20 |
|
|
Pirata Derek 03 Nov 2008, 12:36
I need this code work because my little TEST PROGRAM must try to remove (in USER MODE) my DRIVER HOOK (in kernel mode)
If the TEST PROGRAM wins (i think NO), i should make another better driver hook, and also RE-verify if work! |
|||
|
03 Nov 2008, 12:36 |
|
|
revolution 03 Nov 2008, 12:37
Hey Pirata Derek, how about using the edit function if you want to update your posting. This board is not a blog.
|
|||
|
03 Nov 2008, 12:37 |
|
|
Pirata Derek 03 Nov 2008, 13:30
Please, let me get more confidence with theese boards! I'm not registred from so looong time like you, no?
|
|||
|
03 Nov 2008, 13:30 |
|
| Goto page 1, 2, 3 Next < Last Thread | Next Thread > |
Forum Rules:
|