ТС, а в чём кайф от использования натив апи? Или мы все здесь какие-то тупые, или ты мазохист. =)
-
XSS.stack #1 – первый литературный журнал от юзеров форума
Аналог SetFilePointerEx в Nt\Zw
- Автор темы MegadethProj
- Дата начала
А если все похукано в ядре зачем ав хукают ntdll? работать снтдлл "почти" нонсенс.. а вот сисколлы обойдут хотябы хуки нтдлл.
вот вам немножечко лога PC HUNTER хуки аваста
inline - len(5) ntdll.dll->NtClose - 0x00007FFBC07652A0->_
inline - len(5) ntdll.dll->NtCreateFile - 0x00007FFBC0765B60->_
inline - len(5) ntdll.dll->NtOpenProcess - 0x00007FFBC0765580->_
inline - len(5) ntdll.dll->NtWriteVirtualMemory - 0x00007FFBC0765800->_
inline - len(5) ntdll.dll->NtAdjustPrivilegesToken - 0x00007FFBC07658E0->_
inline - len(5) ntdll.dll->NtCreateProcess - 0x00007FFBC0766670->_
inline - len(5) ntdll.dll->NtCreateProcessEx - 0x00007FFBC0765A60->_
inline - len(5) ntdll.dll->NtCreateThread - 0x00007FFBC0765A80->_
inline - len(5) ntdll.dll->NtCreateThreadEx - 0x00007FFBC0766730->_
inline - len(5) ntdll.dll->NtCreateUserProcess - 0x00007FFBC0766810->_
inline - len(5) ntdll.dll->NtDuplicateObject - 0x00007FFBC0765840->_
inline - len(5) ntdll.dll->NtMapViewOfSection - 0x00007FFBC07655C0->_
inline - len(5) ntdll.dll->NtQueueApcThread - 0x00007FFBC0765960->_
inline - len(5) ntdll.dll->NtSetContextThread - 0x00007FFBC0767EF0->_
inline - len(5) ntdll.dll->NtTerminateProcess - 0x00007FFBC0765640->_
inline - len(5) ntdll.dll->RtlAllocateHeap - 0x00007FFBC06E55D0->_
inline - len(5) ntdll.dll->ZwAdjustPrivilegesToken - 0x00007FFBC07658E0->_
inline - len(5) ntdll.dll->ZwClose - 0x00007FFBC07652A0->_
inline - len(5) ntdll.dll->ZwCreateFile - 0x00007FFBC0765B60->_
inline - len(5) ntdll.dll->ZwCreateProcess - 0x00007FFBC0766670->_
inline - len(5) ntdll.dll->ZwCreateProcessEx - 0x00007FFBC0765A60->_
inline - len(5) ntdll.dll->ZwCreateThread - 0x00007FFBC0765A80->_
inline - len(5) ntdll.dll->ZwCreateThreadEx - 0x00007FFBC0766730->_
inline - len(5) ntdll.dll->ZwCreateUserProcess - 0x00007FFBC0766810->_
inline - len(5) ntdll.dll->ZwDuplicateObject - 0x00007FFBC0765840->_
inline - len(5) ntdll.dll->ZwMapViewOfSection - 0x00007FFBC07655C0->_
inline - len(5) ntdll.dll->ZwOpenProcess - 0x00007FFBC0765580->_
inline - len(5) ntdll.dll->ZwQueueApcThread - 0x00007FFBC0765960->_
inline - len(5) ntdll.dll->ZwSetContextThread - 0x00007FFBC0767EF0->_
inline - len(5) ntdll.dll->ZwTerminateProcess - 0x00007FFBC0765640->_
inline - len(5) ntdll.dll->ZwWriteVirtualMemory - 0x00007FFBC0765800->_
inline - len(5) KERNEL32.DLL->CreateFileMappingA - 0x00007FFBC0631810->_
inline - len(5) KERNEL32.DLL->CreateFileMappingNumaA - 0x00007FFBC0650C70->_
inline - len(5) KERNEL32.DLL->CreateToolhelp32Snapshot - 0x00007FFBC063E800->_
inline - len(5) KERNEL32.DLL->DefineDosDeviceA - 0x00007FFBC06502B0->_
inline - len(5) KERNEL32.DLL->MoveFileExA - 0x00007FFBC0651390->_
inline - len(5) KERNEL32.DLL->MoveFileWithProgressA - 0x00007FFBC0651490->_
inline - len(5) KERNEL32.DLL->Process32NextW - 0x00007FFBC0631040->_
inline - len(5) KERNELBASE.dll->CloseHandle - 0x00007FFBBCEAC440->_
inline - len(5) KERNELBASE.dll->CreateFileMappingNumaW - 0x00007FFBBCEAAFA0->_
inline - len(5) KERNELBASE.dll->CreateFileMappingW - 0x00007FFBBCEA9C50->_
inline - len(4) KERNELBASE.dll->CreateProcessA - 0x00007FFBBCECCA00->_
inline - len(5) KERNELBASE.dll->CreateProcessInternalA - 0x00007FFBBCECCA80->_
inline - len(5) KERNELBASE.dll->CreateProcessInternalW - 0x00007FFBBCECD060->_
inline - len(4) KERNELBASE.dll->CreateProcessW - 0x00007FFBBCECC980->_
inline - len(4) KERNELBASE.dll->CreateRemoteThread - 0x00007FFBBCF55340->_
inline - len(5) KERNELBASE.dll->CreateRemoteThreadEx - 0x00007FFBBCEB2810->_
inline - len(5) KERNELBASE.dll->DefineDosDeviceW - 0x00007FFBBCF00900->_
inline - len(5) KERNELBASE.dll->DeleteFileW - 0x00007FFBBCED4B30->_
inline - len(5) KERNELBASE.dll->DuplicateHandle - 0x00007FFBBCEBD5A0->_
inline - len(5) KERNELBASE.dll->GetProcAddress - 0x00007FFBBCEC8160->_
inline - len(5) KERNELBASE.dll->LoadLibraryA - 0x00007FFBBCEEFA70->_
inline - len(5) KERNELBASE.dll->LoadLibraryW - 0x00007FFBBCEF9460->_
inline - len(5) KERNELBASE.dll->MapViewOfFile - 0x00007FFBBCEE40C0->_
inline - len(4) KERNELBASE.dll->MapViewOfFileEx - 0x00007FFBBCEE7920->_
inline - len(5) KERNELBASE.dll->MapViewOfFileExNuma - 0x00007FFBBCEE7950->_
inline - len(5) KERNELBASE.dll->MoveFileExW - 0x00007FFBBCED3C70->_
inline - len(5) KERNELBASE.dll->MoveFileWithProgressW - 0x00007FFBBCED3CA0->_
inline - len(4) KERNELBASE.dll->OpenThread - 0x00007FFBBCEAABC0->_
inline - len(5) KERNELBASE.dll->SetEnvironmentVariableA - 0x00007FFBBCEEA770->_
inline - len(5) KERNELBASE.dll->SetEnvironmentVariableW - 0x00007FFBBCEEA3F0->_
inline - len(5) USER32.dll->SetWindowsHookExA - 0x00007FFBC02328E0->_
inline - len(5) USER32.dll->SetWindowsHookExW - 0x00007FFBC0256030->_
inline - len(5) USER32.dll->UserClientDllInitialize - 0x00007FFBC023A8D0->_
inline - len(5) ADVAPI32.dll->CryptAcquireContextA - 0x00007FFBC0417E00->_
inline - len(5) ADVAPI32.dll->CryptAcquireContextW - 0x00007FFBC0417CF0->_
inline - len(5) ADVAPI32.dll->CryptCreateHash - 0x00007FFBC0417190->_
inline - len(5) ADVAPI32.dll->CryptExportKey - 0x00007FFBC0416FE0->_
inline - len(5) ADVAPI32.dll->CryptGetHashParam - 0x00007FFBC0416650->_
inline - len(5) ADVAPI32.dll->CryptHashData - 0x00007FFBC0417330->_
inline - len(5) ADVAPI32.dll->CryptImportKey - 0x00007FFBC0416FD0->_
inline - len(5) ADVAPI32.dll - 0x00007FFBC04158D0->_
...
Хром тоже делал/делает хуки в нтдлл.
вот вам немножечко лога PC HUNTER хуки аваста
inline - len(5) ntdll.dll->NtClose - 0x00007FFBC07652A0->_
inline - len(5) ntdll.dll->NtCreateFile - 0x00007FFBC0765B60->_
inline - len(5) ntdll.dll->NtOpenProcess - 0x00007FFBC0765580->_
inline - len(5) ntdll.dll->NtWriteVirtualMemory - 0x00007FFBC0765800->_
inline - len(5) ntdll.dll->NtAdjustPrivilegesToken - 0x00007FFBC07658E0->_
inline - len(5) ntdll.dll->NtCreateProcess - 0x00007FFBC0766670->_
inline - len(5) ntdll.dll->NtCreateProcessEx - 0x00007FFBC0765A60->_
inline - len(5) ntdll.dll->NtCreateThread - 0x00007FFBC0765A80->_
inline - len(5) ntdll.dll->NtCreateThreadEx - 0x00007FFBC0766730->_
inline - len(5) ntdll.dll->NtCreateUserProcess - 0x00007FFBC0766810->_
inline - len(5) ntdll.dll->NtDuplicateObject - 0x00007FFBC0765840->_
inline - len(5) ntdll.dll->NtMapViewOfSection - 0x00007FFBC07655C0->_
inline - len(5) ntdll.dll->NtQueueApcThread - 0x00007FFBC0765960->_
inline - len(5) ntdll.dll->NtSetContextThread - 0x00007FFBC0767EF0->_
inline - len(5) ntdll.dll->NtTerminateProcess - 0x00007FFBC0765640->_
inline - len(5) ntdll.dll->RtlAllocateHeap - 0x00007FFBC06E55D0->_
inline - len(5) ntdll.dll->ZwAdjustPrivilegesToken - 0x00007FFBC07658E0->_
inline - len(5) ntdll.dll->ZwClose - 0x00007FFBC07652A0->_
inline - len(5) ntdll.dll->ZwCreateFile - 0x00007FFBC0765B60->_
inline - len(5) ntdll.dll->ZwCreateProcess - 0x00007FFBC0766670->_
inline - len(5) ntdll.dll->ZwCreateProcessEx - 0x00007FFBC0765A60->_
inline - len(5) ntdll.dll->ZwCreateThread - 0x00007FFBC0765A80->_
inline - len(5) ntdll.dll->ZwCreateThreadEx - 0x00007FFBC0766730->_
inline - len(5) ntdll.dll->ZwCreateUserProcess - 0x00007FFBC0766810->_
inline - len(5) ntdll.dll->ZwDuplicateObject - 0x00007FFBC0765840->_
inline - len(5) ntdll.dll->ZwMapViewOfSection - 0x00007FFBC07655C0->_
inline - len(5) ntdll.dll->ZwOpenProcess - 0x00007FFBC0765580->_
inline - len(5) ntdll.dll->ZwQueueApcThread - 0x00007FFBC0765960->_
inline - len(5) ntdll.dll->ZwSetContextThread - 0x00007FFBC0767EF0->_
inline - len(5) ntdll.dll->ZwTerminateProcess - 0x00007FFBC0765640->_
inline - len(5) ntdll.dll->ZwWriteVirtualMemory - 0x00007FFBC0765800->_
inline - len(5) KERNEL32.DLL->CreateFileMappingA - 0x00007FFBC0631810->_
inline - len(5) KERNEL32.DLL->CreateFileMappingNumaA - 0x00007FFBC0650C70->_
inline - len(5) KERNEL32.DLL->CreateToolhelp32Snapshot - 0x00007FFBC063E800->_
inline - len(5) KERNEL32.DLL->DefineDosDeviceA - 0x00007FFBC06502B0->_
inline - len(5) KERNEL32.DLL->MoveFileExA - 0x00007FFBC0651390->_
inline - len(5) KERNEL32.DLL->MoveFileWithProgressA - 0x00007FFBC0651490->_
inline - len(5) KERNEL32.DLL->Process32NextW - 0x00007FFBC0631040->_
inline - len(5) KERNELBASE.dll->CloseHandle - 0x00007FFBBCEAC440->_
inline - len(5) KERNELBASE.dll->CreateFileMappingNumaW - 0x00007FFBBCEAAFA0->_
inline - len(5) KERNELBASE.dll->CreateFileMappingW - 0x00007FFBBCEA9C50->_
inline - len(4) KERNELBASE.dll->CreateProcessA - 0x00007FFBBCECCA00->_
inline - len(5) KERNELBASE.dll->CreateProcessInternalA - 0x00007FFBBCECCA80->_
inline - len(5) KERNELBASE.dll->CreateProcessInternalW - 0x00007FFBBCECD060->_
inline - len(4) KERNELBASE.dll->CreateProcessW - 0x00007FFBBCECC980->_
inline - len(4) KERNELBASE.dll->CreateRemoteThread - 0x00007FFBBCF55340->_
inline - len(5) KERNELBASE.dll->CreateRemoteThreadEx - 0x00007FFBBCEB2810->_
inline - len(5) KERNELBASE.dll->DefineDosDeviceW - 0x00007FFBBCF00900->_
inline - len(5) KERNELBASE.dll->DeleteFileW - 0x00007FFBBCED4B30->_
inline - len(5) KERNELBASE.dll->DuplicateHandle - 0x00007FFBBCEBD5A0->_
inline - len(5) KERNELBASE.dll->GetProcAddress - 0x00007FFBBCEC8160->_
inline - len(5) KERNELBASE.dll->LoadLibraryA - 0x00007FFBBCEEFA70->_
inline - len(5) KERNELBASE.dll->LoadLibraryW - 0x00007FFBBCEF9460->_
inline - len(5) KERNELBASE.dll->MapViewOfFile - 0x00007FFBBCEE40C0->_
inline - len(4) KERNELBASE.dll->MapViewOfFileEx - 0x00007FFBBCEE7920->_
inline - len(5) KERNELBASE.dll->MapViewOfFileExNuma - 0x00007FFBBCEE7950->_
inline - len(5) KERNELBASE.dll->MoveFileExW - 0x00007FFBBCED3C70->_
inline - len(5) KERNELBASE.dll->MoveFileWithProgressW - 0x00007FFBBCED3CA0->_
inline - len(4) KERNELBASE.dll->OpenThread - 0x00007FFBBCEAABC0->_
inline - len(5) KERNELBASE.dll->SetEnvironmentVariableA - 0x00007FFBBCEEA770->_
inline - len(5) KERNELBASE.dll->SetEnvironmentVariableW - 0x00007FFBBCEEA3F0->_
inline - len(5) USER32.dll->SetWindowsHookExA - 0x00007FFBC02328E0->_
inline - len(5) USER32.dll->SetWindowsHookExW - 0x00007FFBC0256030->_
inline - len(5) USER32.dll->UserClientDllInitialize - 0x00007FFBC023A8D0->_
inline - len(5) ADVAPI32.dll->CryptAcquireContextA - 0x00007FFBC0417E00->_
inline - len(5) ADVAPI32.dll->CryptAcquireContextW - 0x00007FFBC0417CF0->_
inline - len(5) ADVAPI32.dll->CryptCreateHash - 0x00007FFBC0417190->_
inline - len(5) ADVAPI32.dll->CryptExportKey - 0x00007FFBC0416FE0->_
inline - len(5) ADVAPI32.dll->CryptGetHashParam - 0x00007FFBC0416650->_
inline - len(5) ADVAPI32.dll->CryptHashData - 0x00007FFBC0417330->_
inline - len(5) ADVAPI32.dll->CryptImportKey - 0x00007FFBC0416FD0->_
inline - len(5) ADVAPI32.dll - 0x00007FFBC04158D0->_
...
Хром тоже делал/делает хуки в нтдлл.
Последнее редактирование:
Нет там хуков. Гипервизоры слишком дорогие и тормозят систему, только у нескольких аверов используется эта технология. В юм тоже не все аверы хуки ставят. Сейчас эра фильтров/минифильтров.Что за бред? Всё похукано в ядре. Аверам побоку, что ты там используешь.
Ну это понятно. Я к тому, что большинство антивирусов просто не одобрят эту " магию ", на дворе 2019 год. Не совсем верно выразился, я имел ввиду отслеживание вызовов функций, а не конкретно хуки.Нет там хуков. Гипервизоры слишком дорогие и тормозят систему, только у нескольких аверов используется эта технология. В юм тоже не все аверы хуки ставят. Сейчас эра фильтров/минифильтров.