ايران ويج

Full version: WIN64 Driver Development Basic Tutorial

This article covers the following topics:

Code:
0.Begin
|-Hardware preparation
|-Configure environment of driver development
------------------------------
1.HelloWorld In Kernel-Mode
|-Configure environment of driver testing
|-Compile and load kernel-mode HelloWorld
------------------------------
2.Basic Code
|-Basic rule of WIN64 kernel-mode programming
|-Communication between EXE and SYS
|-Use memory in kernel-mode
|-Use string in kernel-mode
|-File operation in kernel-mode
|-Registry operation in kernel-mode
|-Process/Thread operation in kernel-mode
|-Other common code
------------------------------
3.Kernel-Mode Hook And Unhook
|-SYSCALL,WOW64 and Compatibility Mode
|-Disable WIN7 PatchGuard
|-Structure of System Services Descriptor Table
|-SSDT HOOK and UNHOOK
|-SHADOW SSDT HOOK and UNHOOK
|-INLINE HOOK and UNHOOK
------------------------------
4.Monitor Process Behavior Without Hook
|-Monitor Process/Thread startup and exit
|-Monitor Load module (DLL and SYS)
|-Monitor Registry operation
|-Monitor File operation
|-Monitor Process/Thread handle operation
|-Monitor File access by object notify
|-Monitor Internet access
|-Monitor Time change
------------------------------
5.Some Stuff
|-Use ASM code in driver
|-DKOM hide/protect process
|-Enumerate and hide kernel module
|-Kill process by PspTerminateProcess
|-Read/Write process memory enforcement
|-Enumerate message hook
|-Unlock file
|-Preliminary exploration on PE32+ file
------------------------------
6.User-Mode Hook And Unhook
|-Inject DLL to system process
|-RING3 INLINE HOOK and UNHOOK
|-RING3 EAT HOOK and IAT HOOK
------------------------------
7.Anti Notify And Callback
|-Enumerate and Delete CreateProcess/CreateThread notify
|-Enumerate and Delete LoadImage notify
|-Enumerate and Delete Registry callback
|-Enumerate and Anti MiniFilter
|-Enumerate and Delete Object notify

The only problem with this tutorial is that it is in Chinese, so you will have to use a translator. Optimized for the new version.