OpenProcess and the PSPCIDTABLE (by st00ner):
Ever wonder how rootkit detectors work?
Take, for instance, BlackLight (Uninformed.org).
It calls OpenProcess on every PID from 0x0004 to 0x41DC (Uninformed.org) and records each PID for which it gets a handle back. Because the PIDs it finds this way can be compared against what the normal process-listing APIs report, a process hidden from those APIs shows up as a discrepancy. But beware: other software (nProtect, HackShield, XTrap) can hook OpenProcess, and most now do it in the kernel, so you must write a driver to undo those hooks. OpenProcess resolves a PID through the PspCidTable, so if a process has been removed from the PspCidTable this method will not find it at all (Uninformed.org).
mov eax, 4                          ; PIDs are multiples of 4, so start at 4
.while eax <= 41DCh                 ; upper bound used by BlackLight
    push eax                        ; save the PID: invoke clobbers eax
    invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, eax
    .if eax != 0                    ; got a handle, so this PID exists
        invoke CloseHandle, eax     ; don't leak the handle
        mov eax, [esp]              ; reload the saved PID for logging
        call AddPid
    .endif
    pop eax
    add eax, 4                      ; next candidate PID
.endw
jmp Done                            ; skip over the subroutine body
AddPid:
    ; eax = PID that OpenProcess accepted; log it here
    ret
Done:
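The sweep above, rewritten as an added example in Python (not code from the post or from BlackLight): the PID loop and the comparison against the process list are separated from the OpenProcess backend so the logic can be exercised offline. The Win32 backend is real ctypes code (OpenProcess, CloseHandle, EnumProcesses), but the FakeKernel class, its PspCidTable contents and the PID values in the demo are constructed here to show both a process hidden only from the listing API (found) and one also removed from the PspCidTable (missed, the failure mode the post describes).

```python
import ctypes
import sys
from typing import Callable, Iterable, Set, Tuple

PID_STEP = 4        # PIDs are handle-table indices, always multiples of 4
PID_MAX = 0x41DC    # upper bound BlackLight used, per the post

# Real Win32 constants
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5


def win32_pid_exists(pid: int) -> bool:
    """Real backend (Windows only): True if OpenProcess hands back a handle,
    or fails with ERROR_ACCESS_DENIED, which means the PID exists but we lack
    rights to it. A nonexistent PID fails with a different error code."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if h:
        k32.CloseHandle(ctypes.c_void_p(h))  # never leak the handle
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def win32_visible_pids() -> Set[int]:
    """Real backend (Windows only): the PID list EnumProcesses reports."""
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    arr = (ctypes.c_uint32 * 4096)()
    needed = ctypes.c_uint32()
    if not psapi.EnumProcesses(arr, ctypes.sizeof(arr), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    return set(arr[: needed.value // ctypes.sizeof(ctypes.c_uint32)])


def brute_force_pids(pid_exists: Callable[[int], bool],
                     pid_max: int = PID_MAX) -> Set[int]:
    """BlackLight-style sweep: probe every candidate PID, keep the ones that
    OpenProcess can resolve."""
    return {pid for pid in range(PID_STEP, pid_max + 1, PID_STEP) if pid_exists(pid)}


def find_hidden(brute: Set[int], listed: Iterable[int]) -> Set[int]:
    """A PID that OpenProcess accepts but the listing API omits is suspicious."""
    return brute - set(listed)


class FakeKernel:
    """Constructed stand-in for the kernel (hypothetical, for the offline demo):
    cid_table models the PspCidTable, which is what OpenProcess consults;
    visible models the list a listing API such as EnumProcesses walks."""

    def __init__(self, cid_table: Iterable[int], visible: Iterable[int]):
        self.cid_table = set(cid_table)
        self.visible = set(visible)

    def pid_exists(self, pid: int) -> bool:
        # OpenProcess succeeds only for PIDs still present in the PspCidTable
        return pid in self.cid_table


def demo_scan() -> Tuple[Set[int], Set[int]]:
    """Constructed scenario:
      0x0F8C is unlinked from the visible list but still in the PspCidTable,
             so the sweep finds it and the comparison flags it;
      0x1234 has also been removed from the PspCidTable, so OpenProcess cannot
             resolve it and the sweep misses it entirely."""
    kernel = FakeKernel(cid_table={4, 0x1A0, 0x0F8C, 0x2A40},
                        visible={4, 0x1A0, 0x2A40})
    brute = brute_force_pids(kernel.pid_exists)
    return brute, find_hidden(brute, kernel.visible)


if __name__ == "__main__":
    if sys.platform == "win32":
        found = brute_force_pids(win32_pid_exists)
        print("hidden PIDs:", sorted(find_hidden(found, win32_visible_pids())))
    else:
        found, hidden = demo_scan()
        print("swept:", sorted(map(hex, found)), "hidden:", sorted(map(hex, hidden)))
```

Run on Windows it performs the real sweep and prints PIDs the listing API omits; elsewhere it runs the constructed scenario. Note that PROCESS_QUERY_LIMITED_INFORMATION is used instead of the post's PROCESS_ALL_ACCESS so that protected and SYSTEM-owned processes are still counted as present via the access-denied path rather than silently dropped.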
PS:
I figured all that out on my own, and then read it later at Uninformed and got some specific data there. What I learned there is cited.