C++博客-S.l.e!ep.￠%-随笔分类-RootKit

C++博客-S.l.e!ep.￠%-随笔分类-RootKithttp://www.cppblog.com/sleepwom/category/12162.html某天睡觉醒来，我发现我会开机了~~~ <br> 方法，过程，目标，成就 <br> 是时候起兵作反了~<br> 不要太多感情<br> zh-cnMon, 12 Jul 2010 03:44:08 GMTMon, 12 Jul 2010 03:44:08 GMT60Load Driverhttp://www.cppblog.com/sleepwom/archive/2010/07/10/119977.htmlS.l.e!ep.￠%S.l.e!ep.￠%Sat, 10 Jul 2010 09:19:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/07/10/119977.htmlhttp://www.cppblog.com/sleepwom/comments/119977.htmlhttp://www.cppblog.com/sleepwom/archive/2010/07/10/119977.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/119977.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/119977.html阅读全文

S.l.e!ep.￠% 2010-07-10 17:19 发表评论

]]>protect_pwd.txthttp://www.cppblog.com/sleepwom/archive/2010/07/02/119170.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 02 Jul 2010 07:18:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/07/02/119170.htmlhttp://www.cppblog.com/sleepwom/comments/119170.htmlhttp://www.cppblog.com/sleepwom/archive/2010/07/02/119170.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/119170.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/119170.html阅读全文

S.l.e!ep.￠% 2010-07-02 15:18 发表评论

]]> Windows下Hook API技术 inline hookhttp://www.cppblog.com/sleepwom/archive/2010/07/02/119135.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 02 Jul 2010 00:20:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/07/02/119135.htmlhttp://www.cppblog.com/sleepwom/comments/119135.htmlhttp://www.cppblog.com/sleepwom/archive/2010/07/02/119135.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/119135.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/119135.html阅读全文

S.l.e!ep.￠% 2010-07-02 08:20 发表评论

]]>对付API-splicing的一种简单方法http://www.cppblog.com/sleepwom/archive/2010/07/02/119134.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 02 Jul 2010 00:19:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/07/02/119134.htmlhttp://www.cppblog.com/sleepwom/comments/119134.htmlhttp://www.cppblog.com/sleepwom/archive/2010/07/02/119134.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/119134.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/119134.html阅读全文

S.l.e!ep.￠% 2010-07-02 08:19 发表评论

]]>修改IAT实现API HOOKhttp://www.cppblog.com/sleepwom/archive/2010/07/01/119062.htmlS.l.e!ep.￠%S.l.e!ep.￠%Thu, 01 Jul 2010 06:57:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/07/01/119062.htmlhttp://www.cppblog.com/sleepwom/comments/119062.htmlhttp://www.cppblog.com/sleepwom/archive/2010/07/01/119062.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/119062.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/119062.html阅读全文

S.l.e!ep.￠% 2010-07-01 14:57 发表评论

]]>API-HOOK and ANTI-API-HOOK For Ring3http://www.cppblog.com/sleepwom/archive/2010/03/15/109733.htmlS.l.e!ep.￠%S.l.e!ep.￠%Mon, 15 Mar 2010 06:36:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/03/15/109733.htmlhttp://www.cppblog.com/sleepwom/comments/109733.htmlhttp://www.cppblog.com/sleepwom/archive/2010/03/15/109733.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/109733.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/109733.html阅读全文

S.l.e!ep.￠% 2010-03-15 14:36 发表评论

]]>API Hook jmp 法http://www.cppblog.com/sleepwom/archive/2010/03/12/109536.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 12 Mar 2010 07:32:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/03/12/109536.htmlhttp://www.cppblog.com/sleepwom/comments/109536.htmlhttp://www.cppblog.com/sleepwom/archive/2010/03/12/109536.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/109536.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/109536.html阅读全文

S.l.e!ep.￠% 2010-03-12 15:32 发表评论

]]> DirectX Input 键盘实现收藏 http://www.cppblog.com/sleepwom/archive/2010/03/12/109533.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 12 Mar 2010 07:01:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/03/12/109533.htmlhttp://www.cppblog.com/sleepwom/comments/109533.htmlhttp://www.cppblog.com/sleepwom/archive/2010/03/12/109533.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/109533.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/109533.html阅读全文

S.l.e!ep.￠% 2010-03-12 15:01 发表评论

]]>一个反键盘记录工具的分析http://www.cppblog.com/sleepwom/archive/2010/03/09/109281.htmlS.l.e!ep.￠%S.l.e!ep.￠%Tue, 09 Mar 2010 07:34:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/03/09/109281.htmlhttp://www.cppblog.com/sleepwom/comments/109281.htmlhttp://www.cppblog.com/sleepwom/archive/2010/03/09/109281.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/109281.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/109281.html阅读全文

S.l.e!ep.￠% 2010-03-09 15:34 发表评论

]]>不用hook 实现挂机锁http://www.cppblog.com/sleepwom/archive/2010/02/08/107530.htmlS.l.e!ep.￠%S.l.e!ep.￠%Mon, 08 Feb 2010 13:28:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/08/107530.htmlhttp://www.cppblog.com/sleepwom/comments/107530.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/08/107530.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107530.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107530.html阅读全文

S.l.e!ep.￠% 2010-02-08 21:28 发表评论

]]>about Injection (2)http://www.cppblog.com/sleepwom/archive/2010/02/07/107441.htmlS.l.e!ep.￠%S.l.e!ep.￠%Sun, 07 Feb 2010 09:23:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/07/107441.htmlhttp://www.cppblog.com/sleepwom/comments/107441.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/07/107441.html#Feedback2http://www.cppblog.com/sleepwom/comments/commentRss/107441.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107441.html阅读全文

S.l.e!ep.￠% 2010-02-07 17:23 发表评论

]]>DLL_THREAD_DETACH 认识误区http://www.cppblog.com/sleepwom/archive/2010/02/07/107440.htmlS.l.e!ep.￠%S.l.e!ep.￠%Sun, 07 Feb 2010 09:18:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/07/107440.htmlhttp://www.cppblog.com/sleepwom/comments/107440.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/07/107440.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107440.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107440.html阅读全文

S.l.e!ep.￠% 2010-02-07 17:18 发表评论

]]>enum all moduleshttp://www.cppblog.com/sleepwom/archive/2010/02/06/107395.htmlS.l.e!ep.￠%S.l.e!ep.￠%Sat, 06 Feb 2010 10:36:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/06/107395.htmlhttp://www.cppblog.com/sleepwom/comments/107395.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/06/107395.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107395.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107395.html阅读全文

S.l.e!ep.￠% 2010-02-06 18:36 发表评论

]]>about Injectionhttp://www.cppblog.com/sleepwom/archive/2010/02/06/107225.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 05 Feb 2010 20:38:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/06/107225.htmlhttp://www.cppblog.com/sleepwom/comments/107225.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/06/107225.html#Feedback2http://www.cppblog.com/sleepwom/comments/commentRss/107225.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107225.html阅读全文

S.l.e!ep.￠% 2010-02-06 04:38 发表评论

]]>Injective Code inside Import Tablehttp://www.cppblog.com/sleepwom/archive/2010/02/05/107316.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 05 Feb 2010 15:36:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/05/107316.htmlhttp://www.cppblog.com/sleepwom/comments/107316.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107316.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107316.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107316.html阅读全文

S.l.e!ep.￠% 2010-02-05 23:36 发表评论

]]>CreateRemoteThread-实现进程代码注入http://www.cppblog.com/sleepwom/archive/2010/02/05/107309.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 05 Feb 2010 13:33:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/05/107309.htmlhttp://www.cppblog.com/sleepwom/comments/107309.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107309.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107309.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107309.html阅读全文

S.l.e!ep.￠% 2010-02-05 21:33 发表评论

]]>利用CreateRemoteThread进行远程代码注入的技术在64位机上可能遇到的问题http://www.cppblog.com/sleepwom/archive/2010/02/05/107306.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 05 Feb 2010 13:15:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/05/107306.htmlhttp://www.cppblog.com/sleepwom/comments/107306.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107306.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107306.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107306.html阅读全文

S.l.e!ep.￠% 2010-02-05 21:15 发表评论

]]>SeDebugPrivilege 特权http://www.cppblog.com/sleepwom/archive/2010/02/05/107233.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 05 Feb 2010 04:07:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/05/107233.htmlhttp://www.cppblog.com/sleepwom/comments/107233.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107233.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107233.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107233.html阅读全文

S.l.e!ep.￠% 2010-02-05 12:07 发表评论

]]>SetProcessShutdownParameters Functionhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107229.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 05 Feb 2010 03:28:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/05/107229.htmlhttp://www.cppblog.com/sleepwom/comments/107229.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107229.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107229.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107229.html阅读全文

S.l.e!ep.￠% 2010-02-05 11:28 发表评论

]]>ShutdownBlockReasonCreate Functionhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107227.htmlS.l.e!ep.￠%S.l.e!ep.￠%Fri, 05 Feb 2010 03:18:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/05/107227.htmlhttp://www.cppblog.com/sleepwom/comments/107227.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/05/107227.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107227.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107227.html阅读全文

S.l.e!ep.￠% 2010-02-05 11:18 发表评论

]]>windows平台.lnk文件感染技术研究http://www.cppblog.com/sleepwom/archive/2010/02/04/107191.htmlS.l.e!ep.￠%S.l.e!ep.￠%Thu, 04 Feb 2010 09:42:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/04/107191.htmlhttp://www.cppblog.com/sleepwom/comments/107191.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/04/107191.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107191.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107191.html阅读全文

S.l.e!ep.￠% 2010-02-04 17:42 发表评论

]]>绕过主动防御的代码Inject方法思考http://www.cppblog.com/sleepwom/archive/2010/02/03/107096.htmlS.l.e!ep.￠%S.l.e!ep.￠%Wed, 03 Feb 2010 04:49:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/03/107096.htmlhttp://www.cppblog.com/sleepwom/comments/107096.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/03/107096.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107096.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107096.html阅读全文

S.l.e!ep.￠% 2010-02-03 12:49 发表评论

]]>HOOK钩子机制学习笔记(3) - 钩子常用结构体MSDN翻译整理收藏http://www.cppblog.com/sleepwom/archive/2010/02/03/107093.htmlS.l.e!ep.￠%S.l.e!ep.￠%Wed, 03 Feb 2010 04:41:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/03/107093.htmlhttp://www.cppblog.com/sleepwom/comments/107093.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/03/107093.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107093.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107093.html阅读全文

S.l.e!ep.￠% 2010-02-03 12:41 发表评论

]]>HOOK钩子机制学习笔记(4) - 钩子函数说明收藏 http://www.cppblog.com/sleepwom/archive/2010/02/03/107094.htmlS.l.e!ep.￠%S.l.e!ep.￠%Wed, 03 Feb 2010 04:41:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/03/107094.htmlhttp://www.cppblog.com/sleepwom/comments/107094.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/03/107094.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107094.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107094.html阅读全文

S.l.e!ep.￠% 2010-02-03 12:41 发表评论

]]>HOOK钩子机制学习笔记(2) - 钩子类型MSDN翻译整理收藏 http://www.cppblog.com/sleepwom/archive/2010/02/03/107092.htmlS.l.e!ep.￠%S.l.e!ep.￠%Wed, 03 Feb 2010 04:40:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/03/107092.htmlhttp://www.cppblog.com/sleepwom/comments/107092.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/03/107092.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107092.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107092.html阅读全文

S.l.e!ep.￠% 2010-02-03 12:40 发表评论

]]>HOOK钩子机制学习笔记(1) 收藏 http://www.cppblog.com/sleepwom/archive/2010/02/03/107091.htmlS.l.e!ep.￠%S.l.e!ep.￠%Wed, 03 Feb 2010 04:39:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/03/107091.htmlhttp://www.cppblog.com/sleepwom/comments/107091.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/03/107091.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107091.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107091.html阅读全文

S.l.e!ep.￠% 2010-02-03 12:39 发表评论

]]>DLL Inject -- 一、Windows 钩子（Hooks） - (2)http://www.cppblog.com/sleepwom/archive/2010/02/03/107090.htmlS.l.e!ep.￠%S.l.e!ep.￠%Wed, 03 Feb 2010 04:38:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/03/107090.htmlhttp://www.cppblog.com/sleepwom/comments/107090.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/03/107090.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107090.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107090.html阅读全文

S.l.e!ep.￠% 2010-02-03 12:38 发表评论

]]>DLL Inject -- 一、Windows 钩子（Hooks） - (1)http://www.cppblog.com/sleepwom/archive/2010/02/03/106672.htmlS.l.e!ep.￠%S.l.e!ep.￠%Wed, 03 Feb 2010 04:07:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/03/106672.htmlhttp://www.cppblog.com/sleepwom/comments/106672.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/03/106672.html#Feedback3http://www.cppblog.com/sleepwom/comments/commentRss/106672.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/106672.html阅读全文

S.l.e!ep.￠% 2010-02-03 12:07 发表评论

]]>显示某进程里所有模块信息http://www.cppblog.com/sleepwom/archive/2010/02/02/107052.htmlS.l.e!ep.￠%S.l.e!ep.￠%Tue, 02 Feb 2010 14:39:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/02/107052.htmlhttp://www.cppblog.com/sleepwom/comments/107052.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/02/107052.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107052.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107052.html阅读全文

S.l.e!ep.￠% 2010-02-02 22:39 发表评论

]]>Hook Api lib 0.4 for C http://www.cppblog.com/sleepwom/archive/2010/02/02/107051.htmlS.l.e!ep.￠%S.l.e!ep.￠%Tue, 02 Feb 2010 14:03:00 GMThttp://www.cppblog.com/sleepwom/archive/2010/02/02/107051.htmlhttp://www.cppblog.com/sleepwom/comments/107051.htmlhttp://www.cppblog.com/sleepwom/archive/2010/02/02/107051.html#Feedback0http://www.cppblog.com/sleepwom/comments/commentRss/107051.htmlhttp://www.cppblog.com/sleepwom/services/trackbacks/107051.html阅读全文

S.l.e!ep.￠% 2010-02-02 22:03 发表评论

]]>