
[Test] Test your HIPS's SSDT hooks


http://www.matousec.com/info/adv ... oftware-drivers.php
http://www.matousec.com/projects ... oftware-drivers.php



I loaded the driver first, then:

1. Find SSDT hooks

2. Add to Probe list

3. Press "GO"

However, when it tested EQ's hook, it went straight to a blue screen.

Here are some test results for firewall HIPS products.






Please look at KIS7.

2 of its hooks are incorrect!

Is it related to the following?

http://www.avpclub.ddns.info/discuz/thread-5154-1-1.html


Probing 6 function(s) started.
Probing function NtConnectPort(DUDDDDDD) ...
Function NtConnectPort passed the tests.
Probing function NtDuplicateObject(DDDBDDD) ...
Function NtDuplicateObject passed the tests.
Probing function NtOpenFile(DDODDD) ...
Function NtOpenFile passed the tests.
Probing function NtOpenThread(DDOD) ...
Function NtOpenThread passed the tests.
Probing function NtRenameKey(BU) ...
Function NtRenameKey passed the tests.
Probing function NtUnloadKey(O) ...
Function NtUnloadKey passed the tests.
Probing complete.
---------------------------------------------
CFP V3 (Blue) passed the test!

uphclean (Red) passed the test!
It is Microsoft's program for speeding up shutdown!


Reply from 兔總版 (head moderator) of EQ:


Panda 2007 11.00.02
Quote:
下午 12:17:49: Driver loaded.
下午 12:17:56: Unable to disable BSODs.
下午 12:17:57: Hook found: NtTerminateProcess
下午 12:17:57: Hook found: NtTerminateThread
下午 12:17:57: Hook found: NtWriteVirtualMemory
下午 12:18:02: Probing 3 function(s) started.
下午 12:18:02: Probing function NtTerminateProcess(PD) ...
下午 12:19:04: Function NtTerminateProcess passed the tests.
下午 12:19:04: Probing function NtTerminateThread(PD) ...
下午 12:20:08: Function NtTerminateThread passed the tests.
下午 12:20:08: Probing function NtWriteVirtualMemory(PDDDB) ...
下午 12:23:33: Function NtWriteVirtualMemory passed the tests.
下午 12:23:33: Probing complete.
The others I tested, DSA and Sophos 7.0, all BSOD...

Reply to post #5 by ㄚ一

May I ask what BSOD is?

Finally figured it out:

BSOD = Blue Screen of Death

[ This post was last edited by Roger on 2007-9-20 12:38 ]


Quote:
Originally posted by ㄚ一 on 2007-9-20 12:30
Panda 2007 11.00.02


The others I tested, DSA and Sophos 7.0, all BSOD...
Try the following method:

1. Load Driver

2. Disable BSOD

3. Find SSDT hooks

4. Add to Probe list

5. Press "GO" or "I am happy"


Isn't BSOD just the name of this test program?


Strange, for some reason my post got displaced.

Never mind. Actually, testing the SSDT is very simple:

just use IceSword,

unhook the SSDT,

and see whether your security software still works.


For some reason it says my OS doesn't support disabling BSODs...

FIS 2008 ALL PASS..
Quote:
下午 12:36:11: Driver loaded.
下午 12:36:12: Hook found: NtCreateProcess
下午 12:36:12: Hook found: NtCreateProcessEx
下午 12:36:12: Hook found: NtLoadDriver
下午 12:36:12: Hook found: NtOpenSection
下午 12:36:12: Hook found: NtRenameKey
下午 12:36:12: Hook found: NtSetSystemInformation
下午 12:36:12: Hook found: NtSuspendProcess
下午 12:36:12: Hook found: NtSuspendThread
下午 12:36:12: Hook found: NtSystemDebugControl
下午 12:36:12: Hook found: NtTerminateProcess
下午 12:36:12: Hook found: NtTerminateThread
下午 12:36:12: Hook found: NtWriteVirtualMemory
下午 12:36:17: Probing 12 function(s) started.
下午 12:36:17: Probing function NtCreateProcess(DDODDDDD) ...
下午 12:41:27: Function NtCreateProcess passed the tests.
下午 12:41:27: Probing function NtCreateProcessEx(DDODDDDDD) ...
下午 12:46:59: Function NtCreateProcessEx passed the tests.
下午 12:46:59: Probing function NtLoadDriver(U) ...
下午 12:51:04: Function NtLoadDriver passed the tests.
下午 12:51:04: Probing function NtOpenSection(BDO) ...
下午 12:53:40: Function NtOpenSection passed the tests.
下午 12:53:40: Probing function NtRenameKey(BU) ...
下午 12:55:05: Function NtRenameKey passed the tests.
下午 12:55:05: Probing function NtSetSystemInformation(DDD) ...
下午 12:56:35: Function NtSetSystemInformation passed the tests.
下午 12:56:35: Probing function NtSuspendProcess(P) ...
下午 12:57:13: Function NtSuspendProcess passed the tests.
下午 12:57:13: Probing function NtSuspendThread(PD) ...
下午 12:58:21: Function NtSuspendThread passed the tests.
下午 12:58:21: Probing function NtSystemDebugControl(DDDDDD) ...
下午 01:01:13: Function NtSystemDebugControl passed the tests.
下午 01:01:13: Probing function NtTerminateProcess(PD) ...
下午 01:02:17: Function NtTerminateProcess passed the tests.
下午 01:02:17: Probing function NtTerminateThread(PD) ...
下午 01:03:22: Function NtTerminateThread passed the tests.
下午 01:03:22: Probing function NtWriteVirtualMemory(PDDDB) ...
下午 01:05:29: Function NtWriteVirtualMemory passed the tests.
下午 01:05:29: Probing complete.

Driver loaded.
BSODs disabled.

Hook found: NtConnectPort
Hook found: NtCreateFile
Hook found: NtCreateKey
Hook found: NtCreateSection
Hook found: NtCreateThread
Hook found: NtDeleteKey
Hook found: NtDeleteValueKey
Hook found: NtDuplicateObject
Hook found: NtLoadDriver
Hook found: NtOpenFile
Hook found: NtOpenProcess
Hook found: NtOpenSection
Hook found: NtOpenThread
Hook found: NtProtectVirtualMemory
Hook found: NtRenameKey
Hook found: NtRequestWaitReplyPort
Hook found: NtRestoreKey
Hook found: NtSetContextThread
Hook found: NtSetSystemInformation
Hook found: NtSetSystemTime
Hook found: NtSetValueKey
Hook found: NtShutdownSystem
Hook found: NtSuspendProcess
Hook found: NtSuspendThread
Hook found: NtSystemDebugControl
Hook found: NtTerminateJobObject
Hook found: NtTerminateProcess
Hook found: NtTerminateThread
Hook found: NtUnloadKey
Hook found: NtWriteVirtualMemory

Probing 30 function(s) started.
Probing function NtConnectPort(DUDDDDDD) ...
Function NtConnectPort passed the tests.
Probing function NtCreateFile(DDODDDDDDDD) ...
Function NtCreateFile passed the tests.
Probing function NtCreateKey(BDODUDD) ...
NtCreateKey(0x9EF99726, 0xF05BE27E, OBJECT_ATTRIBUTES.ObjectName=0x8FAED965, 0x8D5CDE01, UNICODE_STRING.Buffer=0x8C4B2A2C, 0x88FB230C, 0xE4658455) caused BSOD!
Probing function NtCreateSection(DDODDDD) ...
Function NtCreateSection passed the tests.
Probing function NtCreateThread(DDODDDDD) ...
Function NtCreateThread passed the tests.
Probing function NtDeleteKey(B) ...
NtDeleteKey caused BSOD when its 1st argument was 0xFFFFFFFE.
Probing function NtDeleteValueKey(BU) ...
NtDeleteValueKey(0x8840C091, 0x102B548D) caused BSOD!
Probing function NtDuplicateObject(DDDBDDD) ...
Function NtDuplicateObject passed the tests.
Probing function NtLoadDriver(U) ...
Function NtLoadDriver passed the tests.
Probing function NtOpenFile(DDODDD) ...
Function NtOpenFile passed the tests.
Probing function NtOpenProcess(DDOD) ...
Function NtOpenProcess passed the tests.
Probing function NtOpenSection(BDO) ...
Function NtOpenSection passed the tests.
Probing function NtOpenThread(DDOD) ...
Function NtOpenThread passed the tests.
Probing function NtProtectVirtualMemory(PBDDB) ...
Function NtProtectVirtualMemory passed the tests.
Probing function NtRenameKey(BU) ...
Function NtRenameKey passed the tests.
Probing function NtRequestWaitReplyPort(BDD) ...
Function NtRequestWaitReplyPort passed the tests.
Probing function NtRestoreKey(BDD) ...
NtRestoreKey caused BSOD when its 1st argument was 0xFFFFFFFE.
Probing function NtSetContextThread(PD) ...
Function NtSetContextThread passed the tests.
Probing function NtSetSystemInformation(DDD) ...
Function NtSetSystemInformation passed the tests.
Probing function NtSetSystemTime(DD) ...
Function NtSetSystemTime passed the tests.
Probing function NtSetValueKey(BUDDDD) ...
NtSetValueKey(0x8840C091, 0x102B548D, 0x6C9B2353, 0x54172F7D, 0xE5B1A3ED, 0xFF381560) caused BSOD!
Probing function NtShutdownSystem(D) ...
Function NtShutdownSystem passed the tests.
Probing function NtSuspendProcess(P) ...
Function NtSuspendProcess passed the tests.
Probing function NtSuspendThread(PD) ...
Function NtSuspendThread passed the tests.
Probing function NtSystemDebugControl(DDDDDD) ...
Function NtSystemDebugControl passed the tests.
Probing function NtTerminateJobObject(DD) ...
Function NtTerminateJobObject passed the tests.
Probing function NtTerminateProcess(PD) ...
Function NtTerminateProcess passed the tests.
Probing function NtTerminateThread(PD) ...
Function NtTerminateThread passed the tests.
Probing function NtUnloadKey(O) ...
Function NtUnloadKey passed the tests.
Probing function NtWriteVirtualMemory(PDDDB) ...
Function NtWriteVirtualMemory passed the tests.
Probing complete.

--------------------------------------------------------------------
1. CFP V3 (Blue) passed the test! (5/5)

2. uphclean (Red) passed the test! (1/1)
It is Microsoft's program for speeding up shutdown!

3. EQSecure V3.4 (Green) failed on the following hooks (19/24):


1. Probing function NtCreateKey(BDODUDD) ...
NtCreateKey(0x9EF99726, 0xF05BE27E, OBJECT_ATTRIBUTES.ObjectName=0x8FAED965, 0x8D5CDE01, UNICODE_STRING.Buffer=0x8C4B2A2C, 0x88FB230C, 0xE4658455) caused BSOD!

2. Probing function NtDeleteKey(B) ...
NtDeleteKey caused BSOD when its 1st argument was 0xFFFFFFFE.

3. Probing function NtDeleteValueKey(BU) ...
NtDeleteValueKey(0x8840C091, 0x102B548D) caused BSOD!

4. Probing function NtRestoreKey(BDD) ...
NtRestoreKey caused BSOD when its 1st argument was 0xFFFFFFFE.

5. Probing function NtSetValueKey(BUDDDD) ...
NtSetValueKey(0x8840C091, 0x102B548D, 0x6C9B2353, 0x54172F7D, 0xE5B1A3ED, 0xFF381560) caused BSOD!

[ This post was last edited by Roger on 2007-9-20 18:39 ]

Here is what the letters inside the parentheses mean:

1. V, valid pointer – pointer to the stack, no testing is performed for this parameter type
2. D, any DWORD – argument is in range 0x00000000 – 0xFFFFFFFF
3. P, local (process/thread) handle – argument is in range 0x00000001 – 0xFFFFFF00
4. B, no user-mode memory – argument is in range 0x7FFF0000 – 0xFFFFFFFF
5. O, OBJECT_ATTRIBUTES pointer – argument is OBJECT_ATTRIBUTES whose ObjectName part is any DWORD
6. Q, OBJECT_ATTRIBUTES pointer with invalid Buffer – argument is OBJECT_ATTRIBUTES whose ObjectName.Buffer part is any DWORD
7. U, UNICODE_STRING pointer – argument is UNICODE_STRING whose Buffer is any DWORD
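An added example (not from the thread or from matousec's tool) that parses probe output in the format quoted throughout this thread and decodes the parameter letters from the legend above, so each product can be tallied like the (19/24) scores and a crashing function matched to the argument class that the hook failed to validate. The regexes and the sample log are assumptions modelled on the lines shown in the thread.

```python
import re

# Parameter classes, taken from the legend posted in the thread.
PARAM_CLASSES = {"V": "valid pointer, not tested", "D": "any DWORD",
                 "P": "local handle 0x1-0xFFFFFF00", "B": "no user-mode memory",
                 "O": "OBJECT_ATTRIBUTES, any ObjectName",
                 "Q": "OBJECT_ATTRIBUTES, any ObjectName.Buffer",
                 "U": "UNICODE_STRING, any Buffer"}

# Assumed line shapes, modelled on the quoted tool output (timestamp prefix optional).
TIMESTAMP_RE = re.compile(r"^\S+ \d{2}:\d{2}:\d{2}: ")          # e.g. "下午 12:17:49: "
PROBE_RE = re.compile(r"Probing function (\w+)\(([A-Z]*)\) \.\.\.")
PASS_RE = re.compile(r"Function (\w+) passed the tests\.")
BSOD_ARG_RE = re.compile(r"(\w+) caused BSOD when its (\d+)\w\w argument was (0x[0-9A-Fa-f]+)\.")
BSOD_RE = re.compile(r"(\w+)\(.*\) caused BSOD!")

def parse_log(text):
    """Map each probed function name to {'sig', 'passed', 'note'}."""
    results = {}
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        if m := PROBE_RE.search(line):
            results[m.group(1)] = {"sig": m.group(2), "passed": False, "note": ""}
        elif (m := PASS_RE.search(line)) and m.group(1) in results:
            results[m.group(1)]["passed"] = True
        elif (m := BSOD_ARG_RE.search(line)) and m.group(1) in results:
            name, idx, value = m.group(1), int(m.group(2)), m.group(3)
            cls = results[name]["sig"][idx - 1]        # letter of the offending parameter
            results[name]["note"] = f"arg {idx} [{cls}: {PARAM_CLASSES[cls]}] = {value}"
        elif (m := BSOD_RE.search(line)) and m.group(1) in results:
            results[m.group(1)]["note"] = "BSOD with fuzzed arguments"
    return results

def summarize(results):
    """Return (passed, total, crashed names), the same tally as the (19/24) scores."""
    failed = sorted(n for n, r in results.items() if not r["passed"])
    return len(results) - len(failed), len(results), failed

# Constructed sample mixing timestamped and plain lines, as in the posts above.
SAMPLE_LOG = """下午 12:36:11: Driver loaded.
下午 12:36:12: Hook found: NtDeleteKey
Probing 3 function(s) started.
Probing function NtOpenFile(DDODDD) ...
Function NtOpenFile passed the tests.
Probing function NtDeleteKey(B) ...
NtDeleteKey caused BSOD when its 1st argument was 0xFFFFFFFE.
Probing function NtSetValueKey(BUDDDD) ...
NtSetValueKey(0x8840C091, 0x102B548D, 0x6C9B2353, 0x54172F7D, 0xE5B1A3ED, 0xFF381560) caused BSOD!
Probing complete."""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))
    for name, r in parsed.items():
        print(name, r)
```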
