[hack004]

i find by using a software calld "Xuetr" some SSDT function was inline hook,but,i using similar "Kernel Detective v1.3.1" and "Rootkit Unhook" no find SSDT functions has been hook,but i using "Rootkit Unhook" viewing has been source ASM code of the hook functions,found some clues,which are using such methods
//---------------------------------
push 0x123456 //assume it's 0x123456
ret
//---------------------------------------------
I Want recover them,May I ask What? or some examples.,BTW:in cann't directly "NOP" the cases.Thans for help me.

[EP_X0FF]

http://translate.google.com/

[hack004]

http://translate.google.com/

I'm sorry,,, - -,,english is not too good.~i translated it with GOOGLE translate~ :roll:

----------------------------------------------------------------------------------------------------
I use one called "XueTr" software to view the SSDT HOOK function, found in several functions are Inline HOOK, but I used the"Kernel Detective v1.3.1"and "Rootkit Unhook" similar software, but shows no HOOK, then I used the "Rootkit Unhook" checked those HOOK function disassembly code, find the previous is:
//----------------------------------
push 0x123456 //assume it's 0x123456
ret
//------------------------------------------
I want to recover them, may I ask what's the method not? I am not sure if "NOP" or the previous function during the first few bytes can be replaced, are there examples in this regard?

[EP_X0FF]

You need to get original bytes of function from image from the disk. After this you can restore hooked function.

[hack004]

Thanks for quick reply,
//------------------------------
about you refer to the disk,is in the ntoskrnl.exe file gets?,very much hope you can give me a sample.

[GamingMasteR]

Hi,

I think XueTr shows it's own hooks, maybe it shows the inline hooks in the ssdt hooks dialog too, while RkU & KeDetective show inline hooks only in the inline hooks dialog (not mixed with ssdt dialog) .