Hi, everyone.
This tutorial is excerpted from my study notes. It includes:
0.Begin
|-Hardware preparation
|-Configure environment of driver development
------------------------------
1.HelloWorld In Kernel-Mode
|-Configure environment of driver testing
|-Compile and load kernel-mode HelloWorld
------------------------------
2.Basic Code
|-Basic rule of WIN64 kernel-mode programming
|-Communication between EXE and SYS
|-Use memory in kernel-mode
|-Use string in kernel-mode
|-File operation in kernel-mode
|-Registry operation in kernel-mode
|-Process/Thread operation in kernel-mode
|-Other common code
------------------------------
3.Kernel-Mode Hook And Unhook
|-SYSCALL, WOW64 and Compatibility Mode
|-Disable WIN7 PatchGuard
|-Structure of System Services Descriptor Table
|-SSDT HOOK and UNHOOK
|-SHADOW SSDT HOOK and UNHOOK
|-INLINE HOOK and UNHOOK
------------------------------
4.Monitor Process Behavior Without Hook
|-Monitor Process/Thread startup and exit
|-Monitor Load module (DLL and SYS)
|-Monitor Registry operation
|-Monitor File operation
|-Monitor Process/Thread handle operation
|-Monitor File access by object notify
|-Monitor Internet access
|-Monitor Time change
------------------------------
5.Some Stuff
|-Use ASM code in driver
|-DKOM hide/protect process
|-Enumerate and hide kernel module
|-Kill process by PspTerminateProcess
|-Read/Write process memory enforcement
|-Enumerate message hook
|-Unlock file
|-Preliminary exploration on PE32+ file
------------------------------
6.User-Mode Hook And Unhook
|-Inject DLL to system process
|-RING3 INLINE HOOK and UNHOOK
|-RING3 EAT HOOK and IAT HOOK
------------------------------
7.Anti Notify And Callback
|-Enumerate and Delete CreateProcess/CreateThread notify
|-Enumerate and Delete LoadImage notify
|-Enumerate and Delete Registry callback
|-Enumerate and Anti MiniFilter
|-Enumerate and Delete Object notify
The PDF part is written in CHINESE; if you cannot read CHINESE, you can read the code directly.
The code is ugly, but as a demonstration it should be no problem.
Download URL: http://pan.baidu.com/s/1bnxQNJh
Last edited by m5home on Fri Jun 13, 2014 9:41 am, edited 2 times in total.
The woman of my avatar: MiYue, the first empress dowager of China. In the TV series "The Legend of MiYue", my favourite movie star SunLi plays MiYue.