Mirrors
/
Windows-Rootkits
mirror of https://github.com/ciyze0101/Windows-Rootkits
6
0
Fork 0
Code Issues Projects Releases Wiki Activity
Windows-Rootkits/SSDT-SSSDT-Manager
History
LycorisGuard eae3805066 update 
update
 		2018-08-14 22:22:43 +08:00
..
EnumSSSDTManager delete no use file 2018-08-14 20:05:54 +08:00
EnumSSSDTManagerRing0 update 2018-08-14 22:22:43 +08:00
ReadMe.txt Create ReadMe.txt 2016-08-29 16:01:14 +08:00

ReadMe.txt 

1.send Io Control Code to Ring0 to get SSDT&SSSDT Information
include:functionIndex/Function Name/Current Address/Original Address/Is Hooked/the module belong
include:reload ntoskrnl.exe(SSDT)/win32k.sys(SSSDT) to compare

2.if current Address is not compare to  Original Address means the function is SSDT Hook
  if the code is not compare to the code in ntoskrnl.exe/win32k.sys in the first 32 bytes in the function,it is Inline Hook
  
3.Resume SSDT Hook/Inline Hook