Battle for the Martial World: Who Wins? nProtect VS HackShield
Author: zhuwg
Source: EvilOctal Information Security Team (www.eviloctal.com)
First, happy new year to everyone :rose :rose, and may your red envelopes be many.
The articles I write seem to get few readers and even fewer replies; I don't know whether my luck (RP) is bad or my writing is just too poor.
This time I'll try a different genre and write it in the style of a wuxia novel; I've been wanting to write a chapter of a novel anyway.
Maybe a few more people will find it interesting.
Since ancient times the jianghu has divided after long union and united after long division; since the last war ended, the martial world has been without a leader.
So the hall master chose an auspicious day and convened a martial-arts assembly, inviting heroes from everywhere, and every major sect sent its brothers.
The venue was an open field outside the city, each sect camped in its own corner, and of course many fighters from small sects came to challenge.
For a while the scene was truly lively.
The hall master declared the assembly open. Item one: each major sect introduces itself.
The disciple from INCA Internet was first on stage. These days INCA Internet's GameGuard is riding high; merchants, taverns and inns everywhere invite INCA Internet's disciples to serve as security advisors, and to say "this house is protected by INCA Internet disciples" commands great respect.
The newcomer introduced himself as GameGuard of INCA Internet. Though still young, not quite the equal of his senior fellow disciple KeyCrypt in age, his martial skill is in no way below his senior's, and he drew a round of praise the moment he stepped up.
"My sect is the most reputable in the jianghu. To keep all of you safe, our security work is meticulous."
"Take a tavern as the example; taverns have always been places of quarrels and fights. See how my sect handles it."
"First, before a guest even enters, we frisk them with our inner energy." (Every API below is patched with an inline relative jump that diverts into GameGuard's own module, npggNT.des, inside the shell process explorer.exe, PID 440:)
[440]EXPLORER.EXE–>advapi32.dll–>CreateProcessWithLogonW, Type: Inline – RelativeJump at address 0x77DE5C9D hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>gdi32.dll–>GetPixel, Type: Inline – RelativeJump at address 0x77EFB471 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>CreateProcessInternalW, Type: Inline – RelativeJump at address 0x7C8191EB hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>DebugActiveProcess, Type: Inline – RelativeJump at address 0x7C859F0B hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>GetProcAddress, Type: Inline – RelativeJump at address 0x7C80AC28 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>LoadLibraryExW, Type: Inline – RelativeJump at address 0x7C801AF1 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>MapViewOfFile, Type: Inline – RelativeJump at address 0x7C80B78D hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>MapViewOfFileEx, Type: Inline – RelativeJump at address 0x7C80B71E hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>MoveFileW, Type: Inline – RelativeJump at address 0x7C839659 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>OpenProcess, Type: Inline – RelativeJump at address 0x7C81E079 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>ReadProcessMemory, Type: Inline – RelativeJump at address 0x7C8021CC hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>VirtualProtect, Type: Inline – RelativeJump at address 0x7C801AD0 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>VirtualProtectEx, Type: Inline – RelativeJump at address 0x7C801A5D hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>kernel32.dll–>WriteProcessMemory, Type: Inline – RelativeJump at address 0x7C80220F hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtDeviceIoControlFile, Type: Inline – RelativeJump at address 0x7C92D8E3 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtLoadDriver, Type: Inline – RelativeJump at address 0x7C92DB6E hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtOpenProcess, Type: Inline – RelativeJump at address 0x7C92DD7B hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtProtectVirtualMemory, Type: Inline – RelativeJump at address 0x7C92DEB6 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtQuerySystemInformation, Type: Inline – RelativeJump at address 0x7C92E1AA hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtReadVirtualMemory, Type: Inline – RelativeJump at address 0x7C92E2BB hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtSuspendProcess, Type: Inline – RelativeJump at address 0x7C92E83A hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtSuspendThread, Type: Inline – RelativeJump at address 0x7C92E84F hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtTerminateProcess, Type: Inline – RelativeJump at address 0x7C92E88E hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtTerminateThread, Type: Inline – RelativeJump at address 0x7C92E8A3 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>ntdll.dll–>NtWriteVirtualMemory, Type: Inline – RelativeJump at address 0x7C92EA32 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll+0x00008B80, Type: Inline – RelativeJump at address 0x77D18B80 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>GetWindowThreadProcessId, Type: Inline – RelativeJump at address 0x77D18A80 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>keybd_event, Type: Inline – RelativeJump at address 0x77D66341 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>mouse_event, Type: Inline – RelativeJump at address 0x77D662FD hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>PostMessageA, Type: Inline – RelativeJump at address 0x77D1CB85 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>PostMessageW, Type: Inline – RelativeJump at address 0x77D18CCB hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>SendInput, Type: Inline – RelativeJump at address 0x77D2F118 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>SendInput, Type: Inline – RelativeJump at address 0x77D2F122 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>SendMessageA, Type: Inline – RelativeJump at address 0x77D2F39A hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>SendMessageW, Type: Inline – RelativeJump at address 0x77D1B8BA hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>SetCursorPos, Type: Inline – RelativeJump at address 0x77D55E4B hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>SetWindowsHookExA, Type: Inline – RelativeJump at address 0x77D311E9 hook handler located in [npggNT.des]
[440]EXPLORER.EXE–>user32.dll–>SetWindowsHookExW, Type: Inline – RelativeJump at address 0x77D2E4AF hook handler located in [npggNT.des]
"Take your time and look at how thorough my sect's checks are."
"Naturally the search never stops, so that if a guest carries a weapon or draws one, my sect can throw him out on the spot."
"Of course that alone is not enough. Some assassins use hidden weapons and conceal them deeply, where our routine search can hardly find them."
"My sect has more skills for that. If a guest wants to enter the inner sanctum, we check there too; everyone please look." (These are inline hooks inside the kernel itself, planted by GameGuard's driver dump_wmimmc.sys:)
>Hooks
ntoskrnl.exe+0x00004AA2, Type: Inline – RelativeJump at address 0x804DCAA2 hook handler located in [ntoskrnl.exe]
ntoskrnl.exe+0x000147DA, Type: Inline – RelativeJump at address 0x804EC7DA hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe–>KeAttachProcess, Type: Inline – RelativeJump at address 0x804EC938 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe–>KeStackAttachProcess, Type: Inline – RelativeJump at address 0x804F2743 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe–>NtDeviceIoControlFile, Type: Inline – RelativeJump at address 0x8057CF7B hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe–>NtOpenProcess, Type: Inline – RelativeJump at address 0x80574C96 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe–>NtProtectVirtualMemory, Type: Inline – RelativeJump at address 0x80575045 hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe–>NtReadVirtualMemory, Type: Inline – RelativeJump at address 0x8057F48E hook handler located in [dump_wmimmc.sys]
ntoskrnl.exe–>NtWriteVirtualMemory, Type: Inline – RelativeJump at address 0x8057F5E0 hook handler located in [dump_wmimmc.sys]
"With protection like this, plus our unique secret manual, even the waiters serve food and drink while invisible" (the driver hides itself),
"protecting everyone's safety as far as possible."
nProtect GameGuard stepped down to thunderous applause.
Without a moment's pause another martial artist rushed onto the stage.
The newcomer introduced himself as a disciple of AhnLab HackShield.
AhnLab is a famous and noble house of the jianghu; AhnLab Security has been renowned for a long time.
HackShield, though not as famous as GameGuard, has earned its place through real strength.
He opened by saying: "My sect does no separate body search; we respect everyone's privacy."
"But that does not mean my sect's defences are weak; we have equally strict checks at the door." (HackShield's driver EagleNT.sys redirects these System Service Descriptor Table entries:)
NtReadVirtualMemory
Actual Address 0xF7609FF0
Hooked by: C:\WINDOWS\system32\drivers\EagleNT.sys
NtSuspendThread
Actual Address 0xF760A450
Hooked by: C:\WINDOWS\system32\drivers\EagleNT.sys
NtTerminateThread
Actual Address 0xF760A3F0
Hooked by: C:\WINDOWS\system32\drivers\EagleNT.sys
NtWriteVirtualMemory
Actual Address 0xF760A150
Hooked by: C:\WINDOWS\system32\drivers\EagleNT.sys
>Shadow
NtUserSendInput
Actual Address 0xF760C150
Hooked by: C:\WINDOWS\system32\drivers\EagleNT.sys
"Look, not one fewer than anyone else, and our stealth is a cut above GameGuard's."
"Without profound skill, an ordinary person cannot see us at all."
"And we have a unique technique of our own:"
IDT–>Int 0x00000001, Type: IDT modification hook handler located in [EagleNT.sys]
IDT–>Int 0x00000003, Type: IDT modification hook handler located in [EagleNT.sys]
ntoskrnl.exe+0x00004AA2, Type: Inline – RelativeJump at address 0x804DCAA2 hook handler located in [ntoskrnl.exe]
"See, the tavern's most critical points, int 1 and int 3, are under our watch" (the single-step and breakpoint exceptions every debugger depends on); "if an enemy slips in, we find out the instant it happens."
"We do not judge friend from foe by frisking you, but by whether you break into the core secret areas; that way we trust everyone as far as possible without
losing any rigour in our defence."
HackShield finished its introduction and stepped down. The hall master announced that, for various reasons, NES and XTrap had not arrived in time
and could not take part in the contest; that would be discussed when they arrive. Now the challengers could take the stage.
A roar went up from the crowd; everyone wanted to go first.
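Both listings above boil down to the same two checks a hook scanner performs: for an inline hook, read the first bytes of the function, decode the E9 rel32 jump the way the CPU would, and see whether the destination lies outside the module that owns the function; for an SSDT or IDT entry, see whether the handler address lies inside ntoskrnl.exe at all. The following is an added, portable example of those checks (it is not code from the post, from GameGuard or from HackShield). Hooked addresses are taken from the listings; the module bases and sizes, the npggNT.des target 0x10005000 and the five-byte stub are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address range of a loaded image. The bases and sizes here are assumed for
 * the example; the tool listings only report the hooked addresses. */
typedef struct { const char *name; uint32_t base; uint32_t size; } module_t;

static const module_t g_user_mods[] = {
    { "kernel32.dll", 0x7C800000u, 0x000F6000u },   /* assumed range */
    { "npggNT.des",   0x10000000u, 0x00100000u },   /* assumed range */
};
static const module_t g_kernel_mods[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x001F8000u },   /* assumed range */
    { "EagleNT.sys",  0xF7600000u, 0x00010000u },   /* assumed range */
};

/* Name of the module whose range contains addr, or "unknown". */
const char *owner_of(const module_t *mods, size_t n, uint32_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return "unknown";
}

/* Encode an x86 "jmp rel32" (E9 + little-endian displacement) from `from` to `to`.
 * This is exactly what an inline hook writes over a function's first five bytes. */
void encode_relative_jump(uint32_t from, uint32_t to, uint8_t out[5]) {
    uint32_t rel = to - (from + 5);            /* wraps mod 2^32 for backward jumps */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* Inline-hook check: if the entry starts with E9 rel32, resolve the destination
 * the way the CPU does (next-instruction address plus displacement). */
int detect_relative_jump(uint32_t func, const uint8_t *code, size_t len, uint32_t *target) {
    if (len < 5 || code[0] != 0xE9) return 0;
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)code[1 + i] << (8 * i);
    *target = func + 5 + rel;
    return 1;
}

/* A jump is only a hook when it leaves the function's own module; the listing's
 * "hook handler located in [npggNT.des]" is this test. Returns the foreign
 * module's name, or NULL when the entry is clean or the jump stays in-module. */
const char *inline_hook_handler(const module_t *mods, size_t n, const char *func_mod,
                                uint32_t func, const uint8_t *code, size_t len) {
    uint32_t target;
    if (!detect_relative_jump(func, code, len, &target)) return NULL;
    const char *owner = owner_of(mods, n, target);
    return strcmp(owner, func_mod) == 0 ? NULL : owner;
}

/* Table-entry check (SSDT or IDT): the handler must live inside the table's
 * legitimate owner, ntoskrnl.exe. Returns the foreign owner, or NULL if clean. */
const char *table_hook_handler(uint32_t handler) {
    const char *owner = owner_of(g_kernel_mods, 2, handler);
    return strcmp(owner, "ntoskrnl.exe") == 0 ? NULL : owner;
}

int main(void) {
    /* Constructed stub: the first bytes of kernel32!GetProcAddress (0x7C80AC28
     * in the GameGuard listing) after being patched to jump into npggNT.des. */
    uint8_t stub[8] = {0};
    encode_relative_jump(0x7C80AC28u, 0x10005000u, stub);
    const char *h = inline_hook_handler(g_user_mods, 2, "kernel32.dll",
                                        0x7C80AC28u, stub, sizeof stub);
    printf("GetProcAddress: %s\n", h ? h : "clean");

    /* SSDT entry for NtReadVirtualMemory from the HackShield listing. */
    h = table_hook_handler(0xF7609FF0u);
    printf("NtReadVirtualMemory SSDT entry: %s\n", h ? h : "clean");
    return 0;
}
```

On a live system the module ranges come from the loaded-module list and the bytes from reading the target process or the kernel image, which is exactly why both products hook ReadProcessMemory/NtReadVirtualMemory: a scanner that cannot read the memory cannot run this check. Note also that the entry "ntoskrnl.exe+0x00004AA2 ... hook handler located in [ntoskrnl.exe]", which appears under both products, passes the owner test; a jump that stays inside ntoskrnl.exe is not attributed to either driver.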
I prefer reading more conventional articles... written this way I actually don't feel like reading it...