Posted By Inking
This article is a study of rootkits, written after reading "The Magic of SSDT Hooks: Countering Ring0 Inline Hooks", and it records my results. According to that article, IceSword inline-hooks the NtOpenProcess() function, but when I wrote out the code I still could not close IceSword no matter what I tried. Only after debugging did I find that my version of IceSword hooks not only NtOpenProcess() but also NtTerminateProcess(), again with an inline hook. On top of that, I had got the range of NtTerminateProcess()'s index into the SSDT wrong, so it took me a whole day to find the cause. Really tiring.
The code is basically very similar to the code in "The Magic of SSDT Hooks: Countering Ring0 Inline Hooks"; it only adds the part that handles the NtTerminateProcess() hook. While writing that part I ran into a problem: I did not know how to obtain the address of NtTerminateProcess(). Here I do it by reading the contents of the SSDT, but this approach is not very good: what if the SSDT has already been modified beforehand? I also looked for related material, but the method I found works by scanning for NtTerminateProcess()'s signature bytes, and I do not know whether there is a better way.
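The worry above, that an SSDT entry cannot be trusted once the table has been patched, is exactly what a hook detector checks before using such an address. The following is an added example, my own code and not from the original post or from IceSword: it flags SSDT entries that point outside the ntoskrnl image (an SSDT hook) and scans the routine's first bytes for a relative JMP or push/ret redirect (an inline hook of the kind described for IceSword). The kernel base and size, the service addresses and the byte sequences are constructed placeholders; a real driver would take them from the loaded-module list and from the SSDT itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed 32-bit layout: ntoskrnl occupies [NTOS_BASE, NTOS_BASE + NTOS_SIZE).
 * Placeholder values; a real driver reads them from the loaded-module list. */
#define NTOS_BASE 0x80400000u
#define NTOS_SIZE 0x00200000u

enum hook_kind { HOOK_NONE = 0, HOOK_SSDT = 1, HOOK_INLINE = 2 };

/* Constructed samples: an untouched XP-style prologue (mov edi,edi; push ebp; mov ebp,esp)
 * and the same entry after an inline "jmp 0xF8A01000" (E9 rel32) was written over it. */
const uint8_t SAMPLE_CLEAN[6]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x00 };
const uint8_t SAMPLE_HOOKED[6] = { 0xE9, 0xFB, 0x0F, 0x50, 0x78, 0xEC };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* SSDT check: a service address outside the kernel image means the table entry
 * itself was redirected into some other driver. */
int ssdt_entry_hooked(uint32_t service_addr)
{
    return !(service_addr >= NTOS_BASE && service_addr < NTOS_BASE + NTOS_SIZE);
}

/* Inline-hook check on the routine's first bytes: a near relative JMP (E9 rel32)
 * or a "push imm32; ret" pair. Returns the redirect target, or 0 if untouched. */
uint32_t inline_hook_target(uint32_t func_addr, const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return func_addr + 5 + read_le32(code + 1);   /* rel32 is relative to the next insn */
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return read_le32(code + 1);
    return 0;
}

/* Combined verdict for one SSDT entry, given the bytes read at its address. */
int classify_service(uint32_t service_addr, const uint8_t *code, size_t len, uint32_t *target)
{
    if (ssdt_entry_hooked(service_addr)) { *target = service_addr; return HOOK_SSDT; }
    *target = inline_hook_target(service_addr, code, len);
    return *target ? HOOK_INLINE : HOOK_NONE;
}

int main(void)
{
    uint32_t t;
    int k = classify_service(0x80500000u, SAMPLE_HOOKED, sizeof SAMPLE_HOOKED, &t);
    printf("kind=%d target=%08" PRIx32 "\n", k, t);   /* prints kind=2 target=f8a01000 */
    return 0;
}
```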
The project archive includes the version of IceSword I used, so that version differences do not cause the experiment to fail; it can be downloaded from here. Since I have not written code to load the driver or to terminate IceSword, when testing please load the driver with another tool and then try to close IceSword from Task Manager.