[Old article repost] Methods for hiding a driver

Originally published on Baidu Space, 2009-07-06
==========================================================================

The following is from www.rootkit.com:

Driver hiding based on the following methods:
1. removing the module from PsLoadedModuleList (that passed some old rootkit detectors)
2. removing the object from the ObjectDirectory (that bypassed GMER, IceSword and some others)
3. removing the module from DriverObjects
4. removing the module from DeviceObjects
5. memzero of the POBJECT_HEADER (that finally bypasses DarkSpy)
6. fake thread start address (to be sure that the antirootkit will not show "unknown thread")
7. using a non-usual wait function to bypass the "Stealth Walker" detection method of our Rootkit Unhooker AntiRootkit.

==================================== I am the evil divider ==================================
The following is from killvxk:

"HideObject and unlinking (both the TypeList and the module list are unlinked) are already done~
Also made a copy of IoDeviceObjectType, then rewrote my own object_header~~
Hehe~~
Enumerating drivers now needs a sneaky new technique~
Searching memory for the FileObject and SectionObject~~
combined with the PE format~"

The methods for hiding a driver are basically all listed above~
Of course, these are the "orthodox" hiding methods, not something as evil as ReloadandRun~~
Does anyone need more details?
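To make method 1 of the rootkit.com list concrete, and to show why killvxk's memory-scan approach still finds the driver afterwards, here is an added example (not code from the original post, from rootkit.com, or from killvxk). It is a user-mode C model: `MODULE_ENTRY` and `g_loaded_module_list` are stand-ins for LDR_DATA_TABLE_ENTRY and PsLoadedModuleList, the three "images" are constructed pages carrying only an "MZ" header, and nothing touches a real kernel. The real LDR_DATA_TABLE_ENTRY layout is undocumented and version-specific; only the list-link manipulation and the cross-view idea carry over.

```c
/* Added example: DKOM unlink from the loaded-module list (method 1) next to a
 * cross-view detector that scans memory for PE images instead of walking the
 * list. All structures, names and images here are constructed stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Minimal stand-in for LDR_DATA_TABLE_ENTRY: only the fields the example uses.
 * InLoadOrderLinks is first, as in the real structure, so a list node maps
 * straight back to its entry. */
typedef struct _MODULE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    uint8_t   *DllBase;          /* image base inside the constructed pool */
    uint32_t   SizeOfImage;
    char       BaseDllName[32];
} MODULE_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define NUM_MODULES 3
#define IMAGE_SIZE  0x1000
static uint8_t      g_pool[NUM_MODULES * IMAGE_SIZE]; /* constructed "kernel pool" */
static MODULE_ENTRY g_entries[NUM_MODULES];
static LIST_ENTRY   g_loaded_module_list;             /* stand-in for PsLoadedModuleList */

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* The DKOM unlink: both neighbours skip the entry. The entry is then pointed at
 * itself, so anything still holding a pointer to it (the driver's own
 * DriverSection, for instance) can walk from it without hitting stale links. */
static void list_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* Build three constructed images, each with just an "MZ" header, and link them. */
void build_modules(void) {
    static const char *names[NUM_MODULES] = { "driverA.sys", "hidden.sys", "driverB.sys" };
    list_init(&g_loaded_module_list);
    memset(g_pool, 0, sizeof g_pool);
    memset(g_entries, 0, sizeof g_entries);
    for (int i = 0; i < NUM_MODULES; i++) {
        uint8_t *img = g_pool + (size_t)i * IMAGE_SIZE;
        img[0] = 'M'; img[1] = 'Z';                      /* IMAGE_DOS_SIGNATURE */
        g_entries[i].DllBase = img;
        g_entries[i].SizeOfImage = IMAGE_SIZE;
        snprintf(g_entries[i].BaseDllName, sizeof g_entries[i].BaseDllName, "%s", names[i]);
        list_insert_tail(&g_loaded_module_list, &g_entries[i].InLoadOrderLinks);
    }
}

/* Method 1: find the entry by name and unlink it. Returns 1 if unlinked, 0 if not listed. */
int hide_module(const char *name) {
    for (LIST_ENTRY *p = g_loaded_module_list.Flink; p != &g_loaded_module_list; p = p->Flink) {
        MODULE_ENTRY *m = CONTAINING_RECORD(p, MODULE_ENTRY, InLoadOrderLinks);
        if (strcmp(m->BaseDllName, name) == 0) {
            list_unlink(p);
            return 1;
        }
    }
    return 0;
}

/* What a list-walking detector sees: only the entries still linked. */
int count_listed_modules(void) {
    int n = 0;
    for (LIST_ENTRY *p = g_loaded_module_list.Flink; p != &g_loaded_module_list; p = p->Flink) n++;
    return n;
}

static int base_is_listed(const uint8_t *base) {
    for (LIST_ENTRY *p = g_loaded_module_list.Flink; p != &g_loaded_module_list; p = p->Flink)
        if (CONTAINING_RECORD(p, MODULE_ENTRY, InLoadOrderLinks)->DllBase == base) return 1;
    return 0;
}

/* Cross-view check: scan the pool page by page for DOS headers. An image that no
 * list entry claims is a hidden module. Unlinking never frees the image itself. */
int count_hidden_modules(void) {
    int hidden = 0;
    for (size_t off = 0; off + 2 <= sizeof g_pool; off += IMAGE_SIZE) {
        const uint8_t *page = g_pool + off;
        if (page[0] == 'M' && page[1] == 'Z' && !base_is_listed(page)) hidden++;
    }
    return hidden;
}

int main(void) {
    build_modules();
    printf("listed before: %d, hidden: %d\n", count_listed_modules(), count_hidden_modules());
    hide_module("hidden.sys");
    printf("listed after:  %d, hidden: %d\n", count_listed_modules(), count_hidden_modules());
    return 0;
}
```

The point the model makes is the one killvxk's comment relies on: the unlink only edits two pointers, so any detector that walks the list (or the DriverObject/DeviceObject lists of methods 3 and 4) loses the entry, while the image pages, the section object and the file object behind them are untouched. A real scanner would validate more than the two-byte DOS signature (PE header, section table, a backing FileObject), but the comparison of "what memory holds" against "what the list admits" is the same.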

Original URL: https://www.cnblogs.com/achillis/p/10181735.html