恢复SSDT的软件!

IceSword只给你看一看哪些地方被改了,却不改回去,真是faint! 
俺只好自己编了个恢复SSDT的软件。
下载地址:http://b.py99.net/zip/f?v=20073/131616209.zip
.386p
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includemacros.asm
include masm32.inc
include debug.inc
include advapi32.inc
includelib debug.lib
includelib masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib advapi32.lib

.data

; --- Backup image in memory (getSSDT.bak) ---------------------------------------------------
; NOTE(review): the separators between label, directive and initialiser were lost in this
; paste ("hFiledd 0" reads as "hFile dd 0", "hMemorydd0" as "hMemory dd 0", and so on);
; as written these lines do not assemble.
hFiledd 0                                ; HANDLE  from CreateFile on getSSDT.bak
hMemorydd0                               ; HGLOBAL from GlobalAlloc (2178944 bytes, zero-initialised)
pMemorydd0                               ; LPVOID  from GlobalLock; ReadFile destination and copy source
FunBasedd0b6a8h                          ; DWORD 0b6a8h, added to the fixed kernel address 0804d8000h
                                         ; before the ring-0 copy; meaning depends on the kernel build - unverified here

; --- Service Control Manager handles used to load the helper driver -------------------------
hSCManagerdd 0                           ; SC_HANDLE from OpenSCManager (SC_MANAGER_CREATE_SERVICE => admin rights)
hServicedd0                              ; SC_HANDLE from CreateService: service "sys", image sys.sys
acDriverPathdb256 dup(0)                 ; 256-byte buffer, filled by GetFullPathName("sys.sys")


; --- Text for the unhandled-exception filter (ExceptCallBack) -------------------------------
szExceptionCaused db 'Exception Caused - could not switch to ring 0',0
szError    db 'Error',0

; Far pointer (offset:selector) consumed by `call fword ptr [Callgt]` in start.
; Offset 0, selector 353h = GDT index 6Ah, RPL 3. Presumably this is a call gate that sys.sys
; installs in the GDT - the driver is not on this page, so confirm before relying on it.
; A ring-3-callable gate in the GDT is exactly what GDT/IDT integrity scanners flag.
Callgt dd 0
    dw 353h

.data?

.code
;-----------------------------------------------------------------------
; ExceptCallBack - unhandled-exception filter installed by start.
; Shows szExceptionCaused / szError in a message box and terminates the
; process with exit code -1. Intended to catch a faulting far call (the
; gate in Callgt is missing or the selector is wrong); it does not attempt
; to resume. Arguments are pushed explicitly (stdcall, right to left).
; Declared without the EXCEPTION_POINTERS* parameter the OS passes; since
; ExitProcess normally does not return, the missing `ret 4` is not reached.
;-----------------------------------------------------------------------
ExceptCallBack PROC
        push    0                       ; uType
        push    offset szError          ; lpCaption
        push    offset szExceptionCaused ; lpText
        push    0                       ; hWnd
        call    MessageBoxA
        push    -1                      ; uExitCode
        call    ExitProcess
        ret
ExceptCallBack ENDP

start: 
; Install a last-chance exception filter: if the far call below faults (no gate installed,
; wrong selector), ExceptCallBack reports "could not switch to ring 0" and exits.
push  offset ExceptCallBack
call  SetUnhandledExceptionFilter

; --- Step 1: load the helper driver through the SCM -----------------------------------------
; Requires SC_MANAGER_CREATE_SERVICE, i.e. an administrative token. The driver is registered,
; started and deleted again in one pass ("load and delete"); the install and removal still
; leave service-installation records in the System event log, which is the natural detection
; point for loaders of this shape.
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
.if eax != NULL
mov hSCManager, eax

; Resolve "sys.sys" relative to the current directory (no path validation). The pushed eax
; slot doubles as the lpFilePart out-parameter (esp points at it); the pop discards it.
push eax
invoke GetFullPathName, CTXT("sys.sys",0), sizeof acDriverPath, addr acDriverPath, esp
  pop eax

; Register driver in SCM active database: service "sys", display name "System",
; kernel driver, demand start, acDriverPath as image.
invoke CreateService, hSCManager, CTXT("sys"), CTXT("System"), \
SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
.if eax != NULL
mov hService, eax
invoke StartService, hService, 0, NULL     ; return value not checked; a failed start still reaches the ring-0 code below
; NOTE(review): the original comments here ("beeper.sys plays its nice melody ...") look
; copied from a sample loader and do not describe sys.sys, whose source is not on this page.
; Presumably sys.sys installs the call gate referenced by Callgt - TODO confirm.
; Remove driver from SCM database
invoke DeleteService, hService
invoke CloseServiceHandle, hService
.else
invoke MessageBox, NULL, CTXT("Can't register driver."), NULL, MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager
.else
invoke MessageBox, NULL, CTXT("Can't connect to Service Control Manager."), \
NULL, MB_ICONSTOP
.endif
; NOTE(review): on either SCM failure execution simply continues; only the exception filter
; stands between a missing driver and a fault on the far call.

; --- Step 2: read the saved table image (getSSDT.bak) into a 2178944-byte buffer -----------
; GlobalAlloc / GlobalLock results are not checked, so a NULL pMemory would reach ReadFile.
invoke GlobalAlloc,GMEM_MOVEABLE or GMEM_ZEROINIT,2178944
      mov  hMemory,eax
      invoke GlobalLock,hMemory
      mov  pMemory,eax

invoke CreateFile, CTXT("getSSDT.bak",0), GENERIC_READ or GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL

; On open failure the Chinese text ("failed to open file!") is shown, then `jmp Exit` -
; which also shows the "SSDT restored" success box and calls CloseHandle on hFile = 0
; (see Exit below). A separate failure exit would be cleaner.
; NOTE(review): INVALID_HANDLE_value is lower-case here; under `option casemap:none` this
; does not match INVALID_HANDLE_VALUE from windows.inc.
.if eax == INVALID_HANDLE_value
invoke MessageBox, NULL, CTXT("打开文件失败!",0), CTXT("打开文件失败!",0), MB_OK or MB_ICONHAND
jmp Exit
.endif

mov hFile, eax
; (reads as: invoke ReadFile, ...; the space was lost in this paste.)
; lpNumberOfBytesRead = esp, i.e. the stack slot holding the lpOverlapped argument just pushed.
; Neither the return value nor the byte count is examined, so a short or empty file is still
; copied into the kernel below.
invokeReadFile, hFile, pMemory, 2178944, esp, 0


; --- Step 3: enter ring 0 through the call gate and overwrite kernel memory -----------------
; Everything from the far call to `retf` runs at ring 0 with interrupts disabled. The code
; assumes the gate target returns near, leaving only CS, ESP and SS of the ring-3 frame on
; the ring-0 stack: that is why [esp+4] is treated as the ring-3 ESP and why
; `push offset Exit` + `retf` rebuild a far return. This layout depends entirely on the
; driver and cannot be verified from this page.
call    fword ptr [Callgt]            ;use callgate to Ring0!

mov eax,esp  ;save ring0 esp
mov esp,[esp+4];->ring3 esp
push eax

cli
; Destination is a hard-coded kernel address (0804d8000h + FunBase) that is only meaningful
; for one specific kernel build; on any other build the 0470h bytes land on unrelated memory.
; Source is the start of the file image (the matching FunBase adjustment for esi is commented
; out), so getSSDT.bak is assumed to hold exactly the region being restored - TODO confirm
; how that file is produced. Nothing checks that the image belongs to this kernel.
mov edi,0804d8000h ;copy MyIntCode to End Idt+1
add edi,FunBase
mov esi,pMemory
;add esi,FunBase
mov ecx,0470h; 0470h bytes (284 dwords if these are 32-bit entries); author's note: Rising (瑞星) AV inline hook -
              ; i.e. the region the AV hooked is overwritten, which unhooks that security product
cld
rep movsb
sti

pop esp  ;restore ring0 esp
push offset Exit
retf

Exit:
; Reached both from the ring-0 return and from the CreateFile-failure jmp above, so the
; success message ("SSDT restored successfully") is shown even when nothing was copied.
invoke MessageBox, NULL, CTXT("已成功恢复SSDT",0), CTXT("Success",0), MB_OK
invoke CloseHandle,hFile
invoke GlobalUnlock,pMemory
invoke GlobalFree,hMemory
invoke ExitProcess,NULL
end start