Windows driver material collected by others


Windows Rootkits Links

[ 1] Avoiding Windows Rootkit Detection/Bypassing PatchFinder 2 - Edgar Barbosa [2004-02-17]
http://www.geocities.com/embarbosa/bypass/bypassEPA.pdf

[ 2] TOCTOU with NT System Service Hooking
http://www.securityfocus.com/archive/1/348570

TOCTOU with NT System Service Hooking Bug Demo
http://www.securesize.com/Resources/hookdemo.shtml
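The bug behind [2] is a double fetch: a hook validates an argument that lives in user memory, then hands the original user pointer on to the real service, which reads the argument a second time, and a second thread changes it in between. The following user-mode C model is an added example, not code from the page or from the linked posts; the names (hooked_open_vulnerable, hooked_open_fixed, real_open, the path policy) are hypothetical, and the race window is driven by a callback so the demonstration is deterministic rather than depending on scheduling. The fixed variant captures the argument once into memory the caller cannot touch; in a real driver that copy would sit under ProbeForRead and a __try/__except.

```c
/* Added example: models the TOCTOU (double-fetch) bug in NT system service
 * hooks.  The hook checks a user-mode argument, then the real service
 * re-reads the same user memory, so check and use can see different data.
 * User-mode model only; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The "user-mode" argument block: the path the caller wants opened. */
struct open_args {
    char path[64];
};

/* Hook policy: refuse anything under \??\C:\secret */
static bool path_allowed(const char *path)
{
    return strncmp(path, "\\??\\C:\\secret", 13) != 0;
}

/* The real service: records which path it actually opened. */
static char last_opened[64];
static int real_open(const struct open_args *a)
{
    strncpy(last_opened, a->path, sizeof last_opened - 1);
    last_opened[sizeof last_opened - 1] = '\0';
    return 0;
}

/* The race window.  In the kernel this is the other thread being
 * scheduled after the hook's check; here the caller supplies it as a
 * callback so the demonstration is deterministic. */
typedef void (*race_fn)(struct open_args *user_args);

/* Vulnerable hook: validates user memory, then re-reads it via real_open. */
static int hooked_open_vulnerable(struct open_args *user_args, race_fn race)
{
    if (!path_allowed(user_args->path))     /* fetch #1: the check */
        return -1;                          /* access denied */
    if (race) race(user_args);              /* attacker rewrites the buffer */
    return real_open(user_args);            /* fetch #2: the use */
}

/* Fixed hook: copy the argument ONCE into kernel-owned storage, check the
 * copy, and call the real service with the copy.  A real driver would do
 * the copy under ProbeForRead/__try-__except; here it is a plain memcpy. */
static int hooked_open_fixed(struct open_args *user_args, race_fn race)
{
    struct open_args captured;
    memcpy(&captured, user_args, sizeof captured);   /* single fetch */
    if (!path_allowed(captured.path))
        return -1;
    if (race) race(user_args);              /* too late: we use the copy */
    return real_open(&captured);
}

/* Attacker's second thread: swap the benign path for the protected one. */
static void flip_to_secret(struct open_args *user_args)
{
    strcpy(user_args->path, "\\??\\C:\\secret\\sam");
}

/* Runs one hook against the racing attacker.  Returns true if the
 * protected path was opened even though the policy forbids it. */
bool demo(int (*hook)(struct open_args *, race_fn))
{
    struct open_args args;
    strcpy(args.path, "\\??\\C:\\public\\readme.txt");
    last_opened[0] = '\0';
    int status = hook(&args, flip_to_secret);
    return status == 0 && !path_allowed(last_opened);
}

int main(void)
{
    printf("vulnerable hook bypassed: %s\n", demo(hooked_open_vulnerable) ? "yes" : "no");
    printf("fixed hook bypassed:      %s\n", demo(hooked_open_fixed) ? "yes" : "no");
    return 0;
}
```

The point of the fixed variant is not the extra check but where the data comes from: the real service is given the captured copy, so whatever the user thread does to its own buffer after the check no longer matters.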

[ 3] Hooking Windows NT System Services
http://www.windowsitlibrary.com/content/356/06/1.html
http://www.windowsitlibrary.com/content/356/06/2.html

[ 4] NTIllusion: A portable Win32 userland rootkit - Kdm <Kodmaker@syshell.org>
http://www.phrack.org/phrack/62/p62-0x0c_Win32_Portable_Userland_Rootkit.txt

[ 5] Kernel-mode backdoors for Windows NT - firew0rker <firew0rker@nteam.ru>
http://www.phrack.org/phrack/62/p62-0x06_Kernel_Mode_Backdoors_for_Windows_NT.txt

[ 6] Win2K Kernel Hidden Process/Module Checker 0.1 (Proof-Of-Concept) - Tan Chew Keong [2004-05-23]
http://www.security.org.sg/code/kproccheck.html
http://www.security.org.sg/code/KProcCheck-0.1.zip
http://www.security.org.sg/code/KProcCheck-0.2beta1.zip

[ 7] port/connection hiding - akcom[2004-06-18]
http://www.rootkit.com/newsread_print.php?newsid=143

[ 8] Process Invincibility - metro_mystery[2004-06-13]
http://www.rootkit.com/newsread_print.php?newsid=139

[ 9] KCode Patching - hoglund[2004-06-06]
http://www.rootkit.com/newsread_print.php?newsid=152
http://www.rootkit.com/vault/hoglund/migbot.zip

[10] Hiding Window Handles through Shadow Table Hooking on Windows XP - metro_mystery [2004-06-12]
http://www.rootkit.com/newsread_print.php?newsid=137

[11] hooking functions not exported by ntoskrnl - akcom[2004-07-02]
http://www.rootkit.com/newsread_print.php?newsid=151

[12] A method to get the address of PsLoadedModuleList - stoneclever [2004-06-10]
http://www.rootkit.com/newsread_print.php?newsid=135

[13] Fun with Kernel Structures (Plus FU all over again) - fuzen_op [2004-06-08]
http://www.rootkit.com/newsread_print.php?newsid=134
http://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip

[14] Getting Kernel Variables from KdVersionBlock, Part 2 - ionescu007 [2004-07-11]
http://www.rootkit.com/newsread_print.php?newsid=153

[15] Bypass Scheduler List Process Detection - SoBeIt <kinvis@hotmail.com> [2004-04-25]
http://www.rootkit.com/newsread_print.php?newsid=117

[16] Detecting Hidden Processes by Hooking the SwapContext Function - kkasslin [2004-08-03]
http://www.rootkit.com/newsread_print.php?newsid=170

[17] Loading Rootkit using SystemLoadAndCallImage - Greg Hoglund <hoglund@ieway.com> [2000-08-29]
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0114.html
http://seclists.org/lists/bugtraq/2000/Aug/0408.html
http://marc.theaimsgroup.com/?l=ntbugtraq&m=96766147118874&w=2
http://www.securityfocus.com/archive/1/79379/2002-11-30/2002-12-06/0

[18] A *REAL* NT Rootkit, patching the NT Kernel - Greg Hoglund <hoglund@ieway.com> [1999-09-09]
http://www.phrack.org/phrack/55/P55-05

[19] Win2K/XP SDT Restore 0.2 (Proof-Of-Concept) - Tan Chew Keong [2004-10-01]
http://www.security.org.sg/code/sdtrestore.html
http://www.security.org.sg/code/SDTrestore-0.1.zip
http://www.security.org.sg/code/SDTrestore-0.2.zip

Disabling Sebek Win32 Client by Direct Service Table Restoration - Tan Chew Keong [2004-07-17]
http://www.security.org.sg/vuln/sebek215-2.html

[20] Sebek is a tool to capture the attacker's activities on a honeypot
http://www.honeynet.org/tools/sebek/

Sebek client for Win2000 and WinXP
http://www.honeynet.org/tools/sebek/sebek-win32-2.1.5-src.zip

[21] Advanced Windows 2000 Rootkits Detection - Jan K. Rutkowski <jkrutkowski@elka.pw.edu.pl>
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-r2.pdf
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/rutkowski-antirootkit.zip

[22] Windows Key Logging and Counter-Measures - Chew Keong TAN <chewkeong@hotmail.com>
http://pachome2.pacific.net.sg/~chewkeong/keylogr.pdf

[23] Windows NT System-Call Hooking/Dr. Dobb's Journal January 1997 - Mark Russinovich <mark@osr.com> and Bryce Cogswell <cogswell@cs.uoregon.edu>
http://www.exetools.com/forum/showthread.php?p=23296
http://www.exetools.com/forum/attachment.php?attachmentid=1751(9701.rar 253.6KB)
(a minimum of three forum posts is required to download the attachment)

[24] Kernel Filter Driver Example & Article (very good)
Designing A Kernel Key Logger/A Filter Driver Tutorial - Clandestiny <clandestiny@despammed.com> [2004-09-01]
http://www.woodmann.net/forum/showthread.php?t=6312
http://www.woodmann.net/forum/attachment.php?attachmentid=1084(Klog 1.0.zip 139.8KB)

[25] Hide'n'Seek? Anatomy of Stealth Malware
http://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-erdelyi/bh-eu-04-erdelyi-paper.pdf
(an overview of rootkit hiding techniques; not much of value)

[26] A more stable way to locate real KiServiceTable - 90210 [2004-08-12]
http://www.rootkit.com/newsread_print.php?newsid=176

[27] Bypassing SDT Restore tool - Opc0de[2004-10-11]
http://www.rootkit.com/newsread_print.php?newsid=200
http://www.rootkit.com/vault/Opc0de/Bypassing_SDT_Restore.zip
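Items [19] and [27] are two sides of the same check: SDTrestore-style tools compare the in-memory system service table against what the kernel image on disk says it should contain, and a rootkit that wants to survive has to leave that table looking clean. The following C is an added example of the comparison, written for this page with constructed data rather than taken from SDTrestore or any linked code. It models two tests per entry: the live pointer must lie inside the ntoskrnl image (a pointer into a third-party driver fails this immediately), and it must equal the address reconstructed from the on-disk kernel. The image base, size, RVAs and live pointers below are hypothetical; a real tool reads the absolute addresses from the on-disk table and rebases them (subtract the preferred ImageBase, add the actual load base), which is what the RVA form here stands for.

```c
/* Added example: integrity check of a system service table against the
 * on-disk kernel, modelled in user mode with constructed data.  Check 1:
 * live pointer inside the ntoskrnl image.  Check 2: live pointer equals
 * base + RVA taken from the clean image.  A hook that points at patched
 * code inside the image passes check 1 and fails check 2; an inline hook
 * at the target function itself leaves the table untouched and is not
 * seen by either check. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SDT_ENTRIES 8   /* toy size; the real table is far larger */

struct kernel_image { uintptr_t base; size_t size; };

struct sdt_finding {
    unsigned  index;
    uintptr_t live;
    uintptr_t expected;
    bool      outside_kernel;   /* points outside the ntoskrnl image */
};

/* clean_rva[i] is the rebased address of service i from ntoskrnl on disk,
 * expressed as an offset from the image base; live[i] is the pointer found
 * in the in-memory table.  Returns the number of mismatching entries and
 * fills up to max_out findings. */
unsigned check_sdt(const struct kernel_image *k,
                   const uintptr_t *live, const uint32_t *clean_rva,
                   unsigned n, struct sdt_finding *out, unsigned max_out)
{
    unsigned found = 0;
    for (unsigned i = 0; i < n; i++) {
        uintptr_t expected = k->base + clean_rva[i];
        bool inside = live[i] >= k->base && live[i] < k->base + k->size;
        if (live[i] == expected)
            continue;                       /* entry is as the clean image says */
        if (found < max_out) {
            out[found].index = i;
            out[found].live = live[i];
            out[found].expected = expected;
            out[found].outside_kernel = !inside;
        }
        found++;
    }
    return found;
}

/* Constructed sample (hypothetical values): an XP-era ntoskrnl mapped at
 * 0x804d7000, eight service RVAs from the on-disk image, and a live table
 * with two hooked entries. */
const struct kernel_image demo_kernel = { 0x804d7000u, 0x1f0000u };

const uint32_t demo_clean_rva[SDT_ENTRIES] = {
    0x0b9f72, 0x0ba1c4, 0x0c2f80, 0x0c3a10,
    0x0d0114, 0x0d1290, 0x0e0040, 0x0e07c8
};

const uintptr_t demo_live[SDT_ENTRIES] = {
    0x804d7000u + 0x0b9f72, 0x804d7000u + 0x0ba1c4,
    0xf8a1c200u,                 /* index 2: points into a rootkit driver */
    0x804d7000u + 0x0c3a10, 0x804d7000u + 0x0d0114,
    0x804d7000u + 0x001234,      /* index 5: inside ntoskrnl, but not the real service */
    0x804d7000u + 0x0e0040, 0x804d7000u + 0x0e07c8
};

int main(void)
{
    struct sdt_finding f[SDT_ENTRIES];
    unsigned n = check_sdt(&demo_kernel, demo_live, demo_clean_rva,
                           SDT_ENTRIES, f, SDT_ENTRIES);
    printf("%u hooked entries\n", n);
    for (unsigned i = 0; i < n; i++)
        printf("  service %u: live %#lx expected %#lx%s\n", f[i].index,
               (unsigned long)f[i].live, (unsigned long)f[i].expected,
               f[i].outside_kernel ? " (outside ntoskrnl)" : "");
    return 0;
}
```

Restoring is then a matter of writing `expected` back over `live` for each finding, which is what the "restore" in SDTrestore does; the check only has meaning if the table it reads is the one the dispatcher actually uses, which is the problem [26] is about.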

[28] Writing Trojans that bypass Windows XP Service Pack 2 Firewall - <americanidiot@hushmail.com> [2004-10-12]
http://marc.theaimsgroup.com/?l=full-disclosure&m=109759186016337&w=2

[29] Concepts for the Stealth Windows Rootkit - Joanna Rutkowska <joanna@mailsnare.net> [2003-09]
http://invisiblethings.org/papers/chameleon_concepts.pdf

[30] Rootkits Detection on Windows Systems - Joanna Rutkowska <joanna@invisiblethings.org> [2004-10]
http://invisiblethings.org/papers/ITUnderground2004_Win_rtks_detection.ppt

[31] OMCD - Open Methodology for Compromise Detection by Joanna Rutkowska <omcd@isecom.org>
http://www.isecom.org/projects/omcd.shtml
http://isecom.securenetltd.com/omcs.outline.v.0.1.pdf

[32] Windows rootkits of 2005 - James Butler <james.butler@hbgary.com>, Sherri Sparks <ssparks@longwood.cs.ucf.edu> [2005-11-04]
http://www.securityfocus.com/infocus/1850
http://www.securityfocus.com/infocus/1851
http://www.securityfocus.com/infocus/1854

http://www.securityfocus.com/print/infocus/1850
http://www.securityfocus.com/print/infocus/1851
http://www.securityfocus.com/print/infocus/1854
(recommended by xuna)

[33] Implementing malware with virtual machines - Samuel T. King, Peter M. Chen
http://www.eecs.umich.edu/Rio/papers/king06.pdf

how to detect VMM using (almost) one CPU instruction - Joanna Rutkowska <joanna@invisiblethings.org>
http://invisiblethings.org/tools/redpill.c
http://invisiblethings.org/tools/redpill.exe

Generically Determining the Presence of Virtual Machines - valsmith [2006-03-17]
http://www.offensivecomputing.net/?q=node/172
http://www.offensivecomputing.net/./files/active/0/vm.pdf
http://www.offensivecomputing.net/./files/active/0/nopill.cpp
http://www.offensivecomputing.net/./files/active/0/nopill.exe

Links on Windows file system driver programming

[ 1] What's in a Name? - Cracking Rename Operations
http://www.osronline.com/article.cfm?id=85
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=85

[ 2] Filtering the Riff-Raff - Observations on File System Filter Drivers
http://www.osronline.com/article.cfm?id=34
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=34

[ 3] Tracking State and Context - Reference Counting for File System Filter Drivers
http://www.osronline.com/article.cfm?id=102
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=102

[ 4] Redirecting Create Requests - [2005-04-20]
http://www.osronline.com/article.cfm?article=397
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=397
http://www.osronline.com/OsrDown.cfm/redirect.zip?name=redirect.zip&id=87

[ 5] Meandering Through the Object Manager/How to Get From Create to a Target Device Object - [2005-03-16]
http://www.osronline.com/article.cfm?article=381
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=381

[ 6] The Transactional File System (TxFS) in Windows - [2005-04-20]
http://www.osronline.com/article.cfm?article=398
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=398

[ 7] Writing a File System Minifilter(Pitfalls, Hints and Tips) - Rod Widdowson [2005-11-16]
http://www.osronline.com/article.cfm?id=424
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=424

[ 8] File Systems & XP/New File Systems Material in Windows XP - [2001-08-15]
http://www.osronline.com/article.cfm?id=33
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=33

[ 9] Tunneling/Name Tunneling in Windows 2000 File Systems - [2001-06-15]
http://www.osronline.com/article.cfm?article=22
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=22

[10] What's in a Name?/Cracking Rename Operations - [1997-04-15]
http://www.osronline.com/article.cfm?article=85
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=85

[11] File System Filter Context/Observations and Comments - [2004-12-09]
http://www.osronline.com/article.cfm?article=356
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=356

[12] Caching in Network File Systems - [2003-05-09]
http://www.osronline.com/article.cfm?article=226
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=226

[13] One Special Case/Testing File Systems - [2004-08-18]
http://www.osronline.com/article.cfm?article=320
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=320

[14] Finding File Contents in Memory - [2004-03-12]
http://www.osronline.com/article.cfm?article=280
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=280

[15] Are You Being SRVed?/The Lan Manager File Server on NT - [1996-08-15]
http://www.osronline.com/article.cfm?article=89
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=89

[16] Going Native/Using the NT API for File I/O - [1996-06-15]
http://www.osronline.com/article.cfm?id=91
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=91
http://www.osronline.com/OsrDown.cfm/native.zip?name=native.zip&id=91

[17] Cache Me if You Can/Using the NT Cache Manager - [1996-04-15]
http://www.osronline.com/article.cfm?id=167
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=167

[18] Emerging Issues in IoCancelFileOpen - [2003-03-06]
http://www.osronline.com/article.cfm?article=219
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=219

Links on Windows device driver programming

[ 1] Getting DbgPrint Output To Appear In Longhorn
http://www.osronline.com/article.cfm?id=295
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=295

[ 2] Scheduling, Thread Context, and IRQL - [2006-04-28]
http://www.microsoft.com/taiwan/whdc/driver/kernel/IRQL.mspx
http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/IRQL_thread.doc

[ 3] Handling IRPs: What Every Driver Writer Needs to Know - [2003-07-15]
http://msdn.microsoft.com/library/en-us/dndevice/html/IRP_Handle.asp?frame=true
http://www.microsoft.com/whdc/driver/kernel/IRPs.mspx
http://download.microsoft.com/download/5/7/7/577a5684-8a83-43ae-9272-ff260a9c20e2/IRPs.doc

NDIS driver programming resources

[ 1] Simple NDIS Hooking Based Firewall for NT4/2000
http://ntdev.h1.ru/ndis_fw.html
http://ntdev.h1.ru/ndis_fw.zip

[ 2] Simple TDI-Based Open Source Personal Firewall for Windows NT4/2000/XP/2003
http://sourceforge.net/projects/tdifw
http://optusnet.dl.sourceforge.net/sourceforge/tdifw/tdifw-1.3.2.zip

[ 3] http://dream.net9.org/~driver/restrict/PCAUSA/pcausa.zip (not the latest version)

[ 4] Firewall for Windows 9x/ME/NT/2000/XP - Vadim V.Smirnov
http://www.ntkernel.com/articles/firewalleng.shtml

[ 5] How to implement a Firewall-Hook Driver(cool and undocumented)
http://www.codeproject.com/internet/FwHookDrv.asp
http://www.codeproject.com/internet/FwHookDrv/FwHookDrv_src.zip

[ 6] Windows Network Data And Packet Filtering Frequently Asked Questions (includes a Network Architecture Diagram)
http://www.pcausa.com/resources/winpktfilter.htm

[ 7] Network Architecture in Windows NT-based Operating Systems
http://plasmic.com/~vizzini/ntnetarch.html

[ 8] Ntpacket.exe: Updated Windows NT 4.0 NDIS 3.0 Packet Sample Available
http://support.microsoft.com/default.aspx?scid=kb;EN-US;238652
ftp://ftp.microsoft.com/Softlib/MSLFILES/Ntpacket.exe

Bugs in the NT DDK Packet Protocol Driver Sample
http://www.panix.com/~perin/packetbugs.html

[ 9] EthernetSpy
http://telemat.det.unifi.it/book/EthernetSpy/EthernetSpy.zip

[10] BriProto NDIS Protocol Driver Project Files
http://adaptive4.ucsd.edu/projects/briproto_driver/files/BriProto.2003.08.01.1218.zip
http://adaptive4.ucsd.edu/projects/briproto_driver/doc/

[11] A RARP Server(source code)
http://www.panix.com/~perin/rarpd.zip

[12] NDIS "Packet" Discussion (introduces NDIS_PACKET and NDIS_BUFFER)
http://www.pcausa.com/resources/ndispacket.htm
http://www.pcausa.com/resources/ndispacket_decode.htm
http://www.pcausa.com/resources/readonpacket.htm

NDIS_PACKET Discussion Part 2 - NDIS_PACKET Reserved Areas
http://www.ndis.com/papers/ndispacket/ndispacket2.htm

[13] Workaround To Circumvent ProtocolReceive Faults Caused By Some Faulty NDIS Miniport Drivers
http://www.pcausa.com/support/KB03080201.htm

[14] Conditions Needed For ReceivePacketHandler To Be Called
http://www.pcausa.com/support/KB07130001.htm

[15] http://www.rhyshaden.com/ethernet.htm (describes the 802.1p frame format)
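The 802.1p priority bits travel inside an IEEE 802.1Q tag inserted between the source MAC and the EtherType, so a packet filter that only knows untagged Ethernet II will read the tag as the EtherType and mis-locate the IP header. The following parser is an added example written for this page (not code from the linked site or from any of the firewall projects above): it parses the Ethernet II header, handles an optional 802.1Q tag, and refuses frames too short for the header they claim to carry, which is the length check a protocol driver's receive handler has to do against the look-ahead buffer before touching any field. The frame bytes are constructed for the demo, not captured traffic.

```c
/* Added example: parse an Ethernet II header with an optional IEEE 802.1Q
 * tag (TPID 0x8100, then a 16-bit TCI: 3-bit PCP = 802.1p priority,
 * 1-bit DEI, 12-bit VID) and locate the payload.  Sample frames are
 * constructed, not captured. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN       6
#define ETHERTYPE_VLAN 0x8100   /* 802.1Q tag protocol identifier */
#define ETHERTYPE_IP   0x0800

struct eth_hdr_info {
    uint8_t  dst[ETH_ALEN];
    uint8_t  src[ETH_ALEN];
    bool     tagged;        /* 802.1Q tag present */
    uint8_t  pcp;           /* 802.1p priority, 3 bits */
    bool     dei;           /* drop eligible indicator, 1 bit */
    uint16_t vid;           /* VLAN id, 12 bits */
    uint16_t ethertype;     /* payload protocol after any tag */
    size_t   payload_off;   /* offset of the payload within the frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Returns true on success.  Fails if the frame is shorter than the header
 * it claims to carry (14 bytes untagged, 18 bytes with an 802.1Q tag). */
bool parse_eth(const uint8_t *frame, size_t len, struct eth_hdr_info *out)
{
    if (len < 14)
        return false;
    memset(out, 0, sizeof *out);
    memcpy(out->dst, frame, ETH_ALEN);
    memcpy(out->src, frame + ETH_ALEN, ETH_ALEN);

    size_t   off  = 12;
    uint16_t type = be16(frame + off);
    if (type == ETHERTYPE_VLAN) {
        if (len < 18)                       /* tag needs 4 more bytes */
            return false;
        uint16_t tci = be16(frame + 14);
        out->tagged = true;
        out->pcp = (uint8_t)(tci >> 13);
        out->dei = (tci >> 12) & 1;
        out->vid = tci & 0x0fff;
        off  = 16;
        type = be16(frame + off);           /* real EtherType follows the tag */
    }
    out->ethertype   = type;
    out->payload_off = off + 2;
    return true;
}

/* Constructed: 802.1Q-tagged frame, PCP 5, DEI 0, VID 100, carrying IPv4. */
const uint8_t tagged_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,   /* dst MAC */
    0x66,0x77,0x88,0x99,0xaa,0xbb,   /* src MAC */
    0x81,0x00,                       /* TPID 0x8100 */
    0xa0,0x64,                       /* TCI: 101 0 000001100100 */
    0x08,0x00,                       /* EtherType IPv4 */
    0x45,0x00                        /* first bytes of the IP header */
};

/* Constructed: the same frame without a tag. */
const uint8_t untagged_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00, 0x45,0x00
};

int main(void)
{
    struct eth_hdr_info h;
    if (parse_eth(tagged_frame, sizeof tagged_frame, &h))
        printf("tagged: pcp=%u dei=%u vid=%u type=%#06x payload@%zu\n",
               h.pcp, h.dei, h.vid, h.ethertype, h.payload_off);
    if (parse_eth(untagged_frame, sizeof untagged_frame, &h))
        printf("untagged: type=%#06x payload@%zu\n", h.ethertype, h.payload_off);
    printf("15-byte tagged frame accepted: %s\n",
           parse_eth(tagged_frame, 15, &h) ? "yes" : "no");
    return 0;
}
```

A filter that decides on `ethertype` and then indexes `frame + payload_off` behaves the same for tagged and untagged traffic; one that hard-codes offset 14 will treat every tagged IPv4 frame as EtherType 0x8100 and let it through unexamined.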

[16] NDIS Driver Compile Flags - Stephan Wolf[2004-03-15]
http://www.wd-3.com/031504/NDISCompile.htm

[17] KNOWLEDGE BASE LINKS STOP MESSAGES (for understanding BSODs)
http://aumha.org/win5/kbestop.htm

[18] Stop 0x0000000A or IRQL_NOT_LESS_OR_EQUAL (explains the four Stop Message parameters)
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prmd_stp_hwpg.asp

[19] Kernel Driver Frequently Asked Questions (FAQ)
http://www.osronline.com/custom.cfm?name=articlePrint.cfm&id=256

[20] INFO: Network Binding Analysis
http://support.microsoft.com/default.aspx?scid=kb;en-us;192483

[21] Windows 2000 Filter-Hook Driver example
http://ntdev.h1.ru/ipfilter.html
http://ntdev.h1.ru/ipfilter_src.html

[22] Developing a firewall for Win2000/XP with VC
http://computer.sz.net.cn/2004-05-17/nw2004051700070.shtml
http://computer.sz.net.cn/2004-05-17/nw2004051700071.shtml
http://computer.sz.net.cn/2004-05-17/nw2004051700072.shtml
http://dl2.mydown.com/code/more/DrvFltIp_FirewallFHK.rar

[23] Simple Packet Filtering Firewall - Deepthi Reddy, Ramya Balakumar, Vandana Bhardwaj
http://www.csc.villanova.edu/~vbhardwa/netclass/firewall.ppt
http://www.sju.edu/~vb189802/computerNet/fire.zip(source code)

Simple packet Filter Firewall
http://www.csc.villanova.edu/~vbhardwa/netclass/Firewall.htm

[24] Developing Firewalls for Windows 2000/XP
http://www.codeproject.com/internet/drvfltip.asp
http://www.codeproject.com/internet/drvfltip/FirewallFHK_src.zip
http://www.codeproject.com/internet/drvfltip/DrvFltIp_source.zip

[25] Simple Packet - Filter Firewall
http://www.codeproject.com/internet/smfirewall.asp
http://www.codeproject.com/internet/smfirewall/fire.zip

[26] Hollis Technology Solutions IpHook Version 1 Release
http://www.hollistech.com/Resources/IpHook/Release%20Notes.htm
http://www.hollistech.com/Resources/IpHook/IpHook.msi(source code)

[27] An Easy Firewall Application - [2003-10-06]
http://www.codeproject.com/tools/firewallpapi.asp
http://www.codeproject.com/tools/firewallpapi/firewallpapisrc.zip
http://www.codeproject.com/tools/firewallpapi/firewallpapi.zip

[28] NetCenturion is a TCP/IP packet filter for Windows 2000 and XP
http://www.softsystem.co.uk/page5.html
http://www.softsystem.co.uk/NetCenturion1204.zip
http://www.softsystem.co.uk/NetCenturion1204src.zip

[29] Extending The Microsoft PassThru NDIS Intermediate Driver - Thomas F. Divine <wd-3.tdivine@pcausa.com> [2003-07-15]
Part 1 Adding a DeviceIoControl Interface
http://www.wd-3.com/archive/ExtendingPassthru.htm
http://www.wd-3.com/downloads/ExtendingPassthru.zip

Extending The Microsoft PassThru NDIS Intermediate Driver - James Antognini <antognini@mindspring.com> Thomas F. Divine <wd-3.tdivine@pcausa.com> [2003-12-15]
Part 2 Two IP Address Blocking NDIS IM Drivers
http://www.wd-3.com/archive/ExtendingPassthru2.htm
http://www.wd-3.com/downloads/PassThru2.zip

[30] NDIS Driver Debugging Guidelines - [2003-05-05]
http://www.microsoft.com/taiwan/whdc/device/network/NDIS/ndisdebug.mspx
http://download.microsoft.com/download/5/7/7/577a5684-8a83-43ae-9272-ff260a9c20e2/ndisWinHec2003.doc
(debugging with kd)

Debugging NDIS Drivers
http://msdn.microsoft.com/library/en-us/NetXP_d/hh/NetXp_d/ndisdbg_f025bb0a-4cbe-4d58-ab3e-faa8b9b01340.xml.asp?frame=true

NDIS Debug Tracing and Kernel Debugger Extensions - [2003-11-20]
http://support.microsoft.com/kb/q248413/

How to enable NDIS debug tracing - [2005-08-09]
http://support.microsoft.com/kb/q164459/

How to enable and use NDIS Verifier - [2005-12-23]
http://support.microsoft.com/kb/q266403/

[31] Porting Miniport Drivers to NDIS 6.0 - [2005-04-19]
http://www.microsoft.com/taiwan/whdc/device/network/NDIS/NDIS6drvport.mspx
http://download.microsoft.com/download/5/d/6/5d6eaf2b-7ddf-476b-93dc-7cf0072878e6/NDIS6drvport.doc

[32] Extending the NDIS intermediate driver based on PassThru - Addylee <Addylee2004@163.com> [2006-05-02]
http://www.xfocus.net/articles/200605/865.html

[33] PCAUSA Discussion List
http://groups.yahoo.com/group/discussion-pcausa/

[34] Controlling Stacking Order of NDIS 5.0 Intermediate Drivers - [2003-12-17]
http://support.microsoft.com/kb/250615

[35] Implementing NAT in an NDIS intermediate driver - thinking <thinkingfh@163.com> [2006-06-17]
http://www.xfocus.net/articles/200606/870.html

[36] Raw Ethernet Packet Sending - miahrugger [2003-10-25]
http://www.codeproject.com/cs/internet/sendrawpacket.asp
http://www.codeproject.com/cs/internet/SendRawPacket/SendRawPacket.zip
(uses an NDIS protocol driver)

Top sites (Windows kernel)
Web sites:

http://www.osronline.com, a highly technical Windows driver development site; its mailing lists cover nearly every common question in Windows driver development. Strongly recommended;
http://www.microsoft.com/whdc, Microsoft's driver development resource home page, with a lot of official material;
http://www.wd-3.com/, collects some good articles and sample code on Windows driver development;
http://www.sysinternals.com/, site created by one of the authors of Inside Windows 2000, with many kernel tools and sample code;

http://www.driverdevelop.com/forum, the largest driver development forum in China;
http://www.rootkit.com, as the name implies, many articles and code on Windows kernel rootkits;
http://www.ndis.com, resource site for NDIS driver development;
http://www.pcausa.com, resources on all kinds of NDIS drivers;
http://www.wdmaudiodev.com/, resource site for WDM audio driver development.
Personal sites:

http://blogs.msdn.com/doronh/, A Hole In My Head
http://www.sysinternals.com/Blog/, blog of Mark, the well-known author of Windows Internals
http://kernelmustard.com/category/ddk/, A blog by Steve Dispensa about Microsoft Windows development, focused on kernel-mode driver development, the Windows DDK, WDK, and related tools.
http://blogs.msdn.com/peterwie/, Peter Wieland's thoughts on Windows driver development

posted on 2019-03-27 10:19 by lydstory