info.txt

Cracker终结者——提供最优秀的软件保护技术

  ntgsrv.dll can hook/load dll into every NT Win32 process.
It loads (using EstablishApiHooks) DLLs written in
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Real_AppInit_DLLs
value (similar to AppInit_DLLs. Dll names are separated by
asterisk. Other Dlls can be added via Add_DLL.exe. ntgsrv can be "started"
at boot or manually - use Add_DLL.exe. Dlls in registry are loaded always
when ntgsrv is started.
 ntgsrv requires administrator for installation/start. In the
case of starting at boot, it hooks any Win32 process in all sessions.
On manual start, ntgsrv hooks current or given session.
Effect of ntgsrv hook is nearly identical with hooking CreateProcessWin32
in Windows 9x (see ProcLog example) - everything is caught (very powerful).
Instead of SAFE_DEBUGGEE technique dwMilliseconds = 0 is passed to hEAH,
that has similar effect but it is not so effective.
ntgsrv was tested on Win2K only.
Don't forget to set Read&Execute access for Everyone to used Dlls.
Dlls whose names do not contain Path should be located in search Path
of all processes (e.g. %SystemRoot%\SYSTEM32).

Add_DLL.exe
Usage:
 Add_DLL [SessionId | AddReg | BootOn | BootOff] <DllName | Start>


 Add_DLL AddReg DllName
- adds DllName to registry value mentioned above.

 Add_DLL Start
- Starts ntgsrv (if needed) in current session.
  Hooks current session with Dlls in registry.

 Add_DLL 2 Start
- Starts ntgsrv (if needed) in session 2.
  Hooks session 2 with Dlls in registry.

 Add_DLL DllName
- hooks current session with DllName.
  Starts ntgsrv if needed.

 Add_DLL 2 DllName
- hooks session 2 with DllName.
  Starts ntgsrv if needed.

 Add_DLL BootOff
- system will not be hooked after rebooting.

 Add_DLL BootOn
- system will be hooked after rebooting. USE AT YOUR OWN RISK !!!