PCHunter CMD translated

a guest
Oct 20th, 2016
The software is packed with a VMProtect shell, so some anti-virus products may flag it. You can use it with confidence; this is an anti-virus false positive.

About the software: it belongs to puming to (Beijing) Information Technology Co., Ltd. Users may freely use, copy, distribute and disseminate it, but commercial use without the author's written authorization is prohibited. Use of the software for malicious purposes (for example as part of a Trojan, or to crack Internet cafe billing systems) is also prohibited.

Before using this software you need to understand: if your use of the software directly or indirectly causes you loss or damage, the company is not responsible. From the moment you use the software you are deemed to have accepted this disclaimer.

This software supports all 32-bit systems from XP through Win8.1, and 64-bit systems from Win7 through Win8.1.

/ ----------------------------- For certain reasons, this software does not provide the commands that modify the system. To use those features, use the PC Hunter GUI version ----------------------------- /

Instructions:
1. Run PCHunter_Cmd.exe directly: this enters a loop that repeatedly reads and executes user commands. When you leave the loop, the driver is unloaded automatically.
2. Run PCHunter_Cmd.exe with parameters: this executes the command given by the parameters, then the program exits and unloads the driver.
3. Professional users can import the key file into PCHunter_Cmd.exe to enable the commands specific to the Professional edition.
4. Software validity period: 2013.11.25 ~ 2014.11.24
  16.  
Standard edition command reference:

1.usage
No parameters; lists all currently available commands.
2.tasklist
No parameters; enumerates processes.
3.ps
Equivalent to tasklist.
4.lpm
Two parameters: the decimal process id and the hexadecimal process object address; this command enumerates the process's modules.
5.lpt
Two parameters: the decimal process id and the hexadecimal process object address; this command enumerates the process's threads.
6.qpsr
Two parameters: the decimal process id and the hexadecimal process object address; this command queries whether the process is suspended or resumed.
7.sp
Two parameters: the decimal process id and the hexadecimal process object address; this command suspends the process.
8.rp
Two parameters: the decimal process id and the hexadecimal process object address; this command resumes the suspended process.
9.qtsr
Two parameters: the decimal thread id and the hexadecimal thread object address; this command queries whether the thread is suspended or resumed.
10.st
Two parameters: the decimal thread id and the hexadecimal thread object address; this command suspends the thread.
11.rt
Two parameters: the decimal thread id and the hexadecimal thread object address; this command resumes the suspended thread.
12.lph
Two parameters: the decimal process id and the hexadecimal process object address; this command enumerates the process's handles.
13.lw
No parameters; this command enumerates process windows.
14.lpmemory
Two parameters: the decimal process id and the hexadecimal process object address; this command enumerates the process's memory information.
15.lptimer
No parameters; this command enumerates process timers.
16.lphk
No parameters; this command enumerates process hotkeys.
17.lkm
No parameters; this command displays kernel module information.
18.ckmemory
Three parameters: the hexadecimal module base address, the number of bytes to copy, and the output file name; this command copies kernel memory to the file.
19.freboot
No parameters; this command forces the computer to restart.
20.mfreboot
No parameters; a more aggressive forced restart of the computer.
21.ssdt
Displays the SSDT; with the /all parameter it shows every entry, otherwise only hooked functions.
22.shadowssdt
Displays the Shadow SSDT; with the /all parameter it shows every entry, otherwise only hooked functions.
23.fsd
Displays the FSD; with the /all parameter it shows every entry, otherwise only hooked functions.
24.tcpip
Displays TCPIP hooks; with the /all parameter it shows every entry, otherwise only hooked functions.
25.kbd
Displays hooks on the keyboard driver; with the /all parameter it shows every entry, otherwise only hooked functions.
26.idt
Displays hooks on the IDT; with the /all parameter it shows every entry, otherwise only hooked functions.
27.objecttype
Displays hooks on ObjectType; with the /all parameter it shows every entry, otherwise only hooked functions.
28.objecttype_callback
Displays hooks on ObjectType callbacks; with the /all parameter it shows every entry, otherwise only hooks.
29.hhive
Displays HHIVE hooks; with the /all parameter it shows every entry, otherwise only hooked functions.
30.callback
Displays hooks on objects in the \Callback directory tree; with the /all parameter it shows every entry, otherwise only hooked functions.
31.nr
No parameters; this command lists Notify Routines.
32.port
No parameters; this command lists port information.
33.mbr
No parameters; this command checks for an MBR rootkit.
34.classpnp
Displays hooks on classpnp; with the /all parameter it shows every entry, otherwise only hooked functions.
35.atapi
Displays hooks on atapi; with the /all parameter it shows every entry, otherwise only hooked functions.
36.acpi
Displays hooks on acpi; with the /all parameter it shows every entry, otherwise only hooked functions.
37.dpctimer
No parameters; this command displays DPC timer information.
38.filter
No parameters; this command enumerates filter drivers.
39.messagehook
No parameters; this command displays message hooks.
40.sigcheck
One parameter, a file path; this command checks the file's digital signature.
41.processhook
Two parameters: the decimal process id and the hexadecimal process object address; this command enumerates the process's hooks.
42.processapfn
Two parameters: the decimal process id and the hexadecimal process object address; with the /all parameter it shows every entry, otherwise only hooked functions; this command enumerates the process's Apfn.
43.kernelhook
No parameters; this command enumerates kernel module hooks.
44.copy
Two parameters: the existing file path and the new file path; this command copies the file.
45.dir
One parameter, a directory path; this command is equivalent to the Windows console dir command.
46.regkey
One parameter, a registry path; this command enumerates the subkeys under that path.
47.regvalue
One parameter, a registry path; this command enumerates the values under that path.
48.scsi
Displays hooks on scsi; with the /all parameter it shows every entry, otherwise only hooked functions.
49.mouse
Displays hooks on the mouse driver; with the /all parameter it shows every entry, otherwise only hooked functions.
50.hdt
No parameters; this command displays HalDispatchTable callback information.
51.hpdt
No parameters; this command displays HalPrivateDispatchTable callback information.
52.hadt
No parameters; this command displays HalAcpiDispatchTable callback information.
53.wdf01000
Displays hooks on the wdf01000 dispatch functions; with the /all parameter it shows every entry, otherwise only hooked functions.
54.wdff
Displays WdfFunction hooks; with the /all parameter it shows every entry, otherwise only hooked functions.
55. (command name garbled in the source as "/ RTI >")
No parameters; this command displays filter information.
56.fs
No parameters; this command displays file system information.
57.fst
No parameters; this command displays Sfilter callback information.
58.cid
No parameters; this command displays ClassInitData callback information.
59.ckdr
If no parameter is given, this command displays system debugging information.
60.cdrx
No parameters; this command displays system register information.
61.ccdrx
One parameter, the register name; this command clears that register's information.
62.objhij
No parameters; this command displays object hijack information.
63.nsiproxy
Displays hooks on Nsiproxy; with the /all parameter it shows every entry, otherwise only hooked functions.
64.tdx
Displays hooks on Tdx; with the /all parameter it shows every entry, otherwise only hooked functions.
65.npfs
Displays hooks on Npfs; with the /all parameter it shows every entry, otherwise only hooked functions.
66.msfs
Displays hooks on Msfs; with the /all parameter it shows every entry, otherwise only hooked functions.
67.usbport
Displays hooks on Usbport; with the /all parameter it shows every entry, otherwise only hooked functions.
68.i8042prt
Displays hooks on I8042prt; with the /all parameter it shows every entry, otherwise only hooked functions.
69.ndis
No parameters; this command displays Ndis handler function information.
70.exit
No parameters; this command exits the PCHunter_Cmd program.
71.quit
Equivalent to exit.
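As an added example (not PCHunter's own code or part of this README), the following Python wrapper uses the parameterised run described in the instructions to snapshot the output of the standard edition's read-only enumeration commands (passing /all where the list documents it) and then reports which lines changed between two snapshots, so that a newly hooked SSDT entry or a new Notify Routine stands out. It assumes the invocation form PCHunter_Cmd.exe <command> [/all] with output on stdout; the sample lines in it are constructed and are not PCHunter's real output format.

```python
"""Snapshot-and-diff driver for PCHunter_Cmd.exe read-only enumeration commands.
Added example, not PCHunter's code. Assumes (not documented in the README) that a
parameterised run is  PCHunter_Cmd.exe <cmd> [/all]  and prints to stdout."""
import subprocess
from pathlib import Path

# Read-only commands from the standard list, mapped to whether the README
# documents a /all switch for them (show every entry vs. only hooked ones).
ENUM_COMMANDS = {
    "tasklist": False, "lkm": False, "nr": False, "mbr": False, "port": False,
    "kernelhook": False, "dpctimer": False, "filter": False, "messagehook": False,
    "ssdt": True, "shadowssdt": True, "fsd": True, "idt": True, "tcpip": True,
    "kbd": True, "callback": True, "objecttype": True, "hhive": True,
}

def build_argv(exe: str, command: str, show_all: bool = False) -> list:
    """argv for one parameterised run; /all is only accepted where documented."""
    if command not in ENUM_COMMANDS:
        raise ValueError("not a known read-only enumeration command: " + command)
    if show_all and not ENUM_COMMANDS[command]:
        raise ValueError(command + " does not take /all")
    return [exe, command] + (["/all"] if show_all else [])

def snapshot(exe: str, outdir: Path, show_all: bool = True) -> dict:
    """Run every command as its own process (per the README the driver is
    unloaded on each exit) and keep the raw output, one file per command."""
    outdir.mkdir(parents=True, exist_ok=True)
    results = {}
    for cmd, takes_all in ENUM_COMMANDS.items():
        proc = subprocess.run(build_argv(exe, cmd, show_all and takes_all),
                              capture_output=True, text=True, errors="replace")
        results[cmd] = proc.stdout
        (outdir / (cmd + ".txt")).write_text(proc.stdout, encoding="utf-8")
    return results

def load_snapshot(indir: Path) -> dict:
    """Read back a directory written by snapshot()."""
    return {p.stem: p.read_text(encoding="utf-8") for p in indir.glob("*.txt")}

def diff_outputs(baseline: str, current: str) -> tuple:
    """Order-insensitive line diff: (lines new in current, lines no longer present)."""
    old = {l.strip() for l in baseline.splitlines() if l.strip()}
    new = {l.strip() for l in current.splitlines() if l.strip()}
    return sorted(new - old), sorted(old - new)

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Per-command (added, removed) lines; unchanged commands are omitted, so a
    hook that appeared since the baseline shows up as an added line."""
    report = {}
    for cmd in sorted(set(baseline) & set(current)):
        added, removed = diff_outputs(baseline[cmd], current[cmd])
        if added or removed:
            report[cmd] = (added, removed)
    return report

# Constructed placeholder listings (NOT PCHunter's real format) for a self-test:
# the same SSDT entry now points into a different module than in the baseline.
DEMO_BASELINE = {"ssdt": "NtOpenProcess ntoskrnl.exe\nNtCreateFile ntoskrnl.exe\n",
                 "nr": "CreateProcess ntoskrnl.exe\n"}
DEMO_CURRENT = {"ssdt": "NtOpenProcess unknown.sys\nNtCreateFile ntoskrnl.exe\n",
                "nr": "CreateProcess ntoskrnl.exe\n"}

if __name__ == "__main__":
    print(diff_snapshots(DEMO_BASELINE, DEMO_CURRENT))
```

Because each parameterised run unloads the driver when the program exits, a full snapshot loads and unloads it once per command; for a quick one-off look the interactive loop is cheaper.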
  161.  
Professional edition command reference (the Professional edition also supports all standard edition commands):

1.fmdf
Displays hooks on the FltMgr dispatch functions; with the /all parameter it shows every entry, otherwise only hooked functions.
2.fsfcb
No parameters; this command displays FltMgr file system filter callback information.
3.fmc
No parameters; this command displays FltMgrCalls information.
4.wdfli
Displays hooks on WdfLibraryInfo; with the /all parameter it shows every entry, otherwise only hooks.
5.wdfc
No parameters; this command displays Wdf client information.
6.ntcb
No parameters; this command displays NdisTdiCallback information.
7.tpc
No parameters; this command displays TdiPnpClient information.
8.ipfltdrv
No parameters; this command displays Ipfltdrv dispatch function information.
9.ntoh
No parameters; this command displays NdisTcpOffloadHandlers information.
10.not
No parameters; this command displays NdisOidTable information.
11.ftdt
No parameters; this command displays FwpsTcpipDispatchTable information.
12.wnidt
No parameters; this command displays WfpNblInfoDispTable information.
13.wss
No parameters; this command displays WfpStreamShim information.
14.wms
No parameters; this command displays WfpMacShim information.
15.nlh
No parameters; this command displays NsiLegacyHandler information.
16.nlcb
No parameters; this command displays NetioLayerCallback information.
17.wdobj
No parameters; this command displays WfpDeviceObject information.
18.wcout
No parameters; this command displays WfpCallout information.
19.ncp
No parameters; this command displays NmrProvider (Client) information.
20.ncn
No parameters; this command displays NsiChangeNotification information.
21.ncnmc
No parameters; this command displays NsiChangeNotification_Monitor information.
22.nii
No parameters; this command displays Ndis adapter / interface information.
23.ipsec
Displays hooks on IpsecDispatchFun; with the /all parameter it shows every entry, otherwise only hooked functions.
24.afd
Displays hooks on Afd; with the /all parameter it shows every entry, otherwise only hooked functions.
25.ipfw
No parameters; this command displays IpFirewallHook information.
26.ipft
No parameters; this command displays IpFilterHook information.
27.regmonitor
One parameter, a registry path; this command enumerates the application-layer registry monitoring information under that path.
  218.  
/ -------------------------------------------------------------------------------------------------- /

Standard edition commands not yet opened (because these features clean up or modify the system, they are temporarily withheld so as not to cause damage to the system):

1.fpm
Three parameters: the decimal process id, the hexadecimal process object address, and the hexadecimal module base address; this command unloads the module from the process.
2.kt
Two parameters: the decimal thread id and the hexadecimal thread object address; this command kills the thread.
3.fkt
Two parameters: the decimal thread id and the hexadecimal thread object address; this command kills the thread.
4.kp
Two parameters: the decimal process id and the hexadecimal process object address; this command kills the process.
5.fkp
Two parameters: the decimal process id and the hexadecimal process object address; this command forcibly kills the process.
6.cph
Four parameters: the decimal process id, the hexadecimal process object address, the hexadecimal handle value, and the hexadecimal address of the handle's object; this command closes the process handle.
7.fcph
Four parameters: the decimal process id, the hexadecimal process object address, the hexadecimal handle value, and the hexadecimal address of the handle's object; this command forcibly closes the process handle.
8.fpmemory
Four parameters: the decimal process id, the hexadecimal process object address, the hexadecimal memory address, and the hexadecimal memory size; this command frees the process memory.
9.cptimer
One parameter, the hexadecimal timer object address.
10.cphk
One parameter, the hexadecimal hotkey object address.
11.fkm
Two parameters: the hexadecimal driver object address and the driver service name. Either one alone is sufficient; if both are valid, the driver object address takes priority. This command unloads the driver.
12.rssdt
One parameter, the decimal SSDT function index; this command restores the hook on that SSDT entry.
13.rshadowssdt
One parameter, the decimal Shadow SSDT function index; this command restores the hook on that Shadow SSDT entry.
14.rfsd
One parameter, the decimal FSD function index; this command restores the hook on the FSD.
15.rtcpip
One parameter, the decimal TCPIP function index; this command restores the TCPIP hook.
16.rkbd
One parameter, the decimal Keyboard function index; this command restores the hook on the keyboard driver.
17.robjecttype
Two parameters: the hexadecimal ObjectType object type and the function name; this command restores the hook on ObjectType.
18.robjecttype_callback
Two parameters: the hexadecimal object address and the hexadecimal function address; this command restores the hook on the ObjectType callback.
19.rhhive
Two parameters: the hexadecimal HHIVE address and the hexadecimal original function address; this command restores the HHIVE hook.
20.rcallback
Two parameters: the hexadecimal ObjectType address and the hexadecimal SubObject address; this command restores the hook on the object in the \Callback directory tree.
21.rnr
Two parameters: the hexadecimal Notify Routine entry function address and the Notify Routine type name; this command deletes the Notify Routine.
22.rclasspnp
One parameter, the decimal CLASSPNP function index; this command restores the hook on CLASSPNP.
23.racpi
One parameter, the decimal ACPI function index; this command restores the hook on ACPI.
24.rdpctimer
One parameter, the hexadecimal DPC timer object address; this command cancels the timer.
25.rfilter
Two parameters: the hexadecimal DeviceObject address and the filter type name; this command removes the filter driver.
26.rprocessapfn
Three parameters: the decimal process id, the hexadecimal process object address, and the decimal process Apfn function index; this command restores the process's Apfn hook.
27.del
One required parameter, the file path; this command deletes the file. To force deletion, add the /f switch before the file path.
28.rename
Two parameters: the existing file path and the new file path; this command renames the file.
29.delvalue
Two parameters: the registry path and the registry value name; this command deletes the value from the registry key.
30.rscsi
Shows hooks on scsi; with the /all parameter it shows every entry, otherwise only hooked functions.
31.rmouse
Shows hooks on the mouse driver; with the /all parameter it shows every entry, otherwise only hooked functions.
32.rhadt
One parameter, the function name; this command restores the HalAcpiDispatchTable hook.
33.rwdf01000
One parameter, the decimal function index; this command restores the hook on the wdf01000 dispatch function.
34.rcid
Two parameters: the decimal function index and the type name; this command restores the hook on the ClassInitData callback.
35.rwdff
One parameter, the decimal function index; this command restores the hook on WdfFunction.
36.ratapi
One parameter, the decimal ATAPI function index; this command restores the ATAPI hook.
37.rnpfs
One parameter, the decimal Npfs function index; this command restores the Npfs hook.
38.rmsfs
One parameter, the decimal Msfs function index; this command restores the hook on Msfs.
39.rusbport
One parameter, the decimal Usbport function index; this command restores the hook on Usbport.
40.ri8042prt
One parameter, the decimal I8042prt function index; this command restores the hook on I8042prt.
  303.  
Professional edition commands not yet opened:

1.rwdfli
One parameter, the hexadecimal original function address; this command restores the WdfLibraryInfo hook.
2.rfmdf
One parameter, the decimal function index; this command restores the hook on the FltMgr dispatch function.
3.rfsfcb
One parameter, the decimal function index; this command restores the hook on the FltMgr file system callback.
4.rfmc
One parameter, the hexadecimal current function address; this command restores the hook on FltMgrCalls.
5.rckdr
No parameters; this command restores all hooks on system debugging.
6.rnsiproxy
One parameter, the decimal function index; this command restores the hook on Nsiproxy.
7.rtdx
One parameter, the decimal function index; this command restores the hook on Tdx.
8.rntcb
No parameters; this command restores all hooks on NdisTdiCallback.
9.ripfltdrv
One parameter, the decimal function index, optionally followed by [FastIo]; this command restores the hook on the Ipfltdrv dispatch function.
10.rntoh
One parameter, the function name; this command restores the NdisTcpOffloadHandlers hook.
11.rnot
One parameter, the function name; this command restores the hook on NdisOidTable.
12.rwdobj
No parameters; this command restores all hooks on WfpDeviceObject.
13.ripsec
One parameter, the decimal function index; this command restores the hook on IpsecDispatchFun.
14.rafd
One parameter, the decimal function index; this command restores the hook on the Afd dispatch function.
15.cipfw
One parameter, the hexadecimal function address; this command clears the IpFirewallHook hook.
16.cipft
No parameters; this command clears all hooks on IpFilterHook.