作 者:
小烦
时 间: 2013-08-07,16:46:07
链 接: http://bbs.pediy.com/showthread.php?t=176806
TP技术难点:
1.双机调试
2.TesSafe自身模块硬断检测和自身CRC检测
3. DebugObjectType 权值清零
4.DebugPort清零
1 解决了，2 放弃，3 Pass，4 Pass a half
讲解3.
直接上笔记和码
nt!NtDebugActiveProcess+0x9a:
84cb8e4a 341b            xor     al,1Bh
nt!NtCreateDebugObject+0x60:
84cb7f53 341b            xor     al,1Bh
nt!NtWaitForDebugEvent+0xb5:
84cb920a 341b            xor     al,1Bh
nt!NtDebugContinue+0x82:
84cb94f3 341b            xor     al,1Bh
nt!NtRemoveProcessDebug+0x6d:
这里是系统函数引用 DbgkDebugObjectType 的位置（所列偏移正是该 4 字节操作数所在处，因此从中间反汇编显示为 xor al,1Bh），我们要替换它，
换成我们自己造好的。
#ifndefVALIDACCESSMASK
#defineVALIDACCESSMASK
// Maps a pointer to an object's Body back to the OBJECT_HEADER_WIN7 that
// precedes it (CONTAINING_RECORD subtracts the Body offset).
// Declared for completeness; not referenced by the functions on this page.
#define OBJECT_TO_OBJECT_HEADER(o) CONTAINING_RECORD((o), OBJECT_HEADER_WIN7, Body)
// One node of an object-directory hash bucket, as the post declares it for
// Windows 7 (ChainLink presumably links to the next entry of the bucket).
// Declared for completeness; not referenced by the functions on this page.
typedef struct _OBJECT_DIRECTORY_ENTRY_WIN7 {
    struct _OBJECT_DIRECTORY_ENTRY_WIN7 *ChainLink;
    PVOID Object;
    ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY_WIN7, *POBJECT_DIRECTORY_ENTRY_WIN7;
// Argument block for ObCreateObjectType (declared further down).
// CreateMyDebugObjectType fills one of these field by field from an existing
// type's TypeInfo, so the layout must match the running kernel's
// _OBJECT_TYPE_INITIALIZER exactly. The "+0x002" lines are the author's
// notes from the debugger's type dump (the forum markup ate the ":P" of
// "Pos"); the bit-field byte itself is covered by the USHORT `type` below.
typedef struct _OBJECT_TYPE_INITIALIZER_WIN7 {
    USHORT Length;
    USHORT type;
    // +0x002 ObjectTypeFlags : UChar
    // +0x002 CaseInsensitive : Pos 0, 1 Bit
    // +0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
    // +0x002 UseDefaultObject : Pos 2, 1 Bit
    // +0x002 SecurityRequired : Pos 3, 1 Bit
    // +0x002 MaintainHandleCount : Pos 4, 1 Bit
    // +0x002 MaintainTypeList : Pos 5, 1 Bit
    PVOID ObjectTypeCode;
    PVOID InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    // The one field CreateMyDebugObjectType does not copy from the source
    // type; it is forced to 0x001fffff there.
    PVOID ValidAccessMask;
    PVOID RetainAccess;
    POOL_TYPE PoolType;
    PVOID DefaultPagedPoolCharge;
    PVOID DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    // NOTE(review): declared USHORT although every other *Procedure member
    // is PVOID; confirm against the target build's symbols before relying
    // on the size of this structure.
    USHORT OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER_WIN7, *POBJECT_TYPE_INITIALIZER_WIN7;
// Creation-time parameters of an object; presumably what
// OBJECT_HEADER_WIN7.ObjectCreateInfo points at while the object is being
// built. Declared for completeness; not referenced by the functions on
// this page.
typedef struct _OBJECT_CREATE_INFORMATION_WIN7 {
    ULONG Attributes;
    HANDLE RootDirectory;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PVOID SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION_WIN7, *POBJECT_CREATE_INFORMATION_WIN7;
// The kernel's type object (_OBJECT_TYPE) as the post lays it out for
// 32-bit Windows 7. PickUpObjectType compares Name against a literal and
// CreateMyDebugObjectType copies TypeInfo into a new initializer. The
// trailing comments are the author's notes from the debugger's type dump.
typedef struct _OBJECT_TYPE_WIN7 {
    LIST_ENTRY TypeList;                    // : _LIST_ENTRY
    UNICODE_STRING Name;                    // : _UNICODE_STRING
    PVOID DefaultObject;                    // : Ptr32 Void
    // NOTE(review): the dump says UChar; declared ULONG here (same 4-byte
    // slot once padding is counted).
    ULONG Index;                            // : UChar
    ULONG TotalNumberOfObjects;             // : Uint4B
    ULONG TotalNumberOfHandles;             // : Uint4B
    ULONG HighWaterNumberOfObjects;         // : Uint4B
    ULONG HighWaterNumberOfHandles;         // : Uint4B
    OBJECT_TYPE_INITIALIZER_WIN7 TypeInfo;  // : _OBJECT_TYPE_INITIALIZER
    PVOID TypeLock;                         // : _EX_PUSH_LOCK
    ULONG Key;                              // : Uint4B
    LIST_ENTRY CallbackList;                // : _LIST_ENTRY
} OBJECT_TYPE_WIN7, *POBJECT_TYPE_WIN7;
// Header that precedes every object's Body (see OBJECT_TO_OBJECT_HEADER).
// Declared for completeness; not referenced by the functions on this page.
// Member comments translated from the author's Chinese.
typedef struct _OBJECT_HEADER_WIN7 {
    // Pointer reference count of the object
    LONG_PTR PointerCount;
    union {
        // Handle reference count
        LONG_PTR HandleCount;
        PVOID NextToFree;
    };
    POBJECT_TYPE Type;
    // Offset of OBJECT_HEADER_NAME_INFO relative to this structure
    UCHAR NameInfoOffset;
    // Offset of OBJECT_HEADER_HANDLE_INFO relative to this structure
    UCHAR HandleInfoOffset;
    // Offset of OBJECT_HEADER_QUOTA_INFO relative to this structure
    UCHAR QuotaInfoOffset;
    UCHAR Flags;
    union {
        // Used while creating the object to build its optional headers;
        // holds information similar to what those optional headers carry
        PVOID ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;
} OBJECT_HEADER_WIN7, *POBJECT_HEADER_WIN7;
// Kernel routines the page uses, redeclared with the local *_WIN7 types so
// they compile without the private headers. ObCreateObjectType is resolved
// by name through MmGetSystemRoutineAddress in GetObpTypeObjectType_Win7
// and linked directly by CreateMyDebugObjectType.
EXTERN_C
{
    // Creates a new object type from an initializer block.
    // NOTE(review): the last parameter receives the created type
    // (CreateMyDebugObjectType passes &MyDebugObjectType), so __out, not
    // __in, describes the actual contract. "SecurityDesorintor" is the
    // author's misspelling of SecurityDescriptor; harmless in a prototype.
    NTKERNELAPI
    NTSTATUS
    ObCreateObjectType(
        __in PUNICODE_STRING TypeName,
        __in POBJECT_TYPE_INITIALIZER_WIN7 ObjectTypeInitializer,
        __in_opt PSECURITY_DESCRIPTOR SecurityDesorintor,
        __in POBJECT_TYPE_WIN7 *ObjectType
    );
    // Returns the type object of pObject. Declared but not called on this page.
    NTKERNELAPI
    PVOID
    ObGetObjectType(
        __in PVOID pObject
    );
}
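// The 32-bit operand PatchDebugObjectType reads from NtDebugActiveProcess+0x9a
// before patching (the value the kernel code used to reach its own
// DbgkDebugObjectType); UnPatchDebugObjectType writes it back. Integer, so it
// is initialised with 0 rather than the pointer constant NULL.
ULONG DbgkDebugObjectType = 0;
// Address of the object-type-table slot that EnumObjectType_Win7 found to be
// named "MyDebugObject"; the value PatchDebugObjectType writes into the five
// Nt* routines. 0 until the enumeration has run.
ULONG DbgkMyDebugObjectType = 0;
// The cloned type object created by CreateMyDebugObjectType and released by
// DeleteMyDebugObjectType.
POBJECT_TYPE_WIN7 MyDebugObjectType = NULL;
// Scratch initializer filled by CreateMyDebugObjectType (file scope, so that
// function is not reentrant).
OBJECT_TYPE_INITIALIZER_WIN7 ObjectTypeInitializer;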
// Creates a second object type, named MyObjectTypeName (L"MyDebugObject" at
// the only call site), whose initializer is a copy of tmpObjectType->TypeInfo
// except for ValidAccessMask, which is forced to 0x001fffff. This is the
// post's answer to its point 3 (the protector zeroing the DebugObject type's
// access mask): the clone keeps a full mask and the Nt* debug routines are
// later redirected to it by PatchDebugObjectType. The new type is stored in
// the global MyDebugObjectType.
//
// tmpObjectType:    the existing DebugObject type (looked up by name by the caller).
// MyObjectTypeName: name of the new type, passed by value.
//
// NOTE(review): the NTSTATUS of ObCreateObjectType is ignored; the caller
// (InitMyDebugOjbetType) infers success from MyDebugObjectType != NULL.
// NOTE(review): `type` (the ObjectTypeFlags byte) is not copied and stays at
// the zero written by RtlZeroMemory — confirm whether that is intended.
void CreateMyDebugObjectType(POBJECT_TYPE_WIN7 tmpObjectType, UNICODE_STRING MyObjectTypeName)
{
    RtlZeroMemory(&ObjectTypeInitializer, sizeof(ObjectTypeInitializer));
    ObjectTypeInitializer.Length = tmpObjectType->TypeInfo.Length;
    ObjectTypeInitializer.ObjectTypeCode = tmpObjectType->TypeInfo.ObjectTypeCode;
    ObjectTypeInitializer.InvalidAttributes = tmpObjectType->TypeInfo.InvalidAttributes;
    ObjectTypeInitializer.GenericMapping = tmpObjectType->TypeInfo.GenericMapping;
    // The only field that is not copied verbatim from the source type.
    ObjectTypeInitializer.ValidAccessMask = (PVOID)0x001fffff;
    ObjectTypeInitializer.RetainAccess = tmpObjectType->TypeInfo.RetainAccess;
    ObjectTypeInitializer.PoolType = tmpObjectType->TypeInfo.PoolType;
    ObjectTypeInitializer.DefaultPagedPoolCharge = tmpObjectType->TypeInfo.DefaultPagedPoolCharge;
    ObjectTypeInitializer.DefaultNonPagedPoolCharge = tmpObjectType->TypeInfo.DefaultNonPagedPoolCharge;
    ObjectTypeInitializer.DumpProcedure = tmpObjectType->TypeInfo.DumpProcedure;
    ObjectTypeInitializer.OpenProcedure = tmpObjectType->TypeInfo.OpenProcedure;
    ObjectTypeInitializer.CloseProcedure = tmpObjectType->TypeInfo.CloseProcedure;
    ObjectTypeInitializer.DeleteProcedure = tmpObjectType->TypeInfo.DeleteProcedure;
    ObjectTypeInitializer.ParseProcedure = tmpObjectType->TypeInfo.ParseProcedure;
    ObjectTypeInitializer.SecurityProcedure = tmpObjectType->TypeInfo.SecurityProcedure;
    ObjectTypeInitializer.QueryNameProcedure = tmpObjectType->TypeInfo.QueryNameProcedure;
    ObjectTypeInitializer.OkayToCloseProcedure = tmpObjectType->TypeInfo.OkayToCloseProcedure;
    // Return status unchecked; MyDebugObjectType stays NULL on failure.
    ObCreateObjectType(&MyObjectTypeName, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR)NULL, &MyDebugObjectType);
}
// Given the address of a type-table slot holding the DebugObject type,
// creates the MyDebugObject clone once (guarded by MyDebugObjectType == NULL)
// and logs the outcome. The name keeps the author's "Ojbet" misspelling
// because EnumObjectType_Win7 calls it under that name.
//
// pObjectType: address of a ULONG slot that contains a POBJECT_TYPE_WIN7
//              (EnumObjectType_Win7 passes entries of its ObjectTypeTable).
//
// NOTE(review): the "succeed" line is printed right after the call, before
// the NULL check below actually decides whether creation worked. The
// commented-out store appears to be an earlier approach (overwriting the
// kernel's slot in place); MyFirstType is not declared on this page.
// Log strings lost their spaces in the forum paste and are kept verbatim.
void InitMyDebugOjbetType(ULONG pObjectType)
{
    UNICODE_STRING MyObjectTypeName;
    POBJECT_TYPE_WIN7 tmpObjectType = (POBJECT_TYPE_WIN7)*(ULONG *)pObjectType;
    RtlInitUnicodeString(&MyObjectTypeName, L"MyDebugObject");
    if (MyDebugObjectType == NULL)
    {
        CreateMyDebugObjectType(tmpObjectType, MyObjectTypeName);
        DbgPrint("CreateMyDebugObjectTypeissucceed!!\n");
    }
    if (MyDebugObjectType != NULL)
    {
        //*(DWORD*)pObjectType=(ULONG)MyFirstType;
        // Prints the slot address (pObjectType), not the type it holds.
        DbgPrint("pObObjectTypeis%x!\n", (ULONG *)pObjectType);
    }
    else
    {
        DbgPrint("CreateMyDebugObjectTypeisfailed!\n");
    }
}
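// Returns true when the object type stored in the slot at pObjectType is
// named exactly `Name` (case-sensitive).
//
// pObjectType: address of a ULONG slot that contains a POBJECT_TYPE_WIN7
//              (EnumObjectType_Win7 passes entries of its ObjectTypeTable).
// Name:        NUL-terminated wide string to compare against.
//
// CmpName is built with RtlInitUnicodeString, so its Length is derived from
// `Name` itself. Copying the type's own Length into CmpName (as the original
// did) made RtlEqualUnicodeString read Length bytes from `Name` even when the
// type name was longer than the literal — an out-of-bounds read for any type
// whose name exceeds "DebugObject". RtlEqualUnicodeString returns FALSE on a
// Length mismatch before touching either buffer, so the prefix trick the old
// comment described is no longer needed.
bool PickUpObjectType(ULONG pObjectType, PWCH Name)
{
    UNICODE_STRING CmpName;
    POBJECT_TYPE_WIN7 tmpObjectType = (POBJECT_TYPE_WIN7)*(ULONG *)pObjectType;

    RtlInitUnicodeString(&CmpName, Name);
    //DbgPrint("TestObjectTypeis%S!\n",CmpName.Buffer);
    // Third argument FALSE: case-sensitive comparison, as before.
    if (RtlEqualUnicodeString(&tmpObjectType->Name, &CmpName, FALSE))
    {
        return true;
    }
    return false;
}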
// Locates the kernel variable ObpTypeObjectType on 32-bit Windows 7 by
// scanning the first PAGE_SIZE bytes of ObCreateObjectType for the byte
// sequence A1 <imm32> BB (mov eax,[imm32] immediately followed by a
// mov ebx,imm32) and returning the imm32 of the first such match, i.e. the
// address the kernel loads the type pointer from. Returns NULL when no
// match is found. ObCreateObjectType is resolved with
// MmGetSystemRoutineAddress, which is why it is redeclared above.
//
// NOTE(review): ASSERT is compiled out of free builds, so a NULL addr would
// be scanned as if it were code. The match is purely positional — a
// different kernel build may hit a different instruction pair first.
// NOTE(review): `_ObpTypeObjectType` (underscore + capital) is a reserved
// identifier in C; it works with this compiler but is not portable.
POBJECT_TYPE GetObpTypeObjectType_Win7()
{
    PUCHAR addr, p;
    UNICODE_STRING usObCreateObjectType;
    POBJECT_TYPE _ObpTypeObjectType = NULL;
    RtlInitUnicodeString(&usObCreateObjectType, L"ObCreateObjectType");
    addr = (PUCHAR)MmGetSystemRoutineAddress(&usObCreateObjectType);
    ASSERT(addr != NULL);
    DbgPrint("ObCreateObjectType=0x%08x\n", addr);
    for (p = addr; p < addr + PAGE_SIZE; p++)
    {
        // 0xA1 = mov eax,moffs32 (5 bytes); 0xBB five bytes later is the
        // opcode of the following mov ebx,imm32.
        if ((*(PUCHAR)p == 0xa1) && (*(PUCHAR)(p + 5) == 0xbb))
        {
            _ObpTypeObjectType = (POBJECT_TYPE)(*(PULONG)(p + 1));
            DbgPrint("ObpTypeObjectType=0x%08x\n", _ObpTypeObjectType);
            return _ObpTypeObjectType;
        }
    }
    // Always true after the loop ran to completion; only guards the log line.
    if (p == addr + PAGE_SIZE)
        DbgPrint("CannotfindObpTypeObjectType!\n");
    return NULL;
}
// Walks the kernel's list of type objects, logging each one. For the list
// entry whose table slot is named "DebugObject" it calls InitMyDebugOjbetType
// (creating the MyDebugObject clone); for the entry named "MyDebugObject" it
// records the address of that table slot in DbgkMyDebugObjectType, which
// PatchDebugObjectType later writes into the Nt* debug routines.
//
// ObjectTypeTable[k] is meant to be GetObpTypeObjectType_Win7() + 4*k, the
// address of the k-th 4-byte slot the author treats as the kernel's type
// pointer table. The list is entered from the object the first slot points
// to: each list node sits OffsetCreatorInfoObject bytes before its type
// object, and Name/Index are read at OffsetObjectTypeName/
// OffsetObjectIndexObjectType from the object. The hard-coded offsets are
// for the 32-bit Windows 7 build the post was written against. The counter
// starts at 3 with no rationale given — presumably the first slots are not
// real types (TODO confirm).
//
// NOTE(review): the forum markup swallowed the `[i]` index — every
// `ObjectTypeTable` in the loops below was `ObjectTypeTable[i]`; as written
// an array is assigned to and passed as ULONG, which does not compile.
// NOTE(review): when dwMajorVersion != 6 the three offsets and
// ObpTypeObjectType are used uninitialised; dwMajorVersion == 6 also
// matches Vista and Windows 8, whose layouts differ. A NULL return from
// GetObpTypeObjectType_Win7 is dereferenced unchecked.
// NOTE(review): i is not bounded by the 50-entry table while the list is walked.
void EnumObjectType_Win7()
{
    ULONG OffsetObjectTypeName;
    ULONG OffsetCreatorInfoObject;
    ULONG OffsetObjectIndexObjectType;
    POBJECT_TYPE ObpTypeObjectType;
    ULONG ObjectTypeTable[50] = {0};
    int i = 0;
    ULONG_PTR TypeObjectAddr;
    PLIST_ENTRY TypeObjectCreatorInfo;
    PLIST_ENTRY NextEntry;
    RTL_OSVERSIONINFOW VersionInformation;
    RtlGetVersion(&VersionInformation);
    if (VersionInformation.dwMajorVersion == 6) // Windows 7 (also matches Vista / 8)
    {
        OffsetObjectTypeName = 0x08;
        OffsetCreatorInfoObject = 0x28;
        OffsetObjectIndexObjectType = 0x14;
        ObpTypeObjectType = GetObpTypeObjectType_Win7();
    }
    // Was `ObjectTypeTable[i] = ...` before the forum stripped `[i]`.
    for (i = 0; i < 50; i++)
    {
        ObjectTypeTable = (ULONG)ObpTypeObjectType + sizeof(ULONG) * i;
    }
    i = 3;
    // First slot -> type object; its creator-info list entry precedes it.
    TypeObjectAddr = *(PULONG_PTR)ObpTypeObjectType;
    TypeObjectCreatorInfo = (PLIST_ENTRY)(TypeObjectAddr - OffsetCreatorInfoObject);
    NextEntry = TypeObjectCreatorInfo;
    while (NextEntry->Flink != TypeObjectCreatorInfo)
    {
        // Both `ObjectTypeTable` below were `ObjectTypeTable[i]`.
        if (PickUpObjectType(ObjectTypeTable, L"DebugObject"))
        {
            InitMyDebugOjbetType(ObjectTypeTable);
        }
        if (PickUpObjectType(ObjectTypeTable, L"MyDebugObject"))
        {
            DbgkMyDebugObjectType = ObjectTypeTable;
            DbgPrint("DbgkMyDebugObjectTypeis%x!\n", DbgkMyDebugObjectType);
        }
        DbgPrint("TypeAddr=0x%08x,TypeName=%wZ,TypeIndex=%d\n",
                 (ULONG_PTR)NextEntry + OffsetCreatorInfoObject,
                 (PUNICODE_STRING)((ULONG_PTR)NextEntry + OffsetCreatorInfoObject + OffsetObjectTypeName),
                 *(PUCHAR)((ULONG_PTR)NextEntry + OffsetCreatorInfoObject + OffsetObjectIndexObjectType));
        NextEntry = NextEntry->Flink;
        i++;
    }
}
// Drops the reference held on the MyDebugObject clone. The commented-out
// ObMakeTemporaryObject call is the alternative the author tried.
// UnAntiValidAccessMask calls this only after UnPatchDebugObjectType has put
// the kernel's original type operand back.
//
// NOTE(review): MyDebugObjectType is not reset to NULL afterwards, so a
// second call would dereference the same object again.
void DeleteMyDebugObjectType()
{
    if (MyDebugObjectType != NULL)
    {
        //ObMakeTemporaryObject(MyDebugObjectType);
        ObfDereferenceObject(MyDebugObjectType);
    }
}
// Redirects the five Nt* debugging syscalls from the kernel's
// DbgkDebugObjectType to the MyDebugObject clone by overwriting the 32-bit
// operand at a fixed offset inside each routine. The offsets (+0x9a, +0x60,
// +0xb5, +0x82, +0x6d) and the SSDT indices (96, 61, 387, 97, 289) are the
// ones the post's disassembly shows for its 32-bit Windows 7 build; both
// are build-specific. The original operand is read from
// NtDebugActiveProcess+0x9a into DbgkDebugObjectType first so that
// UnPatchDebugObjectType can restore it.
//
// Preconditions: EnumObjectType_Win7 has set DbgkMyDebugObjectType.
// GetSSDTFunctionAddr, WPOFF and WPON are defined elsewhere in the project.
//
// NOTE(review): the first log line dereferences the saved operand (prints
// the dword at the kernel's type pointer) rather than the operand itself.
// NOTE(review): the third and fourth log lines print PassNtWaitForDebugEvent
// and PassNtDebugContinue under the previous routine's label. The "ass…" /
// "atch…" strings lost a leading "P" and their spaces in the forum paste;
// all strings are kept verbatim here.
// NOTE(review): DbgkMyDebugObjectType is ULONG but compared against NULL.
void PatchDebugObjectType()
{
    // Save the operand currently at NtDebugActiveProcess+0x9a.
    DbgkDebugObjectType = (ULONG)GetSSDTFunctionAddr(96) + 0x9a;
    DbgkDebugObjectType = *(PULONG)DbgkDebugObjectType;
    // Addresses of the operand to overwrite in each routine.
    ULONG PassNtDebugActiveProcess = (ULONG)GetSSDTFunctionAddr(96) + 0x9a;
    ULONG PassNtCreateDebugObject = (ULONG)GetSSDTFunctionAddr(61) + 0x60;
    ULONG PassNtWaitForDebugEvent = (ULONG)GetSSDTFunctionAddr(387) + 0xb5;
    ULONG PassNtDebugContinue = (ULONG)GetSSDTFunctionAddr(97) + 0x82;
    ULONG PassNtRemoveProcessDebug = (ULONG)GetSSDTFunctionAddr(289) + 0x6d;
    DbgPrint("DbgkDebugObjectTypeis%x!\n", *(PULONG)DbgkDebugObjectType);
    DbgPrint("assNtDebugActiveProcessis%x!\n", *(PULONG)PassNtDebugActiveProcess);
    DbgPrint("assNtCreateDebugObjectis%x!\n", *(PULONG)PassNtCreateDebugObject);
    DbgPrint("assNtCreateDebugObjectis%x!\n", *(PULONG)PassNtWaitForDebugEvent);
    DbgPrint("assNtWaitForDebugEventis%x!\n", *(PULONG)PassNtDebugContinue);
    DbgPrint("assNtRemoveProcessDebugis%x!\n", *(PULONG)PassNtRemoveProcessDebug);
    DbgPrint("DbgkMyDebugObjectTypeis%x!\n", DbgkMyDebugObjectType);
    if (DbgkMyDebugObjectType != NULL)
    {
        WPOFF();
        KIRQL uKirql;
        uKirql = KeRaiseIrqlToSynchLevel();
        *(PULONG)PassNtDebugActiveProcess = DbgkMyDebugObjectType;
        *(PULONG)PassNtCreateDebugObject = DbgkMyDebugObjectType;
        *(PULONG)PassNtWaitForDebugEvent = DbgkMyDebugObjectType;
        *(PULONG)PassNtDebugContinue = DbgkMyDebugObjectType;
        *(PULONG)PassNtRemoveProcessDebug = DbgkMyDebugObjectType;
        KeLowerIrql(uKirql);
        WPON();
        DbgPrint("atchDebugObjectTypeissucceed!\n");
    }
    else
    {
        DbgPrint("atchDebugObjectTypeisfailed!\n");
    }
}
// Reverses PatchDebugObjectType: writes the saved operand
// (DbgkDebugObjectType) back into the same five locations, recomputed from
// the same SSDT indices and offsets. Does nothing (and logs "failed") when
// PatchDebugObjectType has not stored an operand yet.
//
// NOTE(review): the offsets and SSDT indices are duplicated from
// PatchDebugObjectType; a single table shared by both functions would keep
// them from drifting apart. DbgkDebugObjectType is ULONG but compared
// against NULL.
void UnPatchDebugObjectType()
{
    ULONG PassNtDebugActiveProcess = (ULONG)GetSSDTFunctionAddr(96) + 0x9a;
    ULONG PassNtCreateDebugObject = (ULONG)GetSSDTFunctionAddr(61) + 0x60;
    ULONG PassNtWaitForDebugEvent = (ULONG)GetSSDTFunctionAddr(387) + 0xb5;
    ULONG PassNtDebugContinue = (ULONG)GetSSDTFunctionAddr(97) + 0x82;
    ULONG PassNtRemoveProcessDebug = (ULONG)GetSSDTFunctionAddr(289) + 0x6d;
    if (DbgkDebugObjectType != NULL)
    {
        WPOFF();
        KIRQL uKirql;
        uKirql = KeRaiseIrqlToSynchLevel();
        *(PULONG)PassNtDebugActiveProcess = DbgkDebugObjectType;
        *(PULONG)PassNtCreateDebugObject = DbgkDebugObjectType;
        *(PULONG)PassNtWaitForDebugEvent = DbgkDebugObjectType;
        *(PULONG)PassNtDebugContinue = DbgkDebugObjectType;
        *(PULONG)PassNtRemoveProcessDebug = DbgkDebugObjectType;
        KeLowerIrql(uKirql);
        WPON();
        DbgPrint("UnPatchDebugObjectTypeissucceed!\n");
    }
    else
    {
        DbgPrint("UnPatchDebugObjectTypeisfailed!\n");
    }
}
// Entry point for the post's point 3: enumerate the type list (which creates
// the MyDebugObject clone and records its slot), then redirect the Nt* debug
// routines to it. Order matters — PatchDebugObjectType needs
// DbgkMyDebugObjectType set by the enumeration.
void AntiValidAccessMask()
{
    EnumObjectType_Win7();
    PatchDebugObjectType();
}
// Undo for AntiValidAccessMask. The kernel's original operand is restored
// first so nothing still refers to the clone when its reference is dropped.
void UnAntiValidAccessMask()
{
    UnPatchDebugObjectType();
    DeleteMyDebugObjectType();
}
#endif
pass 了。然后是 DebugPort 清零，我们采用暴力法。
nt!DbgkpCloseObject+0x11f:
84eaadfc 750c             jne     nt!DbgkpCloseObject+0x12d (84eaae0a)
84eaadfe 83a0ec00000000   and     dword ptr [eax+0ECh],0
84eaae05 804c240e01       or      byte ptr [esp+0Eh],1
84eaae0a a0fc4cd684       mov     al,byte ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)]
84eaae0f 8325e44cd68400   and     dword ptr [nt!DbgkpProcessDebugPortMutex+0x4 (84d64ce4)],0
84eaae16 33c9             xor     ecx,ecx
84eaae18 8844240f         mov     byte ptr [esp+0Fh],al
84eaae1c 41               inc     ecx
1
nt!DbgkCopyProcessDebugPort+0xf:
84e6a7c5 83a0ec00000000   and     dword ptr [eax+0ECh],0
17
nt!DbgkpSetProcessDebugObject+0x88:
84eab688 a3fc4cd684       mov     dword ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)],eax
84eab68d 83beec00000000   cmp     dword ptr [esi+0ECh],0
84eab694 0f85ad000000     jne     nt!DbgkpSetProcessDebugObject+0x147 (84eab747)
84eab69a 8b4d10           mov     ecx,dword ptr [ebp+10h]
84eab69d 89beec000000     mov     dword ptr [esi+0ECh],edi
84eab6a3 e82c3edbff       call    nt!ObfReferenceObject (84c5f4d4)
84eab6a8 ff7510           push    dword ptr [ebp+10h]
84eab6ab 8bc6             mov     eax,esi
2
nt!DbgkpSetProcessDebugObject+0x9a:
84eab69a 8b4d10           mov     ecx,dword ptr [ebp+10h]
84eab69d 89beec000000     mov     dword ptr [esi+0ECh],edi
84eab6a3 e82c3edbff       call    nt!ObfReferenceObject (84c5f4d4)
84eab6a8 ff7510           push    dword ptr [ebp+10h]
84eab6ab 8bc6             mov     eax,esi
84eab6ad e83e18fcff       call    nt!PsGetNextProcessThread (84e6cef0)
84eab6b2 8bf0             mov     esi,eax
84eab6b4 85f6             test    esi,esi
3
nt!DbgkpMarkProcessPeb+0x83:
84eaabc2 33c0             xor     eax,eax
84eaabc4 3987ec000000     cmp     dword ptr [edi+0ECh],eax
84eaabca 0f95c0           setne   al
84eaabcd 8b8fa8010000     mov     ecx,dword ptr [edi+1A8h]
84eaabd3 884102           mov     byte ptr [ecx+2],al
84eaabd6 c745fcfeffffff   mov     dword ptr [ebp-4],0FFFFFFFEh
84eaabdd eb16             jmp     nt!DbgkpMarkProcessPeb+0xb6 (84eaabf5)
84eaabdf 33c0             xor     eax,eax
4
nt!DbgkCreateThread+0x225:
84e1c3ed e9befeffff       jmp     nt!DbgkCreateThread+0xe8 (84e1c2b0)
84e1c3f2 399eec000000     cmp     dword ptr [esi+0ECh],ebx
84e1c3f8 0f8442010000     je      nt!DbgkCreateThread+0x378 (84e1c540)
84e1c3fe 899d24ffffff     mov     dword ptr [ebp-0DCh],ebx
84e1c404 f645c801         test    byte ptr [ebp-38h],1
84e1c408 0f85e5000000     jne     nt!DbgkCreateThread+0x32b (84e1c4f3)
84e1c40e 899d38ffffff     mov     dword ptr [ebp-0C8h],ebx
84e1c414 8b8e28010000     mov     ecx,dword ptr [esi+128h]
5
nt!DbgkpQueueMessage+0xaa:
84eab1d8 8b4508           mov     eax,dword ptr [ebp+8]
84eab1db 8b80ec000000     mov     eax,dword ptr [eax+0ECh]
84eab1e1 89442414         mov     dword ptr [esp+14h],eax
84eab1e5 8b4510           mov     eax,dword ptr [ebp+10h]
84eab1e8 8b4018           mov     eax,dword ptr [eax+18h]
84eab1eb 83f801           cmp     eax,1
84eab1ee 7405             je      nt!DbgkpQueueMessage+0xc7 (84eab1f5)
84eab1f0 83f802           cmp     eax,2
6
nt!KiDispatchException+0x1d5:
84caf48b 8b4050           mov     eax,dword ptr [eax+50h]
84caf48e 39b0ec000000     cmp     dword ptr [eax+0ECh],esi
84caf494 7509             jne     nt!KiDispatchException+0x1e9 (84caf49f)
84caf496 803da91cd68400   cmp     byte ptr [nt!KdIgnoreUmExceptions (84d61ca9)],0
84caf49d 7412             je      nt!KiDispatchException+0x1fb (84caf4b1)
84caf49f 813b03000080     cmp     dword ptr [ebx],80000003h
84caf4a5 753f             jne     nt!KiDispatchException+0x230 (84caf4e6)
84caf4a7 397310           cmp     dword ptr [ebx+10h],esi
7
nt!DbgkForwardException+0x47:
84decfe0 eb06             jmp     nt!DbgkForwardException+0x4f (84decfe8)
84decfe2 8b98ec000000     mov     ebx,dword ptr [eax+0ECh]
84decfe8 32c0             xor     al,al
84decfea eb12             jmp     nt!DbgkForwardException+0x65 (84decffe)
84decfec 50               push    eax
84decfed e89e580300       call    nt!PsCaptureExceptionPort (84e22890)
84decff2 8bd8             mov     ebx,eax
84decff4 c744241407000000 mov     dword ptr [esp+14h],7
8
nt!PspExitThread+0x2aa:
84e18709 e8ef4ce4ff       call    nt!ObfDereferenceObject (84c5d3fd)
84e1870e 83bfec00000000   cmp     dword ptr [edi+0ECh],0
84e18715 7422             je      nt!PspExitThread+0x2da (84e18739)
84e18717 f7433c00200000   test    dword ptr [ebx+3Ch],2000h
84e1871e 7519             jne     nt!PspExitThread+0x2da (84e18739)
84e18720 807de300         cmp     byte ptr [ebp-1Dh],0
84e18724 740d             je      nt!PspExitThread+0x2d4 (84e18733)
84e18726 ffb774020000     push    dword ptr [edi+274h]
9
nt!DbgkExitThread+0x25:
84eaca26 8b4950           mov     ecx,dword ptr [ecx+50h]
84eaca29 83b9ec00000000   cmp     dword ptr [ecx+0ECh],0
84eaca30 742f             je      nt!DbgkExitThread+0x60 (84eaca61)
84eaca32 a802             test    al,2
84eaca34 742b             je      nt!DbgkExitThread+0x60 (84eaca61)
84eaca36 8b4508           mov     eax,dword ptr [ebp+8]
84eaca39 89442420         mov     dword ptr [esp+20h],eax
84eaca3d 8d0424           lea     eax,[esp]
10
nt!DbgkClearProcessDebugObject+0x3e:
84e80515 8b4508           mov     eax,dword ptr [ebp+8]
84e80518 05ec000000       add     eax,0ECh
84e8051d 8b38             mov     edi,dword ptr [eax]
84e8051f 33db             xor     ebx,ebx
84e80521 897c2410         mov     dword ptr [esp+10h],edi
84e80525 3bfb             cmp     edi,ebx
84e80527 7412             je      nt!DbgkClearProcessDebugObject+0x64 (84e8053b)
84e80529 3b7d0c           cmp     edi,dword ptr [ebp+0Ch]
11
nt!PspTerminateAllThreads+0x1db:
84e2dc27 740e             je      nt!PspTerminateAllThreads+0x1eb (84e2dc37)
84e2dc29 83bfec00000000   cmp     dword ptr [edi+0ECh],0
84e2dc30 7410             je      nt!PspTerminateAllThreads+0x1f6 (84e2dc42)
84e2dc32 3b7df0           cmp     edi,dword ptr [ebp-10h]
84e2dc35 740b             je      nt!PspTerminateAllThreads+0x1f6 (84e2dc42)
84e2dc37 8bc7             mov     eax,edi
84e2dc39 e8bacb0a00       call    nt!PspDoHandleSweepSingle (84eda7f8)
84e2dc3e 8365fc00         and     dword ptr [ebp-4],0
12
nt!DbgkExitProcess+0x26:
84eaca99 7543             jne     nt!DbgkExitProcess+0x6b (84eacade)
84eaca9b 83b9ec00000000   cmp     dword ptr [ecx+0ECh],0
84eacaa2 743a             je      nt!DbgkExitProcess+0x6b (84eacade)
84eacaa4 a802             test    al,2
84eacaa6 7436             je      nt!DbgkExitProcess+0x6b (84eacade)
84eacaa8 81c1a8000000     add     ecx,0A8h
84eacaae 51               push    ecx
84eacaaf e80b97d8ff       call    nt!KeQuerySystemTime (84c361bf)
13
nt!DbgkpCloseObject+0xd3:
84eaadb0 8b4508           mov     eax,dword ptr [ebp+8]
84eaadb3 3998ec000000     cmp     dword ptr [eax+0ECh],ebx
84eaadb9 0f85c4000000     jne     nt!DbgkpCloseObject+0x1a6 (84eaae83)
84eaadbf 8064240efe       and     byte ptr [esp+0Eh],0FEh
84eaadc4 b101             mov     cl,1
84eaadc6 ff155c81c084     call    dword ptr [nt!_imp_KfRaiseIrql (84c0815c)]
84eaadcc 8844240f         mov     byte ptr [esp+0Fh],al
84eaadd0 8bc6             mov     eax,esi
14
nt!DbgkpCloseObject+0x116:
84eaadf3 8b4508           mov     eax,dword ptr [ebp+8]
84eaadf6 3998ec000000     cmp     dword ptr [eax+0ECh],ebx
84eaadfc 750c             jne     nt!DbgkpCloseObject+0x12d (84eaae0a)
84eaadfe 83a0ec00000000   and     dword ptr [eax+0ECh],0
84eaae05 804c240e01       or      byte ptr [esp+0Eh],1
84eaae0a a0fc4cd684       mov     al,byte ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)]
84eaae0f 8325e44cd68400   and     dword ptr [nt!DbgkpProcessDebugPortMutex+0x4 (84d64ce4)],0
84eaae16 33c9             xor     ecx,ecx
15
nt!PspProcessDelete+0xb6:
84e62e56 c70600000000     mov     dword ptr [esi],0
84e62e5c 8db7ec000000     lea     esi,[edi+0ECh]
84e62e62 8b0e             mov     ecx,dword ptr [esi]
84e62e64 85c9             test    ecx,ecx
84e62e66 7408             je      nt!PspProcessDelete+0xd0 (84e62e70)
84e62e68 e890a5dfff       call    nt!ObfDereferenceObject (84c5d3fd)
84e62e6d 832600           and     dword ptr [esi],0
84e62e70 8db7f0000000     lea     esi,[edi+0F0h]
16
贴代码
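#ifndef DEBUGPORT
// Guard macro must be the one tested above; the original defined DEUBGPORT,
// so the include guard never took effect.
#define DEBUGPORT
// Addresses recorded by SearchDebugPortFeature: pDebugOffset1 holds the
// 0xEC-displacement matches found by AntiDebugPort, pDebugOffset2 the 0x70
// matches found by UnAntiDebugPort; n1/n2 are the number of entries used.
// 20 slots each — the scanner does not bound-check against this size.
ULONG pDebugOffset1[20] = {0};
ULONG pDebugOffset2[20] = {0};
int n1 = 0;
int n2 = 0;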
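// Returns TRUE when every byte of [VirtualAddress, VirtualAddress + Lenth)
// is backed by a valid page according to MmIsAddressValid, FALSE at the
// first byte that is not. Lenth <= 0 yields TRUE (nothing to check).
//
// VirtualAddress: start of the range.
// Lenth:          number of bytes to validate (author's spelling kept; callers
//                 pass the pattern length).
//
// The probe advances a byte pointer. The original advanced a PVOID* by i,
// i.e. in sizeof(PVOID) steps, so it probed offsets 0, 4, 8, ... up to
// 4*Lenth — a wider range than the caller reads, not the bytes asked for.
BOOLEAN __stdcall MmIsAddressValidEx(PVOID VirtualAddress, int Lenth)
{
    int i;
    for (i = 0; i < Lenth; i++)
    {
        if (MmIsAddressValid((PUCHAR)VirtualAddress + i) == FALSE)
        {
            return FALSE;
        }
    }
    return TRUE;
}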
// Byte-pattern scanner used by AntiDebugPort / UnAntiDebugPort. Starting at
// nAddr it examines ModuleSize consecutive byte positions; at each position
// that MmIsAddressValidEx accepts, the nLeng bytes there are copied into a
// local buffer and compared with each of the nLine patterns in pFeature.
// Every match stores nAddr + AddBytes into pArray[*FindCount] and bumps the
// count.
//
// nAddr:       start address, carried as int (32-bit only).
// pFeature:    nLine patterns of 6 bytes each.
// nLine:       number of patterns.
// ModuleSize:  number of byte positions to scan (a window length, despite the name).
// nLeng:       bytes compared per pattern (callers pass 6).
// pArray:      output list of matched addresses.
// FindCount:   running length of pArray, updated in place.
// AddBytes:    offset added to each match; callers pass 2, the position of the
//              disp32's low byte after opcode + ModR/M in the 6-byte patterns.
//
// NOTE(review): *FindCount is never checked against the size of pArray
// (20 entries in pDebugOffset1/2), so more than 20 matches write past the
// array. nLeng is not checked against sizeof szStatus either.
// NOTE(review): one RtlMoveMemory plus nLine RtlCompareMemory calls per
// position — O(ModuleSize * nLine) over the whole scan.
void SearchDebugPortFeature(int nAddr, char pFeature[][6], int nLine, int ModuleSize, int nLeng, ULONG *pArray, int *FindCount, int AddBytes)
{
    char szStatus[256] = "";
    int i = 0;
    int j = 0;
    for (i = 0; i < ModuleSize; i++)
    {
        if (MmIsAddressValidEx((PVOID)nAddr, nLeng))
        {
            RtlMoveMemory(szStatus, (char *)nAddr, nLeng);
            for (j = 0; j < nLine; j++)
            {
                // RtlCompareMemory returns the number of matching bytes.
                if (RtlCompareMemory(pFeature[j], szStatus, nLeng) == nLeng)
                {
                    pArray[*FindCount] = nAddr + AddBytes;
                    DbgPrint("FindAddressis%x", pArray[*FindCount]);
                    (*FindCount)++;
                }
            }
        }
        nAddr++;
    }
}
// The post's "brute force" answer to its point 4 (DebugPort clearing):
// scans 900 consecutive windows of 4673 bytes from the kernel image base
// for the opcode + ModR/M + disp32 forms listed in the disassembly above
// (all of them address [reg+0ECh], which the post identifies as the
// process's DebugPort field on this build) and rewrites the displacement
// byte 0xEC to 0x70 at every match. The rewritten addresses are kept in
// pDebugOffset1 (count n1) and UnAntiDebugPort later scans for the 0x70
// form to put 0xEC back.
//
// The table has 13 active rows; numbering follows the listings 1–16 above,
// with 12, 13 and 15 commented out as duplicates of 9, 10 and 14.
// GetSysImageBase, WPOFF and WPON are defined elsewhere in the project.
//
// NOTE(review): the forum markup swallowed the `[i]` index — the three
// `pDebugOffset1` uses in the second loop were `pDebugOffset1[i]`; as
// written the loop rewrites the first array element itself.
// NOTE(review): 900 * 4673 = 4,205,700 bytes are scanned whatever the real
// image size is, and the int address arithmetic is 32-bit only. The
// WPOFF/WPON + IRQL bracket is repeated once per match.
// NOTE(review): UnAntiDebugPort duplicates this table and loop with a single
// byte changed; a shared helper taking the search and replacement bytes
// would remove the duplication.
void AntiDebugPort()
{
    int i = 0;
    int kernelbase;
    int kernelsize = 4673;
    // opcode, ModR/M, then the disp32 0x000000EC (little-endian).
    char code[13][6] = {
        {(char)0x83, (char)0xa0, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //1
        {(char)0x83, (char)0xbe, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //2
        {(char)0x89, (char)0xbe, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //3
        {(char)0x39, (char)0x87, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //4
        {(char)0x39, (char)0x9e, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //5
        {(char)0x8b, (char)0x80, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //6
        {(char)0x39, (char)0xb0, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //7
        {(char)0x8b, (char)0x98, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //8
        {(char)0x83, (char)0xbf, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //9
        {(char)0x83, (char)0xb9, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //10
        {(char)0x08, (char)0x05, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //11
        //{(char)0x83,(char)0xbf,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//12
        //{(char)0x83,(char)0xb9,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//13
        {(char)0x39, (char)0x98, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //14
        //{(char)0x39,(char)0x98,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//15
        {(char)0x8d, (char)0xb7, (char)0xec, (char)0x00, (char)0x00, (char)0x00}, //16
    };
    // PAE kernels are named ntkrnlpa.exe; try that when ntoskrnl.exe is absent.
    kernelbase = (int)GetSysImageBase(L"ntoskrnl.exe");
    if (kernelbase == 0)
    {
        kernelbase = (int)GetSysImageBase(L"ntkrnlpa.exe");
    }
    DbgPrint("kernelbaseis%x", kernelbase);
    if (kernelbase != 0)
    {
        // 900 windows x 4673 bytes; AddBytes 2 -> the 0xEC byte of each match.
        for (i = 0; i < 900; i++) //770
        {
            SearchDebugPortFeature((int)kernelbase + kernelsize * i, code, 13, 4673, 6, pDebugOffset1, &n1, 2);
            //DbgPrint("kerneladdris%x",(int)kernelbase+kernelsize*i);
        }
        DbgPrint("nis%d", n1);
        // Each `pDebugOffset1` below was `pDebugOffset1[i]` before the paste.
        for (i = 0; i < n1; i++)
        {
            WPOFF();
            KIRQL uKirql;
            uKirql = KeRaiseIrqlToSynchLevel();
            *(PUCHAR)(pDebugOffset1) = 0x70;
            DbgPrint("pDebugOffsetAddris%x", pDebugOffset1);
            DbgPrint("pDebugOffsetis%x", *((PULONG)pDebugOffset1));
            KeLowerIrql(uKirql);
            WPON();
        }
    }
}
// Undo for AntiDebugPort: the same 900-window scan, but for the patterns
// with the displacement byte already rewritten to 0x70, and each match is
// set back to 0xEC. Matches are recorded in pDebugOffset2 (count n2).
//
// NOTE(review): this relies on re-finding the patched bytes by pattern
// rather than replaying the addresses AntiDebugPort stored in pDebugOffset1,
// so any unrelated [reg+70h] form in the scanned range that happens to match
// a row would be rewritten too.
// NOTE(review): as in AntiDebugPort, the three `pDebugOffset2` uses in the
// second loop were `pDebugOffset2[i]` before the forum markup dropped the
// index; the table and loop are otherwise a copy of AntiDebugPort with one
// byte changed.
void UnAntiDebugPort()
{
    int i = 0;
    int kernelbase;
    int kernelsize = 4673;
    // Same rows as AntiDebugPort with the disp32 low byte already 0x70.
    char code[13][6] = {
        {(char)0x83, (char)0xa0, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //1
        {(char)0x83, (char)0xbe, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //2
        {(char)0x89, (char)0xbe, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //3
        {(char)0x39, (char)0x87, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //4
        {(char)0x39, (char)0x9e, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //5
        {(char)0x8b, (char)0x80, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //6
        {(char)0x39, (char)0xb0, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //7
        {(char)0x8b, (char)0x98, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //8
        {(char)0x83, (char)0xbf, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //9
        {(char)0x83, (char)0xb9, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //10
        {(char)0x08, (char)0x05, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //11
        //{(char)0x83,(char)0xbf,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//12
        //{(char)0x83,(char)0xb9,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//13
        {(char)0x39, (char)0x98, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //14
        //{(char)0x39,(char)0x98,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//15
        {(char)0x8d, (char)0xb7, (char)0x70, (char)0x00, (char)0x00, (char)0x00}, //16
    };
    kernelbase = (int)GetSysImageBase(L"ntoskrnl.exe");
    if (kernelbase == 0)
    {
        kernelbase = (int)GetSysImageBase(L"ntkrnlpa.exe");
    }
    DbgPrint("kernelbaseis%x", kernelbase);
    if (kernelbase != 0)
    {
        for (i = 0; i < 900; i++) //770
        {
            SearchDebugPortFeature((int)kernelbase + kernelsize * i, code, 13, 4673, 6, pDebugOffset2, &n2, 2);
            //DbgPrint("kerneladdris%x",(int)kernelbase+kernelsize*i);
        }
        DbgPrint("nis%d", n2);
        // Each `pDebugOffset2` below was `pDebugOffset2[i]` before the paste.
        for (i = 0; i < n2; i++)
        {
            WPOFF();
            KIRQL uKirql;
            uKirql = KeRaiseIrqlToSynchLevel();
            *(PUCHAR)(pDebugOffset2) = 0xec;
            DbgPrint("pDebugOffsetAddris%x", pDebugOffset2);
            DbgPrint("pDebugOffsetis%x", *((PULONG)pDebugOffset2));
            KeLowerIrql(uKirql);
            WPON();
        }
    }
}
#endif
上图。至于非法就不是在 pass TP 的范围内了，有图有真相。
*转载 |