Tp已经pass Only win7 32下面讲解方法

作 者:
小烦
时 间: 2013-08-07,16:46:07
链 接: http://bbs.pediy.com/showthread.php?t=176806

TP技术难点:
1.双机调试
2.TesSafe自身模块硬断检测和自身CRC检测
3.DebugObjectType权值清零
4.DebugPort清零

1 解决了，2 放弃，3 Pass，4 Pass 了一半

讲解3.
直接上笔记和代码
nt!NtDebugActiveProcess+0x9a:
84cb8e4a341bxoral,1Bh


nt!NtCreateDebugObject+0x60:
84cb7f53341bxoral,1Bh



nt!NtWaitForDebugEvent+0xb5:
84cb920a341bxoral,1Bh





nt!NtDebugContinue+0x82:
84cb94f3341bxoral,1Bh




nt!NtRemoveProcessDebug+0x6d:


这里系统函数引用了 DbgkDebugObjectType，我们要把它替换掉，
换成我们自己构造好的对象类型


Code:
// Guard for the "ValidAccessMask" section (the DebugObject type replacement
// driven by AntiValidAccessMask / UnAntiValidAccessMask further down).
// NOTE: this paste has lost its whitespace (e.g. "#ifndefVALIDACCESSMASK"); the
// code below is kept verbatim and only annotated.
#ifndefVALIDACCESSMASK
#defineVALIDACCESSMASK


// Walk back from an object body to its OBJECT_HEADER_WIN7: Body is the last
// member of that header, so CONTAINING_RECORD yields the header start.
#defineOBJECT_TO_OBJECT_HEADER(o)CONTAINING_RECORD((o),OBJECT_HEADER_WIN7,Body)


// Hand-declared copy of the Windows 7 object-directory entry layout.
// NOTE(review): the _WIN7 suffix and the post title ("Only win7 32") indicate
// these layouts were taken from one 32-bit Win7 build; they are not portable
// to other kernel builds.
typedefstruct_OBJECT_DIRECTORY_ENTRY_WIN7{
struct_OBJECT_DIRECTORY_ENTRY_WIN7*ChainLink;  // next entry in the same hash bucket
PVOIDObject;                                    // object body the entry refers to
ULONGHashValue;                                 // name hash of the entry
}OBJECT_DIRECTORY_ENTRY_WIN7,*POBJECT_DIRECTORY_ENTRY_WIN7;


// Hand-declared copy of the Windows 7 OBJECT_TYPE_INITIALIZER. It is both the
// TypeInfo member of OBJECT_TYPE_WIN7 (read from the existing type) and the
// argument handed to ObCreateObjectType (see CreateMyDebugObjectType).
// The "+0x002 ..." comments are the symbol-dump bit flags that the USHORT
// "type" member below lumps together; they are kept as the author wrote them.
typedefstruct_OBJECT_TYPE_INITIALIZER_WIN7{

USHORTLength;
USHORTtype;
//+0x002ObjectTypeFlags:UChar
//+0x002CaseInsensitiveos0,1Bit
//+0x002UnnamedObjectsOnlyos1,1Bit
//+0x002UseDefaultObjectos2,1Bit
//+0x002SecurityRequiredos3,1Bit
//+0x002MaintainHandleCountos4,1Bit
//+0x002MaintainTypeListos5,1Bit
PVOIDObjectTypeCode;
PVOIDInvalidAttributes;
GENERIC_MAPPINGGenericMapping;
// The only field CreateMyDebugObjectType does NOT copy from the original
// type: it is overwritten with the constant 0x001fffff there.
PVOIDValidAccessMask;
PVOIDRetainAccess;
POOL_TYPEPoolType;
PVOIDDefaultPagedPoolCharge;
PVOIDDefaultNonPagedPoolCharge;
// Type callbacks; copied one-for-one from the original DebugObject type.
PVOIDDumpProcedure;
PVOIDOpenProcedure;
PVOIDCloseProcedure;
PVOIDDeleteProcedure;
PVOIDParseProcedure;
PVOIDSecurityProcedure;
PVOIDQueryNameProcedure;
// NOTE(review): declared USHORT here while the other procedures are PVOID;
// looks like a transcription slip — confirm against the symbol dump.
USHORTOkayToCloseProcedure;

}OBJECT_TYPE_INITIALIZER_WIN7,*POBJECT_TYPE_INITIALIZER_WIN7;

// Hand-declared copy of the Windows 7 OBJECT_CREATE_INFORMATION (the block an
// OBJECT_HEADER_WIN7 points to through ObjectCreateInfo while the object is
// being created). Declared for completeness; nothing on this page reads it.
typedefstruct_OBJECT_CREATE_INFORMATION_WIN7{
ULONGAttributes;
HANDLERootDirectory;
KPROCESSOR_MODEProbeMode;
ULONGPagedPoolCharge;
ULONGNonPagedPoolCharge;
ULONGSecurityDescriptorCharge;
PVOIDSecurityDescriptor;
PSECURITY_QUALITY_OF_SERVICESecurityQos;
SECURITY_QUALITY_OF_SERVICESecurityQualityOfService;
}OBJECT_CREATE_INFORMATION_WIN7,*POBJECT_CREATE_INFORMATION_WIN7;

// Hand-declared copy of the Windows 7 OBJECT_TYPE. The code below reads only
// Name (PickUpObjectType) and TypeInfo (CreateMyDebugObjectType) from it.
// The trailing "//:..." comments are the symbol-dump types the author pasted.
typedefstruct_OBJECT_TYPE_WIN7{
LIST_ENTRYTypeList;//:_LIST_ENTRY
UNICODE_STRINGName;//:_UNICODE_STRING
PVOIDDefaultObject;//tr32Void
// NOTE(review): declared ULONG although the pasted symbol type says UChar;
// the total size still lines up only if the padding happens to match — confirm.
ULONGIndex;//:UChar
ULONGTotalNumberOfObjects;//:Uint4B
ULONGTotalNumberOfHandles;//:Uint4B
ULONGHighWaterNumberOfObjects;//:Uint4B
ULONGHighWaterNumberOfHandles;//:Uint4B
OBJECT_TYPE_INITIALIZER_WIN7TypeInfo;//:_OBJECT_TYPE_INITIALIZER
PVOIDTypeLock;//:_EX_PUSH_LOCK
ULONGKey;//:Uint4B
LIST_ENTRYCallbackList;//:_LIST_ENTRY
}OBJECT_TYPE_WIN7,*POBJECT_TYPE_WIN7;

// Hand-declared copy of the Windows 7 OBJECT_HEADER. Used only through the
// OBJECT_TO_OBJECT_HEADER macro above (Body is the last member).
typedefstruct_OBJECT_HEADER_WIN7{
// Pointer (reference) count on the object header.
LONG_PTRPointerCount;
union{
// Handle reference count.
LONG_PTRHandleCount;
PVOIDNextToFree;
};
POBJECT_TYPEType;
// Offset of OBJECT_HEADER_NAME_INFO relative to this structure.
UCHARNameInfoOffset;
// Offset of OBJECT_HEADER_HANDLE_INFO relative to this structure.
UCHARHandleInfoOffset;
// Offset of OBJECT_HEADER_QUOTA_INFO relative to this structure.
UCHARQuotaInfoOffset;
UCHARFlags;

union{
// While the object is being created, points at the structure used to
// build its optional headers; it holds data similar to those headers.
PVOIDObjectCreateInfo;
PVOIDQuotaBlockCharged;
};
PSECURITY_DESCRIPTORSecurityDescriptor;
QUADBody;
}OBJECT_HEADER_WIN7,*POBJECT_HEADER_WIN7;






// Prototypes for two ntoskrnl exports that are not declared in the public
// WDK headers, hence declared by hand here. The EXTERN_C { } form (and the
// bool/true keywords used below) mean this file is built as C++.
EXTERN_C
{
// Creates a new kernel object type from an initializer; used by
// CreateMyDebugObjectType. The third parameter name is misspelled in the
// original and is kept as-is (it is only a prototype name).
NTKERNELAPI
NTSTATUS
ObCreateObjectType(
__inPUNICODE_STRINGTypeName,
__inPOBJECT_TYPE_INITIALIZER_WIN7ObjectTypeInitializer,
__in_optPSECURITY_DESCRIPTORSecurityDesorintor,
__inPOBJECT_TYPE_WIN7*ObjectType

);


// Declared but not called anywhere on this page.
NTKERNELAPI
PVOID
ObGetObjectType(
__inPVOIDpObject
);


}


// File-scope state shared by the patch/unpatch routines below.
// Address of the kernel's own DbgkDebugObjectType global, recovered from the
// instruction operand at NtDebugActiveProcess+0x9a in PatchDebugObjectType and
// written back by UnPatchDebugObjectType.
ULONGDbgkDebugObjectType=NULL;
// Address of the type-table slot holding the replacement type; filled by
// EnumObjectType_Win7 and written into the patched instruction operands.
ULONGDbgkMyDebugObjectType=NULL;

// The object type created through ObCreateObjectType; non-NULL means creation
// succeeded, and it is dereferenced again in DeleteMyDebugObjectType.
POBJECT_TYPE_WIN7MyDebugObjectType=NULL;

// Initializer filled in by CreateMyDebugObjectType (kept at file scope so it
// outlives the call).
OBJECT_TYPE_INITIALIZER_WIN7ObjectTypeInitializer;


// Creates a clone of an existing object type under a new name.
// tmpObjectType     - the type to copy (the kernel's DebugObject type, see
//                     InitMyDebugOjbetType).
// MyObjectTypeName  - name of the new type, passed by value; its address is
//                     handed to ObCreateObjectType.
// Every TypeInfo field is copied verbatim except ValidAccessMask, which is
// replaced by the constant 0x001fffff. The result lands in the file-scope
// MyDebugObjectType. The NTSTATUS from ObCreateObjectType is ignored here;
// the caller infers success from MyDebugObjectType != NULL.
// From a defensive standpoint: a second, differently-named type that mirrors
// DebugObject is a visible artifact in the kernel's object type list.
voidCreateMyDebugObjectType(POBJECT_TYPE_WIN7tmpObjectType,UNICODE_STRINGMyObjectTypeName)
{




RtlZeroMemory(&ObjectTypeInitializer,sizeof(ObjectTypeInitializer));
ObjectTypeInitializer.Length=tmpObjectType->TypeInfo.Length;
ObjectTypeInitializer.ObjectTypeCode=tmpObjectType->TypeInfo.ObjectTypeCode;
ObjectTypeInitializer.InvalidAttributes=tmpObjectType->TypeInfo.InvalidAttributes;
ObjectTypeInitializer.GenericMapping=tmpObjectType->TypeInfo.GenericMapping;
// The one deliberate difference from the original type.
ObjectTypeInitializer.ValidAccessMask=(PVOID)0x001fffff;
ObjectTypeInitializer.RetainAccess=tmpObjectType->TypeInfo.RetainAccess;
ObjectTypeInitializer.PoolType=tmpObjectType->TypeInfo.PoolType;
ObjectTypeInitializer.DefaultPagedPoolCharge=tmpObjectType->TypeInfo.DefaultPagedPoolCharge;
ObjectTypeInitializer.DefaultNonPagedPoolCharge=tmpObjectType->TypeInfo.DefaultNonPagedPoolCharge;


// Type callbacks are reused unchanged, so the clone behaves like the original.
ObjectTypeInitializer.DumpProcedure=tmpObjectType->TypeInfo.DumpProcedure;
ObjectTypeInitializer.OpenProcedure=tmpObjectType->TypeInfo.OpenProcedure;
ObjectTypeInitializer.CloseProcedure=tmpObjectType->TypeInfo.CloseProcedure;
ObjectTypeInitializer.DeleteProcedure=tmpObjectType->TypeInfo.DeleteProcedure;
ObjectTypeInitializer.ParseProcedure=tmpObjectType->TypeInfo.ParseProcedure;
ObjectTypeInitializer.SecurityProcedure=tmpObjectType->TypeInfo.SecurityProcedure;
ObjectTypeInitializer.QueryNameProcedure=tmpObjectType->TypeInfo.QueryNameProcedure;
ObjectTypeInitializer.OkayToCloseProcedure=tmpObjectType->TypeInfo.OkayToCloseProcedure;


// Return status is not checked.
ObCreateObjectType(&MyObjectTypeName,&ObjectTypeInitializer,(PSECURITY_DESCRIPTOR)NULL,&MyDebugObjectType);

}


// Creates the "MyDebugObject" type once, cloning the type whose pointer is
// stored at *pObjectType.
// pObjectType - address of a table slot that holds a POBJECT_TYPE_WIN7
//               (note the double indirection on the first line of the body).
// The commented-out line that would overwrite the slot with the new type is
// left inactive; the slot is only printed.
voidInitMyDebugOjbetType(ULONGpObjectType)
{
UNICODE_STRINGMyObjectTypeName;
POBJECT_TYPE_WIN7tmpObjectType=(POBJECT_TYPE_WIN7)*(ULONG*)pObjectType;
RtlInitUnicodeString(&MyObjectTypeName,L"MyDebugObject");
// Create only once; MyDebugObjectType is file-scope.
if(MyDebugObjectType==NULL)
{

CreateMyDebugObjectType(tmpObjectType,MyObjectTypeName);
DbgPrint("CreateMyDebugObjectTypeissucceed!!\n");
}
if(MyDebugObjectType!=NULL)
{
//*(DWORD*)pObjectType=(ULONG)MyFirstType;
// Prints the slot address (a pointer through %x; 32-bit only).
DbgPrint("pObObjectTypeis%x!\n",(ULONG*)pObjectType);
}
else
{
DbgPrint("CreateMyDebugObjectTypeisfailed!\n");
}
}
// Returns true when the object type stored at *pObjectType has the given name.
// pObjectType - address of a table slot holding a POBJECT_TYPE_WIN7.
// Name        - wide string to compare against the type's Name.
// Only Length and Buffer of the temporary UNICODE_STRING are set; its
// MaximumLength stays uninitialized (RtlEqualUnicodeString is presumed not to
// read it — confirm). The comparison length is taken from the type's own
// name, so a longer Name only has its prefix compared.
boolPickUpObjectType(ULONGpObjectType,PWCHName)
{
UNICODE_STRINGCmpName;
POBJECT_TYPE_WIN7tmpObjectType=(POBJECT_TYPE_WIN7)*(ULONG*)pObjectType;
CmpName.Length=tmpObjectType->Name.Length;
CmpName.Buffer=Name;// if string 2 is longer than string 1, whatever lies past the compared length does not matter
//DbgPrint("TestObjectTypeis%S!\n",CmpName.Buffer);
if(RtlEqualUnicodeString(&tmpObjectType->Name,&CmpName,FALSE))
{

returntrue;


}
returnfalse;
}

// Locates the kernel's ObpTypeObjectType global by byte-scanning the body of
// the exported ObCreateObjectType.
// Returns the address found, or NULL if no match within PAGE_SIZE bytes.
// The scan looks for opcode 0xA1 (mov eax,[imm32]) followed five bytes later
// by 0xBB (mov ebx,imm32) and takes the imm32 as the global's address. This
// is a single-build instruction pattern; on any other kernel build it can
// miss or mis-match silently.
// NOTE: "&amp;&amp;" below is an HTML-escaped "&&" from the forum paste.
POBJECT_TYPEGetObpTypeObjectType_Win7()
{
PUCHARaddr,p;
UNICODE_STRINGusObCreateObjectType;
POBJECT_TYPE_ObpTypeObjectType=NULL;
RtlInitUnicodeString(&usObCreateObjectType,L"ObCreateObjectType");
addr=(PUCHAR)MmGetSystemRoutineAddress(&usObCreateObjectType);
// ASSERT only fires in checked builds; a NULL addr would be scanned below.
ASSERT(addr!=NULL);
DbgPrint("ObCreateObjectType=0x%08x\n",addr);
for(p=addr;p<addr+PAGE_SIZE;p++)
{
if((*(PUCHAR)p==0xa1)&amp;&amp;(*(PUCHAR)(p+5)==0xbb))
{
_ObpTypeObjectType=(POBJECT_TYPE)(*(PULONG)(p+1));
DbgPrint("ObpTypeObjectType=0x%08x\n",_ObpTypeObjectType);
return_ObpTypeObjectType;
}
}
// Always true once the loop falls through; kept for the diagnostic message.
if(p==addr+PAGE_SIZE)
DbgPrint("CannotfindObpTypeObjectType!\n");
returnNULL;
}

// Walks the kernel's list of object types, creates the "MyDebugObject" clone
// when the "DebugObject" type is encountered, and records the table slot of
// the clone in DbgkMyDebugObjectType.
// Offsets (name at +0x08, creator-info link at -0x28, index at +0x14) and
// ObpTypeObjectType are only assigned when dwMajorVersion == 6; on any other
// version the locals below are used uninitialized.
// NOTE(review): ObjectTypeTable is declared as an array but assigned and
// passed as a scalar; the subscripts appear to have been lost in the paste,
// so this block does not compile as shown.
voidEnumObjectType_Win7()
{
ULONGOffsetObjectTypeName;
ULONGOffsetCreatorInfoObject;
ULONGOffsetObjectIndexObjectType;
POBJECT_TYPEObpTypeObjectType;
ULONGObjectTypeTable[50]={0};
inti=0;

ULONG_PTRTypeObjectAddr;
PLIST_ENTRYTypeObjectCreatorInfo;
PLIST_ENTRYNextEntry;
RTL_OSVERSIONINFOWVersionInformation;

RtlGetVersion(&amp;VersionInformation);

if(VersionInformation.dwMajorVersion==6)//win7
{
OffsetObjectTypeName=0x08;
OffsetCreatorInfoObject=0x28;
OffsetObjectIndexObjectType=0x14;
ObpTypeObjectType=GetObpTypeObjectType_Win7();
}
// Treats ObpTypeObjectType as the base of a table of 4-byte type pointers.
for(i=0;i<50;i++)
{
ObjectTypeTable=(ULONG)ObpTypeObjectType+sizeof(ULONG)*i;

}
// Enumeration starts at table index 3.
i=3;
TypeObjectAddr=*(PULONG_PTR)ObpTypeObjectType;
// Presumably the creator-info list link that chains all type objects — confirm.
TypeObjectCreatorInfo=(PLIST_ENTRY)(TypeObjectAddr-OffsetCreatorInfoObject);
NextEntry=TypeObjectCreatorInfo;
// Loop until the list wraps back to the starting entry.
while(NextEntry->Flink!=TypeObjectCreatorInfo)
{

if(PickUpObjectType(ObjectTypeTable,L"DebugObject"))
{
InitMyDebugOjbetType(ObjectTypeTable);
}
// The clone, once created, shows up in the same list on a later iteration.
if(PickUpObjectType(ObjectTypeTable,L"MyDebugObject"))
{
DbgkMyDebugObjectType=ObjectTypeTable;
DbgPrint("DbgkMyDebugObjectTypeis%x!\n",DbgkMyDebugObjectType);
}
DbgPrint("TypeAddr=0x%08x,TypeName=%wZ,TypeIndex=%d\n",
(ULONG_PTR)NextEntry+OffsetCreatorInfoObject,
(PUNICODE_STRING)((ULONG_PTR)NextEntry+OffsetCreatorInfoObject+OffsetObjectTypeName),
*(PUCHAR)((ULONG_PTR)NextEntry+OffsetCreatorInfoObject+OffsetObjectIndexObjectType));
NextEntry=NextEntry->Flink;
i++;

}

}

// Drops the reference on the created type object, if any. The
// ObMakeTemporaryObject call is left commented out by the author, so the
// type is only dereferenced, not made temporary.
voidDeleteMyDebugObjectType()
{
if(MyDebugObjectType!=NULL)
{
//ObMakeTemporaryObject(MyDebugObjectType);
ObfDereferenceObject(MyDebugObjectType);
}
}

// Rewrites the memory-operand of one instruction in each of five debug-related
// system calls so that they read the cloned type instead of the kernel's
// DbgkDebugObjectType.
// GetSSDTFunctionAddr (defined elsewhere) resolves a service by SSDT index;
// the indices (96, 61, 387, 97, 289) and the +0x9a/+0x60/+0xb5/+0x82/+0x6d
// offsets are the instruction locations from the disassembly notes above and
// are specific to that one kernel build.
// The original operand is saved in the file-scope DbgkDebugObjectType for
// UnPatchDebugObjectType. The write happens with write-protection cleared
// (WPOFF/WPON, defined elsewhere) at raised IRQL. Direct modification of
// kernel code like this is exactly what kernel integrity checks and Kernel
// Patch Protection are designed to detect; it is also 32-bit-only code
// (ULONG used for addresses, %x for pointers).
// NOTE(review): the DbgPrint labels on the third and fourth calls do not
// match the variable being printed.
voidPatchDebugObjectType()

{

// Read the imm32 operand at NtDebugActiveProcess+0x9a, i.e. the address of
// the kernel's DbgkDebugObjectType global.
DbgkDebugObjectType=(ULONG)GetSSDTFunctionAddr(96)+0x9a;
DbgkDebugObjectType=*(PULONG)DbgkDebugObjectType;
ULONGPassNtDebugActiveProcess=(ULONG)GetSSDTFunctionAddr(96)+0x9a;
ULONGPassNtCreateDebugObject=(ULONG)GetSSDTFunctionAddr(61)+0x60;
ULONGPassNtWaitForDebugEvent=(ULONG)GetSSDTFunctionAddr(387)+0xb5;
ULONGPassNtDebugContinue=(ULONG)GetSSDTFunctionAddr(97)+0x82;
ULONGPassNtRemoveProcessDebug=(ULONG)GetSSDTFunctionAddr(289)+0x6d;
DbgPrint("DbgkDebugObjectTypeis%x!\n",*(PULONG)DbgkDebugObjectType);
DbgPrint("assNtDebugActiveProcessis%x!\n",*(PULONG)PassNtDebugActiveProcess);
DbgPrint("assNtCreateDebugObjectis%x!\n",*(PULONG)PassNtCreateDebugObject);
DbgPrint("assNtCreateDebugObjectis%x!\n",*(PULONG)PassNtWaitForDebugEvent);
DbgPrint("assNtWaitForDebugEventis%x!\n",*(PULONG)PassNtDebugContinue);
DbgPrint("assNtRemoveProcessDebugis%x!\n",*(PULONG)PassNtRemoveProcessDebug);
DbgPrint("DbgkMyDebugObjectTypeis%x!\n",DbgkMyDebugObjectType);
// Only patch when EnumObjectType_Win7 found the clone's table slot.
if(DbgkMyDebugObjectType!=NULL)
{
WPOFF();
KIRQLuKirql;
uKirql=KeRaiseIrqlToSynchLevel();
*(PULONG)PassNtDebugActiveProcess=DbgkMyDebugObjectType;
*(PULONG)PassNtCreateDebugObject=DbgkMyDebugObjectType;
*(PULONG)PassNtWaitForDebugEvent=DbgkMyDebugObjectType;
*(PULONG)PassNtDebugContinue=DbgkMyDebugObjectType;
*(PULONG)PassNtRemoveProcessDebug=DbgkMyDebugObjectType;
KeLowerIrql(uKirql);
WPON();
DbgPrint("atchDebugObjectTypeissucceed!\n");
}
else
{
DbgPrint("atchDebugObjectTypeisfailed!\n");
}


}
// Reverses PatchDebugObjectType: writes the saved original operand
// (DbgkDebugObjectType) back into the same five instruction locations.
// Same build-specific SSDT indices/offsets and the same WPOFF/raised-IRQL
// write sequence as the patch routine. Does nothing if the patch routine
// never ran (DbgkDebugObjectType still NULL).
voidUnPatchDebugObjectType()
{


ULONGPassNtDebugActiveProcess=(ULONG)GetSSDTFunctionAddr(96)+0x9a;
ULONGPassNtCreateDebugObject=(ULONG)GetSSDTFunctionAddr(61)+0x60;
ULONGPassNtWaitForDebugEvent=(ULONG)GetSSDTFunctionAddr(387)+0xb5;
ULONGPassNtDebugContinue=(ULONG)GetSSDTFunctionAddr(97)+0x82;
ULONGPassNtRemoveProcessDebug=(ULONG)GetSSDTFunctionAddr(289)+0x6d;

if(DbgkDebugObjectType!=NULL)
{
WPOFF();
KIRQLuKirql;
uKirql=KeRaiseIrqlToSynchLevel();
*(PULONG)PassNtDebugActiveProcess=DbgkDebugObjectType;
*(PULONG)PassNtCreateDebugObject=DbgkDebugObjectType;
*(PULONG)PassNtWaitForDebugEvent=DbgkDebugObjectType;
*(PULONG)PassNtDebugContinue=DbgkDebugObjectType;
*(PULONG)PassNtRemoveProcessDebug=DbgkDebugObjectType;
KeLowerIrql(uKirql);
WPON();
DbgPrint("UnPatchDebugObjectTypeissucceed!\n");
}
else
{
DbgPrint("UnPatchDebugObjectTypeisfailed!\n");
}


}

// Entry point for this section: enumerate types (creating the clone) and then
// patch the five system-call instructions. Order matters — the patch routine
// requires DbgkMyDebugObjectType to have been set by the enumeration.
voidAntiValidAccessMask()
{
EnumObjectType_Win7();
PatchDebugObjectType();
}


// Teardown counterpart of AntiValidAccessMask: restore the instruction
// operands first, then release the cloned type object.
voidUnAntiValidAccessMask()
{
UnPatchDebugObjectType();
DeleteMyDebugObjectType();
}

#endif




Pass 了。然后是 DebugPort 清零，我们采用暴力法。


nt!DbgkpCloseObject+0x11f:
84eaadfc750cjnent!DbgkpCloseObject+0x12d(84eaae0a)
84eaadfe83a0ec00000000anddwordptr[eax+0ECh],0
84eaae05804c240e01orbyteptr[esp+0Eh],1
84eaae0aa0fc4cd684moval,byteptr[nt!DbgkpProcessDebugPortMutex+0x1c(84d64cfc)]
84eaae0f8325e44cd68400anddwordptr[nt!DbgkpProcessDebugPortMutex+0x4(84d64ce4)],0
84eaae1633c9xorecx,ecx
84eaae188844240fmovbyteptr[esp+0Fh],al
84eaae1c41incecx

1



nt!DbgkCopyProcessDebugPort+0xf:
84e6a7c583a0ec00000000anddwordptr[eax+0ECh],0

17




nt!DbgkpSetProcessDebugObject+0x88:
84eab688a3fc4cd684movdwordptr[nt!DbgkpProcessDebugPortMutex+0x1c(84d64cfc)],eax
84eab68d83beec00000000cmpdwordptr[esi+0ECh],0
84eab6940f85ad000000jnent!DbgkpSetProcessDebugObject+0x147(84eab747)
84eab69a8b4d10movecx,dwordptr[ebp+10h]
84eab69d89beec000000movdwordptr[esi+0ECh],edi
84eab6a3e82c3edbffcallnt!ObfReferenceObject(84c5f4d4)
84eab6a8ff7510pushdwordptr[ebp+10h]
84eab6ab8bc6moveax,esi

2

nt!DbgkpSetProcessDebugObject+0x9a:
84eab69a8b4d10movecx,dwordptr[ebp+10h]
84eab69d89beec000000movdwordptr[esi+0ECh],edi
84eab6a3e82c3edbffcallnt!ObfReferenceObject(84c5f4d4)
84eab6a8ff7510pushdwordptr[ebp+10h]
84eab6ab8bc6moveax,esi
84eab6ade83e18fcffcallnt!PsGetNextProcessThread(84e6cef0)
84eab6b28bf0movesi,eax
84eab6b485f6testesi,esi
3


nt!DbgkpMarkProcessPeb+0x83:
84eaabc233c0xoreax,eax
84eaabc43987ec000000cmpdwordptr[edi+0ECh],eax
84eaabca0f95c0setneal
84eaabcd8b8fa8010000movecx,dwordptr[edi+1A8h]
84eaabd3884102movbyteptr[ecx+2],al
84eaabd6c745fcfeffffffmovdwordptr[ebp-4],0FFFFFFFEh
84eaabddeb16jmpnt!DbgkpMarkProcessPeb+0xb6(84eaabf5)
84eaabdf33c0xoreax,eax

4

nt!DbgkCreateThread+0x225:
84e1c3ede9befeffffjmpnt!DbgkCreateThread+0xe8(84e1c2b0)
84e1c3f2399eec000000cmpdwordptr[esi+0ECh],ebx
84e1c3f80f8442010000jent!DbgkCreateThread+0x378(84e1c540)
84e1c3fe899d24ffffffmovdwordptr[ebp-0DCh],ebx
84e1c404f645c801testbyteptr[ebp-38h],1
84e1c4080f85e5000000jnent!DbgkCreateThread+0x32b(84e1c4f3)
84e1c40e899d38ffffffmovdwordptr[ebp-0C8h],ebx
84e1c4148b8e28010000movecx,dwordptr[esi+128h]

5

nt!DbgkpQueueMessage+0xaa:
84eab1d88b4508moveax,dwordptr[ebp+8]
84eab1db8b80ec000000moveax,dwordptr[eax+0ECh]
84eab1e189442414movdwordptr[esp+14h],eax
84eab1e58b4510moveax,dwordptr[ebp+10h]
84eab1e88b4018moveax,dwordptr[eax+18h]
84eab1eb83f801cmpeax,1
84eab1ee7405jent!DbgkpQueueMessage+0xc7(84eab1f5)
84eab1f083f802cmpeax,2

6


nt!KiDispatchException+0x1d5:
84caf48b8b4050moveax,dwordptr[eax+50h]
84caf48e39b0ec000000cmpdwordptr[eax+0ECh],esi
84caf4947509jnent!KiDispatchException+0x1e9(84caf49f)
84caf496803da91cd68400cmpbyteptr[nt!KdIgnoreUmExceptions(84d61ca9)],0
84caf49d7412jent!KiDispatchException+0x1fb(84caf4b1)
84caf49f813b03000080cmpdwordptr[ebx],80000003h
84caf4a5753fjnent!KiDispatchException+0x230(84caf4e6)
84caf4a7397310cmpdwordptr[ebx+10h],esi

7

nt!DbgkForwardException+0x47:
84decfe0eb06jmpnt!DbgkForwardException+0x4f(84decfe8)
84decfe28b98ec000000movebx,dwordptr[eax+0ECh]
84decfe832c0xoral,al
84decfeaeb12jmpnt!DbgkForwardException+0x65(84decffe)
84decfec50pusheax
84decfede89e580300callnt!PsCaptureExceptionPort(84e22890)
84decff28bd8movebx,eax
84decff4c744241407000000movdwordptr[esp+14h],7

8

nt!PspExitThread+0x2aa:
84e18709e8ef4ce4ffcallnt!ObfDereferenceObject(84c5d3fd)
84e1870e83bfec00000000cmpdwordptr[edi+0ECh],0
84e187157422jent!PspExitThread+0x2da(84e18739)
84e18717f7433c00200000testdwordptr[ebx+3Ch],2000h
84e1871e7519jnent!PspExitThread+0x2da(84e18739)
84e18720807de300cmpbyteptr[ebp-1Dh],0
84e18724740djent!PspExitThread+0x2d4(84e18733)
84e18726ffb774020000pushdwordptr[edi+274h]

9

nt!DbgkExitThread+0x25:
84eaca268b4950movecx,dwordptr[ecx+50h]
84eaca2983b9ec00000000cmpdwordptr[ecx+0ECh],0
84eaca30742fjent!DbgkExitThread+0x60(84eaca61)
84eaca32a802testal,2
84eaca34742bjent!DbgkExitThread+0x60(84eaca61)
84eaca368b4508moveax,dwordptr[ebp+8]
84eaca3989442420movdwordptr[esp+20h],eax
84eaca3d8d0424leaeax,[esp]
10

nt!DbgkClearProcessDebugObject+0x3e:
84e805158b4508moveax,dwordptr[ebp+8]
84e8051805ec000000addeax,0ECh
84e8051d8b38movedi,dwordptr[eax]
84e8051f33dbxorebx,ebx
84e80521897c2410movdwordptr[esp+10h],edi
84e805253bfbcmpedi,ebx
84e805277412jent!DbgkClearProcessDebugObject+0x64(84e8053b)
84e805293b7d0ccmpedi,dwordptr[ebp+0Ch]

11


nt!PspTerminateAllThreads+0x1db:
84e2dc27740ejent!PspTerminateAllThreads+0x1eb(84e2dc37)
84e2dc2983bfec00000000cmpdwordptr[edi+0ECh],0
84e2dc307410jent!PspTerminateAllThreads+0x1f6(84e2dc42)
84e2dc323b7df0cmpedi,dwordptr[ebp-10h]
84e2dc35740bjent!PspTerminateAllThreads+0x1f6(84e2dc42)
84e2dc378bc7moveax,edi
84e2dc39e8bacb0a00callnt!PspDoHandleSweepSingle(84eda7f8)
84e2dc3e8365fc00anddwordptr[ebp-4],0

12

nt!DbgkExitProcess+0x26:
84eaca997543jnent!DbgkExitProcess+0x6b(84eacade)
84eaca9b83b9ec00000000cmpdwordptr[ecx+0ECh],0
84eacaa2743ajent!DbgkExitProcess+0x6b(84eacade)
84eacaa4a802testal,2
84eacaa67436jent!DbgkExitProcess+0x6b(84eacade)
84eacaa881c1a8000000addecx,0A8h
84eacaae51pushecx
84eacaafe80b97d8ffcallnt!KeQuerySystemTime(84c361bf)

13

nt!DbgkpCloseObject+0xd3:
84eaadb08b4508moveax,dwordptr[ebp+8]
84eaadb33998ec000000cmpdwordptr[eax+0ECh],ebx
84eaadb90f85c4000000jnent!DbgkpCloseObject+0x1a6(84eaae83)
84eaadbf8064240efeandbyteptr[esp+0Eh],0FEh
84eaadc4b101movcl,1
84eaadc6ff155c81c084calldwordptr[nt!_imp_KfRaiseIrql(84c0815c)]
84eaadcc8844240fmovbyteptr[esp+0Fh],al
84eaadd08bc6moveax,esi

14


nt!DbgkpCloseObject+0x116:
84eaadf38b4508moveax,dwordptr[ebp+8]
84eaadf63998ec000000cmpdwordptr[eax+0ECh],ebx
84eaadfc750cjnent!DbgkpCloseObject+0x12d(84eaae0a)
84eaadfe83a0ec00000000anddwordptr[eax+0ECh],0
84eaae05804c240e01orbyteptr[esp+0Eh],1
84eaae0aa0fc4cd684moval,byteptr[nt!DbgkpProcessDebugPortMutex+0x1c(84d64cfc)]
84eaae0f8325e44cd68400anddwordptr[nt!DbgkpProcessDebugPortMutex+0x4(84d64ce4)],0
84eaae1633c9xorecx,ecx

15

nt!PspProcessDelete+0xb6:
84e62e56c70600000000movdwordptr[esi],0
84e62e5c8db7ec000000leaesi,[edi+0ECh]
84e62e628b0emovecx,dwordptr[esi]
84e62e6485c9testecx,ecx
84e62e667408jent!PspProcessDelete+0xd0(84e62e70)
84e62e68e890a5dfffcallnt!ObfDereferenceObject(84c5d3fd)
84e62e6d832600anddwordptr[esi],0
84e62e708db7f0000000leaesi,[edi+0F0h]



16



贴代码

Code:
// Guard for the DebugPort section.
// NOTE(review): the #ifndef tests DEBUGPORT but the #define spells DEUBGPORT,
// so the guard never takes effect and a second inclusion would redefine the
// globals below.
#ifndefDEBUGPORT
#defineDEUBGPORT

// Addresses found by SearchDebugPortFeature (at most 20 each) and how many
// were found: pDebugOffset1/n1 for AntiDebugPort, pDebugOffset2/n2 for
// UnAntiDebugPort.
ULONGpDebugOffset1[20]={0};
ULONGpDebugOffset2[20]={0};
intn1=0;
intn2=0;

// Returns TRUE when MmIsAddressValid succeeds for each of Lenth probes
// starting at VirtualAddress, FALSE at the first failure.
// NOTE(review): "+i" is applied to a PVOID*, so successive probes step by
// sizeof(PVOID), not by one byte; for the 6-byte windows used by the callers
// this probes past the intended range rather than each byte of it — confirm
// whether that was intended.
BOOLEAN__stdcallMmIsAddressValidEx(PVOIDVirtualAddress,intLenth)
{
inti=0;

for(i=0;i<Lenth;i++)
{
if(MmIsAddressValid(&amp;*(PVOID*)VirtualAddress+i)==FALSE)
{
returnFALSE;
}

}
returnTRUE;

}
// Byte-pattern scan over ModuleSize bytes starting at nAddr.
// nAddr      - start address (held in an int; 32-bit only).
// pFeature   - nLine patterns of 6 bytes each.
// nLeng      - bytes compared per position (callers pass 6).
// pArray     - receives nAddr+AddBytes for every position that matches any
//              pattern; *FindCount is the running number of entries.
// No bound on pArray is checked against *FindCount, and the 256-byte staging
// buffer is only safe because nLeng is small at the call sites.
// Each position is first probed with MmIsAddressValidEx, then copied into
// szStatus and compared against every pattern with RtlCompareMemory.
voidSearchDebugPortFeature(intnAddr,charpFeature[][6],intnLine,intModuleSize,intnLeng,ULONG*pArray,int*FindCount,intAddBytes)
{
charszStatus[256]="";
inti=0;
intj=0;
for(i=0;i<ModuleSize;i++)
{
if(MmIsAddressValidEx((PVOID)nAddr,nLeng))
{

RtlMoveMemory(szStatus,(char*)nAddr,nLeng);
for(j=0;j<nLine;j++)
{
// RtlCompareMemory returns the count of matching leading bytes.
if(RtlCompareMemory(pFeature[j],szStatus,nLeng)==nLeng)
{
pArray[*FindCount]=nAddr+AddBytes;
DbgPrint("FindAddressis%x",pArray[*FindCount]);
(*FindCount)++;
}
}



}
nAddr++;

}


}

// Brute-force patch of the kernel image: every 6-byte instruction encoding in
// "code" (the "[reg+0ECh]" accesses listed in the disassembly notes above,
// plus one leading byte of the preceding instruction in pattern 11) is
// searched for across 900 chunks of 4673 bytes from the kernel base, and at
// each hit the byte at +2 (the 0xEC displacement) is overwritten with 0x70.
// Caveats visible in the code: the chunk size and count are hard-coded, the
// scan is not restricted to the functions the notes came from, so any
// unrelated 6-byte sequence in that range is patched too; writes are done
// with write-protection cleared (WPOFF/WPON) at raised IRQL. Modifying
// ntoskrnl code bytes like this is the kind of change that kernel integrity
// checking and Kernel Patch Protection exist to detect; this code is also
// 32-bit-only (int used for addresses).
// NOTE(review): the writes below address pDebugOffset1 as a scalar, so the
// per-hit subscript appears to have been lost in the paste.
voidAntiDebugPort()
{
inti=0;
intkernelbase;
intkernelsize=4673;
charcode[13][6]={
{(char)0x83,(char)0xa0,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//1
{(char)0x83,(char)0xbe,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//2
{(char)0x89,(char)0xbe,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//3
{(char)0x39,(char)0x87,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//4
{(char)0x39,(char)0x9e,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//5
{(char)0x8b,(char)0x80,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//6
{(char)0x39,(char)0xb0,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//7
{(char)0x8b,(char)0x98,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//8
{(char)0x83,(char)0xbf,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//9
{(char)0x83,(char)0xb9,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//10
{(char)0x08,(char)0x05,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//11
//{(char)0x83,(char)0xbf,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//12
//{(char)0x83,(char)0xb9,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//13
{(char)0x39,(char)0x98,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//14
//{(char)0x39,(char)0x98,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//15
{(char)0x8d,(char)0xb7,(char)0xec,(char)0x00,(char)0x00,(char)0x00},//16
// Only 13 rows are active; the array is declared [13][6] and nLine is 13.



};
// GetSysImageBase is a project helper (not on this page); try both kernel
// image names.
kernelbase=(int)GetSysImageBase(L"ntoskrnl.exe");
if(kernelbase==0)
{
kernelbase=(int)GetSysImageBase(L"ntkrnlpa.exe");
}
DbgPrint("kernelbaseis%x",kernelbase);
if(kernelbase!=0)
{

for(i=0;i<900;i++)//770
{
SearchDebugPortFeature((int)kernelbase+kernelsize*i,code,13,4673,6,pDebugOffset1,&amp;n1,2);
//DbgPrint("kerneladdris%x",(int)kernelbase+kernelsize*i);
}
DbgPrint("nis%d",n1);
for(i=0;i<n1;i++)
{
WPOFF();
KIRQLuKirql;
uKirql=KeRaiseIrqlToSynchLevel();
*(PUCHAR)(pDebugOffset1)=0x70;
DbgPrint("pDebugOffsetAddris%x",pDebugOffset1);
DbgPrint("pDebugOffsetis%x",*((PULONG)pDebugOffset1));
KeLowerIrql(uKirql);
WPON();
}



}

}



// Mirror of AntiDebugPort: scans for the same instruction encodings with the
// displacement already changed to 0x70 and writes 0xEC back at +2.
// It re-scans rather than reusing pDebugOffset1/n1, so it also restores any
// unrelated match of the 0x70 patterns, and it relies on the same hard-coded
// chunking and the same WPOFF/raised-IRQL write sequence.
// NOTE(review): as in AntiDebugPort, pDebugOffset2 is addressed as a scalar
// inside the per-hit loop; the subscript appears lost in the paste.
voidUnAntiDebugPort()
{
inti=0;
intkernelbase;
intkernelsize=4673;
charcode[13][6]={
{(char)0x83,(char)0xa0,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//1
{(char)0x83,(char)0xbe,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//2
{(char)0x89,(char)0xbe,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//3
{(char)0x39,(char)0x87,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//4
{(char)0x39,(char)0x9e,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//5
{(char)0x8b,(char)0x80,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//6
{(char)0x39,(char)0xb0,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//7
{(char)0x8b,(char)0x98,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//8
{(char)0x83,(char)0xbf,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//9
{(char)0x83,(char)0xb9,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//10
{(char)0x08,(char)0x05,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//11
//{(char)0x83,(char)0xbf,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//12
//{(char)0x83,(char)0xb9,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//13
{(char)0x39,(char)0x98,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//14
//{(char)0x39,(char)0x98,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//15
{(char)0x8d,(char)0xb7,(char)0x70,(char)0x00,(char)0x00,(char)0x00},//16



};
kernelbase=(int)GetSysImageBase(L"ntoskrnl.exe");
if(kernelbase==0)
{
kernelbase=(int)GetSysImageBase(L"ntkrnlpa.exe");
}
DbgPrint("kernelbaseis%x",kernelbase);
if(kernelbase!=0)
{
for(i=0;i<900;i++)//770
{
SearchDebugPortFeature((int)kernelbase+kernelsize*i,code,13,4673,6,pDebugOffset2,&amp;n2,2);
//DbgPrint("kerneladdris%x",(int)kernelbase+kernelsize*i);
}
DbgPrint("nis%d",n2);
for(i=0;i<n2;i++)
{
WPOFF();
KIRQLuKirql;
uKirql=KeRaiseIrqlToSynchLevel();
// Restore the original 0xEC displacement byte.
*(PUCHAR)(pDebugOffset2)=0xec;
DbgPrint("pDebugOffsetAddris%x",pDebugOffset2);
DbgPrint("pDebugOffsetis%x",*((PULONG)pDebugOffset2));
KeLowerIrql(uKirql);
WPON();
}



}

}


#endif


上图。至于非法就不在 pass TP 的范围内了，有图有真相。
*转载