How OllyDbg process attach is restored
1. Restoring the hooked code in DbgBreakPoint and DbgUiRemoteBreakin
// Since I build against the ntdll SDK I can call the NTDLL APIs directly; if you cannot, resolve the addresses with GetProcAddress instead.
Note on this fix: you can write your own hook on LoadLibrary and re-apply the repair every time a DLL is loaded, so that a DLL which is itself packed with TMD cannot undo it again.
ntdll->DbgBreakPoint: the TMD packer overwrites the INT3 with retn (0xC3)
DWORD lpflOldProtect;
LPVOID ulAddress = (LPVOID)DbgBreakPoint;
VirtualProtect(ulAddress, 1, PAGE_EXECUTE_READWRITE, &lpflOldProtect);
*(BYTE*)ulAddress = 0xCC;                                   // put the INT3 back
VirtualProtect(ulAddress, 1, lpflOldProtect, &lpflOldProtect); // drop RWX again
ntdll->DbgUiRemoteBreakin: TMD overwrites the prologue with JMP LdrShutdownProcess (a 5-byte E9 rel32)
ulAddress = (LPVOID)DbgUiRemoteBreakin;
VirtualProtect(ulAddress, 5, PAGE_EXECUTE_READWRITE, &lpflOldProtect); // 5 bytes are rewritten, so protect 5, not 1
*(BYTE*)ulAddress = 0x6A;                                   // push 8
*(DWORD*)((BYTE*)ulAddress + 1) = 0xFC686808;               // bytes 08 68 68 FC: operand of push 8, then the start of the push imm32
VirtualProtect(ulAddress, 5, lpflOldProtect, &lpflOldProtect);
FlushInstructionCache(GetCurrentProcess(), ulAddress, 5);
These five bytes are the prologue of one particular 32-bit ntdll build; before writing them, compare them against the same function in a clean copy of the ntdll you are running on.
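The checks below are an added example and not code from the original post: they classify the first bytes of the two ntdll entry points the post repairs (intact, patched to retn, or patched to a jmp), decode where an E9 jmp actually goes, and reproduce the 5-byte image the post's BYTE and DWORD stores lay down so the little-endian byte order is visible. Everything works on plain byte buffers so it compiles and runs anywhere; on Windows the buffers would be the bytes at the addresses returned by GetProcAddress for "DbgBreakPoint" and "DbgUiRemoteBreakin", and the sample buffers and the 0x10001000 address are constructed, not taken from a real process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What the first bytes of a debug entry point look like. */
typedef enum {
    ENTRY_INTACT = 0,   /* expected original bytes present */
    ENTRY_RETN   = 1,   /* 0xC3 at offset 0: the call returns immediately */
    ENTRY_JMP    = 2,   /* 0xE9 rel32 at offset 0: control is diverted elsewhere */
    ENTRY_OTHER  = 3    /* anything else: inspect by hand */
} entry_state;

/* An unpatched DbgBreakPoint starts with INT3 (0xCC). */
entry_state classify_dbgbreakpoint(const uint8_t *code)
{
    if (code[0] == 0xCC) return ENTRY_INTACT;
    if (code[0] == 0xC3) return ENTRY_RETN;
    if (code[0] == 0xE9) return ENTRY_JMP;
    return ENTRY_OTHER;
}

/* The post restores DbgUiRemoteBreakin with 6A 08 68 68 FC (push 8; start of a
 * push imm32). These bytes belong to the ntdll build the post was written against. */
static const uint8_t DBGUI_EXPECTED[5] = { 0x6A, 0x08, 0x68, 0x68, 0xFC };

entry_state classify_dbguiremotebreakin(const uint8_t *code)
{
    if (memcmp(code, DBGUI_EXPECTED, sizeof DBGUI_EXPECTED) == 0) return ENTRY_INTACT;
    if (code[0] == 0xE9) return ENTRY_JMP;
    if (code[0] == 0xC3) return ENTRY_RETN;
    return ENTRY_OTHER;
}

/* Destination of a 5-byte E9 rel32 jump that sits at insn_addr. 32-bit
 * arithmetic, matching the 32-bit ntdll the post targets. */
uint32_t jmp_rel32_target(uint32_t insn_addr, const uint8_t *code)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return insn_addr + 5 + rel;   /* rel32 is relative to the end of the jump */
}

/* The 5-byte image produced by the post's two stores: a BYTE 0x6A at offset 0
 * and a little-endian DWORD 0xFC686808 at offset 1. */
void build_dbgui_restore(uint8_t out[5])
{
    uint32_t dw = 0xFC686808u;
    out[0] = 0x6A;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(dw >> (8 * i));
}

/* 1 when the restore image is exactly the expected prologue, 0 otherwise. */
int restore_image_is_prologue(void)
{
    uint8_t img[5];
    build_dbgui_restore(img);
    return classify_dbguiremotebreakin(img) == ENTRY_INTACT;
}

/* Constructed sample buffers (not dumps from a real process). */
static const uint8_t SAMPLE_DBP_CLEAN[2]     = { 0xCC, 0xC3 };
static const uint8_t SAMPLE_DBP_PATCHED[2]   = { 0xC3, 0x90 };
static const uint8_t SAMPLE_DBGUI_PATCHED[5] = { 0xE9, 0x00, 0x10, 0x00, 0x00 }; /* jmp +0x1000 */

int main(void)
{
    static const char *names[] = { "intact", "retn patch", "jmp patch", "other" };
    printf("DbgBreakPoint (clean sample):         %s\n", names[classify_dbgbreakpoint(SAMPLE_DBP_CLEAN)]);
    printf("DbgBreakPoint (patched sample):       %s\n", names[classify_dbgbreakpoint(SAMPLE_DBP_PATCHED)]);
    printf("DbgUiRemoteBreakin (patched sample):  %s, jmp target 0x%08X\n",
           names[classify_dbguiremotebreakin(SAMPLE_DBGUI_PATCHED)],
           jmp_rel32_target(0x10001000u, SAMPLE_DBGUI_PATCHED));
    printf("restore image matches prologue:       %d\n", restore_image_is_prologue());
    return 0;
}
```

Run the classifiers against the live bytes before writing anything: a function reported as ENTRY_OTHER means the ntdll in use has a different prologue from the one the post's constants describe, and the fix bytes must be taken from a clean copy of that build instead.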