作 者: 小烦
时 间: 2013-08-07,16:46:07
链 接: http://bbs.pediy.com/showthread.php?t=176806
TP技术难点:
1.双机调试
2.TesSafe自身模块硬断检测和自身CRC检测
3.DebugObjectType 权值清零（即 TP 把 nt!DbgkDebugObjectType 的 ValidAccessMask 清零，对应后面的 AntiValidAccessMask 代码）
4.DebugPort清零
1 解决了，2 放弃，3 Pass，4 Pass a half（只过了一半）
讲解3.
直接上笔记和码
nt!NtDebugActiveProcess+0x9a:
84cb8e4a 341b xor al,1Bh
nt!NtCreateDebugObject+0x60:
84cb7f53 341b xor al,1Bh
nt!NtWaitForDebugEvent+0xb5:
84cb920a 341b xor al,1Bh
nt!NtDebugContinue+0x82:
84cb94f3 341b xor al,1Bh
nt!NtRemoveProcessDebug+0x6d:
这里是这些系统调用引用 nt!DbgkDebugObjectType 的位置，我们要替换它。上面各处偏移（NtDebugActiveProcess+0x9a 等）显示的 `xor al,1Bh` 应该不是真实指令：反汇编起点落在了取 DbgkDebugObjectType 那条指令的 4 字节地址操作数中间，所以后面的代码直接把「函数地址+该偏移」当成一个 ULONG 来读写，读出来的值就是 nt!DbgkDebugObjectType 的地址。
把这 4 个字节改成指向我们自己造好的 DebugObject 类型的表项即可（见后面的 PatchDebugObjectType）。
3 pass 了。然后是 DebugPort 清零，我们采用暴力法：在 ntoskrnl 里按字节搜索所有形如「寄存器+0ECh」（本机 Win7 x86 上 EPROCESS.DebugPort 的偏移，见下面 17 处反汇编）的指令编码，把位移字节 0xEC 直接改成 0x70，让内核改去读写另一个字段。注意这是整段字节扫描，没有判断命中点是否在 Dbgk/Ps 相关函数里，内核里其它用到同样编码的代码也会被一起改掉，改错就直接蓝屏；另外 0x70 处是什么字段文中没有说明，它必须是进程对象里没人使用的 4 字节，否则会破坏那个字段。
nt!DbgkpCloseObject+0x11f:
84eaadfc 750c jne nt!DbgkpCloseObject+0x12d (84eaae0a)
84eaadfe 83a0ec00000000 and dword ptr [eax+0ECh],0
84eaae05 804c240e01 or byte ptr [esp+0Eh],1
84eaae0a a0fc4cd684 mov al,byte ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)]
84eaae0f 8325e44cd68400 and dword ptr [nt!DbgkpProcessDebugPortMutex+0x4 (84d64ce4)],0
84eaae16 33c9 xor ecx,ecx
84eaae18 8844240f mov byte ptr [esp+0Fh],al
84eaae1c 41 inc ecx
1
nt!DbgkCopyProcessDebugPort+0xf:
84e6a7c5 83a0ec00000000 and dword ptr [eax+0ECh],0
17
nt!DbgkpSetProcessDebugObject+0x88:
84eab688 a3fc4cd684 mov dword ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)],eax
84eab68d 83beec00000000 cmp dword ptr [esi+0ECh],0
84eab694 0f85ad000000 jne nt!DbgkpSetProcessDebugObject+0x147 (84eab747)
84eab69a 8b4d10 mov ecx,dword ptr [ebp+10h]
84eab69d 89beec000000 mov dword ptr [esi+0ECh],edi
84eab6a3 e82c3edbff call nt!ObfReferenceObject (84c5f4d4)
84eab6a8 ff7510 push dword ptr [ebp+10h]
84eab6ab 8bc6 mov eax,esi
2
nt!DbgkpSetProcessDebugObject+0x9a:
84eab69a 8b4d10 mov ecx,dword ptr [ebp+10h]
84eab69d 89beec000000 mov dword ptr [esi+0ECh],edi
84eab6a3 e82c3edbff call nt!ObfReferenceObject (84c5f4d4)
84eab6a8 ff7510 push dword ptr [ebp+10h]
84eab6ab 8bc6 mov eax,esi
84eab6ad e83e18fcff call nt!PsGetNextProcessThread (84e6cef0)
84eab6b2 8bf0 mov esi,eax
84eab6b4 85f6 test esi,esi
3
nt!DbgkpMarkProcessPeb+0x83:
84eaabc2 33c0 xor eax,eax
84eaabc4 3987ec000000 cmp dword ptr [edi+0ECh],eax
84eaabca 0f95c0 setne al
84eaabcd 8b8fa8010000 mov ecx,dword ptr [edi+1A8h]
84eaabd3 884102 mov byte ptr [ecx+2],al
84eaabd6 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
84eaabdd eb16 jmp nt!DbgkpMarkProcessPeb+0xb6 (84eaabf5)
84eaabdf 33c0 xor eax,eax
4
nt!DbgkCreateThread+0x225:
84e1c3ed e9befeffff jmp nt!DbgkCreateThread+0xe8 (84e1c2b0)
84e1c3f2 399eec000000 cmp dword ptr [esi+0ECh],ebx
84e1c3f8 0f8442010000 je nt!DbgkCreateThread+0x378 (84e1c540)
84e1c3fe 899d24ffffff mov dword ptr [ebp-0DCh],ebx
84e1c404 f645c801 test byte ptr [ebp-38h],1
84e1c408 0f85e5000000 jne nt!DbgkCreateThread+0x32b (84e1c4f3)
84e1c40e 899d38ffffff mov dword ptr [ebp-0C8h],ebx
84e1c414 8b8e28010000 mov ecx,dword ptr [esi+128h]
5
nt!DbgkpQueueMessage+0xaa:
84eab1d8 8b4508 mov eax,dword ptr [ebp+8]
84eab1db 8b80ec000000 mov eax,dword ptr [eax+0ECh]
84eab1e1 89442414 mov dword ptr [esp+14h],eax
84eab1e5 8b4510 mov eax,dword ptr [ebp+10h]
84eab1e8 8b4018 mov eax,dword ptr [eax+18h]
84eab1eb 83f801 cmp eax,1
84eab1ee 7405 je nt!DbgkpQueueMessage+0xc7 (84eab1f5)
84eab1f0 83f802 cmp eax,2
6
nt!KiDispatchException+0x1d5:
84caf48b 8b4050 mov eax,dword ptr [eax+50h]
84caf48e 39b0ec000000 cmp dword ptr [eax+0ECh],esi
84caf494 7509 jne nt!KiDispatchException+0x1e9 (84caf49f)
84caf496 803da91cd68400 cmp byte ptr [nt!KdIgnoreUmExceptions (84d61ca9)],0
84caf49d 7412 je nt!KiDispatchException+0x1fb (84caf4b1)
84caf49f 813b03000080 cmp dword ptr [ebx],80000003h
84caf4a5 753f jne nt!KiDispatchException+0x230 (84caf4e6)
84caf4a7 397310 cmp dword ptr [ebx+10h],esi
7
nt!DbgkForwardException+0x47:
84decfe0 eb06 jmp nt!DbgkForwardException+0x4f (84decfe8)
84decfe2 8b98ec000000 mov ebx,dword ptr [eax+0ECh]
84decfe8 32c0 xor al,al
84decfea eb12 jmp nt!DbgkForwardException+0x65 (84decffe)
84decfec 50 push eax
84decfed e89e580300 call nt!PsCaptureExceptionPort (84e22890)
84decff2 8bd8 mov ebx,eax
84decff4 c744241407000000 mov dword ptr [esp+14h],7
8
nt!PspExitThread+0x2aa:
84e18709 e8ef4ce4ff call nt!ObfDereferenceObject (84c5d3fd)
84e1870e 83bfec00000000 cmp dword ptr [edi+0ECh],0
84e18715 7422 je nt!PspExitThread+0x2da (84e18739)
84e18717 f7433c00200000 test dword ptr [ebx+3Ch],2000h
84e1871e 7519 jne nt!PspExitThread+0x2da (84e18739)
84e18720 807de300 cmp byte ptr [ebp-1Dh],0
84e18724 740d je nt!PspExitThread+0x2d4 (84e18733)
84e18726 ffb774020000 push dword ptr [edi+274h]
9
nt!DbgkExitThread+0x25:
84eaca26 8b4950 mov ecx,dword ptr [ecx+50h]
84eaca29 83b9ec00000000 cmp dword ptr [ecx+0ECh],0
84eaca30 742f je nt!DbgkExitThread+0x60 (84eaca61)
84eaca32 a802 test al,2
84eaca34 742b je nt!DbgkExitThread+0x60 (84eaca61)
84eaca36 8b4508 mov eax,dword ptr [ebp+8]
84eaca39 89442420 mov dword ptr [esp+20h],eax
84eaca3d 8d0424 lea eax,[esp]
10
nt!DbgkClearProcessDebugObject+0x3e:
84e80515 8b4508 mov eax,dword ptr [ebp+8]
84e80518 05ec000000 add eax,0ECh
84e8051d 8b38 mov edi,dword ptr [eax]
84e8051f 33db xor ebx,ebx
84e80521 897c2410 mov dword ptr [esp+10h],edi
84e80525 3bfb cmp edi,ebx
84e80527 7412 je nt!DbgkClearProcessDebugObject+0x64 (84e8053b)
84e80529 3b7d0c cmp edi,dword ptr [ebp+0Ch]
11
nt!PspTerminateAllThreads+0x1db:
84e2dc27 740e je nt!PspTerminateAllThreads+0x1eb (84e2dc37)
84e2dc29 83bfec00000000 cmp dword ptr [edi+0ECh],0
84e2dc30 7410 je nt!PspTerminateAllThreads+0x1f6 (84e2dc42)
84e2dc32 3b7df0 cmp edi,dword ptr [ebp-10h]
84e2dc35 740b je nt!PspTerminateAllThreads+0x1f6 (84e2dc42)
84e2dc37 8bc7 mov eax,edi
84e2dc39 e8bacb0a00 call nt!PspDoHandleSweepSingle (84eda7f8)
84e2dc3e 8365fc00 and dword ptr [ebp-4],0
12
nt!DbgkExitProcess+0x26:
84eaca99 7543 jne nt!DbgkExitProcess+0x6b (84eacade)
84eaca9b 83b9ec00000000 cmp dword ptr [ecx+0ECh],0
84eacaa2 743a je nt!DbgkExitProcess+0x6b (84eacade)
84eacaa4 a802 test al,2
84eacaa6 7436 je nt!DbgkExitProcess+0x6b (84eacade)
84eacaa8 81c1a8000000 add ecx,0A8h
84eacaae 51 push ecx
84eacaaf e80b97d8ff call nt!KeQuerySystemTime (84c361bf)
13
nt!DbgkpCloseObject+0xd3:
84eaadb0 8b4508 mov eax,dword ptr [ebp+8]
84eaadb3 3998ec000000 cmp dword ptr [eax+0ECh],ebx
84eaadb9 0f85c4000000 jne nt!DbgkpCloseObject+0x1a6 (84eaae83)
84eaadbf 8064240efe and byte ptr [esp+0Eh],0FEh
84eaadc4 b101 mov cl,1
84eaadc6 ff155c81c084 call dword ptr [nt!_imp_KfRaiseIrql (84c0815c)]
84eaadcc 8844240f mov byte ptr [esp+0Fh],al
84eaadd0 8bc6 mov eax,esi
14
nt!DbgkpCloseObject+0x116:
84eaadf3 8b4508 mov eax,dword ptr [ebp+8]
84eaadf6 3998ec000000 cmp dword ptr [eax+0ECh],ebx
84eaadfc 750c jne nt!DbgkpCloseObject+0x12d (84eaae0a)
84eaadfe 83a0ec00000000 and dword ptr [eax+0ECh],0
84eaae05 804c240e01 or byte ptr [esp+0Eh],1
84eaae0a a0fc4cd684 mov al,byte ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)]
84eaae0f 8325e44cd68400 and dword ptr [nt!DbgkpProcessDebugPortMutex+0x4 (84d64ce4)],0
84eaae16 33c9 xor ecx,ecx
15
nt!PspProcessDelete+0xb6:
84e62e56 c70600000000 mov dword ptr [esi],0
84e62e5c 8db7ec000000 lea esi,[edi+0ECh]
84e62e62 8b0e mov ecx,dword ptr [esi]
84e62e64 85c9 test ecx,ecx
84e62e66 7408 je nt!PspProcessDelete+0xd0 (84e62e70)
84e62e68 e890a5dfff call nt!ObfDereferenceObject (84c5d3fd)
84e62e6d 832600 and dword ptr [esi],0
84e62e70 8db7f0000000 lea esi,[edi+0F0h]
16
贴代码
上图 至于非法就不是在 pass TP 的范围内了 有图有真相
*转载
时 间: 2013-08-07,16:46:07
链 接: http://bbs.pediy.com/showthread.php?t=176806
TP技术难点:
1.双机调试
2.TesSafe自身模块硬断检测和自身CRC检测
3.DebugObjectType 权值清零（即 TP 把 nt!DbgkDebugObjectType 的 ValidAccessMask 清零，对应下面的 AntiValidAccessMask 代码）
4.DebugPort清零
1 解决了，2 放弃，3 Pass，4 Pass a half（只过了一半）
讲解3.
直接上笔记和码
nt!NtDebugActiveProcess+0x9a:
84cb8e4a 341b xor al,1Bh
nt!NtCreateDebugObject+0x60:
84cb7f53 341b xor al,1Bh
nt!NtWaitForDebugEvent+0xb5:
84cb920a 341b xor al,1Bh
nt!NtDebugContinue+0x82:
84cb94f3 341b xor al,1Bh
nt!NtRemoveProcessDebug+0x6d:
这里是这些系统调用引用 nt!DbgkDebugObjectType 的位置，我们要替换它。上面各处偏移（NtDebugActiveProcess+0x9a 等）显示的 `xor al,1Bh` 应该不是真实指令：反汇编起点落在了取 DbgkDebugObjectType 那条指令的 4 字节地址操作数中间，所以下面的代码直接把「函数地址+该偏移」当成一个 ULONG 来读写，读出来的值就是 nt!DbgkDebugObjectType 的地址。
把这 4 个字节改成指向我们自己造好的 DebugObject 类型的表项即可（见下面的 PatchDebugObjectType）。
Code:
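#ifndef VALIDACCESSMASK
#define VALIDACCESSMASK

/*
 * "AntiValidAccessMask": TP (TesSafe) zeroes the ValidAccessMask of the kernel's
 * DebugObject type (nt!DbgkDebugObjectType), so access checks against that type fail.
 * This unit registers a private clone of the type with a full ValidAccessMask and
 * rewrites the five Nt* debug syscalls so they reference the clone instead.
 *
 * Everything here is tied to one 32-bit Windows 7 kernel build: the struct layouts,
 * the SSDT indexes and the byte offsets of the DbgkDebugObjectType operands are
 * hard-coded.  It rewrites kernel code in place; treat it as research code.
 */

#define OBJECT_TO_OBJECT_HEADER(o) CONTAINING_RECORD((o), OBJECT_HEADER_WIN7, Body)

/* Capacity of the slot table built in EnumObjectType_Win7; also bounds the list walk. */
#define MAX_OBJECT_TYPE_SLOTS 50
/* Number of syscall sites whose operand names nt!DbgkDebugObjectType. */
#define DBGK_SITE_COUNT 5

typedef struct _OBJECT_DIRECTORY_ENTRY_WIN7 {
    struct _OBJECT_DIRECTORY_ENTRY_WIN7 *ChainLink;
    PVOID Object;
    ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY_WIN7, *POBJECT_DIRECTORY_ENTRY_WIN7;

/*
 * Mirror of the Win7 x86 _OBJECT_TYPE_INITIALIZER (0x50 bytes).  A pointer to it is
 * handed to ObCreateObjectType, so field sizes and order must match the running kernel.
 */
typedef struct _OBJECT_TYPE_INITIALIZER_WIN7 {
    USHORT Length;
    USHORT type;                    /* +0x002 ObjectTypeFlags (UChar) plus one pad byte.
                                       Bits: CaseInsensitive=0, UnnamedObjectsOnly=1,
                                       UseDefaultObject=2, SecurityRequired=3,
                                       MaintainHandleCount=4, MaintainTypeList=5 */
    PVOID ObjectTypeCode;
    PVOID InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    PVOID ValidAccessMask;
    PVOID RetainAccess;
    POOL_TYPE PoolType;
    PVOID DefaultPagedPoolCharge;
    PVOID DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;     /* Was USHORT.  This is a function pointer at +0x4c;
                                       copying it through a 16-bit field truncated any
                                       non-NULL value.  Total size stays 0x50 either way. */
} OBJECT_TYPE_INITIALIZER_WIN7, *POBJECT_TYPE_INITIALIZER_WIN7;

typedef struct _OBJECT_CREATE_INFORMATION_WIN7 {
    ULONG Attributes;
    HANDLE RootDirectory;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PVOID SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION_WIN7, *POBJECT_CREATE_INFORMATION_WIN7;

/* Mirror of the Win7 x86 _OBJECT_TYPE; only Name and TypeInfo are read here. */
typedef struct _OBJECT_TYPE_WIN7 {
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    ULONG Index;                    /* UChar at +0x14 in the kernel; the ULONG covers it and its padding */
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER_WIN7 TypeInfo;
    PVOID TypeLock;                 /* _EX_PUSH_LOCK */
    ULONG Key;
    LIST_ENTRY CallbackList;
} OBJECT_TYPE_WIN7, *POBJECT_TYPE_WIN7;

/* Mirror of the Win7 x86 _OBJECT_HEADER; the object body starts at Body. */
typedef struct _OBJECT_HEADER_WIN7 {
    LONG_PTR PointerCount;          /* references held on the object header */
    union {
        LONG_PTR HandleCount;       /* open handles to the object */
        PVOID NextToFree;
    };
    POBJECT_TYPE Type;
    UCHAR NameInfoOffset;           /* distance back from this header to OBJECT_HEADER_NAME_INFO */
    UCHAR HandleInfoOffset;         /* distance back to OBJECT_HEADER_HANDLE_INFO */
    UCHAR QuotaInfoOffset;          /* distance back to OBJECT_HEADER_QUOTA_INFO */
    UCHAR Flags;
    union {
        PVOID ObjectCreateInfo;     /* during creation: data used to build the optional headers */
        PVOID QuotaBlockCharged;
    };
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;
} OBJECT_HEADER_WIN7, *POBJECT_HEADER_WIN7;

EXTERN_C {
NTKERNELAPI NTSTATUS ObCreateObjectType(
    __in PUNICODE_STRING TypeName,
    __in POBJECT_TYPE_INITIALIZER_WIN7 ObjectTypeInitializer,
    __in_opt PSECURITY_DESCRIPTOR SecurityDesorintor,
    __in POBJECT_TYPE_WIN7 *ObjectType
);
NTKERNELAPI PVOID ObGetObjectType(
    __in PVOID pObject
);
}

/* Original 32-bit operand read from the first patch site, i.e. the kernel's address of
 * nt!DbgkDebugObjectType.  0 until PatchDebugObjectType has applied the patch; it is the
 * value UnPatchDebugObjectType writes back. */
ULONG DbgkDebugObjectType = 0;
/* Address of the slot (in the kernel's table of type-object pointers located by
 * GetObpTypeObjectType_Win7) that holds MyDebugObjectType.  Written into the five sites
 * in place of the address of nt!DbgkDebugObjectType. */
ULONG DbgkMyDebugObjectType = 0;
POBJECT_TYPE_WIN7 MyDebugObjectType = NULL;
OBJECT_TYPE_INITIALIZER_WIN7 ObjectTypeInitializer;

/*
 * Register a private object type cloned from the kernel's DebugObject type.
 * tmpObjectType: the kernel's DebugObject type object; MyObjectTypeName: name of the clone.
 * On success MyDebugObjectType points at the new type; on failure it stays NULL.
 */
void CreateMyDebugObjectType(POBJECT_TYPE_WIN7 tmpObjectType, UNICODE_STRING MyObjectTypeName)
{
    NTSTATUS status;
    POBJECT_TYPE_INITIALIZER_WIN7 src = &tmpObjectType->TypeInfo;

    RtlZeroMemory(&ObjectTypeInitializer, sizeof(ObjectTypeInitializer));
    /* ObjectTypeFlags ("type") are deliberately left zero, as in the original. */
    ObjectTypeInitializer.Length = src->Length;
    ObjectTypeInitializer.ObjectTypeCode = src->ObjectTypeCode;
    ObjectTypeInitializer.InvalidAttributes = src->InvalidAttributes;
    ObjectTypeInitializer.GenericMapping = src->GenericMapping;
    /* The one intended difference from the original type: TP zeroes the original's
     * ValidAccessMask, which makes every access check against it fail.  The clone
     * accepts all standard and specific rights (0x001fffff). */
    ObjectTypeInitializer.ValidAccessMask = (PVOID)0x001fffff;
    ObjectTypeInitializer.RetainAccess = src->RetainAccess;
    ObjectTypeInitializer.PoolType = src->PoolType;
    ObjectTypeInitializer.DefaultPagedPoolCharge = src->DefaultPagedPoolCharge;
    ObjectTypeInitializer.DefaultNonPagedPoolCharge = src->DefaultNonPagedPoolCharge;
    ObjectTypeInitializer.DumpProcedure = src->DumpProcedure;
    ObjectTypeInitializer.OpenProcedure = src->OpenProcedure;
    ObjectTypeInitializer.CloseProcedure = src->CloseProcedure;
    ObjectTypeInitializer.DeleteProcedure = src->DeleteProcedure;
    ObjectTypeInitializer.ParseProcedure = src->ParseProcedure;
    ObjectTypeInitializer.SecurityProcedure = src->SecurityProcedure;
    ObjectTypeInitializer.QueryNameProcedure = src->QueryNameProcedure;
    ObjectTypeInitializer.OkayToCloseProcedure = src->OkayToCloseProcedure;

    MyDebugObjectType = NULL;
    status = ObCreateObjectType(&MyObjectTypeName, &ObjectTypeInitializer,
                                (PSECURITY_DESCRIPTOR)NULL, &MyDebugObjectType);
    if (status != 0) {              /* STATUS_SUCCESS is 0; the original ignored the status */
        DbgPrint("ObCreateObjectType failed with %x\n", status);
        MyDebugObjectType = NULL;
    }
}

/*
 * Create the private type the first time the kernel's DebugObject slot is seen.
 * pObjectType: address of the table slot holding the DebugObject type pointer.
 */
void InitMyDebugOjbetType(ULONG pObjectType)
{
    UNICODE_STRING MyObjectTypeName;
    POBJECT_TYPE_WIN7 tmpObjectType = (POBJECT_TYPE_WIN7)*(ULONG *)pObjectType;

    RtlInitUnicodeString(&MyObjectTypeName, L"MyDebugObject");
    if (MyDebugObjectType == NULL) {
        CreateMyDebugObjectType(tmpObjectType, MyObjectTypeName);
    }
    if (MyDebugObjectType != NULL) {
        /* Only report success once the type really exists. */
        DbgPrint("CreateMyDebugObjectType is succeed!!\n");
        DbgPrint("pObObjectType is %x !\n", (ULONG *)pObjectType);
    } else {
        DbgPrint("CreateMyDebugObjectType is failed!\n");
    }
}

/*
 * Does the type object in slot pObjectType carry the name Name?
 * Returns false for an empty slot.
 */
bool PickUpObjectType(ULONG pObjectType, PWCH Name)
{
    UNICODE_STRING CmpName;
    POBJECT_TYPE_WIN7 tmpObjectType = (POBJECT_TYPE_WIN7)*(ULONG *)pObjectType;

    if (tmpObjectType == NULL) {
        return false;
    }
    /* Build the comparand from Name's own length.  The original reused the type name's
     * Length, which read past the end of the literal for longer type names and matched
     * any type whose name is a prefix of Name. */
    RtlInitUnicodeString(&CmpName, Name);
    return RtlEqualUnicodeString(&tmpObjectType->Name, &CmpName, FALSE) ? true : false;
}

/*
 * Locate the kernel global that EnumObjectType_Win7 walks, by signature-scanning the
 * first page of ObCreateObjectType for "a1 imm32" (mov eax,[imm32]) directly followed
 * by "bb" (mov ebx,imm32) and returning the imm32.  Returns NULL if not found.
 *
 * NOTE(review): despite the name, EnumObjectType_Win7 treats the returned address as the
 * base of an array of type-object pointers (slot i = base + 4*i) and reads slot 0 as the
 * "Type" type object.  That only holds for the build this was measured on; verify with
 * the debugger before trusting it on another kernel.
 */
POBJECT_TYPE GetObpTypeObjectType_Win7()
{
    PUCHAR addr, p;
    UNICODE_STRING usObCreateObjectType;

    RtlInitUnicodeString(&usObCreateObjectType, L"ObCreateObjectType");
    addr = (PUCHAR)MmGetSystemRoutineAddress(&usObCreateObjectType);
    ASSERT(addr != NULL);
    if (addr == NULL) {
        DbgPrint("Cannot resolve ObCreateObjectType!\n");
        return NULL;
    }
    DbgPrint("ObCreateObjectType=0x%08x\n", addr);

    for (p = addr; p < addr + PAGE_SIZE; p++) {
        if (p[0] == 0xa1 && p[5] == 0xbb) {
            POBJECT_TYPE found = (POBJECT_TYPE)(*(PULONG)(p + 1));
            DbgPrint("ObpTypeObjectType=0x%08x\n", found);
            return found;
        }
    }
    DbgPrint("Cannot find ObpTypeObjectType!\n");
    return NULL;
}

/*
 * Walk the kernel's type list, create MyDebugObject when the DebugObject slot is seen,
 * and record the slot that ends up holding MyDebugObject in DbgkMyDebugObjectType.
 * Does nothing (and leaves DbgkMyDebugObjectType at 0) on an unrecognised kernel.
 */
void EnumObjectType_Win7()
{
    ULONG OffsetObjectTypeName = 0;
    ULONG OffsetCreatorInfoObject = 0;
    ULONG OffsetObjectIndexObjectType = 0;
    POBJECT_TYPE ObpTypeObjectType = NULL;
    ULONG ObjectTypeTable[MAX_OBJECT_TYPE_SLOTS] = {0};
    int i;
    ULONG_PTR TypeObjectAddr;
    PLIST_ENTRY TypeObjectCreatorInfo;
    PLIST_ENTRY NextEntry;
    RTL_OSVERSIONINFOW VersionInformation;

    VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);
    RtlGetVersion(&VersionInformation);
    /* Offsets measured on Win7 x86.  Vista and Win8 also report major version 6 and were
     * not validated; on any other kernel the walk below would dereference garbage. */
    if (VersionInformation.dwMajorVersion == 6) {
        OffsetObjectTypeName = 0x08;        /* _OBJECT_TYPE.Name */
        OffsetCreatorInfoObject = 0x28;     /* creator-info list entry sits 0x28 before the object body */
        OffsetObjectIndexObjectType = 0x14; /* _OBJECT_TYPE.Index */
        ObpTypeObjectType = GetObpTypeObjectType_Win7();
    }
    if (ObpTypeObjectType == NULL) {
        DbgPrint("EnumObjectType_Win7: unsupported kernel, nothing enumerated\n");
        return;
    }

    for (i = 0; i < MAX_OBJECT_TYPE_SLOTS; i++) {
        ObjectTypeTable[i] = (ULONG)ObpTypeObjectType + sizeof(ULONG) * i;
    }

    TypeObjectAddr = *(PULONG_PTR)ObpTypeObjectType;
    TypeObjectCreatorInfo = (PLIST_ENTRY)(TypeObjectAddr - OffsetCreatorInfoObject);
    NextEntry = TypeObjectCreatorInfo;
    /* Slot counter starts at 3 as in the original; the bound keeps a longer or corrupt
     * list from running off ObjectTypeTable. */
    i = 3;
    while (NextEntry->Flink != TypeObjectCreatorInfo && i < MAX_OBJECT_TYPE_SLOTS) {
        if (PickUpObjectType(ObjectTypeTable[i], L"DebugObject")) {
            InitMyDebugOjbetType(ObjectTypeTable[i]);
        }
        /* The clone is appended to the list, so a later iteration finds it. */
        if (PickUpObjectType(ObjectTypeTable[i], L"MyDebugObject")) {
            DbgkMyDebugObjectType = ObjectTypeTable[i];
            DbgPrint("DbgkMyDebugObjectType is %x !\n", DbgkMyDebugObjectType);
        }
        DbgPrint("TypeAddr=0x%08x,TypeName=%wZ,TypeIndex=%d\n",
                 (ULONG_PTR)NextEntry + OffsetCreatorInfoObject,
                 (PUNICODE_STRING)((ULONG_PTR)NextEntry + OffsetCreatorInfoObject + OffsetObjectTypeName),
                 *(PUCHAR)((ULONG_PTR)NextEntry + OffsetCreatorInfoObject + OffsetObjectIndexObjectType));
        NextEntry = NextEntry->Flink;
        i++;
    }
}

/*
 * Drop our reference on the private type.  The ObMakeTemporaryObject the original left
 * commented out suggests the type object stays registered after this; assume the slot and
 * list entry survive driver unload, and that any debug object still of this type at that
 * point is a dangling-type hazard.
 */
void DeleteMyDebugObjectType()
{
    if (MyDebugObjectType != NULL) {
        ObfDereferenceObject(MyDebugObjectType);
        MyDebugObjectType = NULL;
    }
}

/*
 * Addresses of the 4-byte operand that names nt!DbgkDebugObjectType inside each of the
 * five Nt* debug syscalls (SSDT index + byte offset).  Measured on one Win7 x86 build.
 */
static void GetDebugObjectTypeSites(ULONG sites[DBGK_SITE_COUNT])
{
    sites[0] = (ULONG)GetSSDTFunctionAddr(96) + 0x9a;   /* NtDebugActiveProcess */
    sites[1] = (ULONG)GetSSDTFunctionAddr(61) + 0x60;   /* NtCreateDebugObject */
    sites[2] = (ULONG)GetSSDTFunctionAddr(387) + 0xb5;  /* NtWaitForDebugEvent */
    sites[3] = (ULONG)GetSSDTFunctionAddr(97) + 0x82;   /* NtDebugContinue */
    sites[4] = (ULONG)GetSSDTFunctionAddr(289) + 0x6d;  /* NtRemoveProcessDebug */
}

/*
 * Store value into every site inside one write-protect-off / raised-IRQL window.
 * Both are per-CPU: other processors keep executing these syscalls while the operands
 * change, so this relies on each 32-bit store being observed whole.
 */
static void WriteDebugObjectTypeSites(const ULONG sites[DBGK_SITE_COUNT], ULONG value)
{
    int k;
    KIRQL uKirql;

    WPOFF();
    uKirql = KeRaiseIrqlToSynchLevel();
    for (k = 0; k < DBGK_SITE_COUNT; k++) {
        *(PULONG)sites[k] = value;
    }
    KeLowerIrql(uKirql);
    WPON();
}

/*
 * Redirect the five syscalls from nt!DbgkDebugObjectType to the MyDebugObject slot.
 * Refuses to write when the five operands disagree (the hard-coded offsets do not match
 * this kernel) or when the patch is already applied.
 */
void PatchDebugObjectType()
{
    ULONG sites[DBGK_SITE_COUNT];
    ULONG original;
    int k;

    if (DbgkDebugObjectType != 0) {
        DbgPrint("PatchDebugObjectType: already patched\n");
        return;
    }
    GetDebugObjectTypeSites(sites);
    original = *(PULONG)sites[0];

    DbgPrint("DbgkDebugObjectType is %x!\n", *(PULONG)original);
    for (k = 0; k < DBGK_SITE_COUNT; k++) {
        DbgPrint("site %d operand is %x!\n", k, *(PULONG)sites[k]);
    }
    DbgPrint("DbgkMyDebugObjectType is %x!\n", DbgkMyDebugObjectType);

    if (DbgkMyDebugObjectType == 0) {
        DbgPrint("PatchDebugObjectType is failed!\n");
        return;
    }
    /* All five operands must currently name the same global.  If any differs, writing
     * would corrupt unrelated instruction bytes. */
    for (k = 1; k < DBGK_SITE_COUNT; k++) {
        if (*(PULONG)sites[k] != original) {
            DbgPrint("PatchDebugObjectType: site %d holds %x, site 0 holds %x; refusing to patch\n",
                     k, *(PULONG)sites[k], original);
            return;
        }
    }

    DbgkDebugObjectType = original;     /* saved for UnPatchDebugObjectType */
    WriteDebugObjectTypeSites(sites, DbgkMyDebugObjectType);
    DbgPrint("PatchDebugObjectType is succeed!\n");
}

/* Write the saved original operand back into the five sites. */
void UnPatchDebugObjectType()
{
    ULONG sites[DBGK_SITE_COUNT];

    if (DbgkDebugObjectType == 0) {
        DbgPrint("UnPatchDebugObjectType is failed!\n");
        return;
    }
    GetDebugObjectTypeSites(sites);
    WriteDebugObjectTypeSites(sites, DbgkDebugObjectType);
    DbgkDebugObjectType = 0;
    DbgPrint("UnPatchDebugObjectType is succeed!\n");
}

/* Entry point: enumerate types (creating the clone), then redirect the syscalls. */
void AntiValidAccessMask()
{
    EnumObjectType_Win7();
    PatchDebugObjectType();
}

/* Undo AntiValidAccessMask: restore the syscalls first, then release the clone. */
void UnAntiValidAccessMask()
{
    UnPatchDebugObjectType();
    DeleteMyDebugObjectType();
}
#endif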
3 pass 了。然后是 DebugPort 清零，我们采用暴力法：在 ntoskrnl 里按字节搜索所有形如「寄存器+0ECh」（本机 Win7 x86 上 EPROCESS.DebugPort 的偏移，见下面 17 处反汇编）的指令编码，把位移字节 0xEC 直接改成 0x70，让内核改去读写另一个字段。注意这是整段字节扫描，没有判断命中点是否在 Dbgk/Ps 相关函数里，内核里其它用到同样编码的代码也会被一起改掉，改错就直接蓝屏；另外 0x70 处是什么字段文中没有说明，它必须是进程对象里没人使用的 4 字节，否则会破坏那个字段。
nt!DbgkpCloseObject+0x11f:
84eaadfc 750c jne nt!DbgkpCloseObject+0x12d (84eaae0a)
84eaadfe 83a0ec00000000 and dword ptr [eax+0ECh],0
84eaae05 804c240e01 or byte ptr [esp+0Eh],1
84eaae0a a0fc4cd684 mov al,byte ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)]
84eaae0f 8325e44cd68400 and dword ptr [nt!DbgkpProcessDebugPortMutex+0x4 (84d64ce4)],0
84eaae16 33c9 xor ecx,ecx
84eaae18 8844240f mov byte ptr [esp+0Fh],al
84eaae1c 41 inc ecx
1
nt!DbgkCopyProcessDebugPort+0xf:
84e6a7c5 83a0ec00000000 and dword ptr [eax+0ECh],0
17
nt!DbgkpSetProcessDebugObject+0x88:
84eab688 a3fc4cd684 mov dword ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)],eax
84eab68d 83beec00000000 cmp dword ptr [esi+0ECh],0
84eab694 0f85ad000000 jne nt!DbgkpSetProcessDebugObject+0x147 (84eab747)
84eab69a 8b4d10 mov ecx,dword ptr [ebp+10h]
84eab69d 89beec000000 mov dword ptr [esi+0ECh],edi
84eab6a3 e82c3edbff call nt!ObfReferenceObject (84c5f4d4)
84eab6a8 ff7510 push dword ptr [ebp+10h]
84eab6ab 8bc6 mov eax,esi
2
nt!DbgkpSetProcessDebugObject+0x9a:
84eab69a 8b4d10 mov ecx,dword ptr [ebp+10h]
84eab69d 89beec000000 mov dword ptr [esi+0ECh],edi
84eab6a3 e82c3edbff call nt!ObfReferenceObject (84c5f4d4)
84eab6a8 ff7510 push dword ptr [ebp+10h]
84eab6ab 8bc6 mov eax,esi
84eab6ad e83e18fcff call nt!PsGetNextProcessThread (84e6cef0)
84eab6b2 8bf0 mov esi,eax
84eab6b4 85f6 test esi,esi
3
nt!DbgkpMarkProcessPeb+0x83:
84eaabc2 33c0 xor eax,eax
84eaabc4 3987ec000000 cmp dword ptr [edi+0ECh],eax
84eaabca 0f95c0 setne al
84eaabcd 8b8fa8010000 mov ecx,dword ptr [edi+1A8h]
84eaabd3 884102 mov byte ptr [ecx+2],al
84eaabd6 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
84eaabdd eb16 jmp nt!DbgkpMarkProcessPeb+0xb6 (84eaabf5)
84eaabdf 33c0 xor eax,eax
4
nt!DbgkCreateThread+0x225:
84e1c3ed e9befeffff jmp nt!DbgkCreateThread+0xe8 (84e1c2b0)
84e1c3f2 399eec000000 cmp dword ptr [esi+0ECh],ebx
84e1c3f8 0f8442010000 je nt!DbgkCreateThread+0x378 (84e1c540)
84e1c3fe 899d24ffffff mov dword ptr [ebp-0DCh],ebx
84e1c404 f645c801 test byte ptr [ebp-38h],1
84e1c408 0f85e5000000 jne nt!DbgkCreateThread+0x32b (84e1c4f3)
84e1c40e 899d38ffffff mov dword ptr [ebp-0C8h],ebx
84e1c414 8b8e28010000 mov ecx,dword ptr [esi+128h]
5
nt!DbgkpQueueMessage+0xaa:
84eab1d8 8b4508 mov eax,dword ptr [ebp+8]
84eab1db 8b80ec000000 mov eax,dword ptr [eax+0ECh]
84eab1e1 89442414 mov dword ptr [esp+14h],eax
84eab1e5 8b4510 mov eax,dword ptr [ebp+10h]
84eab1e8 8b4018 mov eax,dword ptr [eax+18h]
84eab1eb 83f801 cmp eax,1
84eab1ee 7405 je nt!DbgkpQueueMessage+0xc7 (84eab1f5)
84eab1f0 83f802 cmp eax,2
6
nt!KiDispatchException+0x1d5:
84caf48b 8b4050 mov eax,dword ptr [eax+50h]
84caf48e 39b0ec000000 cmp dword ptr [eax+0ECh],esi
84caf494 7509 jne nt!KiDispatchException+0x1e9 (84caf49f)
84caf496 803da91cd68400 cmp byte ptr [nt!KdIgnoreUmExceptions (84d61ca9)],0
84caf49d 7412 je nt!KiDispatchException+0x1fb (84caf4b1)
84caf49f 813b03000080 cmp dword ptr [ebx],80000003h
84caf4a5 753f jne nt!KiDispatchException+0x230 (84caf4e6)
84caf4a7 397310 cmp dword ptr [ebx+10h],esi
7
nt!DbgkForwardException+0x47:
84decfe0 eb06 jmp nt!DbgkForwardException+0x4f (84decfe8)
84decfe2 8b98ec000000 mov ebx,dword ptr [eax+0ECh]
84decfe8 32c0 xor al,al
84decfea eb12 jmp nt!DbgkForwardException+0x65 (84decffe)
84decfec 50 push eax
84decfed e89e580300 call nt!PsCaptureExceptionPort (84e22890)
84decff2 8bd8 mov ebx,eax
84decff4 c744241407000000 mov dword ptr [esp+14h],7
8
nt!PspExitThread+0x2aa:
84e18709 e8ef4ce4ff call nt!ObfDereferenceObject (84c5d3fd)
84e1870e 83bfec00000000 cmp dword ptr [edi+0ECh],0
84e18715 7422 je nt!PspExitThread+0x2da (84e18739)
84e18717 f7433c00200000 test dword ptr [ebx+3Ch],2000h
84e1871e 7519 jne nt!PspExitThread+0x2da (84e18739)
84e18720 807de300 cmp byte ptr [ebp-1Dh],0
84e18724 740d je nt!PspExitThread+0x2d4 (84e18733)
84e18726 ffb774020000 push dword ptr [edi+274h]
9
nt!DbgkExitThread+0x25:
84eaca26 8b4950 mov ecx,dword ptr [ecx+50h]
84eaca29 83b9ec00000000 cmp dword ptr [ecx+0ECh],0
84eaca30 742f je nt!DbgkExitThread+0x60 (84eaca61)
84eaca32 a802 test al,2
84eaca34 742b je nt!DbgkExitThread+0x60 (84eaca61)
84eaca36 8b4508 mov eax,dword ptr [ebp+8]
84eaca39 89442420 mov dword ptr [esp+20h],eax
84eaca3d 8d0424 lea eax,[esp]
10
nt!DbgkClearProcessDebugObject+0x3e:
84e80515 8b4508 mov eax,dword ptr [ebp+8]
84e80518 05ec000000 add eax,0ECh
84e8051d 8b38 mov edi,dword ptr [eax]
84e8051f 33db xor ebx,ebx
84e80521 897c2410 mov dword ptr [esp+10h],edi
84e80525 3bfb cmp edi,ebx
84e80527 7412 je nt!DbgkClearProcessDebugObject+0x64 (84e8053b)
84e80529 3b7d0c cmp edi,dword ptr [ebp+0Ch]
11
nt!PspTerminateAllThreads+0x1db:
84e2dc27 740e je nt!PspTerminateAllThreads+0x1eb (84e2dc37)
84e2dc29 83bfec00000000 cmp dword ptr [edi+0ECh],0
84e2dc30 7410 je nt!PspTerminateAllThreads+0x1f6 (84e2dc42)
84e2dc32 3b7df0 cmp edi,dword ptr [ebp-10h]
84e2dc35 740b je nt!PspTerminateAllThreads+0x1f6 (84e2dc42)
84e2dc37 8bc7 mov eax,edi
84e2dc39 e8bacb0a00 call nt!PspDoHandleSweepSingle (84eda7f8)
84e2dc3e 8365fc00 and dword ptr [ebp-4],0
12
nt!DbgkExitProcess+0x26:
84eaca99 7543 jne nt!DbgkExitProcess+0x6b (84eacade)
84eaca9b 83b9ec00000000 cmp dword ptr [ecx+0ECh],0
84eacaa2 743a je nt!DbgkExitProcess+0x6b (84eacade)
84eacaa4 a802 test al,2
84eacaa6 7436 je nt!DbgkExitProcess+0x6b (84eacade)
84eacaa8 81c1a8000000 add ecx,0A8h
84eacaae 51 push ecx
84eacaaf e80b97d8ff call nt!KeQuerySystemTime (84c361bf)
13
nt!DbgkpCloseObject+0xd3:
84eaadb0 8b4508 mov eax,dword ptr [ebp+8]
84eaadb3 3998ec000000 cmp dword ptr [eax+0ECh],ebx
84eaadb9 0f85c4000000 jne nt!DbgkpCloseObject+0x1a6 (84eaae83)
84eaadbf 8064240efe and byte ptr [esp+0Eh],0FEh
84eaadc4 b101 mov cl,1
84eaadc6 ff155c81c084 call dword ptr [nt!_imp_KfRaiseIrql (84c0815c)]
84eaadcc 8844240f mov byte ptr [esp+0Fh],al
84eaadd0 8bc6 mov eax,esi
14
nt!DbgkpCloseObject+0x116:
84eaadf3 8b4508 mov eax,dword ptr [ebp+8]
84eaadf6 3998ec000000 cmp dword ptr [eax+0ECh],ebx
84eaadfc 750c jne nt!DbgkpCloseObject+0x12d (84eaae0a)
84eaadfe 83a0ec00000000 and dword ptr [eax+0ECh],0
84eaae05 804c240e01 or byte ptr [esp+0Eh],1
84eaae0a a0fc4cd684 mov al,byte ptr [nt!DbgkpProcessDebugPortMutex+0x1c (84d64cfc)]
84eaae0f 8325e44cd68400 and dword ptr [nt!DbgkpProcessDebugPortMutex+0x4 (84d64ce4)],0
84eaae16 33c9 xor ecx,ecx
15
nt!PspProcessDelete+0xb6:
84e62e56 c70600000000 mov dword ptr [esi],0
84e62e5c 8db7ec000000 lea esi,[edi+0ECh]
84e62e62 8b0e mov ecx,dword ptr [esi]
84e62e64 85c9 test ecx,ecx
84e62e66 7408 je nt!PspProcessDelete+0xd0 (84e62e70)
84e62e68 e890a5dfff call nt!ObfDereferenceObject (84c5d3fd)
84e62e6d 832600 and dword ptr [esi],0
84e62e70 8db7f0000000 lea esi,[edi+0F0h]
16
贴代码
Code:
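#ifndef DEBUGPORT
#define DEBUGPORT   /* the original defined DEUBGPORT here, so the include guard never took effect */

/*
 * "AntiDebugPort": brute-force answer to TP clearing EPROCESS.DebugPort.  Every kernel
 * instruction that addresses [reg+0ECh] (the DebugPort offset on this Win7 x86 build,
 * see the 17 listing sites above) is rewritten to address [reg+70h], so the field the
 * kernel consults is no longer the one TP zeroes.  32-bit Windows 7 only.
 *
 * Review notes:
 *  - The scan is a raw byte match over ~4 MB from the kernel base.  Nothing checks that a
 *    hit lies inside a Dbgk or Ps routine; any other code with the same ModRM+0xEC encoding
 *    is patched too, and a wrong hit corrupts kernel code.  Compare the printed hit list
 *    with the 17 expected sites before relying on it.
 *  - Nothing here establishes what lives at EPROCESS+0x70; it must be a dword the kernel
 *    does not otherwise use, or the patch clobbers that field.
 *  - WPOFF / KeRaiseIrqlToSynchLevel only affect the current processor.  Other CPUs keep
 *    executing the routines being patched; that is tolerable only because each write is a
 *    single byte.
 */

#define DEBUGPORT_MAX_SITES   20            /* capacity of pDebugOffset1 / pDebugOffset2 */
#define DEBUGPORT_PATTERN_LEN 6             /* two leading bytes, then the 0xEC displacement, then 00 00 00 */
#define DEBUGPORT_DISP_INDEX  2             /* index of the 0xEC byte inside a pattern */
#define DEBUGPORT_SCAN_BYTES  (900 * 4673)  /* the original scanned 900 contiguous chunks of 4673 bytes */
#define DEBUGPORT_OLD_DISP    0xec
#define DEBUGPORT_NEW_DISP    0x70

ULONG pDebugOffset1[DEBUGPORT_MAX_SITES] = {0};   /* addresses of the displacement bytes that were patched */
ULONG pDebugOffset2[DEBUGPORT_MAX_SITES] = {0};   /* retained for compatibility; no longer written */
int n1 = 0;                                        /* number of valid entries in pDebugOffset1 */
int n2 = 0;

/*
 * Is every byte of [VirtualAddress, VirtualAddress+Lenth) resident?
 * The original stepped by sizeof(PVOID), so it checked the wrong span.
 */
BOOLEAN __stdcall MmIsAddressValidEx(PVOID VirtualAddress, int Lenth)
{
    int i;
    PUCHAR cursor = (PUCHAR)VirtualAddress;

    for (i = 0; i < Lenth; i++) {
        if (MmIsAddressValid(cursor + i) == FALSE) {
            return FALSE;
        }
    }
    return TRUE;
}

/*
 * Scan ModuleSize bytes starting at nAddr for any of the nLine patterns of nLeng bytes.
 * For each hit, nAddr + AddBytes is appended to pArray and *FindCount is incremented.
 * pArray must have room for DEBUGPORT_MAX_SITES entries; extra hits are reported and
 * dropped (the original wrote past the end of the array).
 */
void SearchDebugPortFeature(ULONG nAddr, char pFeature[][DEBUGPORT_PATTERN_LEN], int nLine,
                            int ModuleSize, int nLeng, ULONG *pArray, int *FindCount, int AddBytes)
{
    int i, j;

    if (nLeng <= 0 || nLeng > DEBUGPORT_PATTERN_LEN) {
        DbgPrint("SearchDebugPortFeature: bad pattern length %d", nLeng);
        return;
    }
    for (i = 0; i < ModuleSize; i++, nAddr++) {
        if (!MmIsAddressValidEx((PVOID)nAddr, nLeng)) {
            continue;
        }
        for (j = 0; j < nLine; j++) {
            if (RtlCompareMemory(pFeature[j], (PVOID)nAddr, nLeng) != (ULONG)nLeng) {
                continue;
            }
            if (*FindCount >= DEBUGPORT_MAX_SITES) {
                DbgPrint("SearchDebugPortFeature: more than %d hits, dropping %x",
                         DEBUGPORT_MAX_SITES, nAddr + AddBytes);
                return;
            }
            pArray[*FindCount] = nAddr + AddBytes;
            DbgPrint("Find Address is %x", pArray[*FindCount]);
            (*FindCount)++;
        }
    }
}

/*
 * Find every [reg+0ECh] access matching the patterns below and rewrite its displacement
 * byte to 0x70.  The patched addresses are kept in pDebugOffset1 for UnAntiDebugPort.
 * A second call while the patch is live is a no-op.
 */
void AntiDebugPort()
{
    int i;
    ULONG kernelbase;
    KIRQL uKirql;
    /* Numbers refer to the listing sites above. */
    char code[][DEBUGPORT_PATTERN_LEN] = {
        {(char)0x83, (char)0xa0, (char)0xec, 0, 0, 0},  /* 1, 17  and dword ptr [eax+0ECh],0 */
        {(char)0x83, (char)0xbe, (char)0xec, 0, 0, 0},  /* 2      cmp dword ptr [esi+0ECh],0 */
        {(char)0x89, (char)0xbe, (char)0xec, 0, 0, 0},  /* 3      mov dword ptr [esi+0ECh],edi */
        {(char)0x39, (char)0x87, (char)0xec, 0, 0, 0},  /* 4      cmp dword ptr [edi+0ECh],eax */
        {(char)0x39, (char)0x9e, (char)0xec, 0, 0, 0},  /* 5      cmp dword ptr [esi+0ECh],ebx */
        {(char)0x8b, (char)0x80, (char)0xec, 0, 0, 0},  /* 6      mov eax,dword ptr [eax+0ECh] */
        {(char)0x39, (char)0xb0, (char)0xec, 0, 0, 0},  /* 7      cmp dword ptr [eax+0ECh],esi */
        {(char)0x8b, (char)0x98, (char)0xec, 0, 0, 0},  /* 8      mov ebx,dword ptr [eax+0ECh] */
        {(char)0x83, (char)0xbf, (char)0xec, 0, 0, 0},  /* 9, 12  cmp dword ptr [edi+0ECh],0 */
        {(char)0x83, (char)0xb9, (char)0xec, 0, 0, 0},  /* 10, 13 cmp dword ptr [ecx+0ECh],0 */
        {(char)0x08, (char)0x05, (char)0xec, 0, 0, 0},  /* 11     add eax,0ECh, keyed on the last byte of the preceding mov eax,[ebp+8] */
        {(char)0x39, (char)0x98, (char)0xec, 0, 0, 0},  /* 14, 15 cmp dword ptr [eax+0ECh],ebx */
        {(char)0x8d, (char)0xb7, (char)0xec, 0, 0, 0},  /* 16     lea esi,[edi+0ECh] */
    };
    const int nLine = (int)(sizeof(code) / sizeof(code[0]));

    if (n1 > 0) {
        DbgPrint("AntiDebugPort: already applied to %d sites", n1);
        return;
    }

    kernelbase = (ULONG)GetSysImageBase(L"ntoskrnl.exe");
    if (kernelbase == 0) {
        kernelbase = (ULONG)GetSysImageBase(L"ntkrnlpa.exe");
    }
    DbgPrint("kernelbase is %x", kernelbase);
    if (kernelbase == 0) {
        return;
    }

    /* One contiguous range; the original's 900 x 4673 chunking covered exactly these bytes. */
    SearchDebugPortFeature(kernelbase, code, nLine, DEBUGPORT_SCAN_BYTES, DEBUGPORT_PATTERN_LEN,
                           pDebugOffset1, &n1, DEBUGPORT_DISP_INDEX);
    DbgPrint("n is %d", n1);
    for (i = 0; i < n1; i++) {
        DbgPrint("pDebugOffsetAddr is %x", pDebugOffset1[i]);
        DbgPrint("pDebugOffset is %x", *((PULONG)pDebugOffset1[i]));
    }

    /* Single write-protect-off / raised-IRQL window for all sites. */
    WPOFF();
    uKirql = KeRaiseIrqlToSynchLevel();
    for (i = 0; i < n1; i++) {
        *(PUCHAR)pDebugOffset1[i] = DEBUGPORT_NEW_DISP;
    }
    KeLowerIrql(uKirql);
    WPON();
}

/*
 * Restore exactly the bytes AntiDebugPort changed.
 * The original re-scanned the kernel for "xx xx 70 00 00 00" and rewrote every hit to
 * 0xEC; [reg+70h] is a common encoding, so that also corrupted unrelated instructions.
 * A site that no longer holds 0x70 is reported and left alone.
 */
void UnAntiDebugPort()
{
    int i;
    KIRQL uKirql;

    if (n1 == 0) {
        DbgPrint("UnAntiDebugPort: nothing to restore");
        return;
    }
    for (i = 0; i < n1; i++) {
        PUCHAR site = (PUCHAR)pDebugOffset1[i];
        if (*site != DEBUGPORT_NEW_DISP) {
            DbgPrint("UnAntiDebugPort: %x holds %x, not %x; leaving it",
                     pDebugOffset1[i], *site, DEBUGPORT_NEW_DISP);
        }
    }

    WPOFF();
    uKirql = KeRaiseIrqlToSynchLevel();
    for (i = 0; i < n1; i++) {
        PUCHAR site = (PUCHAR)pDebugOffset1[i];
        if (*site == DEBUGPORT_NEW_DISP) {
            *site = DEBUGPORT_OLD_DISP;
        }
    }
    KeLowerIrql(uKirql);
    WPON();

    DbgPrint("n is %d", n1);
    n1 = 0;
}
#endif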
上图 至于非法就不是在 pass TP 的范围内了 有图有真相
*转载