zjh7272 发表于 2021-5-6 14:26:22

x64 antidebug 不触发PG 补充代码



先说antiantidebug
都知道 32位的驱动保护不用VT说白了就是 HOOK过来 HOOK过去比的是谁的 钩子深谁的 钩子更多~~~~
然而 64位呢 很多保护 例如TP/HP/HS 基本就是驱动几个callbacks 应用层 几个钩子 反调试模拟一场等等    我的 PASS方法呢 例如TP钩子 KIuserdispatcherException 这个 钩子的恢复方法 直接恢复 或者挂钩 游戏会秒掉 因为他自己处理了自己的异常,但是实际 他里面并没有用到检测硬件断点~~~HOOK 方式 过滤异常是他的就跳到他里面 提前计算他的钩子函数 ,不是就自己处理~~(HOOK注意堆栈和标志位)   
其他的就是干线程和忽略 模拟异常了忽略模拟异常的方式 HOOK OD WaitDebugEvent 过滤000400..07.....随便改一个 然后OK~~~~

最后ANTIDEBUG~~~
X64没PASS pg 也没用VT技术的   比较难防御~!~~
枚举所有进程(EPROCESS链) 枚举句柄表 所有句柄项 法相TPYEININDEX为11(win7)的直接 抹掉句柄 当然得正常一点儿的抹掉先设置属性可关闭等等最后KISTACKattachprocess NTclose(TA的 代码里面有) 出现的效果就是 没法调试了~~ 代码我实现了没网 所以就不发了 等有网了发把~~
还可以这样阻止搜索内存 打开进程~~~~

放出源码:

有个BUG如果 移出的目标有线程退出那么 我的 系统线程就挂了   目测是枚举函数的 问题
这个   我就 不解决了   退出不蓝屏
因为 有 了新的 解决办法这个 就扔掉了

#include "ntddk.h"
#include "commonfunc.h"
#define IMAGE_FILENAME_OFFSET 0x2e0
VOID startthread();
VOID stopthread();
KEVENT event;
HANDLE systemthreadhandle;
KTIMER cleartimer= { 0 };      
KDPC cleardpc = { 0 };
BOOLEAN REMOVING = FALSE;
typedef struct _HANDLE_TABLE_ENTRY{
union{
    VOID* Object;
    ULONG32 ObAttributes;
    PVOID64 InfoTable;
    ULONG64 Value;
   };

union{
    ULONG32 GrantedAccess;
    struct{
      UINT16GrantedAccessIndex;
      UINT16 CreatorBackTraceIndex;
      UINT8_PADDING;
    };
    ULONG32NextFreeTableEntry;
};

}HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _save_handlentry{
struct _save_handlentry*head;
PVOID id;
char processname;
ULONG64 value;
ULONG32 GrantedAccess;
struct HANDLE_TABLE_ENTRY*address;
struct _save_handlentry*next;
}_save_handlentry, *p_save_handlentry;

ULONG64 SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize);

p_save_handlentry createlist(char*processname){
ULONG i;

p_save_handlentry phead = (p_save_handlentry) ExAllocatePool(NonPagedPool,sizeof(_save_handlentry));
p_save_handlentry ptail = phead;
ptail->next = NULL;
p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
memcpy(&pnew->processname, processname, 16);
pnew->address = 0;
pnew->id = 0;
pnew->value = 0;
pnew->GrantedAccess = 0;
pnew->head = NULL;
ptail->next = pnew;
pnew->next = NULL;
ptail->head = NULL;
return phead;

}
// 插入链表
p_save_handlentry insertlist(char*processname, ULONG GrantedAccess, ULONG64 value, PVOID id, PHANDLE_TABLE_ENTRY adress, p_save_handlentry phead){
p_save_handlentry p = phead->next;

while (p != NULL)
{
    if (p->next == NULL){
      break;
    }
    p = p->next;
}

p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
memcpy(&pnew->processname, processname, 16);

pnew->GrantedAccess = GrantedAccess;
pnew->id = id;
pnew->value = value;
pnew->address = adress;
p->next = pnew;
pnew->next = NULL;
pnew->head = p;
return pnew;
}
p_save_handlentry querylist(p_save_handlentry phead, ULONG64 id){
p_save_handlentry p = phead->next;
while (p != NULL)
{

    if (p->id == id){

      return p;
    }

    p = p->next;
}


return NULL;
}

//删除节点
void deletelist(p_save_handlentry pclid){
p_save_handlentry p, pp;
if (pclid->head != NULL){//头部
    p = pclid->head;
    pp = pclid->next;

    if (pp == NULL){//最后节点
      p->next = NULL;
      ExFreePool(pclid);
      return;
    }
    p->next = pp;//不是最后节点
    pp->head = p;
    ExFreePool(pclid);
    return;
}
}


typedef NTSTATUS(__fastcall * pfnEnumObjectTable)(PVOID64 HANDLETABLE, PVOID CALLback, ULONG64 unKonw);
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(HANDLE Id, PETHREAD *Thread);
NTKERNELAPI PEPROCESS IoThreadToProcess(PETHREAD Thread);
pfnEnumObjectTable EnumObjectTablex = 0;;
PVOID64 PspCidTable=0;
NTSTATUS getenumhandletablefunc()
{
UCHARopcode = { 0x89, 0x6c, 0x24, 0x30, 0xe8 };
UCHARopcode1 = { 0xdc, 0x48, 0x8b, 0xd1, 0x48 };
UNICODE_STRING64 ObFindHandleForObjectsign;
ULONG64 temp64 = 0;
NTSTATUS state = STATUS_SUCCESS;

RtlInitUnicodeString(&ObFindHandleForObjectsign, L"ObFindHandleForObject");//ObFindHandleForObject PAGE 0000000140319DB0 000000B4 00000048 00000028 R . . . . . .
temp64 = (ULONG64)MmGetSystemRoutineAddress(&ObFindHandleForObjectsign);

if (!MmIsAddressValid(temp64))
    return state;
EnumObjectTablex = (pfnEnumObjectTable)SreachFunctionAddress(temp64, opcode,1,5);
PspCidTable = (PVOID64)SreachFunctionAddress(&PsLookupProcessByProcessId, opcode1, 3, 7);
PspCidTable = *(PVOID64*)PspCidTable;

if (!MmIsAddressValid(EnumObjectTablex) || !MmIsAddressValid(PspCidTable)){

    DbgPrint("cant get EnumObjectTablex orPspCidTable\n");
}
   
DbgPrint("Super game protect start~\n");

}
p_save_handlentry mainphead = NULL;
PVOID64 psidprocessobject = 0;
PVOID64 pscidkthreadbject = 0;
ULONG64 passmaska = TRUE;
#define de_o -10
#define de_s de_o*1000
LARGE_INTEGER myxx;

VOID clearDEBUGTOOL(){
myxx.QuadPart = de_s;
myxx.QuadPart *= 2000;
while (passmaska==TRUE)
{

    KeDelayExecutionThread(KernelMode, 0, &myxx);
    if (REMOVING)
      continue;
    enumtable(2);
   
    if (psidprocessobject!=0 ){
      DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
      *(ULONG64*)psidprocessobject = 0;
      DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
      psidprocessobject = 0;
      
    }
    DbgPrint("clearing...");
    if (pscidkthreadbject != 0){
      DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
      *(ULONG64*)pscidkthreadbject = 0;
      DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
      pscidkthreadbject = 0;
   

    }
    continue;
}
DbgPrint("ending...");
KeSetEvent(&event, 0, TRUE);
}
BOOLEAN removdebugtoolhandle(PHANDLE_TABLE_ENTRY object, PHANDLE handle, ULONG64 Unkonw){
ULONG64 Pobject;
ULONG64 object_header;
ULONG32 object_type;

p_save_handlentry paddress;

Pobject = (object->Value)&~7;
object_header = Pobject - 0x30;//getobjectheader

object_type = (ULONG32)*(UINT8*)(object_header + 0x18);//pspcidtable object_header

if (!MmIsAddressValid(Pobject))
    {
    return FALSE;//is true

}



if ( object_type == 7 ){

    if (strstr(PsGetProcessImageFileName(Pobject), "天网系统") != NULL || strstr(PsGetProcessImageFileName(Pobject), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(Pobject), "ollyice") != NULL){
      paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);
   
      DbgPrint("process is look~");

      psidprocessobject = &object->Value;

    }
    return FALSE;
}

if ( object_type == 8 ){

    ULONG64 tempprocess;

    tempprocess = IoThreadToProcess(Pobject);
      if (strstr(PsGetProcessImageFileName(tempprocess), "天网系统") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "ollyice") != NULL ){
      DbgPrint("thread is look~");
      paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);
      pscidkthreadbject = &object->Value;
    }
    return FALSE;
}
return FALSE;
}



BOOLEAN removepspcidtabl(HANDLE p){

if (PspCidTable == 0 || EnumObjectTablex == 0){
    getenumhandletablefunc();
}

if (mainphead==NULL){
    mainphead = createlist("system");
}
EnumObjectTablex(PspCidTable, removdebugtoolhandle, p);
}


PCREATE_PROCESS_NOTIFY_ROUTINE callback(HANDLE prid, HANDLE pid, BOOLEAN create){
ULONG64 EPROCESS;
PHANDLE_TABLE_ENTRY phdt;
p_save_handlentry tempsave;
EPROCESS = IoGetCurrentProcess();
if (!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)){
    REMOVING = TRUE;
   
    tempsave = querylist(mainphead, pid);
    if (tempsave != 0){
      phdt = tempsave->address;
      //phdt->GrantedAccess = tempsave->GrantedAccess;
      phdt->Value = tempsave->value;
      DbgPrint("pid %d pt:%p phdt:%p", tempsave->id, tempsave->address, phdt->Object);
      //deletelist(tempsave);
      stopthread();
      startthread();
    }
    //ObDereferenceObject(leprocess);
   
    REMOVING = FALSE;
}


}
PCREATE_THREAD_NOTIFY_ROUTINE callback2(HANDLE processid, HANDLE threadid, BOOLEAN create){
ULONG64 EPROCESS;
PHANDLE_TABLE_ENTRY phdt;
p_save_handlentry tempsave;
EPROCESS = IoGetCurrentProcess();

if(!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)){
   
    REMOVING = TRUE;
    tempsave = querylist(mainphead, threadid);
    if (tempsave != 0){
      phdt = tempsave->address;
   
      //phdt->GrantedAccess = tempsave->GrantedAccess;
      phdt->Value = tempsave->value;
      DbgPrint("tid %d pt:%p phdt:%p", tempsave->id, tempsave->address, phdt->Object);
    //deletelist(tempsave);
      stopthread();
      startthread();
    }

    REMOVING = FALSE;
}
   
}


VOID startthread(){
KeInitializeEvent(
    &event,
    SynchronizationEvent,//SynchronizationEvent为同步事件
    FALSE//当是TRUE 时初始化事件是有信号状态.,当是FALSE时初始化事件是没信号状态,如果此处为TRUE,则为有信号状态,KeWaitForSingleObject会直接通过,此时需要调用KeResetEvent来设置为无信号
    );
PsCreateSystemThread(&systemthreadhandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, clearDEBUGTOOL, NULL);
}

VOID stopthread(){
ZwClose(systemthreadhandle);
}


/////////////////////////////////////
VOID clearprocessinformationRoutine(
_In_      struct _KDPC *Dpc,
_In_opt_PVOID DeferredContext,
_In_opt_PVOID SystemArgument1,
_In_opt_PVOID SystemArgument2
)
{
UNREFERENCED_PARAMETER(Dpc);
UNREFERENCED_PARAMETER(DeferredContext);
UNREFERENCED_PARAMETER(SystemArgument1);
UNREFERENCED_PARAMETER(SystemArgument2);

LARGE_INTEGER lTime = { 0 };
ULONG ulMicroSecond = 0;
KIRQL irql;
//将定时器的时间设置为500ms
ulMicroSecond = 5000000;
//将32位整数转化成64位整数
lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond);

    enumtable(2);

KeSetTimer(&cleartimer, lTime, &cleardpc);
}

BOOLEAN bTimerStart = FALSE;
VOID startdpc(){
// DPC定时器是否开启标志
LARGE_INTEGER lTime = { 0 };
ULONG ulMicroSecond = 0;

// 初始化定时器
KeInitializeTimer(&cleartimer);

// 初始化DPC
KeInitializeDpc(&cleardpc, clearprocessinformationRoutine, NULL);
// 开始定时器
//将定时器的时间设置为500ms
ulMicroSecond = 5000000;
//将32位整数转化成64位整数
lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond);
bTimerStart = KeSetTimer(&cleartimer, lTime, &cleardpc);
if (bTimerStart)
{
    DbgPrint("定时器开启成功\n");
}

}
VOID stopdpc(){
if (bTimerStart)
    KeCancelTimer(&cleartimer);

}


voidprotectprocessforpspcidtable(){

if (mainphead==NULL)
{
    mainphead = createlist("system");
}


PsSetCreateProcessNotifyRoutine(callback, FALSE);

PsSetCreateThreadNotifyRoutine(callback2);

//startdpc();

    startthread();

}

voidunprotectprocessforpspcidtable(){
passmaska = FALSE;

KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);
PsSetCreateProcessNotifyRoutine(callback, TRUE);

PsRemoveCreateThreadNotifyRoutine(callback2);
//stopdpc();
stopthread();
}

void enumtable(PHANDLE handle){

if (PspCidTable == 0 || EnumObjectTablex == 0){
    getenumhandletablefunc();
}

if (mainphead == NULL){
    mainphead = createlist("system");
}
EnumObjectTablex(PspCidTable, removdebugtoolhandle, handle);
}
页: [1]
查看完整版本: x64 antidebug 不触发PG 补充代码