x64 antidebug 不触发PG 补充代码
先说antiantidebug
都知道 32位的驱动保护不用VT说白了就是 HOOK过来 HOOK过去比的是谁的 钩子深谁的 钩子更多~~~~
然而 64位呢 很多保护 例如TP/HP/HS 基本就是驱动几个callbacks 应用层 几个钩子 反调试模拟一场等等 我的 PASS方法呢 例如TP钩子 KIuserdispatcherException 这个 钩子的恢复方法 直接恢复 或者挂钩 游戏会秒掉 因为他自己处理了自己的异常,但是实际 他里面并没有用到检测硬件断点~~~HOOK 方式 过滤异常是他的就跳到他里面 提前计算他的钩子函数 ,不是就自己处理~~(HOOK注意堆栈和标志位)
其他的就是干线程和忽略 模拟异常了忽略模拟异常的方式 HOOK OD WaitDebugEvent 过滤000400..07.....随便改一个 然后OK~~~~
最后ANTIDEBUG~~~
X64没PASS pg 也没用VT技术的 比较难防御~!~~
枚举所有进程(EPROCESS链) 枚举句柄表 所有句柄项 法相TPYEININDEX为11(win7)的直接 抹掉句柄 当然得正常一点儿的抹掉先设置属性可关闭等等最后KISTACKattachprocess NTclose(TA的 代码里面有) 出现的效果就是 没法调试了~~ 代码我实现了没网 所以就不发了 等有网了发把~~
还可以这样阻止搜索内存 打开进程~~~~
放出源码:
有个BUG如果 移出的目标有线程退出那么 我的 系统线程就挂了 目测是枚举函数的 问题
这个 我就 不解决了 退出不蓝屏
因为 有 了新的 解决办法这个 就扔掉了
#include "ntddk.h"
#include "commonfunc.h"
#define IMAGE_FILENAME_OFFSET 0x2e0
VOID startthread();
VOID stopthread();
KEVENT event;
HANDLE systemthreadhandle;
KTIMER cleartimer= { 0 };
KDPC cleardpc = { 0 };
BOOLEAN REMOVING = FALSE;
typedef struct _HANDLE_TABLE_ENTRY{
union{
VOID* Object;
ULONG32 ObAttributes;
PVOID64 InfoTable;
ULONG64 Value;
};
union{
ULONG32 GrantedAccess;
struct{
UINT16GrantedAccessIndex;
UINT16 CreatorBackTraceIndex;
UINT8_PADDING;
};
ULONG32NextFreeTableEntry;
};
}HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
typedef struct _save_handlentry{
struct _save_handlentry*head;
PVOID id;
char processname;
ULONG64 value;
ULONG32 GrantedAccess;
struct HANDLE_TABLE_ENTRY*address;
struct _save_handlentry*next;
}_save_handlentry, *p_save_handlentry;
ULONG64 SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize);
p_save_handlentry createlist(char*processname){
ULONG i;
p_save_handlentry phead = (p_save_handlentry) ExAllocatePool(NonPagedPool,sizeof(_save_handlentry));
p_save_handlentry ptail = phead;
ptail->next = NULL;
p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
memcpy(&pnew->processname, processname, 16);
pnew->address = 0;
pnew->id = 0;
pnew->value = 0;
pnew->GrantedAccess = 0;
pnew->head = NULL;
ptail->next = pnew;
pnew->next = NULL;
ptail->head = NULL;
return phead;
}
// 插入链表
p_save_handlentry insertlist(char*processname, ULONG GrantedAccess, ULONG64 value, PVOID id, PHANDLE_TABLE_ENTRY adress, p_save_handlentry phead){
p_save_handlentry p = phead->next;
while (p != NULL)
{
if (p->next == NULL){
break;
}
p = p->next;
}
p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
memcpy(&pnew->processname, processname, 16);
pnew->GrantedAccess = GrantedAccess;
pnew->id = id;
pnew->value = value;
pnew->address = adress;
p->next = pnew;
pnew->next = NULL;
pnew->head = p;
return pnew;
}
p_save_handlentry querylist(p_save_handlentry phead, ULONG64 id){
p_save_handlentry p = phead->next;
while (p != NULL)
{
if (p->id == id){
return p;
}
p = p->next;
}
return NULL;
}
//删除节点
void deletelist(p_save_handlentry pclid){
p_save_handlentry p, pp;
if (pclid->head != NULL){//头部
p = pclid->head;
pp = pclid->next;
if (pp == NULL){//最后节点
p->next = NULL;
ExFreePool(pclid);
return;
}
p->next = pp;//不是最后节点
pp->head = p;
ExFreePool(pclid);
return;
}
}
typedef NTSTATUS(__fastcall * pfnEnumObjectTable)(PVOID64 HANDLETABLE, PVOID CALLback, ULONG64 unKonw);
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(HANDLE Id, PETHREAD *Thread);
NTKERNELAPI PEPROCESS IoThreadToProcess(PETHREAD Thread);
pfnEnumObjectTable EnumObjectTablex = 0;;
PVOID64 PspCidTable=0;
NTSTATUS getenumhandletablefunc()
{
UCHARopcode = { 0x89, 0x6c, 0x24, 0x30, 0xe8 };
UCHARopcode1 = { 0xdc, 0x48, 0x8b, 0xd1, 0x48 };
UNICODE_STRING64 ObFindHandleForObjectsign;
ULONG64 temp64 = 0;
NTSTATUS state = STATUS_SUCCESS;
RtlInitUnicodeString(&ObFindHandleForObjectsign, L"ObFindHandleForObject");//ObFindHandleForObject PAGE 0000000140319DB0 000000B4 00000048 00000028 R . . . . . .
temp64 = (ULONG64)MmGetSystemRoutineAddress(&ObFindHandleForObjectsign);
if (!MmIsAddressValid(temp64))
return state;
EnumObjectTablex = (pfnEnumObjectTable)SreachFunctionAddress(temp64, opcode,1,5);
PspCidTable = (PVOID64)SreachFunctionAddress(&PsLookupProcessByProcessId, opcode1, 3, 7);
PspCidTable = *(PVOID64*)PspCidTable;
if (!MmIsAddressValid(EnumObjectTablex) || !MmIsAddressValid(PspCidTable)){
DbgPrint("cant get EnumObjectTablex orPspCidTable\n");
}
DbgPrint("Super game protect start~\n");
}
p_save_handlentry mainphead = NULL;
PVOID64 psidprocessobject = 0;
PVOID64 pscidkthreadbject = 0;
ULONG64 passmaska = TRUE;
#define de_o -10
#define de_s de_o*1000
LARGE_INTEGER myxx;
VOID clearDEBUGTOOL(){
myxx.QuadPart = de_s;
myxx.QuadPart *= 2000;
while (passmaska==TRUE)
{
KeDelayExecutionThread(KernelMode, 0, &myxx);
if (REMOVING)
continue;
enumtable(2);
if (psidprocessobject!=0 ){
DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
*(ULONG64*)psidprocessobject = 0;
DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
psidprocessobject = 0;
}
DbgPrint("clearing...");
if (pscidkthreadbject != 0){
DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
*(ULONG64*)pscidkthreadbject = 0;
DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
pscidkthreadbject = 0;
}
continue;
}
DbgPrint("ending...");
KeSetEvent(&event, 0, TRUE);
}
BOOLEAN removdebugtoolhandle(PHANDLE_TABLE_ENTRY object, PHANDLE handle, ULONG64 Unkonw){
ULONG64 Pobject;
ULONG64 object_header;
ULONG32 object_type;
p_save_handlentry paddress;
Pobject = (object->Value)&~7;
object_header = Pobject - 0x30;//getobjectheader
object_type = (ULONG32)*(UINT8*)(object_header + 0x18);//pspcidtable object_header
if (!MmIsAddressValid(Pobject))
{
return FALSE;//is true
}
if ( object_type == 7 ){
if (strstr(PsGetProcessImageFileName(Pobject), "天网系统") != NULL || strstr(PsGetProcessImageFileName(Pobject), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(Pobject), "ollyice") != NULL){
paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);
DbgPrint("process is look~");
psidprocessobject = &object->Value;
}
return FALSE;
}
if ( object_type == 8 ){
ULONG64 tempprocess;
tempprocess = IoThreadToProcess(Pobject);
if (strstr(PsGetProcessImageFileName(tempprocess), "天网系统") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "ollyice") != NULL ){
DbgPrint("thread is look~");
paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);
pscidkthreadbject = &object->Value;
}
return FALSE;
}
return FALSE;
}
BOOLEAN removepspcidtabl(HANDLE p){
if (PspCidTable == 0 || EnumObjectTablex == 0){
getenumhandletablefunc();
}
if (mainphead==NULL){
mainphead = createlist("system");
}
EnumObjectTablex(PspCidTable, removdebugtoolhandle, p);
}
PCREATE_PROCESS_NOTIFY_ROUTINE callback(HANDLE prid, HANDLE pid, BOOLEAN create){
ULONG64 EPROCESS;
PHANDLE_TABLE_ENTRY phdt;
p_save_handlentry tempsave;
EPROCESS = IoGetCurrentProcess();
if (!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)){
REMOVING = TRUE;
tempsave = querylist(mainphead, pid);
if (tempsave != 0){
phdt = tempsave->address;
//phdt->GrantedAccess = tempsave->GrantedAccess;
phdt->Value = tempsave->value;
DbgPrint("pid %d pt:%p phdt:%p", tempsave->id, tempsave->address, phdt->Object);
//deletelist(tempsave);
stopthread();
startthread();
}
//ObDereferenceObject(leprocess);
REMOVING = FALSE;
}
}
PCREATE_THREAD_NOTIFY_ROUTINE callback2(HANDLE processid, HANDLE threadid, BOOLEAN create){
ULONG64 EPROCESS;
PHANDLE_TABLE_ENTRY phdt;
p_save_handlentry tempsave;
EPROCESS = IoGetCurrentProcess();
if(!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)){
REMOVING = TRUE;
tempsave = querylist(mainphead, threadid);
if (tempsave != 0){
phdt = tempsave->address;
//phdt->GrantedAccess = tempsave->GrantedAccess;
phdt->Value = tempsave->value;
DbgPrint("tid %d pt:%p phdt:%p", tempsave->id, tempsave->address, phdt->Object);
//deletelist(tempsave);
stopthread();
startthread();
}
REMOVING = FALSE;
}
}
VOID startthread(){
KeInitializeEvent(
&event,
SynchronizationEvent,//SynchronizationEvent为同步事件
FALSE//当是TRUE 时初始化事件是有信号状态.,当是FALSE时初始化事件是没信号状态,如果此处为TRUE,则为有信号状态,KeWaitForSingleObject会直接通过,此时需要调用KeResetEvent来设置为无信号
);
PsCreateSystemThread(&systemthreadhandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, clearDEBUGTOOL, NULL);
}
VOID stopthread(){
ZwClose(systemthreadhandle);
}
/////////////////////////////////////
VOID clearprocessinformationRoutine(
_In_ struct _KDPC *Dpc,
_In_opt_PVOID DeferredContext,
_In_opt_PVOID SystemArgument1,
_In_opt_PVOID SystemArgument2
)
{
UNREFERENCED_PARAMETER(Dpc);
UNREFERENCED_PARAMETER(DeferredContext);
UNREFERENCED_PARAMETER(SystemArgument1);
UNREFERENCED_PARAMETER(SystemArgument2);
LARGE_INTEGER lTime = { 0 };
ULONG ulMicroSecond = 0;
KIRQL irql;
//将定时器的时间设置为500ms
ulMicroSecond = 5000000;
//将32位整数转化成64位整数
lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond);
enumtable(2);
KeSetTimer(&cleartimer, lTime, &cleardpc);
}
BOOLEAN bTimerStart = FALSE;
VOID startdpc(){
// DPC定时器是否开启标志
LARGE_INTEGER lTime = { 0 };
ULONG ulMicroSecond = 0;
// 初始化定时器
KeInitializeTimer(&cleartimer);
// 初始化DPC
KeInitializeDpc(&cleardpc, clearprocessinformationRoutine, NULL);
// 开始定时器
//将定时器的时间设置为500ms
ulMicroSecond = 5000000;
//将32位整数转化成64位整数
lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond);
bTimerStart = KeSetTimer(&cleartimer, lTime, &cleardpc);
if (bTimerStart)
{
DbgPrint("定时器开启成功\n");
}
}
VOID stopdpc(){
if (bTimerStart)
KeCancelTimer(&cleartimer);
}
voidprotectprocessforpspcidtable(){
if (mainphead==NULL)
{
mainphead = createlist("system");
}
PsSetCreateProcessNotifyRoutine(callback, FALSE);
PsSetCreateThreadNotifyRoutine(callback2);
//startdpc();
startthread();
}
voidunprotectprocessforpspcidtable(){
passmaska = FALSE;
KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);
PsSetCreateProcessNotifyRoutine(callback, TRUE);
PsRemoveCreateThreadNotifyRoutine(callback2);
//stopdpc();
stopthread();
}
void enumtable(PHANDLE handle){
if (PspCidTable == 0 || EnumObjectTablex == 0){
getenumhandletablefunc();
}
if (mainphead == NULL){
mainphead = createlist("system");
}
EnumObjectTablex(PspCidTable, removdebugtoolhandle, handle);
}
页:
[1]