蓝灵火焰 发表于 2022-8-13 07:26:28

OD/CE 过掉TMD壳附加检查


恢复OD进程附加原理


1、恢复DbgBreakPoint和DbgUiRemoteBreakin被HOOK代码

//由于我是使用ntdll SDK,可直接使用NTDLL中的API,如果你们不能使用,直接用GetProcAddress获取API

注意该处的修复,自己可以写个HOOK,放到LoadLibrary,每次加载DLL时候,就处理一次,防止某些DLL还有TMD壳,又会被恢复

ntdll->DbgBreakPoint 被TMD壳修改为retn -> 0xC3

// Restore the int3 stub at ntdll!DbgBreakPoint: the page is made writable with
// VirtualProtect and the first byte is set to 0xCC (int3). The text above says
// the packer had replaced it with 0xC3 (retn). Note that the previous protection
// saved in lpflOldProtect is never restored, and the VirtualProtect result is
// not checked. This is an in-process write to an exported ntdll code byte, so
// any integrity check that re-reads those bytes will observe the change.
DWORD lpflOldProtect;
LPVOID ulAddress = DbgBreakPoint;
VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpflOldProtect);

*(BYTE*)(ulAddress) = 0xCC;

ntdll->DbgUiRemoteBreakin 被TMD壳修改为 JMP LdrShutdownProcess

// Same treatment for ntdll!DbgUiRemoteBreakin, which the text above says was
// redirected to LdrShutdownProcess. Five bytes are written: 0x6A, then the DWORD
// 0xFC686808 (little-endian bytes 08 68 68 FC) — presumably the original
// prologue bytes of one specific ntdll build (push 8; push imm32 with the
// immediate only partly covered); not portable across builds.
// As pasted this is a fragment, not compilable code: the assignment has no ';',
// &lpProtect refers to a name declared nowhere in the post (the first fragment
// used lpflOldProtect), VirtualProtect makes only 1 byte writable while the
// write below spans 5, and neither the protection nor the old value is restored.
ulAddress = DbgUiRemoteBreakin

VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpProtect);
*(BYTE*)(ulAddress) =0x6A;
*(DWORD*)((BYTE*)ulAddress+1)= 0xFC686808;


2、修复允许CE的附加

第一步虽然修复了允许附加,但TMD壳本身还自带线程检查ANTI,所以我们要终止掉这些线程


/*
 * Resolves which mapped file a thread was started from.
 *
 * szModuleName: receives the mapped file name; GetMappedFileNameA is told the
 *               buffer holds MAX_PATH chars, so the caller must supply that much.
 * szThreadId:   ID of the thread to inspect (opened with THREAD_ALL_ACCESS).
 * StartAddress: out, the Win32 start address returned by
 *               ZwQueryInformationThread(ThreadQuerySetWin32StartAddress).
 * hThread:      out, the opened thread handle. It is closed here only on the
 *               failed-query path; otherwise ownership passes to the caller.
 *
 * Returns FALSE when OpenThread fails, or when the query returns a negative
 * NTSTATUS (last error is set from RtlNtStatusToDosError). Otherwise it returns
 * the result of the `>= 0` test below. GetMappedFileNameA returns a DWORD
 * (0 on failure), so that test is always true and a failed name lookup is
 * reported as TRUE with szModuleName left unset.
 */
BOOL WINAPI _AhnHS_GetThreadModuleName(char* szModuleName,DWORD szThreadId,LPVOID & StartAddress,HANDLE & hThread) {
        hThread= OpenThread(THREAD_ALL_ACCESS, FALSE, szThreadId);
        if (!hThread) return FALSE;
        // Negative NTSTATUS means failure; the handle is released before returning.
        LONG status
        = ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &StartAddress, sizeof(StartAddress), NULL);
        if(status <0) {
                CloseHandle(hThread);
                SetLastError(RtlNtStatusToDosError(status));
                return FALSE;
        }
        // Unsigned return value: `>= 0` never fails (see header comment).
        return (GetMappedFileNameA(GetCurrentProcess(), StartAddress, szModuleName, MAX_PATH)>=0) ? TRUE : FALSE;
}
/*
 * Walks a TH32CS_SNAPTHREAD snapshot and, for every thread owned by the current
 * process, resolves the module backing its start address. Threads whose module
 * name equals AntiHookGetModuleInfo()->AppName and that are not the main thread
 * (AntiHookGetMainThreadId()) are run through a start-address range test and,
 * unless that test triggers a `continue`, ended with TerminateThread. The thread
 * handle returned by _AhnHS_GetThreadModuleName is closed at the end of each
 * iteration.
 *
 * Review notes on the code as pasted (left byte-identical here):
 *  - dwRet from Thread32First is never examined and `context` is unused; the
 *    do/while body runs on te32 regardless (it is zero-filled, so the owner-PID
 *    test rejects it on a failed first call).
 *  - `char szModuleFileName;` is a single char passed where a MAX_PATH buffer is
 *    expected; `LPVOIDStartAddress;` and `HMODULElib` are missing a space and
 *    do not declare the names used afterwards; `pSection.VirtualAddress` is
 *    applied to a pointer. The snippet does not compile as shown.
 *  - The range test compares StartAddress against the same bound with both `>`
 *    and `<`, so it can never be true: that `continue` (which would also skip
 *    CloseHandle) is dead and every matching non-main thread is terminated.
 *  - TerminateThread does not release locks or free stacks the victim thread
 *    holds; ending in-process threads this way can leave shared state
 *    inconsistent.
 */
void WINAPI _AhnHS_PassThreadByTMD() {
        HANDLE hThreadSnap , hThread;
        THREADENTRY32 te32 = {0};
        CONTEXT context= {0};
        hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
        if ( hThreadSnap == INVALID_HANDLE_VALUE )
        return;
        memset(&te32, 0, sizeof(THREADENTRY32));
        te32.dwSize= sizeof(THREADENTRY32);
        BOOL dwRet = Thread32First(hThreadSnap, &te32);
        DWORD dwCurrentProcessId = GetCurrentProcessId();
        do {
                // Only threads of this process are considered.
                if (te32.th32OwnerProcessID != dwCurrentProcessId) continue;
                char szModuleFileName;
                LPVOIDStartAddress;
                if(!_AhnHS_GetThreadModuleName(szModuleFileName,te32.th32ThreadID,StartAddress,hThread)) continue;
                // Strip the directory part: compare on the file name only.
                char* pszName
                = (strrchr(szModuleFileName,'\\')) ? strrchr(szModuleFileName,'\\')+1 : szModuleFileName;
                //AntiHookGetMainThreadId() = main thread ID; adjust as needed
                if(lstrcmpiA(pszName,AntiHookGetModuleInfo()->AppName)==0 && AntiHookGetMainThreadId()!=te32.th32ThreadID) {
                        //thread not started from the code block: treated as another checker thread, terminate
                        HMODULElib = GetModuleHandleA(pszName);
                        // Locate the first section header right after the NT headers.
                        PIMAGE_NT_HEADERS
                        nth =PIMAGE_NT_HEADERS(PBYTE(lib) + PIMAGE_DOS_HEADER(lib)->e_lfanew);
                        IMAGE_SECTION_HEADER
                        *pSection =
                        (IMAGE_SECTION_HEADER*)((DWORD)nth + sizeof(IMAGE_NT_HEADERS));
                        // Both comparisons use the same bound, so this condition is never true.
                        if((DWORD)StartAddress>(pSection.VirtualAddress+(DWORD)lib) && (DWORD)StartAddress<pSection.VirtualAddress+(DWORD)lib) continue;
                        TerminateThread(hThread,0);
                }
                CloseHandle(hThread);
        }
        while(Thread32Next(hThreadSnap, &te32));
        CloseHandle(hThreadSnap);
}

OK,万事大吉,世界清静了