OD/CE 过掉TMD壳附加检查

蓝灵火焰

恢复OD进程附加原理


1、恢复DbgBreakPoint和DbgUiRemoteBreakin被HOOK代码

//由于我是使用ntdll SDK,可直接使用NTDLL中的API,如果你们不能使用,直接用GetProcAddress获取API

注意该处的修复,自己可以写个HOOK，放到LoadLibrary，每次加载DLL时候，就处理一次,防止某些DLL还有TMD壳，又会被恢复

ntdll->DbgBreakPoint 被TMD壳修改为retn -> 0xC3

DWORD lpflOldProtect;
LPVOID ulAddress = DbgBreakPoint;
VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpflOldProtect);

*(BYTE*)(ulAddress) = 0xCC;

ntdll->DbgUiRemoteBreakin 被TMD修改为 JMP LdrShutdownProcess

ulAddress = DbgUiRemoteBreakin

VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpProtect);
*(BYTE*)(ulAddress) =0x6A;
*(DWORD*)((BYTE*)ulAddress+1)= 0xFC686808;


2、修复允许CE的附加

第一步虽然修复了允许附加,但TMD壳本身还自带线程检查ANTI，所以我们要终止掉这些线程

1. 
   
2. BOOL WINAPI _AhnHS_GetThreadModuleName(char* szModuleName,DWORD szThreadId,LPVOID & StartAddress,HANDLE & hThread) {
   
3.         hThread  = OpenThread(THREAD_ALL_ACCESS, FALSE, szThreadId);
   
4.         if (!hThread) return FALSE;
   
5.         LONG status
   
6.         = ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &StartAddress, sizeof(StartAddress), NULL);
   
7.         if(status <0) {
   
8.                 CloseHandle(hThread);
   
9.                 SetLastError(RtlNtStatusToDosError(status));
   
10.                 return FALSE;
    
11.         }
    
12.         return (GetMappedFileNameA(GetCurrentProcess(), StartAddress, szModuleName, MAX_PATH)>=0) ? TRUE : FALSE;
    
13. }
    
14. void WINAPI _AhnHS_PassThreadByTMD() {
    
15.         HANDLE hThreadSnap , hThread;
    
16.         THREADENTRY32 te32 = {0};
    
17.         CONTEXT context= {0};
    
18.         hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    
19.         if ( hThreadSnap == INVALID_HANDLE_VALUE )
    
20.         return;
    
21.         memset(&te32, 0, sizeof(THREADENTRY32));
    
22.         te32.dwSize  = sizeof(THREADENTRY32);
    
23.         BOOL dwRet = Thread32First(hThreadSnap, &te32);
    
24.         DWORD dwCurrentProcessId = GetCurrentProcessId();
    
25.         do {
    
26.                 if (te32.th32OwnerProcessID != dwCurrentProcessId) continue;
    
27.                 char szModuleFileName[MAX_PATH];
    
28.                 LPVOID  StartAddress;
    
29.                 if(!_AhnHS_GetThreadModuleName(szModuleFileName,te32.th32ThreadID,StartAddress,hThread)) continue;
    
30.                 char* pszName
    
31.                 = (strrchr(szModuleFileName,'\\')) ? strrchr(szModuleFileName,'\\')+1 : szModuleFileName;
    
32.                 //AntiHookGetMainThreadId()=主线程ID，可自行修改
    
33.                 if(lstrcmpiA(pszName,AntiHookGetModuleInfo()->AppName)==0 && AntiHookGetMainThreadId()!=te32.th32ThreadID) {
    
34.                         //远程线程非代码块,为其它检查线程，终止
    
35.                         HMODULE  lib = GetModuleHandleA(pszName);
    
36.                         PIMAGE_NT_HEADERS
    
37.                         nth =  PIMAGE_NT_HEADERS(PBYTE(lib) + PIMAGE_DOS_HEADER(lib)->e_lfanew);
    
38.                         IMAGE_SECTION_HEADER
    
39.                         *pSection =
    
40.                         (IMAGE_SECTION_HEADER*)((DWORD)nth + sizeof(IMAGE_NT_HEADERS));
    
41.                         if((DWORD)StartAddress>(pSection[0].VirtualAddress+(DWORD)lib) && (DWORD)StartAddress<pSection[1].VirtualAddress+(DWORD)lib) continue;
    
42.                         TerminateThread(hThread,0);
    
43.                 }
    
44.                 CloseHandle(hThread);
    
45.         }
    
46.         while(Thread32Next(hThreadSnap, &te32));
    
47.         CloseHandle(hThreadSnap);
    
48. }

复制代码

OK，万事大吉，世界清静了