龙马谷

 找回密码
 立即注册

QQ登录

只需一步,快速开始

龙马谷VIP会员办理客服QQ:82926983(如果临时会话没有收到回复,请先加QQ好友再发。)
1 [已完结] GG修改器新手入门与实战教程 31课 2 [已完结] GG修改器美化修改教程 6课 3 [已完结] GG修改器Lua脚本新手入门教程 12课
4 [已完结] 触动精灵脚本新手入门必学教程 22课 5 [已完结] 手游自动化脚本入门实战教程 9课 6 [已完结] C++射击游戏方框骨骼透视与自瞄教程 27课
7 [已完结] C++零基础UE4逆向开发FPS透视自瞄教程 29课 8 [已完结] C++零基础大漠模拟器手游自动化辅助教程 22课 9 [已完结] C++零基础开发DXF内存脚本辅助教程 32课
以下是天马阁VIP教程,本站与天马阁合作,赞助VIP可以获得天马阁对应VIP会员,名额有限! 点击进入天马阁论坛
1 [已完结] x64CE与x64dbg入门基础教程 7课 2 [已完结] x64汇编语言基础教程 16课 3 [已完结] x64辅助入门基础教程 9课
4 [已完结] C++x64内存辅助实战技术教程 149课 5 [已完结] C++x64内存检测与过检测技术教程 10课 6 [已完结] C+x64二叉树分析遍历与LUA自动登陆教程 19课
7 [已完结] C++BT功能原理与x64实战教程 29课 8 [已完结] C+FPS框透视与自瞄x64实现原理及防护思路
查看: 8753|回复: 0

x64 antidebug 不触发PG 补充代码

[复制链接]

31

主题

1

回帖

39

积分

编程入门

Rank: 1

龙马币
72


先说antiantidebug
都知道 32位的驱动保护  不用VT说白了就是 HOOK过来 HOOK过去  比的是谁的 钩子深  谁的 钩子更多~~~~
然而 64位呢 很多保护 例如TP/HP/HS 基本就是驱动几个callbacks 应用层 几个钩子 反调试  模拟一场等等    我的 PASS方法呢 例如TP钩子 KIuserdispatcherException 这个 钩子的恢复方法 直接恢复 或者挂钩 游戏会秒掉 因为他自己处理了自己的异常,但是实际 他里面并没有用到检测硬件断点~~~HOOK 方式 过滤异常是他的就跳到他里面 提前计算他的钩子函数 ,不是就自己处理~~(HOOK注意堆栈和标志位)   
其他的就是干线程和忽略 模拟异常了  忽略模拟异常的方式 HOOK OD WaitDebugEvent 过滤000400..07.....随便改一个 然后OK~~~~

最后ANTIDEBUG  ~~~
X64没PASS pg 也没用VT技术的   比较难防御~!~~
枚举所有进程(EPROCESS链) 枚举句柄表 所有句柄项 法相TPYEININDEX为11(win7)的直接 抹掉句柄 当然得正常一点儿的抹掉先设置属性可关闭等等最后  KISTACKattachprocess NTclose(TA的 代码里面有) 出现的效果就是 没法调试了~~ 代码我实现了  没网 所以就不发了 等有网了发把~~
还可以这样阻止搜索内存 打开进程~~~~

放出源码:

有个BUG  如果 移出的目标有线程退出  那么 我的 系统线程就挂了   目测是枚举函数的 问题
这个   我就 不解决了   退出不蓝屏
因为 有 了新的 解决办法  这个 就扔掉了

  1. #include "ntddk.h"
  2. #include "commonfunc.h"
  3. #define IMAGE_FILENAME_OFFSET 0x2e0
  4. VOID startthread();
  5. VOID stopthread();
  6. KEVENT event;
  7. HANDLE systemthreadhandle;
  8. KTIMER cleartimer= { 0 };      
  9. KDPC cleardpc = { 0 };
  10. BOOLEAN REMOVING = FALSE;
  11. typedef struct _HANDLE_TABLE_ENTRY{
  12.   union{
  13.     VOID* Object;
  14.     ULONG32 ObAttributes;
  15.     PVOID64 InfoTable;
  16.     ULONG64 Value;
  17.    };

  18.   union{
  19.     ULONG32 GrantedAccess;
  20.     struct{
  21.       UINT16  GrantedAccessIndex;
  22.       UINT16 CreatorBackTraceIndex;
  23.       UINT8  _PADDING[0x4];
  24.     };
  25.     ULONG32  NextFreeTableEntry;
  26.   };

  27. }HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

  28. typedef struct _save_handlentry{
  29.   struct _save_handlentry*head;
  30.   PVOID id;
  31.   char processname[17];
  32.   ULONG64 value;
  33.   ULONG32 GrantedAccess;
  34.   struct HANDLE_TABLE_ENTRY*address;
  35.   struct _save_handlentry*next;
  36. }_save_handlentry, *p_save_handlentry;

  37. ULONG64 SreachFunctionAddress(ULONG64 uAddress, UCHAR *Signature, ULONG addopcodelength, ULONG addopcodedatasize);

  38. p_save_handlentry createlist(char*processname){
  39.   ULONG i;
  40.   
  41.   p_save_handlentry phead = (p_save_handlentry) ExAllocatePool(NonPagedPool,sizeof(_save_handlentry));
  42.   p_save_handlentry ptail = phead;
  43.   ptail->next = NULL;
  44.   p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
  45.   memcpy(&pnew->processname, processname, 16);
  46.   pnew->address = 0;
  47.   pnew->id = 0;
  48.   pnew->value = 0;
  49.   pnew->GrantedAccess = 0;
  50.   pnew->head = NULL;
  51.   ptail->next = pnew;
  52.   pnew->next = NULL;
  53.   ptail->head = NULL;
  54.   return phead;

  55. }
  56. // 插入链表
  57. p_save_handlentry insertlist(char*processname, ULONG GrantedAccess, ULONG64 value, PVOID id, PHANDLE_TABLE_ENTRY adress, p_save_handlentry phead){
  58.   p_save_handlentry p = phead->next;

  59.   while (p != NULL)
  60.   {
  61.     if (p->next == NULL){
  62.       break;
  63.     }
  64.     p = p->next;
  65.   }

  66.   p_save_handlentry pnew = (p_save_handlentry)ExAllocatePool(NonPagedPool, sizeof(_save_handlentry));
  67.   memcpy(&pnew->processname, processname, 16);

  68.   pnew->GrantedAccess = GrantedAccess;
  69.   pnew->id = id;
  70.   pnew->value = value;
  71.   pnew->address = adress;
  72.   p->next = pnew;
  73.   pnew->next = NULL;
  74.   pnew->head = p;
  75.   return pnew;
  76. }
  77. p_save_handlentry querylist(p_save_handlentry phead, ULONG64 id){
  78.   p_save_handlentry p = phead->next;
  79.   while (p != NULL)
  80.   {

  81.     if (p->id == id){

  82.       return p;
  83.     }

  84.     p = p->next;
  85.   }


  86.   return NULL;
  87. }

  88. //删除节点
  89. void deletelist(p_save_handlentry pclid){
  90.   p_save_handlentry p, pp;
  91.   if (pclid->head != NULL){//头部
  92.     p = pclid->head;
  93.     pp = pclid->next;

  94.     if (pp == NULL){//最后节点
  95.       p->next = NULL;
  96.       ExFreePool(pclid);
  97.       return;
  98.     }
  99.     p->next = pp;//不是最后节点
  100.     pp->head = p;
  101.     ExFreePool(pclid);
  102.     return;
  103.   }
  104. }


  105. typedef NTSTATUS(__fastcall * pfnEnumObjectTable)(PVOID64 HANDLETABLE, PVOID CALLback, ULONG64 unKonw);
  106. NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
  107. NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
  108. NTKERNELAPI NTSTATUS PsLookupThreadByThreadId(HANDLE Id, PETHREAD *Thread);
  109. NTKERNELAPI PEPROCESS IoThreadToProcess(PETHREAD Thread);
  110. pfnEnumObjectTable EnumObjectTablex = 0;;
  111. PVOID64 PspCidTable=0;
  112. NTSTATUS getenumhandletablefunc()
  113. {
  114.   UCHAR  opcode[5] = { 0x89, 0x6c, 0x24, 0x30, 0xe8 };
  115.   UCHAR  opcode1[5] = { 0xdc, 0x48, 0x8b, 0xd1, 0x48 };
  116.   UNICODE_STRING64 ObFindHandleForObjectsign;
  117.   ULONG64 temp64 = 0;
  118.   NTSTATUS state = STATUS_SUCCESS;

  119.   RtlInitUnicodeString(&ObFindHandleForObjectsign, L"ObFindHandleForObject");//ObFindHandleForObject PAGE 0000000140319DB0 000000B4 00000048 00000028 R . . . . . .
  120.   temp64 = (ULONG64)MmGetSystemRoutineAddress(&ObFindHandleForObjectsign);

  121.   if (!MmIsAddressValid(temp64))
  122.     return state;
  123.   EnumObjectTablex = (pfnEnumObjectTable)SreachFunctionAddress(temp64, opcode,1,5);
  124.   PspCidTable = (PVOID64)SreachFunctionAddress(&PsLookupProcessByProcessId, opcode1, 3, 7);
  125.   PspCidTable = *(PVOID64*)PspCidTable;

  126.   if (!MmIsAddressValid(EnumObjectTablex) || !MmIsAddressValid(PspCidTable)){

  127.     DbgPrint("cant get EnumObjectTablex or  PspCidTable  \n");
  128.   }
  129.    
  130.   DbgPrint("Super game protect start~\n");
  131.   
  132. }
  133. p_save_handlentry mainphead = NULL;
  134. PVOID64 psidprocessobject = 0;
  135. PVOID64 pscidkthreadbject = 0;
  136. ULONG64 passmaska = TRUE;
  137. #define de_o -10
  138. #define de_s de_o*1000
  139. LARGE_INTEGER myxx;

  140. VOID clearDEBUGTOOL(){
  141.   myxx.QuadPart = de_s;
  142.   myxx.QuadPart *= 2000;
  143.   while (passmaska==TRUE)
  144.   {
  145.   
  146.     KeDelayExecutionThread(KernelMode, 0, &myxx);
  147.     if (REMOVING)
  148.       continue;
  149.     enumtable(2);
  150.    
  151.     if (psidprocessobject!=0 ){
  152.       DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
  153.       *(ULONG64*)psidprocessobject = 0;
  154.       DbgPrint("clear psidprocessobject %p", *(ULONG64*)psidprocessobject);
  155.       psidprocessobject = 0;
  156.       
  157.     }  
  158.     DbgPrint("clearing...");
  159.     if (pscidkthreadbject != 0){
  160.       DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
  161.       *(ULONG64*)pscidkthreadbject = 0;
  162.       DbgPrint("clear pscidkthreadbject %p", *(ULONG64*)pscidkthreadbject);
  163.       pscidkthreadbject = 0;
  164.    

  165.     }
  166.     continue;
  167.   }
  168.   DbgPrint("ending...");
  169.   KeSetEvent(&event, 0, TRUE);
  170. }
  171. BOOLEAN removdebugtoolhandle(PHANDLE_TABLE_ENTRY object, PHANDLE handle, ULONG64 Unkonw){
  172.   ULONG64 Pobject;
  173.   ULONG64 object_header;
  174.   ULONG32 object_type;

  175.   p_save_handlentry paddress;
  176.   
  177.   Pobject = (object->Value)&~7;
  178.   object_header = Pobject - 0x30;//getobjectheader
  179.   
  180.   object_type = (ULONG32)*(UINT8*)(object_header + 0x18);//pspcidtable object_header
  181.   
  182.   if (!MmIsAddressValid(Pobject))
  183.     {
  184.     return FALSE;//is true
  185.   
  186.   }
  187.   

  188.   
  189.   if ( object_type == 7 ){
  190.   
  191.     if (strstr(PsGetProcessImageFileName(Pobject), "天网系统") != NULL || strstr(PsGetProcessImageFileName(Pobject), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(Pobject), "ollyice") != NULL){
  192.       paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);
  193.    
  194.       DbgPrint("process is look~");

  195.       psidprocessobject = &object->Value;

  196.     }
  197.     return FALSE;
  198.   }
  199.   
  200.   if ( object_type == 8 ){
  201.   
  202.     ULONG64 tempprocess;

  203.     tempprocess = IoThreadToProcess(Pobject);
  204.       if (strstr(PsGetProcessImageFileName(tempprocess), "天网系统") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(tempprocess), "ollyice") != NULL ){
  205.         DbgPrint("thread is look~");
  206.         paddress = insertlist(Pobject + IMAGE_FILENAME_OFFSET, object->GrantedAccess, object->Value, handle, &object->Value, mainphead);
  207.         pscidkthreadbject = &object->Value;
  208.     }
  209.     return FALSE;
  210.   }
  211.   return FALSE;
  212. }



  213. BOOLEAN removepspcidtabl(HANDLE p){
  214.   
  215.   if (PspCidTable == 0 || EnumObjectTablex == 0){
  216.     getenumhandletablefunc();
  217.   }

  218.   if (mainphead==NULL){
  219.     mainphead = createlist("system");
  220.   }
  221.   EnumObjectTablex(PspCidTable, removdebugtoolhandle, p);
  222. }


  223. PCREATE_PROCESS_NOTIFY_ROUTINE callback(HANDLE prid, HANDLE pid, BOOLEAN create){
  224.   ULONG64 EPROCESS;
  225.   PHANDLE_TABLE_ENTRY phdt;
  226.   p_save_handlentry tempsave;
  227.   EPROCESS = IoGetCurrentProcess();
  228.   if (!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)){
  229.     REMOVING = TRUE;
  230.    
  231.     tempsave = querylist(mainphead, pid);
  232.     if (tempsave != 0){
  233.       phdt = tempsave->address;
  234.       //phdt->GrantedAccess = tempsave->GrantedAccess;
  235.       phdt->Value = tempsave->value;
  236.       DbgPrint("pid %d pt:%p phdt:%p", tempsave->id, tempsave->address, phdt->Object);
  237.       //deletelist(tempsave);
  238.       stopthread();
  239.       startthread();
  240.     }
  241.     //  ObDereferenceObject(leprocess);
  242.    
  243.     REMOVING = FALSE;
  244.   }
  245.   

  246. }
  247. PCREATE_THREAD_NOTIFY_ROUTINE callback2(HANDLE processid, HANDLE threadid, BOOLEAN create){
  248.   ULONG64 EPROCESS;
  249.   PHANDLE_TABLE_ENTRY phdt;
  250.   p_save_handlentry tempsave;
  251.   EPROCESS = IoGetCurrentProcess();

  252.   if(!create && (strstr(PsGetProcessImageFileName(EPROCESS), "天网系统") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "cheatengine") != NULL || strstr(PsGetProcessImageFileName(EPROCESS), "ollyice") != NULL)){
  253.    
  254.     REMOVING = TRUE;
  255.     tempsave = querylist(mainphead, threadid);
  256.     if (tempsave != 0){
  257.       phdt = tempsave->address;
  258.    
  259.       //phdt->GrantedAccess = tempsave->GrantedAccess;
  260.       phdt->Value = tempsave->value;
  261.       DbgPrint("tid %d pt:%p phdt:%p", tempsave->id, tempsave->address, phdt->Object);
  262.     //  deletelist(tempsave);
  263.       stopthread();
  264.       startthread();
  265.     }

  266.     REMOVING = FALSE;
  267.   }
  268.    
  269. }


  270. VOID startthread(){
  271.   KeInitializeEvent(
  272.     &event,
  273.     SynchronizationEvent,//SynchronizationEvent为同步事件  
  274.     FALSE//  当是TRUE 时初始化事件是有信号状态.,当是FALSE时初始化事件是没信号状态,如果此处为TRUE,则为有信号状态,KeWaitForSingleObject会直接通过,此时需要调用KeResetEvent来设置为无信号  
  275.     );
  276.   PsCreateSystemThread(&systemthreadhandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, clearDEBUGTOOL, NULL);
  277. }

  278. VOID stopthread(){
  279.   ZwClose(systemthreadhandle);
  280. }


  281. /////////////////////////////////////
  282. VOID clearprocessinformationRoutine(
  283.   _In_      struct _KDPC *Dpc,
  284.   _In_opt_  PVOID DeferredContext,
  285.   _In_opt_  PVOID SystemArgument1,
  286.   _In_opt_  PVOID SystemArgument2
  287.   )
  288. {
  289.   UNREFERENCED_PARAMETER(Dpc);
  290.   UNREFERENCED_PARAMETER(DeferredContext);
  291.   UNREFERENCED_PARAMETER(SystemArgument1);
  292.   UNREFERENCED_PARAMETER(SystemArgument2);

  293.   LARGE_INTEGER lTime = { 0 };
  294.   ULONG ulMicroSecond = 0;
  295.   KIRQL irql;
  296.   //将定时器的时间设置为500ms
  297.   ulMicroSecond = 5000000;
  298.   //将32位整数转化成64位整数
  299.   lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond);

  300.     enumtable(2);
  301.   
  302.   KeSetTimer(&cleartimer, lTime, &cleardpc);
  303. }

  304. BOOLEAN bTimerStart = FALSE;
  305. VOID startdpc(){
  306.   // DPC定时器是否开启标志
  307.   LARGE_INTEGER lTime = { 0 };
  308.   ULONG ulMicroSecond = 0;

  309.   // 初始化定时器
  310.   KeInitializeTimer(&cleartimer);

  311.   // 初始化DPC
  312.   KeInitializeDpc(&cleardpc, clearprocessinformationRoutine, NULL);
  313.   // 开始定时器
  314.   //将定时器的时间设置为500ms
  315.   ulMicroSecond = 5000000;
  316.   //将32位整数转化成64位整数
  317.   lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond);
  318.   bTimerStart = KeSetTimer(&cleartimer, lTime, &cleardpc);
  319.   if (bTimerStart)
  320.   {
  321.     DbgPrint("定时器开启成功\n");
  322.   }

  323. }
  324. VOID stopdpc(){
  325.   if (bTimerStart)
  326.     KeCancelTimer(&cleartimer);

  327. }


  328. void  protectprocessforpspcidtable(){

  329.   if (mainphead==NULL)
  330.   {
  331.     mainphead = createlist("system");
  332.   }


  333.   PsSetCreateProcessNotifyRoutine(callback, FALSE);

  334.   PsSetCreateThreadNotifyRoutine(callback2);

  335.   //  startdpc();

  336.     startthread();

  337. }

  338. void  unprotectprocessforpspcidtable(){
  339.   passmaska = FALSE;

  340.   KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, 0);
  341.   PsSetCreateProcessNotifyRoutine(callback, TRUE);
  342.   
  343.   PsRemoveCreateThreadNotifyRoutine(callback2);
  344.   //stopdpc();
  345.   stopthread();
  346. }

  347. void enumtable(PHANDLE handle){

  348.   if (PspCidTable == 0 || EnumObjectTablex == 0){
  349.     getenumhandletablefunc();
  350.   }

  351.   if (mainphead == NULL){
  352.     mainphead = createlist("system");
  353.   }
  354.   EnumObjectTablex(PspCidTable, removdebugtoolhandle, handle);
  355. }
复制代码

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

龙马谷| C/C++辅助教程| 安卓逆向安全| 论坛导航| 免责申明|Archiver|
拒绝任何人以任何形式在本论坛发表与中华人民共和国法律相抵触的言论,本站内容均为会员发表,并不代表龙马谷立场!
任何人不得以任何方式翻录、盗版或出售本站视频,一经发现我们将追究其相关责任!
我们一直在努力成为最好的编程论坛!
Copyright© 2018-2021 All Right Reserved.
在线客服
快速回复 返回顶部 返回列表