- 注册时间
- 2021-4-16
- 最后登录
- 2023-7-27
- 在线时间
- 4 小时
编程入门
- 龙马币
- 144
|
一种无差别的抗-反双击调试的方法,原创不原创不敢说,也许还有很多人也想到过这种方法
无差别,意思是不针对某.sys,完全只需要修改自己的内核即可实现的。。
思路如下,
Hook KdpStub 到一个我们的函数,暂名 beforeKdpTrap
beforeKdpTrap要做的事情如下
- __declspec(naked) beforeKdpTrap() {
- __asm {
- pushad
- mov eax, KdDebuggerEnabled
- mov byte ptr [eax],0x1
- popad
- jmp KdpTrap
- }
- }
这样做的好处是可以避免通过检测 KiDebugRoutine 来发现调试。
理论上,就算 KdpStub 被校验了,也可以在它的内部找另外一个跳板。
下面是一份win7 32bit 下,针对 Txxsafe.sys 所做的处理。
代码:- #include <ntddk.h>
- //#include "..\1.h"
- DRIVER_INITIALIZE DriverEntry;
- DRIVER_UNLOAD nUnload;
- KIRQL Irql;
- PVOID uTesSafeIBase;
- PVOID KdpStub;
- PVOID KdpTrap;
- PVOID KiDebugRoutine;
- PVOID KdpSuspendAllBreakpoints;
- PVOID KdDisableDebuggerWithLock;
- PVOID GetSysRoutineAddress (IN PCWSTR funcName) {
- UNICODE_STRING us_fn;
- RtlInitUnicodeString(&us_fn,funcName);
- return MmGetSystemRoutineAddress(&us_fn);
- }
- VOID WPOFF() {
- __asm {
- cli
- mov eax,cr0
- and eax,not 10000h
- mov cr0,eax
- }
- }
- VOID WPON() {
- __asm {
- mov eax,cr0
- or eax,10000h
- mov cr0,eax
- sti
- }
- }
- __declspec(naked) beforeKdpTrap() {
- __asm {
- pushad
- mov eax, KdDebuggerEnabled
- mov byte ptr [eax],0x1
- popad
- jmp KdpTrap
- }
- }
- __declspec(naked) nkKdDisableDebuggerWithLock() {
- __asm {
- pushad
- mov eax, KdDebuggerEnabled
- mov byte ptr [eax],0x0
- popad
- mov edi,edi
- push ebp
- mov ebp,esp
- push ecx
- push KdDisableDebuggerWithLock
- add dword ptr [esp],0x6
- retn
- }
- }
- VOID LoadImageNotifyRoutine( __in_opt PUNICODE_STRING FullImageName, __in HANDLE ProcessId, __in PIMAGE_INFO ImageInfo ) {
- if (wcsstr(FullImageName->Buffer, L"TesSafe.sys") && wcsstr(FullImageName->Buffer, L":") ) {
- uTesSafeIBase=ImageInfo->ImageBase;
- __asm {
- int 3
- }
- }
- }
- VOID initialize() {
- PVOID *p1;
- PVOID f1;
- p1 = (ULONG)KdEnableDebugger+3;
- f1 = (ULONG)KdEnableDebugger+7+(ULONG)*p1;
- p1 = (ULONG)f1+0x7b;
- f1 = (ULONG)f1+0x7f+(ULONG)*p1;//KdInitSystem
- p1 = (ULONG)f1+0x4c;
- KiDebugRoutine=(ULONG)*p1;
- p1 = (ULONG)f1+0x50;
- KdpStub=(ULONG)*p1;
- p1 = (ULONG)f1+0x2ce;
- KdpTrap=(ULONG)*p1;
- p1 = (ULONG)KdDisableDebugger+3;
- f1 = (ULONG)KdDisableDebugger+7+(ULONG)*p1;//KdDisableDebuggerWithLock
- KdDisableDebuggerWithLock = f1;
- p1 = (ULONG)f1+0x97;
- KdpSuspendAllBreakpoints = (ULONG)f1+0x9b+(ULONG)*p1;//KdpSuspendAllBreakpoints
- WPOFF();
- Irql=KeRaiseIrqlToDpcLevel();
- __asm {
- pushad
- mov eax, KdpSuspendAllBreakpoints
- mov byte ptr [eax], 0xc3
- mov eax, KdpStub
- mov byte ptr [eax], 0x68
- mov ebx, beforeKdpTrap
- mov dword ptr [eax+0x01], ebx
- mov byte ptr [eax+0x05], 0xC3
- mov eax, KdDisableDebuggerWithLock
- mov byte ptr [eax], 0x68
- mov ebx, nkKdDisableDebuggerWithLock
- mov dword ptr [eax+0x01], ebx
- mov byte ptr [eax+0x05], 0xC3
- popad
- }
- KeLowerIrql(Irql);
- WPON();
- PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
- }
- VOID nUnload(__in struct _DRIVER_OBJECT *DriverObject) {
- PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
- WPOFF();
- Irql=KeRaiseIrqlToDpcLevel();
- __asm {
- pushad
- mov eax, KdpStub
- mov byte ptr [eax], 0x8b
- mov byte ptr [eax+0x01], 0xff
- mov byte ptr [eax+0x02], 0x55
- mov byte ptr [eax+0x03], 0x8b
- mov byte ptr [eax+0x04], 0xec
- mov byte ptr [eax+0x05], 0x53
- mov eax, KdDisableDebuggerWithLock
- mov byte ptr [eax], 0x8b
- mov byte ptr [eax+0x01], 0xff
- mov byte ptr [eax+0x02], 0x55
- mov byte ptr [eax+0x03], 0x8b
- mov byte ptr [eax+0x04], 0xec
- mov byte ptr [eax+0x05], 0x51
- popad
- }
- KeLowerIrql(Irql);
- WPON();
- }
- NTSTATUS DriverEntry (__in struct _DRIVER_OBJECT *DriverObject, __in PUNICODE_STRING RegistryPath) {
- initialize();
- DriverObject->DriverUnload = nUnload;
- return STATUS_SUCCESS;
- }
最后我就说一句,本人所分析的内容完全属于本人自己电脑上cpu、内存中的内容,没有修改任何第三方程序本身的代码()。。。以上提到的某Txxsafe.sys仅用来运行测试。
|
|
hong5499999