DebugPort 调用过程


DebugPort调用过程

一个程序被 ring3 调试器调试时，有很多调试特征可以检测，本论坛也有专门的帖子详细论述；但有一个非常根本的标志，ring3 同样可以检测，却比较少有人提及，那就是 _EPROCESS.DebugPort。

DebugPort 对于 ring3 调试器非常重要：内核正是通过它把进程/线程创建、退出、异常、映像装载等调试事件投递给调试器，没有它正常的 ring3 调试就无法进行。

当然，要检测这个标志的前提是程序能够读取 ring0 内存。在 XP 上有个非常简单的方法，就是使用 ZwSystemDebugControl 的 SysDbgReadVirtualMemory 功能（需要 SeDebugPrivilege，即管理员权限）；也可以映射 \Device\PhysicalMemory 来直接操作物理内存。需要注意的是，本文的偏移和特征码都只针对 XP，较新的 Windows 版本也已经限制了这两条从用户态读内核内存的途径。

检测 DebugPort 之前首先要得到进程的 EPROCESS 地址：可以通过 ZwQuerySystemInformation 的 SystemHandleInformation 得到（枚举系统句柄表时，进程句柄所对应的 Object 字段就是该进程的 EPROCESS 地址），也可以直接在 ring0 内存中搜索 EPROCESS 结构。

对于 ring3 直接检测 DebugPort 的情况，我们可以通过禁止该进程访问 ring0 内存来对付；但目标一旦使用驱动在 ring0 里直接检测，那就非常麻烦了。

下面介绍一种隐藏 _EPROCESS.DebugPort 的方法。基本思路是：把一个正常被调试进程的 DebugPort 置零，然后修正所有受影响的内核函数（让它们改去读另一处保存的值），使我们的调试器仍能正常工作。

这些函数如下：
PspCreateProcess、MmCreatePeb：进程创建时设置 DebugPort
DbgkCreateThread：发送线程或进程创建的调试信息
KiDispatchException、DbgkForwardException 和 DbgkpQueueMessage：发送异常调试信息
PspExitThread、DbgkExitThread 和 DbgkExitProcess：发送线程退出、进程退出的调试信息
DbgkMapViewOfSection 和 DbgkUnMapViewOfSection：发送映像装载、卸载的调试信息
DbgkpSetProcessDebugObject 和 DbgkpMarkProcessPeb：调试器附加进程时设置 DebugPort
这类函数非常多，如果全部 HOOK 处理，工作量太恐怖了。这里使用一个非常简单的办法：偷龙转凤——把 DebugPort 搬家。

我们看系统访问 DebugPort 的代码都是这样的（XP，x86）：
8B 89 BC 00 00 00    mov ecx, dword ptr [ecx+0BCh]    ; 0BCh 就是 XP 上 _EPROCESS.DebugPort 的偏移，编码在指令的 4 字节 disp32 里
我们可以把 DebugPort 转移到 _EPROCESS 的另外一个位置，比如我使用 +0x070 的 CreateTime：它记录进程创建时间，进程创建之后、退出之前系统不会再修改它。不过"修改后对系统或进程没有任何影响"这一点要打折扣：CreateTime 是 8 字节的 LARGE_INTEGER，这里只借用了它的低 4 字节；而且进程创建时间是会通过 GetProcessTimes / NtQueryInformationProcess 报告给用户态的，搬家之后被调试进程的"创建时间"会变成一个内核指针（按下面 ChangeProcessDebugPort 的写法，其余所有进程的低 32 位则被清零），这本身就是一个可被检测的痕迹，同时也泄露了 DebugObject 的内核地址。

这样我们可以把上面的代码改成这样：
8B 89 70 00 00 00    mov ecx, dword ptr [ecx+070h]    ; 现在指向 CreateTime，实际的 DebugPort 已经被搬到这里
只需要修改 disp32 中的一个字节（0xBC → 0x70），非常简单。（下面的代码为了省事直接把整个 4 字节 disp32 按 ULONG 写成新偏移，效果一样。）

当然，这种方法最麻烦的地方就是定位引用到 DebugPort 的函数（本人仅仅为了针对不同的 XP 版本制作特征码就累到吐血）。这些函数都不导出；如果只针对特定系统，最简单的办法就是在 WinDbg 里用 uf 反汇编这些函数，直接找到地址硬编码，只需要几分钟时间。

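/*
 * Snapshot one NOP patch site recorded by the search routines: fill its
 * NopCode buffer with 0x90 and save the kernel's original bytes at
 * site.Address into OrigCode so WriteBackDebugFunction can undo the patch.
 * A site whose Address is 0 (not located) is skipped. A site whose Size is
 * larger than NopCode is disqualified by clearing Address: ModifyDebugFunction
 * later copies Size bytes out of NopCode, so an oversized Size would read past
 * that buffer there (and, assuming OrigCode is the same size, write past it
 * here). Clearing Address makes the readiness check at the end of
 * InitHackAddress fail instead, which is the safe outcome in kernel mode.
 */
#define SNAPSHOT_NOP_SITE(site)                                                     \
    do {                                                                            \
        if ((site).Address != 0) {                                                  \
            if ((site).Size > sizeof((site).NopCode)) {                             \
                DbgPrint("InitHackAddress: " #site " Size exceeds NopCode\n");      \
                (site).Address = 0;                                                 \
            } else {                                                                \
                RtlFillMemory((site).NopCode, sizeof((site).NopCode), 0x90);        \
                RtlCopyMemory((site).OrigCode, (PVOID)(site).Address, (site).Size); \
            }                                                                       \
        }                                                                           \
    } while (0)

/*
 * Locate every kernel instruction this driver patches and record the bytes
 * needed to patch and un-patch them. Nothing is written to kernel code here.
 *
 * Side effects: fills the g_Hack* displacement addresses and the g_Nop* site
 * records (NopCode/OrigCode snapshots). The Search* routines are defined
 * elsewhere; judging by the final check, SearchDbgkNotifyRoutine and
 * SearchDbgkpSetProcessDebugObject presumably fill g_HackDbgkForwardException,
 * g_HackDbgkExit*, g_HackDbgk*MapViewOfSection, the remaining g_Nop*
 * Address/Size fields and g_HackDbgkpSetProcessDebugObject[] as side effects
 * — verify against their definitions.
 *
 * Returns TRUE only when every displacement site was found and every NOP site
 * passed the size check. Any exception raised while reading kernel memory is
 * caught by the SEH handler and surfaces as FALSE through that same check,
 * since the globals it would have filled stay zero.
 */
BOOLEAN InitHackAddress(void)
{
    _SEH_TRY
    {
        g_KernelBase = GetKernelBaseAndSize(&g_KernelSize);

        /* Displacement sites: each is the address of a disp32 that encodes the DebugPort offset. */
        g_HackPspCreateProcess    = SearchHackPspCreateProcess(&g_NopPspCreateProcess.Address);
        g_HackKiDispatchException = SearchKiDispatchException(g_KernelBase, g_KernelSize);
        g_HackDbgkpQueueMessage   = SearchDbgkpQueueMessage(g_KernelBase, g_KernelSize);
        g_HackDbgkCreateThread    = SearchDbgkCreateThread(g_KernelBase, g_KernelSize);
        SearchDbgkNotifyRoutine(g_KernelBase, g_KernelSize);
        g_HackPspExitThread       = SearchPspExitThread();
        /* MmCreatePeb is located relative to the PspCreateProcess hit, so it must run after it. */
        g_HackMmCreatePeb         = SearchMmCreatePeb(g_HackPspCreateProcess);
        SearchDbgkpSetProcessDebugObject(g_KernelBase, g_KernelSize);
        /* Likewise DbgkpMarkProcessPeb is derived from the fourth DbgkpSetProcessDebugObject hit. */
        if (g_HackDbgkpSetProcessDebugObject[3]) {
            g_HackDbgkpMarkProcessPeb = SearchDbgkpMarkProcessPeb(g_HackDbgkpSetProcessDebugObject[3]);
        }

        /* The PspCreateProcess NOP site has a fixed length; the other sites get Size from their search. */
        if (g_NopPspCreateProcess.Address != 0) {
            g_NopPspCreateProcess.Size = 9;
        }
        SNAPSHOT_NOP_SITE(g_NopPspCreateProcess);
        SNAPSHOT_NOP_SITE(g_NopDbgkForwardException);
        SNAPSHOT_NOP_SITE(g_NopDbgkExitThread);
        SNAPSHOT_NOP_SITE(g_NopDbgkExitProcess);
        SNAPSHOT_NOP_SITE(g_NopDbgkMapViewOfSection);
        SNAPSHOT_NOP_SITE(g_NopDbgkUnMapViewOfSection);
    }
    _SEH_HANDLER
    {
        DbgPrint("InitHackAddress Exception!\n");
    }

    /* Ready only if every site is known; a single missing one would leave the kernel half-patched. */
    return (g_HackPspCreateProcess != 0 &&
            g_HackKiDispatchException != 0 &&
            g_HackDbgkForwardException != 0 &&
            g_HackDbgkpQueueMessage != 0 &&
            g_NopPspCreateProcess.Address != 0 &&
            g_NopDbgkForwardException.Address != 0 &&
            g_HackDbgkCreateThread != 0 &&
            g_HackDbgkExitThread != 0 &&
            g_NopDbgkExitThread.Address != 0 &&
            g_HackDbgkExitProcess != 0 &&
            g_NopDbgkExitProcess.Address != 0 &&
            g_HackDbgkMapViewOfSection != 0 &&
            g_NopDbgkMapViewOfSection.Address != 0 &&
            g_HackDbgkUnMapViewOfSection != 0 &&
            g_NopDbgkUnMapViewOfSection.Address != 0 &&
            g_HackPspExitThread != 0 &&
            g_HackMmCreatePeb != 0 &&
            g_HackDbgkpSetProcessDebugObject[0] != 0 &&
            g_HackDbgkpSetProcessDebugObject[1] != 0 &&
            g_HackDbgkpSetProcessDebugObject[2] != 0 &&
            g_HackDbgkpSetProcessDebugObject[3] != 0 &&
            g_HackDbgkpMarkProcessPeb != 0);
}

/* ChangeProcessDebugPort (below) relocates the DebugPort of processes that are already running. */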
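/*
 * Walk the kernel's active-process list (starting at PsInitialSystemProcess'
 * ActiveProcessLinks) and, for every process on it:
 *   Hide == TRUE : copy the DebugPort DWORD into the CreateTime slot and zero
 *                  DebugPort, so the field a ring3/ring0 checker inspects reads
 *                  0 while the patched kernel code (see ModifyDebugFunction)
 *                  keeps finding the debug object at CREATE_TIME_OFFSET;
 *   Hide == FALSE: copy the DWORD at the CreateTime slot back into DebugPort.
 *
 * Returns FALSE if InitHackAddress has not succeeded (g_bIsAddressStartup).
 * Otherwise returns TRUE even when the walk raised an exception — the SEH
 * handler only DbgPrints — so callers cannot tell a partial walk from a full
 * one.
 *
 * Fix vs. the original: the zero guard is evaluated on the EPROCESS computed
 * for THIS entry; the original tested the previous iteration's value (initially
 * PsInitialSystemProcess), so it never guarded the address about to be used.
 *
 * NOTE(review): the list is walked with no lock (PspActiveProcessMutex) and no
 * reference on each EPROCESS; a process exiting concurrently can unlink itself
 * mid-walk, which the SEH block may or may not catch.
 * NOTE(review): Hide clobbers the low DWORD of CreateTime (a LARGE_INTEGER) for
 * EVERY process, not just the debugged one — the patched kernel treats that
 * slot as the DebugPort of all processes, so it must be 0 for undebugged ones.
 * The original timestamps are lost and are not restored on unhide, and the
 * unhide path leaves the DebugObject pointer in CreateTime. Creation time is
 * reported to user mode (GetProcessTimes / NtQueryInformationProcess), so this
 * is both a detectable artifact and a kernel-address disclosure.
 */
BOOLEAN ChangeProcessDebugPort(BOOLEAN Hide)
{
    PLIST_ENTRY listHead;
    PLIST_ENTRY entry;
    ULONG process;
    ULONG debugObject;

    if (!g_bIsAddressStartup) {
        return FALSE;
    }

    listHead = (PLIST_ENTRY)((ULONG)PsInitialSystemProcess + ACTIVE_LINKS_OFFSET);
    entry = listHead;

    _SEH_TRY
    {
        do {
            if (entry == NULL) {
                break;
            }
            /* CONTAINING_RECORD by hand: step back from ActiveProcessLinks to the EPROCESS. */
            process = (ULONG)entry - ACTIVE_LINKS_OFFSET;
            if (process == 0) {
                break;
            }

            if (Hide) {
                debugObject = *(ULONG *)(process + DEBUG_PORT_OFFSET);
                *(ULONG *)(process + CREATE_TIME_OFFSET) = debugObject;
                *(ULONG *)(process + DEBUG_PORT_OFFSET) = 0;
            } else {
                debugObject = *(ULONG *)(process + CREATE_TIME_OFFSET);
                *(ULONG *)(process + DEBUG_PORT_OFFSET) = debugObject;
            }

            entry = entry->Flink;
        } while (entry != listHead);
    }
    _SEH_HANDLER
    {
        DbgPrint("ChangeProcessDebugPortexception!\n");
    }

    return TRUE;
}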
代码（修改 / 恢复内核中引用 DebugPort 的指令）：
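/* Number of disp32 patch sites recorded by InitHackAddress: 12 single sites plus the 4 in DbgkpSetProcessDebugObject. */
#define DEBUG_PORT_SITE_COUNT 16

/*
 * Clear CR0.WP so the read-only kernel code pages can be written in place, and
 * mask interrupts on this CPU first so the thread is not preempted or migrated
 * while write protection is down. 32-bit MSVC inline assembly (x86 only).
 * Must be paired with RestoreWriteProtect().
 *
 * NOTE(review): cli only affects the current CPU; on a multiprocessor machine
 * other CPUs can execute the instructions being rewritten mid-patch. Writing
 * kernel code through an MDL (MmMapLockedPagesSpecifyCache) is the supported
 * way to do this, and cli raises the effective IRQL without telling the kernel,
 * so anything between the two asm blocks that page-faults is fatal.
 */
static void DropWriteProtect(void)
{
    __asm {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
}

/* Re-enable CR0.WP and interrupts; the inverse of DropWriteProtect(). */
static void RestoreWriteProtect(void)
{
    __asm {
        mov eax, cr0
        or  eax, 10000h
        mov cr0, eax
        sti
    }
}

/*
 * Overwrite one NOP site with its 0x90 sled (Restore == FALSE) or with the
 * original bytes saved by InitHackAddress (Restore == TRUE). Site.Size bytes
 * are written. The caller must have write protection dropped.
 */
#define APPLY_NOP_SITE(site, Restore)                                          \
    RtlCopyMemory((PVOID)(site).Address,                                       \
                  (Restore) ? (PVOID)(site).OrigCode : (PVOID)(site).NopCode,  \
                  (site).Size)

/*
 * Shared body of ModifyDebugFunction / WriteBackDebugFunction, which were two
 * 45-line copies differing only in the displacement value and the byte buffer.
 *
 * Displacement: the _EPROCESS offset stored into each recorded disp32
 *               (CREATE_TIME_OFFSET to relocate, DEBUG_PORT_OFFSET to restore).
 *               The whole 4-byte disp32 is rewritten, not just its low byte.
 * Restore:      FALSE writes the NOP sleds, TRUE writes back the original bytes.
 *
 * Runs with CR0.WP cleared and interrupts masked for the entire rewrite.
 * Callers check g_bIsAddressStartup first; every site address is assumed valid
 * (InitHackAddress returned TRUE), nothing is re-validated here.
 */
static void RewriteDebugPortReferences(ULONG Displacement, BOOLEAN Restore)
{
    ULONG *sites[DEBUG_PORT_SITE_COUNT];
    ULONG i;

    sites[0]  = (ULONG *)g_HackPspCreateProcess;
    sites[1]  = (ULONG *)g_HackKiDispatchException;
    sites[2]  = (ULONG *)g_HackDbgkForwardException;
    sites[3]  = (ULONG *)g_HackDbgkpQueueMessage;
    sites[4]  = (ULONG *)g_HackDbgkCreateThread;
    sites[5]  = (ULONG *)g_HackDbgkExitThread;
    sites[6]  = (ULONG *)g_HackDbgkExitProcess;
    sites[7]  = (ULONG *)g_HackDbgkMapViewOfSection;
    sites[8]  = (ULONG *)g_HackDbgkUnMapViewOfSection;
    sites[9]  = (ULONG *)g_HackPspExitThread;
    sites[10] = (ULONG *)g_HackDbgkpMarkProcessPeb;
    sites[11] = (ULONG *)g_HackMmCreatePeb;
    sites[12] = (ULONG *)g_HackDbgkpSetProcessDebugObject[0];
    sites[13] = (ULONG *)g_HackDbgkpSetProcessDebugObject[1];
    sites[14] = (ULONG *)g_HackDbgkpSetProcessDebugObject[2];
    sites[15] = (ULONG *)g_HackDbgkpSetProcessDebugObject[3];

    DropWriteProtect();

    for (i = 0; i < DEBUG_PORT_SITE_COUNT; i++) {
        *sites[i] = Displacement;
    }

    /* NOP sites defeat the PS_CROSS_THREAD_FLAGS_HIDEFROMDBG checks (see the note after the code). */
    APPLY_NOP_SITE(g_NopPspCreateProcess, Restore);
    APPLY_NOP_SITE(g_NopDbgkForwardException, Restore);
    APPLY_NOP_SITE(g_NopDbgkExitThread, Restore);
    APPLY_NOP_SITE(g_NopDbgkExitProcess, Restore);
    APPLY_NOP_SITE(g_NopDbgkMapViewOfSection, Restore);
    APPLY_NOP_SITE(g_NopDbgkUnMapViewOfSection, Restore);

    RestoreWriteProtect();
}

/*
 * Patch the kernel so every recorded reference to _EPROCESS.DebugPort reads
 * CREATE_TIME_OFFSET instead, and NOP out the ThreadHideFromDebugger checks.
 * Returns FALSE if InitHackAddress has not succeeded, TRUE otherwise.
 * Pair with ChangeProcessDebugPort(TRUE) to move already-running processes'
 * debug ports into the new slot.
 */
BOOLEAN ModifyDebugFunction(void)
{
    if (!g_bIsAddressStartup) {
        return FALSE;
    }
    RewriteDebugPortReferences(CREATE_TIME_OFFSET, FALSE);
    return TRUE;
}

/*
 * Undo ModifyDebugFunction: point every recorded reference back at
 * DEBUG_PORT_OFFSET and restore the original bytes at the NOP sites.
 * Returns FALSE if InitHackAddress has not succeeded, TRUE otherwise.
 * Pair with ChangeProcessDebugPort(FALSE).
 */
BOOLEAN WriteBackDebugFunction(void)
{
    if (!g_bIsAddressStartup) {
        return FALSE;
    }
    RewriteDebugPortReferences(DEBUG_PORT_OFFSET, TRUE);
    return TRUE;
}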
我想再啰嗦一下：上面代码里大家看到很多函数都有一个 NopCode，这实际上是对付线程的 PS_CROSS_THREAD_FLAGS_HIDEFROMDBG 标志的——把相关的判断 NOP 掉以后，就算线程被设置为 ThreadHideFromDebugger，也无法阻止调试器接收调试信息。
