64位 win7 解析pdb失败,跟踪之后找到了错误地址,但是找不出错误原因
跟踪到上图的rip位置,返回值为0啊,正常的是1,谁给一个64位能用的啊 |
[转帖]x64_dbg V1.7ALPHA is out!
反汇编的乱码,搞不定了,还是让原作者支持多国语言吧 |
[原创]重载内核之三获取原始地址
KeGetModuleHandle在哪 |
[原创]WIN64驱动编程基础教程(福利:过WIN7/8/8.1签名强制的LIB、过WIN7“补丁守卫”的SRC、吊销的正规数字签名)
这是怎样的精神,向雷锋同志致谢,初学编程5个月,目前在搞内核,你的代码,对我帮助很大,一直看电子书,楼主出书,我一定买一本珍藏 |
[求助]重载内核之后,还是过不去tp,我是新手
自己解决的,发上来共享下 |
[求助]重载内核之后,还是过不去tp,我是新手
#include <ntddk.h>

/*
 * Kernel-mode driver that redirects the kernel's references to the
 * DbgkDebugObjectType global to a privately created object type.
 *
 * Platform notes (grounded in the code below):
 *  - 32-bit x86 only: every routine uses MSVC `__asm` blocks (not available
 *    in the x64 compiler) and stores kernel addresses in `int`/`ULONG`,
 *    which truncate 64-bit pointers.
 *  - Every patch site is located by a hard-coded SSDT index plus a
 *    hard-coded byte offset into the resolved routine (see
 *    myDebugObjectType), so the addresses are only valid for the one
 *    ntoskrnl build they were taken from; on any other build the 4-byte
 *    writes land in unrelated code and the system bugchecks.
 *  - Runtime artifacts visible to a monitoring/detection component:
 *    CR0.WP being cleared and interrupts disabled (WPOFF), 4-byte writes
 *    into kernel code, and a new object type named "MyDebugObject"
 *    registered through the undocumented ObCreateObjectType export.
 *  - The structure layouts copied below are XP-era ntoskrnl internals;
 *    later kernels changed several of them (OBJECT_TYPE_INITIALIZER in
 *    particular) - TODO confirm against the target build.
 */

/* Addresses recorded by myDebugObjectType(); int is only wide enough on x86. */
int DbgkDebugObjectTypeaddr;        /* address of the kernel's DbgkDebugObjectType global */
int DbgkDebugObjectTypeaddrold;     /* saved copy of the above, written back by UnmyDebugObjectType() */
int PassNtDebugActiveProcess;       /* patch sites: address of a 4-byte operand inside each routine */
int PassNtCreateDebugObject;
int PassNtWaitForDebugEvent;
int PassNtDebugContinue;
int PassNtRemoveProcessDebug;
int passPspCreateProcess;           /* never assigned here (its only use is commented out) */
int passDbgkOpenProcessDebugPort;   /* derived from Hook_DebugPort()'s scan result */
int passNtSetInformationDebugObject;

typedef unsigned char BYTE;

/* Layout of KeServiceDescriptorTable as used by GetSSDTFunctionAddr (first field is the table base). */
typedef struct _ServiceDescriptorTable_ {
    PVOID pSSDTBase;
    PVOID pServiceCounterTable;
    ULONG ulNumberOfServices;
    PVOID pParamTableBase;
} ServiceDescriptorTable, *PServiceDescriptorTable;

extern PServiceDescriptorTable KeServiceDescriptorTable;

/* One entry of the SystemModuleInformation result; only Base is read below. */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    HANDLE Section;
    PVOID MappedBase;
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];   /* variable length; Module[0] is used as "the kernel" below */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Information classes for ZwQuerySystemInformation; SystemModuleInformation is value 11. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation,
    SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation,
    SystemCallCounts, SystemConfigurationInformation, SystemProcessorTimes, SystemGlobalFlag,
    SystemNotImplemented2, SystemModuleInformation, SystemLockInformation, SystemNotImplemented3,
    SystemNotImplemented4, SystemNotImplemented5, SystemHandleInformation, SystemObjectInformation,
    SystemPagefileInformation, SystemInstructionEmulationCounts, SystemInvalidInfoClass1,
    SystemCacheInformation, SystemPoolTagInformation, SystemProcessorStatistics, SystemDpcInformation,
    SystemNotImplemented6, SystemLoadImage, SystemUnloadImage, SystemTimeAdjustment,
    SystemNotImplemented7, SystemNotImplemented8, SystemNotImplemented9, SystemCrashDumpInformation,
    SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation,
    SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemLoadAndCallImage,
    SystemPrioritySeparation, SystemNotImplemented10, SystemNotImplemented11, SystemInvalidInfoClass2,
    SystemInvalidInfoClass3, SystemTimeZoneInformation, SystemLookasideInformation,
    SystemSetTimeSlipEvent, SystemCreateSession, SystemDeleteSession, SystemInvalidInfoClass4,
    SystemRangeStartInformation, SystemVerifierInformation, SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

/* Local prototype; presumably not declared by the ntddk.h this was built against. */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation (
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength
);

/*
 * Return the routine address stored in SSDT slot nSSDTIndex.
 * Reads KeServiceDescriptorTable->pSSDTBase[nSSDTIndex] (4-byte slots, x86).
 * No bounds check against ulNumberOfServices: an index past the end of the
 * table reads whatever memory follows it.
 */
int GetSSDTFunctionAddr(int nSSDTIndex)
{
    int Addr;
    __asm {
        mov ebx,nSSDTIndex
        shl ebx,2                        // byte offset of the 4-byte slot
        mov eax,KeServiceDescriptorTable
        mov eax,[eax]                    // first field: pSSDTBase
        add eax,ebx
        mov ecx,[eax]
        mov Addr,ecx
    }
    return Addr;
}

typedef CCHAR KPROCESSOR_MODE;

/* Copy of an internal object-manager structure (XP-era layout). */
typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG Attributes;
    HANDLE RootDirectory;
    PVOID ParseContext;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION;

// begin_ntosp
typedef struct _OBJECT_CREATE_INFORMATION *POBJECT_CREATE_INFORMATION;;

/*
 * Argument block for ObCreateObjectType; CreatemyObjectTypeByName fills it
 * field by field from an existing type's TypeInfo. This is the XP-era
 * layout - later kernels changed it, so the copy below would mis-align
 * on them (TODO confirm against the target build).
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

#define OBJECT_LOCK_COUNT 4

/* Copy of the internal object-type record; only TypeInfo is read here. */
typedef struct _OBJECT_TYPE {
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;            // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
#ifdef POOL_TAGGING
    ULONG Key;
#endif //POOL_TAGGING
    ERESOURCE ObjectLocks[ OBJECT_LOCK_COUNT ];
} OBJECT_TYPE, *POBJECT_TYPE;

/* Copy of the internal object header; declared but not used in this file. */
typedef struct _OBJECT_HEADER {
    LONG_PTR PointerCount;
    union {
        LONG_PTR HandleCount;
        PVOID NextToFree;
    };
    POBJECT_TYPE Type;
    UCHAR NameInfoOffset;
    UCHAR HandleInfoOffset;
    UCHAR QuotaInfoOffset;
    UCHAR Flags;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;

POBJECT_TYPE MyDbgkDebugObjectType=NULL;   /* the private type created by CreatemyObjectTypeByName */
POBJECT_TYPE DbgkDebugObjectType=NULL;     /* the kernel's own type, read via DbgkDebugObjectTypeaddr */
/*
 * Holds MyDbgkDebugObjectType; the patched kernel code is pointed at the
 * ADDRESS of this variable (&newaddr), so it lives in this driver's image.
 * If the driver unloads without UnmyDebugObjectType() running, the kernel
 * is left reading a freed page.
 */
int * newaddr=NULL;

/*
 * Set CR0.WP again (re-enables write protection of read-only pages) and
 * re-enable interrupts. `sti` is unconditional: it does not restore the
 * state that existed before WPOFF(). CR0 is per-processor; nothing here
 * pins the thread to one CPU between WPOFF() and WPON().
 */
void WPON()
{
    __asm{                               // restore memory write protection
        mov eax,cr0
        or eax,10000h                    // CR0.WP is bit 16
        mov cr0,eax
        sti
    }
}

/* Disable interrupts and clear CR0.WP so the 4-byte stores below can hit read-only kernel pages. */
void WPOFF()
{
    __asm{                               // disable memory write protection
        cli
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }
}

/* Result of Hook_DebugPort(): address two bytes past the matched 81 C6 bytes. */
struct _str_debugport {
    ULONG DbgkOpenProcessDebugPort;
}str_debugport;

#pragma PAGEDCODE   /* presumably a project macro placing the function in a pageable section */
/*
 * Locate a byte pattern inside the first loaded module (Module[0], assumed
 * to be the kernel image) and record its address in str_debugport.
 *
 * Steps: query SystemModuleInformation (class 11) once for the size and
 * once for the data, take Module[0].Base, free the buffer, then walk
 * forward byte by byte until bytes at offsets -4,-3,0,1,6 equal
 * 56 8B .. .. 81 C6 .. .. .. .. 83 and store (match + 2).
 *
 * Review notes:
 *  - Neither ZwQuerySystemInformation status is checked; the first call is
 *    expected to fail with a length-mismatch status and only fill `len`.
 *    If the second call fails, Mode_data->Module[0].Base is garbage.
 *  - The loop is unbounded (`while(1)`) and ignores Module[0].Size; if the
 *    pattern is absent it walks off the image into unmapped memory and
 *    bugchecks. The first iterations also read `_bp-4`, i.e. bytes
 *    before the image base.
 *  - The pattern is tied to one compiler output of one kernel build.
 */
VOID Hook_DebugPort()
{
    BYTE* _bp;
    NTSTATUS status;
    ULONG len;
    PVOID p_Buffer;
    ULONG u_addr;
    PSYSTEM_MODULE_INFORMATION Mode_data;
    status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,NULL,0,&len);   /* 11 == SystemModuleInformation */
    p_Buffer=ExAllocatePool(NonPagedPool,len);
    if(p_Buffer==NULL)
    {
        KdPrint(("分配内存出错!\r\n"));
        return ;
    }
    status=ZwQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11,p_Buffer,len,0);
    Mode_data=(PSYSTEM_MODULE_INFORMATION)p_Buffer;
    u_addr=(ULONG)Mode_data->Module[0].Base;   /* first entry assumed to be the kernel - not verified */
    ExFreePool(p_Buffer);
    _bp=(BYTE*)u_addr;
    while(1)
    {
        if((*(_bp-4)==0x56)&&(*(_bp-3)==0x8B)&&(*(_bp)==0x81)&&(*(_bp+1)==0xC6)&&(*(_bp+6)==0x83))
        {
            str_debugport.DbgkOpenProcessDebugPort=(ULONG)_bp+2;   /* the 4 bytes after 81 C6 */
            KdPrint(("DbgkOpenProcessDebugPort的地址为:%x\r\n",str_debugport.DbgkOpenProcessDebugPort));
            break;
        }
        _bp++;
    }
}

/* Undocumented ntoskrnl export; prototype declared locally. */
NTKERNELAPI NTSTATUS ObCreateObjectType(
    __in PUNICODE_STRING TypeName,
    __in POBJECT_TYPE_INITIALIZER ObjectTypeInitializer,
    __in_opt PSECURITY_DESCRIPTOR SecurityDesorintor,
    __in POBJECT_TYPE *ObjectType
);

/*
 * Register a new object type that clones pObjectTypeForCopy->TypeInfo.
 *
 * Every field of the initializer is copied from the source type - including
 * its procedure pointers, so the new type reuses the kernel's own callbacks
 * - except ValidAccessMask, which is forced to 0x1f000f (looks like
 * DEBUG_ALL_ACCESS; confirm). Returns the NTSTATUS of ObCreateObjectType;
 * on success *pNewObjectType receives the new type. Object types are never
 * deleted, so a successful call outlives the driver.
 * The name is visible to any enumeration of object types.
 */
NTSTATUS CreatemyObjectTypeByName(
    IN PCWSTR ObjectTypeName,           // name of the object type to create
    IN POBJECT_TYPE pObjectTypeForCopy, // the original ObjectType to copy from
    OUT POBJECT_TYPE *pNewObjectType)   // receives the newly created ObjectType
{
    UNICODE_STRING NameString;
    OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
    NTSTATUS status;
    RtlInitUnicodeString (&NameString, ObjectTypeName);
    RtlZeroMemory (&ObjectTypeInitializer, sizeof (OBJECT_TYPE_INITIALIZER));
    ObjectTypeInitializer.Length=pObjectTypeForCopy->TypeInfo.Length;
    ObjectTypeInitializer.UseDefaultObject=pObjectTypeForCopy->TypeInfo.UseDefaultObject;
    ObjectTypeInitializer.CaseInsensitive=pObjectTypeForCopy->TypeInfo.CaseInsensitive;
    ObjectTypeInitializer.InvalidAttributes=pObjectTypeForCopy->TypeInfo.InvalidAttributes;
    ObjectTypeInitializer.GenericMapping=pObjectTypeForCopy->TypeInfo.GenericMapping;
    ObjectTypeInitializer.ValidAccessMask=0x1f000f;   /* only field not copied from the source type */
    ObjectTypeInitializer.SecurityRequired=pObjectTypeForCopy->TypeInfo.SecurityRequired;
    ObjectTypeInitializer.MaintainHandleCount=pObjectTypeForCopy->TypeInfo.MaintainHandleCount;
    ObjectTypeInitializer.MaintainTypeList=pObjectTypeForCopy->TypeInfo.MaintainTypeList;
    ObjectTypeInitializer.PoolType=pObjectTypeForCopy->TypeInfo.PoolType;
    ObjectTypeInitializer.DefaultPagedPoolCharge=pObjectTypeForCopy->TypeInfo.DefaultPagedPoolCharge;
    ObjectTypeInitializer.DefaultNonPagedPoolCharge=pObjectTypeForCopy->TypeInfo.DefaultNonPagedPoolCharge;
    ObjectTypeInitializer.DumpProcedure=pObjectTypeForCopy->TypeInfo.DumpProcedure;
    ObjectTypeInitializer.OpenProcedure=pObjectTypeForCopy->TypeInfo.OpenProcedure;
    ObjectTypeInitializer.CloseProcedure=pObjectTypeForCopy->TypeInfo.CloseProcedure;
    ObjectTypeInitializer.DeleteProcedure=pObjectTypeForCopy->TypeInfo.DeleteProcedure;
    ObjectTypeInitializer.ParseProcedure=pObjectTypeForCopy->TypeInfo.ParseProcedure;
    ObjectTypeInitializer.SecurityProcedure=pObjectTypeForCopy->TypeInfo.SecurityProcedure;
    ObjectTypeInitializer.QueryNameProcedure=pObjectTypeForCopy->TypeInfo.QueryNameProcedure;
    ObjectTypeInitializer.OkayToCloseProcedure=pObjectTypeForCopy->TypeInfo.OkayToCloseProcedure;
    status=ObCreateObjectType (&NameString, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR) NULL, pNewObjectType);
    if (NT_SUCCESS(status))
    {
        DbgPrint("NewType=0x%08X\n",*pNewObjectType);
    }
    else
    {
        DbgPrint("Failed! status=0x%08X\n",status);
    }
    return status;
}

/*
 * Resolve the kernel's DbgkDebugObjectType, create the private clone type,
 * then rewrite seven 4-byte operands so that the affected routines read
 * the type pointer from `newaddr` (this driver's variable) instead of from
 * the kernel global.
 *
 * Address derivation: the 4 bytes at NtDebugActiveProcess+0x5c are taken
 * as the address of the DbgkDebugObjectType global; dereferencing that
 * once more yields the POBJECT_TYPE. Each "Pass*" site is an SSDT routine
 * (index per the variable name) plus a fixed byte offset; the last one is
 * Hook_DebugPort()'s match plus 0x4c. All of these are build-specific.
 *
 * Review notes:
 *  - `CreateNewObjectTypeByName` is not the name defined above
 *    (`CreatemyObjectTypeByName`); as posted this does not link.
 *  - If Hook_DebugPort() has not run, str_debugport is zero and the
 *    write goes to address 0x4c: the `!=NULL` guards only reject exact
 *    zero and cannot catch a wrong offset.
 *  - `newaddr=MyDbgkDebugObjectType` and `passaddr=&newaddr` assign across
 *    pointer types without casts (POBJECT_TYPE -> int*, int** -> int*).
 *  - The `mov [eax],ebx` in each block stores the 4-byte value of
 *    passaddr (== &newaddr) at the site; WPOFF()/WPON() bracket each store.
 */
void myDebugObjectType()
{
    int *passaddr=NULL;
    DbgkDebugObjectTypeaddr=GetSSDTFunctionAddr(57)+0x5c;
    DbgkDebugObjectTypeaddr=*(int*)DbgkDebugObjectTypeaddr;          /* -> address of the kernel global */
    DbgkDebugObjectTypeaddrold=DbgkDebugObjectTypeaddr;              /* kept for UnmyDebugObjectType() */
    DbgkDebugObjectType=(POBJECT_TYPE)(*(int*)DbgkDebugObjectTypeaddr);   /* -> the type pointer itself */
    //passPspCreateProcess=GetFunCtionAddr(L"PspCreateProcess");
    CreateNewObjectTypeByName(L"MyDebugObject",DbgkDebugObjectType,&MyDbgkDebugObjectType);   /* return status ignored */
    passDbgkOpenProcessDebugPort=str_debugport.DbgkOpenProcessDebugPort+0x4c;
    passNtSetInformationDebugObject=GetSSDTFunctionAddr(223)+0xbc;
    PassNtDebugActiveProcess=GetSSDTFunctionAddr(57)+0x5c;
    PassNtCreateDebugObject=GetSSDTFunctionAddr(33)+0x60;
    PassNtWaitForDebugEvent=GetSSDTFunctionAddr(269)+0xa7;
    PassNtDebugContinue=GetSSDTFunctionAddr(58)+0x7b;
    PassNtRemoveProcessDebug=GetSSDTFunctionAddr(191)+0x42;
    DbgPrint("DbgkDebugObjectType is %x!\n",DbgkDebugObjectTypeaddr);
    DbgPrint("PassNtDebugActiveProcess is %x!\n",PassNtDebugActiveProcess);
    DbgPrint("PassNtCreateDebugObject is %x!\n",PassNtCreateDebugObject);
    DbgPrint("PassNtWaitForDebugEvent is %x!\n",PassNtWaitForDebugEvent);
    DbgPrint("PassNtDebugContinue is %x!\n",PassNtDebugContinue);
    DbgPrint("PassNtRemoveProcessDebug is %x!\n",PassNtRemoveProcessDebug);
    DbgPrint("passDbgkOpenProcessDebugPort is %x!\n",passDbgkOpenProcessDebugPort);
    DbgPrint("passNtSetInformationDebugObject is %x!\n",passNtSetInformationDebugObject);
    DbgPrint("MyDbgkDebugObjectType is %x!\n",MyDbgkDebugObjectType);
    newaddr=MyDbgkDebugObjectType;
    passaddr=&newaddr;                 /* value written into every site below */
    DbgPrint("newaddr is %x!\n",&newaddr);
    DbgPrint("passaddr is %x!\n",passaddr);
    if(MyDbgkDebugObjectType!=NULL)
    {
        if (PassNtDebugActiveProcess!=NULL)
        {
            WPOFF();
            //(int*)(PassNtDebugActiveProcess)=&newaddr;
            __asm{
                mov eax,PassNtDebugActiveProcess
                mov ebx,passaddr
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtCreateDebugObject!=NULL)
        {
            WPOFF();
            //(int*)(PassNtCreateDebugObject)=&newaddr;
            __asm{
                mov eax,PassNtCreateDebugObject
                mov ebx,passaddr
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtWaitForDebugEvent!=NULL)
        {
            WPOFF();
            //(int*)(PassNtWaitForDebugEvent)=&newaddr;
            __asm{
                mov eax,PassNtWaitForDebugEvent
                mov ebx,passaddr
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtDebugContinue!=NULL)
        {
            WPOFF();
            //(int*)(PassNtDebugContinue)=&newaddr;
            __asm{
                mov eax,PassNtDebugContinue
                mov ebx,passaddr
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtRemoveProcessDebug!=NULL)
        {
            WPOFF();
            //(int*)(PassNtRemoveProcessDebug)=&newaddr;
            __asm{
                mov eax,PassNtRemoveProcessDebug
                mov ebx,passaddr
                mov [eax],ebx
            }
            WPON();
        }
        if (passDbgkOpenProcessDebugPort!=NULL)
        {
            WPOFF();
            //(int*)(PassNtRemoveProcessDebug)=&newaddr;
            __asm{
                mov eax,passDbgkOpenProcessDebugPort
                mov ebx,passaddr
                mov [eax],ebx
            }
            WPON();
        }
        if (passNtSetInformationDebugObject!=NULL)
        {
            WPOFF();
            //(int*)(PassNtRemoveProcessDebug)=&newaddr;
            __asm{
                mov eax,passNtSetInformationDebugObject
                mov ebx,passaddr
                mov [eax],ebx
            }
            WPON();
        }
        DbgPrint("PatchDebugObjectType is succeed!\n");
    }
    else
    {
        DbgPrint("PatchDebugObjectType is failed!\n");
    }
}

/*
 * Undo myDebugObjectType(): write the saved address of the kernel global
 * (DbgkDebugObjectTypeaddrold) back into each of the seven sites.
 * Relies on myDebugObjectType() having run first - otherwise the saved
 * value is 0 and nothing is touched. The "MyDebugObject" type itself
 * stays registered; object types cannot be removed.
 * The two DbgPrint strings are placeholder dots in the posted code.
 */
void UnmyDebugObjectType()
{
    if(DbgkDebugObjectTypeaddrold!=NULL)
    {
        if (PassNtDebugActiveProcess!=NULL)
        {
            WPOFF();
            //(int*)(PassNtDebugActiveProcess)=&newaddr;
            __asm{
                mov eax,PassNtDebugActiveProcess
                mov ebx,DbgkDebugObjectTypeaddrold
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtCreateDebugObject!=NULL)
        {
            WPOFF();
            //(int*)(PassNtCreateDebugObject)=&newaddr;
            __asm{
                mov eax,PassNtCreateDebugObject
                mov ebx,DbgkDebugObjectTypeaddrold
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtWaitForDebugEvent!=NULL)
        {
            WPOFF();
            //(int*)(PassNtWaitForDebugEvent)=&newaddr;
            __asm{
                mov eax,PassNtWaitForDebugEvent
                mov ebx,DbgkDebugObjectTypeaddrold
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtDebugContinue!=NULL)
        {
            WPOFF();
            //(int*)(PassNtDebugContinue)=&newaddr;
            __asm{
                mov eax,PassNtDebugContinue
                mov ebx,DbgkDebugObjectTypeaddrold
                mov [eax],ebx
            }
            WPON();
        }
        if (PassNtRemoveProcessDebug!=NULL)
        {
            WPOFF();
            //(int*)(PassNtRemoveProcessDebug)=&newaddr;
            __asm{
                mov eax,PassNtRemoveProcessDebug
                mov ebx,DbgkDebugObjectTypeaddrold
                mov [eax],ebx
            }
            WPON();
        }
        if (passDbgkOpenProcessDebugPort!=NULL)
        {
            WPOFF();
            //(int*)(PassNtRemoveProcessDebug)=&newaddr;
            __asm{
                mov eax,passDbgkOpenProcessDebugPort
                mov ebx,DbgkDebugObjectTypeaddrold
                mov [eax],ebx
            }
            WPON();
        }
        if (passNtSetInformationDebugObject!=NULL)
        {
            WPOFF();
            //(int*)(PassNtRemoveProcessDebug)=&newaddr;
            __asm{
                mov eax,passNtSetInformationDebugObject
                mov ebx,DbgkDebugObjectTypeaddrold
                mov [eax],ebx
            }
            WPON();
        }
        DbgPrint("................");
    }
    else
    {
        DbgPrint(".............................");
    }
}
[原创]女人是不是不适合学逆向啊
我和我的小伙伴都惊呆了 |
|
[求助]c语言写windows程序的问题
太好了我看看 |
|
[求助]c语言写windows程序的问题
谢谢两位,我不想拖控件,我想纯c加api,算是打个基础吧 |