Trace of a normal program, where OpenProcess succeeds:
kd> r
eax=0000007a ebx=00000001 ecx=0040ca29 edx=0012f810 esi=00000000 edi=00000111
eip=7c92eb8d esp=0012f810 ebp=0012f84c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCall+0x2:
001b:7c92eb8d 0f34 sysenter
kd> t
ntdll!ZwOpenProcess+0xc:
001b:7c92dd87 c21000 ret 10h
kd> r
eax=00000000 ebx=00000001 ecx=00000001 edx=ffffffff esi=00000000 edi=00000111
eip=7c92dd87 esp=0012f814 ebp=0012f84c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!ZwOpenProcess+0xc:
001b:7c92dd87 c21000 ret 10h
kd> p
kernel32!OpenProcess+0x49:
001b:7c830a2a 3bc6 cmp eax,esi // here eax = esi = 0
kd> p
kernel32!OpenProcess+0x4b:
001b:7c830a2c 5e pop esi
kd> p
kernel32!OpenProcess+0x4c:
001b:7c830a2d 0f8cb7710000 jl kernel32!Beep+0x173 (7c837bea) // not taken here
kd> p
kernel32!OpenProcess+0x52:
001b:7c830a33 8b4510 mov eax,dword ptr [ebp+10h]
kd> p
kernel32!OpenProcess+0x55:
001b:7c830a36 c9 leave
kd> p
kernel32!OpenProcess+0x56:
001b:7c830a37 c20c00 ret 0Ch
It returns successfully at this point. Below is the trace of the protected program:
eax=0000007a ebx=00000001 ecx=0040ca29 edx=0012f810 esi=00000000 edi=00000111
eip=7c92eb8d esp=0012f810 ebp=0012f84c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCall+0x2:
001b:7c92eb8d 0f34 sysenter
eax=c0000022 ebx=00000001 ecx=00000001 edx=ffffffff esi=00000000 edi=00000111
eip=7c92dd87 esp=0012f814 ebp=0012f84c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!ZwOpenProcess+0xc:
001b:7c92dd87 c21000 ret 10h
kd> p
kernel32!OpenProcess+0x49:
001b:7c830a2a 3bc6 cmp eax,esi // here eax=0x22 != esi
kd> p
kernel32!OpenProcess+0x4b:
001b:7c830a2c 5e pop esi
kd> p
kernel32!OpenProcess+0x4c:
001b:7c830a2d 0f8cb7710000 jl kernel32!Beep+0x173 (7c837bea) // the jump is taken from here on
kd> p
kernel32!Beep+0x173:
001b:7c837bea 50 push eax
kd> p
kernel32!Beep+0x174:
001b:7c837beb e87b17fdff call kernel32!GetTickCount+0xcf (7c80936b)
OK, the key point is that eax is different after sysenter; I checked everything before it and it is all the same. Does anyone know where this is hooked, and what tool should be used to find it?
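The two traces differ only in the value ZwOpenProcess leaves in eax after the syscall returns: 0 in the normal run, 0xc0000022 in the protected run. That value is an NTSTATUS, and kernel32!OpenProcess tests it with `cmp eax,esi` (esi is 0) followed by `jl`, a signed comparison, so the error path is taken exactly when the top bit of the status is set. The following script is an added example, not code from the original post: it parses the register lines quoted above (embedded as constructed sample strings), decodes the status fields, and reproduces the signed-branch decision so the reader can see why 0xc0000022 (STATUS_ACCESS_DENIED) lands in the error path while 0 does not. The `KNOWN` table and the helper names are the example's own.

```python
# Added example (not from the original post): decode the post-sysenter eax values
# from the kd> register dumps and replay the signed `cmp eax,esi / jl` test that
# kernel32!OpenProcess uses to decide between the success and error paths.
import re

# Constructed sample input: the register lines printed right after
# ntdll!ZwOpenProcess returned, copied from the normal and protected traces.
TRACE_OK = "eax=00000000 ebx=00000001 ecx=00000001 edx=ffffffff esi=00000000 edi=00000111"
TRACE_DENIED = "eax=c0000022 ebx=00000001 ecx=00000001 edx=ffffffff esi=00000000 edi=00000111"

_REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-fA-F]{8})\b")

# Status values that appear in the traces; STATUS_ACCESS_DENIED is the
# documented meaning of 0xC0000022.
KNOWN = {0x00000000: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED"}


def parse_regs(line):
    """Turn one kd> 'r' register line into {name: unsigned 32-bit value}."""
    return {name: int(val, 16) for name, val in _REG_RE.findall(line)}


def to_signed32(v):
    """Reinterpret an unsigned 32-bit value the way `jl` sees it (two's complement)."""
    return v - (1 << 32) if v & 0x80000000 else v


def nt_success(status):
    """NT_SUCCESS(Status) is defined as ((NTSTATUS)(Status)) >= 0."""
    return to_signed32(status) >= 0


def decode_ntstatus(status):
    """Split an NTSTATUS into its severity, customer bit, facility and code fields."""
    names = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
    return {
        "severity": names[status >> 30],
        "customer": bool((status >> 29) & 1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
    }


def jl_taken(eax, esi):
    """`cmp eax,esi` then `jl`: taken when eax < esi as signed integers.
    With esi == 0 this is exactly 'status is negative', i.e. not NT_SUCCESS."""
    return to_signed32(eax) < to_signed32(esi)


def analyze(line):
    """Explain what kernel32!OpenProcess will do with the eax/esi pair on this line."""
    regs = parse_regs(line)
    eax, esi = regs["eax"], regs["esi"]
    result = {
        "status": eax,
        "name": KNOWN.get(eax, "unknown"),
        "nt_success": nt_success(eax),
        "error_branch": jl_taken(eax, esi),
    }
    result.update(decode_ntstatus(eax))
    return result


if __name__ == "__main__":
    for label, line in (("normal", TRACE_OK), ("protected", TRACE_DENIED)):
        print(label, analyze(line))
```

Running it shows that the only thing separating the two traces is the sign bit of the status coming back from the kernel: user-mode OpenProcess has not been changed, it is merely reacting to an access-denied status, which is why the poster found everything before the sysenter identical.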