小弟为解决某游戏DebugPort清零,根据wowelf大牛的帖子,写了个驱动:
// Hard-coded kernel virtual addresses of the ntoskrnl functions that this driver patches.
// NOTE(review): they are only meaningful for the exact kernel build they were read from;
// nothing in the visible code verifies the running kernel before these addresses are written to.
#define PspCreateProcessAddr 0x805d1858
#define MmCreatePebAddr 0x805b0b30
#define DbgkCreateThreadAddr 0x80644484
#define KiDispatchExceptionAddr 0x804ff466
#define DbgkForwardExceptionAddr 0x806442d8
#define DbgkpQueueMessageAddr 0x80642fe4
#define PspExitThreadAddr 0x805d3086
#define DbgkExitThreadAddr 0x80644822
#define DbgkExitProcessAddr 0x8064489c
#define DbgkMapViewOfSectionAddr 0x80644916
#define DbgkUnMapViewOfSectionAddr 0x806449ec
#define DbgkpSetProcessDebugObjectAddr 0x80643d28
#define DbgkpMarkProcessPebAddr 0x80642cf2
// Byte offset, inside each function above, of the instruction that references DebugPort.
// Functions with several references get one offset per reference (MmCreatePeb: 2,
// DbgkpSetProcessDebugObject: 5). Like the addresses, these are build-specific constants.
#define PspCreateProcessOffset 0x1a9
#define MmCreatePebOffset1 0xd6
#define MmCreatePebOffset2 0x24f
#define DbgkCreateThreadOffset 0x125
#define KiDispatchExceptionOffset 0x187
#define DbgkForwardExceptionOffset 0x3e
#define DbgkpQueueMessageOffset 0x7b
#define PspExitThreadOffset 0x266
#define DbgkExitThreadOffset 0x20
#define DbgkExitProcessOffset 0x20
#define DbgkMapViewOfSectionOffset 0x3f
#define DbgkUnMapViewOfSectionOffset 0x2f
#define DbgkpSetProcessDebugObjectOffset1 0x56
#define DbgkpSetProcessDebugObjectOffset2 0x64
#define DbgkpSetProcessDebugObjectOffset3 0x7e
#define DbgkpSetProcessDebugObjectOffset4 0xc8
#define DbgkpSetProcessDebugObjectOffset5 0x10a
#define DbgkpMarkProcessPebOffset 0x42
// The 4 bytes that Hook_TesSafe_DebugPort() writes over every reference; per the post this
// replaces the field displacement 0xBC (DebugPort) with 0x78 (ExitTime).
// A mutable global; the visible code only reads it.
UCHAR ChangeComand[4] = {0x78, 0x00, 0x00, 0x00};
//去除写保护
// Disables interrupts and clears CR0 bit 16 (0x10000) — write protection, per the author's
// comment — so the caller can write to kernel code pages.
// NOTE(review): CR0 and the interrupt flag are per-processor state, so this affects only the
// CPU the caller is running on, and interrupts stay off until MemClose() is reached.
// MSVC inline assembly; the statement order is the contract.
VOID MemOpen()
{
__asm {
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}
//恢复写保护
// Counterpart of MemOpen(): sets CR0 bit 16 (0x10000) again and then re-enables interrupts.
// Must be paired with MemOpen() on the same processor; there is no nesting count, so a second
// MemOpen() without an intervening MemClose() is not tracked.
// MSVC inline assembly; the statement order is the contract.
VOID MemClose()
{
__asm {
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
// Overwrites the DebugPort reference in each listed kernel function: every RtlCopyMemory writes
// the 4 bytes of ChangeComand at (function address + offset + 2), i.e. 18 in-place patches of
// kernel code. No return value; success is only reported via DbgPrint.
// NOTE(review): the whole body, including the DbgPrint call, runs between MemOpen() and
// MemClose(), i.e. with interrupts disabled on this CPU and write protection off. Nothing checks
// that the target bytes hold the expected instruction before they are replaced, and the
// addresses/offsets are build-specific (see the #defines above).
// Detection note: these are in-memory modifications of kernel code pages; a kernel-integrity
// check that compares loaded code against the on-disk image would observe them.
VOID Hook_TesSafe_DebugPort()
{
MemOpen();
// Redirect each DebugPort reference to ExitTime (displacement 0xBC -> 0x78).
RtlCopyMemory((PUCHAR)(PspCreateProcessAddr + PspCreateProcessOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(MmCreatePebAddr + MmCreatePebOffset1 + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(MmCreatePebAddr + MmCreatePebOffset2 + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkCreateThreadAddr + DbgkCreateThreadOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(KiDispatchExceptionAddr + KiDispatchExceptionOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkForwardExceptionAddr + DbgkForwardExceptionOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkpQueueMessageAddr + DbgkpQueueMessageOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(PspExitThreadAddr + PspExitThreadOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkExitThreadAddr + DbgkExitThreadOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkExitProcessAddr + DbgkExitProcessOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkMapViewOfSectionAddr + DbgkMapViewOfSectionOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkUnMapViewOfSectionAddr + DbgkUnMapViewOfSectionOffset + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkpSetProcessDebugObjectAddr + DbgkpSetProcessDebugObjectOffset1 + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkpSetProcessDebugObjectAddr + DbgkpSetProcessDebugObjectOffset2 + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkpSetProcessDebugObjectAddr + DbgkpSetProcessDebugObjectOffset3 + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkpSetProcessDebugObjectAddr + DbgkpSetProcessDebugObjectOffset4 + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkpSetProcessDebugObjectAddr + DbgkpSetProcessDebugObjectOffset5 + 2), ChangeComand, 4);
RtlCopyMemory((PUCHAR)(DbgkpMarkProcessPebAddr + DbgkpMarkProcessPebOffset + 2), ChangeComand, 4);
// Still inside the MemOpen()/MemClose() window: interrupts are disabled at this point.
DbgPrint("[TesSafe_DebugPort]Hook_TesSafe_DebugPort() Success!!!!!");
MemClose();
}
这样 HOOK 了与 DebugPort 相关的函数,将偏移 0xBC 改为 0x78 之后,用 OD 附加就蓝屏了,请教各位蓝屏可能是由什么引起的?
不胜感激!!