-
-
[原创]反StrongOD原理和实例(二)
-
发表于:
2012-2-5 11:24
13321
-
反StrongOD原理和实例(二)
上次说了一个反StrongOD原理和实例,是关于ntdll.NtQueryObject的,这次来说说用ntdll.NtSetInformationThread过StrongOD,我通过实践发现,当传递一个错误的句柄给ntdll.NtSetInformationThread函数,在StrongOD里返回值为
0,而在正常的OD里返回值为错误号C0000008,根据这个原理我写了一个程序,这个程序用到了二次ntdll.NtSetInformationThread,一次是正常的NtSetInformationThread反调试,是用来对付正常的OD的,另外一个
NtSetInformationThread反调试是用来对付StrongOD的。
以下程序在WINDOWS2003、XP和7.0测试通过。
00401000 ThreadHi.<ModuleE>/$ FF15 04204000 call dword ptr ds:[<&kernel32.GetCurrentThread>] ; kernel32.GetCurrentThread,正常的NtSetInformationThread开始
00401006 |. 6A 00 push 0
00401008 |. 6A 00 push 0
0040100A |. 6A 11 push 11
0040100C |. 50 push eax ; 正确的句柄
0040100D |. FF15 0C204000 call dword ptr ds:[<&ntdll.NtSetInformationThread>] ; ntdll.NtSetInformationThread
00401013 |. B8 EDAC8700 mov eax,87ACED ;
00401018 |. 6A 00 push 0
0040101A |. 6A 00 push 0
0040101C |. 6A 11 push 11
0040101E |. 50 push eax ; 错误的句柄
0040101F |. FF15 0C204000 call dword ptr ds:[<&ntdll.NtSetInformationThread>] ; ntdll.NtSetInformationThread
00401025 |. 83F8 00 cmp eax,0
00401028 |. 74 16 je short ThreadHi.00401040
0040102A |. 6A 00 push 0 ; Style = MB_OK|MB_APPLMODAL
0040102C |. 68 40214000 push ThreadHi.00402140 ; Title = "结果"
00401031 |. 68 54214000 push ThreadHi.00402154 ; Text = "无调试器"
00401036 |. 6A 00 push 0 ; hOwner = NULL
00401038 |. FF15 14204000 call dword ptr ds:[<&user32.MessageBoxA>] ; MessageBoxA
0040103E |. EB 14 jmp short ThreadHi.00401054
00401040 |> 6A 00 push 0 ; Style = MB_OK|MB_APPLMODAL
00401042 |. 68 40214000 push ThreadHi.00402140 ; Title = "结果"
00401047 |. 68 48214000 push ThreadHi.00402148 ; Text = "有调试器"
0040104C |. 6A 00 push 0 ; hOwner = NULL
0040104E |. FF15 14204000 call dword ptr ds:[<&user32.MessageBoxA>] ; MessageBoxA
00401054 |> 6A 00 push 0 ; ExitCode = 0
00401056 \. FF15 00204000 call dword ptr ds:[<&kernel32.ExitProcess>] ; ExitProcess
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!