[Help] Debugging TMD: hooked NtSetInformationThread and it still doesn't work, looking for advice
Posted: 2012-4-30 22:18 7823

After SOD is attached, the program exits as soon as it runs. Someone told me earlier that I need to hook service number 17 of NtSetInformationThread in a driver.
But after hooking it, it still exits the same way.

How can the new version of TMD be debugged?

Latest replies (7)
#2
1. BeingDebugged flag
2. ZwClose()
3. ZwQueryInformationProcess()
4. ZwSetInformationThread()
5. FindWindowA()

Just these five. Handle them and you can debug it. All in r3, no r0 needed.
2012-4-30 23:11
#3
Could you go into more detail? I don't understand it either.
2012-4-30 23:39
#4
Lua code; just look at the idea.

module("Anti",package.seeall)
-- ffi is LuaJIT's FFI; od and win are the bindings exported by the host OllyDbg plugin
local ffi = require("ffi")
_LOAD_DLL_DEBUG_EVENT  = 0
_EXCEPTION_DEBUG_EVENT = 0

-- Handle the PEB BeingDebugged flag (the byte at PEB+2)
-- debugevent points at a DEBUG_EVENT: [0] = event code, [1] = process id
function BeginDebugger(debugevent)
	if _EXCEPTION_DEBUG_EVENT > 0 then return end
	-- 1st LOAD_DLL_DEBUG_EVENT:  clear PEB BeingDebugged
	-- 2nd LOAD_DLL_DEBUG_EVENT:  set PEB BeingDebugged
	-- 1st EXCEPTION_DEBUG_EVENT: clear PEB BeingDebugged
	local event = ffi.cast("int *",debugevent)
	if event[0] == win.LOAD_DLL_DEBUG_EVENT then
		if _LOAD_DLL_DEBUG_EVENT == 0 then
			local PEB = win.GetPEB(event[1])
			local hProcess = od._process()
			win.WriteMemory(hProcess,PEB + 2,"\x00")
			-- od.Addtolist(string.format("Anti LOAD_DLL_DEBUG_EVENT 1"))
		elseif _LOAD_DLL_DEBUG_EVENT == 1 then
			local PEB = win.GetPEB(event[1])
			local hProcess = od._process()
			win.WriteMemory(hProcess,PEB + 2,"\x01")
			-- od.Addtolist(string.format("Anti LOAD_DLL_DEBUG_EVENT 2"))
		end
		_LOAD_DLL_DEBUG_EVENT = _LOAD_DLL_DEBUG_EVENT + 1
	end
	if _EXCEPTION_DEBUG_EVENT == 0 and event[0] == win.EXCEPTION_DEBUG_EVENT then
		local PEB = win.GetPEB(event[1])
		local hProcess = od._process()
		win.WriteMemory(hProcess,PEB + 2,"\x00")
		od.Addtolist("Anti BeingDebugged Ok!",0,1)
		_EXCEPTION_DEBUG_EVENT = 1
	end
end

-- Clear the counters when OD restarts the debuggee
function PluginReset()
	_LOAD_DLL_DEBUG_EVENT  = 0
	_EXCEPTION_DEBUG_EVENT = 0
end


-- While being debugged, calling CloseHandle() with an invalid handle raises an exception.
-- Hook ZwClose and wrap the real call in an SEH frame that swallows the exception.
function ZwClose()
	local a = 0
	local s = 0
	local ip = od.getAddress("ntdll.ZwClose")
	local disasm
	local ocode = ""
	local mem = win.remoteVirtualAlloc(0x1000)

	-- copy the first 2 instructions of the original stub (room for the 6-byte push/ret)
	while a < 2 do
		disasm = od.Disasm(ip + s)
		a = a + 1
		s = s + disasm.size
		ocode = ocode .. od.astring(disasm.result) .. "\n"
	end

	-- jmp to the stub (OD's assembler reads numbers as hex; the leading 0 keeps A-F parseable)
	local FakeCode = string.format("push 0%08X\n ret\n",mem)
	local bin,_txt = od.assemble(FakeCode,ip)
	od.Writememory(ip,bin)

	-- the first 2 original instructions plus a jmp back to the rest of ZwClose
	ocode = ocode .. string.format("jmp 0x%08X\n",ip + s)

	-- call under SEH; the handler (the return address of "call seh") does nothing
	-- and returns ExceptionContinueExecution, so the caller just keeps running
	local sehfunc =
	[[
		call seh
		xor eax,eax
		retn 10
	seh:
		push DWORD fs:[0]
		mov  DWORD fs:[0],esp
		push DWORD [esp + c]
		call stub
		pop DWORD fs:[0]
		add esp ,4
		retn 4
	]]
	local PatchCode = sehfunc .. "stub:\n" .. ocode .. "\n"
	bin,_txt = od.assemble(PatchCode,mem)
	od.Writememory(mem,bin)
	od.Addtolist("Anti ZwClose Ok!",0,1)
end

-- ProcessInformationClass values that are faked:
-- 0x07 ProcessDebugPort         -> port 0, STATUS_SUCCESS
-- 0x1e ProcessDebugObjectHandle -> handle 0, STATUS_PORT_NOT_SET (0xC0000353)
-- 0x1f ProcessDebugFlags        -> flags 1 (NoDebugInherit), STATUS_SUCCESS
function ZwQueryInformationProcess()
	local a = 0
	local s = 0
	local ip = od.getAddress("ntdll.ZwQueryInformationProcess")
	local disasm
	local ocode = ""
	local mem = win.remoteVirtualAlloc(0x1000)

	while a < 2 do
		disasm = od.Disasm(ip + s)
		a = a + 1
		s = s + disasm.size
		ocode = ocode .. od.astring(disasm.result) .. "\n"
	end

	-- jump to the patch
	local ord = string.format("push 0%08X\n ret\n",mem)
	local bin,_txt = od.assemble(ord,ip)
	od.Writememory(ip,bin)

	-- at the patch entry: [esp+8] = ProcessInformationClass, [esp+0c] = ProcessInformation;
	-- all other classes fall through to the relocated original instructions
	local PatchCode =
	[[
		cmp DWORD [esp + 8],07
		je dbgport
		cmp DWORD [esp + 8],01f
		je dbgflags
		cmp DWORD [esp + 8],01e
		je dbgobject
		push 0%08X
		ret

	dbgport:
		mov eax ,[esp + 0c]
		push 0
		pop DWORD [eax]
		xor eax,eax
		retn 14

	dbgflags:
		mov eax ,[esp + 0c]
		push 1
		pop DWORD [eax]
		xor eax,eax
		retn 14

	dbgobject:
		mov eax ,[esp + 0c]
		push 0
		pop DWORD [eax]
		mov eax,0C0000353
		retn 14
	]]
	PatchCode = PatchCode:format(ip + s)
	local code = ocode .. "\n" .. PatchCode
	bin,_txt = od.assemble(code,mem)
	od.Writememory(mem,bin)
	od.Addtolist("Anti ZwQueryInformationProcess Ok!",0,1)
end

-- Handle ThreadHideFromDebugger (ThreadInformationClass 0x11 = 17)
function ZwSetInformationThread()
	local a = 0
	local s = 0
	local ip = od.getAddress("ntdll.ZwSetInformationThread")
	local disasm
	local ocode = ""
	local mem = win.remoteVirtualAlloc(0x1000)

	while a < 2 do
		disasm = od.Disasm(ip + s)
		a = a + 1
		s = s + disasm.size
		ocode = ocode .. od.astring(disasm.result) .. "\n"
	end

	-- jump to the patch
	local ord = string.format("push 0%08X\n ret\n",mem)
	local bin,_txt = od.assemble(ord,ip)
	od.Writememory(ip,bin)

	-- swallow ThreadHideFromDebugger with STATUS_SUCCESS; everything else goes to the original
	local PatchCode =
	[[
		cmp DWORD [esp + 8],0x11
		je Hide
		push 0%08X
		ret
	Hide:
		xor eax,eax
		retn 10
	]]
	PatchCode = PatchCode:format(ip + s)
	local code = ocode .. "\n" .. PatchCode
	bin,_txt = od.assemble(code,mem)
	od.Writememory(mem,bin)
	od.Addtolist("Anti ZwSetInformationThread Ok!",0,1)
end
2012-4-30 23:50
#5
Heh, yes, nice approach from the poster above.
2012-7-20 02:35
#6
Calling assembly from inside Lua, nice.
2012-7-20 07:53
#7
One question: does StrongOD already handle all five of the points mentioned above?
2012-7-21 22:14
#8
Hahaha, yes. As long as you have the StrongOD plugin, start OD first and then the game, and you can debug it.
2012-7-22 00:10