[求助]调试TMD，HOOK了ntsetinfomatiothread还是不行，求指点-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (7)
jasonnbfan 雪币： 949 活跃值： (18) 能力值： ( LV9，RANK：330 ) 在线值：发帖 60 回帖 265 粉丝 2 关注私信	jasonnbfan 8 2 楼 1.BeginDebugger 标志 2.ZwClose() 3.ZwQueryInformationProcess() 4.ZwSetInformationThread() 5.FindWindowsA() 就这5个，搞好就能调,全r3 无需r0 2012-4-30 23:11 0
fkueihcy 雪币： 61 活跃值： (51) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 36 粉丝 0 关注私信	fkueihcy 3 楼能详细点嘛，偶也不懂 2012-4-30 23:39 0
jasonnbfan 雪币： 949 活跃值： (18) 能力值： ( LV9，RANK：330 ) 在线值：发帖 60 回帖 265 粉丝 2 关注私信	jasonnbfan 8 4 楼 lua代码，看思路就行了。 module("Anti",package.seeall) _LOAD_DLL_DEBUG_EVENT = 0 _EXCEPTION_DEBUG_EVENT = 0 --处理BeginDebugger 标志 function BeginDebugger(debugevent) if _EXCEPTION_DEBUG_EVENT > 0 then return end -- LOAD_DLL_DEBUG_EVENT 1 清除PEB BeginDebugger 标志 -- LOAD_DLL_DEBUG_EVENT 2 设置PEB BeginDebugger 标志 -- EXCEPTION_DEBUG_EVENT 1 清除PEB BeginDebugger 标志 local event = ffi.cast("int *",debugevent) if event[0] == win.LOAD_DLL_DEBUG_EVENT then if _LOAD_DLL_DEBUG_EVENT == 0 then local PEB = win.GetPEB(event[1]) local hProcess = od._process() local ret = win.WriteMemory(hProcess,PEB + 2,"\x00") -- od.Addtolist(string.format("Anti LOAD_DLL_DEBUG_EVENT 1")) elseif _LOAD_DLL_DEBUG_EVENT == 1 then local PEB = win.GetPEB(event[1]) local hProcess = od._process() local ret = win.WriteMemory(hProcess,PEB + 2,"\x01") -- od.Addtolist(string.format("Anti LOAD_DLL_DEBUG_EVENT 2")) end _LOAD_DLL_DEBUG_EVENT = _LOAD_DLL_DEBUG_EVENT + 1 end if _EXCEPTION_DEBUG_EVENT == 0 and event[0] == win.EXCEPTION_DEBUG_EVENT then local PEB = win.GetPEB(event[1]) local hProcess = od._process() local ret = win.WriteMemory(hProcess,PEB + 2,"\x00") od.Addtolist("Anti BeginDebugger Ok!",0,1) _EXCEPTION_DEBUG_EVENT = 1 end end --od 重启后清除一些变量 function PluginReset() _LOAD_DLL_DEBUG_EVENT = 0 _EXCEPTION_DEBUG_EVENT = 0 end --调试模式时用无效的句柄调用CloseHandle()会发生异常 --hook ZwClose 添加一个带SEH的调用处理掉异常 function ZwClose() local a = 0 local s = 0 local ip = od.getAddress("ntdll.ZwClose") local disasm local ocode = "" local mem = win.remoteVirtualAlloc(0x1000) while a < 2 do disasm = od.Disasm(ip + s) a = a + 1 s = s + disasm.size ocode = ocode .. od.astring(disasm.result) .. "\n" end --jmp到stub local FakeCode = string.format("push 0%08X\n ret\n",mem) local bin,_txt = od.assemble(FakeCode,ip) od.Writememory(ip,bin) --前2条指和jmp ocode = ocode .. string.format("jmp 0x%08X\n",ip + s) --带seh的调用，seh中不处理继续运行 local sehfunc = [[ call seh xor eax,eax retn 10 seh: push DWORD fs:[0] mov DWORD fs:[0],esp push DWORD [esp + c] call stub pop DWORD fs:[0] add esp ,4 retn 4 ]] local PatchCode = sehfunc .. "stub:\n" .. ocode .. "\n" bin,_txt = od.assemble(PatchCode,mem) od.Writememory(mem,bin) od.Addtolist("Anti ZwClose Ok!",0,1) end --ProcessInfoClass -- 0x7 debug 端口 -- 0x1e dbgflag -- 0x1f dbgobject function ZwQueryInformationProcess() local a = 0 local s = 0 local ip = od.getAddress("ntdll.ZwQueryInformationProcess") local disasm local ocode = "" local mem = win.remoteVirtualAlloc(0x1000) while a < 2 do disasm = od.Disasm(ip + s) a = a + 1 s = s + disasm.size ocode = ocode .. od.astring(disasm.result) .. "\n" end --到patch local ord = string.format("push 0%08X\n ret\n",mem) local bin,_txt = od.assemble(ord,ip) od.Writememory(ip,bin) local PatchCode = [[ cmp DWORD [esp + 8],07 je dbgport cmp DWORD [esp + 8],01f je dbgobject cmp DWORD [esp + 8],01e je dbgflag push 0%08X ret dbgport: mov eax ,[esp + 0c] push 0 pop DWORD [eax] xor eax,eax retn 14 dbgobject: mov eax ,[esp + 0c] push 1 pop DWORD [eax] xor eax,eax retn 14 dbgflag: mov eax ,[esp + 0c] push 0 pop DWORD [eax] mov eax,0C0000353 retn 14 ]] PatchCode = PatchCode:format(ip + s) code = ocode .. "\n" .. PatchCode bin,_txt = od.assemble(code,mem) od.Writememory(mem,bin) od.Addtolist("Anti ZwQueryInformationProcess Ok!",0,1) end --处理ThreadHideFromDebugger function ZwSetInformationThread() local a = 0 local s = 0 local ip = od.getAddress("ntdll.ZwSetInformationThread") local disasm local ocode = "" local mem = win.remoteVirtualAlloc(0x1000) while a < 2 do disasm = od.Disasm(ip + s) a = a + 1 s = s + disasm.size ocode = ocode .. od.astring(disasm.result) .. "\n" end --到patch local ord = string.format("push 0%08X\n ret\n",mem) local bin,_txt = od.assemble(ord,ip) od.Writememory(ip,bin) local PatchCode = [[ cmp DWORD [esp + 8],0x11 je Hide push 0%08X ret Hide: xor eax,eax retn 10 ]] PatchCode = PatchCode:format(ip + s) code = ocode .. "\n" .. PatchCode bin,_txt = od.assemble(code,mem) od.Writememory(mem,bin) od.Addtolist("Anti ZwSetInformationThread Ok!",0,1) end 2012-4-30 23:50 0
广海混沌雪币： 220 活跃值： (15) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 272 粉丝 1 关注私信	广海混沌 5 楼呵呵嗯思路不错楼上的 2012-7-20 02:35 0
AioliaSky 雪币： 257 活跃值： (67) 能力值： ( LV4，RANK：50 ) 在线值：发帖 11 回帖 668 粉丝 0 关注私信	AioliaSky 1 6 楼 lua里面调用汇编，不错 2012-7-20 07:53 0
humorz 雪币： 255 活跃值： (12) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 13 粉丝 0 关注私信	humorz 7 楼问一下，楼上提到的这5点，是不是strongod都已经做了？ 2012-7-21 22:14 0
南山小松雪币： 114 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 56 粉丝 0 关注私信	南山小松 8 楼哈哈哈,是的,只要有strongod插件,先开OD再开游戏就能调试了. 2012-7-22 00:10 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

jasonnbfan

雪币： 949

活跃值： (18)

能力值：

( LV9，RANK：330 )

在线值：

发帖

60

回帖

265

粉丝

2

关注

私信

jasonnbfan 8: 2 楼

1.BeginDebugger 标志
2.ZwClose()
3.ZwQueryInformationProcess()
4.ZwSetInformationThread()
5.FindWindowsA()

就这5个，搞好就能调,全r3 无需r0

2012-4-30 23:11

0

fkueihcy

雪币： 61

活跃值： (51)

能力值：

( LV2，RANK：10 )

在线值：

发帖

1

回帖

36

粉丝

0

关注

私信

fkueihcy: 3 楼

能详细点嘛，偶也不懂

2012-4-30 23:39

0

jasonnbfan

雪币： 949

活跃值： (18)

能力值：

( LV9，RANK：330 )

在线值：

发帖

60

回帖

265

粉丝

2

关注

私信

jasonnbfan 8: 4 楼

lua代码，看思路就行了。

module("Anti",package.seeall)
_LOAD_DLL_DEBUG_EVENT  = 0
_EXCEPTION_DEBUG_EVENT = 0

--处理BeginDebugger 标志
function BeginDebugger(debugevent)
	if _EXCEPTION_DEBUG_EVENT > 0 then return end
	-- LOAD_DLL_DEBUG_EVENT 1  清除PEB BeginDebugger 标志
	-- LOAD_DLL_DEBUG_EVENT 2  设置PEB BeginDebugger 标志
	-- EXCEPTION_DEBUG_EVENT 1 清除PEB BeginDebugger 标志
	local event = ffi.cast("int *",debugevent)
	if event[0] == win.LOAD_DLL_DEBUG_EVENT then
		if _LOAD_DLL_DEBUG_EVENT == 0 then
			local PEB = win.GetPEB(event[1])
			local hProcess = od._process()
			local ret = win.WriteMemory(hProcess,PEB + 2,"\x00")
			-- od.Addtolist(string.format("Anti LOAD_DLL_DEBUG_EVENT 1"))
		elseif _LOAD_DLL_DEBUG_EVENT == 1 then
			local PEB = win.GetPEB(event[1])
			local hProcess = od._process()
			local ret = win.WriteMemory(hProcess,PEB + 2,"\x01")
			-- od.Addtolist(string.format("Anti LOAD_DLL_DEBUG_EVENT 2"))		
		end
		_LOAD_DLL_DEBUG_EVENT = _LOAD_DLL_DEBUG_EVENT + 1
	end
	if _EXCEPTION_DEBUG_EVENT == 0 and event[0] == win.EXCEPTION_DEBUG_EVENT then
		local PEB = win.GetPEB(event[1])
		local hProcess = od._process()
		local ret = win.WriteMemory(hProcess,PEB + 2,"\x00")
		od.Addtolist("Anti BeginDebugger Ok!",0,1)		
		_EXCEPTION_DEBUG_EVENT = 1
	end	
end

--od 重启后清除一些变量
function PluginReset()
	_LOAD_DLL_DEBUG_EVENT  = 0
	_EXCEPTION_DEBUG_EVENT = 0
end


--调试模式时用无效的句柄调用CloseHandle()会发生异常
--hook ZwClose 添加一个带SEH的调用处理掉异常
function ZwClose()
	local a = 0
	local s = 0
	local ip = od.getAddress("ntdll.ZwClose")
	local disasm
	local ocode = ""
	local mem = win.remoteVirtualAlloc(0x1000)

	while a < 2 do
		disasm = od.Disasm(ip + s)
		a = a + 1
		s = s + disasm.size
		ocode = ocode .. od.astring(disasm.result) .. "\n"	
	end

	--jmp到stub
	local FakeCode = string.format("push 0%08X\n ret\n",mem)
	local bin,_txt = od.assemble(FakeCode,ip)
	od.Writememory(ip,bin)

	--前2条指 和jmp
	ocode = ocode .. string.format("jmp 0x%08X\n",ip + s)

	--带seh的调用，seh中不处理继续运行
	local sehfunc = 
	[[
		call seh
		xor eax,eax
		retn 10
	seh:
		push DWORD fs:[0]
		mov  DWORD fs:[0],esp
		push DWORD [esp + c]
		call stub	
		pop DWORD fs:[0]
		add esp ,4
		retn 4	
	]]
	local PatchCode = sehfunc .. "stub:\n" .. ocode .. "\n"
	bin,_txt = od.assemble(PatchCode,mem)
	od.Writememory(mem,bin)
	od.Addtolist("Anti ZwClose Ok!",0,1)		
end

--ProcessInfoClass 
-- 0x7  debug 端口
-- 0x1e dbgflag
-- 0x1f dbgobject
function ZwQueryInformationProcess()
	local a = 0
	local s = 0
	local ip = od.getAddress("ntdll.ZwQueryInformationProcess")
	local disasm
	local ocode = ""
	local mem = win.remoteVirtualAlloc(0x1000)

	while a < 2 do
		disasm = od.Disasm(ip + s)
		a = a + 1
		s = s + disasm.size
		ocode = ocode .. od.astring(disasm.result) .. "\n"	
	end

	--到patch
	local ord = string.format("push 0%08X\n ret\n",mem)
	local bin,_txt = od.assemble(ord,ip)
	od.Writememory(ip,bin)

	local PatchCode = 
	[[
		cmp DWORD [esp + 8],07
		je dbgport
		cmp DWORD [esp + 8],01f
		je dbgobject
		cmp DWORD [esp + 8],01e
		je dbgflag
		push 0%08X
		ret
		
	dbgport:
		mov eax ,[esp + 0c]
		push 0
		pop DWORD [eax]
		xor eax,eax
		retn 14
		
	dbgobject:
		mov eax ,[esp + 0c]
		push 1
		pop DWORD [eax]
		xor eax,eax
		retn 14
		
	dbgflag:
		mov eax ,[esp + 0c]
		push 0
		pop DWORD [eax]
		mov eax,0C0000353
		retn 14		
	]]
	PatchCode = PatchCode:format(ip + s)
	code = ocode .. "\n" .. PatchCode
	bin,_txt = od.assemble(code,mem)
	od.Writememory(mem,bin)
	od.Addtolist("Anti ZwQueryInformationProcess Ok!",0,1)	
end

--处理ThreadHideFromDebugger
function ZwSetInformationThread()
	local a = 0
	local s = 0
	local ip = od.getAddress("ntdll.ZwSetInformationThread")
	local disasm
	local ocode = ""
	local mem = win.remoteVirtualAlloc(0x1000)

	while a < 2 do
		disasm = od.Disasm(ip + s)
		a = a + 1
		s = s + disasm.size
		ocode = ocode .. od.astring(disasm.result) .. "\n"	
	end

	--到patch
	local ord = string.format("push 0%08X\n ret\n",mem)
	local bin,_txt = od.assemble(ord,ip)
	od.Writememory(ip,bin)

	local PatchCode = 
	[[
		cmp DWORD [esp + 8],0x11
		je Hide		
		push 0%08X
		ret
	Hide:
		xor eax,eax
		retn 10
	]]
	PatchCode = PatchCode:format(ip + s)
	code = ocode .. "\n" .. PatchCode
	bin,_txt = od.assemble(code,mem)
	od.Writememory(mem,bin)
	od.Addtolist("Anti ZwSetInformationThread Ok!",0,1)	
end

2012-4-30 23:50

0