HProteect.sys驱动一直调用KdDisableDebugger函数（注意：该函数禁用的是整个内核调试器连接，而不仅仅是断点）
于是在KdDisableDebugger头部补了一个ret，让它直接返回
单步跟到这里，从下面的代码形态（call 到自身中间、xchg 换栈顶、再 jmp 到统一入口）看，基本可以判断是虚拟机（VM）保护
b277e696 50 push eax //eax=80556a41
b277e697 e803000000 call HPLoader+0x2b69f (b277e69f)
b277e69c 0f1f80588d400f nop dword ptr [eax+0F408D58h]
b277e6a3 870424 xchg eax,dword ptr [esp]
b277e6a6 e90be4ffff jmp HPLoader+0x29ab6 (b277cab6)
b277e6ab 2d042d0f2d sub eax,2D0F2D04h
b277e6b0 1f pop ds
b277e6b1 2d072d0d2d sub eax,2D0D2D07h
b277e6b6 182d1a2d1d2d sbb byte ptr ds:[2D1D2D1Ah],ch
b277e6bc 0c2d or al,2Dh
b277e6be 014b04 add dword ptr [ebx+4],ecx
b277e6c1 012401 add dword ptr [ecx+eax],esp
b277e6c4 0d6129ffff or eax,0FFFF2961h
b277e6c9 ff16 call dword ptr [esi]
b277e6cb 4e dec esi
b277e6cc 16 push ss
b277e6cd 61 popad
b277e6ce cf iretd
b277e6cf 800100 add byte ptr [ecx],0
b277e6d2 1e push ds
b277e6d3 4b dec ebx
b277e6d4 0112 add dword ptr [edx],edx
b277e6d6 2412 and al,12h
b277e6d8 1e push ds
b277e6d9 091e or dword ptr [esi],ebx
b277e6db 196a1b sbb dword ptr [edx+1Bh],ebp
dd 80556a41 //b277e696 50 push eax
80556a41 01000001 00000000 01000000 03000000
80556a51 00000000 00000000 00000000 02000000
80556a61 0f000000 02000000 ff00006b c0a0017f
看下CALL的地址b277e69f——注意它落在上面那条 nop（b277e69c，7字节）的字节中间，属于指令重叠的反反汇编手法；上面的第一份反汇编从b277e69c开始是错位的，真正执行的序列是下面这份：
b277e69f 58 pop eax
b277e6a0 8d400f lea eax,[eax+0Fh]
b277e6a3 870424 xchg eax,dword ptr [esp]
b277e6a6 e90be4ffff jmp HPLoader+0x29ab6 (b277cab6)
b277e6ab 2d042d0f2d sub eax,2D0F2D04h
b277e6b0 1f pop ds
b277e6b1 2d072d0d2d sub eax,2D0D2D07h
b277e6b6 182d1a2d1d2d sbb byte ptr ds:[2D1D2D1Ah],ch
b277e6bc 0c2d or al,2Dh
b277e6be 014b04 add dword ptr [ebx+4],ecx
b277e6c1 012401 add dword ptr [ecx+eax],esp
b277e6c4 0d6129ffff or eax,0FFFF2961h
b277e6c9 ff16 call dword ptr [esi]
b277e6cb 4e dec esi
b277e6cc 16 push ss
b277e6cd 61 popad
b277e6ce cf iretd
b277e6cf 800100 add byte ptr [ecx],0
b277e6d2 1e push ds
b277e6d3 4b dec ebx
b277e6d4 0112 add dword ptr [edx],edx
b277e6d6 2412 and al,12h
b277e6d8 1e push ds
两份反汇编最终都到同一个jmp b277cab6。把这段串起来看：push eax（原 eax=80556a41）→ call 压入返回地址 b277e69c → pop eax 取回该地址 → lea eax,[eax+0Fh] 得到 b277e6ab → xchg eax,[esp] 把 b277e6ab 放到栈顶、同时把原 eax 值换回寄存器 → jmp b277cab6。也就是说它把 b277e6ab 当作一个指针压栈，然后跳到统一的分发入口 b277cab6。因此 b277e6ab 往后那些"sub eax,2D0F2D04h / pop ds / sbb byte ptr ds:[...]"之类的指令并不是代码，而是分发器要读取的数据（很可能是 VM 字节码或 handler 表，具体含义本帖尚未验证），反汇编出来是乱码是正常的。
单步跟起来像死循环，更可能是 VM 的取指—分发—执行循环在反复跑，而不是真正的死循环；应该在 b277cab6 下断并观察它如何消费栈顶那个指针，而不是顺着乱码指令单步。
至于它调用 KdDisableDebugger：目前的做法是在函数头部补 ret。需要留意的一点（本帖看不出来，需要验证）是驱动是否会校验 KdDisableDebugger 的代码字节或检查 KdDebuggerEnabled 的状态——如果有，头部补丁会被发现；如果没有，这个补丁本身就够用，问题在于 VM 内部还有没有别的反调试逻辑，建议先把 b277cab6 处的分发器搞清楚。
求指点