[原创]VEH-硬件断点+dll劫持内存补丁
发表于:
2013-6-26 08:28
学习加密三内存补丁一节时做的。高手莫要见笑。下面是用加密三中的CrackMeNet.exe做的示范。
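// Arm a DR0 execute breakpoint on the calling thread and route it to VectoredHandler.
//
// The breakpoint address 0x00401489 is the instruction right after the call to
// WS2_32!connect in CrackMeNet.exe (see the disassembly below). Debug registers are
// per-thread state, so this has to run on the thread that will execute that
// instruction; here it is invoked from the hijacked connect() export itself.
//
// Reports the result with a MessageBox. Compared with the first version: the VEH
// handler is registered once per process instead of on every call, the results of
// GetThreadContext/SetThreadContext are checked instead of trusting the values
// written into the local CONTEXT, DR3 is part of the "slot free" test so a foreign
// breakpoint is not silently clobbered, and DR7 enables only L0 (0x401) instead of
// also enabling the unused slot 1 (0x405).
void SetHwBreakpoint()
{
    // Breakpoint target; keep in sync with the address tested in VectoredHandler.
    const DWORD bpAddr = 0x00401489;
    // DR7: bit 10 is reserved-as-1, bit 0 (L0) enables DR0; RW0/LEN0 stay 0 = execute, 1 byte.
    const DWORD dr7Local0Exec = 0x401;

    // Register the handler only once; 1 = insert at the head of the VEH chain.
    // A NULL result (registration failed) is retried on the next call.
    static PVOID vehHandle = NULL;
    if (NULL == vehHandle)
    {
        vehHandle = AddVectoredExceptionHandler(1, VectoredHandler);
    }

    BOOL armed = FALSE;
    CONTEXT ctx = {CONTEXT_DEBUG_REGISTERS};   // fetch/store the debug registers only
    HANDLE hThread = GetCurrentThread();       // pseudo-handle, no CloseHandle needed
    // NOTE(review): MSDN warns that Get/SetThreadContext on a running thread is not
    // guaranteed; this sample relies on the debug-register subset working for the
    // calling thread — confirm on the target OS version.
    if (GetThreadContext(hThread, &ctx))
    {
        if (bpAddr == ctx.Dr0 && (ctx.Dr7 & 1))
        {
            armed = TRUE;   // already armed on this thread (e.g. a second connect() call)
        }
        else if (0 == ctx.Dr0 && 0 == ctx.Dr1 && 0 == ctx.Dr2 && 0 == ctx.Dr3)
        {
            ctx.Dr0 = bpAddr;
            ctx.Dr1 = 0;
            ctx.Dr2 = 0;
            ctx.Dr3 = 0;
            ctx.Dr7 = dr7Local0Exec;
            armed = SetThreadContext(hThread, &ctx);
        }
        // else: another hardware breakpoint is in use on this thread; leave it alone.
    }

    // Narrow literals, so bind explicitly to the ANSI entry point regardless of UNICODE.
    if (armed)
    {
        MessageBoxA(NULL, "设置硬件断点成功..", "(^_^)", MB_OK);
    }
    else
    {
        MessageBoxA(NULL, "设置失败,", "提示", MB_OK);
    }
}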
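// VEH callback: when the DR0 execute breakpoint at 0x00401489 fires, redirect the
// thread to 0x00401721 (the "Registration successful" path, see the disassembly
// below) instead of letting the result of connect() be checked.
//
// A hardware (DRx) breakpoint is delivered as EXCEPTION_SINGLE_STEP, so both the
// code and the faulting address are checked; every other exception is passed on
// with EXCEPTION_CONTINUE_SEARCH. Because EIP is moved off the breakpoint address
// before resuming, the breakpoint does not re-fire on the same instruction.
// This is 32-bit x86 code: CONTEXT exposes Eip (Rip on x64).
LONG WINAPI VectoredHandler(
PEXCEPTION_POINTERS ExceptionInfo
)
{
    PEXCEPTION_RECORD rec = ExceptionInfo->ExceptionRecord;
    // Only claim the #DB exception raised by our own breakpoint address.
    if (EXCEPTION_SINGLE_STEP != rec->ExceptionCode ||
        (PVOID)0x00401489 != rec->ExceptionAddress)
    {
        return EXCEPTION_CONTINUE_SEARCH;
    }

    // NOTE(review): a modal MessageBox inside an exception handler is fine for a
    // demo, but it blocks the faulting thread mid-instruction; drop it outside demos.
    MessageBoxA(NULL, "成功触发异常", "(^_^)", MB_ICONINFORMATION);
    // Resume at the address of the code we want executed instead.
    ExceptionInfo->ContextRecord->Eip = 0x00401721;
    return EXCEPTION_CONTINUE_EXECUTION;
}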
// Hijacked export replacing ws2_32!connect: arm the breakpoint on the calling
// thread, then fall through to the real connect. ALCDECL and GetAddress come from
// the proxy-DLL generator and are not shown here; presumably ALCDECL declares a
// naked __cdecl function and GetAddress leaves the real export's address in EAX —
// confirm against the generated source.
ALCDECL MemCode_connect(void)
{
// Runs on every connect() call, so this is what puts DR0 on whichever thread
// calls connect; check that SetHwBreakpoint registers its VEH handler only once.
SetHwBreakpoint();//call the hardware-breakpoint setup
// Resolve the original connect (result expected in EAX) and tail-jump to it,
// leaving the caller's arguments and return address on the stack untouched.
GetAddress("connect");
__asm JMP EAX;
}
00401474 |. 6A 10 push 10 ; /AddrLen = 10 (16.)
00401476 |. 8D85 B0FDFFFF lea eax,[local.148] ; |
0040147C |. 50 push eax ; |pSockAddr
0040147D |. 8B8D 00FEFFFF mov ecx,[local.128] ; |
00401483 |. 51 push ecx ; |Socket
00401484 |. E8 43050000 call <jmp.&WS2_32.#4> ; \connect
00401489 |. 8985 04FEFFFF mov [local.127],eax ; --设置异常地址
0040148F |. 83BD 04FEFFFF>cmp [local.127],-1
00401721 |. 8BF4 mov esi,esp ; ---异常发生后直接跳到这里执行.
00401723 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401725 |. 68 887A4100 push CrackMeN.00417A88 ; |Title = "Crackne net-2"
0040172A |. 68 987A4100 push CrackMeN.00417A98 ; |Text = "Registration successful !"
0040172F |. 8B15 90B14100 mov edx,dword ptr ds:[41B190] ; |
00401735 |. 52 push edx ; |hOwner => 001D016C ('Pediy - Crackme (net) 20061204',class='myWindowClass')
00401736 |. FF15 D0D34100 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
bin.rar
vs2008_src.rar