双机调试很叼,但是我还是能调试了
虽然是被动下断但也是可以的
在windbg 输入
bp kddisabledebugger+7
bp kddisabledebuggerwithlock // 以防万一
虽然能双机调试,但是我要搞清楚,总得让我下访问断点吧
TP居然硬件断点都不让下,当然仅仅是TesSafe模块内地址
目测是有一个线程监视硬件断点情况
具体是监视dr寄存器还是其他方法不得而知
继续研究 继续撸 撸到深处撸自身
这真的很不乖哦
以下是解决双机调试的代码,如果以后TP加个【调用检测】,那么以下方法就无效了
/***************************************************************************************
* AUTHOR : pudge
* DATE : 2012-9-8
* MODULE : PassKddisabledebugger.C
*
* Command:
* Source of IOCTRL Sample Driver
*
* Description:
* Demonstrates communications between USER and KERNEL.
*
****************************************************************************************
* Copyright (C) 2010 pudge.
****************************************************************************************/
//#######################################################################################
//# I N C L U D E S
//#######################################################################################
#ifndef CXX_PASSKDDISABLEDEBUGGER_H
#include "PassKddisabledebugger.h"
#endif
#include <ntddk.h>
#include "function.h"
#include "myfunc.h"
VOID LoadImageRoutine(
__in_opt PUNICODE_STRING FullImageName,
__in HANDLE ProcessId,
__in PIMAGE_INFO ImageInfo
);
void SearchFeatureEx(int nAddr,char* pFeature,int ModuleSize,int nLeng);
void PassGlobalStaticCrcEx();
DWORD NTAPI MyVectoredExceptionHead(EXCEPTION_POINTERS * ExceptionInfo);
ULONG fuckaddr1;                 // not referenced anywhere in this file's visible code
DWORD pShutdown[10000]={0};      // not referenced anywhere in this file's visible code
// Static, zero-initialised mirror of the TesSafe.sys image. 1282048 == 0x139000,
// the byte count LoadImageRoutine copies and re-protects. Leading-underscore
// names at file scope are reserved identifiers in C.
BYTE _pMirror[1282048]={0};
DWORD pMirror=(DWORD)_pMirror;   // same buffer as a 32-bit integer address (x86-only: truncates on x64)
DWORD TesSafeBase=0;             // load address of TesSafe.sys; 0 until LoadImageRoutine sees it
BYTE mKdDisableDebugger[5]={0};  // original first 5 bytes of KdDisableDebugger, saved by LoadImageRoutine and written back by DriverUnload
DWORD kdRet=0;                   // resume address for the detour (KdDisableDebugger + 7); 0 until the hook is installed
int n=0;                         // not referenced anywhere in this file's visible code
PDRIVER_OBJECT g_pObj=NULL;      // this driver's DRIVER_OBJECT, set in DriverEntry
//////////////////////////////////////////////////////////////////////////
//#######################################################################################
//@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
//@@@@@@@@ D R I V E R E N T R Y P O I N T @@@@@@@@
//@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
//#######################################################################################
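/*
 * DriverEntry - driver initialisation.
 *
 * Creates the control device and its user-visible symbolic link, wires the
 * create/close/IOCTL dispatch routines and registers LoadImageRoutine as a
 * PsSetLoadImageNotifyRoutine callback.
 *
 * @param pDriverObj      this driver's object (also kept in g_pObj).
 * @param pRegistryString service key path, only echoed to the debug output.
 * @return STATUS_SUCCESS, or the failing NTSTATUS with every resource created
 *         so far torn down again (the original returned success even when the
 *         load-image callback could not be registered, leaving DriverUnload to
 *         undo a registration that never happened).
 *
 * NOTE(review): the device is created with IoCreateDevice and no explicit
 * security descriptor, so the default DACL for FILE_DEVICE_UNKNOWN decides who
 * may open it and send the IOCTLs handled in DispatchDeviceControl — confirm
 * that is intended before shipping.
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDevObj = NULL;

    g_pObj = pDriverObj;
    dprintf("EasySys Sample Driver\r\n"
            "Compiled %s %s\r\nIn DriverEntry : %wZ\r\n",
            __DATE__, __TIME__, pRegistryString);

    /* Only the request types this driver handles are routed; all other major
     * functions keep the I/O manager's default (invalid device request). */
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
    pDriverObj->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&ustrDevName, NT_DEVICE_NAME);
    status = IoCreateDevice(pDriverObj,
                            0,               /* no device extension */
                            &ustrDevName,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            FALSE,           /* not exclusive */
                            &pDevObj);
    if (!NT_SUCCESS(status)) {
        dprintf("Error, IoCreateDevice = 0x%x\r\n", status);
        return status;
    }

    /* Systems that understand per-session symbolic links get the \Global
     * name; DriverUnload must pick the same name when it deletes the link. */
    if (IoIsWdmVersionAvailable(1, 0x10)) {
        RtlInitUnicodeString(&ustrLinkName, SYMBOLIC_LINK_GLOBAL_NAME);
    } else {
        RtlInitUnicodeString(&ustrLinkName, SYMBOLIC_LINK_NAME);
    }

    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if (!NT_SUCCESS(status)) {
        dprintf("Error, IoCreateSymbolicLink = 0x%x\r\n", status);
        IoDeleteDevice(pDevObj);
        return status;
    }

    /* The callback is the only thing that ever arms the rest of this driver,
     * so a failed registration is a failed load, not a silent no-op. */
    status = PsSetLoadImageNotifyRoutine(LoadImageRoutine);
    if (!NT_SUCCESS(status)) {
        dprintf("Error, PsSetLoadImageNotifyRoutine = 0x%x\r\n", status);
        IoDeleteSymbolicLink(&ustrLinkName);
        IoDeleteDevice(pDevObj);
        return status;
    }

    dprintf("DriverEntry Success\r\n");
    DbgPrint("DriverEntry Success\r\n");
    return STATUS_SUCCESS;
}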
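/*
 * DriverUnload - undo everything DriverEntry and LoadImageRoutine set up.
 *
 * Order matters: the load-image callback is removed first so it cannot
 * re-install the detour while we are restoring KdDisableDebugger, then the
 * saved prologue bytes go back, then the device and its link are deleted.
 *
 * @param pDriverObj this driver's object; its single device is deleted.
 *
 * Fixes relative to the original: (1) the prologue is only restored when a
 * hook was actually installed — before that, mKdDisableDebugger is all zeros
 * and copying it back would overwrite live kernel code with zeros; (2) the
 * symbolic link deleted is the one DriverEntry created (global vs. plain
 * name), so the link no longer leaks on newer systems.
 *
 * NOTE(review): PsRemoveLoadImageNotifyRoutine does not wait for a callback
 * that is already executing; a TesSafe load racing the unload is not handled.
 */
VOID
DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING strLink;

    dprintf("Unloading...\r\n");
    DbgPrint("Unloading...\r\n");

    PsRemoveLoadImageNotifyRoutine(LoadImageRoutine);
    DbgPrint("unNotifyRoutine is OK");

    /* kdRet is 0 until LoadImageRoutine saved the original bytes and armed
     * the detour; only then is there anything to put back. */
    if (kdRet != 0) {
        UnInLineHookEngine((int)KdDisableDebugger, (char *)mKdDisableDebugger, 5);
    }

    /* Same selection as DriverEntry, so we delete the link we created. */
    if (IoIsWdmVersionAvailable(1, 0x10)) {
        RtlInitUnicodeString(&strLink, SYMBOLIC_LINK_GLOBAL_NAME);
    } else {
        RtlInitUnicodeString(&strLink, SYMBOLIC_LINK_NAME);
    }
    IoDeleteSymbolicLink(&strLink);

    IoDeleteDevice(pDriverObj->DeviceObject);

    dprintf("Unloaded Success\r\n");
    DbgPrint("Unloaded Success\r\n");
}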
/*
 * IRP_MJ_CREATE handler: every open of the control device succeeds with no
 * bytes transferred. pDevObj is unused.
 */
NTSTATUS
DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    PIO_STATUS_BLOCK ioStatus = &pIrp->IoStatus;

    (void)pDevObj;

    ioStatus->Status = STATUS_SUCCESS;
    ioStatus->Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return ioStatus->Status;
}
/*
 * IRP_MJ_CLOSE handler: the last handle to the device is released; nothing
 * is cleaned up per handle, so the request is completed successfully as-is.
 * pDevObj is unused.
 */
NTSTATUS
DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    (void)pDevObj;

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return result;
}
/*
 * Generic catch-all dispatch routine. Not installed by DriverEntry in this
 * file (the loop that assigned it is commented out there), but kept for
 * callers elsewhere: completes any IRP with success and zero bytes.
 * The priority boost passed to IoCompleteRequest is 0, i.e. no increment.
 */
NTSTATUS
DispatchCommon(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    (void)pDevObj;

    pIrp->IoStatus.Information = 0L;
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, 0);

    return STATUS_SUCCESS;
}
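/*
 * True if buf contains a NUL wide character within its first cbLen bytes,
 * i.e. it is safe to print with %ws without reading past the caller's data.
 */
static BOOLEAN
IoctlWideStringTerminated(const WCHAR *buf, ULONG cbLen)
{
    ULONG cch = cbLen / sizeof(WCHAR);
    ULONG i;

    for (i = 0; i < cch; i++) {
        if (buf[i] == L'\0') {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * IRP_MJ_DEVICE_CONTROL handler for the three sample IOCTLs.
 *
 * The handler reads pIrp->AssociatedIrp.SystemBuffer, so the codes are
 * assumed to use METHOD_BUFFERED: input and output share one system buffer,
 * and IoStatus.Information bytes of it are copied back to user mode on
 * completion.
 *
 * @param pDevObj unused.
 * @param pIrp    the request; always completed here.
 * @return the status also stored in pIrp->IoStatus.Status.
 *
 * Fixes relative to the original:
 *  - IOCTL_HELLO_WORLD's dprintf had its argument inside the format string,
 *    so %d consumed a missing argument.
 *  - IOCTRL_REC_FROM_APP printed the user buffer with %ws without checking
 *    for a terminator inside InputBufferLength (kernel over-read on
 *    unterminated input).
 *  - On success Information was set to OutputBufferLength for every code,
 *    even when nothing had been written; with buffered I/O that hands the
 *    caller whatever the system buffer happened to contain. Information now
 *    reports only the bytes actually produced.
 *  - An output buffer too small for DATA_TO_APP now fails with
 *    STATUS_BUFFER_TOO_SMALL instead of STATUS_INVALID_DEVICE_REQUEST.
 */
NTSTATUS
DispatchDeviceControl(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    PVOID pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG uBytesReturned = 0;   /* bytes this request wrote into pIoBuffer */

    (void)pDevObj;

    switch (uIoControlCode) {
    case IOCTL_HELLO_WORLD:
        dprintf("MY_CTL_CODE(0)=%d\r\n", (int)uIoControlCode);
        status = STATUS_SUCCESS;
        break;

    case IOCTRL_REC_FROM_APP:
        /* Data from the application; only logged. */
        if (uInSize > 0 && pIoBuffer != NULL) {
            if (IoctlWideStringTerminated((const WCHAR *)pIoBuffer, uInSize)) {
                dprintf("Get Data from App: %ws\r\n", pIoBuffer);
            } else {
                dprintf("Get Data from App: <unterminated, %lu bytes>\r\n", uInSize);
            }
        }
        status = STATUS_SUCCESS;
        break;

    case IOCTRL_SEND_TO_APP: {
        /* DATA_TO_APP plus its terminator must fit in the output buffer. */
        size_t cbData = strlen(DATA_TO_APP) + 1;

        if (uOutSize >= cbData) {
            RtlCopyMemory(pIoBuffer, DATA_TO_APP, cbData);
            uBytesReturned = (ULONG)cbData;
            dprintf("Send Data to App: %s\r\n", pIoBuffer);
            status = STATUS_SUCCESS;
        } else {
            status = STATUS_BUFFER_TOO_SMALL;
        }
        break;
    }

    default:
        dprintf("Unknown IOCTL: 0x%X (%04X,%04X)\r\n",
                uIoControlCode,
                DEVICE_TYPE_FROM_CTL_CODE(uIoControlCode),
                IoGetFunctionCodeFromCtlCode(uIoControlCode));
        status = STATUS_INVALID_PARAMETER;
        break;
    }

    /* Never report more than was written: the I/O manager copies this many
     * bytes of the system buffer back to the caller. */
    pIrp->IoStatus.Information = NT_SUCCESS(status) ? uBytesReturned : 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return status;
}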
/*
 * Detour body that LoadImageRoutine installs over the start of
 * KdDisableDebugger (via InLineHookEngine). It is reached by that jump, so on
 * entry the stack holds only the original caller's return address at [esp].
 *
 * What the asm does: saves eax, loads the caller's return address (at [esp+4]
 * once eax is pushed), relocates it from the TesSafe image into the driver's
 * mirror copy (addr - TesSafeBase + pMirror), stores it back, restores eax and
 * jumps to kdRet, which LoadImageRoutine set to KdDisableDebugger + 7. The
 * caller therefore returns into the mirror rather than into TesSafe.
 *
 * NOTE(review): the relocation is unconditional — every caller of
 * KdDisableDebugger anywhere in the kernel, not only TesSafe, gets its return
 * address rewritten, so this is a system-wide side effect and a crash risk
 * for unrelated callers. The first 7 bytes of KdDisableDebugger are never
 * executed on this path (the saved/restored prologue is 5 bytes, the resume
 * point is +7); that this is valid depends on the exact kernel build — TODO
 * confirm. 32-bit x86 only: naked functions, __asm and the esp/eax arithmetic
 * are MSVC x86 features, and pMirror/TesSafeBase are 32-bit integers.
 */
__declspec(naked) void MyKdDisableDebugger()
{
__asm
{
push eax                 // preserve eax; original return address is now at [esp+4]
mov eax,[esp+0x4]
sub eax,TesSafeBase      // offset within the TesSafe image
add eax,pMirror          // same offset within the mirror copy
mov [esp+0x4],eax        // caller will return into the mirror
pop eax
jmp kdRet                // continue at KdDisableDebugger + 7
}
}
//
// TODO: Add your module definitions here.
//
/*
 * PsSetLoadImageNotifyRoutine callback, registered by DriverEntry. Runs in
 * the context of whichever process is mapping the image. When the image is
 * TesSafe.sys it (1) makes the static mirror buffer executable and copies the
 * TesSafe image into it, (2) saves KdDisableDebugger's first 5 bytes and
 * detours the function to MyKdDisableDebugger, and (3) patches two
 * conditional branches at fixed offsets inside the mirror copy.
 *
 * @param FullImageName path of the image being mapped; may be NULL per the
 *                      PsSetLoadImageNotifyRoutine contract.
 * @param ProcessId     unused.
 * @param ImageInfo     provides ImageBase; ImageSize is not consulted.
 *
 * NOTE(review): FullImageName is dereferenced without a NULL check, and a
 * UNICODE_STRING buffer is not guaranteed to be NUL-terminated, so wcsstr can
 * fault or read past the string. Return values of IoAllocateMdl (may be NULL)
 * and MmProtectMdlSystemAddress are ignored. The 0x139000-byte copy is not
 * bounded by ImageInfo->ImageSize, so a smaller TesSafe image is over-read.
 * The patch offsets belong to one specific TesSafe build; the opcode checks
 * only confirm the expected byte is present, not that the build matches.
 * Declarations after statements require a C99-capable compiler or C++ mode.
 */
VOID LoadImageRoutine(
__in_opt PUNICODE_STRING FullImageName,
__in HANDLE ProcessId,
__in PIMAGE_INFO ImageInfo
)
{
if(wcsstr(FullImageName->Buffer, L"TesSafe.sys")!=0)
{
DbgPrint("TesSafe has been discovered");
ULONG uImageInfo=(ULONG)ImageInfo->ImageBase;   // 32-bit truncation of the base: x86-only
DbgPrint("TesSafeBase is %x",uImageInfo);
TesSafeBase=uImageInfo;
PMDL pMdl;
// 0x139000 == sizeof _pMirror (1282048). The MDL exists only to change the
// mirror's page protection to RWX and is freed immediately afterwards;
// whether MmProtectMdlSystemAddress accepts an MDL that was never built or
// mapped is not verified here — TODO confirm.
pMdl = IoAllocateMdl(_pMirror,0x139000,FALSE,FALSE,NULL);
MmProtectMdlSystemAddress(pMdl,PAGE_EXECUTE_READWRITE);
IoFreeMdl(pMdl);
//NtAllocateVirtualMemory((HANDLE)-1,pMirror,0,(PSIZE_T)0x139000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
// Raw copy of the TesSafe image into the mirror. UnInLineHookEngine is used
// here as (dst, src, len) — inferred from its three call sites in this file.
UnInLineHookEngine((int)_pMirror,(char *)TesSafeBase,0x139000);
//PassGlobalStaticCrcEx();
// Resume address used by MyKdDisableDebugger; non-zero marks the hook as armed.
kdRet=(DWORD)KdDisableDebugger+0x7;
// Save the original 5 prologue bytes (DriverUnload writes them back), then
// install the detour.
UnInLineHookEngine((int)mKdDisableDebugger,(char *)KdDisableDebugger,5);
InLineHookEngine((ULONG)KdDisableDebugger,(int)MyKdDisableDebugger);
DbgPrint("MirrorBase is %x",(int)pMirror);
// Build-specific patches applied to the mirror copy only (the real TesSafe
// image is left untouched). 0x75 is jne rel8, 0x74 is je rel8.
if(*(PUCHAR)(pMirror+0x92c1)==0x75)
{
*(PUSHORT)(pMirror+0x92c1)=0x9090;   // jne rel8 -> nop; nop
DbgPrint("TesSafeOffset1 is %x",pMirror+0x92c1);
}
if(*(PUCHAR)(pMirror+0x92c1+0x12e)==0x74)
{
*(PUCHAR)(pMirror+0x92c1+0x12e)=0xeb;   // je rel8 -> jmp rel8
DbgPrint("TesSafeOffset2 is %x",pMirror+0x92c1+0x12e);
}
}
return;
}
/* EOF */