-
-
[讨论]分析个驱动反调试
-
发表于: 2013-9-12 15:24
-
驱动HOOK了5个函数来禁止调试器打开和附加的
直接还原OK
但OD附加程序挂了,又检查了下,没HOOK了
所以用XueTr扫了下R3层
一扫下一跳,XueTr显示钩住了1000多个
但有些没数据,付上图片
[XueTr][game.exe-->Ring3 Hook]: 19976
挂钩对象 挂钩位置 钩子类型 挂钩处当前值 挂钩处原始值
[*]game.exe->KERNEL32.dll:QueryPerformanceCounter 0x7C80A4C7->0x363B94C7 Iat C7 94 3B 36 C7 A4 80 7C
[*]douxian.mod->KERNEL32.dll:GetTickCount 0x7C80934A->0x363B834A Iat 4A 83 3B 36 4A 93 80 7C
kernel32.dll->ntdll.dll:_wcsnicmp 0x7C937A93->0x36486A93 Iat 93 6A 48 36 93 7A 93 7C
[*]kernel32.dll->ntdll.dll:NtFsControlFile 0x7C92D39E->0x3647C39E Iat 9E C3 47 36 9E D3 92 7C
kernel32.dll->ntdll.dll:NtCreateFile 0x7C92D0AE->0x3647C0AE Iat AE C0 47 36 AE D0 92 7C
[*]kernel32.dll->ntdll.dll:RtlAllocateHeap 0x7C9300C4->0x3647F0C4 Iat C4 F0 47 36 C4 00 93 7C
kernel32.dll->ntdll.dll:RtlFreeHeap 0x7C92FF2D->0x3647EF2D Iat 2D EF 47 36 2D FF 92 7C
[*]kernel32.dll->ntdll.dll:NtOpenFile 0x7C92D59E->0x3647C59E Iat 9E C5 47 36 9E D5 92 7C
kernel32.dll->ntdll.dll:NtQueryInformationFile 0x7C92D7CE->0x3647C7CE Iat CE C7 47 36 CE D7 92 7C
[*]kernel32.dll->ntdll.dll:NtQueryEaFile 0x7C92D78E->0x3647C78E Iat 8E C7 47 36 8E D7 92 7C
kernel32.dll->ntdll.dll:RtlLengthSecurityDescriptor 0x7C94ABC5->0x36499BC5 Iat C5 9B 49 36 C5 AB 94 7C
[*]kernel32.dll->ntdll.dll:NtQuerySecurityObject 0x7C92D8DE->0x3647C8DE Iat DE C8 47 36 DE D8 92 7C
kernel32.dll->ntdll.dll:NtSetEaFile 0x7C92DBFE->0x3647CBFE Iat FE CB 47 36 FE DB 92 7C
[*]kernel32.dll->ntdll.dll:NtSetSecurityObject 0x7C92DD2E->0x3647CD2E Iat 2E CD 47 36 2E DD 92 7C
kernel32.dll->ntdll.dll:NtSetInformationFile 0x7C92DC5E->0x3647CC5E Iat 5E CC 47 36 5E DC 92 7C
[*]kernel32.dll->ntdll.dll:CsrClientCallServer 0x7C932C49->0x36481C49 Iat 49 1C 48 36 49 2C 93 7C
kernel32.dll->ntdll.dll:NtDeviceIoControlFile 0x7C92D27E->0x3647C27E Iat 7E C2 47 36 7E D2 92 7C
[*]kernel32.dll->ntdll.dll:NtClose 0x7C92CFEE->0x3647BFEE Iat EE BF 47 36 EE CF 92 7C
kernel32.dll->ntdll.dll:RtlInitUnicodeString 0x7C921295->0x36470295 Iat 95 02 47 36 95 12 92 7C
[*]kernel32.dll->ntdll.dll:wcscspn 0x7C94C543->0x3649B543 Iat 43 B5 49 36 43 C5 94 7C
kernel32.dll->ntdll.dll:RtlUnicodeToMultiByteSize 0x7C9333AB->0x364823AB Iat AB 23 48 36 AB 33 93 7C
[*]kernel32.dll->ntdll.dll:wcslen 0x7C92FE4A->0x3647EE4A Iat 4A EE 47 36 4A FE 92 7C
kernel32.dll->ntdll.dll:_memicmp 0x7C99264A->0x364E164A Iat 4A 16 4E 36 4A 26 99 7C
[*]kernel32.dll->ntdll.dll:memmove 0x7C9220F5->0x364710F5 Iat F5 10 47 36 F5 20 92 7C
kernel32.dll->ntdll.dll:NtQueryValueKey 0x7C92D96E->0x3647C96E Iat 6E C9 47 36 6E D9 92 7C
[*]kernel32.dll->ntdll.dll:NtOpenKey 0x7C92D5CE->0x3647C5CE Iat CE C5 47 36 CE D5 92 7C
kernel32.dll->ntdll.dll:NtFlushKey 0x7C92D34E->0x3647C34E Iat 4E C3 47 36 4E D3 92 7C
[*]kernel32.dll->ntdll.dll:NtSetValueKey 0x7C92DDCE->0x3647CDCE Iat CE CD 47 36 CE DD 92 7C
kernel32.dll->ntdll.dll:NtCreateKey 0x7C92D0EE->0x3647C0EE Iat EE C0 47 36 EE D0 92 7C
[*]kernel32.dll->ntdll.dll:RtlNtStatusToDosError 0x7C92F62D->0x3647E62D Iat 2D E6 47 36 2D F6 92 7C
kernel32.dll->ntdll.dll:RtlFreeUnicodeString 0x7C930466->0x3647F466 Iat 66 F4 47 36 66 04 93 7C
[*]kernel32.dll->ntdll.dll:RtlDnsHostNameToComputerName 0x7C95403B->0x364A303B Iat 3B 30 4A 36 3B 40 95 7C
kernel32.dll->ntdll.dll:wcsncpy 0x7C9305D9->0x3647F5D9 Iat D9 F5 47 36 D9 05 93 7C
[*]kernel32.dll->ntdll.dll:RtlUnicodeStringToAnsiString 0x7C932A6C->0x36481A6C Iat 6C 1A 48 36 6C 2A 93 7C
kernel32.dll->ntdll.dll:RtlxUnicodeStringToAnsiSize 0x7C97FA3B->0x364CEA3B Iat 3B EA 4C 36 3B FA 97 7C
kernel32.dll->ntdll.dll:RtlAnsiStringToUnicodeString 0x7C92EB3B->0x3647DB3B Iat 3B DB 47 36 3B EB 92 7C
[*]kernel32.dll->ntdll.dll:RtlInitAnsiString 0x7C92125D->0x3647025D Iat 5D 02 47 36 5D 12 92 7C
kernel32.dll->ntdll.dll:RtlCreateUnicodeStringFromAsciiz 0x7C932F31->0x36481F31 Iat 31 1F 48 36 31 2F 93 7C
[*]kernel32.dll->ntdll.dll:wcschr 0x7C9341EA->0x364831EA Iat EA 31 48 36 EA 41 93 7C
kernel32.dll->ntdll.dll:wcsstr 0x7C9443CF->0x364933CF Iat CF 33 49 36 CF 43 94 7C
[*]kernel32.dll->ntdll.dll:RtlPrefixString 0x7C950C93->0x3649FC93 Iat 93 FC 49 36 93 0C 95 7C
kernel32.dll->ntdll.dll:_wcsicmp 0x7C933324->0x36482324 Iat 24 23 48 36 24 33 93 7C
[*]kernel32.dll->ntdll.dll:RtlGetFullPathName_U 0x7C933C0F->0x36482C0F Iat 0F 2C 48 36 0F 3C 93 7C
kernel32.dll->ntdll.dll:RtlGetCurrentDirectory_U 0x7C933D6D->0x36482D6D Iat 6D 2D 48 36 6D 3D 93 7C
[*]kernel32.dll->ntdll.dll:NtQueryInformationProcess 0x7C92D7FE->0x3647C7FE Iat FE C7 47 36 FE D7 92 7C
kernel32.dll->ntdll.dll:RtlUnicodeStringToOemString 0x7C947572->0x36496572 Iat 72 65 49 36 72 75 94 7C
[*]kernel32.dll->ntdll.dll:RtlReleasePebLock 0x7C930451->0x3647F451 Iat 51 F4 47 36 51 04 93 7C
kernel32.dll->ntdll.dll:RtlEqualUnicodeString 0x7C932D73->0x36481D73 Iat 73 1D 48 36 73 2D 93 7C
[*]kernel32.dll->ntdll.dll:RtlAcquirePebLock 0x7C93040D->0x3647F40D Iat 0D F4 47 36 0D 04 93 7C
kernel32.dll->ntdll.dll:RtlFreeAnsiString 0x7C930466->0x3647F466 Iat 66 F4 47 36 66 04 93 7C
[*]kernel32.dll->ntdll.dll:RtlSetCurrentDirectory_U 0x7C93BFDD->0x3648AFDD Iat DD AF 48 36 DD BF 93 7C
kernel32.dll->ntdll.dll:RtlTimeToTimeFields 0x7C9325A5->0x364815A5 Iat A5 15 48 36 A5 25 93 7C
[*]kernel32.dll->ntdll.dll:NtSetSystemTime 0x7C92DD7E->0x3647CD7E Iat 7E CD 47 36 7E DD 92 7C
kernel32.dll->ntdll.dll:RtlTimeFieldsToTime 0x7C9398E2->0x364888E2 Iat E2 88 48 36 E2 98 93 7C
[*]kernel32.dll->ntdll.dll:NtQuerySystemInformation 0x7C92D92E->0x3647C92E Iat 2E C9 47 36 2E D9 92 7C
kernel32.dll->ntdll.dll:RtlSetTimeZoneInformation 0x7C981DC3->0x364D0DC3 Iat C3 0D 4D 36 C3 1D 98 7C
[*]kernel32.dll->ntdll.dll:NtSetSystemInformation 0x7C92DD5E->0x3647CD5E Iat 5E CD 47 36 5E DD 92 7C
kernel32.dll->ntdll.dll:RtlCutoverTimeToSystemTime 0x7C94E4A4->0x3649D4A4 Iat A4 D4 49 36 A4 E4 94 7C
用工具一恢复程序马上退出
程序禁止虚拟机,连windbg打开程序也包错,无语了
谁帮小弟分析下
直接还原OK
但OD附加程序挂了,又检查了下,没HOOK了
所以用XueTr扫了下R3层
一扫下一跳,XueTr显示钩住了1000多个
但有些没数据,付上图片
[XueTr][game.exe-->Ring3 Hook]: 19976
挂钩对象 挂钩位置 钩子类型 挂钩处当前值 挂钩处原始值
[*]game.exe->KERNEL32.dll:QueryPerformanceCounter 0x7C80A4C7->0x363B94C7 Iat C7 94 3B 36 C7 A4 80 7C
[*]douxian.mod->KERNEL32.dll:GetTickCount 0x7C80934A->0x363B834A Iat 4A 83 3B 36 4A 93 80 7C
kernel32.dll->ntdll.dll:_wcsnicmp 0x7C937A93->0x36486A93 Iat 93 6A 48 36 93 7A 93 7C
[*]kernel32.dll->ntdll.dll:NtFsControlFile 0x7C92D39E->0x3647C39E Iat 9E C3 47 36 9E D3 92 7C
kernel32.dll->ntdll.dll:NtCreateFile 0x7C92D0AE->0x3647C0AE Iat AE C0 47 36 AE D0 92 7C
[*]kernel32.dll->ntdll.dll:RtlAllocateHeap 0x7C9300C4->0x3647F0C4 Iat C4 F0 47 36 C4 00 93 7C
kernel32.dll->ntdll.dll:RtlFreeHeap 0x7C92FF2D->0x3647EF2D Iat 2D EF 47 36 2D FF 92 7C
[*]kernel32.dll->ntdll.dll:NtOpenFile 0x7C92D59E->0x3647C59E Iat 9E C5 47 36 9E D5 92 7C
kernel32.dll->ntdll.dll:NtQueryInformationFile 0x7C92D7CE->0x3647C7CE Iat CE C7 47 36 CE D7 92 7C
[*]kernel32.dll->ntdll.dll:NtQueryEaFile 0x7C92D78E->0x3647C78E Iat 8E C7 47 36 8E D7 92 7C
kernel32.dll->ntdll.dll:RtlLengthSecurityDescriptor 0x7C94ABC5->0x36499BC5 Iat C5 9B 49 36 C5 AB 94 7C
[*]kernel32.dll->ntdll.dll:NtQuerySecurityObject 0x7C92D8DE->0x3647C8DE Iat DE C8 47 36 DE D8 92 7C
kernel32.dll->ntdll.dll:NtSetEaFile 0x7C92DBFE->0x3647CBFE Iat FE CB 47 36 FE DB 92 7C
[*]kernel32.dll->ntdll.dll:NtSetSecurityObject 0x7C92DD2E->0x3647CD2E Iat 2E CD 47 36 2E DD 92 7C
kernel32.dll->ntdll.dll:NtSetInformationFile 0x7C92DC5E->0x3647CC5E Iat 5E CC 47 36 5E DC 92 7C
[*]kernel32.dll->ntdll.dll:CsrClientCallServer 0x7C932C49->0x36481C49 Iat 49 1C 48 36 49 2C 93 7C
kernel32.dll->ntdll.dll:NtDeviceIoControlFile 0x7C92D27E->0x3647C27E Iat 7E C2 47 36 7E D2 92 7C
[*]kernel32.dll->ntdll.dll:NtClose 0x7C92CFEE->0x3647BFEE Iat EE BF 47 36 EE CF 92 7C
kernel32.dll->ntdll.dll:RtlInitUnicodeString 0x7C921295->0x36470295 Iat 95 02 47 36 95 12 92 7C
[*]kernel32.dll->ntdll.dll:wcscspn 0x7C94C543->0x3649B543 Iat 43 B5 49 36 43 C5 94 7C
kernel32.dll->ntdll.dll:RtlUnicodeToMultiByteSize 0x7C9333AB->0x364823AB Iat AB 23 48 36 AB 33 93 7C
[*]kernel32.dll->ntdll.dll:wcslen 0x7C92FE4A->0x3647EE4A Iat 4A EE 47 36 4A FE 92 7C
kernel32.dll->ntdll.dll:_memicmp 0x7C99264A->0x364E164A Iat 4A 16 4E 36 4A 26 99 7C
[*]kernel32.dll->ntdll.dll:memmove 0x7C9220F5->0x364710F5 Iat F5 10 47 36 F5 20 92 7C
kernel32.dll->ntdll.dll:NtQueryValueKey 0x7C92D96E->0x3647C96E Iat 6E C9 47 36 6E D9 92 7C
[*]kernel32.dll->ntdll.dll:NtOpenKey 0x7C92D5CE->0x3647C5CE Iat CE C5 47 36 CE D5 92 7C
kernel32.dll->ntdll.dll:NtFlushKey 0x7C92D34E->0x3647C34E Iat 4E C3 47 36 4E D3 92 7C
[*]kernel32.dll->ntdll.dll:NtSetValueKey 0x7C92DDCE->0x3647CDCE Iat CE CD 47 36 CE DD 92 7C
kernel32.dll->ntdll.dll:NtCreateKey 0x7C92D0EE->0x3647C0EE Iat EE C0 47 36 EE D0 92 7C
[*]kernel32.dll->ntdll.dll:RtlNtStatusToDosError 0x7C92F62D->0x3647E62D Iat 2D E6 47 36 2D F6 92 7C
kernel32.dll->ntdll.dll:RtlFreeUnicodeString 0x7C930466->0x3647F466 Iat 66 F4 47 36 66 04 93 7C
[*]kernel32.dll->ntdll.dll:RtlDnsHostNameToComputerName 0x7C95403B->0x364A303B Iat 3B 30 4A 36 3B 40 95 7C
kernel32.dll->ntdll.dll:wcsncpy 0x7C9305D9->0x3647F5D9 Iat D9 F5 47 36 D9 05 93 7C
[*]kernel32.dll->ntdll.dll:RtlUnicodeStringToAnsiString 0x7C932A6C->0x36481A6C Iat 6C 1A 48 36 6C 2A 93 7C
kernel32.dll->ntdll.dll:RtlxUnicodeStringToAnsiSize 0x7C97FA3B->0x364CEA3B Iat 3B EA 4C 36 3B FA 97 7C
kernel32.dll->ntdll.dll:RtlAnsiStringToUnicodeString 0x7C92EB3B->0x3647DB3B Iat 3B DB 47 36 3B EB 92 7C
[*]kernel32.dll->ntdll.dll:RtlInitAnsiString 0x7C92125D->0x3647025D Iat 5D 02 47 36 5D 12 92 7C
kernel32.dll->ntdll.dll:RtlCreateUnicodeStringFromAsciiz 0x7C932F31->0x36481F31 Iat 31 1F 48 36 31 2F 93 7C
[*]kernel32.dll->ntdll.dll:wcschr 0x7C9341EA->0x364831EA Iat EA 31 48 36 EA 41 93 7C
kernel32.dll->ntdll.dll:wcsstr 0x7C9443CF->0x364933CF Iat CF 33 49 36 CF 43 94 7C
[*]kernel32.dll->ntdll.dll:RtlPrefixString 0x7C950C93->0x3649FC93 Iat 93 FC 49 36 93 0C 95 7C
kernel32.dll->ntdll.dll:_wcsicmp 0x7C933324->0x36482324 Iat 24 23 48 36 24 33 93 7C
[*]kernel32.dll->ntdll.dll:RtlGetFullPathName_U 0x7C933C0F->0x36482C0F Iat 0F 2C 48 36 0F 3C 93 7C
kernel32.dll->ntdll.dll:RtlGetCurrentDirectory_U 0x7C933D6D->0x36482D6D Iat 6D 2D 48 36 6D 3D 93 7C
[*]kernel32.dll->ntdll.dll:NtQueryInformationProcess 0x7C92D7FE->0x3647C7FE Iat FE C7 47 36 FE D7 92 7C
kernel32.dll->ntdll.dll:RtlUnicodeStringToOemString 0x7C947572->0x36496572 Iat 72 65 49 36 72 75 94 7C
[*]kernel32.dll->ntdll.dll:RtlReleasePebLock 0x7C930451->0x3647F451 Iat 51 F4 47 36 51 04 93 7C
kernel32.dll->ntdll.dll:RtlEqualUnicodeString 0x7C932D73->0x36481D73 Iat 73 1D 48 36 73 2D 93 7C
[*]kernel32.dll->ntdll.dll:RtlAcquirePebLock 0x7C93040D->0x3647F40D Iat 0D F4 47 36 0D 04 93 7C
kernel32.dll->ntdll.dll:RtlFreeAnsiString 0x7C930466->0x3647F466 Iat 66 F4 47 36 66 04 93 7C
[*]kernel32.dll->ntdll.dll:RtlSetCurrentDirectory_U 0x7C93BFDD->0x3648AFDD Iat DD AF 48 36 DD BF 93 7C
kernel32.dll->ntdll.dll:RtlTimeToTimeFields 0x7C9325A5->0x364815A5 Iat A5 15 48 36 A5 25 93 7C
[*]kernel32.dll->ntdll.dll:NtSetSystemTime 0x7C92DD7E->0x3647CD7E Iat 7E CD 47 36 7E DD 92 7C
kernel32.dll->ntdll.dll:RtlTimeFieldsToTime 0x7C9398E2->0x364888E2 Iat E2 88 48 36 E2 98 93 7C
[*]kernel32.dll->ntdll.dll:NtQuerySystemInformation 0x7C92D92E->0x3647C92E Iat 2E C9 47 36 2E D9 92 7C
kernel32.dll->ntdll.dll:RtlSetTimeZoneInformation 0x7C981DC3->0x364D0DC3 Iat C3 0D 4D 36 C3 1D 98 7C
[*]kernel32.dll->ntdll.dll:NtSetSystemInformation 0x7C92DD5E->0x3647CD5E Iat 5E CD 47 36 5E DD 92 7C
kernel32.dll->ntdll.dll:RtlCutoverTimeToSystemTime 0x7C94E4A4->0x3649D4A4 Iat A4 D4 49 36 A4 E4 94 7C
用工具一恢复程序马上退出
程序禁止虚拟机,连windbg打开程序也包错,无语了
谁帮小弟分析下
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
