在看雪学习了这么久,也没怎么发过帖,好像有点不好意思,
本人小菜菜,欢迎各位大神,指点,赐教,
前面很多大神已经说过了,我只是更加具体的实践了下,简单点说就是调试权限被清零了,具体可以看下视频,
这个调试权限XP下面已经被玩的熟透了,如果看不懂,大家可以回去找找XP下面的帖子,都一样的,
dq DbgkDebugObjectType
dt _OBJECT_TYPE fffffa80`24e33250
清零前:
1: kd> dt _OBJECT_TYPE_INITIALIZER fffffa80`24e33250+0x040
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x70
+0x002 ObjectTypeFlags : 0x8 ''
+0x002 CaseInsensitive : 0y0
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y1
+0x002 MaintainHandleCount : 0y0
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode : 0
+0x008 InvalidAttributes : 0
+0x00c GenericMapping : _GENERIC_MAPPING
+0x01c ValidAccessMask : 0x1f000f
+0x020 RetainAccess : 0
+0x024 PoolType : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0
+0x02c DefaultNonPagedPoolCharge : 0x58
+0x030 DumpProcedure : (null)
+0x038 OpenProcedure : (null)
+0x040 CloseProcedure : 0xfffff800`01f0ddb0 void nt!DbgkpCloseObject+0
+0x048 DeleteProcedure : 0xfffff800`01d66fe0 void nt!CmpConfigureProcessors+0
+0x050 ParseProcedure : (null)
+0x058 SecurityProcedure : 0xfffff800`01dd25f0 long nt!SeDefaultObjectMethod+0
+0x060 QueryNameProcedure : (null)
+0x068 OkayToCloseProcedure : (null)
清零后:
0: kd> dt _OBJECT_TYPE_INITIALIZER fffffa80`24e51250+0x040
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x70
+0x002 ObjectTypeFlags : 0x8 ''
+0x002 CaseInsensitive : 0y0
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y1
+0x002 MaintainHandleCount : 0y0
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode : 0
+0x008 InvalidAttributes : 0
+0x00c GenericMapping : _GENERIC_MAPPING
+0x01c ValidAccessMask : 0
+0x020 RetainAccess : 0
+0x024 PoolType : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0
+0x02c DefaultNonPagedPoolCharge : 0x58
+0x030 DumpProcedure : (null)
+0x038 OpenProcedure : (null)
+0x040 CloseProcedure : 0xfffff800`01eb5db0 void nt!DbgkpCloseObject+0
+0x048 DeleteProcedure : 0xfffff800`01d0efe0 void nt!CmpConfigureProcessors+0
+0x050 ParseProcedure : (null)
+0x058 SecurityProcedure : 0xfffff800`01d7a5f0 long nt!SeDefaultObjectMethod+0
+0x060 QueryNameProcedure : (null)
+0x068 OkayToCloseProcedure : (null)
游戏是隔几秒清一次零,我呢则以暴制暴,隔一秒给它还原一次,不是太完美,不过有效就行,呵呵,
下面这个代码是获取调试权限的:
VOID
DeferredRoutine(
    __in struct _KDPC *Dpc,
    __in_opt PVOID DeferredContext,
    __in_opt PVOID SystemArgument1,
    __in_opt PVOID SystemArgument2
    )
{
    /*
     * Timer DPC callback. Writes 0x1f000f -- the value the "before" dump
     * shows for ValidAccessMask at +0x01c -- through the global
     * ValidAccessMaskAddr, then re-arms g_kTimer with the global
     * largeInt/g_kDpc so the write repeats on every expiry.
     * Dpc, DeferredContext, SystemArgument1 and SystemArgument2 are unused.
     * NOTE(review): ValidAccessMaskAddr is written without any validity
     * check; a zero or stale value here would fault at DISPATCH_LEVEL.
     */
    ULONG *mask = (ULONG *)ValidAccessMaskAddr;

    *mask = 0x1f000f;
    KeSetTimer(&g_kTimer, largeInt, &g_kDpc);
}
暴力搜索得到调试权限字段 ValidAccessMask 的地址:
/*
 * Scan the byte range [startaddr, endaddr) for the pattern
 *   4c 8b 05 ?? ?? ?? ?? 48 83
 * (4c 8b 05 = mov r8, [rip+disp32]; 48 83 = REX.W group-1 imm8 instruction)
 * and return the absolute target of that rip-relative operand at the
 * first match, or 0 if no match is found.
 *
 * startaddr, endaddr: kernel virtual address range to scan; the caller
 *   below passes NtDebugActiveProcessaddr .. NtDebugActiveProcessaddr+0x500.
 * Returns: the resolved 64-bit address, or 0 when the pattern is absent.
 *
 * NOTE(review): only i, i+1 and i+2 are checked with MmIsAddressValid;
 *   the reads at i+3..i+8 (pattern tail and disp32) are unchecked, so a
 *   match that straddles into an invalid page would fault.
 * NOTE(review): the target is built from 32-bit truncated values plus a
 *   hard-coded 0xfffff80000000000 base rather than sign-extending the
 *   rel32 displacement; this only holds while the target lies in that
 *   4 GiB window -- confirm against the kernel image base.
 */
ULONGLONG MyGetAddress(ULONGLONG startaddr,ULONGLONG endaddr) // my approach
{
PUCHAR StartSearchAddress = (PUCHAR)startaddr;
PUCHAR EndSearchAddress =(PUCHAR) endaddr;
PUCHAR i = NULL;
UCHAR b1=0,b2=0,b3=0;
ULONG templong=0;  // raw 32-bit displacement copied from the instruction
ULONGLONG addr=0;
for(i=StartSearchAddress;i<EndSearchAddress;i++)
{
// Only the first three bytes of the candidate are validated.
if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
{
b1=*i;
b2=*(i+1);
b3=*(i+2);
// Matches 4c 8b 05 (not 4c 8d 15 as the original comment said); bytes 7-8 are read unchecked.
if( b1==0x4c && b2==0x8b && b3==0x05 && *(i+7)==0x48 && *(i+8)==0x83) //4c8d15
{
// disp32 occupies bytes 3..6 of the 7-byte instruction.
memcpy(&templong,i+3,4);
// rip-relative: target = next-instruction address (i+7) + disp32,
// computed here in 32-bit arithmetic and re-based onto a fixed high half.
addr = (ULONG)templong + (ULONG)i + 7;
addr = 0xfffff80000000000+addr;
return addr;
}
}
}
return 0;
}
// Locate the rip-relative load of DbgkDebugObjectType within the first
// 0x500 bytes of NtDebugActiveProcess (how NtDebugActiveProcessaddr is
// obtained is not shown in this excerpt).
DbgkDebugObjectTypeAddr = MyGetAddress(NtDebugActiveProcessaddr,NtDebugActiveProcessaddr+0x500);
// Dereference the pointer variable to reach the _OBJECT_TYPE itself.
// NOTE(review): MyGetAddress returns 0 on no match and that is not checked here.
TEMP = *(ULONG_PTR*)DbgkDebugObjectTypeAddr;
// +0x40: the _OBJECT_TYPE_INITIALIZER inside _OBJECT_TYPE (as in the dt
// commands above); +0x1c: ValidAccessMask inside the initializer.
ValidAccessMaskAddr = TEMP+0x40+0x1c;//dd 0xfffffa80`018cdf30 +0x40+0x1c
// Arm a periodic DPC that re-applies the mask. A negative DueTime is
// relative, in 100-ns units: -1000000 is 100 ms, whereas the text above
// says once per second -- confirm the intended period.
KeInitializeTimer(&g_kTimer);
KeInitializeDpc(&g_kDpc,DeferredRoutine,0);
largeInt.QuadPart = -1000000;
KeSetTimer(&g_kTimer,largeInt,&g_kDpc);
链接: http://pan.baidu.com/s/1sjDMBed 密码: q563