-
-
实现DebugPort清零
-
2022-2-11 15:40
-
最近开始学习windows内核,记录一下,在windows进程中,有个叫_EPROCESS的结构体,该结构体中有个成员是DebugPort,DebugPort是用于调试的一个端口,如果把这个端口清零,常规手段则无法调试我们的进程。
有了这个概念就可以写个驱动测试一下,清零notepad的DebugPort看看od还能不能调试notepad,要清零DebugPort首先要获取到目标进程的EPROCESS,这里我选择使用PsGetCurrentProcess来获取当前出进程的EPROCESS,然后遍历系统所有的进程来寻找notepad,找到以后对其进行清零,由于系统会往DebugPort写值,所以我们要写一个线程来进行清零,具体代码如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 | #include <ntddk.h>enum XP_SYSTEM{ xpNextProcess = 0x88, xpPrevProcess = 0x8c, xpImageFileName = 0x174, xpDebugProt = 0x0bc};PETHREAD pThreadObj = NULL;BOOLEAN bTerminated = FALSE;VOID DebugPortReset(PVOID pContext);VOID DriverUnload(PDRIVER_OBJECT pDriverObject){ bTerminated = TRUE; KeWaitForSingleObject(pThreadObj, Executive, KernelMode, FALSE, NULL); ObDereferenceObject(pThreadObj);}NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){ HANDLE hThread = 0; NTSTATUS status = STATUS_SUCCESS; KdPrint(("Driver Entry\n")); pDriverObject->DriverUnload = DriverUnload; status = PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, DebugPortReset, NULL); if (NT_SUCCESS(status)) { KdPrint(("Thread Created\n")); status = ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, *PsThreadType, KernelMode, &pThreadObj, NULL); ZwClose(hThread); if (!NT_SUCCESS(status)) { bTerminated = TRUE; } } return status;}VOID DebugPortReset(PVOID pContext){ PEPROCESS pCurrentProcess = NULL; PEPROCESS pPreviousProcess = NULL; LARGE_INTEGER inteval; inteval.QuadPart = -20000000; KeSetPriorityThread(KeGetCurrentThread(), LOW_REALTIME_PRIORITY); while (!bTerminated) { pCurrentProcess = PsGetCurrentProcess(); pPreviousProcess = (PEPROCESS)(*((PULONG_PTR)((ULONG_PTR)pCurrentProcess + xpPrevProcess)) - xpNextProcess); while (pCurrentProcess != pPreviousProcess) { if (strcmp(((PCHAR)((ULONG_PTR)pCurrentProcess + xpImageFileName)), "notepad.exe") == 0) { KdPrint(("找到notepad进程 开始清零\n")); *(PULONG)((ULONG)pCurrentProcess + xpDebugProt) = 0; break; } pCurrentProcess = (PEPROCESS)(*((PULONG_PTR)((ULONG_PTR)pCurrentProcess + xpNextProcess)) - xpNextProcess); } KeDelayExecutionThread(KernelMode, FALSE, &inteval); }} |
效果如下所示:
window7及以上系统只要改掉枚举中的偏移即可,64位没有研究过,还望大佬们不吝赐教
志同道合的小伙伴们可以加群一起交流技术,共同进步 788518452
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
