-
-
[原创]DTrace 研究
-
2022-9-27 17:18
-
DTrace 研究
Windbg调试器单步异常,直接gn不处理。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | 32.0: kd:x86> gnThe context is partially valid. Only x86 user-mode context is available.WOW64 single step exception - code 4000001e (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.vmp3_6+0x4fa074:00000000`008fa074 90 nop32.0: kd:x86> ubvmp3_6+0x4fa063:00000000`008fa063 33d3 xor edx,ebx00000000`008fa065 ffca dec edx00000000`008fa067 41 inc ecx00000000`008fa068 84d9 test cl,bl00000000`008fa06a f7da neg edx00000000`008fa06c e91832f0ff jmp vmp3_6+0x3fd289 (007fd289)00000000`008fa071 9d popfd00000000`008fa072 0f31 rdtsc32.0: kd:x86> gn |
DTrace
DTrace on Windows - Windows drivers
使用D语言编写监控
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 | #pragma D option quiet#pragma D option destructivesyscall::Nt*:entry / execname == $1 /{ /*printf("%s [Caller %s]\n",probefunc, execname);*/ if(probefunc == "NtQuerySystemInformation") { if(arg0 == 35){ printf("Detect Kernel Debugger\n"); } } if(probefunc == "NtQueryInformationProcess") { if(arg1 == 0x7){ printf("Detect ProcessDebutPort\n"); } if(arg1 == 0x1E){ printf("Detect ProcessDebugObjectHandle\n"); } if(arg1 == 0x1F){ printf("Detect DebugFlags"); } } if(probefunc == "NtSetInformationThread"){ if(arg1 == 0x11){ printf("HideFromDebugger\n"); } } if(probefunc == "NtQueryInformationProcess"){ if(arg1 == 0){ printf("Query Process Basic Information \n"); } } if(probefunc == "NtQueryObject"){ if(arg1 == 2) { printf("Query Object Type Information\n"); } if(arg1 == 3) { printf("Query Object Types Information\n"); } } if(probefunc == "NtClose") { printf("Close Handle : 0x%x\n",arg0); } if(probefunc == "NtSetInformationObject") { if(arg1 == 4){ printf("Set Handle Flag\n"); } } if(probefunc == "NtGetContextThread"){ printf("Get thread by thread handle : 0x%x",arg0); } if(probefunc == "NtYieldExecution") { printf("NtYieldExecution\n"); } if(probefunc == "DbgSetDebugFilterState") { printf("DbgSetDebugFilterState\n"); }} |
效果发现其检测内核调试器的存在。
使用Dtrace进行追踪
1 | dtrace.exe -s test.d vmp3.6.exe |
使用WinArk做inline hook。
成功绕过vmp3.6 反内核调试器。
其他研究
1 2 3 4 5 6 7 8 | 0033:00000000`00e06169 48c7c101000000 mov rcx, 10033:00000000`00e06170 48c7c21b52e000 mov rdx, 0E0521Bh0033:00000000`00e06177 ff1425d1c09a00 call qword ptr [9AC0D1h]0033:00000000`00e0617e cc int 30033:00000000`00e0617f 488bc8 mov rcx, rax0033:00000000`00e06182 ff142577c19a00 call qword ptr [9AC177h]0033:00000000`00e06189 4883c428 add rsp, 28h0033:00000000`00e0618d cb retf |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | 0: kd> gnThe context is partially valid. Only x86 user-mode context is available.WOW64 single step exception - code 4000001e (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.00000000`00528bd5 e948073800 jmp 008a932232.0: kd:x86> gnThe context is partially valid. Only x86 user-mode context is available.WOW64 single step exception - code 4000001e (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.00000000`0052a6b6 e98dee3700 jmp 008a954832.0: kd:x86> gnThe context is partially valid. Only x86 user-mode context is available.WOW64 single step exception - code 4000001e (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.00000000`00529a6a e9f7f93700 jmp 008a946632.0: kd:x86> gnThe context is partially valid. Only x86 user-mode context is available.WOW64 single step exception - code 4000001e (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.00000000`00527c85 e9c6153800 jmp 008a925032.0: kd:x86> gn |
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
