-
-
[原创]DTrace 研究
-
发表于: 2022-9-27 17:18
-
Windbg调试器单步异常,直接gn不处理。
DTrace
DTrace on Windows - Windows drivers
使用D语言编写监控
效果发现其检测内核调试器的存在。
使用Dtrace进行追踪
使用WinArk做inline hook。
成功绕过vmp3.6 反内核调试器。
32.0: kd:x86> gn
The context is partially valid. Only x86 user-mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
vmp3_6+0x4fa074:
00000000`008fa074 90 nop
32.0: kd:x86> ub
vmp3_6+0x4fa063:
00000000`008fa063 33d3 xor edx,ebx
00000000`008fa065 ffca dec edx
00000000`008fa067 41 inc ecx
00000000`008fa068 84d9 test cl,bl
00000000`008fa06a f7da neg edx
00000000`008fa06c e91832f0ff jmp vmp3_6+0x3fd289 (007fd289)
00000000`008fa071 9d popfd
00000000`008fa072 0f31 rdtsc
32.0: kd:x86> gn
32.0: kd:x86> gn
The context is partially valid. Only x86 user-mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
vmp3_6+0x4fa074:
00000000`008fa074 90 nop
32.0: kd:x86> ub
vmp3_6+0x4fa063:
00000000`008fa063 33d3 xor edx,ebx
00000000`008fa065 ffca dec edx
00000000`008fa067 41 inc ecx
00000000`008fa068 84d9 test cl,bl
00000000`008fa06a f7da neg edx
00000000`008fa06c e91832f0ff jmp vmp3_6+0x3fd289 (007fd289)
00000000`008fa071 9d popfd
00000000`008fa072 0f31 rdtsc
32.0: kd:x86> gn
#pragma D option quiet#pragma D option destructivesyscall::Nt*:entry
/ execname == $1 /
{ /*printf("%s [Caller %s]\n",probefunc, execname);*/
if(probefunc == "NtQuerySystemInformation") {
if(arg0 == 35){
printf("Detect Kernel Debugger\n");
}
}
if(probefunc == "NtQueryInformationProcess") {
if(arg1 == 0x7){
printf("Detect ProcessDebutPort\n");
}
if(arg1 == 0x1E){
printf("Detect ProcessDebugObjectHandle\n");
}
if(arg1 == 0x1F){
printf("Detect DebugFlags");
}
}
if(probefunc == "NtSetInformationThread"){
if(arg1 == 0x11){
printf("HideFromDebugger\n");
}
}
if(probefunc == "NtQueryInformationProcess"){
if(arg1 == 0){
printf("Query Process Basic Information \n");
}
}
if(probefunc == "NtQueryObject"){
if(arg1 == 2) {
printf("Query Object Type Information\n");
}
if(arg1 == 3) {
printf("Query Object Types Information\n");
}
}
if(probefunc == "NtClose") {
printf("Close Handle : 0x%x\n",arg0);
}
if(probefunc == "NtSetInformationObject") {
if(arg1 == 4){
printf("Set Handle Flag\n");
}
}
if(probefunc == "NtGetContextThread"){
printf("Get thread by thread handle : 0x%x",arg0);
}
if(probefunc == "NtYieldExecution") {
printf("NtYieldExecution\n");
}
if(probefunc == "DbgSetDebugFilterState") {
printf("DbgSetDebugFilterState\n");
}
}#pragma D option quiet#pragma D option destructivesyscall::Nt*:entry
/ execname == $1 /
{ /*printf("%s [Caller %s]\n",probefunc, execname);*/
if(probefunc == "NtQuerySystemInformation") {
if(arg0 == 35){
printf("Detect Kernel Debugger\n");
}
}
if(probefunc == "NtQueryInformationProcess") {
if(arg1 == 0x7){
printf("Detect ProcessDebutPort\n");
}
if(arg1 == 0x1E){
printf("Detect ProcessDebugObjectHandle\n");
}
if(arg1 == 0x1F){
printf("Detect DebugFlags");
}
}
if(probefunc == "NtSetInformationThread"){
if(arg1 == 0x11){
printf("HideFromDebugger\n");
}
}
if(probefunc == "NtQueryInformationProcess"){
if(arg1 == 0){
printf("Query Process Basic Information \n");
}
}
if(probefunc == "NtQueryObject"){
if(arg1 == 2) {
printf("Query Object Type Information\n");
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
