[原创]反硬件断点检测附源码
发表于: 2023-1-18 01:48 13075


话不多说上代码

前辈的文章中使用的是纯汇编写法，我这里将其简单转成了 C++ 的格式，并且动态定位 Hook 函数：使用 PolyHook2 Hook 了 RtlExceptionDispatcher，在其中将 DR 寄存器清 0，然后利用析构函数的特性，在 RtlExceptionDispatcher 函数执行完之后将其恢复。我个人按照前辈的方法用纯汇编 Hook KiUserExceptionDispatcher 时遇到了一些问题，所以换了一条路。
最后附上使用本例子Hook DX9的效果图

也算是在2023年交了份2013年的作业吧哈哈
最后感谢前辈们的辛勤付出，正所谓前人栽树后人乘凉；如果没有你们，我作为一个后生无法在这个知识付费的时代享受到如此优质的资源。

参考资料:
1.PolyHook2 https://github.com/stevemk14ebr/polyhook_2_0
2.[原创]抛砖引玉—硬件断点的检测和反检测 https://bbs.kanxue.com/thread-181720.htm

namespace VEHShut
{
    // Scan cursor into ntdll's code: set to the exported RtlUnwind, then
    // advanced and indexed by GetRtlDispatcherAddr() below.
    byte* func = NULL;
    // Not referenced anywhere in this listing (presumably a leftover from the
    // pure-asm version this was ported from).
    int BeckupHardwareBP[5] = { 0 };
    // Address of the located RtlDispatchException prologue, cached so the scan
    // runs only once. Held in an int, so it can only carry a full pointer on a
    // 32-bit build; together with _stdcall, PLH::Mode::x86 and x86Detour below
    // this makes the whole namespace x86-only.
    int cAddrRtlDispatchException = NULL;
 
 
 
    // RAII helper: snapshots a CONTEXT on construction and, on destruction
    // (i.e. when the enclosing RtlExceptionDispatcher() scope ends), writes the
    // saved debug-register fields Dr0-Dr3, Dr6, Dr7 back through SetContext.
    class hooks
    {
    public:
        CONTEXT backUpcontext;   // full copy of *context taken in the ctor
        PCONTEXT SetContext;     // destination of the restore in the dtor
        // Copies the whole CONTEXT. Dereferences `context` unconditionally, so a
        // null pointer is not survivable here (the caller's null check comes
        // after this object has already been constructed).
        hooks(PCONTEXT context)
        {
            backUpcontext = *context;
        }
        // NOTE(review): SetContext is never assigned anywhere in this listing
        // (not here, not in the ctor, not by the caller), so this destructor
        // writes through an uninitialized pointer - undefined behaviour. The
        // apparent intent is `SetContext = context;` in the ctor; confirm before
        // relying on the restore.
        ~hooks()noexcept
        {
            SetContext->Dr0 = backUpcontext.Dr0;
            SetContext->Dr1 = backUpcontext.Dr1;
            SetContext->Dr2 = backUpcontext.Dr2;
            SetContext->Dr3 = backUpcontext.Dr3;
            SetContext->Dr6 = backUpcontext.Dr6;
            SetContext->Dr7 = backUpcontext.Dr7;
        }
    };
 
 
 
    // Locates RtlDispatchException in ntdll by byte pattern, since it is not
    // exported: starts 0x20 bytes past the exported RtlUnwind and scans forward
    // for the x86 hot-patch prologue 8B FF 55 8B EC (mov edi,edi / push ebp /
    // mov ebp,esp), caching the hit in cAddrRtlDispatchException.
    // Returns true when the address is known (cached or just found), false when
    // the pattern is not inside the scanned window.
    // Assumes RtlDispatchException lies shortly after RtlUnwind in .text - a
    // layout detail of particular ntdll builds, not a contract; TODO confirm
    // against each target build.
    bool GetRtlDispatcherAddr()
    {
 
        if (cAddrRtlDispatchException)return true;
        // XorString: presumably a compile-time string-obfuscation helper defined
        // elsewhere; it has to yield a plain C string for these Win32 calls.
        func = (byte*)GetProcAddress(GetModuleHandleA(XorString("ntdll.dll")), XorString("RtlUnwind"));
 
 
 
 
        // NOTE(review): the null check below runs after func has been advanced
        // by 0x20, so a failed GetProcAddress (NULL) becomes 0x20 and is never
        // caught; the scan then reads from an unmapped address. The check has to
        // precede the `+= 0x20`.
        func += 0x20;
        if (!func)
        {
            DbgPrintA("[-]未找到RtlUnwind");
            return false;;
        }
 
 
        // 0x200 candidate start offsets; the 5-byte compare reads up to
        // func[0x203], i.e. roughly 0x224 bytes past RtlUnwind's entry.
        for (int i = 0; i < 0x200; i++)
        {
            //8B FF 55 8B EC
            if (func[i] == 0x8B&& func[i+1] == 0xFF && func[i+2] == 0x55 && func[i+3] == 0x8B && func[i+4] == 0xEC)
            {
 
                // The int cast truncates the pointer on 64-bit targets (see the
                // field comment above).
                cAddrRtlDispatchException = (int)func+i;
                printf("cAddrRtlDispatchException -> 0x%X\r\n", cAddrRtlDispatchException);
                return true;
            }
        }
        return false;
    }
 
 
    // Signature of ntdll!RtlDispatchException as hooked here (x86 stdcall).
    typedef void(_stdcall* _RtlExceptionDispatche)(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT  Context);
 
    // Address of the original function (set in ShutUpVEH from the scan result).
    // In this listing it is only used to give PLH::FnCast a pointer type.
    _RtlExceptionDispatche Old_RtlExceptionDispatche = NULL;
    // Trampoline address that PolyHook2 fills in once the detour is installed;
    // this, not Old_RtlExceptionDispatche, is what the hook calls through.
    uint64_t o_RtlExceptionDispatcher = NULL;
 
    // Detour body installed over RtlDispatchException. Before forwarding to the
    // original through the trampoline, it zeroes the debug-register fields of
    // the CONTEXT that user-mode exception handlers will be shown, so a handler
    // reading Dr0-Dr7 from that CONTEXT sees no hardware breakpoints.
    // Only this CONTEXT image is modified: nothing here calls SetThreadContext,
    // so the thread's actual debug registers are unchanged, and a check that
    // reads them by another route (e.g. GetThreadContext from a second thread)
    // is presumably unaffected. The inline patch on ntdll is itself observable
    // by comparing the in-memory code with the on-disk image.
    // `reset` is meant to restore the saved values after the original returns;
    // whether RtlDispatchException returns at all for a handled exception is
    // not established here, and the restore itself writes through an
    // unassigned pointer (see class hooks).
    NOINLINE void _stdcall RtlExceptionDispatcher(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT  Context)noexcept
    {
        // Constructed before the null check below; its ctor dereferences
        // Context, so that check cannot protect against a null Context.
        auto reset = hooks(Context);
        if (Context)
        {
 
            // NOTE(review): on x86 winnt.h defines CONTEXT_DEBUG_REGISTERS as
            // CONTEXT_i386 | 0x10, so a bitwise AND is non-zero for every x86
            // context regardless of whether the debug registers were captured;
            // `== CONTEXT_DEBUG_REGISTERS` was presumably intended.
            if (Context->ContextFlags & CONTEXT_DEBUG_REGISTERS)
            {
                Context->Dr0 = 0;
                Context->Dr1 = 0;
                Context->Dr2 = 0;
                Context->Dr3 = 0;
                Context->Dr6 = 0;
                Context->Dr7 = 0;
 
            }
        }
        // Forward through PolyHook2's trampoline; FnCast uses the second
        // argument only to deduce the function-pointer type.
        return PLH::FnCast(o_RtlExceptionDispatcher, Old_RtlExceptionDispatche)(ExceptionRecord, Context);
    }
 
 
 
 
 
    // Entry point: resolves RtlDispatchException and installs the x86 inline
    // detour with PolyHook2. Failure is only logged; there is no return value.
    // NOTE(review): detour_RtlExceptionDispatcher is a stack local destroyed on
    // return. Whether PolyHook2's detour destructor also removes the patch is
    // not visible here - confirm, and if it does, keep the detour object alive
    // for as long as the hook is needed.
    void ShutUpVEH()
    {
        if (GetRtlDispatcherAddr())
        {
 
            // x86-mode disassembler and x86Detour: 32-bit only as written.
            PLH::CapstoneDisassembler dis(PLH::Mode::x86);
            Old_RtlExceptionDispatche = (_RtlExceptionDispatche)cAddrRtlDispatchException;
            // (target, callback, out-param for the trampoline address, disassembler)
            PLH::x86Detour detour_RtlExceptionDispatcher((char*)cAddrRtlDispatchException, (char*)&RtlExceptionDispatcher, &o_RtlExceptionDispatcher, dis);
            if (!detour_RtlExceptionDispatcher.hook())
            {
                DbgPrintA("[-] detour_RtlExceptionDispatcher Failed\r\n");
            }
 
        }       
    }
 
 
}
namespace VEHShut
{
 
    // Scan cursor into ntdll's code: set to the exported RtlUnwind, then
    // advanced and indexed by GetRtlDispatcherAddr().
    byte* func = NULL;
    // Not referenced anywhere in this listing (presumably a leftover from the
    // pure-asm version this was ported from).
    int BeckupHardwareBP[5] = { 0 };
    // Address of the located RtlDispatchException prologue, cached so the scan
    // runs only once. Held in an int, so it can only carry a full pointer on a
    // 32-bit build.
    int cAddrRtlDispatchException = NULL;
 
 
 
    // RAII helper: snapshots a CONTEXT on construction and, on destruction,
    // writes the saved debug-register fields Dr0-Dr3, Dr6, Dr7 back through
    // SetContext.
    class hooks
    {
    public:
        CONTEXT backUpcontext;   // full copy of *context taken in the ctor
        PCONTEXT SetContext;     // destination of the restore in the dtor
        // Copies the whole CONTEXT. Dereferences `context` unconditionally, so a
        // null pointer is not survivable here.
        hooks(PCONTEXT context)
        {
            backUpcontext = *context;
        }
        // NOTE(review): SetContext is never assigned anywhere in this listing
        // (not here, not in the ctor, not by the caller), so this destructor
        // writes through an uninitialized pointer - undefined behaviour. The
        // apparent intent is `SetContext = context;` in the ctor; confirm before
        // relying on the restore.
        ~hooks()noexcept
        {
            SetContext->Dr0 = backUpcontext.Dr0;
            SetContext->Dr1 = backUpcontext.Dr1;
            SetContext->Dr2 = backUpcontext.Dr2;
            SetContext->Dr3 = backUpcontext.Dr3;
            SetContext->Dr6 = backUpcontext.Dr6;
            SetContext->Dr7 = backUpcontext.Dr7;
        }
    };
 
 
 
    bool GetRtlDispatcherAddr()
    {
 
        if (cAddrRtlDispatchException)return true;
        func = (byte*)GetProcAddress(GetModuleHandleA(XorString("ntdll.dll")), XorString("RtlUnwind"));
 
 
 
 
        func += 0x20;
        if (!func)
        {
            DbgPrintA("[-]未找到RtlUnwind");
            return false;;
        }
 
 
        for (int i = 0; i < 0x200; i++)
        {
            //8B FF 55 8B EC
            if (func[i] == 0x8B&& func[i+1] == 0xFF && func[i+2] == 0x55 && func[i+3] == 0x8B && func[i+4] == 0xEC)
            {
 


最后于 2023-1-18 02:28 被AlexLoNe编辑 ,原因:
最新回复 (7)
jgs
2
收藏学习,谢谢楼主提供
2023-1-18 06:36
3
感谢分享
2023-1-18 09:05
4
2023-5-19 23:39
5
感谢分享
2023-5-22 21:56
6
感谢分享
2023-5-23 09:03
7
大佬,这段代码要如何调用呢?
2023-5-24 20:59
8
大佬请问支持64位吗???
2024-9-29 11:31
//