-
-
[原创]反硬件断点检测附源码
-
发表于: 2023-1-18 01:48
-
话不多说上代码
在前辈的文章中是使用了纯汇编的写法,我这里将其简单转成了C++的格式并且动态定位Hook函数,使用PolyHook2,Hook了RtlExceptionDispatcher,在其中将DR寄存器清0,然后利用析构函数的特性会待RtlExceptionDispatcher函数执行完之后将其修复,我个人按照前辈的方法使用纯汇编Hook KiUserExceptionDispatcher是存在一些问题的,所以换了一条路
最后附上使用本例子Hook DX9的效果图
也算是在2023年交了份2013年的作业吧哈哈
最后感谢前辈们的辛勤付出,正所谓前人栽树后人乘凉,如果没有你们我作为一个后生无法在这个知识付费的时代享受到如此优质的资源
参考资料:
1.PolyHook2 https://github.com/stevemk14ebr/polyhook_2_0
2.[原创]抛砖引玉—硬件断点的检测和反检测 https://bbs.kanxue.com/thread-181720.htm
namespace VEHShut{ byte* func = NULL;
int BeckupHardwareBP[5] = { 0 };
int cAddrRtlDispatchException = NULL;
class hooks
{
public:
CONTEXT backUpcontext;
PCONTEXT SetContext;
hooks(PCONTEXT context)
{
backUpcontext = *context;
}
~hooks()noexcept
{
SetContext->Dr0 = backUpcontext.Dr0;
SetContext->Dr1 = backUpcontext.Dr1;
SetContext->Dr2 = backUpcontext.Dr2;
SetContext->Dr3 = backUpcontext.Dr3;
SetContext->Dr6 = backUpcontext.Dr6;
SetContext->Dr7 = backUpcontext.Dr7;
}
};
bool GetRtlDispatcherAddr()
{
if (cAddrRtlDispatchException)return true;
func = (byte*)GetProcAddress(GetModuleHandleA(XorString("ntdll.dll")), XorString("RtlUnwind"));
func += 0x20;
if (!func)
{
DbgPrintA("[-]未找到RtlUnwind");
return false;;
}
for (int i = 0; i < 0x200; i++)
{
//8B FF 55 8B EC
if (func[i] == 0x8B&& func[i+1] == 0xFF && func[i+2] == 0x55 && func[i+3] == 0x8B && func[i+4] == 0xEC)
{
cAddrRtlDispatchException = (int)func+i;
printf("cAddrRtlDispatchException -> 0x%X\r\n", cAddrRtlDispatchException);
return true;
}
}
return false;
}
typedef void(_stdcall* _RtlExceptionDispatche)(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT Context);
_RtlExceptionDispatche Old_RtlExceptionDispatche = NULL;
uint64_t o_RtlExceptionDispatcher = NULL;
NOINLINE void _stdcall RtlExceptionDispatcher(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT Context)noexcept
{
auto reset = hooks(Context);
if (Context)
{
if (Context->ContextFlags & CONTEXT_DEBUG_REGISTERS)
{
Context->Dr0 = 0;
Context->Dr1 = 0;
Context->Dr2 = 0;
Context->Dr3 = 0;
Context->Dr6 = 0;
Context->Dr7 = 0;
}
}
return PLH::FnCast(o_RtlExceptionDispatcher, Old_RtlExceptionDispatche)(ExceptionRecord, Context);
}
void ShutUpVEH()
{
if (GetRtlDispatcherAddr())
{
PLH::CapstoneDisassembler dis(PLH::Mode::x86);
Old_RtlExceptionDispatche = (_RtlExceptionDispatche)cAddrRtlDispatchException;
PLH::x86Detour detour_RtlExceptionDispatcher((char*)cAddrRtlDispatchException, (char*)&RtlExceptionDispatcher, &o_RtlExceptionDispatcher, dis);
if (!detour_RtlExceptionDispatcher.hook())
{
DbgPrintA("[-] detour_RtlExceptionDispatcher Failed\r\n");
}
}
}
}namespace VEHShut{ byte* func = NULL;
int BeckupHardwareBP[5] = { 0 };
int cAddrRtlDispatchException = NULL;
class hooks
{
public:
CONTEXT backUpcontext;
PCONTEXT SetContext;
hooks(PCONTEXT context)
{
backUpcontext = *context;
}
~hooks()noexcept
{
SetContext->Dr0 = backUpcontext.Dr0;
SetContext->Dr1 = backUpcontext.Dr1;
SetContext->Dr2 = backUpcontext.Dr2;
SetContext->Dr3 = backUpcontext.Dr3;
SetContext->Dr6 = backUpcontext.Dr6;
SetContext->Dr7 = backUpcontext.Dr7;
}
};
bool GetRtlDispatcherAddr()
{
if (cAddrRtlDispatchException)return true;
func = (byte*)GetProcAddress(GetModuleHandleA(XorString("ntdll.dll")), XorString("RtlUnwind"));
func += 0x20;
if (!func)
{
DbgPrintA("[-]未找到RtlUnwind");
return false;;
}
for (int i = 0; i < 0x200; i++)
{
//8B FF 55 8B EC
if (func[i] == 0x8B&& func[i+1] == 0xFF && func[i+2] == 0x55 && func[i+3] == 0x8B && func[i+4] == 0xEC)
{
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2023-1-18 02:28
被AlexLoNe编辑
,原因:
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
