[C&C++ 原创] DebugActiveProcess

古月不傲 发表于 2020-3-16 14:02
本帖最后由 古月不傲 于 2020-3-16 14:14 编辑

NtDebugActiveProcess:
/*
 * NtDebugActiveProcess - attach an already-running process to a debug object.
 *
 * ProcessHandle: handle to the target process; must grant PROCESS_SUSPEND_RESUME.
 * DebugHandle:   handle to the debug object; must grant DEBUG_OBJECT_ADD_REMOVE_PROCESS.
 *
 * Returns STATUS_ACCESS_DENIED when the target is the calling process or the
 * initial system process, STATUS_PROCESS_IS_TERMINATING when rundown
 * protection cannot be acquired, otherwise the status produced by
 * DbgkpSetProcessDebugObject (or an earlier handle-lookup failure).
 *
 * Both handle lookups are done with the caller's previous mode, so a
 * user-mode caller is subject to the normal handle-table access checks.
 * Rundown protection is held while the debug port is installed so the
 * process cannot be torn down underneath us.
 */
NTSTATUS
NTAPI
NtDebugActiveProcess(IN HANDLE ProcessHandle,
                     IN HANDLE DebugHandle)
{
    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
    PEPROCESS Process;
    PDEBUG_OBJECT DebugObject;
    PETHREAD LastThread;
    NTSTATUS Status;
    BOOLEAN DebugObjectReferenced = FALSE;

    PAGED_CODE();
    DBGKTRACE(DBGK_PROCESS_DEBUG, "Process: %p Handle: %p\n",
              ProcessHandle, DebugHandle);

    /* Resolve the target process from the caller's handle. */
    Status = ObReferenceObjectByHandle(ProcessHandle,
                                       PROCESS_SUSPEND_RESUME,
                                       PsProcessType,
                                       PreviousMode,
                                       (PVOID*)&Process,
                                       NULL);
    if (!NT_SUCCESS(Status)) return Status;

    /* A process may not debug itself, and nobody debugs the System process. */
    if ((Process == PsGetCurrentProcess()) ||
        (Process == PsInitialSystemProcess))
    {
        Status = STATUS_ACCESS_DENIED;
        goto Cleanup;
    }

    /* Resolve the debug object the caller wants to attach to. */
    Status = ObReferenceObjectByHandle(DebugHandle,
                                       DEBUG_OBJECT_ADD_REMOVE_PROCESS,
                                       DbgkDebugObjectType,
                                       PreviousMode,
                                       (PVOID*)&DebugObject,
                                       NULL);
    if (!NT_SUCCESS(Status)) goto Cleanup;
    DebugObjectReferenced = TRUE;

    /* Refuse to attach to a process that is already being run down. */
    if (!ExAcquireRundownProtection(&Process->RundownProtect))
    {
        Status = STATUS_PROCESS_IS_TERMINATING;
        goto Cleanup;
    }

    /*
     * The process is already running, so synthesize the process/thread
     * "create" messages a debugger expects to have seen. The resulting
     * status is handed to DbgkpSetProcessDebugObject, which installs the
     * debug port and decides what to do if the fake messages failed.
     */
    Status = DbgkpPostFakeProcessCreateMessages(Process,
                                                DebugObject,
                                                &LastThread);
    Status = DbgkpSetProcessDebugObject(Process,
                                        DebugObject,
                                        Status,
                                        LastThread);

    ExReleaseRundownProtection(&Process->RundownProtect);

Cleanup:
    /* Drop the references taken above, process first as in every exit path. */
    ObDereferenceObject(Process);
    if (DebugObjectReferenced) ObDereferenceObject(DebugObject);
    return Status;
}

模块断链:
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <Windows.h>

/*
 * Counted UTF-16 string as used by the loader structures below.
 * Length/MaximumLength are in bytes, not characters.
 * Declared locally rather than via <winternl.h>, presumably to avoid that
 * header; if <winternl.h> is ever included this definition will clash with it.
 */
typedef struct _UNICODE_STRING 
{
	USHORT Length;
	USHORT MaximumLength;
	PWSTR  Buffer;
}UNICODE_STRING, *PUNICODE_STRING;

/*
 * Loader bookkeeping block reached from PEB->Ldr (HideModule reads it at
 * PEB+0x0c, i.e. the 32-bit x86 layout). The three LIST_ENTRY heads are the
 * module lists a user-mode enumerator walks; HideModule only traverses
 * InLoadOrderModuleList. Field offsets are version/architecture dependent --
 * TODO confirm against the target OS before reusing on anything but x86.
 */
typedef struct _PEB_LDR_DATA
{
    ULONG		Length;							
    UCHAR		Initialized;							
    PVOID		SsHandle;								
    LIST_ENTRY	InLoadOrderModuleList;			
    LIST_ENTRY	InMemoryOrderModuleList;			
    LIST_ENTRY	InInitializationOrderModuleList;	
	PVOID		EntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;					

/*
 * One loaded module as tracked by ntdll's loader. HideModule only touches
 * the three list links and reads BaseAddress; every field after them is
 * present solely so the struct is the expected size on 32-bit x86.
 * The names differ from the public winternl.h spelling (InLoadOrderLinks,
 * DllBase), which is presumably why a private copy is declared here.
 * Note that HashLinks is not unlinked by HideModule, so lookups that go
 * through the loader hash table may still find the module -- verify on the
 * target OS.
 */
typedef struct _LDR_DATA_TABLE_ENTRY 
{
    LIST_ENTRY          InLoadOrderModuleList;
    LIST_ENTRY          InMemoryOrderModuleList;
    LIST_ENTRY          InInitializationOrderModuleList;
    PVOID               BaseAddress;
	PVOID               EntryPoint;
    ULONG               SizeOfImage;
    UNICODE_STRING		FullDllName;
    UNICODE_STRING      BaseDllName;
    ULONG               Flags;
    USHORT              LoadCount;
	USHORT              TlsIndex;
	LIST_ENTRY			HashLinks;
	PVOID				SectionPointer;
    ULONG               CheckSum;
    ULONG               TimeDateStamp;
	PVOID				LoadedImports;
	PVOID				EntryPointActivationContext;
	PVOID				PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

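/*
 * Remove one LIST_ENTRY from its doubly-linked list. The entry's own
 * Flink/Blink are left as they were, matching the original behaviour.
 */
static void UnlinkEntry(PLIST_ENTRY pEntry)
{
    pEntry->Blink->Flink = pEntry->Flink;
    pEntry->Flink->Blink = pEntry->Blink;
}

/*
 * HideModule - unlink a loaded module from the three PEB loader lists
 * (load order, memory order, initialization order) so user-mode code that
 * enumerates those lists no longer reports it.
 *
 * strModuleName: module name in the form GetModuleHandle() accepts.
 * Returns nothing. Does nothing if the module is not loaded in this process.
 *
 * Scope and caveats:
 *  - x86 only: the PEB is read from fs:[0x30] with MSVC inline asm, which the
 *    x64 compiler does not support (and the x64 PEB lives at gs:[0x60]).
 *  - The LDR_DATA_TABLE_ENTRY itself stays in memory and HashLinks is not
 *    touched, so this hides the module from list walkers only; kernel-side
 *    views of the mapping (e.g. the VAD tree shown by !vad) are unaffected.
 *  - No loader lock is taken while the lists are rewritten; call this before
 *    other threads may be loading or unloading modules.
 */
void HideModule(CONST TCHAR *strModuleName)
{
    HMODULE hModule = GetModuleHandle(strModuleName);
    if (hModule == NULL)
    {
        return; /* not loaded: nothing to unlink */
    }

    PPEB_LDR_DATA pLdr;
    __asm 
    {
        mov eax, fs:[0x30]      /* TEB->PEB */
        mov ecx, [eax + 0x0c]   /* PEB->Ldr */
        mov pLdr, ecx
    }

    PLIST_ENTRY pHead = &(pLdr->InLoadOrderModuleList);
    for (PLIST_ENTRY pLink = pHead->Flink; pLink != pHead; pLink = pLink->Flink)
    {
        /* Recover the enclosing loader entry from its load-order link. */
        PLDR_DATA_TABLE_ENTRY pMod =
            CONTAINING_RECORD(pLink, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
        if (pMod->BaseAddress != (PVOID)hModule)
        {
            continue;
        }

        UnlinkEntry(&pMod->InLoadOrderModuleList);
        UnlinkEntry(&pMod->InMemoryOrderModuleList);
        /*
         * NOTE(review): the main executable's entry presumably carries NULL
         * init-order links (it is not on that list); guard so that hiding the
         * EXE itself does not dereference NULL. Confirm on the target OS.
         */
        if (pMod->InInitializationOrderModuleList.Flink != NULL &&
            pMod->InInitializationOrderModuleList.Blink != NULL)
        {
            UnlinkEntry(&pMod->InInitializationOrderModuleList);
        }
        break;
    }
}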

/*
 * Demo driver: block on a keypress (time to inspect the module lists from a
 * debugger, presumably), unlink kernel32.dll from the PEB lists, report, and
 * hold the console open. system("pause") is kept for parity with the original;
 * a plain getchar() would do without spawning a shell.
 */
int main() 
{
	(void)getchar();
    HideModule(TEXT("kernel32.dll"));
    puts("断链完成");

	system("pause");
	return 0;
 }

上面的断链其实没什么用,我只是水一下:它只是把模块从 PEB 中 Ldr 的三条链表上摘掉,模块本身和内核侧的 VAD 树都没有变,所以在 WinDbg 里用 !vad 指令还是可以看见的。



yzc55 发表于 2020-3-16 14:04
这是那门子天书  
请大佬翻译一下
黑龍 发表于 2020-3-16 14:42
为啥子我评分出那玩意,网页过滤插件的问题么
