首页课程文章
无痕注入APC注入线程注入读写驱动注入技术句柄表进程线程系统调用保护模式内存管理远程CALL软件调试驱动封装云下发驱动开发FPS数据方框透视FPS方框FPS自瞄CED3DHOOKD3D绘制Imgui绘制DWM
内核课程驱动出租学习路线聊天室免责声明提问技巧

软件逆向-DTrace 研究

推荐 原创

周杰伦

文章分类游戏基址二进制漏洞 密码应用智能设备阅读数 : 695阅读时长 : 9分钟

DTrace 研究

Windbg调试器单步异常,直接gn不处理。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
32.0 : kd:x86> gn
The context is partially valid. Only x86 user - mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
vmp3_6 + 0x4fa074 :
00000000 ` 008fa074 90              nop
32.0 : kd:x86> ub
vmp3_6 + 0x4fa063 :
00000000 ` 008fa063 33d3            xor     edx,ebx
00000000 ` 008fa065 ffca            dec     edx
00000000 ` 008fa067 41              inc     ecx
00000000 ` 008fa068 84d9            test    cl,bl
00000000 ` 008fa06a f7da            neg     edx
00000000 ` 008fa06c e91832f0ff      jmp     vmp3_6 + 0x3fd289 ( 007fd289 )
00000000 ` 008fa071 9d              popfd
00000000 ` 008fa072 0f31            rdtsc
32.0 : kd:x86> gn

DTrace

 

 

使用D语言编写监控

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#pragma D option quiet
#pragma D option destructive
 
syscall::Nt * :entry
/ execname = = $ 1 /
{
     / * printf( "%s [Caller %s]\n" ,probefunc, execname); * /
     if (probefunc = = "NtQuerySystemInformation" ) {
         if (arg0 = = 35 ){
             printf( "Detect Kernel Debugger\n" );
         }
     }
 
     if (probefunc = = "NtQueryInformationProcess" ) {
         if (arg1 = = 0x7 ){
             printf( "Detect ProcessDebutPort\n" );
         }
 
         if (arg1 = = 0x1E ){
             printf( "Detect ProcessDebugObjectHandle\n" );
         }
 
         if (arg1 = = 0x1F ){
             printf( "Detect DebugFlags" );
         }
     }
 
     if (probefunc = = "NtSetInformationThread" ){
         if (arg1 = = 0x11 ){
             printf( "HideFromDebugger\n" );
         }
     }
 
     if (probefunc = = "NtQueryInformationProcess" ){
         if (arg1 = = 0 ){
             printf( "Query Process Basic Information \n" );
         }
     }
 
     if (probefunc = = "NtQueryObject" ){
         if (arg1 = = 2 ) {
             printf( "Query Object Type Information\n" );
         }
 
         if (arg1 = = 3 ) {
             printf( "Query Object Types Information\n" );
         }
     }
 
     if (probefunc = = "NtClose" ) {
         printf( "Close Handle : 0x%x\n" ,arg0);
     }
 
     if (probefunc = = "NtSetInformationObject" ) {
         if (arg1 = = 4 ){
             printf( "Set Handle Flag\n" );
         }
     }
 
     if (probefunc = = "NtGetContextThread" ){
         printf( "Get thread by thread handle : 0x%x" ,arg0);
     }
 
     if (probefunc = = "NtYieldExecution" ) {
         printf( "NtYieldExecution\n" );
     }
 
     if (probefunc = = "DbgSetDebugFilterState" ) {
         printf( "DbgSetDebugFilterState\n" );
     }
}

效果发现其检测内核调试器的存在。

 

使用Dtrace进行追踪

1
dtrace.exe - s test.d vmp3. 6.exe

 

使用WinArk做inline hook。

 

 

成功绕过vmp3.6 反内核调试器。

 

其他研究

1
2
3
4
5
6
7
8
0033 : 00000000 ` 00e06169 48c7c101000000     mov     rcx, 1
0033 : 00000000 ` 00e06170 48c7c21b52e000     mov     rdx, 0E0521Bh
0033 : 00000000 ` 00e06177 ff1425d1c09a00     call    qword ptr [ 9AC0D1h ]
0033 : 00000000 ` 00e0617e cc                 int     3
0033 : 00000000 ` 00e0617f 488bc8             mov     rcx, rax
0033 : 00000000 ` 00e06182 ff142577c19a00     call    qword ptr [ 9AC177h ]
0033 : 00000000 ` 00e06189 4883c428           add     rsp, 28h
0033 : 00000000 ` 00e0618d cb                 retf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
0 : kd> gn
The context is partially valid. Only x86 user - mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000 ` 00528bd5 e948073800      jmp     008a9322
32.0 : kd:x86> gn
The context is partially valid. Only x86 user - mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000 ` 0052a6b6 e98dee3700      jmp     008a9548
32.0 : kd:x86> gn
The context is partially valid. Only x86 user - mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000 ` 00529a6a e9f7f93700      jmp     008a9466
32.0 : kd:x86> gn
The context is partially valid. Only x86 user - mode context is available.
WOW64 single step exception - code 4000001e (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
00000000 ` 00527c85 e9c6153800      jmp     008a9250
32.0 : kd:x86> gn


更多【DTrace 研究】相关视频教程:www.yxfzedu.com




相关文章推荐

记录自己的技术轨迹
文章规则:
1):文章标题请尽量与文章内容相符
2):严禁色情、血腥、暴力
3):严禁发布任何形式的广告贴
4):严禁发表关于中国的政治类话题
5):严格遵守中国互联网法律法规
6):有侵权,疑问可发邮件至service@yxfzedu.com
近期原创 更多

Markdown Editor

友情链接
内核结构FAQ
免责声明
课程目录
Windows内核
游戏逆向(FPS)
技术交流QQ群
342478842215039827137189196
314055665159620936
www.yxfzedu.com是一个分享游戏安全,游戏外挂与反外挂,游戏驱动保护的视频网站!
接各种驱动定制如:游戏读写驱动,软件内存保护,防止调试等功能定制。
出租读写驱动,调试驱动,无痕注入支持各种游戏。
邮箱:service@yxfzedu.com
QQ:851920120
特别说明:不接游戏数据分析,外挂编写,登陆协议等类似业务。