DebugActiveProcess

古月不傲 发表于 2020-3-16 14:02

本帖最后由古月不傲于 2020-3-16 14:14 编辑

NtDebugActiveProcess：
NTSTATUS
NTAPI
NtDebugActiveProcess(IN HANDLE ProcessHandle,
                  IN HANDLE DebugHandle)
{
PEPROCESS Process;
PDEBUG_OBJECT DebugObject;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
PETHREAD LastThread;
NTSTATUS Status;
PAGED_CODE();
DBGKTRACE(DBGK_PROCESS_DEBUG, "Process: %p Handle: %p\n",
         ProcessHandle, DebugHandle);

/* Reference the process */
//通过传过来的句柄获取进程对象
Status = ObReferenceObjectByHandle(ProcessHandle,
                                    PROCESS_SUSPEND_RESUME,
                                    PsProcessType,
                                    PreviousMode,
                                    (PVOID*)&Process,
                                    NULL);
if (!NT_SUCCESS(Status)) return Status;

/* Don't allow debugging the current process or the system process */
//不允许调试当前进程或者系统进程
if ((Process == PsGetCurrentProcess()) ||
      (Process == PsInitialSystemProcess))
{
   /* Dereference and fail */
   ObDereferenceObject(Process);
   return STATUS_ACCESS_DENIED;
}

/* Reference the debug object */
//通过传过来的句柄获取调试对象
Status = ObReferenceObjectByHandle(DebugHandle,
                                    DEBUG_OBJECT_ADD_REMOVE_PROCESS,
                                    DbgkDebugObjectType,
                                    PreviousMode,
                                    (PVOID*)&DebugObject,
                                    NULL);
if (!NT_SUCCESS(Status))
{
   /* Dereference the process and exit */
   ObDereferenceObject(Process);
   return Status;
}

/* Acquire process rundown protection */
//对进程进行保护
if (!ExAcquireRundownProtection(&Process->RundownProtect))
{
   /* Dereference the process and debug object and exit */
   ObDereferenceObject(Process);
   ObDereferenceObject(DebugObject);
   return STATUS_PROCESS_IS_TERMINATING;
}

/* Send fake create messages for debuggers to have a consistent state */
//由于进程已经运行所以要发送假的创建信息给调试器
Status = DbgkpPostFakeProcessCreateMessages(Process,
                                             DebugObject,
                                             &LastThread);
//构建桥梁让调试进程和调试器之间通信通过设置调试进程的调试端口
Status = DbgkpSetProcessDebugObject(Process,
                                    DebugObject,
                                    Status,
                                    LastThread);

/* Release rundown protection */
//恢复进程保护
ExReleaseRundownProtection(&Process->RundownProtect);

/* Dereference the process and debug object and return status */
//恢复对象引用计数
ObDereferenceObject(Process);
ObDereferenceObject(DebugObject);
return Status;
}
模块断链：
#include <iostream>
#include <Windows.h>

typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTRBuffer;
}UNICODE_STRING, *PUNICODE_STRING;

typedef struct _PEB_LDR_DATA
{
ULONG Length;
UCHAR Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY       InLoadOrderModuleList;
LIST_ENTRY       InMemoryOrderModuleList;
LIST_ENTRY       InInitializationOrderModuleList;
PVOID             BaseAddress;
PVOID             EntryPoint;
ULONG             SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING    BaseDllName;
ULONG             Flags;
USHORT          LoadCount;
USHORT          TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
ULONG             CheckSum;
ULONG             TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

void HideModule(CONST TCHAR *strModuleName)
{
HMODULE hModule;
PLIST_ENTRY pCurrentModule, pNextModule;
PPEB_LDR_DATA pLdr;
PLDR_DATA_TABLE_ENTRY pLdrModuleInfo;

hModule = GetModuleHandle(strModuleName);
//指向LDR_DATA_TABLE_ENTRY
__asm
{
   mov eax, fs:
   mov ecx,
   mov pLdr, ecx
}
pCurrentModule = &(pLdr->InLoadOrderModuleList);
pNextModule = pCurrentModule->Flink;
do
{
//获取下一个LDR_DATA_TABLE_ENTRY基址
   pLdrModuleInfo = CONTAINING_RECORD(pNextModule, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
//找到Kernel32.dll 断链
   if (hModule == pLdrModuleInfo->BaseAddress)
{
         pLdrModuleInfo->InLoadOrderModuleList.Blink->Flink = pLdrModuleInfo->InLoadOrderModuleList.Flink;
         pLdrModuleInfo->InLoadOrderModuleList.Flink->Blink = pLdrModuleInfo->InLoadOrderModuleList.Blink;

         pLdrModuleInfo->InInitializationOrderModuleList.Blink->Flink = pLdrModuleInfo->InInitializationOrderModuleList.Flink;
         pLdrModuleInfo->InInitializationOrderModuleList.Flink->Blink = pLdrModuleInfo->InInitializationOrderModuleList.Blink;

         pLdrModuleInfo->InMemoryOrderModuleList.Blink->Flink = pLdrModuleInfo->InMemoryOrderModuleList.Flink;
         pLdrModuleInfo->InMemoryOrderModuleList.Flink->Blink = pLdrModuleInfo->InMemoryOrderModuleList.Blink;
         break;
   }
   pNextModule = pNextModule->Flink;
} while (pCurrentModule != pNextModule);
}

int main()
{
getchar();
HideModule(TEXT("kernel32.dll"));
printf("断链完成\n");

system("pause");
return 0;
}
上面断链是没用的我只是水一下 !vad指令还是可以看见的。

yzc55 发表于 2020-3-16 14:04

这是那门子天书
请大佬翻译一下:loveliness:

黑龍发表于 2020-3-16 14:42

为啥子我评分出那玩意，网页过滤插件的问题么

页: [1]

吾爱破解 - 52pojie.cn's Archiver

DebugActiveProcess