NtDebugActiveProcess:
/*
 * NtDebugActiveProcess - attach an already-running process to a debug object.
 *
 * ProcessHandle: handle to the target process; resolved for PROCESS_SUSPEND_RESUME.
 * DebugHandle:   handle to the debug object; resolved for DEBUG_OBJECT_ADD_REMOVE_PROCESS.
 *
 * Both handles go through ObReferenceObjectByHandle under the caller's previous
 * mode, so the requested access rights are enforced for user-mode callers.
 * Attaching to the calling process or to the initial system process is refused
 * with STATUS_ACCESS_DENIED. On the main path the return value is whatever
 * DbgkpSetProcessDebugObject reports; otherwise it is the failing step's status.
 */
NTSTATUS
NTAPI
NtDebugActiveProcess(IN HANDLE ProcessHandle,
                     IN HANDLE DebugHandle)
{
    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
    PEPROCESS Process;
    PDEBUG_OBJECT DebugObject;
    PETHREAD LastThread;
    NTSTATUS Status;
    PAGED_CODE();
    DBGKTRACE(DBGK_PROCESS_DEBUG, "Process: %p Handle: %p\n",
              ProcessHandle, DebugHandle);

    /* Resolve the process handle; the access check runs against PreviousMode */
    Status = ObReferenceObjectByHandle(ProcessHandle,
                                       PROCESS_SUSPEND_RESUME,
                                       PsProcessType,
                                       PreviousMode,
                                       (PVOID*)&Process,
                                       NULL);
    if (!NT_SUCCESS(Status)) return Status;

    /* A process may not debug itself, and the system process is off limits */
    if ((Process == PsGetCurrentProcess()) ||
        (Process == PsInitialSystemProcess))
    {
        Status = STATUS_ACCESS_DENIED;
        goto DerefProcess;
    }

    /* Resolve the debug object handle with the same access-mode rules */
    Status = ObReferenceObjectByHandle(DebugHandle,
                                       DEBUG_OBJECT_ADD_REMOVE_PROCESS,
                                       DbgkDebugObjectType,
                                       PreviousMode,
                                       (PVOID*)&DebugObject,
                                       NULL);
    if (!NT_SUCCESS(Status)) goto DerefProcess;

    /* Hold rundown protection so the process cannot be torn down mid-attach */
    if (!ExAcquireRundownProtection(&Process->RundownProtect))
    {
        Status = STATUS_PROCESS_IS_TERMINATING;
        goto DerefBoth;
    }

    /*
     * The target is already running, so post fake process-create messages to
     * give the debugger a consistent starting state, then bind the debug
     * object to the process. The status of the first step is passed into the
     * second, whose result is what the caller receives.
     */
    Status = DbgkpPostFakeProcessCreateMessages(Process,
                                                DebugObject,
                                                &LastThread);
    Status = DbgkpSetProcessDebugObject(Process,
                                        DebugObject,
                                        Status,
                                        LastThread);
    ExReleaseRundownProtection(&Process->RundownProtect);

DerefBoth:
    /* Drop both references taken above and report the attach result */
    ObDereferenceObject(Process);
    ObDereferenceObject(DebugObject);
    return Status;

DerefProcess:
    /* Only the process reference was taken on this path */
    ObDereferenceObject(Process);
    return Status;
}
模块断链:
#include <iostream>
#include <Windows.h>
// Local definition of the native counted UTF-16 string (the same shape that
// winternl.h declares as UNICODE_STRING); it is only used for the two name
// fields of LDR_DATA_TABLE_ENTRY below.
typedef struct _UNICODE_STRING
{
    USHORT Length;         // bytes in use in Buffer (not characters)
    USHORT MaximumLength;  // bytes available in Buffer
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Loader bookkeeping reachable from PEB->Ldr. HideModule reads this pointer
// from PEB+0x0C via inline asm, i.e. this is the 32-bit layout. The three
// LIST_ENTRY members are the heads of the loader's module lists; HideModule
// walks InLoadOrderModuleList and unlinks one entry from all three.
typedef struct _PEB_LDR_DATA
{
    ULONG Length;
    UCHAR Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;            // list head, load order
    LIST_ENTRY InMemoryOrderModuleList;          // list head, memory order
    LIST_ENTRY InInitializationOrderModuleList;  // list head, initialization order
    PVOID EntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
// One loaded module as tracked by the user-mode loader (32-bit layout; the
// field names follow older public listings rather than winternl.h, which
// calls the first three InLoadOrderLinks/InMemoryOrderLinks/
// InInitializationOrderLinks and BaseAddress DllBase — same positions).
// HideModule recovers an entry from a list node with CONTAINING_RECORD on
// InLoadOrderModuleList and matches it by BaseAddress.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderModuleList;            // node in PEB_LDR_DATA.InLoadOrderModuleList
    LIST_ENTRY InMemoryOrderModuleList;          // node in PEB_LDR_DATA.InMemoryOrderModuleList
    LIST_ENTRY InInitializationOrderModuleList;  // node in PEB_LDR_DATA.InInitializationOrderModuleList
    PVOID BaseAddress;                           // image base; compared against GetModuleHandle()
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    ULONG CheckSum;
    ULONG TimeDateStamp;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/*
 * Unlinks the loader entry for strModuleName from the three module lists in
 * this process's own PEB (load order, initialization order, memory order).
 *
 * Only the user-mode loader's bookkeeping is changed: the image stays mapped,
 * and kernel-side records of the mapping are untouched, which is why the
 * post's author notes that !vad still shows the module. Anything that
 * enumerates modules without trusting the PEB lists is therefore unaffected.
 *
 * 32-bit MSVC only: the __asm block reads fs:[0x30] (TEB->PEB on x86) and
 * then PEB+0x0C (Ldr); neither the inline asm nor those offsets apply to x64.
 * No loader lock is taken around the list surgery, so a concurrent
 * load/unload could observe a partially modified list.
 */
void HideModule(CONST TCHAR *strModuleName)
{
    HMODULE hModule;
    PLIST_ENTRY pCurrentModule, pNextModule;
    PPEB_LDR_DATA pLdr;
    PLDR_DATA_TABLE_ENTRY pLdrModuleInfo;
    // NOTE(review): the result is not checked. If the module is not loaded,
    // hModule is NULL and the loop below simply finds no match.
    hModule = GetModuleHandle(strModuleName);
    // PEB->Ldr: fs:[0x30] holds the PEB pointer in the x86 TEB, Ldr is at +0x0C.
    __asm
    {
        mov eax, fs:[0x30]
        mov ecx, [eax + 0x0c]
        mov pLdr, ecx
    }
    // Walk the in-load-order list starting after its head, stopping when the
    // traversal wraps back to the head.
    pCurrentModule = &(pLdr->InLoadOrderModuleList);
    pNextModule = pCurrentModule->Flink;
    do
    {
        // Recover the owning entry from its embedded in-load-order link.
        pLdrModuleInfo = CONTAINING_RECORD(pNextModule, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
        // Match by image base (main() passes kernel32.dll).
        if (hModule == pLdrModuleInfo->BaseAddress)
        {
            // Splice the entry out of each list by pointing its two neighbours
            // at each other. The entry's own Flink/Blink are left as they were.
            pLdrModuleInfo->InLoadOrderModuleList.Blink->Flink = pLdrModuleInfo->InLoadOrderModuleList.Flink;
            pLdrModuleInfo->InLoadOrderModuleList.Flink->Blink = pLdrModuleInfo->InLoadOrderModuleList.Blink;
            pLdrModuleInfo->InInitializationOrderModuleList.Blink->Flink = pLdrModuleInfo->InInitializationOrderModuleList.Flink;
            pLdrModuleInfo->InInitializationOrderModuleList.Flink->Blink = pLdrModuleInfo->InInitializationOrderModuleList.Blink;
            pLdrModuleInfo->InMemoryOrderModuleList.Blink->Flink = pLdrModuleInfo->InMemoryOrderModuleList.Flink;
            pLdrModuleInfo->InMemoryOrderModuleList.Flink->Blink = pLdrModuleInfo->InMemoryOrderModuleList.Blink;
            break;
        }
        pNextModule = pNextModule->Flink;
    } while (pCurrentModule != pNextModule);
}
// Waits for a keypress, unlinks kernel32.dll from this process's loader lists,
// reports completion, and keeps the console open via the shell before exiting.
int main(void)
{
    // Block until Enter is pressed so the module state can be inspected
    // (e.g. from an attached debugger) before the lists are modified.
    (void)getchar();
    HideModule(TEXT("kernel32.dll"));
    printf("断链完成\n");
    // "pause" is run through the command interpreter; it only holds the window.
    system("pause");
    return 0;
}
上面的断链是没用的，我只是水一下；!vad 指令还是可以看见的。