[C&C++ 转载] OD/CE 过掉TMD壳附加检查

等雨听风 发表于 2014-4-1 19:29
本帖最后由 等雨听风 于 2014-4-1 19:30 编辑

原创:http://blog.csdn.net/fenqingfj/article/details/22750907
恢复OD进程附加原理

1、恢复DbgBreakPoint和DbgUiRemoteBreakin被HOOK代码

//由于我是使用ntdll SDK,可直接使用NTDLL中的API,如果你们不能使用,直接用GetProcAddress获取API
注意：该处的修复可以自己写个HOOK放到LoadLibrary上，每次加载DLL时都处理一次，以防某些DLL也带有TMD壳、又会被恢复回去。
ntdll->DbgBreakPoint 被TMD壳修改为retn-> 0xC3

// Put the first byte of ntdll!DbgBreakPoint back to 0xCC (int 3). The text
// above says the packer overwrote it with 0xC3 (retn), so a debugger's
// break-in thread would silently return instead of stopping.
// NOTE(review): the VirtualProtect result is not checked, so if the
// protection change fails the write below likely faults; and the old
// protection is never restored, leaving the page writable+executable.
DWORD lpflOldProtect;
LPVOID ulAddress= DbgBreakPoint;
VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpflOldProtect);
*(BYTE*)(ulAddress) =0xCC;

ntdll->DbgUiRemoteBreakin 被TMD修改为JMP LdrShutdownProcess
// Put the first five bytes of ntdll!DbgUiRemoteBreakin back (the text above
// says the packer replaced them with a JMP to LdrShutdownProcess). The
// 0x6A / 0xFC686808 values are presumably the original prologue bytes taken
// from the author's own ntdll build; they are hard-coded and are unlikely to
// match a different ntdll version — verify before relying on them.
// NOTE(review): this line is missing its ';', and the VirtualProtect call
// below passes `lpProtect`, which is not declared (the earlier snippet used
// `lpflOldProtect`). As in the first snippet, the return value is unchecked
// and the old protection is never restored.
ulAddress = DbgUiRemoteBreakin
VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpProtect);
*(BYTE*)(ulAddress) =0x6A;
*(DWORD*)((BYTE*)ulAddress+1)= 0xFC686808;

2、修复允许CE的附加
第一步虽然修复了允许附加,但TMD壳本身还自带线程检查ANTI,所以我们要终止掉这些线程

// Resolves which module a thread's Win32 start address falls in.
//   szModuleName : out, receives the mapped file name of the start address;
//                  assumed to have room for MAX_PATH bytes (the caller below
//                  passes char[MAX_PATH]).
//   szThreadId   : the thread ID to inspect (a DWORD id despite the sz prefix).
//   StartAddress : out, the thread's Win32 start address as reported by
//                  ZwQueryInformationThread.
//   hThread      : out, the opened thread handle. On TRUE the caller owns it
//                  and must CloseHandle it; on FALSE it is either NULL
//                  (OpenThread failed) or already closed (query failed).
// Returns FALSE when OpenThread or the NTSTATUS query fails; in the latter
// case the last error is set from the NTSTATUS.
// NOTE(review): GetMappedFileNameA returns a DWORD (0 on failure), so the
// `>= 0` test on the last line is always true — a failed lookup still yields
// TRUE with szModuleName unset. Testing `!= 0` would detect the failure.
// NOTE(review): THREAD_ALL_ACCESS is broader than this function itself needs;
// the caller later passes the handle to TerminateThread, which is the part
// that requires THREAD_TERMINATE. Names starting with `_` plus an uppercase
// letter are reserved for the implementation in C/C++.
BOOL WINAPI _AhnHS_GetThreadModuleName(char* szModuleName,DWORD szThreadId,LPVOID & StartAddress,HANDLE & hThread)
{
// Opened here; becomes the caller's to close on the TRUE path.
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, szThreadId);


if (!hThread) return FALSE;


// NTSTATUS: negative values are failures. The handle is released here so the
// caller never receives a live handle together with FALSE.
LONG status= ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &StartAddress, sizeof(StartAddress), NULL);
if(status <0)
{
CloseHandle(hThread);
SetLastError(RtlNtStatusToDosError(status));
return FALSE;
}


// Map the start address back to the file name of the module containing it
// (see the note above about the always-true comparison).
return (GetMappedFileNameA(GetCurrentProcess(), StartAddress, szModuleName, MAX_PATH)>=0) ? TRUE : FALSE;
}

// Walks every thread of the current process and terminates the ones the author
// treats as the packer's (TMD) check threads. A thread is terminated when all
// of the following hold: it belongs to this process, it is not the main
// thread, its start address maps to the main executable
// (AntiHookGetModuleInfo()->AppName), and that start address is NOT strictly
// inside the first PE section of that module (presumably the original code
// section — an assumption inherited from the author, not verified here).
// AntiHookGetModuleInfo / AntiHookGetMainThreadId are defined elsewhere.
// NOTE(review): the BOOL from Thread32First (dwRet) is never checked, so a
// failed first enumeration still runs the loop body on an empty THREADENTRY32.
// NOTE(review): hThread leaks on the `continue` inside the if-block — the
// CloseHandle at the end of the loop body is skipped for threads that are kept.
// NOTE(review): the (DWORD) casts of pointers only hold in a 32-bit process,
// and the section test reads pSection[1], so it assumes at least two sections.
// TerminateThread gives the victim thread no chance to release locks or heap
// state, so the process can be left inconsistent. `context` is never used.
void WINAPI _AhnHS_PassThreadByTMD()
{
HANDLE hThreadSnap , hThread;
THREADENTRY32 te32= {0};
CONTEXT    context= {0};


// System-wide thread snapshot; filtered to this process inside the loop.
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if ( hThreadSnap == INVALID_HANDLE_VALUE )
return;


// The memset is redundant with the = {0} initializer; dwSize must be set
// before Thread32First.
memset(&te32, 0, sizeof(THREADENTRY32));
te32.dwSize = sizeof(THREADENTRY32);


BOOL dwRet= Thread32First(hThreadSnap, &te32);   // result unused (see note above)
DWORD dwCurrentProcessId= GetCurrentProcessId();


do
{
// Skip other processes' threads. No handle has been opened yet at this point.
if (te32.th32OwnerProcessID != dwCurrentProcessId) continue;


char szModuleFileName[MAX_PATH];
LPVOID StartAddress;


// On FALSE the helper returns no live handle, so continuing here does not leak.
if(!_AhnHS_GetThreadModuleName(szModuleFileName,te32.th32ThreadID,StartAddress,hThread)) continue;


// Base name of the mapped file: the text after the last backslash.
char* pszName= (strrchr(szModuleFileName,'\\')) ? strrchr(szModuleFileName,'\\')+1 : szModuleFileName;


// AntiHookGetMainThreadId() = the main thread's ID; adapt to your own code.

if(lstrcmpiA(pszName,AntiHookGetModuleInfo()->AppName)==0 && AntiHookGetMainThreadId()!=te32.th32ThreadID)
{
// Thread starts in the main module but outside its code block: treated as
// another check thread and terminated.
HMODULE lib = GetModuleHandleA(pszName);
// Locate the NT headers via e_lfanew, then the first section header right
// after them. (`PIMAGE_NT_HEADERS nth` was presumably intended; the space
// appears to have been lost.)
PIMAGE_NT_HEADERSnth = PIMAGE_NT_HEADERS(PBYTE(lib) + PIMAGE_DOS_HEADER(lib)->e_lfanew);
IMAGE_SECTION_HEADER*pSection =(IMAGE_SECTION_HEADER*)((DWORD)nth + sizeof(IMAGE_NT_HEADERS));

// Keep threads whose start address lies strictly between the first and
// second section's virtual addresses (relative to the module base).
// NOTE(review): this `continue` skips CloseHandle(hThread) below — handle leak.
if((DWORD)StartAddress>(pSection[0].VirtualAddress+(DWORD)lib) && (DWORD)StartAddress<pSection[1].VirtualAddress+(DWORD)lib) continue;

TerminateThread(hThread,0);
}


CloseHandle(hThread);


}while(Thread32Next(hThreadSnap, &te32));


CloseHandle(hThreadSnap);
}

OK,万事大吉,世界清静了


Exo 发表于 2014-4-1 19:39
吾爱有你更精彩!
520Kelly 发表于 2014-4-1 20:33
坐等写个反虚拟机无法运行的dll成品、、过掉虚拟机无法运行的提示