lkd> dt _EPROCESS
nt!_EPROCESS
   +0x000 Pcb : _KPROCESS
   +0x06c ProcessLock : _EX_PUSH_LOCK
   +0x070 CreateTime : _LARGE_INTEGER
   +0x078 ExitTime : _LARGE_INTEGER
   +0x080 RundownProtect : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage : [3] Uint4B
   +0x09c QuotaPeak : [3] Uint4B
   +0x0a8 CommitCharge : Uint4B
   +0x0ac PeakVirtualSize : Uint4B
   +0x0b0 VirtualSize : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort : Ptr32 Void
   +0x0c0 ExceptionPort : Ptr32 Void
   +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
   +0x0c8 Token : _EX_FAST_REF
   +0x0cc WorkingSetLock : _FAST_MUTEX
   +0x0ec WorkingSetPage : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock : Uint4B
   +0x114 ForkInProgress : Ptr32 _ETHREAD
   +0x118 HardwareTrigger : Uint4B
   +0x11c VadRoot : Ptr32 Void
   +0x120 VadHint : Ptr32 Void
   +0x124 CloneRoot : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process : Ptr32 Void
   +0x134 Job : Ptr32 _EJOB
   +0x138 SectionObject : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation : Ptr32 Void
   +0x154 VadFreeHint : Ptr32 Void
   +0x158 VdmObjects : Ptr32 Void
   +0x15c DeviceMap : Ptr32 Void
   +0x160 PhysicalVadList : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE
   +0x168 Filler : Uint8B
   +0x170 Session : Ptr32 Void
   +0x174 ImageFileName : [16] UChar
   +0x184 JobLinks : _LIST_ENTRY
   +0x18c LockedPagesList : Ptr32 Void
   +0x190 ThreadListHead : _LIST_ENTRY
   +0x198 SecurityPort : Ptr32 Void
   +0x19c PaeTop : Ptr32 Void
   +0x1a0 ActiveThreads : Uint4B
   +0x1a4 GrantedAccess : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb : Ptr32 _PEB
   +0x1b4 PrefetchTrace : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm : _MMSUPPORT
   +0x238 LastFaultCount : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads : Uint4B
   +0x244 JobStatus : Uint4B
   +0x248 Flags : Uint4B
   +0x248 CreateReported : Pos 0, 1 Bit
   +0x248 NoDebugInherit : Pos 1, 1 Bit
   +0x248 ProcessExiting : Pos 2, 1 Bit
   +0x248 ProcessDelete : Pos 3, 1 Bit
   +0x248 Wow64SplitPages : Pos 4, 1 Bit
   +0x248 VmDeleted : Pos 5, 1 Bit
   +0x248 OutswapEnabled : Pos 6, 1 Bit
   +0x248 Outswapped : Pos 7, 1 Bit
   +0x248 ForkFailed : Pos 8, 1 Bit
   +0x248 HasPhysicalVad : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown : Pos 21, 1 Bit
   +0x248 Unused3 : Pos 22, 1 Bit
   +0x248 Unused4 : Pos 23, 1 Bit
   +0x248 VdmAllowed : Pos 24, 1 Bit
   +0x248 Unused : Pos 25, 5 Bits
   +0x248 Unused1 : Pos 30, 1 Bit
   +0x248 Unused2 : Pos 31, 1 Bit
   +0x24c ExitStatus : Int4B
   +0x250 NextPageColor : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie : Uint4B
// Posting a recent study of how a driver clears DebugPort. I learned how to use WinDbg to find the address of the _EPROCESS structure and how to use Syser to locate the clearing code. The following describes how to view the _EPROCESS structure of a process in WinDbg.

Everyone knows that every process corresponds to an _EPROCESS structure. How do we find the _EPROCESS address of a given process? Take notepad.exe as an example: in WinDbg's local kernel debugging session, enter the command

lkd> !process 0 0    // list the running processes
.....
PROCESS 8a5e7088  SessionId: 0  Cid: 0ff0    Peb: 7ffdd000  ParentCid: 0324
    DirBase: 0ac40520  ObjectTable: e1a13a30  HandleCount:  65.
    Image: windbg.exe
PROCESS 882f2650  SessionId: 0  Cid: 07d8    Peb: 7ffd7000  ParentCid: 0324
    DirBase: 0ac404e0  ObjectTable: e506af88  HandleCount:  48.
    Image: notepad.exe
.....

You can see that the _EPROCESS structure address of notepad.exe is 882f2650.

lkd> dt _eprocess 882f2650    // the _EPROCESS of notepad.exe
nt!_EPROCESS
   +0x000 Pcb : _KPROCESS
   +0x06c ProcessLock : _EX_PUSH_LOCK
   +0x070 CreateTime : _LARGE_INTEGER 0x1cb68eb`1575a5ee
   +0x078 ExitTime : _LARGE_INTEGER 0x0
   +0x080 RundownProtect : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId : 0x000007d8 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ ... ]
   +0x090 QuotaUsage : [3] 0xc58
   +0x09c QuotaPeak : [3] 0x1080
   +0x0a8 CommitCharge : 0x220
   +0x0ac PeakVirtualSize : 0x2453000
   +0x0b0 VirtualSize : 0x22bf000
   +0x0b4 SessionProcessLinks : _LIST_ENTRY [ ... ]
   +0x0bc DebugPort : (null)
   +0x0c0 ExceptionPort : Ptr32 Void
   +0x0c4 ObjectTable : 0xe506af88 _HANDLE_TABLE
   +0x0c8 Token : _EX_FAST_REF
   +0x0cc WorkingSetLock : _FAST_MUTEX
   +0x0ec WorkingSetPage : 0x7bbc2
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock : 0
   +0x114 ForkInProgress : (null)
   +0x118 HardwareTrigger : 0
   +0x11c VadRoot : 0x8a626df0 Void
   +0x120 VadHint : 0x88380130 Void
   +0x124 CloneRoot : (null)

_EPROCESS + 0xbc is the address of DebugPort. In Syser you can put a memory breakpoint on the DebugPort of notepad.exe with BPM 882f2650+bc W.
Any write to that address will then trigger the breakpoint.
// Resend
If you only want the final result, skip this part. Here we only reverse the DebugPort clearing code.
Because TX has anti-WinDbg measures, WinDbg only worked after the previous method, but I prefer debugging on a single machine. By chance I found that TX does not apply its anti-debugging to Syser. Here we pay our respects to the author of Syser: the debugger is said to have been developed by the author alone, and his familiarity with the kernel is remarkable.
Whether in WinDbg or Syser, you can set the following write breakpoint on EPROCESS + 0xbc:
WinDbg: ba w4 ADDR
Syser:  BPM ADDR W
Here you can see that Syser is compatible with SoftICE commands. The breakpoint shows that DebugPort is cleared very frequently.
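The offset lookup and breakpoint address above are easy to get wrong by hand, so here is an added Python helper (not from the original post) that parses the `dt nt!_EPROCESS` listing, turns a member name into an absolute address for a given _EPROCESS base, and prints the write-breakpoint command in the two syntaxes the post uses. The embedded listing is a constructed excerpt of the XP 32-bit layout shown above; the base address 882f2650 is the notepad.exe _EPROCESS from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the "dt nt!_EPROCESS" output from the post (32-bit Windows XP layout).
# Only the members needed for the demonstration are kept; the parser handles the full listing.
DT_OUTPUT = """\
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort        : Ptr32 Void
   +0x0c0 ExceptionPort    : Ptr32 Void
   +0x174 ImageFileName    : [16] UChar
   +0x248 Flags            : Uint4B
   +0x248 CreateReported   : Pos 0, 1 Bit
   +0x248 NoDebugInherit   : Pos 1, 1 Bit
   +0x24c ExitStatus       : Int4B
"""

# One member per line: "+0xOFF Name : Type"; bitfields use "Pos N, M Bit(s)" as the type.
MEMBER_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.+?)\s*$")
BITFIELD_RE = re.compile(r"^Pos (\d+), (\d+) Bits?$")


@dataclass
class Member:
    name: str
    offset: int
    type: str
    bit_pos: Optional[int] = None   # set only for bitfield members
    bit_len: Optional[int] = None


def parse_dt(text):
    """Parse WinDbg 'dt' output into {member name: Member}; non-member lines are skipped."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if not m:
            continue                      # struct name line, prompt, blank line
        offset, name, typ = int(m.group(1), 16), m.group(2), m.group(3)
        b = BITFIELD_RE.match(typ)
        if b:
            members[name] = Member(name, offset, "bitfield", int(b.group(1)), int(b.group(2)))
        else:
            members[name] = Member(name, offset, typ)
    return members


def field_address(base, name, members=None):
    """Absolute address of a member inside an object located at 'base'."""
    members = members or parse_dt(DT_OUTPUT)
    return base + members[name].offset


def watch_commands(base, name, members=None):
    """Write-breakpoint commands for a 4-byte pointer member, in WinDbg and Syser syntax."""
    addr = field_address(base, name, members)
    return {"windbg": f"ba w4 {addr:08x}", "syser": f"bpm {addr:08x} w"}


if __name__ == "__main__":
    notepad_eprocess = 0x882F2650          # from the !process 0 0 output in the post
    for tool, cmd in watch_commands(notepad_eprocess, "DebugPort").items():
        print(f"{tool:7s} {cmd}")
```

Running it prints `ba w4 882f270c` and `bpm 882f270c w`. The parser keys on the `+0x` prefix, so it can be pointed at a pasted `dt` listing from any build, which matters because the 0xbc offset only holds for this XP layout.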
The menus of the Syser debugger sometimes do not work; for now you can only use commands, for example disassembling from eip-40 to see the code that performed the write.
We can clearly see how TesSafe.sys clears DebugPort:
mov     edi, edi
push    ebp
mov     ebp, esp
push    ecx
push    ebx
xor     ebx, ebx                                    ; ebx = 0 for the compares below
cmp     dword ptr [b1dd4050], 5
push    esi
mov     byte ptr [ebp-2], 1                         ; return value (al), defaults to 1
jne     short b1dcb575
cmp     dword ptr [b1dd4054], ebx
mov     byte ptr [ebp-1], 1                         ; [ebp-1] = 1 only if [b1dd4050] == 5 and [b1dd4054] == 0
je      short b1dcb578
mov     byte ptr [ebp-1], bl                        ; b1dcb575
mov     ecx, b1dd90b0                               ; b1dcb578: spin lock
call    dword ptr [<&hal!KfAcquireSpinLock>]        ; al = old IRQL
mov     esi, dword ptr [b1dd8f60]                   ; esi = Flink of the driver's process list
cmp     esi, b1dd8f60                               ; list empty?
mov     byte ptr [ebp-3], al
je      b1dcb61b
mov     byte ptr [ebp-2], bl                        ; return value 0: list was processed
push    edi
mov     ecx, dword ptr [b1dd4ec0]                   ; b1dcb59c: loop top; [b1dd4ec0] points to a table of field offsets
mov     ecx, dword ptr [ecx+4]                      ; table[4] = DebugPort offset (0xbc on this build, per the breakpoint above)
lea     edx, dword ptr [esi-10]                     ; edx = start of the list node; [edx] = _EPROCESS pointer
add     ecx, dword ptr [edx]                        ; ecx = _EPROCESS + 0xbc
xor     eax, eax
xchg    dword ptr [ecx], eax                        ; DebugPort = 0 (this is the write that trips the breakpoint)
cmp     byte ptr [b1dd4ec8], bl
je      short b1dcb610                              ; cleanup disabled: next node
cmp     byte ptr [ebp-1], bl
mov     ecx, dword ptr [b1dd4ec0]
mov     eax, dword ptr [edx]                        ; eax = _EPROCESS
mov     ecx, dword ptr [ecx+c]
mov     edi, dword ptr [eax+ecx]                    ; edi = field at table[0xc]
je      short b1dcb5e0                              ; [ebp-1] == 0: alternative checks
cmp     edi, ebx
jne     short b1dcb610
mov     ecx, dword ptr [b1dd4ec0]
mov     ecx, dword ptr [ecx]
cmp     dword ptr [eax+ecx], 103                    ; field at table[0] still 0x103 (STATUS_PENDING)? keep the node
je      short b1dcb610
jmp     short b1dcb5f2
mov     ecx, dword ptr [b1dd4ec0]                   ; b1dcb5e0
mov     ecx, dword ptr [ecx+10]
cmp     dword ptr [eax+ecx], ebx                    ; field at table[0x10] == 0 and edi == 0 -> unlink
jne     short b1dcb610
cmp     edi, ebx
jne     short b1dcb610
mov     eax, dword ptr [esi]                        ; b1dcb5f2: unlink the node (Blink->Flink = Flink, Flink->Blink = Blink)
mov     ecx, dword ptr [esi+4]
mov     dword ptr [ecx], eax
mov     dword ptr [eax+4], ecx
mov     eax, b1dd529c
or      ecx, ffffffff
lock xadd dword ptr [eax], ecx                      ; atomic decrement of the node counter
push    ebx
push    edx
call    dword ptr [<&ntoskrnl!ExFreePoolWithTag>]   ; ExFreePoolWithTag(node, 0)
mov     esi, dword ptr [esi]                        ; b1dcb610: esi = Flink (on the unlink path this reads the block just freed)
cmp     esi, b1dd8f60
jne     short b1dcb59c
pop     edi
mov     dl, byte ptr [ebp-3]                        ; b1dcb61b: restore the saved IRQL
mov     ecx, b1dd90b0
call    dword ptr [<&hal!KfReleaseSpinLock>]
mov     al, byte ptr [ebp-2]
pop     esi
pop     ebx
leave
retn
int3                                                ; padding
int3
int3
int3
int3
int3
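To make the control flow of that loop easier to follow, here is an added Python model of it (a constructed re-implementation for study, not the driver's code). The kernel structures are replaced by small stand-in objects, the spin lock and ExFreePoolWithTag are dropped, and the global flags at b1dd4ec8 and the [ebp-1] condition become parameters. The post only establishes that table slot +4 is DebugPort; that slot +0 is ExitStatus is an assumption based on the 0x103 (STATUS_PENDING) compare, and slots +0xc and +0x10 are modelled as opaque values.

```python
STATUS_PENDING = 0x103   # constant compared at table[0]; assumed to be ExitStatus of a live process


class Eprocess:
    """Stand-in for nt!_EPROCESS with only the fields the routine reads or writes."""

    def __init__(self, name, debug_port, exit_status=STATUS_PENDING, field_0c=0, field_10=0):
        self.ImageFileName = name
        self.DebugPort = debug_port      # +0xbc in the XP layout from the post (table slot +4)
        self.ExitStatus = exit_status    # assumed target of table slot +0
        self.field_0c = field_0c         # read through table slot +0xc (identity not established)
        self.field_10 = field_10         # read through table slot +0x10 (identity not established)


class WatchNode:
    """Pool block the driver walks: _EPROCESS pointer at +0, LIST_ENTRY at +0x10 (esi-0x10 in the listing)."""

    def __init__(self, process):
        self.process = process
        self.flink = self
        self.blink = self


class WatchList:
    """Doubly linked list headed at b1dd8f60, with the entry counter kept at b1dd529c."""

    def __init__(self):
        self.head = WatchNode(None)      # sentinel LIST_ENTRY
        self.count = 0

    def append(self, process):
        node = WatchNode(process)
        node.blink = self.head.blink
        node.flink = self.head
        self.head.blink.flink = node
        self.head.blink = node
        self.count += 1
        return node

    def unlink(self, node):
        # mov eax,[esi] / mov ecx,[esi+4] / mov [ecx],eax / mov [eax+4],ecx / lock xadd [count],-1
        node.blink.flink = node.flink
        node.flink.blink = node.blink
        self.count -= 1
        # ExFreePoolWithTag(node, 0): nothing to do here, the node is simply dropped

    def processes(self):
        out, node = [], self.head.flink
        while node is not self.head:
            out.append(node.process)
            node = node.flink
        return out


def strip_debug_ports(watch, cleanup_enabled=True, alt_checks=False):
    """Model of the loop b1dcb59c..b1dcb61b.

    cleanup_enabled  models the byte at b1dd4ec8 (zero -> skip the prune checks)
    alt_checks       models [ebp-1] == 0 (i.e. [b1dd4050] != 5 or [b1dd4054] != 0), the b1dcb5e0 path
    Returns the processes whose DebugPort was non-zero before being cleared.
    """
    cleared = []
    node = watch.head.flink
    while node is not watch.head:                     # cmp esi, b1dd8f60 / jne b1dcb59c
        proc = node.process
        old, proc.DebugPort = proc.DebugPort, 0       # xor eax,eax / xchg [ecx],eax
        if old:
            cleared.append(proc)
        nxt = node.flink                              # the asm reads Flink after the free; read it first here
        if cleanup_enabled:
            edi = proc.field_0c
            if alt_checks:
                dead = proc.field_10 == 0 and edi == 0
            else:
                dead = edi == 0 and proc.ExitStatus != STATUS_PENDING
            if dead:
                watch.unlink(node)
        node = nxt
    return cleared


if __name__ == "__main__":
    watch = WatchList()
    live = Eprocess("notepad.exe", debug_port=0x8A5E0000)              # constructed values
    gone = Eprocess("calc.exe", debug_port=0x8A5E1000, exit_status=0)
    watch.append(live)
    watch.append(gone)
    for p in strip_debug_ports(watch):
        print("cleared DebugPort of", p.ImageFileName)
    print("still watched:", [p.ImageFileName for p in watch.processes()])
```

Two things the model makes visible: the routine always writes 0 into DebugPort with a locked exchange regardless of whether a debugger is attached, which is why the write breakpoint fires so often, and it prunes a node only after the process has left the STATUS_PENDING state, so a debugger attached to a live process is stripped on every pass.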
That's it... suddenly tired, don't want to write any more .... Just get rid of the pointer; do not modify the code.
The new version of dxxxxfffefefe verifies the original code very strictly, so this method has long stopped working. The only remaining option is to follow tufuzi's approach and repair the affected functions.