Bypassing TP protection's DebugPort zeroing (popular-science level) _ Cheat Research

Source: Internet
Author: User
We know that DebugPort lives inside the EPROCESS structure.
You don't? Go to the kindergarten and ask the kids.
On my system the offset is 0x0BC; on a different system the offset value is different.
You can look it up with WinDbg: open local kernel debugging and enter the command dt _EPROCESS.
I won't go into this further; search the Internet for the details.
Also, DNF.exe calls NtOpenProcess as part of its anti-debugging detection,
so let's not waste that and use what is already there: we start from here.
Set a hook on NtOpenProcess; SSDT hooking is something I believe most students can do.
There is no need for any special filtering; just print some DNF-related information.
Here is the idea and the key code:
ANSI_STRING str1, str2;
PEPROCESS processEprocess;

// Put the DNF.exe process name into str1
RtlInitAnsiString(&str1, "DNF.exe");

// Get the caller's EPROCESS
processEprocess = IoGetCurrentProcess();

// Save the caller's process name to str2; on my system the ImageFileName offset is 0x174
RtlInitAnsiString(&str2, (PCSZ)((ULONG)processEprocess + 0x174));

// Decide by the process name (case-insensitive compare)
if (RtlCompareString(&str1, &str2, TRUE) == 0)
{
    // This means DNF.exe called here; print the process information
    KdPrint(("DNF.exe EPROCESS address is %x\n", (ULONG)processEprocess));
    KdPrint(("DNF.exe DebugPort address is %x\n", (ULONG)processEprocess + 0x0BC));
}

Then jump to the original NtOpenProcess; that part of the code you write yourself.
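The two numbers in the snippet above, 0x0BC for DebugPort and 0x174 for ImageFileName, are only valid for the author's build, and the post says to confirm them with dt _EPROCESS. As an added example (not the post's code, and not part of any driver it describes), here is a small C helper that reads saved dt _EPROCESS output and emits the offsets as a header, so that any kernel component which needs to locate these members, a driver or an integrity monitor alike, is built against the layout of the build it actually runs on instead of carrying hard-coded constants. The dt output is constructed for the example using the two values the post quotes; the header macro names are an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of WinDbg "dt _EPROCESS" output (not captured from a real
 * machine); the two offsets are the ones the post quotes for its own system. */
static const char SAMPLE_DT_OUTPUT[] =
    "nt!_EPROCESS\n"
    "   +0x000 Pcb              : _KPROCESS\n"
    "   +0x06c ProcessLock      : _EX_PUSH_LOCK\n"
    "   +0x0bc DebugPort        : Ptr32 Void\n"
    "   +0x0c0 ExceptionPort    : Ptr32 Void\n"
    "   +0x174 ImageFileName    : [16] UChar\n";

/* Scan dt output line by line for a "+0xOFF Member" entry.
 * Returns the offset, or -1 if the member is not listed. */
long find_member_offset(const char *dt_output, const char *member)
{
    const char *line = dt_output;
    while (*line != '\0') {
        char buf[256];
        char name[64];
        unsigned long off;
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);

        /* Copy one line so sscanf cannot run past it into the next line. */
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* "   +0x0bc DebugPort        : Ptr32 Void" -> off = 0xbc, name = "DebugPort" */
        if (sscanf(buf, " +0x%lx %63s", &off, name) == 2 && strcmp(name, member) == 0)
            return (long)off;

        line = end ? end + 1 : line + len;
    }
    return -1;
}

/* Emit a C header with the resolved offsets (macro names are this example's own
 * convention). Returns 1 on success, 0 if any member is missing from the dump. */
int write_offset_header(const char *dt_output, FILE *out)
{
    static const char *members[] = { "DebugPort", "ImageFileName" };
    size_t i;
    for (i = 0; i < sizeof members / sizeof members[0]; i++) {
        long off = find_member_offset(dt_output, members[i]);
        if (off < 0)
            return 0;
        fprintf(out, "#define EPROCESS_%s_OFFSET 0x%lx\n", members[i], off);
    }
    return 1;
}

int main(void)
{
    /* In real use, feed the file saved from WinDbg instead of the constructed sample. */
    return write_offset_header(SAMPLE_DT_OUTPUT, stdout) ? 0 : 1;
}
```

Running it against a dump saved from the target machine, rather than the constructed sample, gives a header that fails the build loudly when a member is missing or renamed, which is far better than a driver that silently dereferences the wrong field on a build it was never tested on.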

OK, now we have DNF.exe's DebugPort address, so open a kernel viewing tool,
enter that address and look: the value in it is 0.
Now for our kernel-debugging artifact, Syser.
Give it a warm welcome...
Press Ctrl+F12 to activate kernel debugging, and be as quick as you can.
Say 0xXXXXXXXX is our DNF.exe DebugPort address.
Then we set a memory write breakpoint on it:
enter BPM 0xXXXXXXXX W, press Enter, then press F5 to let the system run.
In the blink of an eye Syser breaks; look at the address it broke at.
What are you waiting for? Write down the address, delete the breakpoint, and press F5 to continue running.
Then open the kernel tool, disassemble, and look upward from the zeroing address.
You will see the int 3 and mov edi,edi instructions. This is the head of the zeroing function,
covered up with something to disguise it, damn it.
Take the knife and chop it off.
Change the mov edi,edi into NOP and RETN, 0x90C3.
Then set the memory write breakpoint on DebugPort again and repeat the steps above.
Set the memory write breakpoint once more and see:
after half a day it still has not broken, which means there is no more code in there zeroing it. OK.
There are two places in total that zero DebugPort, so it is simply passed.
There is also thread monitoring; the method is the same, so I won't post more.
I'll upload the driver; it only bypasses the DebugPort zeroing and the monitoring. You can restore a few hooks yourself.
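The patch the post describes, overwriting a function's mov edi,edi head with nop; ret, is exactly the kind of tampering a kernel-integrity or anti-cheat self-check sweeps for. As an added example (not the post's code, and not how TP or any product implements its checks), here is a user-mode C routine that classifies the first bytes of an x86 function prologue and compares live bytes against a pristine copy taken at load time. The byte buffers are constructed for the example; the enum names and the sample table are this example's own.

```c
#include <stddef.h>

/* What the first bytes of a hot-patchable x86 function prologue look like. */
typedef enum {
    PROLOGUE_INTACT,    /* 8B FF: mov edi,edi, the normal hot-patch prologue */
    PROLOGUE_NOP_RET,   /* 90 C3: nop; ret, the function has been neutered */
    PROLOGUE_INT3,      /* CC as the first byte: a breakpoint written over the head */
    PROLOGUE_JMP,       /* E9: a relative jmp, i.e. an inline detour */
    PROLOGUE_OTHER      /* anything else: flag for manual review */
} prologue_status_t;

prologue_status_t classify_prologue(const unsigned char *code, size_t len)
{
    if (len >= 2 && code[0] == 0x8B && code[1] == 0xFF) return PROLOGUE_INTACT;
    if (len >= 2 && code[0] == 0x90 && code[1] == 0xC3) return PROLOGUE_NOP_RET;
    if (len >= 1 && code[0] == 0xCC)                     return PROLOGUE_INT3;
    if (len >= 1 && code[0] == 0xE9)                     return PROLOGUE_JMP;
    return PROLOGUE_OTHER;
}

/* Compare live bytes with a pristine copy saved at load time.
 * Returns the index of the first mismatching byte, or -1 if identical. */
long first_patched_byte(const unsigned char *live, const unsigned char *pristine, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (live[i] != pristine[i])
            return (long)i;
    return -1;
}

/* Constructed sample function heads (not dumped from a real kernel).
 * 8B FF 55 8B EC 83 EC 10 = mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
static const unsigned char PRISTINE[]     = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const unsigned char NEUTERED[]     = { 0x90, 0xC3, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const unsigned char BREAKPOINTED[] = { 0xCC, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

/* Walk a table of function heads and count those whose prologue is not intact,
 * the way a periodic integrity sweep over protected functions would. */
size_t count_tampered(const unsigned char *const heads[], const size_t lens[], size_t n)
{
    size_t i, tampered = 0;
    for (i = 0; i < n; i++)
        if (classify_prologue(heads[i], lens[i]) != PROLOGUE_INTACT)
            tampered++;
    return tampered;
}

/* Sweep the three constructed samples; two of them are tampered. */
size_t count_tampered_samples(void)
{
    const unsigned char *const heads[] = { PRISTINE, NEUTERED, BREAKPOINTED };
    const size_t lens[] = { sizeof PRISTINE, sizeof NEUTERED, sizeof BREAKPOINTED };
    return count_tampered(heads, lens, 3);
}

int main(void)
{
    return count_tampered_samples() == 2 ? 0 : 1;
}
```

A real monitor would read the bytes from the live function addresses and keep the pristine copies somewhere the patching code cannot reach; the classification logic is the same. Note that a breakpoint set by a debugger also shows up as PROLOGUE_INT3, so a deployed check needs to distinguish a legitimate debugging session from tampering before acting on that result.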
