2010-12-10 10:03 | Category: MSN-computer
When a program is debugged by a ring3 debugger, many debugger features can be detected, and the forum already has a dedicated post covering them in detail. There is, however, one very fundamental sign of a ring3 debugger that few people mention: _EPROCESS.DebugPort. DebugPort is essential to a ring3 debugger; without it normal ring3 debugging cannot take place. Of course, checking this field presupposes that the program can read ring0 memory. On XP there is a very simple way: ZwSystemDebugControl with SysDbgReadVirtualMemory; mapping \Device\PhysicalMemory also works. Before DebugPort can be checked, the address of the process's EPROCESS must be obtained, either through ZwQuerySystemInformation with SystemHandleInformation or by searching ring0 memory directly for the EPROCESS structure.
Direct detection of DebugPort from ring3 can be handled by denying the process access to ring0 memory, but once the target is checked from a driver that becomes very cumbersome. Below is an approach to hiding _EPROCESS.DebugPort. The basic idea is to leave the debugged process's DebugPort at zero, as in a normal process, and to correct every affected function so that our debugger keeps working normally. These functions are as follows:
PspCreateProcess, MmCreatePeb: process creation, setting DebugPort
DbgkCreateThread: sends the debug message when a thread or process is created
KiDispatchException, DbgkForwardException, DbgkpQueueMessage: send exception debug messages
PspExitThread, DbgkExitThread, DbgkExitProcess: send the thread-exit and process-exit debug messages
DbgkMapViewOfSection, DbgkUnMapViewOfSection, DbgkpMarkProcessPeb: send the image load and unload debug messages
DbgkpSetProcessDebugObject: sets DebugPort when a debugger attaches to the process
There are a great many functions like these, and hooking every one of them would be horrible. So a very simple trick is used here: a quiet substitution (the "steal the dragon, swap in the phoenix" approach). Let us look at what the system's code that accesses DebugPort looks like (XP):
    8b89bc000000    mov ecx, dword ptr [ecx+0BCh]    ; 0BCh is the offset of DebugPort
We can move DebugPort to another place in _EPROCESS. For example, I use CreateTime at +0x070. It records the creation time of the process; from the moment the process is created until it exits the system never changes it, and our modifying it has no effect on either the system or the process. So we change the code above to this:
    8b8970000000    mov ecx, dword ptr [ecx+070h]    ; now points to CreateTime, where the real DebugPort has been moved
Only one byte needs to be modified. Very simple.
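To make the "one byte" claim concrete, here is an added example (not code from the original post) that decodes the MOV r32, [r32+disp32] encoding shown above and rewrites its displacement, counting how many bytes actually change. The decoder handles only the prefix-free 8B /r form with mod=10 and no SIB byte, which is the form the post shows; the function names and the expectation that the disp32 is stored little-endian are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded fields of "8B /r" (MOV r32, r/m32) in its mod=10 (disp32) form. */
typedef struct {
    int reg;        /* destination register, ModRM.reg */
    int base;       /* base register, ModRM.rm */
    int32_t disp;   /* 32-bit displacement, sign-extended */
} MovDisp32;

static const char *REG_NAMES[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

/* Decode the 6-byte form. Returns 0 on success, -1 if the bytes are not that form.
 * Assumes no instruction prefixes; rejects rm=100, which would require a SIB byte. */
static int decode_mov_r32_disp32(const uint8_t *code, size_t len, MovDisp32 *out)
{
    if (len < 6 || code[0] != 0x8B)
        return -1;
    uint8_t modrm = code[1];
    int mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
    if (mod != 2 || rm == 4)
        return -1;
    /* disp32 is stored little-endian: low byte first */
    uint32_t d = (uint32_t)code[2] | ((uint32_t)code[3] << 8)
               | ((uint32_t)code[4] << 16) | ((uint32_t)code[5] << 24);
    out->reg = reg;
    out->base = rm;
    out->disp = (int32_t)d;
    return 0;
}

/* Replace the displacement in place; returns the number of bytes that changed. */
static int rewrite_disp32(uint8_t *code, int32_t new_disp)
{
    uint8_t old[4];
    memcpy(old, code + 2, 4);
    uint32_t d = (uint32_t)new_disp;
    for (int i = 0; i < 4; i++)
        code[2 + i] = (uint8_t)(d >> (8 * i));
    int changed = 0;
    for (int i = 0; i < 4; i++)
        if (old[i] != code[2 + i])
            changed++;
    return changed;
}

/* Worked check on the two byte sequences from the post: decode the original,
 * move the displacement from 0xBC (DebugPort) to 0x70 (CreateTime), and verify
 * the result matches the patched bytes. Returns the byte delta, or -1 on mismatch. */
static int patch_byte_delta(int32_t from, int32_t to)
{
    uint8_t code[6] = {0x8B, 0x89, 0xBC, 0x00, 0x00, 0x00};   /* mov ecx,[ecx+0BCh] */
    MovDisp32 m;
    if (decode_mov_r32_disp32(code, sizeof code, &m) != 0 || m.disp != from)
        return -1;
    int changed = rewrite_disp32(code, to);
    if (decode_mov_r32_disp32(code, sizeof code, &m) != 0 || m.disp != to)
        return -1;
    return changed;
}

int main(void)
{
    uint8_t orig[6] = {0x8B, 0x89, 0xBC, 0x00, 0x00, 0x00};
    MovDisp32 m;
    if (decode_mov_r32_disp32(orig, sizeof orig, &m) == 0)
        printf("mov %s, dword ptr [%s+0%Xh]\n", REG_NAMES[m.reg], REG_NAMES[m.base], m.disp);
    printf("bytes changed moving 0xBC -> 0x70: %d\n", patch_byte_delta(0xBC, 0x70));
    printf("bytes changed moving 0xBC -> 0x170: %d\n", patch_byte_delta(0xBC, 0x170));
    return 0;
}
```

Run as written it decodes the original bytes as mov ecx, dword ptr [ecx+0BCh] and reports a single changed byte for the 0xBC to 0x70 move. The second call shows the limit of the trick: relocating the field to any offset above 0xFF (0x170 here) touches two displacement bytes, because only the low byte of the little-endian disp32 differs between 0xBC and 0x70.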
Of course, the most troublesome part of this method is locating the functions that reference DebugPort (I wrote signatures for the different XP builds and it exhausted me to the point of spitting blood). None of these functions are exported. For one specific system the easiest way is to run WinDbg's uf on each of them and hard-code the addresses, which takes only a few minutes.
One more thing worth mentioning: in the code above, many of the functions have a NOPCode. This is aimed at the thread flag PS_CROSS_THREAD_FLAGS_HIDEFROMDBG: by NOPing out the relevant places, a thread that has been set to ThreadHideFromDebugger can no longer prevent the debugger from receiving its debug messages.
****************************************************************
Wishing everyone ever stronger skills in the Year of the Ox, and hoping the other small dishes I have prepared can come back to be seen in the Year of the Ox too!
Saturn's note: This article may be dated and is no longer very applicable now: first, the thirteen-plus addresses above; second, modifying CreateTime causes a blue screen.