大牛绕路!XX同学勿怒!
应朋友的求助,调试了一下XXGAME,发现载入后,断点下不了,OD挂上就是个摆设?
立马想到了 ntdll!ZwSetInformationThread | ThreadHideFromDebugger
载入,下 ZwSetInformationThread 断点,果然。
XXGAME的保护是用ntdll!ZwSetInformationThread传入ThreadHideFromDebugger来进行反调试的,貌似和以前看到牛人分析的bypass themida anti差不多哦,有料可参。
那么这个XX保护也可以这样搞?
试手一下,发现果然。
代码:
代码:
///////////////////////////////////////////////////////////////////////////////
///
/// Copyright (c) 2008 - <dts>
///
/// Original filename: ZwHook.c
/// Project : ZwHook
/// Date of creation : 2008-11-19
/// Author(s) : 梧桐
///
/// Purpose : <description>
///
/// Revisions:
/// 0000 [2008-11-19] Initial revision.
///
///////////////////////////////////////////////////////////////////////////////
#include "ntddk.h"
#pragma pack(1)
typedef struct ServiceDescriptorEntry
{
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook) \
(PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
#define UNHOOK_SYSCALL(_Function, _Hook) \
InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
NTSYSAPI
NTSTATUS
NTAPI ZwSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);
typedef NTSTATUS (*ZWSETINFORMATIONTHREAD)(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);
ZWSETINFORMATIONTHREAD OldZwSetInformationThread;
NTSTATUS NewZwSetInformationThread(
IN HANDLE ThreadHandle,
IN THREADINFOCLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength)
{
NTSTATUS ntStatus;
if(ThreadInformationClass == 17) //ANTI-DEBUG
ntStatus = STATUS_SUCCESS;
else
ntStatus = ((ZWSETINFORMATIONTHREAD)(OldZwSetInformationThread))(
ThreadHandle,
ThreadInformationClass,
ThreadInformation,
ThreadInformationLength);
return ntStatus;
}
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("ROOTKIT: OnUnload called\n");
// unhook system calls
UNHOOK_SYSCALL( ZwSetInformationThread, OldZwSetInformationThread);
// Unlock and Free MDL
if(g_pmdlSystemCall)
{
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
IN PUNICODE_STRING theRegistryPath)
{
// Register a dispatch function for Unload
theDriverObject->DriverUnload = OnUnload;
// save old system call locations
OldZwSetInformationThread =(ZWSETINFORMATIONTHREAD)(SYSTEMSERVICE(ZwSetInformationThread));
// Map the memory into our domain so we can change the permissions on the MDL
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// Change the flags of the MDL
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
// hook system calls
HOOK_SYSCALL( ZwSetInformationThread, NewZwSetInformationThread);
return STATUS_SUCCESS;
}