STI_OPCODE equ 0FBh                 ; one-byte encoding of the x86 "sti" instruction
dbSTI      db  STI_OPCODE           ; byte copied over the debugger's 0CCh (int 3) templates below
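;-----------------------------------------------------------------------
; BOOL MyWaitForDebugEvent(LPDEBUG_EVENT lpDebugEvent, DWORD dwMilliseconds)
; Stand-in for the debugger's own WaitForDebugEvent call site (the call at
; 0043961Dh is redirected here further down in this file).
; Calls the real WaitForDebugEvent and, when it succeeded, rewrites an
; EXCEPTION_PRIV_INSTRUCTION exception (raised by the 0FBh "sti" byte that
; replaces the usual int 3) into EXCEPTION_BREAKPOINT so the debugger
; treats it as one of its own software breakpoints.
; ABI:   stdcall, Win32
; In:    lpDebugEvent, dwMilliseconds - passed straight through
; Out:   eax = result of WaitForDebugEvent, unchanged (nothing below writes eax)
; Clobb: flags; esi is saved/restored by "uses esi"
; NOTE(review): an int 3 is a trap (EIP reported past the 0CCh) whereas the
; #GP from sti is a fault (EIP reported at the 0FBh); whether the debugger's
; EIP fix-up for EXCEPTION_BREAKPOINT still lands on the right address is
; not handled here - confirm against the rest of the patch.
;-----------------------------------------------------------------------
MyWaitForDebugEvent proc uses esi lpDebugEvent,dwMilliseconds
    invoke WaitForDebugEvent,lpDebugEvent,dwMilliseconds
    ; Only look at the DEBUG_EVENT when the API reported success; on a
    ; failure/timeout the buffer contents are not meaningful.
    .if eax != 0
        mov esi, lpDebugEvent
        assume esi:ptr DEBUG_EVENT
        .if [esi].dwDebugEventCode == EXCEPTION_DEBUG_EVENT &&\
            [esi].u.Exception.pExceptionRecord.ExceptionCode == EXCEPTION_PRIV_INSTRUCTION
            ; Masquerade the privileged-instruction fault as a breakpoint.
            mov [esi].u.Exception.pExceptionRecord.ExceptionCode, EXCEPTION_BREAKPOINT
        .endif
        assume esi:nothing              ; do not leak the typed assume into later code
    .endif
    ret
MyWaitForDebugEvent endp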
; Patch the debugger's own image (process handle -1 = current process) so
; that the four places where it emits its software-breakpoint byte 0CCh
; (int 3, see the "; INT 3" annotations in the listing below) use the 0FBh
; "sti" byte from dbSTI instead. The offset added to each address (+3, +2,
; +1, +1) selects the 0CCh byte inside the instruction encodings quoted below.
; NOTE(review): these addresses are hard-coded for one specific OllyICE
; build (the listing names OllyICE.004D5714) and must be re-derived for any
; other build; none of the WriteProcessMemory results is checked, so a
; mismatched build is silently corrupted rather than rejected.
local tempbuf[5]:BYTE               ; scratch for the 4-byte rel32 below (only 4 of the 5 bytes are used)
comment*
004197AD |. C645 F3 CC mov byte ptr [ebp-D],0CC ; INT 3
00418CA4 |. 81FA CC000000 cmp edx,0CC ; INT 3
00418D4F |. 68 CC000000 push 0CC ; INT 3
00418D06 |. 68 CC000000 push 0CC ; INT3
*
invoke WriteProcessMemory,-1,004197ADh+3,offset dbSTI,1,NULL   ; C6 45 F3 [CC]
invoke WriteProcessMemory,-1,00418CA4h+2,offset dbSTI,1,NULL   ; 81 FA [CC] 00 00 00
invoke WriteProcessMemory,-1,00418D4Fh+1,offset dbSTI,1,NULL   ; 68 [CC] 00 00 00
invoke WriteProcessMemory,-1,00418D06h+1,offset dbSTI,1,NULL   ; 68 [CC] 00 00 00
; Redirect the debugger's call to WaitForDebugEvent (the 5-byte "E8 rel32"
; call at 0043961Dh quoted below) to MyWaitForDebugEvent, which turns the
; resulting EXCEPTION_PRIV_INSTRUCTION into EXCEPTION_BREAKPOINT.
comment*
00439618 . 68 14574D00 push 004D5714 ; |pDebugEvent = OllyICE.004D5714
0043961D . E8 E85B0700 call <jmp.&KERNEL32.WaitForDebugEvent>; \WaitForDebugEvent
00439622 . 85C0 test eax,eax
*
lea eax, tempbuf                    ; eax -> buffer that receives the new rel32
mov ecx, offset MyWaitForDebugEvent
sub ecx, 0043961Dh+1                ; rel32 is relative to the end of the call instruction:
sub ecx, 4                          ;   target - (opcode address + 1 + 4)
mov DWORD ptr[eax], ecx
invoke WriteProcessMemory,-1,0043961Dh+1,eax,4,0   ; overwrite only the rel32 operand; the E8 opcode stays
把OD写内存的BUF(INT 3)换成了sti，并且HOOK了WaitForDebugEvent伪造消息，可以达到不用INT 3调试的目的。当然完全不用INT 3还有很多事情要做，但这段代码可以对抗低级anti debug，特别是检测CC的。
由于用的是硬编码，也就不放编译好的东西上来了；另外为了避免……，部分代码没有发出来。
- 标 题:让OD不靠INT3调试
- 作 者:雪精灵
- 时 间:2010-12-05 11:49:24
- 链 接:http://bbs.pediy.com/showthread.php?t=126015