標 題: 【原創】Hide your DebugPort in ring0
作 者: wowelf
時 間: 2009-01-26,11:00
鏈 接: http://bbs.pediy.com/showthread.php?t=80971
一個程序被ring3調試器調試時,有很多的調試特徵可以檢測,本論壇也有專門的帖子詳細論述,但有個非常根本的標誌ring3也是可以檢測的比較少人提及,那就是_EPROCESS.DebugPort。DebugPort對於ring3調試器來說非常重要,沒有它正常的ring3調試是無法進行的。當然要檢測這個標誌的前提是程序能夠讀取ring0內存,在XP以上的系統有個非常簡單的方法就是使用ZwSystemDebugControl的SysDbgReadVirtualMemory方法,我們也可以map physicalmemory來操作。檢測DebugPort之前首先要得到進程的eprocess地址,這可以通過ZwQuerySystemInformation的SystemHandleInformation方法得到,也可以直接搜索ring0內存的eprocess結構。
對於ring3直接檢測DebugPort,我們可以通過禁止該進程訪問ring0內存來對付,但是目標一旦使用驅動來檢測,那麼就非常麻煩了。下面介紹一種隱藏_EPROCESS.DebugPort的方法,這種方法的基本思路是,將一個正常被調試進程的DebugPort置零後,修正所有受影響的函數,使我們的調試器能夠正常進行。這些函數如下:
PspCreateProcess、MmCreatePeb 進程創建,設置DebugPort
DbgkCreateThread 發送線程或者進程創建的調試信息
KiDispatchException、DbgkForwardException和DbgkpQueueMessage 發送異常調試信息
PspExitThread、DbgkExitThread和DbgkExitProcess 發送線程退出、進程退出的調試信息
DbgkMapViewOfSection和DbgkUnMapViewOfSection 發送映像裝載卸載調試信息
DbgkpSetProcessDebugObject和DbgkpMarkProcessPeb 當調試器附加進程時設置DebugPort
這類函數非常多的,如果都HOOK處理的話,那太恐怖了,這裏使用一個非常簡單的辦法:偷龍轉鳳。我們看系統訪問DebugPort的代碼都是這樣的(XP)
8b89bc000000 mov ecx,dword ptr [ecx+0BCh] //0BCh就是DebugPort的偏移
我們可以把DebugPort轉移到_EPROCESS的另外一個地方,比如我使用+0x070 CreateTime,它是紀錄進程創建時間的,進程創建之後,在進程退出前系統不會對它進行任何修改,而且我們修改後對系統或進程沒有任何影響。這樣我們可以把上面的代碼改成這樣
8b8970000000 mov ecx,dword ptr [ecx+070h] //指向CreateTime,實際的DebugPort已經被移到這裏
只需要修改一個字節,非常簡單。
當然這種方法最麻煩的地方就是定位引用到DebugPort的函數(本人僅僅針對不同的XP系統製作特徵碼都累到吐血),這些函數都是不導出的,如果是特定系統,最簡單的方法就是WinDbg->uf *** 直接找地址硬編碼,只需要幾分鐘時間。
BOOLEAN InitHackAddress() { _SEH_TRY { g_KernelBase = GetKernelBaseAndSize( &g_KernelSize ); g_HackPspCreateProcess = SearchHackPspCreateProcess( &g_NopPspCreateProcess.Address ); g_HackKiDispatchException = SearchKiDispatchException( g_KernelBase,g_KernelSize ); g_HackDbgkpQueueMessage = SearchDbgkpQueueMessage( g_KernelBase,g_KernelSize ); g_HackDbgkCreateThread = SearchDbgkCreateThread( g_KernelBase,g_KernelSize ); SearchDbgkNotifyRoutine( g_KernelBase,g_KernelSize ); g_HackPspExitThread = SearchPspExitThread(); g_HackMmCreatePeb = SearchMmCreatePeb( g_HackPspCreateProcess ); SearchDbgkpSetProcessDebugObject( g_KernelBase,g_KernelSize ); if( g_HackDbgkpSetProcessDebugObject[3] ) g_HackDbgkpMarkProcessPeb = SearchDbgkpMarkProcessPeb( g_HackDbgkpSetProcessDebugObject[3] ) ; if( g_NopPspCreateProcess.Address != 0 ){ RtlFillMemory( g_NopPspCreateProcess.NopCode,sizeof(g_NopPspCreateProcess.NopCode),0x90 ); g_NopPspCreateProcess.Size = 9; RtlCopyMemory( g_NopPspCreateProcess.OrigCode,(PVOID)g_NopPspCreateProcess.Address,g_NopPspCreateProcess.Size ); } if( g_NopDbgkForwardException.Address != 0 ){ RtlFillMemory( g_NopDbgkForwardException.NopCode,sizeof(g_NopDbgkForwardException.NopCode),0x90 ); RtlCopyMemory( g_NopDbgkForwardException.OrigCode,(PVOID)g_NopDbgkForwardException.Address,g_NopDbgkForwardException.Size ); } if( g_NopDbgkExitThread.Address != 0 ){ RtlFillMemory( g_NopDbgkExitThread.NopCode,sizeof(g_NopDbgkExitThread.NopCode),0x90 ); RtlCopyMemory( g_NopDbgkExitThread.OrigCode,(PVOID)g_NopDbgkExitThread.Address,g_NopDbgkExitThread.Size ); } if( g_NopDbgkExitProcess.Address != 0 ){ RtlFillMemory( g_NopDbgkExitProcess.NopCode,sizeof(g_NopDbgkExitProcess.NopCode),0x90 ); RtlCopyMemory( g_NopDbgkExitProcess.OrigCode,(PVOID)g_NopDbgkExitProcess.Address,g_NopDbgkExitProcess.Size ); } if( g_NopDbgkMapViewOfSection.Address != 0){ RtlFillMemory( g_NopDbgkMapViewOfSection.NopCode,sizeof(g_NopDbgkMapViewOfSection.NopCode),0x90 ); RtlCopyMemory( g_NopDbgkMapViewOfSection.OrigCode,(PVOID)g_NopDbgkMapViewOfSection.Address,g_NopDbgkMapViewOfSection.Size ); } if( g_NopDbgkUnMapViewOfSection.Address != 0 ){ RtlFillMemory( g_NopDbgkUnMapViewOfSection.NopCode,sizeof(g_NopDbgkUnMapViewOfSection.NopCode),0x90 ); RtlCopyMemory( g_NopDbgkUnMapViewOfSection.OrigCode,(PVOID)g_NopDbgkUnMapViewOfSection.Address,g_NopDbgkUnMapViewOfSection.Size ); } } _SEH_HANDLER { DbgPrint( "InitHackAddress Exception!/n" ); } return ( g_HackPspCreateProcess != 0 && g_HackKiDispatchException != 0 && g_HackDbgkForwardException != 0 && g_HackDbgkpQueueMessage != 0 && g_NopPspCreateProcess.Address != 0 && g_NopDbgkForwardException.Address != 0 && g_HackDbgkCreateThread != 0 && g_HackDbgkExitThread != 0 && g_NopDbgkExitThread.Address != 0 && g_HackDbgkExitProcess != 0 && g_NopDbgkExitProcess.Address != 0 && g_HackDbgkMapViewOfSection != 0 && g_NopDbgkMapViewOfSection.Address != 0 && g_HackDbgkUnMapViewOfSection != 0 && g_NopDbgkUnMapViewOfSection.Address != 0 && g_HackPspExitThread != 0 && g_HackMmCreatePeb != 0 && g_HackDbgkpSetProcessDebugObject[0] != 0 && g_HackDbgkpSetProcessDebugObject[1] != 0 && g_HackDbgkpSetProcessDebugObject[2] != 0 && g_HackDbgkpSetProcessDebugObject[3] != 0 && g_HackDbgkpMarkProcessPeb != 0 ); }
//修改已經運行進程的DebugPort位置 BOOLEAN ChangeProcessDebugPort( BOOLEAN Hide ) { ULONG eProcess = (ULONG)PsInitialSystemProcess; PLIST_ENTRY pListHead,pListWalk; ULONG DebugObject; if( !g_bIsAddressStartup ){ return FALSE; } pListHead = (PLIST_ENTRY)( eProcess + ACTIVE_LINKS_OFFSET ); pListWalk = pListHead; _SEH_TRY { do{ if( pListWalk == NULL || eProcess == 0 ) break; eProcess = ( (ULONG)pListWalk - ACTIVE_LINKS_OFFSET ); if( Hide ){ DebugObject = *(ULONG*)( eProcess + DEBUG_PORT_OFFSET ); *(ULONG*)( eProcess + CREATE_TIME_OFFSET ) = DebugObject; *(ULONG*)( eProcess + DEBUG_PORT_OFFSET ) = 0; }else{ DebugObject = *(ULONG*)( eProcess + CREATE_TIME_OFFSET ); *(ULONG*)( eProcess + DEBUG_PORT_OFFSET ) = DebugObject; } pListWalk = pListWalk->Flink; }while( pListWalk != pListHead ); } _SEH_HANDLER { DbgPrint( "ChangeProcessDebugPort exception!/n" ); } return TRUE; }
BOOLEAN ModifyDebugFunction() { if( !g_bIsAddressStartup ){ return FALSE; } __asm{ cli mov eax,cr0 and eax,not 10000h mov cr0,eax } *(ULONG*)g_HackPspCreateProcess = CREATE_TIME_OFFSET; *(ULONG*)g_HackKiDispatchException = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkForwardException = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkpQueueMessage = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkCreateThread = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkExitThread = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkExitProcess = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkMapViewOfSection = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkUnMapViewOfSection = CREATE_TIME_OFFSET; *(ULONG*)g_HackPspExitThread = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkpMarkProcessPeb = CREATE_TIME_OFFSET; *(ULONG*)g_HackMmCreatePeb = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[0] = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[1] = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[2] = CREATE_TIME_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[3] = CREATE_TIME_OFFSET; RtlCopyMemory( (PVOID)g_NopPspCreateProcess.Address,g_NopPspCreateProcess.NopCode,g_NopPspCreateProcess.Size ); RtlCopyMemory( (PVOID)g_NopDbgkForwardException.Address,g_NopDbgkForwardException.NopCode,g_NopDbgkForwardException.Size ); RtlCopyMemory( (PVOID)g_NopDbgkExitThread.Address,g_NopDbgkExitThread.NopCode,g_NopDbgkExitThread.Size ); RtlCopyMemory( (PVOID)g_NopDbgkExitProcess.Address,g_NopDbgkExitProcess.NopCode,g_NopDbgkExitProcess.Size ); RtlCopyMemory( (PVOID)g_NopDbgkMapViewOfSection.Address,g_NopDbgkMapViewOfSection.NopCode,g_NopDbgkMapViewOfSection.Size ); RtlCopyMemory( (PVOID)g_NopDbgkUnMapViewOfSection.Address,g_NopDbgkUnMapViewOfSection.NopCode,g_NopDbgkUnMapViewOfSection.Size ); __asm{ mov eax,cr0 or eax,10000h mov cr0,eax sti } return TRUE; } BOOLEAN WriteBackDebugFunction() { if( !g_bIsAddressStartup ){ return FALSE; } __asm{ cli mov eax,cr0 and eax,not 10000h mov cr0,eax } *(ULONG*)g_HackPspCreateProcess = DEBUG_PORT_OFFSET; *(ULONG*)g_HackKiDispatchException = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkForwardException = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkpQueueMessage = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkCreateThread = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkExitThread = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkExitProcess = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkMapViewOfSection = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkUnMapViewOfSection = DEBUG_PORT_OFFSET; *(ULONG*)g_HackPspExitThread = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkpMarkProcessPeb = DEBUG_PORT_OFFSET; *(ULONG*)g_HackMmCreatePeb = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[0] = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[1] = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[2] = DEBUG_PORT_OFFSET; *(ULONG*)g_HackDbgkpSetProcessDebugObject[3] = DEBUG_PORT_OFFSET; RtlCopyMemory( (PVOID)g_NopPspCreateProcess.Address,g_NopPspCreateProcess.OrigCode,g_NopPspCreateProcess.Size ); RtlCopyMemory( (PVOID)g_NopDbgkForwardException.Address,g_NopDbgkForwardException.OrigCode,g_NopDbgkForwardException.Size ); RtlCopyMemory( (PVOID)g_NopDbgkExitThread.Address,g_NopDbgkExitThread.OrigCode,g_NopDbgkExitThread.Size ); RtlCopyMemory( (PVOID)g_NopDbgkExitProcess.Address,g_NopDbgkExitProcess.OrigCode,g_NopDbgkExitProcess.Size ); RtlCopyMemory( (PVOID)g_NopDbgkMapViewOfSection.Address,g_NopDbgkMapViewOfSection.OrigCode,g_NopDbgkMapViewOfSection.Size ); RtlCopyMemory( (PVOID)g_NopDbgkUnMapViewOfSection.Address,g_NopDbgkUnMapViewOfSection.OrigCode,g_NopDbgkUnMapViewOfSection.Size ); __asm{ mov eax,cr0 or eax,10000h mov cr0,eax sti } return TRUE; }
我想再囉嗦一下,上面代碼大家看到很多函數有個NOPCode,這個實際上是對付線程PS_CROSS_THREAD_FLAGS_HIDEFROMDBG的,NOP掉相關地方後,就算線程被設置爲ThreadHideFromDebugger也無法阻擋調試器接收調試信息。