首页
论坛
专栏
课程

攻破 Window AMD64 平台的 PatchGuard - 让 PatchGuard Context 失效

2018-11-27 22:37 2105

攻破 Window AMD64 平台的 PatchGuard - 让 PatchGuard Context 失效

2018-11-27 22:37
2105
        前文说到如何找到加密的 PatchGuard Context, 先来看一下 CmpAppendDllSection (window 10 build 10.0.17763.1) 函数 :
从函数内部,很轻易的就可以分析出头部的地址的计算方法, Context + *(LONG*)(Context + 7e8h(各版本不同)), 再来看一下入口函数:
这里可以看到 14034eed 这里请了DR7 寄存器, 让硬件断点失效, 所以调试的时候硬件断点要放在这个地址之前, 再来看一下结尾部分的代码:

函数在结束的时候进入了SdbpCheckDll,
这个函数什么也没做, 就是把栈和寄存器清空了.

       看过很多别出心裁的方法让 PatchGuard  失效, 我使用的方法比较简单, 直接HOOK入口点让代码正常返回, 这里有两种情况, 先看一下版本号小于 17134, 没有开启btc的情况 :
VOID
NTAPI
SetNewEntryForEncryptedContext(
    __inout PPATCHGUARD_BLOCK PatchGuardBlock,
    __in PVOID PatchGuardContext,
    __in ULONG64 RorKey
)
{
    ULONG64 LastRorKey = 0;
    ULONG RvaOfEntry = 0;
    ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 };
    ULONG FieldIndex = 0;
    ULONG Index = 0;
    PCHAR ControlPc = NULL;

    // 这里先取 RVA 的偏移, 8字节对齐, 计算密钥的加密次数

    FieldIndex = (PatchGuardBlock->RvaOffsetOfEntry -
        PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64);

    // 复制到缓存中

    RtlCopyMemory(
        FieldBuffer,
        (PCHAR)PatchGuardContext + (PatchGuardBlock->RvaOffsetOfEntry & ~7),
        sizeof(FieldBuffer));

    // 计算缓存的最后一个密钥

    LastRorKey = RorKey;

    for (Index = 0;
        Index < FieldIndex;
        Index++) {
        LastRorKey = __ROL64(LastRorKey, Index);
    }

    // 解密缓存

    for (Index = 0;
        Index < RTL_NUMBER_OF(FieldBuffer);
        Index++) {
        LastRorKey = __ROL64(LastRorKey, FieldIndex + Index);
        FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
    }

    // 计算入口的地址

    RvaOfEntry = *(PULONG)((PCHAR)FieldBuffer + (PatchGuardBlock->RvaOffsetOfEntry & 7));

    //  计算密钥的加密次数

    FieldIndex = (RvaOfEntry - PatchGuardBlock->SizeOfCmpAppendDllSection) / sizeof(ULONG64);

    // 复制入口的代码到缓存 这里考虑到对齐 需要最少 24 个字节

    RtlCopyMemory(
        FieldBuffer,
        (PCHAR)PatchGuardContext + (RvaOfEntry & ~7),
        sizeof(FieldBuffer));

    // 计算缓存的最后一个密钥

    LastRorKey = RorKey;

    for (Index = 0;
        Index < FieldIndex;
        Index++) {
        LastRorKey = __ROL64(LastRorKey, Index);
    }

    // 解密缓存

    for (Index = 0;
        Index < RTL_NUMBER_OF(FieldBuffer);
        Index++) {
        LastRorKey = __ROL64(LastRorKey, FieldIndex + Index);
        FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
    }

    // 生成 HOOK 代码 "\xff\x25\x00\x00\x00\x00"

    ControlPc = (PCHAR)FieldBuffer + (RvaOfEntry & 7);

    BuildJumpCode(
        PatchGuardBlock->_ClearEncryptedContext._ShellCode,
        &ControlPc);

	// 重新加密缓存
	
    while (Index--) {
        FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey;
        LastRorKey = __ROR64(LastRorKey, FieldIndex + Index);
    }

	// 替换掉原始加密数据
	
    RtlCopyMemory(
        (PCHAR)PatchGuardContext + (RvaOfEntry & ~7),
        FieldBuffer,
        sizeof(FieldBuffer));
}

在 17134 版本之后由于 RVA 被加密, 并且无法正常加密 CONTEXT, 所以我采用了另外一种方法去找入口点, 方法类似上文找Context 的方法, 由4个Field 碰撞成功已经可以确认这是一个 PatchGuard 的 Context, 继续用入口点的真实代码去碰撞这段内存, 就可以100% 命中.
下面看代码,
 
VOID
NTAPI
SetNewEntryForEncryptedWithBtcContext(
    __inout PPATCHGUARD_BLOCK PatchGuardBlock,
    __in PVOID PatchGuardContext,
    __in SIZE_T ContextSize
)
{
    ULONG64 RorKey = 0;
    ULONG64 LastRorKey = 0;
    ULONG LastRorKeyOffset = 0;
    ULONG64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 };
    ULONG FieldIndex = 0;
    ULONG AlignOffset = 0;
    ULONG Index = 0;
    PULONG64 ControlPc = NULL;
    PULONG64 TargetPc = NULL;
    ULONG CompareCount = 0;

	// 由于头部的第一个字节可能不对齐 所以我们最多可能需要循环 7 次

    CompareCount = (ContextSize - PatchGuardBlock->SizeOfCmpAppendDllSection) / 8 - 1;

    for (AlignOffset = 0;
        AlignOffset < 8;
        AlignOffset++) {
        ControlPc = (PULONG64)((PCHAR)PatchGuardBlock->EntryPoint + AlignOffset);
        TargetPc = (PULONG64)((PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection);

        for (Index = 0;
            Index < CompareCount;
            Index++) {
            RorKey = TargetPc[Index + 1] ^ ControlPc[1];
            LastRorKey = RorKey;
            RorKey = __ROR64(RorKey, Index + 1);
            RorKey = _btc64(RorKey, RorKey);

            if ((TargetPc[Index] ^ RorKey) == ControlPc[0]) {
                // 命中数据

                goto found;
            }
        }
    }

found:
    // 判断没有没命中 当然这几乎不太可能发生
	
    if (Index != CompareCount) {
        // 计算对齐点
	
        FieldIndex = Index - (0 == (AlignOffset & 7) ? 0 : 1);
        LastRorKeyOffset = 2 + (0 == (AlignOffset & 7) ? 0 : 1);

        // 复制代码到缓存
	
        RtlCopyMemory(
            FieldBuffer,
            (PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8,
            sizeof(FieldBuffer));

        // 解密缓存代码
	
        RorKey = LastRorKey;
        Index = LastRorKeyOffset;

        while (Index--) {
            FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey;
            RorKey = __ROR64(RorKey, FieldIndex + Index);
            RorKey = _btc64(RorKey, RorKey);
        }

        // 生成 HOOK 代码
	
        ControlPc = (PCHAR)FieldBuffer + 8 - AlignOffset;

        BuildJumpCode(
            PatchGuardBlock->_ClearEncryptedContext._ShellCode,
            &ControlPc);

        // 重新加密代码
	
        RorKey = LastRorKey;
        Index = LastRorKeyOffset;

        while (Index--) {
            FieldBuffer[Index] = FieldBuffer[Index] ^ RorKey;
            RorKey = __ROR64(RorKey, FieldIndex + Index);
            RorKey = _btc64(RorKey, RorKey);
        }

        // 写回去
	
        RtlCopyMemory(
            (PCHAR)PatchGuardContext + PatchGuardBlock->SizeOfCmpAppendDllSection + FieldIndex * 8,
            FieldBuffer,
            sizeof(FieldBuffer));
    }
}

        再来看一下HOOK后的操作 :
        add rsp, 30h
        ret

        讲下这里 为啥是 30h, 入口是从CmpAppendDllSection 进入的 入口代码是 :
        sub rsp, 28h
        call rax

      28h + call 压入的ret 地址 刚好是30h 这样就返回了上层调用函数, 因为PatchGuard 实际上什么也没干所以直接就可以返回了, 到这里加密 Context 部分的操作要点基本就说完了, 当 Context 已经解密并且已经在执行的时候应该怎么办, 这个留到下节再说. 最后我在贴一个DPC 触发异常进入CmpAppendDllSection 的代码, 当然只是10种解密中的一个, 有兴趣可以调试看看:
.text:00000001401CA89A                                                 ExpCenturyDpcRoutine$fin$0:             ; DATA XREF: .rdata:00000001403D09AC↓o
.text:00000001401CA89A                                                                                         ; .pdata:000000014047B220↓o
.text:00000001401CA89A                                                 ;   __finally // owned by 14015AABE
.text:00000001401CA89A 40 53                                                           push    rbx
.text:00000001401CA89C 55                                                              push    rbp
.text:00000001401CA89D 48 83 EC 38                                                     sub     rsp, 38h
.text:00000001401CA8A1 48 8B EA                                                        mov     rbp, rdx
.text:00000001401CA8A4 88 4D 50                                                        mov     [rbp+50h], cl
.text:00000001401CA8A7 84 C9                                                           test    cl, cl
.text:00000001401CA8A9 0F 84 0E 02 00 00                                               jz      loc_1401CAABD
.text:00000001401CA8AF E9 36 01 00 00                                                  jmp     loc_1401CA9EA
.text:00000001401CA8B4                                                 ; ---------------------------------------------------------------------------
.text:00000001401CA8B4
.text:00000001401CA8B4                                                 loc_1401CA8B4:                          ; CODE XREF: ExpCenturyDpcRoutine+7004C↓j
.text:00000001401CA8B4 45 33 D2                                                        xor     r10d, r10d
.text:00000001401CA8B7 44 89 55 54                                                     mov     [rbp+54h], r10d
.text:00000001401CA8BB 48 8B 5D 38                                                     mov     rbx, [rbp+38h]
.text:00000001401CA8BF
.text:00000001401CA8BF                                                 loc_1401CA8BF:                          ; CODE XREF: ExpCenturyDpcRoutine+6FF1F↓j
.text:00000001401CA8BF 4D 8B 01                                                        mov     r8, [r9]
.text:00000001401CA8C2 4C 89 85 18 01 00 00                                            mov     [rbp+118h], r8
.text:00000001401CA8C9 49 8B D0                                                        mov     rdx, r8
.text:00000001401CA8CC 48 8B 05 95 AD 2F 00                                            mov     rax, cs:KiWaitNever
.text:00000001401CA8D3 48 33 D0                                                        xor     rdx, rax
.text:00000001401CA8D6 8B C8                                                           mov     ecx, eax
.text:00000001401CA8D8 48 D3 C2                                                        rol     rdx, cl
.text:00000001401CA8DB 48 33 D3                                                        xor     rdx, rbx
.text:00000001401CA8DE 48 0F CA                                                        bswap   rdx
.text:00000001401CA8E1 48 33 15 80 AF 2F 00                                            xor     rdx, cs:KiWaitAlways
.text:00000001401CA8E8 49 89 11                                                        mov     [r9], rdx
.text:00000001401CA8EB 41 8B C2                                                        mov     eax, r10d
.text:00000001401CA8EE 49 0F AF C3                                                     imul    rax, r11
.text:00000001401CA8F2 48 03 C2                                                        add     rax, rdx
.text:00000001401CA8F5 49 89 01                                                        mov     [r9], rax
.text:00000001401CA8F8 41 8B C8                                                        mov     ecx, r8d
.text:00000001401CA8FB F7 D1                                                           not     ecx
.text:00000001401CA8FD 83 E1 3F                                                        and     ecx, 3Fh
.text:00000001401CA900 B8 C8 00 00 00                                                  mov     eax, 0C8h
.text:00000001401CA905 41 2B C2                                                        sub     eax, r10d
.text:00000001401CA908 41 0F AF C2                                                     imul    eax, r10d
.text:00000001401CA90C 48 D3 C8                                                        ror     rax, cl
.text:00000001401CA90F 48 33 D8                                                        xor     rbx, rax
.text:00000001401CA912 48 89 5D 38                                                     mov     [rbp+38h], rbx
.text:00000001401CA916 41 83 E0 3F                                                     and     r8d, 3Fh
.text:00000001401CA91A 41 8A C8                                                        mov     cl, r8b
.text:00000001401CA91D 48 D3 C3                                                        rol     rbx, cl
.text:00000001401CA920 48 89 5D 38                                                     mov     [rbp+38h], rbx
.text:00000001401CA924 49 03 DB                                                        add     rbx, r11
.text:00000001401CA927 48 89 5D 38                                                     mov     [rbp+38h], rbx
.text:00000001401CA92B 45 33 C0                                                        xor     r8d, r8d
.text:00000001401CA92E 44 89 45 58                                                     mov     [rbp+58h], r8d
.text:00000001401CA932
.text:00000001401CA932                                                 loc_1401CA932:                          ; CODE XREF: ExpCenturyDpcRoutine+6FF0A↓j
.text:00000001401CA932 41 0F B6 01                                                     movzx   eax, byte ptr [r9]
.text:00000001401CA936 83 E0 0F                                                        and     eax, 0Fh
.text:00000001401CA939 0F B6 54 05 40                                                  movzx   edx, byte ptr [rbp+rax+40h]
.text:00000001401CA93E 49 83 21 F0                                                     and     qword ptr [r9], 0FFFFFFFFFFFFFFF0h
.text:00000001401CA942 49 0B 11                                                        or      rdx, [r9]
.text:00000001401CA945 49 89 11                                                        mov     [r9], rdx
.text:00000001401CA948 48 C1 CA 04                                                     ror     rdx, 4
.text:00000001401CA94C 49 89 11                                                        mov     [r9], rdx
.text:00000001401CA94F 41 FF C0                                                        inc     r8d
.text:00000001401CA952 44 89 45 58                                                     mov     [rbp+58h], r8d
.text:00000001401CA956 41 83 F8 10                                                     cmp     r8d, 10h
.text:00000001401CA95A 72 D6                                                           jb      short loc_1401CA932
.text:00000001401CA95C 49 83 C1 08                                                     add     r9, 8
.text:00000001401CA960 4C 89 4D 60                                                     mov     [rbp+60h], r9
.text:00000001401CA964 41 FF C2                                                        inc     r10d
.text:00000001401CA967 44 89 55 54                                                     mov     [rbp+54h], r10d
.text:00000001401CA96B 41 83 FA 19                                                     cmp     r10d, 19h
.text:00000001401CA96F 0F 82 4A FF FF FF                                               jb      loc_1401CA8BF
.text:00000001401CA975 48 B9 F5 6F 1B AD 5F 93 44 62                                   mov     rcx, 6244935FAD1B6FF5h
.text:00000001401CA97F 49 8B 03                                                        mov     rax, [r11]
.text:00000001401CA982 48 33 C1                                                        xor     rax, rcx
.text:00000001401CA985 48 89 45 38                                                     mov     [rbp+38h], rax
.text:00000001401CA989 48 8B 45 38                                                     mov     rax, [rbp+38h]
.text:00000001401CA98D 48 B9 DB 27 2A BC 17 A2 15 6A                                   mov     rcx, 6A15A217BC2A27DBh
.text:00000001401CA997 48 33 C1                                                        xor     rax, rcx
.text:00000001401CA99A 48 89 45 38                                                     mov     [rbp+38h], rax
.text:00000001401CA99E 41 C6 03 2E                                                     mov     byte ptr [r11], 2Eh		; 写入 CmpAppendDllSection 头部4字节解密数据
.text:00000001401CA9A2 41 C6 43 01 48                                                  mov     byte ptr [r11+1], 48h
.text:00000001401CA9A7 41 C6 43 02 31                                                  mov     byte ptr [r11+2], 31h
.text:00000001401CA9AC 41 C6 43 03 11                                                  mov     byte ptr [r11+3], 11h
.text:00000001401CA9B1 45 33 C9                                                        xor     r9d, r9d
.text:00000001401CA9B4 45 33 C0                                                        xor     r8d, r8d
.text:00000001401CA9B7 48 8B 55 38                                                     mov     rdx, [rbp+38h]
.text:00000001401CA9BB 49 8B CB                                                        mov     rcx, r11
.text:00000001401CA9BE 49 8B C3                                                        mov     rax, r11
.text:00000001401CA9C1 E8 4A ED FE FF                                                  call    _guard_dispatch_icall ;这里进入 CmpAppendDllSection
.text:00000001401CA9C6 C7 45 5C 01 00 00 00                                            mov     dword ptr [rbp+5Ch], 1
.text:00000001401CA9CD 8B 45 30                                                        mov     eax, [rbp+30h]
.text:00000001401CA9D0 83 C0 02                                                        add     eax, 2
.text:00000001401CA9D3 89 45 30                                                        mov     [rbp+30h], eax
.text:00000001401CA9D6 48 8D 15 FD 00 F9 FF                                            lea     rdx, loc_14015AADA
.text:00000001401CA9DD 48 8B 8D 38 01 00 00                                            mov     rcx, [rbp+138h]
.text:00000001401CA9E4 E8 77 42 FC FF                                                  call    _local_unwind
.text:00000001401CA9E9 90                                                              nop
.text:00000001401CA9EA
.text:00000001401CA9EA                                                 loc_1401CA9EA:                          ; CODE XREF: ExpCenturyDpcRoutine+6FE5F↑j
.text:00000001401CA9EA 8B 45 30                                                        mov     eax, [rbp+30h]
.text:00000001401CA9ED 83 F8 02                                                        cmp     eax, 2
.text:00000001401CA9F0 0F 85 AB 00 00 00                                               jnz     loc_1401CAAA1
.text:00000001401CA9F6 48 8B 8D CA 00 00 00                                            mov     rcx, [rbp+0CAh]
.text:00000001401CA9FD 48 89 8D E8 00 00 00                                            mov     [rbp+0E8h], rcx
.text:00000001401CAA04 4C 8B 85 C2 00 00 00                                            mov     r8, [rbp+0C2h]
.text:00000001401CAA0B 48 8B 85 CA 00 00 00                                            mov     rax, [rbp+0CAh]
.text:00000001401CAA12 48 89 85 00 01 00 00                                            mov     [rbp+100h], rax
.text:00000001401CAA19 48 8B 55 7A                                                     mov     rdx, [rbp+7Ah]
.text:00000001401CAA1D 49 D3 C8                                                        ror     r8, cl
.text:00000001401CAA20 8B C8                                                           mov     ecx, eax
.text:00000001401CAA22 48 D3 C2                                                        rol     rdx, cl
.text:00000001401CAA25 4C 8B 5A 40                                                     mov     r11, [rdx+40h]
.text:00000001401CAA29 4C 89 5D 38                                                     mov     [rbp+38h], r11
.text:00000001401CAA2D 4D 33 D8                                                        xor     r11, r8
.text:00000001401CAA30 48 B8 00 00 00 00 00 80 FF FF                                   mov     rax, 0FFFF800000000000h
.text:00000001401CAA3A 4C 0B D8                                                        or      r11, rax
.text:00000001401CAA3D 4C 89 9D 10 01 00 00                                            mov     [rbp+110h], r11
.text:00000001401CAA44 4D 8B CB                                                        mov     r9, r11
.text:00000001401CAA47 4C 89 5D 60                                                     mov     [rbp+60h], r11
.text:00000001401CAA4B 41 8B CB                                                        mov     ecx, r11d
.text:00000001401CAA4E 83 E1 3F                                                        and     ecx, 3Fh
.text:00000001401CAA51 49 8B C3                                                        mov     rax, r11
.text:00000001401CAA54 48 D3 C8                                                        ror     rax, cl
.text:00000001401CAA57 48 89 45 38                                                     mov     [rbp+38h], rax
.text:00000001401CAA5B C7 45 40 09 0A 0C 01                                            mov     dword ptr [rbp+40h], 10C0A09h
.text:00000001401CAA62 C7 45 44 0F 00 05 0E                                            mov     dword ptr [rbp+44h], 0E05000Fh
.text:00000001401CAA69 C7 45 48 04 03 07 0D                                            mov     dword ptr [rbp+48h], 0D070304h
.text:00000001401CAA70 C7 45 4C 08 06 02 0B                                            mov     dword ptr [rbp+4Ch], 0B020608h
.text:00000001401CAA77 33 D2                                                           xor     edx, edx
.text:00000001401CAA79 89 55 54                                                        mov     [rbp+54h], edx
.text:00000001401CAA7C 8B C2                                                           mov     eax, edx
.text:00000001401CAA7E 4C 8D 45 40                                                     lea     r8, [rbp+40h]
.text:00000001401CAA82 4C 03 C0                                                        add     r8, rax
.text:00000001401CAA85
.text:00000001401CAA85                                                 loc_1401CAA85:                          ; CODE XREF: ExpCenturyDpcRoutine+7004A↓j
.text:00000001401CAA85 41 8A 08                                                        mov     cl, [r8]
.text:00000001401CAA88 83 F1 09                                                        xor     ecx, 9
.text:00000001401CAA8B 88 4C 15 40                                                     mov     [rbp+rdx+40h], cl
.text:00000001401CAA8F FF C2                                                           inc     edx
.text:00000001401CAA91 89 55 54                                                        mov     [rbp+54h], edx
.text:00000001401CAA94 49 FF C0                                                        inc     r8
.text:00000001401CAA97 83 FA 10                                                        cmp     edx, 10h
.text:00000001401CAA9A 72 E9                                                           jb      short loc_1401CAA85
.text:00000001401CAA9C E9 13 FE FF FF                                                  jmp     loc_1401CA8B4
.text:00000001401CAAA1                                                 ; ---------------------------------------------------------------------------
.text:00000001401CAAA1
.text:00000001401CAAA1                                                 loc_1401CAAA1:                          ; CODE XREF: ExpCenturyDpcRoutine+6FFA0↑j
.text:00000001401CAAA1 48 8B 85 CA 00 00 00                                            mov     rax, [rbp+0CAh]
.text:00000001401CAAA8 48 89 85 40 01 00 00                                            mov     [rbp+140h], rax
.text:00000001401CAAAF 48 8B 95 C2 00 00 00                                            mov     rdx, [rbp+0C2h]
.text:00000001401CAAB6 8B C8                                                           mov     ecx, eax
.text:00000001401CAAB8 48 D3 CA                                                        ror     rdx, cl
.text:00000001401CAABB 8B 02                                                           mov     eax, [rdx]
.text:00000001401CAABD
.text:00000001401CAABD                                                 loc_1401CAABD:                          ; CODE XREF: ExpCenturyDpcRoutine+6FE59↑j
.text:00000001401CAABD 48 83 C4 38                                                     add     rsp, 38h
.text:00000001401CAAC1 5D                                                              pop     rbp
.text:00000001401CAAC2 5B                                                              pop     rbx
.text:00000001401CAAC3 C3                                                              retn

源码 :Shark


[推荐]看雪企服平台,提供安全分析、定制项目开发、APP等级保护、渗透测试等安全服务!

上一主题 下一主题
最新回复 (29)
刘铠文 2018-11-27 22:42
2
1
沙发
最后于 2018-11-27 22:43 被刘铠文编辑 ,原因:
小艾 2018-11-27 22:44
3
1
补充一下, 因为 Context 是接力式触发, 所以打断之后就不会有下文了.
FANTASYING 2018-11-27 23:10
4
1
飞哥牛批
Foodie 2018-11-27 23:10
5
1
学习
qdjytony 2018-11-27 23:22
6
1
顶飞哥.
二娃 2018-11-27 23:24
7
1
飞总牛逼
sxpp 1 2018-11-28 00:24
8
1
飞总牛逼
HlccFu 2018-11-28 08:30
9
1
流弊
感谢楼主分享
万剑归宗 1 2018-11-28 08:42
10
1
joker陈 2018-11-28 09:21
11
1
飞总牛逼
hzqst 3 2018-11-28 11:10
12
2
一大群某地科学家大手子正在路上。。。
(ps:据最新消息已经有大手子用上了)
Tennn 5 2018-11-28 11:40
13
0
支持一个。现在天天加班周末也加。都没业余时间搞了驱动玩了 
yy虫子yy 2018-11-30 02:02
14
0
CmpAppendDllSection直接返回就不用计算入口了,可行?
hzqst 3 2018-11-30 10:41
15
0
yy虫子yy CmpAppendDllSection直接返回就不用计算入口了,可行?
前面说了,CmpAppendDllSection本身双加密了,暴力搜索搜不到的
wowocock 1 2018-11-30 11:09
16
0
你们再这样下去估计微软要在VT 中使用EPT来保护他的PATCHGUARD代码了。
hzqst 3 2018-11-30 14:56
17
0
wowocock 你们再这样下去估计微软要在VT 中使用EPT来保护他的PATCHGUARD代码了。
DeviceGuard了解一下
小光前辈 2018-12-4 20:50
18
0
流弊
感谢楼主分享
黑洛 2019-1-19 01:45
19
0
hzqst 一大群某地科学家大手子正在路上。。。 (ps:据最新消息已经有大手子用上了)
不止某地,拆迁6也有人用上了。 
如斯咩咩咩 2019-1-19 03:59
20
0
飞哥牛逼
JACK李冰 2019-1-20 14:29
21
0
又可以抄代码了
小乔xiaoqiao 5天前
22
0
我在win8.1 9600.17415上面,用楼主的方法搜到了上下文,+0xc8处的函数指针数组也对的上,可是按照偏移计算出来的入口点处的指令和PatchGuardEntryPoint匹配不上。甚至解密整个上下文后,去搜索PatchGuardEntryPoint头部指令都搜索不到。有人遇到过类似的情况吗
小艾 5天前
23
0
小乔xiaoqiao 我在win8.1 9600.17415上面,用楼主的方法搜到了上下文,+0xc8处的函数指针数组也对的上,可是按照偏移计算出来的入口点处的指令和PatchGuardEntryPoint匹配不上。甚至解 ...
如果是乱码 看看是不是ror的计算次数搞错了 另外PatchGuardEntryPoint 这段搜索代码 是从ntos文件中获取的
小乔xiaoqiao 5天前
24
0
小艾 如果是乱码 看看是不是ror的计算次数搞错了 另外PatchGuardEntryPoint 这段搜索代码 是从ntos文件中获取的
win8.1 9600.17415上面,PatchGuardEntryPoint相对于上下文的RVA是存在上下文+0x420处,在0x424和0x428处还存了RtlLookupFunctionEntryEx和FsRtlUninitializeSmallMcb相对于上下文的RVA。我每次解密上下文,这三处的值都是固定不变的,这说明我的ROR计算次数应该没问题。PatchGuardEntryPoint的头部指令也是从ntos中重新提取的。
小艾 5天前
25
0
小乔xiaoqiao win8.1 9600.17415上面,PatchGuardEntryPoint相对于上下文的RVA是存在上下文+0x420处,在0x424和0x428处还存了RtlLookupFunctionEnt ...
这就不太清楚了 根据RVA算下地址看看 会不会是已经被修改了
小乔xiaoqiao 5天前
26
0
小艾 这就不太清楚了 根据RVA算下地址看看 会不会是已经被修改了
这个可能性是存在的,但是没有一次能找到入口点这就有点说不过去了。我用同样的方式,在win7上可以找到入口点,但是在win10 16299上又找不到了(和win8.1 9600现象一样)。我甚至将key 多或少 ror了几次,依然找不到入口点。我在win8.1 9600.17415上的入口点RVA是0xb36e或0xb35e,win10 16299.15上的入口点RVA是0x18483。你在自己的机器上,和我的这些数据出入大不大?
小艾 4天前
27
0
小乔xiaoqiao 这个可能性是存在的,但是没有一次能找到入口点这就有点说不过去了。我用同样的方式,在win7上可以找到入口点,但是在win10 16299上又找不到了(和win8.1 9600现象一样)。我甚至将key ...
自己调试吧 调试工具又不是给你看的
小乔xiaoqiao 4天前
28
0
小艾 自己调试吧 调试工具又不是给你看的
请教下,该怎么过它的调试检测?
小艾 4天前
29
0
先搜索 然后在入口处下硬件断点
小乔xiaoqiao 3天前
30
0
小艾 先搜索 然后在入口处下硬件断点
谢谢指教。我调了下,跟我解密出来的入口点RVA是一致的。但是我只在刚开机后的2分钟内搜索到过正确的入口点,其余时候解密出来的上下文中的入口点都不正确。不知道有什么好的方式没。
游客
登录 | 注册 方可回帖
返回