终极方法：debugport清零过NP

逍遥公子

1. 
   
2. 绕过inline HOOK对于很多人而言应该不难实现。而主要影响很多人的是debugport清零等东西。
   
3. 让我们改造WRK实现自己的方便调试的内核吧。下次有时间讲intel的vt下的IDT Redirect
   
4. debugport清零免疫与防nprotect断链的改造 文件base\ntos\inc\ps.h中修改EPROCESS结构~
   
5. // Process structure.
   
6. //
   
7. // If you remove a field from this structure, please also
   
8. // remove the reference to it from within the kernel debugger
   
9. // (nt\private\sdktools\ntsd\ntkext.c)
   
10. //
    
11. typedef struct _EPROCESS {
    
12.     KPROCESS Pcb;
    
13.     //
    
14.     // Lock used to protect:
    
15.     // The list of threads in the process.
    
16.     // Process token.
    
17.     // Win32 process field.
    
18.     // Process and thread affinity setting.
    
19.     //
    
20.     EX_PUSH_LOCK ProcessLock;
    
21.     LARGE_INTEGER CreateTime;
    
22.     LARGE_INTEGER ExitTime;
    
23.     //
    
24.     // Structure to allow lock free cross process access to the process
    
25.     // handle table, process section and address space. Acquire rundown
    
26.     // protection with this if you do cross process handle table, process
    
27.     // section or address space references.
    
28.     //
    
29.     EX_RUNDOWN_REF RundownProtect;
    
30.     HANDLE UniqueProcessId;
    
31.     //
    
32.     // Global list of all processes in the system. Processes are removed
    
33.     // from this list in the object deletion routine. References to
    
34.     // processes in this list must be done with ObReferenceObjectSafe
    
35.     // because of this.
    
36.     //
    
37.     LIST_ENTRY FakeActiveProcessLinks;
    
38.     //
    
39.     // Quota Fields.
    
40.     //
    
41.     SIZE_T QuotaUsage[PsQuotaTypes];
    
42.     SIZE_T QuotaPeak[PsQuotaTypes];
    
43.     SIZE_T CommitCharge;
    
44.     //
    
45.     // VmCounters.
    
46.     //
    
47.     SIZE_T PeakVirtualSize;
    
48.     SIZE_T VirtualSize;
    
49.     LIST_ENTRY SessionProcessLinks;
    
50.     PVOID FakeDebugPort;
    
51.     PVOID ExceptionPort;
    
52.     PHANDLE_TABLE ObjectTable;
    
53.     //
    
54.     // Security.
    
55.     //
    
56.     EX_FAST_REF Token;
    
57.     PFN_NUMBER WorkingSetPage;
    
58.     KGUARDED_MUTEX AddressCreationLock;
    
59.     KSPIN_LOCK HyperSpaceLock;
    
60.     struct _ETHREAD *ForkInProgress;
    
61.     ULONG_PTR HardwareTrigger;
    
62.     PMM_AVL_TABLE PhysicalVadRoot;
    
63.     PVOID CloneRoot;
    
64.     PFN_NUMBER NumberOfPrivatePages;
    
65.     PFN_NUMBER NumberOfLockedPages;
    
66.     PVOID Win32Process;
    
67.     struct _EJOB *Job;
    
68.     PVOID SectionObject;
    
69.     PVOID SectionBaseAddress;
    
70.     PEPROCESS_QUOTA_BLOCK QuotaBlock;
    
71.     PPAGEFAULT_HISTORY WorkingSetWatch;
    
72.     HANDLE Win32WindowStation;
    
73.     HANDLE InheritedFromUniqueProcessId;
    
74.     PVOID LdtInformation;
    
75.     PVOID VadFreeHint;
    
76.     PVOID VdmObjects;
    
77.     PVOID DeviceMap;
    
78.     PVOID Spare0[3];
    
79.     union {
    
80.         HARDWARE_PTE PageDirectoryPte;
    
81.         ULONGLONG Filler;
    
82.     };
    
83.     PVOID Session;
    
84.     UCHAR ImageFileName[ 16 ];
    
85.     LIST_ENTRY JobLinks;
    
86.     PVOID LockedPagesList;
    
87.     LIST_ENTRY ThreadListHead;
    
88.     //
    
89.     // Used by rdr/security for authentication.
    
90.     //
    
91.     PVOID SecurityPort;
    
92. #ifdef _WIN64
    
93.     PWOW64_PROCESS Wow64Process;
    
94. #else
    
95.     PVOID PaeTop;
    
96. #endif
    
97.     ULONG ActiveThreads;
    
98.     ACCESS_MASK GrantedAccess;
    
99.     ULONG DefaultHardErrorProcessing;
    
100.     NTSTATUS LastThreadExitStatus;
     
101.     //
     
102.     // Peb
     
103.     //
     
104.     PPEB Peb;
     
105.     //
     
106.     // Pointer to the prefetches trace block.
     
107.     //
     
108.     EX_FAST_REF PrefetchTrace;
     
109.     LARGE_INTEGER ReadOperationCount;
     
110.     LARGE_INTEGER WriteOperationCount;
     
111.     LARGE_INTEGER OtherOperationCount;
     
112.     LARGE_INTEGER ReadTransferCount;
     
113.     LARGE_INTEGER WriteTransferCount;
     
114.     LARGE_INTEGER OtherTransferCount;
     
115.     SIZE_T CommitChargeLimit;
     
116.     SIZE_T CommitChargePeak;
     
117.     PVOID AweInfo;
     
118.     //
     
119.     // This is used for SeAuditProcessCreation.
     
120.     // It contains the full path to the image file.
     
121.     //
     
122.     SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
     
123.     MMSUPPORT Vm;
     
124. #if !defined(_WIN64)
     
125.     LIST_ENTRY MmProcessLinks;
     
126. #else
     
127.     ULONG Spares[2];
     
128. #endif
     
129.     ULONG ModifiedPageCount;
     
130.     #define PS_JOB_STATUS_NOT_REALLY_ACTIVE      0x00000001UL
     
131.     #define PS_JOB_STATUS_ACCOUNTING_FOLDED      0x00000002UL
     
132.     #define PS_JOB_STATUS_NEW_PROCESS_REPORTED   0x00000004UL
     
133.     #define PS_JOB_STATUS_EXIT_PROCESS_REPORTED 0x00000008UL
     
134.     #define PS_JOB_STATUS_REPORT_COMMIT_CHANGES 0x00000010UL
     
135.     #define PS_JOB_STATUS_LAST_REPORT_MEMORY     0x00000020UL
     
136.     #define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES 0x00000040UL
     
137.     ULONG JobStatus;
     
138. 
     
139.     //
     
140.     // Process flags. Use interlocked operations with PS_SET_BITS, etc
     
141.     // to modify these.
     
142.     //
     
143.     #define PS_PROCESS_FLAGS_CREATE_REPORTED        0x00000001UL // Create process debug call has occurred
     
144.     #define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT       0x00000002UL // Don't inherit debug port
     
145.     #define PS_PROCESS_FLAGS_PROCESS_EXITING        0x00000004UL // PspExitProcess entered
     
146.     #define PS_PROCESS_FLAGS_PROCESS_DELETE         0x00000008UL // Delete process has been issued
     
147.     #define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES      0x00000010UL // Wow64 split pages
     
148.     #define PS_PROCESS_FLAGS_VM_DELETED             0x00000020UL // VM is deleted
     
149.     #define PS_PROCESS_FLAGS_OUTSWAP_ENABLED        0x00000040UL // Outswap enabled
     
150.     #define PS_PROCESS_FLAGS_OUTSWAPPED             0x00000080UL // Outswapped
     
151.     #define PS_PROCESS_FLAGS_FORK_FAILED            0x00000100UL // Fork status
     
152.     #define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE     0x00000200UL // Wow64 process with 4gb virtual address space
     
153.     #define PS_PROCESS_FLAGS_ADDRESS_SPACE1         0x00000400UL // Addr space state1
     
154.     #define PS_PROCESS_FLAGS_ADDRESS_SPACE2         0x00000800UL // Addr space state2
     
155.     #define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION   0x00001000UL // SetTimerResolution has been called
     
156.     #define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION   0x00002000UL // Break on process termination
     
157.     #define PS_PROCESS_FLAGS_CREATING_SESSION       0x00004000UL // Process is creating a session
     
158.     #define PS_PROCESS_FLAGS_USING_WRITE_WATCH      0x00008000UL // Process is using the write watch APIs
     
159.     #define PS_PROCESS_FLAGS_IN_SESSION             0x00010000UL // Process is in a session
     
160.     #define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL // Process must use native address space (Win64 only)
     
161.     #define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE      0x00040000UL // This process has an address space
     
162.     #define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED      0x00080000UL // Process launch was prefetched
     
163.     #define PS_PROCESS_INJECT_INPAGE_ERRORS         0x00100000UL // Process should be given inpage errors - hardcoded in trap.asm too
     
164.     #define PS_PROCESS_FLAGS_VM_TOP_DOWN            0x00200000UL // Process memory allocations default to top-down
     
165.     #define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE      0x00400000UL // We have sent a message for this image
     
166.     #define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED      0x00800000UL // The system PDEs need updating for this process (NT32 only)
     
167.     #define PS_PROCESS_FLAGS_VDM_ALLOWED            0x01000000UL // Process allowed to invoke NTVDM support
     
168.     #define PS_PROCESS_FLAGS_SMAP_ALLOWED           0x02000000UL // Process allowed to invoke SMAP support
     
169.     #define PS_PROCESS_FLAGS_CREATE_FAILED          0x04000000UL // Process create failed
     
170.     #define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY    0x38000000UL // The default I/O priority for created threads. (3 bits)
     
171.     #define PS_PROCESS_FLAGS_PRIORITY_SHIFT         27
     
172.    
     
173.     #define PS_PROCESS_FLAGS_EXECUTE_SPARE1         0x40000000UL //
     
174.     #define PS_PROCESS_FLAGS_EXECUTE_SPARE2         0x80000000UL //
     
175. 
     
176.     union {
     
177.         ULONG Flags;
     
178.         //
     
179.         // Fields can only be set by the PS_SET_BITS and other interlocked
     
180.         // macros. Reading fields is best done via the bit definitions so
     
181.         // references are easy to locate.
     
182.         //
     
183.         struct {
     
184.             ULONG CreateReported            : 1;
     
185.             ULONG NoDebugInherit            : 1;
     
186.             ULONG ProcessExiting            : 1;
     
187.             ULONG ProcessDelete             : 1;
     
188.             ULONG Wow64SplitPages           : 1;
     
189.             ULONG VmDeleted                 : 1;
     
190.             ULONG OutswapEnabled            : 1;
     
191.             ULONG Outswapped                : 1;
     
192.             ULONG ForkFailed                : 1;
     
193.             ULONG Wow64VaSpace4Gb           : 1;
     
194.             ULONG AddressSpaceInitialized   : 2;
     
195.             ULONG SetTimerResolution        : 1;
     
196.             ULONG BreakOnTermination        : 1;
     
197.             ULONG SessionCreationUnderway   : 1;
     
198.             ULONG WriteWatch                : 1;
     
199.             ULONG ProcessInSession          : 1;
     
200.             ULONG OverrideAddressSpace      : 1;
     
201.             ULONG HasAddressSpace           : 1;
     
202.             ULONG LaunchPrefetched          : 1;
     
203.             ULONG InjectInpageErrors        : 1;
     
204.             ULONG VmTopDown                 : 1;
     
205.             ULONG ImageNotifyDone           : 1;
     
206.             ULONG PdeUpdateNeeded           : 1;    // NT32 only
     
207.             ULONG VdmAllowed                : 1;
     
208.             ULONG SmapAllowed               : 1;
     
209.             ULONG CreateFailed              : 1;
     
210.             ULONG DefaultIoPriority         : 3;
     
211.             ULONG Spare1                    : 1;
     
212.             ULONG Spare2                    : 1;
     
213.         };
     
214.     };
     
215.     NTSTATUS ExitStatus;
     
216.     USHORT NextPageColor;
     
217.     union {
     
218.         struct {
     
219.             UCHAR SubSystemMinorVersion;
     
220.             UCHAR SubSystemMajorVersion;
     
221.         };
     
222.         USHORT SubSystemVersion;
     
223.     };
     
224.     UCHAR PriorityClass;
     
225.     MM_AVL_TABLE VadRoot;
     
226.     ULONG Cookie;
     
227. 
     
228. PVOID DebugPort;
     
229. LIST_ENTRY ActiveProcessLinks;
     
230. } EPROCESS, *PEPROCESS;
     

复制代码

qq839295616

哈哈哈呵呵

狼六戒

高手，看不懂啊~~~~

xxoo

非常强大，收藏了