A certain P is far too overbearing. Stopping OD from attaching to the processes it protects is understandable, but blocking debugging of every other process is just perverse. It's my machine and I decide; keep being cocky and I'll uninstall you.
I'm not well educated, have no solid foundation, and don't write well. Flame away, everyone... experts, save your breath and just float on by.
Let's start with the failure to attach. It turns out NtDebugActiveProcess() returns 0C0000022h, and that is what stops OD from attaching to the process.
OK, let's trace this function's execution and see where things go wrong.
nt!NtDebugActiveProcess:
80644c82 8bff mov edi,edi
80644c84 55 push ebp
80644c85 8bec mov ebp,esp
80644c87 51 push ecx
80644c88 64a124010000 mov eax,dword ptr fs:[00000124h] // address of the ETHREAD structure
80644c8e 8a8040010000 mov al,byte ptr [eax+140h] // ETHREAD + 140 = KTHREAD.PreviousMode
80644c94 6a00 push 0 [arg: OUT POBJECT_HANDLE_INFORMATION HandleInformation]
80644c96 8845fc mov byte ptr [ebp-4],al
80644c99 8d4508 lea eax,[ebp+8]
80644c9c 50 push eax [arg: OUT PVOID *Object]
80644c9d ff75fc push dword ptr [ebp-4] [arg: IN KPROCESSOR_MODE AccessMode]
80644ca0 ff35b8495680 push dword ptr [nt!PsProcessType (805649b8)] [arg: IN POBJECT_TYPE ObjectType]
80644ca6 6800080000 push 800h [arg: IN ACCESS_MASK DesiredAccess]
80644cab ff7508 push dword ptr [ebp+8] [arg: IN HANDLE Handle]
80644cae e82b78f7ff call nt!ObReferenceObjectByHandle (805bc4de)
80644cb3 85c0 test eax,eax
80644cb5 0f8c8e000000 jl nt!NtDebugActiveProcess+0xc7 (80644d49)
80644cbb 53 push ebx
80644cbc 56 push esi
80644cbd 64a124010000 mov eax,dword ptr fs:[00000124h] // address of the ETHREAD structure
80644cc3 8b7508 mov esi,dword ptr [ebp+8]
80644cc6 3b7044 cmp esi,dword ptr [eax+44h] // _EPROCESS
80644cc9 746e je nt!NtDebugActiveProcess+0xb7 (80644d39)
80644ccb 3b35b4495680 cmp esi,dword ptr [nt!PsInitialSystemProcess (805649b4)]
80644cd1 7466 je nt!NtDebugActiveProcess+0xb7 (80644d39)
80644cd3 6a00 push 0
80644cd5 8d4508 lea eax,[ebp+8]
80644cd8 50 push eax
80644cd9 ff75fc push dword ptr [ebp-4]
80644cdc ff3540a55580 push dword ptr [nt!DbgkDebugObjectType (8055a540)]
80644ce2 6a02 push 2
80644ce4 ff750c push dword ptr [ebp+0Ch] // arg: debug object handle
80644ce7 e8f277f7ff call nt!ObReferenceObjectByHandle (805bc4de) // returns 0C0000022h here
By now it is clear that the problem lies inside nt!ObReferenceObjectByHandle. Let's step into it.
nt!ObReferenceObjectByHandle:
805bc4de 8bff mov edi,edi
805bc4e0 55 push ebp
805bc4e1 8bec mov ebp,esp
805bc4e3 51 push ecx
805bc4e4 53 push ebx
805bc4e5 56 push esi
805bc4e6 57 push edi
805bc4e7 64a124010000 mov eax,dword ptr fs:[00000124h] // address of the ETHREAD structure
805bc4ed 8b5d18 mov ebx,dword ptr [ebp+18h] // OUT PVOID *Object
805bc4f0 33d2 xor edx,edx
805bc4f2 395508 cmp dword ptr [ebp+8],edx // check the handle kind: greater than zero means a user-mode handle
805bc4f5 8bf0 mov esi,eax
805bc4f7 8913 mov dword ptr [ebx],edx
805bc4f9 0f8daa000000 jge nt!ObReferenceObjectByHandle+0xcb (805bc5a9) // jumps straight away here
......................
......................
805bc5a9 8b4644 mov eax,dword ptr [esi+44h] // _EPROCESS
805bc5ac 8b80c4000000 mov eax,dword ptr [eax+0C4h] // _EPROCESS->ObjectTable
805bc5b2 ff7514 push dword ptr [ebp+14h] [arg: AccessMode]
805bc5b5 ff8ed4000000 dec dword ptr [esi+0D4h] // ETHREAD->KTHREAD->KernelApcDisable
805bc5bb ff7508 push dword ptr [ebp+8] [arg: Handle]
805bc5be 8945fc mov dword ptr [ebp-4],eax
805bc5c1 50 push eax [arg: ObjectTable]
805bc5c2 e825340500 call nt!ExMapHandleToPointerEx (8060f9ec) // ExMapHandleToPointerEx(HandleTable, Handle, AccessMode)
805bc5c7 8bf8 mov edi,eax
805bc5c9 85ff test edi,edi
805bc5cb 0f8422010000 je nt!ObReferenceObjectByHandle+0x215 (805bc6f3)
805bc5d1 8b1f mov ebx,dword ptr [edi] // mov OBJECT_HEADER,[TableEntry]
805bc5d3 8b4510 mov eax,dword ptr [ebp+10h] [arg: ObjectType=nt!DbgkDebugObjectType]
805bc5d6 83e3f8 and ebx,0FFFFFFF8h // clear the low 3 bits to get the real OBJECT_HEADER
805bc5d9 394308 cmp dword ptr [ebx+8],eax
805bc5dc 740b je nt!ObReferenceObjectByHandle+0x10b (805bc5e9)
805bc5de 85c0 test eax,eax
805bc5e0 7407 je nt!ObReferenceObjectByHandle+0x10b (805bc5e9)
805bc5e2 bb240000c0 mov ebx,0C0000024h // returns error 0C0000024h
805bc5e7 eb48 jmp nt!ObReferenceObjectByHandle+0x153 (805bc631)
805bc5e9 f605edb7558020 test byte ptr [nt!NtGlobalFlag+0x1 (8055b7ed)],20h
805bc5f0 741a je nt!ObReferenceObjectByHandle+0x12e (805bc60c)
805bc5f2 807d1400 cmp byte ptr [ebp+14h],0 // compare KTHREAD.PreviousMode = 0
805bc5f6 7506 jne nt!ObReferenceObjectByHandle+0x120 (805bc5fe) // jumps here......
805bc5f8 837d1c00 cmp dword ptr [ebp+1Ch],0
805bc5fc 741e je nt!ObReferenceObjectByHandle+0x13e (805bc61c)
805bc5fe 33c0 xor eax,eax
805bc600 668b4704 mov ax,word ptr [edi+4] // TableEntry->GrantedAccessIndex
805bc604 50 push eax
805bc605 e87c150000 call nt!ObpTranslateGrantedAccessIndex (805bdb86)
805bc60a eb0d jmp nt!ObReferenceObjectByHandle+0x13b (805bc619)
805bc60c 8b0d142e5580 mov ecx,dword ptr [nt!ObpAccessProtectCloseBit (80552e14)]
805bc612 8b4704 mov eax,dword ptr [edi+4]
805bc615 f7d1 not ecx
805bc617 23c1 and eax,ecx
805bc619 894510 mov dword ptr [ebp+10h],eax // GrantedAccessIndex, the granted access rights.....
805bc61c 8b4510 mov eax,dword ptr [ebp+10h]
805bc61f f7d0 not eax
805bc621 85450c test dword ptr [ebp+0Ch],eax [DesiredAccess=2H]
805bc624 7419 je nt!ObReferenceObjectByHandle+0x161 (805bc63f) // jumps if it is 2
805bc626 807d1400 cmp byte ptr [ebp+14h],0
805bc62a 7413 je nt!ObReferenceObjectByHandle+0x161 (805bc63f)
805bc62c bb220000c0 mov ebx,0C0000022h // the error happens here......
The analysis shows that TableEntry->GrantedAccessIndex being zero is what prevents OD from attaching.
Where does the debug object's TableEntry->GrantedAccessIndex come from? OBJECT_HEADER->OBJECT_TYPE->ValidAccessMask.
Checking ValidAccessMask confirms it really has been zeroed....
So P achieves its goal by modifying a global structure: it sets DbgkDebugObjectType.ValidAccessMask to zero.
So how do we deal with it? There are plenty of ways:
1: Hook NtDebugActiveProcess, then use the handle to locate the debug object through _EPROCESS->ObjectTable and restore the normal value.
2: Directly patch the argument of NtDebugActiveProcess at 80644ce2 6a02 push 2.
3: Directly patch ObReferenceObjectByHandle at 805bc624 7419 je nt!ObReferenceObjectByHandle+0x161 (805bc63f) into a JMP.
......The above only covers attaching; loading is actually very simple too, with countless methods......
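To make the access decision in the disassembly concrete, here is an added C model (not code from the original post and not Windows source) of the handle-table check that ObReferenceObjectByHandle performs between 805bc5d1 and 805bc62c. The structure layouts are simplified, the debug-object access-bit names (DEBUG_PROCESS_ASSIGN and friends) and the ObpAccessProtectCloseBit value are assumptions taken from public headers, and a debugger is assumed to have created its debug object handle with full access. It replays the request NtDebugActiveProcess makes (DesiredAccess = 2 on a debug object) once with an intact ValidAccessMask and once with the mask zeroed, which is the condition the post found:

```c
/* Added model of the access decision in ObReferenceObjectByHandle as the
 * disassembly shows it. Illustration only: not Windows source; layouts are
 * simplified and the constant names below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* NTSTATUS values seen in the disassembly */
#define STATUS_SUCCESS              0x00000000u
#define STATUS_ACCESS_DENIED        0xC0000022u
#define STATUS_OBJECT_TYPE_MISMATCH 0xC0000024u

/* Debug-object access bits (names/values as in public ntifs-style headers; assumption) */
#define DEBUG_READ_EVENT        0x0001u
#define DEBUG_PROCESS_ASSIGN    0x0002u   /* the "push 2" in NtDebugActiveProcess */
#define DEBUG_SET_INFORMATION   0x0004u
#define DEBUG_QUERY_INFORMATION 0x0008u
#define DEBUG_ALL_ACCESS        0x001F000Fu

/* Bit masked off in the non-NtGlobalFlag path (805bc60c..805bc617); value is an assumption */
#define OBP_ACCESS_PROTECT_CLOSE_BIT 0x02000000u

enum { KernelMode = 0, UserMode = 1 };

typedef struct { uint32_t ValidAccessMask; const char *Name; } OBJECT_TYPE_MODEL;
typedef struct { const OBJECT_TYPE_MODEL *Type; } OBJECT_HEADER_MODEL;
typedef struct { OBJECT_HEADER_MODEL *Object; uint32_t GrantedAccess; } HANDLE_TABLE_ENTRY_MODEL;

/* Handle creation: the granted mask is the requested mask filtered through the
 * object type's ValidAccessMask. With ValidAccessMask == 0 nothing survives. */
static HANDLE_TABLE_ENTRY_MODEL create_handle(OBJECT_HEADER_MODEL *obj, uint32_t requested)
{
    HANDLE_TABLE_ENTRY_MODEL e;
    e.Object = obj;
    e.GrantedAccess = requested & obj->Type->ValidAccessMask;
    return e;
}

/* The decision sequence from 805bc5d1 to 805bc62c */
static uint32_t reference_object_by_handle(const HANDLE_TABLE_ENTRY_MODEL *entry,
                                           uint32_t desired,
                                           const OBJECT_TYPE_MODEL *expected_type,
                                           int previous_mode)
{
    /* cmp [ebx+8],eax / test eax,eax: type mismatch unless no type was requested */
    if (expected_type != NULL && entry->Object->Type != expected_type)
        return STATUS_OBJECT_TYPE_MISMATCH;

    /* GrantedAccess with the protect-close bit masked off */
    uint32_t granted = entry->GrantedAccess & ~OBP_ACCESS_PROTECT_CLOSE_BIT;

    /* not eax / test [DesiredAccess],eax: is any desired bit not granted? */
    if ((desired & ~granted) != 0) {
        /* cmp byte ptr [ebp+14h],0: kernel-mode callers are exempt */
        if (previous_mode != KernelMode)
            return STATUS_ACCESS_DENIED;
    }
    return STATUS_SUCCESS;
}

/* Replays NtDebugActiveProcess's request (DesiredAccess = 2) against a debug
 * object whose type carries the given ValidAccessMask. */
uint32_t attach_status(uint32_t valid_access_mask, int previous_mode)
{
    OBJECT_TYPE_MODEL dbg_type = { valid_access_mask, "DebugObject" };
    OBJECT_HEADER_MODEL obj = { &dbg_type };
    /* assumption: the debugger asked for full access when it created the debug object */
    HANDLE_TABLE_ENTRY_MODEL h = create_handle(&obj, DEBUG_ALL_ACCESS);
    return reference_object_by_handle(&h, DEBUG_PROCESS_ASSIGN, &dbg_type, previous_mode);
}

/* A handle of another type (here a process) passed where a debug object is expected */
uint32_t wrong_type_status(void)
{
    OBJECT_TYPE_MODEL dbg_type = { DEBUG_ALL_ACCESS, "DebugObject" };
    OBJECT_TYPE_MODEL proc_type = { 0x001FFFFFu, "Process" };
    OBJECT_HEADER_MODEL proc = { &proc_type };
    HANDLE_TABLE_ENTRY_MODEL h = create_handle(&proc, 0x001FFFFFu);
    return reference_object_by_handle(&h, DEBUG_PROCESS_ASSIGN, &dbg_type, UserMode);
}

int main(void)
{
    printf("intact ValidAccessMask, user mode  : 0x%08X\n", attach_status(DEBUG_ALL_ACCESS, UserMode));
    printf("zeroed ValidAccessMask, user mode  : 0x%08X\n", attach_status(0, UserMode));
    printf("zeroed ValidAccessMask, kernel mode: 0x%08X\n", attach_status(0, KernelMode));
    printf("process handle passed as debug obj : 0x%08X\n", wrong_type_status());
    return 0;
}
```

The second case is the one from the post: once ValidAccessMask is zero, every handle to a debug object is created with GrantedAccess = 0, so the `test DesiredAccess, ~GrantedAccess` at 805bc621 is non-zero and a user-mode caller gets 0C0000022h. The third case shows why the `cmp byte ptr [ebp+14h],0` matters: a kernel-mode PreviousMode skips the denial, which is exactly the branch at 805bc62a.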