
OD/CE 过掉TMD壳附加检查

恢复OD进程附加原理

1、恢复DbgBreakPoint和DbgUiRemoteBreakin被HOOK代码

//由于我是使用ntdll SDK,可直接使用NTDLL中的API,如果你们不能使用,直接用GetProcAddress获取API

注意该处的修复,自己可以写个HOOK,放到LoadLibrary,每次加载DLL时候,就处理一次,防止某些DLL还有TMD壳,又会被恢复

ntdll->DbgBreakPoint 被TMD壳修改为 retn (0xC3)

// Restore the first byte of ntdll!DbgBreakPoint to int3 (0xCC); the page states
// the protector replaced it with retn (0xC3). The write goes to the ntdll image
// mapped in this process, after making that one byte writable.
// NOTE(review): the VirtualProtect result is not checked, and the original
// protection is never restored, so the page stays PAGE_EXECUTE_READWRITE.
DWORD lpflOldProtect;

LPVOID ulAddress
= DbgBreakPoint; // direct symbol reference via the ntdll import library (see the note above this snippet)

VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpflOldProtect);

*(BYTE*)(ulAddress) =
0xCC; // int3

ntdll->DbgUiRemoteBreakin 被TMD修改为JMP LdrShutdownProcess 

// Restore the first five bytes of ntdll!DbgUiRemoteBreakin; the page states the
// protector replaced them with a JMP to LdrShutdownProcess. 0x6A is the opcode
// of push imm8; the DWORD that follows is presumably the rest of the original
// prologue. NOTE(review): these literal bytes belong to one specific ntdll
// build and are not compared against anything here -- on a different build
// they corrupt the function instead of restoring it.
// NOTE(review): `lpProtect` is not declared in this snippet (the first snippet
// uses `lpflOldProtect`), the first line lacks its semicolon, and VirtualProtect
// is asked to unprotect 1 byte while 5 bytes are written.
ulAddress = DbgUiRemoteBreakin

VirtualProtect(ulAddress,1,PAGE_EXECUTE_READWRITE,&lpProtect);

*(BYTE*)(ulAddress) =
0x6A; // push imm8

*(DWORD*)((BYTE*)ulAddress+1)= 0xFC686808; // bytes +1..+4, written as one little-endian DWORD

2、修复允许CE的附加

第一步虽然修复了允许附加,但TMD壳本身还自带线程检查ANTI,所以我们要终止掉这些线程

// Opens the thread with id `szThreadId`, queries its Win32 start address and
// resolves the name of the image mapped at that address in this process.
// Parameters: szModuleName - caller's buffer, filled with up to MAX_PATH chars;
// szThreadId - a thread id (despite the `sz` prefix it is a DWORD);
// StartAddress - out, the thread's start address; hThread - out, the opened
// thread handle. Ownership: on TRUE the caller owns hThread; on FALSE the
// handle has already been closed (or was never opened).
// NOTE(review): GetMappedFileNameA returns a DWORD (0 on failure), so `>= 0`
// is always true -- a failed lookup is reported as TRUE with szModuleName
// left unwritten.
BOOL WINAPI _AhnHS_GetThreadModuleName(char* szModuleName,DWORD szThreadId,LPVOID & StartAddress,HANDLE & hThread)

{
hThread
= OpenThread(THREAD_ALL_ACCESS, FALSE, szThreadId); // full access: the caller later passes this handle to TerminateThread

if (!hThread) return FALSE;

LONG status
= ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &StartAddress, sizeof(StartAddress), NULL);
if(status <0) // NTSTATUS error codes have the sign bit set
{
CloseHandle(hThread);
SetLastError(RtlNtStatusToDosError(status)); // expose the NTSTATUS through GetLastError()
return FALSE;
}

// Runs in-process: look up the image mapped at StartAddress in our own address space.
return (GetMappedFileNameA(GetCurrentProcess(), StartAddress, szModuleName, MAX_PATH)>=0) ? TRUE : FALSE;

}

// Walks every thread of the current process and terminates those whose start
// address maps to this process's main executable but lies outside the range
// between the first and second section starts -- the original comment calls
// these the protector's "other check threads". The thread whose id equals
// AntiHookGetMainThreadId() is always kept.
// Runs in-process; depends on _AhnHS_GetThreadModuleName (above) and on
// AntiHookGetModuleInfo()/AntiHookGetMainThreadId(), which are not on this page.
// NOTE(review): `context` and `dwRet` are unused; Thread32First's result is
// never checked; the `continue` after the section-range test skips
// CloseHandle(hThread), leaking one handle per kept thread; the (DWORD) casts
// of pointers truncate on 64-bit; pSection[1] is read without checking the
// section count. TerminateThread ends the target with no chance to release
// locks or other resources it holds.
void WINAPI _AhnHS_PassThreadByTMD()

{
HANDLE hThreadSnap , hThread; // hThread is (re)assigned by _AhnHS_GetThreadModuleName on each iteration
THREADENTRY32 te32
= {0};
CONTEXT    context
= {0}; // unused

hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // snapshot of all threads system-wide
if ( hThreadSnap == INVALID_HANDLE_VALUE )
return;

memset(&te32, 0, sizeof(THREADENTRY32)); // redundant with the = {0} initializer above
te32.dwSize
= sizeof(THREADENTRY32);

BOOL dwRet
= Thread32First(hThreadSnap, &te32); // result unused
DWORD dwCurrentProcessId
= GetCurrentProcessId();

do
{
// Threads of other processes: no handle was opened, so plain continue is fine.
if (te32.th32OwnerProcessID != dwCurrentProcessId) continue;

char szModuleFileName[MAX_PATH];
LPVOID
StartAddress;

// On FALSE the helper has already closed hThread.
if(!_AhnHS_GetThreadModuleName(szModuleFileName,te32.th32ThreadID,StartAddress,hThread)) continue;

// Base name of the image the thread started in.
char* pszName
= (strrchr(szModuleFileName,'\\')) ? strrchr(szModuleFileName,'\\')+1 : szModuleFileName;

// AntiHookGetMainThreadId() = main thread id; can be replaced as needed.

// Only threads that started inside the main executable, excluding the main thread.
if(lstrcmpiA(pszName,AntiHookGetModuleInfo()->AppName)==0 && AntiHookGetMainThreadId()!=te32.th32ThreadID)
{
// A thread whose start is not in the code section is treated as another check thread and terminated.
HMODULE
lib = GetModuleHandleA(pszName);
PIMAGE_NT_HEADERS
nth =
PIMAGE_NT_HEADERS(PBYTE(lib) + PIMAGE_DOS_HEADER(lib)->e_lfanew);
IMAGE_SECTION_HEADER
*pSection =
(IMAGE_SECTION_HEADER*)((DWORD)nth + sizeof(IMAGE_NT_HEADERS)); // section table follows the NT headers

// Keep threads whose start address falls between section 0 and section 1.
// NOTE(review): this continue bypasses the CloseHandle below.
if((DWORD)StartAddress>(pSection[0].VirtualAddress+(DWORD)lib) && (DWORD)StartAddress<pSection[1].VirtualAddress+(DWORD)lib) continue;

TerminateThread(hThread,0);
}

CloseHandle(hThread);

}while(Thread32Next(hThreadSnap, &te32));

CloseHandle(hThreadSnap);

}

OK,万事大吉,世界清静了