让windbg反"反调试"
2022-5-2 02:0:0 Author: mp.weixin.qq.com(查看原文) 阅读量:81 收藏

创建: 2022-04-28 13:26
http://scz.617.cn:8/windows/202204281326.txt

进入x64时代后,windbg一直没有现成的反"反调试"插件,但windbg可以借助其他工具实现反"反调试"。

参看

https://github.com/x64dbg/ScyllaHide

ScyllaHide没有现成的windbg插件,但ScyllaHide有独立运行版本,理论上可与任意调试器配合使用,实现反"反调试"。

"X:\path\ScyllaHide\ScyllaTest_x64.exe"

ScyllaTest含有很多"反调试"检查。直接执行该程序,循环输出如下

Starting test loop. Press CTRL+C or the power button on your PC to exit.

PEB_BeingDebugged:                              OK (绿色)
Wow64PEB64_BeingDebugged:                       SKIP
PEB_NtGlobalFlag:                               OK
Wow64PEB64_NtGlobalFlag:                        SKIP
PEB_HeapFlags:                                  OK
Wow64PEB64_HeapFlags:                           SKIP
PEB_ProcessParameters:                          OK
Wow64PEB64_ProcessParameters:                   SKIP
IsDebuggerPresent:                              OK
CheckRemoteDebuggerPresent:                     OK
OutputDebugStringA_LastError:                   SKIP
OutputDebugStringA_Exception:                   OK
OutputDebugStringW_Exception:                   OK
NtQueryInformationProcess_ProcessDebugPort:     OK
NtQuerySystemInformation_KernelDebugger:        OK
NtQuery_OverlappingReturnLength:                OK
NtClose:                                        OK
OtherOperationCount:                            OK

各项检查显示OK或SKIP,表示未检测到调试器。

cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"

停在ibp后g起来,可能会碰上

testtest(13c0.13dc): Invalid handle - code c0000008 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!KiRaiseUserExceptionDispatcher+0x3a:
00007ffb`ad9598fa 8b8424c0000000  mov     eax,dword ptr [rsp+0C0h] ss:00000049`8e2ff830=c0000008

此时用"gN"继续,将异常传给被调试进程,有可能直接僵死,有可能看到这种输出

Starting test loop. Press CTRL+C or the power button on your PC to exit.

PEB_BeingDebugged:                              DETECTD (红色)
Wow64PEB64_BeingDebugged:                       SKIP
PEB_NtGlobalFlag:                               OK
Wow64PEB64_NtGlobalFlag:                        SKIP
PEB_HeapFlags:                                  OK
Wow64PEB64_HeapFlags:                           SKIP
PEB_ProcessParameters:                          DETECTD
Wow64PEB64_ProcessParameters:                   SKIP
IsDebuggerPresent:                              DETECTD
CheckRemoteDebuggerPresent:                     DETECTD
OutputDebugStringA_LastError:                   SKIP
OutputDebugStringA_Exception:                   DETECTD
OutputDebugStringW_Exception:                   DETECTD
NtQueryInformationProcess_ProcessDebugPort:     DETECTD
NtQuerySystemInformation_KernelDebugger:        OK
NtQuery_OverlappingReturnLength:                OK
NtClose:                                        DETECTD
OtherOperationCount:                            DETECTD

各项检查显示DETECTD,表示检测到调试器。重新调试

cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"

假设停在ibp,获取目标PID,比如

? @$tpid
tasklist | findstr ScyllaTest

向目标进程注入相应反"反调试"DLL

"X:\path\ScyllaHide\InjectorCLIx64.exepid:3908 "X:\path\ScyllaHide\HookLibraryx64.dllnowait

成功时会输出

Loaded VA for NtUserBlockInput = 0x00007FFBA9DE7870
Loaded VA for NtUserQueryWindow = 0x00007FFBA9DE1290
Loaded VA for NtUserGetForegroundWindow = 0x00007FFBA9DE1810
Loaded VA for NtUserBuildHwndList = 0x00007FFBA9DE1410
Loaded VA for NtUserFindWindowEx = 0x00007FFBA9DE1E30
Loaded VA for NtUserGetClassName = 0x00007FFBA9DE1FD0
Loaded VA for NtUserInternalGetWindowText = 0x00007FFBA9DE1CD0
Loaded VA for NtUserGetThreadState = 0x00007FFBA9DE1090

PID     : 3908 0xF44
DLL Path: X:\path\ScyllaHide\HookLibraryx64.dll

Hook injection successful, image base 000001E4501B0000

回到ibp处g起来,ScyllaTest没有僵死,正常执行,大部分"反调试"检查被屏蔽,只剩一个

OtherOperationCount:                            DETECTD

"X:\path\ScyllaHide\scylla_hide.ini"默认用"VMProtect x86/x64",可以对付绝大多数情况,但其未设置

NtQuerySystemInformationHook=1

无法屏蔽OtherOperationCount检查。设置之后,ScyllaTest的所有"反调试"检查都被屏蔽。

向目标进程注入相应反"反调试"DLL,可以不在其他cmd中进行,而是在cdb提示符下用".shell"命令

? @$tpid
.shell "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait

不指定"-x"时,可以看到InjectorCLI回显,提示"Hook injection successful",回车再继续。指定"-x"时,看不到InjectorCLI回显,若有绝对把握成功,指定"-x"更好。

本想在".shell"中直接指定"pid:@$tpid",达不到预期效果。尝试过脚本方案

$ vi hideself.txt

.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:${$arg1} "X:\path\ScyllaHide\HookLibraryx64.dll" nowait

在cdb提示符下执行

$$>a< "X:\path\ScyllaHide\hideself.txt" @$tpid

达不到预期效果。只能这样用

? @$tpid
$$>a< "X:\path\ScyllaHide\hideself.txt" 3908

文章来源: http://mp.weixin.qq.com/s?__biz=MzUzMjQyMDE3Ng==&mid=2247485855&idx=1&sn=ea08bcb54aa5441c99b0f7c3cc237a39&chksm=fab2caa0cdc543b6bf52f050bf02fffac1dd2612e876274f512fa47674b7c00acc70e5de91e6#rd
如有侵权请联系:admin#unsafe.sh