[原创]反硬件断点检测附源码
2023-1-18 01:48:0 Author: bbs.pediy.com(查看原文) 阅读量:8 收藏

namespace VEHShut

{

    byte* func = NULL;

    int BeckupHardwareBP[5] = { 0 };

    int cAddrRtlDispatchException = NULL;

    class hooks

    {

    public:

        CONTEXT backUpcontext;

        PCONTEXT SetContext;

        hooks(PCONTEXT context)

        {

            backUpcontext = *context;

        }

        ~hooks()noexcept

        {

            SetContext->Dr0 = backUpcontext.Dr0;

            SetContext->Dr1 = backUpcontext.Dr1;

            SetContext->Dr2 = backUpcontext.Dr2;

            SetContext->Dr3 = backUpcontext.Dr3;

            SetContext->Dr6 = backUpcontext.Dr6;

            SetContext->Dr7 = backUpcontext.Dr7;

        }

    };

    bool GetRtlDispatcherAddr()

    {

        if (cAddrRtlDispatchException)return true;

        func = (byte*)GetProcAddress(GetModuleHandleA(XorString("ntdll.dll")), XorString("RtlUnwind"));

        func += 0x20;

        if (!func)

        {

            DbgPrintA("[-]未找到RtlUnwind");

            return false;;

        }

        for (int i = 0; i < 0x200; i++)

        {

            //8B FF 55 8B EC

            if (func[i] == 0x8B&& func[i+1] == 0xFF && func[i+2] == 0x55 && func[i+3] == 0x8B && func[i+4] == 0xEC)

            {

                cAddrRtlDispatchException = (int)func+i;

                printf("cAddrRtlDispatchException -> 0x%X\r\n", cAddrRtlDispatchException);

                return true;

            }

        }

        return false;

    }

    typedef void(_stdcall* _RtlExceptionDispatche)(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT  Context);

    _RtlExceptionDispatche Old_RtlExceptionDispatche = NULL;

    uint64_t o_RtlExceptionDispatcher = NULL;

    NOINLINE void _stdcall RtlExceptionDispatcher(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT  Context)noexcept

    {

        auto reset = hooks(Context);

        if (Context)

        {

            if (Context->ContextFlags & CONTEXT_DEBUG_REGISTERS)

            {

                Context->Dr0 = 0;

                Context->Dr1 = 0;

                Context->Dr2 = 0;

                Context->Dr3 = 0;

                Context->Dr6 = 0;

                Context->Dr7 = 0;

            }

        }

        return PLH::FnCast(o_RtlExceptionDispatcher, Old_RtlExceptionDispatche)(ExceptionRecord, Context);

    }

    void ShutUpVEH()

    {

        if (GetRtlDispatcherAddr())

        {

            PLH::CapstoneDisassembler dis(PLH::Mode::x86);

            Old_RtlExceptionDispatche = (_RtlExceptionDispatche)cAddrRtlDispatchException;

            PLH::x86Detour detour_RtlExceptionDispatcher((char*)cAddrRtlDispatchException, (char*)&RtlExceptionDispatcher, &o_RtlExceptionDispatcher, dis);

            if (!detour_RtlExceptionDispatcher.hook())

            {

                DbgPrintA("[-] detour_RtlExceptionDispatcher Failed\r\n");

            }

        }       

    }

}


文章来源: https://bbs.pediy.com/thread-275832.htm
如有侵权请联系:admin#unsafe.sh