让windbg反”反调试”

进入x64时代后,windbg一直没有现成的反”反调试”插件,但windbg可以借助其他工具实现反”反调试”。

参看

https://github.com/x64dbg/ScyllaHide

ScyllaHide没有现成的windbg插件,但ScyllaHide有独立运行版本,理论上可与任意调试器配合使用,实现反”反调试”。

“X:\path\ScyllaHide\ScyllaTest_x64.exe”

ScyllaTest含有很多”反调试”检查。直接执行该程序,循环输出如下

————————————————————————–
Starting test loop. Press CTRL+C or the power button on your PC to exit.

PEB_BeingDebugged: OK (绿色)
Wow64PEB64_BeingDebugged: SKIP
PEB_NtGlobalFlag: OK
Wow64PEB64_NtGlobalFlag: SKIP
PEB_HeapFlags: OK
Wow64PEB64_HeapFlags: SKIP
PEB_ProcessParameters: OK
Wow64PEB64_ProcessParameters: SKIP
IsDebuggerPresent: OK
CheckRemoteDebuggerPresent: OK
OutputDebugStringA_LastError: SKIP
OutputDebugStringA_Exception: OK
OutputDebugStringW_Exception: OK
NtQueryInformationProcess_ProcessDebugPort: OK
NtQuerySystemInformation_KernelDebugger: OK
NtQuery_OverlappingReturnLength: OK
NtClose: OK
OtherOperationCount: OK
————————————————————————–

各项检查显示OK或SKIP,表示未检测到调试器。

cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"

停在ibp后g起来,可能会碰上

testtest(13c0.13dc): Invalid handle - code c0000008 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!KiRaiseUserExceptionDispatcher+0x3a:
00007ffb`ad9598fa 8b8424c0000000 mov eax,dword ptr [rsp+0C0h] ss:00000049`8e2ff830=c0000008

此时用”gN”继续,将异常传给被调试进程,有可能直接僵死,有可能看到这种输出

————————————————————————–
Starting test loop. Press CTRL+C or the power button on your PC to exit.

PEB_BeingDebugged: DETECTD (红色)
Wow64PEB64_BeingDebugged: SKIP
PEB_NtGlobalFlag: OK
Wow64PEB64_NtGlobalFlag: SKIP
PEB_HeapFlags: OK
Wow64PEB64_HeapFlags: SKIP
PEB_ProcessParameters: DETECTD
Wow64PEB64_ProcessParameters: SKIP
IsDebuggerPresent: DETECTD
CheckRemoteDebuggerPresent: DETECTD
OutputDebugStringA_LastError: SKIP
OutputDebugStringA_Exception: DETECTD
OutputDebugStringW_Exception: DETECTD
NtQueryInformationProcess_ProcessDebugPort: DETECTD
NtQuerySystemInformation_KernelDebugger: OK
NtQuery_OverlappingReturnLength: OK
NtClose: DETECTD
OtherOperationCount: DETECTD
————————————————————————–

各项检查显示DETECTD,表示检测到调试器。重新调试

cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"

假设停在ibp,获取目标PID,比如

? @$tpid
tasklist | findstr ScyllaTest

向目标进程注入相应反”反调试”DLL

"X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait

成功时会输出

————————————————————————–
Loaded VA for NtUserBlockInput = 0x00007FFBA9DE7870
Loaded VA for NtUserQueryWindow = 0x00007FFBA9DE1290
Loaded VA for NtUserGetForegroundWindow = 0x00007FFBA9DE1810
Loaded VA for NtUserBuildHwndList = 0x00007FFBA9DE1410
Loaded VA for NtUserFindWindowEx = 0x00007FFBA9DE1E30
Loaded VA for NtUserGetClassName = 0x00007FFBA9DE1FD0
Loaded VA for NtUserInternalGetWindowText = 0x00007FFBA9DE1CD0
Loaded VA for NtUserGetThreadState = 0x00007FFBA9DE1090

PID : 3908 0xF44
DLL Path: X:\path\ScyllaHide\HookLibraryx64.dll

Hook injection successful, image base 000001E4501B0000
————————————————————————–

回到ibp处g起来,ScyllaTest没有僵死,正常执行,大部分”反调试”检查被屏蔽,只剩一个

————————————————————————–
OtherOperationCount: DETECTD
————————————————————————–

“X:\path\ScyllaHide\scylla_hide.ini”默认用”VMProtect x86/x64″,可以对付绝大多数情况,但其未设置

NtQuerySystemInformationHook=1

无法屏蔽OtherOperationCount检查。设置之后,ScyllaTest的所有”反调试”检查都被屏蔽。

向目标进程注入相应反”反调试”DLL,可以不在其他cmd中进行,而是在cdb提示符下用”.shell”命令

? @$tpid
.shell "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait

不指定”-x”时,可以看到InjectorCLI回显,提示”Hook injection successful”,回车再继续。指定”-x”时,看不到InjectorCLI回显,若有绝对把握成功,指定”-x”更好。

本想在”.shell”中直接指定”pid:@$tpid”,达不到预期效果。尝试过脚本方案

$ vi hideself.txt

————————————————————————–
.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:${$arg1} "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
————————————————————————–

在cdb提示符下执行

$$>a< "X:\path\ScyllaHide\hideself.txt" @$tpid

达不到预期效果。只能这样用

? @$tpid
$$>a< "X:\path\ScyllaHide\hideself.txt" 3908

版权声明
本站“技术博客”所有内容的版权持有者为绿盟科技集团股份有限公司(“绿盟科技”)。作为分享技术资讯的平台,绿盟科技期待与广大用户互动交流,并欢迎在标明出处(绿盟科技-技术博客)及网址的情形下,全文转发。
上述情形之外的任何使用形式,均需提前向绿盟科技(010-68438880-5462)申请版权授权。如擅自使用,绿盟科技保留追责权利。同时,如因擅自使用博客内容引发法律纠纷,由使用者自行承担全部法律责任,与绿盟科技无关。

Spread the word. Share this post!

Meet The Author

C/ASM程序员