进入x64时代后,windbg一直没有现成的反”反调试”插件,但windbg可以借助其他工具实现反”反调试”。
参看
https://github.com/x64dbg/ScyllaHide
ScyllaHide没有现成的windbg插件,但ScyllaHide有独立运行版本,理论上可与任意调试器配合使用,实现反”反调试”。
“X:\path\ScyllaHide\ScyllaTest_x64.exe”
ScyllaTest含有很多”反调试”检查。直接执行该程序,循环输出如下
————————————————————————–
Starting test loop. Press CTRL+C or the power button on your PC to exit.
PEB_BeingDebugged: OK (绿色)
Wow64PEB64_BeingDebugged: SKIP
PEB_NtGlobalFlag: OK
Wow64PEB64_NtGlobalFlag: SKIP
PEB_HeapFlags: OK
Wow64PEB64_HeapFlags: SKIP
PEB_ProcessParameters: OK
Wow64PEB64_ProcessParameters: SKIP
IsDebuggerPresent: OK
CheckRemoteDebuggerPresent: OK
OutputDebugStringA_LastError: SKIP
OutputDebugStringA_Exception: OK
OutputDebugStringW_Exception: OK
NtQueryInformationProcess_ProcessDebugPort: OK
NtQuerySystemInformation_KernelDebugger: OK
NtQuery_OverlappingReturnLength: OK
NtClose: OK
OtherOperationCount: OK
————————————————————————–
各项检查显示OK或SKIP,表示未检测到调试器。
cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"
停在ibp后g起来,可能会碰上
testtest(13c0.13dc): Invalid handle - code c0000008 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!KiRaiseUserExceptionDispatcher+0x3a:
00007ffb`ad9598fa 8b8424c0000000 mov eax,dword ptr [rsp+0C0h] ss:00000049`8e2ff830=c0000008
此时用”gN”继续,将异常传给被调试进程,有可能直接僵死,有可能看到这种输出
————————————————————————–
Starting test loop. Press CTRL+C or the power button on your PC to exit.
PEB_BeingDebugged: DETECTD (红色)
Wow64PEB64_BeingDebugged: SKIP
PEB_NtGlobalFlag: OK
Wow64PEB64_NtGlobalFlag: SKIP
PEB_HeapFlags: OK
Wow64PEB64_HeapFlags: SKIP
PEB_ProcessParameters: DETECTD
Wow64PEB64_ProcessParameters: SKIP
IsDebuggerPresent: DETECTD
CheckRemoteDebuggerPresent: DETECTD
OutputDebugStringA_LastError: SKIP
OutputDebugStringA_Exception: DETECTD
OutputDebugStringW_Exception: DETECTD
NtQueryInformationProcess_ProcessDebugPort: DETECTD
NtQuerySystemInformation_KernelDebugger: OK
NtQuery_OverlappingReturnLength: OK
NtClose: DETECTD
OtherOperationCount: DETECTD
————————————————————————–
各项检查显示DETECTD,表示检测到调试器。重新调试
cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"
假设停在ibp,获取目标PID,比如
? @$tpid
tasklist | findstr ScyllaTest
向目标进程注入相应反”反调试”DLL
"X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
成功时会输出
————————————————————————–
Loaded VA for NtUserBlockInput = 0x00007FFBA9DE7870
Loaded VA for NtUserQueryWindow = 0x00007FFBA9DE1290
Loaded VA for NtUserGetForegroundWindow = 0x00007FFBA9DE1810
Loaded VA for NtUserBuildHwndList = 0x00007FFBA9DE1410
Loaded VA for NtUserFindWindowEx = 0x00007FFBA9DE1E30
Loaded VA for NtUserGetClassName = 0x00007FFBA9DE1FD0
Loaded VA for NtUserInternalGetWindowText = 0x00007FFBA9DE1CD0
Loaded VA for NtUserGetThreadState = 0x00007FFBA9DE1090
PID : 3908 0xF44
DLL Path: X:\path\ScyllaHide\HookLibraryx64.dll
Hook injection successful, image base 000001E4501B0000
————————————————————————–
回到ibp处g起来,ScyllaTest没有僵死,正常执行,大部分”反调试”检查被屏蔽,只剩一个
————————————————————————–
OtherOperationCount: DETECTD
————————————————————————–
“X:\path\ScyllaHide\scylla_hide.ini”默认用”VMProtect x86/x64″,可以对付绝大多数情况,但其未设置
NtQuerySystemInformationHook=1
无法屏蔽OtherOperationCount检查。设置之后,ScyllaTest的所有”反调试”检查都被屏蔽。
向目标进程注入相应反”反调试”DLL,可以不在其他cmd中进行,而是在cdb提示符下用”.shell”命令
? @$tpid
.shell "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
不指定”-x”时,可以看到InjectorCLI回显,提示”Hook injection successful”,回车再继续。指定”-x”时,看不到InjectorCLI回显,若有绝对把握成功,指定”-x”更好。
本想在”.shell”中直接指定”pid:@$tpid”,达不到预期效果。尝试过脚本方案
$ vi hideself.txt
————————————————————————–
.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:${$arg1} "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
————————————————————————–
在cdb提示符下执行
$$>a< "X:\path\ScyllaHide\hideself.txt" @$tpid
达不到预期效果。只能这样用
? @$tpid
$$>a< "X:\path\ScyllaHide\hideself.txt" 3908
上述情形之外的任何使用形式,均需提前向绿盟科技(010-68438880-5462)申请版权授权。如擅自使用,绿盟科技保留追责权利。同时,如因擅自使用博客内容引发法律纠纷,由使用者自行承担全部法律责任,与绿盟科技无关。