64-bit Kernel, Lecture 5: Kernel Development, Debugging and Anti-debugging

Anti-debugging and anti-anti-debugging

Part one: several anti-debugging methods

1. Clearing DebugPort

DebugPort is a field of the EPROCESS structure. While a process is being debugged, debug events are delivered to ring 3 through DebugPort. If the field is set to 0, ring 3 can no longer debug the process: single-stepping and the other debugging operations stop working.

To use this as an anti-debugging measure, start a thread that continuously clears DebugPort.
Outline of the approach:
1. Find the EPROCESS structure of the current process.
2. Locate the DebugPort field at a hard-coded offset.
Because the offset is hard-coded, it has to be chosen according to the operating-system version.

2. KdDisableDebugger

After this function is called in the kernel, it detects whether a kernel debugger (WinDbg) is attached.
Open a thread and call it continually.

3. IsDebuggerPresent and CheckRemoteDebuggerPresent in ring 3

The application layer calls these two functions to determine whether it is being debugged.

4. Hooking

Hooks are placed in the kernel.

The relevant functions are listed below:

Function name        | Effect                                          | After hooking
NtOpenThread         | Creates a kernel thread                          | Prevents the debugger from creating threads inside the process
NtOpenProcess        | Opens a process                                  | Prevents OD and other debugging tools from seeing the process in their attach list
KiAttachProcess      | Attaches to a process                            | Prevents attaching
NtReadVirtualMemory  | Reads virtual memory                             | Prevents the process's memory from being read (ReadProcessMemory)
NtWriteVirtualMemory | Writes memory                                    | Prevents memory from being written
KdReceivePacket      | KDCOM.dll function that receives serial data     | Lets you install your own filter
KdSendPacket         | KDCOM.dll function that transmits serial data    | Hooking this together with the function above can prevent two-machine (kernel) debugging

Part two: anti-anti-debugging

The previous part covered the defending side; now the attacking side.

1. Against DebugPort

1. A breakpoint can be placed on DebugPort. As soon as the program modifies it, the breakpoint fires.
Use that to find the corresponding anti-debugging code and patch it.

2. Alternatively, debug the system yourself (kernel debugging). That path does not go through DebugPort, so this protection is bypassed.

2. Against KdDisableDebugger

This function detects the debugger and thereby disables debugging.

Breakpoints can be set at the addresses of these functions, and the related code then patched, for example into an immediate return.

3. Against hooks

Hooks can of course be restored with certain tools. If the tool can restore them, you can also write code to do it yourself when the need arises.
Common tools: PCHunter, PowerTool, and Antiy's (安天) tool.

3. Junk instructions (花指令)

Anti-debugging code can also insert junk instructions, deliberately interfering with analysis.

Such as:

push edx
pop edx
inc ecx
dec ecx
add esp,1
sub esp,1

Adding a value to a register and then subtracting the same value leaves the register's original contents unaffected once the pair has executed.

jmp LABEL
db opcode
LABEL:

Here a db is inserted in the middle. It is never executed, but it interferes with you, the analyst.

The db opcode is combined by the disassembler with the bytes of the following instruction, disturbing the disassembly, while normal program execution is not affected because the jmp skips it.

jz  label
jnz label
db opcode
label:

Whether or not the condition holds, one of the two jumps is taken, so the jump is effectively unconditional; this adds further interference.
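As an added example (not from the original post), the Python below decodes a constructed subset of x86 (a few one-byte instructions, short jumps and call rel32) to show why the jmp/db and jz/jnz junk patterns above derail a linear-sweep disassembler, and how a recursive-traversal disassembler that follows control flow, extended to fold a jz/jnz pair with a common target into one unconditional jump, recovers the real instruction stream. The opcode table and the sample byte strings are constructed for this example.

```python
ONE_BYTE = {0x41: "inc ecx", 0x49: "dec ecx", 0x52: "push edx", 0x5A: "pop edx", 0xC3: "ret"}
JCC = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp"}

def rel8(code, off):
    """Signed 8-bit displacement stored at `off` (0 if past the end)."""
    return int.from_bytes(code[off:off + 1], "little", signed=True)

def decode(code, off, pair_jcc=False):
    """Decode one instruction at `off`: (mnemonic, length, successor offsets)."""
    op = code[off]
    if op in ONE_BYTE:
        return ONE_BYTE[op], 1, ([] if op == 0xC3 else [off + 1])
    if op in JCC:  # displacement is relative to the end of the 2-byte instruction
        tgt = off + 2 + rel8(code, off + 1)
        # "jz T" directly followed by "jnz T" always jumps: fold the pair into one
        # unconditional jump so the junk byte after it is never treated as code
        if (pair_jcc and op == 0x74 and off + 3 < len(code)
                and code[off + 2] == 0x75 and off + 4 + rel8(code, off + 3) == tgt):
            return f"jz/jnz {tgt:#x} (unconditional)", 4, [tgt]
        return f"{JCC[op]} short {tgt:#x}", 2, ([tgt] if op == 0xEB else [off + 2, tgt])
    if op == 0xE8:  # call rel32 swallows the next four bytes as its immediate
        imm = code[off + 1:off + 5]
        if len(imm) < 4:
            return "call <truncated>", len(code) - off, []
        return f"call {off + 5 + int.from_bytes(imm, 'little', signed=True):#x}", 5, [off + 5]
    return f"db {op:#04x}", 1, [off + 1]

def linear_sweep(code):
    """Decode byte after byte from offset 0, ignoring control flow."""
    out, off = [], 0
    while off < len(code):
        mn, ln, _ = decode(code, off)
        out.append((off, mn))
        off += ln
    return out

def recursive_traversal(code, entry=0, pair_jcc=False):
    """Decode only the offsets reachable by following jumps from `entry`."""
    seen, work, out = set(), [entry], {}
    while work:
        off = work.pop()
        if off in seen or off >= len(code):
            continue
        seen.add(off)
        mn, ln, nxt = decode(code, off, pair_jcc)
        out[off] = mn
        work.extend(nxt)
    return sorted(out.items())

# Constructed samples mirroring the two junk patterns above (0xE8 is the call opcode).
JMP_JUNK = bytes([0xEB, 0x01, 0xE8, 0x41, 0x49, 0xC3])              # jmp L; db E8h; L: inc; dec; ret
JCC_JUNK = bytes([0x74, 0x03, 0x75, 0x01, 0xE8, 0x41, 0x49, 0xC3])  # jz L; jnz L; db E8h; L: inc; dec; ret
```

On JMP_JUNK the linear sweep reports only a jmp and a truncated call, swallowing inc/dec/ret, while recursive traversal decodes them; on JCC_JUNK even plain recursive traversal decodes the junk byte at offset 4 via the jnz fall-through, and only the pair folding yields a clean listing.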


Source: www.cnblogs.com/iBinary/p/10990674.html