丁侦球 posted on 2024-3-11 13:36:41

Bypassing TP: creating CreateMyDbgkDebugObjectType

Because TP has a thread that keeps zeroing this structure, I tested the following approaches:
1. Restore the structure directly: it is zeroed again immediately, OD reports that it cannot attach to the process; abandoned.
2. Inline hook: restore the structure right before the call to Ob***; TP zeroes it too fast, OD reports that it cannot attach to the process; abandoned.

Another difficulty is that the DebugPort is zeroed as well. I have already solved that; I won't spell out the method directly, just a hint:
modify the DebugPort offset in 31 system functions. One of those locations is checked by TP, so I bypass that one with an inline hook: leave that offset unmodified and write the new offset into my own code.
Which location is checked, test for yourselves. I had inline-hooked all 31 before I pinned it down. Phew!
The day TP adds more check locations, my 31 inline hooks will come in handy again.

Summary:
1. The TesSafe.sys code cannot be modified; it is checksummed, and changing any single byte reboots the machine. If you are able to defeat the checksum there is no problem, but that looks very troublesome, so I am not going down that road.
2. Modifying system function code: if it is detected, a warning pops up, and you then have to move the patch location, e.g. the inline hook used for two-machine (kernel) debugging.


#include <ntddk.h>

// Helpers from the author's driver that are not included in this post:
//   GetSSDTFunctionAddr(idx) / SysFuncIdx   resolve an SSDT entry to the function address
//   WPOFF() / WPON()                         clear and restore CR0.WP around the pointer write
// OBJECT_TYPE and OBJECT_TYPE_INITIALIZER are the 32-bit XP layouts, declared in a
// header that is not shown here. ObCreateObjectType is exported by ntoskrnl but
// undocumented, so its prototype is declared manually.
NTKERNELAPI NTSTATUS NTAPI ObCreateObjectType(
    IN PUNICODE_STRING TypeName,
    IN POBJECT_TYPE_INITIALIZER ObjectTypeInitializer,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor,
    OUT POBJECT_TYPE *ObjectType);

ULONG DbgkDebugObjectTypeAddr = 0;           // address of the global nt!DbgkDebugObjectType
POBJECT_TYPE DbgkDebugObjectType = NULL;     // original DebugObject type (TP zeroes its masks)
POBJECT_TYPE MyDbgkDebugObjectType = NULL;   // our replacement type, named "MyDebugObject"
OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
BOOLEAN bEditDbgkDebugObjectType = FALSE;

// Locate nt!DbgkDebugObjectType through the reference inside NtDebugActiveProcess,
// copy its initializer (restoring the access masks if TP has already zeroed them)
// and create a fresh object type from that copy.
BOOLEAN CreateMyDbgkDebugObjectType()
{
    ULONG NtDebugActiveProcess;
    UNICODE_STRING MyObjectTypeName;

    RtlInitUnicodeString(&MyObjectTypeName, L"MyDebugObject");

    // On this build +0x5a is "push dword ptr [nt!DbgkDebugObjectType]" (ff 35 imm32);
    // the imm32 at +2 is the address of the global. See the disassembly below.
    NtDebugActiveProcess = GetSSDTFunctionAddr(SysFuncIdx.NtDebugActiveProcess);
    DbgkDebugObjectTypeAddr = *(PULONG)(NtDebugActiveProcess + 0x5a + 2);
    KdPrint(("DbgkDebugObjectTypeAddr: 0x%8x\n", DbgkDebugObjectTypeAddr)); // 8055a540
    if (DbgkDebugObjectTypeAddr == 0)
    {
        KdPrint(("DbgkDebugObjectTypeAddr == 0!\n"));
        return FALSE;
    }
    DbgkDebugObjectType = (POBJECT_TYPE)(*(PULONG)DbgkDebugObjectTypeAddr);
    KdPrint(("DbgkDebugObjectType: 0x%8x\n", DbgkDebugObjectType)); // 863bb040
    KdPrint(("DbgkDebugObjectType->Name: %wZ\n", &DbgkDebugObjectType->Name));
    // Values observed before TP is loaded are given in the trailing comments.
    KdPrint(("TypeInfo.GenericMapping.GenericRead: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericRead));       // 00020001
    KdPrint(("TypeInfo.GenericMapping.GenericWrite: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericWrite));     // 00020002
    KdPrint(("TypeInfo.GenericMapping.GenericExecute: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericExecute)); // 00120000
    KdPrint(("TypeInfo.GenericMapping.GenericAll: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericAll));         // 001f000f
    KdPrint(("TypeInfo.ValidAccessMask: 0x%08x\n", DbgkDebugObjectType->TypeInfo.ValidAccessMask));                             // 001f000f
    // Name is a UNICODE_STRING, so compare it as one rather than with wcscmp on Buffer.
    if (RtlEqualUnicodeString(&DbgkDebugObjectType->Name, &MyObjectTypeName, TRUE))
    {
        KdPrint(("Already replaced with MyDebugObject.\n"));
        return FALSE;
    }

    RtlCopyMemory(&ObjectTypeInitializer, &DbgkDebugObjectType->TypeInfo, sizeof(ObjectTypeInitializer));
    if (DbgkDebugObjectType->TypeInfo.ValidAccessMask == 0)
    {
        // TP has zeroed the masks; put back the pre-TP values so that
        // ObReferenceObjectByHandle(..., DEBUG_PROCESS_ASSIGN, ...) can succeed again.
        KdPrint(("DbgkDebugObjectType->TypeInfo.ValidAccessMask was zeroed, restoring.\n"));
        ObjectTypeInitializer.GenericMapping.GenericRead = 0x00020001;
        ObjectTypeInitializer.GenericMapping.GenericWrite = 0x00020002;
        ObjectTypeInitializer.GenericMapping.GenericExecute = 0x00120000;
        ObjectTypeInitializer.GenericMapping.GenericAll = 0x001f000f;
        ObjectTypeInitializer.ValidAccessMask = 0x001f000f;
    }
    return NT_SUCCESS(ObCreateObjectType(&MyObjectTypeName, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR)NULL, &MyDbgkDebugObjectType));

    // Operands below are recovered from the opcode bytes (the forum stripped the brackets).
    //0: kd> uf nt!NtDebugActiveProcess
    //nt!NtDebugActiveProcess:
    //80644cb2 8bff            mov     edi,edi
    //80644cb4 55              push    ebp
    //80644cb5 8bec            mov     ebp,esp
    //...
    //nt!NtDebugActiveProcess+0x51:
    //80644d03 6a00            push    0
    //80644d05 8d4508          lea     eax,[ebp+8]
    //80644d08 50              push    eax
    //80644d09 ff75fc          push    dword ptr [ebp-4]
    //80644d0c ff3540a55580    push    dword ptr [nt!DbgkDebugObjectType (8055a540)]
    //80644d12 6a02            push    2
    //80644d14 ff750c          push    dword ptr [ebp+0Ch]
    //80644d17 e8ee77f7ff      call    nt!ObReferenceObjectByHandle (805bc50a)
}

// Point the global nt!DbgkDebugObjectType at our replacement type. The original
// type object is left in place for TP's zeroing thread; the kernel now looks up
// debug objects through MyDbgkDebugObjectType, whose masks are intact.
VOID EditDbgkDebugObjectType()
{
    if (bEditDbgkDebugObjectType)
        return;
    if (CreateMyDbgkDebugObjectType())
    {
        WPOFF();
        *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)MyDbgkDebugObjectType;
        WPON();
        bEditDbgkDebugObjectType = TRUE;
    }

    //lkd> dd nt!DbgkDebugObjectType
    //8055a540  863bb040 00000000 00000000 00000000

    // before loading TP (+0x68 is TypeInfo.GenericMapping):
    //0: kd> dd 863bb040+68
    //863bb0a8  00020001 00020002 00120000 001f000f
    //863bb0b8  001f000f 00000001 00000000 00000000

    // after loading TP:
    //0: kd> dd 863bb040+68
    //863bb0a8  00000000 00000000 00000000 00000000
    //863bb0b8  00000000 00000001 00000000 00000000
}

// Restore the original pointer and drop our type object (call on driver unload).
VOID UnEditDbgkDebugObjectType()
{
    if (!bEditDbgkDebugObjectType)
        return;
    WPOFF();
    *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)DbgkDebugObjectType;
    WPON();
    ObfDereferenceObject(MyDbgkDebugObjectType);
    bEditDbgkDebugObjectType = FALSE;
}
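The driver above hardcodes `+0x5a + 2` to pull the address of nt!DbgkDebugObjectType out of NtDebugActiveProcess, which silently breaks on any build where the prologue differs. The following is an added, user-mode C example (not part of the post or the author's driver) that instead scans for the instruction pair the disassembly shows: `push dword ptr [imm32]` (FF 35 imm32) immediately followed by `push 2`, the DEBUG_PROCESS_ASSIGN access mask that ObReferenceObjectByHandle receives. The sample bytes are constructed from the disassembly quoted in the post; the function names and SAMPLE_BASE_OFFSET are this example's own. In a driver the same scan would run over the first few hundred bytes at the SSDT address instead of the embedded array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input: the bytes of nt!NtDebugActiveProcess+0x51 .. +0x64
   taken from the disassembly quoted in the post. */
static const uint8_t kNtDebugActiveProcessTail[] = {
    0x6a, 0x00,                          /* +0x51  push 0                         */
    0x8d, 0x45, 0x08,                    /* +0x53  lea eax,[ebp+8]                */
    0x50,                                /* +0x56  push eax                       */
    0xff, 0x75, 0xfc,                    /* +0x57  push dword ptr [ebp-4]         */
    0xff, 0x35, 0x40, 0xa5, 0x55, 0x80,  /* +0x5a  push dword ptr [8055a540]      */
    0x6a, 0x02,                          /* +0x60  push 2 (DEBUG_PROCESS_ASSIGN)  */
    0xff, 0x75, 0x0c,                    /* +0x62  push dword ptr [ebp+0Ch]       */
};
/* Function offset of kNtDebugActiveProcessTail[0] (assumed, from the listing). */
#define SAMPLE_BASE_OFFSET 0x51u

/* Read a little-endian 32-bit immediate without relying on host byte order. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Find "push dword ptr [imm32]" (FF 35 imm32) immediately followed by "push 2"
   (6A 02). Arguments are pushed right to left, so the ObjectType argument of
   ObReferenceObjectByHandle is pushed just before DesiredAccess = 2.
   Returns the index of the FF byte, or -1 if the pattern is absent. */
long find_dbgk_type_ref(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i + 8 <= len; i++) {
        if (code[i] == 0xff && code[i + 1] == 0x35 &&
            code[i + 6] == 0x6a && code[i + 7] == 0x02)
            return (long)i;
    }
    return -1;
}

/* Address of the global nt!DbgkDebugObjectType referenced by the code, or 0. */
uint32_t dbgk_type_global_address(const uint8_t *code, size_t len)
{
    long off = find_dbgk_type_ref(code, len);
    return off < 0 ? 0 : read_le32(code + off + 2);
}

int main(void)
{
    size_t len = sizeof kNtDebugActiveProcessTail;
    long off = find_dbgk_type_ref(kNtDebugActiveProcessTail, len);
    if (off < 0) {
        puts("pattern not found");
        return 1;
    }
    printf("reference at NtDebugActiveProcess+0x%lx, nt!DbgkDebugObjectType = 0x%08x\n",
           SAMPLE_BASE_OFFSET + (unsigned long)off,
           dbgk_type_global_address(kNtDebugActiveProcessTail, len));
    return 0;
}
```

On the sample the match lands at index 9, i.e. NtDebugActiveProcess+0x5a, and the immediate decodes to 0x8055a540, which agrees with the hardcoded offset and the `dd nt!DbgkDebugObjectType` output in the post; on a different build the scan still finds the reference as long as the compiler emits the same `push [global] / push 2` pair.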
