
BjblCracked 2013-12-12 00:12 原文

/**************************************
/* 作者:半斤八兩
/* 博客:http://cnblogs.com/bjblcracked
/* 日期:2013-12-11  00:00
/**************************************


只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!


  相信大家都有用过海风前辈写的strongod反反调试插件.用起来是十分方便的. strongod 是属于驱动级别的插件, 如果是我们自己写的应用层软件,如何来对付strongod呢? 

在strongod早些版本的时候,我们是可以通过符号链接来做检测的.早些版本符号链接是写死的.

名为 fengyue .但是到后来,符号链接,弄成自定义的了,缺省的,还是不变的. 大多数人都会通过strongod的ini配置文件来修改缺省的名字. 

它的INI配置是直接写入OD 的 ollydbg.ini 里面. 打开ollydbg.ini 直接搜索 strongod 就能搜到如下内容, 

[Plugin StrongOD]
CreateProcessMode=0
HidePEB=1
IsPatchFloat=1
IsAdvGoto=1
KernelMode=1
KillPEBug=1
SuperEnumMod=1
AdvAttach=1
SkipExpection=1
HideWindow=1
HideProcess=1
ProtectProcess=1
DriverKey=-82693034
DriverName=fengyue
OrdFirst=0
BreakOnLdr=0
BreakOnTls=0
RemoveEpOneShot=1
ShowBar=17
LoadSym=1
AutoUpdate=0
UpdateURL=http://sod.ibt.name/update.txt

其中 DriverName=fengyue 就是我们关心的. 虽然现在符号链接是"随机的", 但是我们还是有办法获取真实的符号链接名~ 具体的看源码吧. 

 

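// Returns the process id of the first "csrss.exe" found in a Toolhelp
// process snapshot, 0 when no such process is listed, and (DWORD)-1 when
// the snapshot itself cannot be taken. The caller stores the value in
// tagSTRONGOD::m_dwCressPID.
//
// Fixes relative to the original: on a match it returned TRUE (1) instead
// of the pid it had just stored, and it returned without closing the
// snapshot handle. Whether the driver probe depends on the exact value or
// only on it being non-zero cannot be verified from this file.
DWORD IsEnumProcess()
{
    DWORD dwPidTemp = 0;

    HANDLE procSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (procSnap == INVALID_HANDLE_VALUE)
    {
        return static_cast<DWORD>(-1);
    }

    PROCESSENTRY32 procEntry = {0};
    procEntry.dwSize = sizeof(PROCESSENTRY32);

    // Name comparison is case-sensitive, as in the original.
    for (BOOL bRet = Process32First(procSnap, &procEntry);
         bRet;
         bRet = Process32Next(procSnap, &procEntry))
    {
        if (0 == strcmp(procEntry.szExeFile, "csrss.exe"))
        {
            dwPidTemp = procEntry.th32ProcessID;
            break;  // first match wins; the snapshot is still closed below
        }
    }

    CloseHandle(procSnap);

    return dwPidTemp;
}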
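// Builds one 0x24-byte request in the layout the original probe used and
// XORs it with the 0x24-byte key:
//   [0x00] DWORD dwFlag            [0x04] DWORD dwCressPid
//   [0x08..0x18] five DWORDs = dwFill   [0x1c] DWORD 0
//   [0x20] WORD wPid               [0x22] WORD 0
// memcpy replaces the original *(PDWORD)&buf[i] stores, which type-punned
// into a BYTE array at unaligned offsets.
static void BuildStrongOdRequest(BYTE out[0x24], const BYTE key[0x24],
                                 DWORD dwFlag, DWORD dwCressPid,
                                 DWORD dwFill, WORD wPid)
{
    memset(out, 0, 0x24);
    memcpy(&out[0x00], &dwFlag, sizeof(DWORD));
    memcpy(&out[0x04], &dwCressPid, sizeof(DWORD));
    for (size_t off = 0x08; off <= 0x18; off += sizeof(DWORD))
    {
        memcpy(&out[off], &dwFill, sizeof(DWORD));
    }
    memcpy(&out[0x20], &wPid, sizeof(WORD));

    for (int i = 0; i < 0x24; i++)
    {
        out[i] ^= key[i];
    }
}

// Enumerates every object in \global?? (no type filter is applied) and, for
// each name of at most 8 characters, opens "\\.\<name>" with read/write
// access and issues the three DeviceIoControl requests of the original
// probe. Returns TRUE, after printing the device name, for the first device
// on which the third request succeeds; FALSE when the directory cannot be
// opened or the scan ends without a hit.
//
// Caveat: because there is no object-type check, the control codes are also
// sent to unrelated short-named devices, which receive control codes they
// were not written for.
//
// Fixes relative to the original: hDirectory is initialised (it was compared
// with NULL while uninitialised on the open-failure path); an unexpected
// status from ZwQueryDirectoryObject now ends the scan instead of closing
// the directory handle and continuing to use it; the object name is copied
// by UNICODE_STRING::Length with a bound instead of wcscat from a Buffer
// that need not be NUL-terminated; the device and directory handles are
// closed on every exit path; the loop index is declared per loop (re-using
// `i` across for statements relied on pre-standard scoping); the unused
// UNICODE_STRING "SymbolicLink" local is dropped. The request sequence, the
// buffers passed and the success conditions are kept exactly as they were.
BOOL CCheckStrongOD::IsDebugSymbolicLink()
{
    UNICODE_STRING    strDirName;
    OBJECT_ATTRIBUTES oba;
    HANDLE            hDirectory = NULL;

    RtlInitUnicodeString(&strDirName, L"\\global??");
    InitializeObjectAttributes(&oba, &strDirName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    NTSTATUS ntStatus = ZwOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &oba);
    if (ntStatus != STATUS_SUCCESS)
    {
        return FALSE;
    }

    // XOR key, unchanged from the original.
    BYTE szControlCode2[0x24] = {
        0x42, 0xa3, 0x53, 0x04, 0x4D, 0x4B, 0xA3, 0xC4, 0xEC, 0xF8,
        0xE5, 0x41, 0x9D, 0xEF, 0xAE, 0x46, 0x95, 0x59, 0x7D, 0xF3,
        0x98, 0xBD, 0xDC, 0xD4, 0x1F, 0xE9, 0xC1, 0xD9, 0xFB, 0xF1,
        0xE9, 0x8D, 0x85, 0x0B, 0x7B, 0x14};

    tagSTRONGOD tagStrongOD = {0};
    tagStrongOD.m_dwFlag     = 123456789;
    tagStrongOD.m_dwCressPID = IsEnumProcess();
    tagStrongOD.m_wMePid     = (WORD)GetCurrentProcessId();

    BYTE  buffer[2048] = {0};
    ULONG ulContext = 0;
    ULONG ulRet     = 0;
    BOOL  bFound    = FALSE;

    for (;;)
    {
        ntStatus = ZwQueryDirectoryObject(hDirectory, buffer, sizeof(buffer),
                                          TRUE, FALSE, &ulContext, &ulRet);
        if (ntStatus != STATUS_SUCCESS)
        {
            // STATUS_NO_MORE_ENTRIES ends the scan; any other status is an
            // error. In both cases the directory handle is not used again.
            break;
        }

        PDIRECTORY_BASIC_INFORMATION directoryInfo = (PDIRECTORY_BASIC_INFORMATION)buffer;

        // "\\.\" + object name. Length is in bytes; copy by length and
        // terminate explicitly instead of wcscat on Buffer.
        WCHAR  szSymbolicLink[MAXBYTE] = L"\\\\.\\";
        size_t nPrefix = wcslen(szSymbolicLink);
        size_t nName   = directoryInfo->ObjectName.Length / sizeof(WCHAR);
        if (nPrefix + nName >= MAXBYTE)
        {
            continue;
        }
        memcpy(&szSymbolicLink[nPrefix], directoryInfo->ObjectName.Buffer,
               directoryInfo->ObjectName.Length);
        szSymbolicLink[nPrefix + nName] = L'\0';

        // Original heuristic: only names of up to 8 characters are probed.
        if (wcslen(szSymbolicLink) > 0xc)
        {
            continue;
        }

        HANDLE hFile = CreateFileW(szSymbolicLink, GENERIC_READ | GENERIC_WRITE,
                                   FILE_SHARE_READ | FILE_SHARE_WRITE,
                                   NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            continue;
        }

        BYTE  szControlCode1[0x24] = {0};
        DWORD dwBytesReturned = 0;

        // Request 1: flag, csrss pid, five 1s, own pid.
        BuildStrongOdRequest(szControlCode1, szControlCode2, tagStrongOD.m_dwFlag,
                             tagStrongOD.m_dwCressPID, 1, tagStrongOD.m_wMePid);
        // NOTE(review): as in the original, the buffer passed here is
        // szControlCode2 (the key), not the XORed szControlCode1. Kept
        // verbatim; what the driver expects cannot be confirmed from this
        // file.
        if (!DeviceIoControl(hFile, 0x22215c, szControlCode2, 0x24,
                             NULL, 0, &dwBytesReturned, NULL))
        {
            CloseHandle(hFile);
            continue;
        }

        // Request 2: flag only. The original continues only when this call
        // FAILS (returns 0); that condition is preserved.
        BuildStrongOdRequest(szControlCode1, szControlCode2, tagStrongOD.m_dwFlag,
                             0, 0, 0);
        if (DeviceIoControl(hFile, 0x222178, szControlCode1, 0x24,
                            NULL, 0, &dwBytesReturned, NULL))
        {
            CloseHandle(hFile);
            continue;
        }

        // Request 3: flag and own pid. Again the key buffer is what is sent,
        // as in the original (see NOTE above).
        BuildStrongOdRequest(szControlCode1, szControlCode2, tagStrongOD.m_dwFlag,
                             0, 0, tagStrongOD.m_wMePid);
        BYTE szOutBuffer[0x4] = {0xff, 0xff, 0xff, 0xff};
        if (DeviceIoControl(hFile, 0x222160, szControlCode2, 0x24,
                            szOutBuffer, 0x4, &dwBytesReturned, NULL))
        {
            _putws(szSymbolicLink);
            bFound = TRUE;
            CloseHandle(hFile);
            break;
        }

        CloseHandle(hFile);
    }

    ZwClose(hDirectory);

    return bFound;
}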
// Console setup for the demo: one cmd.exe command line that changes the code
// page, clears the screen, sets the colour and the window title. The command
// string is a compile-time constant; nothing external is interpolated into it.
CCheckStrongOD::CCheckStrongOD()
{
    const char* const kConsoleSetup =
        "chcp 936 & cls & color 0a & title 检测StrongOD Kernel Mode";
    system(kConsoleSetup);
}
// Keeps the console window open until a key is pressed, so whatever
// IsDebugSymbolicLink() printed stays visible when the object goes away.
CCheckStrongOD::~CCheckStrongOD()
{
    const char* const kWaitForKey = "pause";
    system(kWaitForKey);
}

 


本文没任何技术含量,只是一个思路~ 抛砖~ 

 

SRC和BIN下载地址:<<<看雪学院>>>
