过某P之KdEnteredDebugger检测

Posted 一条咸鱼干



某P 在双机调试(内核调试器已连接)的环境下,会读取内核导出变量 KdEnteredDebugger,检测它是否等于 1;等于 1 即判定存在调试器并触发重启。

我们的办法是让这次检测永远读到 0。从下面 hook 的匹配方式可以看出,某P 并不是直接读这个变量,而是先用 IoAllocateMdl 为 KdEnteredDebugger 的地址建立 MDL 再去读。经过分析,在所分析的内核版本上 KdEnteredDebugger+0x20 处的值恒为 0。因此只需 inline hook IoAllocateMdl:当传入的 VirtualAddress 恰好等于 KdEnteredDebugger 的地址时,把它改成 KdEnteredDebugger+0x20,再交给原函数即可。注意:+0x20 这个偏移是针对所分析的内核版本得出的,换其他版本需要重新验证;下面的实现也只适用于 x86(32 位)内核。

/*
 * Hook body installed over IoAllocateMdl.
 *
 * Requests are passed straight through to the trampoline old_IoAllocateMdl,
 * with one exception: when VirtualAddress is exactly the address returned by
 * GetKdEnteredDebuggerAddr(), the MDL is built 0x20 bytes further on, so the
 * caller's mapped read sees the (per the author's analysis) zero bytes at
 * KdEnteredDebugger+0x20 instead of KdEnteredDebugger itself.
 *
 * Only an exact start-address match is diverted; an MDL describing a larger
 * or page-aligned range that merely contains KdEnteredDebugger is not touched.
 */
PMDL MyIoAllocateMdl(
	__in_opt PVOID  VirtualAddress,
	__in ULONG  Length,
	__in BOOLEAN  SecondaryBuffer,
	__in BOOLEAN  ChargeQuota,
	__inout_opt PIRP  Irp  OPTIONAL)
{
	PVOID kdEnteredDebugger = (PVOID)GetKdEnteredDebuggerAddr();

	if (VirtualAddress != kdEnteredDebugger)
	{
		/* Not the watched address: forward unchanged. */
		return old_IoAllocateMdl(VirtualAddress, Length, SecondaryBuffer, ChargeQuota, Irp);
	}

	/* Watched address: shift the described range forward by 0x20 bytes.
	   NOTE(review): the offset is specific to the analysed kernel build. */
	return old_IoAllocateMdl((PVOID)((PUCHAR)kdEnteredDebugger + 0x20),
	                         Length, SecondaryBuffer, ChargeQuota, Irp);
}

  具体代码实现:

#include<NTDDK.H>
#include<windef.h>
#include<ntstatus.h>

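/* The 5 bytes displaced from IoAllocateMdl's entry. Saved by hookIoAllocateMdl so
   the trampoline can replay them and the unload routine can put them back. */
BYTE OriginalBytes[5] = {0};
/* jmp rel32 (E9 disp32) to MyIoAllocateMdl; disp32 is filled in at hook time. */
BYTE HookCode[5] = {0xe9,0,0,0,0};
/* Far jmp ptr16:32 (EA disp32 sel16) back to IoAllocateMdl+5. Selector 0x0008 is
   the x86 kernel-mode code segment (user mode would be 0x1B). x86 only. */
BYTE JmpCode[7] = {0xea,0,0,0,0,0x08,0};
/* CR0 snapshot taken before the WP bit is cleared; written back afterwards. */
ULONG  CR0VALUE;
/* Pool tag was mis-typed with curly quotes (not a valid character constant);
   written as a plain 'SYSQ' literal here. Multi-char constants are stored
   little-endian, so pool tools typically display it as "QSYS". */
#define kmalloc(_s)    ExAllocatePoolWithTag(NonPagedPool, _s, 'SYSQ')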


// 查找KdEnteredDebugger地址 
/* Resolved against the ntoskrnl export of the same name. */
extern SIZE_T KdEnteredDebugger;

/*
 * Returns the value read through the symbol `KdEnteredDebugger`, which the
 * rest of the driver treats as the *address* of the kernel's variable.
 *
 * NOTE(review): that only holds if the linker binds the symbol to the import
 * table slot (the usual result of referencing a data export without
 * __declspec(dllimport); wdm.h relies on the same effect when it declares
 * KdDebuggerEnabled as PBOOLEAN). If the symbol instead binds to the
 * variable itself, this returns 0 or 1 and the hook in MyIoAllocateMdl never
 * matches. Confirm against `dp nt!KdEnteredDebugger` on the target build.
 */
SIZE_T GetKdEnteredDebuggerAddr()
{
    const SIZE_T kdAddr = KdEnteredDebugger;
    return kdAddr;
}

// HookIoAllocMdl
/* Function-pointer type mirroring IoAllocateMdl's signature; used to call the
   trampoline and to type the pool block that holds it. Annotations use the
   legacy __in/__inout SAL spelling, matching MyIoAllocateMdl's definition. */
typedef PMDL (__stdcall *_MyIoAllocateMdl)(
    __in_opt    PVOID   VirtualAddress,
    __in        ULONG   Length,
    __in        BOOLEAN SecondaryBuffer,
    __in        BOOLEAN ChargeQuota,
    __inout_opt PIRP    Irp
    );

/* Trampoline: IoAllocateMdl's displaced first 5 bytes followed by a far jmp to
   IoAllocateMdl+5. Allocated in DriverEntry, filled by hookIoAllocateMdl. */
_MyIoAllocateMdl old_IoAllocateMdl = NULL;
/*
 * Replacement for IoAllocateMdl, reached through the 5-byte jmp written by
 * hookIoAllocateMdl.
 *
 * Every request is forwarded to the trampoline old_IoAllocateMdl unchanged,
 * except one: a request whose VirtualAddress equals the address returned by
 * GetKdEnteredDebuggerAddr() is moved 0x20 bytes forward, so the protection's
 * mapped read lands on bytes that (per the author's analysis of the target
 * build) hold 0 rather than on KdEnteredDebugger.
 *
 * Only an exact match on the start address is diverted; a caller that
 * describes a larger or page-aligned range containing the variable passes
 * through untouched.
 *
 * NOTE(review): the 0x20 offset is specific to the kernel build that was
 * analysed; re-check what lives at KdEnteredDebugger+0x20 on any other build.
 */
PMDL MyIoAllocateMdl(
    __in_opt PVOID  VirtualAddress,
    __in ULONG  Length,
    __in BOOLEAN  SecondaryBuffer,
    __in BOOLEAN  ChargeQuota,
    __inout_opt PIRP  Irp  OPTIONAL)
{
    const SIZE_T kdAddr = GetKdEnteredDebuggerAddr();
    PVOID target = VirtualAddress;

    if ((SIZE_T)VirtualAddress == kdAddr)
    {
        /* Watched address: redirect the MDL 0x20 bytes past the variable. */
        target = (PVOID)((PUCHAR)kdAddr + 0x20);
    }

    return old_IoAllocateMdl(target, Length, SecondaryBuffer, ChargeQuota, Irp);
}
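/*
 * Install a 5-byte inline hook (jmp rel32) at the entry of IoAllocateMdl that
 * diverts callers to MyIoAllocateMdl, and fill the trampoline
 * old_IoAllocateMdl (allocated by DriverEntry) with the displaced bytes plus
 * a far jmp back to IoAllocateMdl+5.
 *
 * x86 only: addresses are truncated to ULONG, the trampoline ends in a 7-byte
 * far jmp (EA disp32 sel16) using kernel code selector 0x08, and inline asm
 * toggles CR0.WP. None of this builds for x64, where kernel code patching
 * is also caught by PatchGuard.
 *
 * Assumes the first 5 bytes of IoAllocateMdl are whole instructions. There is
 * no length disassembler here; if an instruction straddles the 5-byte
 * boundary the trampoline replays a torn instruction. Check the target build
 * in a debugger.
 *
 * Change from the original: IRQL is raised to DISPATCH_LEVEL *before* CR0.WP
 * is cleared. CR0 is per-processor; at PASSIVE_LEVEL the thread could be
 * preempted and resumed on another CPU whose WP bit is still set, and the
 * patch write would then fault. Raising IRQL first pins the thread. It still
 * does not stop other processors from executing IoAllocateMdl while the
 * 5 bytes are being written (the copy is not atomic) — a known limitation of
 * this simple patching scheme.
 */
void hookIoAllocateMdl()
{
    KIRQL Irql;
    DbgPrint("[NtIoAllocateMdl] :%p", IoAllocateMdl);
    DbgPrint("[MyIoAllocateMdl] :%p", MyIoAllocateMdl);

    /* Save the bytes we are about to overwrite; the unload routine restores them. */
    RtlCopyMemory(OriginalBytes, (BYTE *)IoAllocateMdl, 5);

    /* jmp rel32: displacement is relative to the end of the 5-byte instruction. */
    *(ULONG *)(HookCode + 1) = (ULONG)MyIoAllocateMdl - ((ULONG)IoAllocateMdl + 5);

    /* Trampoline = displaced bytes, then far jmp to IoAllocateMdl+5. */
    *(ULONG *)(JmpCode + 1) = (ULONG)((BYTE *)IoAllocateMdl + 5);
    RtlCopyMemory((BYTE *)old_IoAllocateMdl, OriginalBytes, 5);
    RtlCopyMemory((BYTE *)old_IoAllocateMdl + 5, JmpCode, 7);

    /* Pin to this CPU first, then drop write protection on it. */
    Irql = KeRaiseIrqlToDpcLevel();
    _asm
    {
        push eax
        mov eax, cr0
        mov CR0VALUE, eax
        and eax, 0fffeffffh   // clear CR0.WP (bit 16)
        mov cr0, eax
        pop eax
    }

    RtlCopyMemory((BYTE *)IoAllocateMdl, HookCode, 5);

    /* Put write protection back before leaving DISPATCH_LEVEL. */
    __asm
    {
        push eax
        mov eax, CR0VALUE
        mov cr0, eax
        pop eax
    }
    KeLowerIrql(Irql);

    DbgPrint("已经hook");
}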
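/*
 * Driver unload. The original only printed a message; it left the jmp in
 * IoAllocateMdl pointing into the driver image, so the next IoAllocateMdl
 * call after unload would jump into unmapped memory and bugcheck. This
 * version restores the saved 5 bytes (same x86 DISPATCH_LEVEL + CR0.WP
 * sequence as hookIoAllocateMdl) and frees the trampoline.
 *
 * Not handled here: a thread that is still executing inside the trampoline
 * when it is freed, or on another CPU mid-way through the restored bytes —
 * the same non-atomic-patch limitation as the install path.
 */
void myDriverUnload(PDRIVER_OBJECT P)
{
    KIRQL Irql;
    UNREFERENCED_PARAMETER(P);

    /* The hook is only installed once the trampoline exists. */
    if (old_IoAllocateMdl != NULL)
    {
        Irql = KeRaiseIrqlToDpcLevel();
        _asm
        {
            push eax
            mov eax, cr0
            mov CR0VALUE, eax
            and eax, 0fffeffffh   // clear CR0.WP (bit 16)
            mov cr0, eax
            pop eax
        }

        RtlCopyMemory((BYTE *)IoAllocateMdl, OriginalBytes, 5);

        __asm
        {
            push eax
            mov eax, CR0VALUE
            mov cr0, eax
            pop eax
        }
        KeLowerIrql(Irql);

        ExFreePoolWithTag(old_IoAllocateMdl, 'SYSQ');
        old_IoAllocateMdl = NULL;
    }

    DbgPrint("已经恢复");
}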
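/*
 * Driver entry: allocate the trampoline, then install the IoAllocateMdl hook.
 *
 * Change from the original: the pool allocation is checked. Previously a
 * failed kmalloc went straight into memset(NULL, ...) and a NULL-based
 * trampoline write. On failure STATUS_INSUFFICIENT_RESOURCES is returned and
 * no hook is installed (DriverUnload is not invoked for a failed load, and
 * old_IoAllocateMdl stays NULL).
 *
 * The trampoline needs 12 bytes (5 displaced + 7-byte far jmp); 20 leaves
 * slack, NOP-filled so a stray fall-through is harmless. NonPagedPool keeps it
 * resident. NOTE(review): on Windows 8 and later NonPagedPool is no-execute by
 * default; a trampoline there would need NonPagedPoolExecute.
 */
NTSTATUS DriverEntry(
    IN OUT PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DbgPrint("开始hook");
    DriverObject->DriverUnload = myDriverUnload;

    old_IoAllocateMdl = (_MyIoAllocateMdl)kmalloc(20);
    if (old_IoAllocateMdl == NULL)
    {
        DbgPrint("[DriverEntry] trampoline allocation failed");
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    memset(old_IoAllocateMdl, 0x90, 20);   /* 0x90 = NOP */

    hookIoAllocateMdl();
    return STATUS_SUCCESS;
}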

 
