sharpod·´·´µ÷½Ú²å¼þ²åµÄ¶þÕÅͼ£¬Ò»¸öÊǸòå¼þÔÚollydbgµÄÍƼöÅäÖÃÉ趨£¬Ò»¸öÊÇÔÚx64dbgÀïµÄ£¬Öîλ¿ÉÒÔ²ÎÕÕ¿´Ò»Ï£¬ÖÕ¾¿ÔÚ²»Ò»ÑùµÄ·´»ã±àÈí¼þÀµ¼½ø¸Ã²å¼þ£¬¾¡¹ÜÔÚ×÷ÓÃÑ¡ÔñÏîÉÏÒ»Ö£¬¿ÉÊÇÊDz»ÊÇ¿ÉÒÔ´ò¿ªºÍ¼æÈÝÊÇ·ñ£¬»òÊDZØÐ뿼Á¿µÄÎÊÌ⣡

sharpod²å¼þ½éÉÜ

SharpOD x64 ²å¼þÊÇÒ»¿îÖ»ÊÊÓÃ64λϵͳÈí¼þµÄ(win7,8,10) ·´·´µ÷½Ú²å¼þ£¬¶øÇÒÊÊÓÃx32dbgºÍx64dbg

Éý¼¶±íÃ÷

1.ÌáÉý x64dbg Remove EP Break

2.ÌáÉý x64dbg Atti_Atti Attach

3.ÌáÉý ollydbg ÈÎÒâÈý¼¶²Ëµ¥À¸ÎÄÕ±êÌâ

4.½¡È«Ï VMP3.1(above)×÷Óá£

5.ÐÞ²¹ x64dbg ÒÔ¹ÜÀíÈËÔ±ÖØÆô£¬¶Ô»°¿òÐÅϢδ¸´Ô­£¬±¼À£µÄBUG

6.ÐÞ²¹ x64dbg 64λ³ÌÐòÁ÷³ÌÓë»ðÈÞ°²È«Èí¼þÇÀHookµãÔì³É³ÌÐòÁ÷³Ì±ÀÀ£µÄBUG

7.ÐÞ²¹ È¡explorer.exe ½ø³ÌPID²»ÉÏ£¬¸¸½ø³ÌPID±äΪ4µÄ×´¿ö¡£

9.ÌáÉý±àÂë

sharpodÈçºÎʹÓÃ

°²Ñb

Ollydbg: ¸´ÖÆSharpOD x64.dll µ½ÄúµÄOD²å¼þÎļþĿ¼£¬¶øÇÒ¸´ÖÆStrongOD²å¼þµ½OD²å¼þÎļþĿ¼(StrongODÔÚ64λÉÏÊÊÓÃÓÚÐÞ²¹ODµÄBUGºÍÊ®·ÖʵÓõļüÅÌ¿ì½Ý¼ü)

ËæºóÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÔÚ²å¼þ²Ëµ¥À¸ÖÐÅ䱸

x64dbg: ¸´ÖÆÏàÆ¥Åä°æ±¾ºÅµÄ²å¼þµ½ÄãµÄx64dbg²å¼þÎļþĿ¼,Èç64λ,¸´ÖÆSharpOD x64.dp64Îĵµ,ËæºóÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÔÚ²å¼þ²Ëµ¥À¸ÖÐÅ䱸

¿´·¨ÏÈÀ´Ì¸Ò»Ì¸¸÷²å¼þ×÷ÓÃ

StrongOD£ºÊ®·Ö³öÉ«µÄÒ»¿î²å¼þ£¬¼¸ºõ¼«Ö£¬ÒòÔÚ64λϵͳÈí¼þÔØÈë²»ÁËÍƶ¯£¬Ö»ÓÐÔÚ32λϵͳÈí¼þÉϳä·Ö·¢»ÓÆäɱÉËÁ¦£¬ÇåÁ¹º£·ç´óÉñҲû¿ÕÉý¼¶£¬ÕâÕæµÄÊǸö²»ÐÒ¡£

PhantOm: ²å¼þ¾«¼õ¸ßЧÂÊ£¬µ«Ó¦ÓÃÁËSSDT IndexÓ²±àÂëÀ´×èÀ¹ wow64cpu!Wow64Transition(32λת64λ·½Ê½µÄµØÇø jmp 0033:xxxxxxxxx)Ôì³É¼æÈÝģʽҲ²»ÊÇÄÇüNµÄºÃ¡£

²¢ÇÒ½â¾öµÄ–|Î÷Ò²ºÜÉÙ£¬Wow64½ø³ÌµÄpeb64¶¼Ã»Óнâ¾ö£¬¹ÊÔì³ÉÐí¶àµÄ·´µ÷½Ú×ß²»¹ýÈ¥¡£

scyllaHide: x64dbg´´×÷Õß¿ª·¢Éè¼ÆµÄÒ»¿îÊ®·Ö³öÉ«Ñڲزå¼þ£¬¸úÉÏÃæÒ»ÑùÒ²ÊÇHook wow64cpu!Wow64Transition(32λת64λ·½Ê½µÄµØÇø jmp 0033:xxxxxxxxx),²¢ÇÒ½â¾öÁËÊ®·Ö¶àµÄµØÇø¡£

ÎÒ¿´ÍêÁËscyllaHideµÄÔ´Â룬ҳÃæ·±ÔÓ£¬·¢¾õ´´×÷ÕßÓеã¶ùÀµ - -£¡£¬Ðí¶àµØÇø½â¾ö²»×ãϸÖ£¬¶øÇÒÓ²¼þÅäÖÃÖжϵãά»¤´´×÷ÕßÏÓ64λ²»±ãÒ²ÊDz»Ð´£¬¶øÇÒHook²¿Î»²»×ãÉî,ËûÈËËæÒâ¶ÁÈ¡¸ö64λAPI¾Í̽²âµ½ÁË¡£

titanHide: ÔÚ64λϵͳÈí¼þÉÏSSDT Hook£¬×îÏÈ¿Í»§¾ÍÐèÒªÀ´¹ýÒ»±éPGÁË£¬²¢ÇÒ½â¾öµÄµØ·½Ò²ºÜÉÙ¡£

ÒÔÉϲå¼þ¶¼¸÷ÓÐÆäÓŵãºÍȱµã£¬±ãÊÇÕÒ²»×ÅÒ»¸ö¼«ÖµãµÄ£¬ÇÒÈç½ñºÜ¶àµÄ64λϵͳÈí¼þ£¬ÔÚ64λϵͳÈí¼þÉÏδÄÜÑ°ÕÒÒ»¿îËæÊÖ²å¼þÔì³É±»Ðí¶àAPPantiµ½,¹Ê׫дÁËSharpOD x64²å¼þ¡£¡£

SharpOD x64¹Ø¼üÍê³ÉÊÇÏòwow64½ø³Ì £¬ÒýÈë´¿64λcode£¬¶øÇÒhook ntdll64 apiÀ´Íê³ÉµÄ£¬ÄÇÑù×öÒª±ÈHook wow64cpu!Wow64TransitionÒª×îµ×²ãµÄ¶à¡£

×÷ÓñíÃ÷

-Hide PEB (ÇáÔسÌÐòÁ÷³ÌÉúЧ)

1

ÑÚ²ØPEB£¬½â¾öµôÏÂÁÐÌصã

peb.BeingDebugged wow64.peb64.BeingDebugged

peb.NtGlobalFlag wow64.peb64.NtGlobalFlag

peb.processHeap.HeapFlags wow64.peb64.processHeap.HeapFlags

peb.processHeap.ForceFlags wow64.peb64.processHeap.ForceFlags

- Change Caption (ÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÉúЧ)

1

2

¿ªÊ¼»³ÒÉÈËÉúµÄ×÷Óã¬Ë¡ÎÒÖ±ÑÔ£¬Ò»ÇдøÌصãµÄ·´µ÷½ÚÈ«ÊDz»°²È«µÄ¡£

¶øÕâÒ»Ìصã±ãÊÇÔÚ¸ü¸Äµ÷ÊÔÆ÷ ¶Ô»°¿òÎÄÕ±êÌâ¡¢²Ëµ¥Ãû³Æ À´±ÜÃâÖÐСѧÉúµÄö¾ÙÀàÐͶԻ°¿ò¼°Æä²Ëµ¥À¸¼ìÑé¡£

- Hide Process (ÇáÔسÌÐòÁ÷³ÌÉúЧ)

1

Ñڲؽø³Ì×÷Óã¬Ö»¶ÔÓÚÒѾ­µ÷½ÚµÄ½ø³Ì£¬ÔÚNtQuerySystemInformation¶ÏÏß

- Fake ParentProcess (ÇáÔسÌÐòÁ÷³ÌÉúЧ)

1

¸Ä¶¯¸¸½ø³Ì±êÖ¾·û£¬µ÷½ÚµÄ½ø³Ì ¸¸½ø³Ì»á±äΪexplorer.exeµÄ£¬¼ÙÈçÈ¡²»ÉÏexplorer.exe µÄpid£¬Ôò»á°Ñ¸¸½ø³Ì±äΪ4.

- Drag Attach (ÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÉúЧ)

1

¾õµÃÕâ¸öÊÇ×î½oÁ¦µÄÉý¼¶ÁË£¬Ö»ÐèÍÏקµ÷ÊÔÆ÷×óÉÏ·½µÄ±êÖ¾ µ½×ÜÌåÄ¿±ê¶Ô»°¿òÉÏ£¬¾Í¿ÉÒÔ¶îÍâ½ø³Ì¡£

-Hook *ZwFunctions (ÇáÔسÌÐòÁ÷³ÌÉúЧ)

1

2

Hook ZwϵÁвúÆ·º¯Êý¹«Ê½

ÕâÒ»½â¾öµÄ–|Î÷Ì«¶àÁË£¬ÏÂÁÐNtº¯Êý¹«Ê½

NtQuerySystemInformation

SystemKernelDebuggerInformation

SystemProcessInformation

SystemHandleInformation

NtClose

invalid Handle

NtQueryInformationProcess

ProcessBasicInformation

ProcessDebugPort

ProcessDebugObjectHandle

ProcessDebugFlags

NtSetInformationThread

ThreadHideFromDebugger

NtDuplicateObject

NtQueryObject

ObjectTypesInformation - DebugObject

NtYieldExecution

return STATUS_NO_YIELD_PERFORMED

- Remove DebugProvileges (ÇáÔسÌÐòÁ÷³ÌÉúЧ)

1

2

Çå³ýµ÷½Ú½ø³ÌµÄµ÷½Ú¹ÜÀíȨÏÞ

ÓÉÓÚĬÈÏÉèÖÃ×´¿öϽø³Ì›]ÓÐSeDebugPrivilege¹ÜÀíȨÏÞ£¬µ÷½ÚµÄʱºò»á´Óµ÷ÊÔÆ÷³Ð¼ÌÕâÒ»¹ÜÀíȨÏÞ,ÒÔÃâ²»ÁËÓÐЩÈËÔËÓÃÕâÒ»µã¡£Ä¬ÈÏÉèÖò»½¨Òé´ò¿ª

- VMP 3.1(above) (ÇáÔسÌÐòÁ÷³ÌÉúЧ)

1

2

3

¹ýVMP3.1ÒÔÉÏÐͺŵķ´µ÷½Ú

VMProtect 3.1°æ±¾ºÅÖð½¥ÓкܴóµÄÉý¼¶£¬´ÓÕâÒ»°æ±¾ºÅÖð½¥£¬Á¢¼´·ÂÕæÄ£ÄâWow64 ¶ÁÈ¡syscall½øµ½ºËÐÄ£¬32λµÄÌåϵҲÊÇͬʱ¶ÁȡȨÀûÃüÁîsystnter½øµ½ºËÐÄ£¬²é¿´¼ìÑéProcessDebugObjectHandle£¬Òò´ËÔÚÍøÂç²ã¼¸ºõûÓа취×èÀ¹Ëû¡£

ÎÒÕâÀïÓ¦ÓÃÁËÒ»¸öСtrick±Ü¹ýÁËËûµÄ¼ìÑé¡£

- Protect Drx (ÇáÔسÌÐòÁ÷³ÌÉúЧ)

1

ά»¤Ó²¼þÅäÖÃÖжϵã

ZwSetcontextThread

ZwGetContextThread

KiUserExceptionDispatcher - if Wow64PrepareForException

RtlDispatchException

RtlRestoreContext

-Driver Hook SSDT (ÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÉúЧ)

1

Ó¦ÓôË×÷Óã¬È«²¿¿Í»§µçÄÔÉ϶¼µÃÀ´¹ýPatchGuard£¬Ê®·Ö²»±ã£¬µÈ±ØÐèµÄÇé¿öÏÂÔÚÔÙ¼ÓÉÏÈ¥¡£

-Driver Hook ShadowSSDT (ÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÉúЧ)

1

-Driver Dbg ValidAccessMask (ÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÉúЧ)

1

2

´Ë×÷ÓÃÕë¶ÔÕâЩ Ч·ÂTP·´µ÷½Ú À´Ïû³ýÄãµÄDebugObject-ValidAccessMask ,Ë­ÈÃÄãµÄÕâô´óµÄÀûÒæÀ´È«¾ÖÐÔÏû³ýÎÒÉ豸µÄµ÷½ÚÄ¿±ê?

×´¿ö¾ÍÊÇÄãµÄµ÷ÊÔÆ÷û·¨ÍϽøÒ»ÇгÌÐòÁ÷³Ì¡£

-Driver bypass ObjectHook (ÖØÐÂÆô¶¯µ÷ÊÔÆ÷ÉúЧ)

1

2

±Ü¹ý object hook£¬Õâһά»¤ÔÚ 64λϵͳÈí¼þÉϷŵĽ϶࣬Ëû¿ÉÒÔɸѡµôÄ㿪Æô½ø³ÌµÄ¹ÜÀíȨÏÞ¡£

ÀýÈçʹÄãû·¨¶Ô×ÜÌåÄ¿±ê½ø³ÌÔËÐÐÄÚ´æ¶ÁдÄÜÁ¦µÈ¡£´ò¿ªÕâÒ»×÷ÓþͿÉÒԱܹýÕâһά»¤¡£µ«·Â·ðwin10ϵͳÈí¼þÏÂÄÜ¿ªÆôPG