Title: Making windbg counter anti-debugging
Created: 2022-04-28 13:26
Updated:
Link: https://scz.617.cn/windows/202204281326.txt

Since the move to x64, windbg has had no ready-made anti-"anti-debugging" plugin, but windbg can borrow other tools to get the same effect. See

https://github.com/x64dbg/ScyllaHide

ScyllaHide has no windbg plugin either, but it ships a standalone injector that, in theory, can be paired with any debugger to counter anti-debugging.

"X:\path\ScyllaHide\ScyllaTest_x64.exe"

ScyllaTest contains a large number of anti-debugging checks. Run it directly and it loops, printing the following

--------------------------------------------------------------------------
Starting test loop. Press CTRL+C or the power button on your PC to exit.

PEB_BeingDebugged: OK (green)
Wow64PEB64_BeingDebugged: SKIP
PEB_NtGlobalFlag: OK
Wow64PEB64_NtGlobalFlag: SKIP
PEB_HeapFlags: OK
Wow64PEB64_HeapFlags: SKIP
PEB_ProcessParameters: OK
Wow64PEB64_ProcessParameters: SKIP
IsDebuggerPresent: OK
CheckRemoteDebuggerPresent: OK
OutputDebugStringA_LastError: SKIP
OutputDebugStringA_Exception: OK
OutputDebugStringW_Exception: OK
NtQueryInformationProcess_ProcessDebugPort: OK
NtQuerySystemInformation_KernelDebugger: OK
NtQuery_OverlappingReturnLength: OK
NtClose: OK
OtherOperationCount: OK
--------------------------------------------------------------------------

Every check reports OK or SKIP, meaning no debugger was detected.

cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"

After stopping at the initial breakpoint (ibp) and continuing with g, you may run into

testtest(13c0.13dc): Invalid handle - code c0000008 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll!KiRaiseUserExceptionDispatcher+0x3a:
00007ffb`ad9598fa 8b8424c0000000  mov     eax,dword ptr [rsp+0C0h] ss:00000049`8e2ff830=c0000008

Continue with "gN" at this point, handing the exception to the debuggee. The process may simply hang, or you may see output like this

--------------------------------------------------------------------------
Starting test loop. Press CTRL+C or the power button on your PC to exit.

PEB_BeingDebugged: DETECTD (red)
Wow64PEB64_BeingDebugged: SKIP
PEB_NtGlobalFlag: OK
Wow64PEB64_NtGlobalFlag: SKIP
PEB_HeapFlags: OK
Wow64PEB64_HeapFlags: SKIP
PEB_ProcessParameters: DETECTD
Wow64PEB64_ProcessParameters: SKIP
IsDebuggerPresent: DETECTD
CheckRemoteDebuggerPresent: DETECTD
OutputDebugStringA_LastError: SKIP
OutputDebugStringA_Exception: DETECTD
OutputDebugStringW_Exception: DETECTD
NtQueryInformationProcess_ProcessDebugPort: DETECTD
NtQuerySystemInformation_KernelDebugger: OK
NtQuery_OverlappingReturnLength: OK
NtClose: DETECTD
OtherOperationCount: DETECTD
--------------------------------------------------------------------------

A check reporting DETECTD means a debugger was detected. Start the debug session again

cdb.exe -noinh -snul -hd -o "X:\path\ScyllaHide\ScyllaTest_x64.exe"

Assuming it is stopped at the ibp, obtain the target PID, for example

? @$tpid
tasklist | findstr ScyllaTest

Inject the matching anti-"anti-debugging" DLL into the target process

"X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait

On success it prints

--------------------------------------------------------------------------
Loaded VA for NtUserBlockInput = 0x00007FFBA9DE7870
Loaded VA for NtUserQueryWindow = 0x00007FFBA9DE1290
Loaded VA for NtUserGetForegroundWindow = 0x00007FFBA9DE1810
Loaded VA for NtUserBuildHwndList = 0x00007FFBA9DE1410
Loaded VA for NtUserFindWindowEx = 0x00007FFBA9DE1E30
Loaded VA for NtUserGetClassName = 0x00007FFBA9DE1FD0
Loaded VA for NtUserInternalGetWindowText = 0x00007FFBA9DE1CD0
Loaded VA for NtUserGetThreadState = 0x00007FFBA9DE1090
PID : 3908 0xF44
DLL Path: X:\path\ScyllaHide\HookLibraryx64.dll
Hook injection successful, image base 000001E4501B0000
--------------------------------------------------------------------------

Back at the ibp, continue with g. ScyllaTest no longer hangs, runs normally, and most of the anti-debugging checks are masked; only one remains

--------------------------------------------------------------------------
OtherOperationCount: DETECTD
--------------------------------------------------------------------------

"X:\path\ScyllaHide\scylla_hide.ini" uses the "VMProtect x86/x64" profile by default, which copes with the vast majority of cases, but that profile does not set

NtQuerySystemInformationHook=1

so it cannot mask the OtherOperationCount check. Once that option is set, every anti-debugging check in ScyllaTest is masked.

Injecting the DLL into the target process does not have to be done from a separate cmd window; it can be done at the cdb prompt with the ".shell" command

? @$tpid
.shell "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:3908 "X:\path\ScyllaHide\HookLibraryx64.dll" nowait

Without "-x", InjectorCLI's output is echoed, including "Hook injection successful"; press Enter to continue. With "-x", InjectorCLI's output is not shown; if you are certain the injection will succeed, "-x" is the better choice.

I had hoped to write "pid:@$tpid" directly in the ".shell" line, but that does not work as expected. I also tried a script

$ vi hideself.txt
--------------------------------------------------------------------------
.shell -x "X:\path\ScyllaHide\InjectorCLIx64.exe" pid:${$arg1} "X:\path\ScyllaHide\HookLibraryx64.dll" nowait
--------------------------------------------------------------------------

and ran it at the cdb prompt

$$>a< "X:\path\ScyllaHide\hideself.txt" @$tpid

which also does not work as expected. The only form that works is

? @$tpid
$$>a< "X:\path\ScyllaHide\hideself.txt" 3908
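As an added example (not from the article and not part of ScyllaHide), the following cdb/windbg script does by hand what the hook DLL does for the three PEB-based checks above (PEB_BeingDebugged, PEB_NtGlobalFlag, PEB_HeapFlags), which is useful for seeing exactly which bytes those checks read and for sessions where injection is not an option. It assumes the x64 _PEB/_HEAP field offsets of current Windows 10 builds and is run like hideself.txt, with $$>a<; it masks none of the API-based checks (NtQueryInformationProcess, NtClose, OtherOperationCount and the rest), which still need ScyllaHide's hooks.

```windbg
$$ clearpeb.txt - constructed example; run from the cdb prompt with:
$$   $$>a< "X:\path\clearpeb.txt"
$$ Offsets are the x64 layout and are assumed; confirm with
$$   dt ntdll!_PEB BeingDebugged NtGlobalFlag ProcessHeap
$$   dt ntdll!_HEAP Flags ForceFlags
$$ when symbols are available.

$$ PEB.BeingDebugged (+0x2) is the byte read by IsDebuggerPresent and by the
$$ PEB_BeingDebugged check; it is set as long as a debugger is attached.
eb @$peb+0x2 0

$$ PEB.NtGlobalFlag (+0xbc): a debugger-created process gets the FLG_HEAP_*
$$ bits (0x70) here unless the process was started with -hd, as in the article.
ed @$peb+0xbc 0

$$ Default process heap (PEB.ProcessHeap, +0x30): the debug heap sets
$$ Flags to 0x40000062 and ForceFlags to 0x40000060; the normal values are
$$ HEAP_GROWABLE (2) and 0. With -hd these are already clean.
r $t0 = poi(@$peb+0x30)
ed @$t0+0x70 2
ed @$t0+0x74 0

$$ Show the patched fields so the change can be verified before continuing.
db @$peb+0x2 L1
dd @$peb+0xbc L1
dd @$t0+0x70 L2
```

Since the debugger re-sets BeingDebugged only at process creation, the byte stays cleared for the rest of the session, but a debuggee that re-reads the heap flags after patching can still notice that the heap was created with validation enabled.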