Windows Vista introduced the NtCreateThreadEx function, whose prototype is as follows:
```c
NTSTATUS NTAPI NtCreateThreadEx (
    _Out_ PHANDLE ThreadHandle,
    _In_ ACCESS_MASK DesiredAccess,
    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
    _In_ HANDLE ProcessHandle,
    _In_ PVOID StartRoutine,
    _In_opt_ PVOID Argument,
    _In_ ULONG CreateFlags,
    _In_opt_ ULONG_PTR ZeroBits,
    _In_opt_ SIZE_T StackSize,
    _In_opt_ SIZE_T MaximumStackSize,
    _In_opt_ PVOID AttributeList
);
```
The most interesting parameter is CreateFlags; its flag values are defined as follows:
```c
#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED        0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH      0x00000002
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER      0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET  0x00000020
#define THREAD_CREATE_FLAGS_INITIAL_THREAD          0x00000080
```
If a new thread is created with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, it is hidden from the debugger from the moment it is created. This is equivalent to the ThreadHideFromDebugger setting applied through NtSetInformationThread, and the code responsible for secure execution can be run in a thread created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER.
How to bypass NtCreateThreadEx
This technique can be bypassed by hooking NtCreateThreadEx and resetting THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER inside the hook before the call reaches the kernel.
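The bypass just described, as an added illustration that is not the article's own code: the detour body a debugger or analysis tool could install on NtCreateThreadEx to log the requested CreateFlags and clear THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER before forwarding to the original function. Flag decoding and sanitising are plain C; the hook itself is Windows-only and assumes a hypothetical hooking library that fills in g_origNtCreateThreadEx.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED        0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH      0x00000002
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER      0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET  0x00000020
#define THREAD_CREATE_FLAGS_INITIAL_THREAD          0x00000080

/* Clear the bit that would hide the new thread from the attached debugger. */
uint32_t sanitize_create_flags(uint32_t flags) {
    return flags & ~(uint32_t)THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER;
}
/* Render the set flags as "A|B|..." for the hook log; returns how many were set. */
#define F(x) { THREAD_CREATE_FLAGS_##x, #x }
int describe_create_flags(uint32_t flags, char *buf, size_t buflen) {
    static const struct { uint32_t mask; const char *name; } names[] = {
        F(CREATE_SUSPENDED), F(SKIP_THREAD_ATTACH), F(HIDE_FROM_DEBUGGER),
        F(HAS_SECURITY_DESCRIPTOR), F(ACCESS_CHECK_IN_TARGET), F(INITIAL_THREAD) };
    int n = 0;
    if (buflen == 0) return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(flags & names[i].mask)) continue;
        if (n++ > 0) strncat(buf, "|", buflen - strlen(buf) - 1);
        strncat(buf, names[i].name, buflen - strlen(buf) - 1);
    }
    return n;
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtCreateThreadEx_t)(PHANDLE, ACCESS_MASK, PVOID, HANDLE,
    PVOID, PVOID, ULONG, ULONG_PTR, SIZE_T, SIZE_T, PVOID);
/* Assumed: set to the original entry point by the (hypothetical) hooking library. */
NtCreateThreadEx_t g_origNtCreateThreadEx = NULL;
/* Detour body: log the requested flags, then forward with the hide bit cleared. */
NTSTATUS NTAPI Hooked_NtCreateThreadEx(PHANDLE h, ACCESS_MASK access, PVOID attrs,
    HANDLE process, PVOID start, PVOID arg, ULONG flags, ULONG_PTR zeroBits,
    SIZE_T stack, SIZE_T maxStack, PVOID attrList) {
    char desc[160];
    describe_create_flags(flags, desc, sizeof desc);
    fprintf(stderr, "NtCreateThreadEx CreateFlags=0x%08lx [%s]\n", (unsigned long)flags, desc);
    return g_origNtCreateThreadEx(h, access, attrs, process, start, arg,
        sanitize_create_flags(flags), zeroBits, stack, maxStack, attrList);
}
#endif
```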
Handle tracing
Since Windows XP the system has had a kernel object handle tracing mechanism. When tracing mode is on, every operation on a handle is recorded in a circular buffer, and an attempt to use a nonexistent handle, for example closing it with CloseHandle, raises an EXCEPTION_INVALID_HANDLE exception. If the process was not started from a debugger, CloseHandle simply returns FALSE. The following is an anti-debug protection based on CloseHandle:
```cpp
#include <windows.h>
#include <cstdlib>
#include <iostream>

// SEH handler: under handle tracing, closing a bogus handle raises
// EXCEPTION_INVALID_HANDLE, which only happens when a debugger is attached.
EXCEPTION_DISPOSITION ExceptionRoutine(
    PEXCEPTION_RECORD ExceptionRecord,
    PVOID EstablisherFrame,
    PCONTEXT ContextRecord,
    PVOID DispatcherContext)
{
    if (EXCEPTION_INVALID_HANDLE == ExceptionRecord->ExceptionCode)
    {
        std::cout << "Stop debugging program!" << std::endl;
        exit(-1);
    }
    return ExceptionContinueExecution;
}

// 32-bit MSVC only: the inline x86 asm pushes a raw SEH frame onto the stack.
int main()
{
    __asm
    {
        // set SEH handler
        push ExceptionRoutine
        push dword ptr fs:[0]
        mov dword ptr fs:[0], esp
    }
    CloseHandle((HANDLE)0xBAAD);   // invalid handle: raises only under a debugger
    __asm
    {
        // restore original SEH handler
        mov eax, [esp]
        mov dword ptr fs:[0], eax
        add esp, 8
    }
    return 0;
}
```
Stack segment manipulation