Anti StrongOD Kernel Mode
/**************************************
/* 作者:半斤八兩
/* 博客:http://cnblogs.com/bjblcracked
/* 日期:2013-12-11 00:00
/**************************************
只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
相信大家都有用过海风前辈写的strongod反反调试插件.用起来是十分方便的. strongod 是属于驱动级别的插件, 如果是我们自己写的应用层软件,如何来对付strongod呢?
在strongod早些版本的时候,我们是可以通过符号链接来做检测的.早些版本符号链接是写死的.
名为 fengyue. 但到了后来, 符号链接名改成了可自定义的, 缺省值仍然不变. 大多数人都会通过strongod的ini配置文件来修改缺省的名字.
它的INI配置是直接写入OD 的 ollydbg.ini 里面. 打开ollydbg.ini 直接搜索 strongod 就能搜到如下内容,
[Plugin StrongOD]
CreateProcessMode=0
HidePEB=1
IsPatchFloat=1
IsAdvGoto=1
KernelMode=1
KillPEBug=1
SuperEnumMod=1
AdvAttach=1
SkipExpection=1
HideWindow=1
HideProcess=1
ProtectProcess=1
DriverKey=-82693034
DriverName=fengyue
OrdFirst=0
BreakOnLdr=0
BreakOnTls=0
RemoveEpOneShot=1
ShowBar=17
LoadSym=1
AutoUpdate=0
UpdateURL=http://sod.ibt.name/update.txt
其中 DriverName=fengyue 就是我们关心的. 虽然现在符号链接名是"随机的", 但是我们还是有办法获取真实的符号链接名~ 具体的看源码吧.
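// Looks up the PID of csrss.exe through a Toolhelp process snapshot.
// Returns: the PID, 0 if no csrss.exe entry is listed, or (DWORD)-1 when the
// snapshot cannot be created.
// NOTE(review): the listing returned TRUE (1) on the found path instead of the
// PID it had just stored in its local, and skipped CloseHandle on that path.
// The caller stores this value in m_dwCressPID, so the PID is presumably what
// is wanted — confirm against the driver-side expectation, which is not
// visible in this listing.
DWORD IsEnumProcess()
{
    DWORD dwCsrssPid = 0;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        return (DWORD)-1;
    }

    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(PROCESSENTRY32);

    for (BOOL bMore = Process32First(hSnap, &entry); bMore; bMore = Process32Next(hSnap, &entry))
    {
        // Image file names are case-insensitive on Windows.
        if (0 == _stricmp(entry.szExeFile, "csrss.exe"))
        {
            dwCsrssPid = entry.th32ProcessID;
            break;
        }
    }

    // Released on every path, including the found one.
    CloseHandle(hSnap);
    return dwCsrssPid;
}

// Field writers for the request block: same byte layout as the listing's
// *(PDWORD)&buf[off] / *(PWORD)&buf[off] stores, without the aliasing cast.
static void PutDword(BYTE* dst, DWORD v)
{
    memcpy(dst, &v, sizeof(v));
}

static void PutWord(BYTE* dst, WORD v)
{
    memcpy(dst, &v, sizeof(v));
}

// Applies the listing's fixed 0x24-byte XOR mask to a request block in place.
static void MaskRequest(BYTE* req, const BYTE* mask)
{
    for (int i = 0; i < 0x24; ++i)
    {
        req[i] ^= mask[i];
    }
}

// Runs the three-request sequence from the listing against an already-open
// device handle. Returns TRUE only if the last request succeeds. The handle
// is not closed here; the caller owns it.
// NOTE(review): reproduced exactly as listed — the mask buffer itself
// (szControlCode2) is what is passed on the first and third requests while
// the masked block (szControlCode1) is passed on the second, and a *failed*
// second request is what lets the sequence continue. Whether that asymmetry
// is intended cannot be confirmed from this listing.
static BOOL ProbeStrongOD(HANDLE hFile, const tagSTRONGOD& tag)
{
    BYTE szControlCode2[0x24] = {
        0x42, 0xa3, 0x53, 0x04, 0x4D, 0x4B, 0xA3, 0xC4, 0xEC, 0xF8,
        0xE5, 0x41, 0x9D, 0xEF, 0xAE, 0x46, 0x95, 0x59, 0x7D, 0xF3,
        0x98, 0xBD, 0xDC, 0xD4, 0x1F, 0xE9, 0xC1, 0xD9, 0xFB, 0xF1,
        0xE9, 0x8D, 0x85, 0x0B, 0x7B, 0x14};
    BYTE szControlCode1[0x24] = {0};
    BYTE szOutBuffer[4] = {0xff, 0xff, 0xff, 0xff};
    DWORD dwBytesReturned = 0;

    // Request 1: flag, csrss PID, five 1-fields, a 0-field, own PID.
    PutDword(&szControlCode1[0x00], tag.m_dwFlag);
    PutDword(&szControlCode1[0x04], tag.m_dwCressPID);
    PutDword(&szControlCode1[0x08], 1);
    PutDword(&szControlCode1[0x0c], 1);
    PutDword(&szControlCode1[0x10], 1);
    PutDword(&szControlCode1[0x14], 1);
    PutDword(&szControlCode1[0x18], 1);
    PutDword(&szControlCode1[0x1c], 0);
    PutWord(&szControlCode1[0x20], tag.m_wMePid);
    PutWord(&szControlCode1[0x22], 0);
    MaskRequest(szControlCode1, szControlCode2);
    if (!DeviceIoControl(hFile, 0x22215c, szControlCode2, 0x24,
                         NULL, 0, &dwBytesReturned, NULL))
    {
        return FALSE;
    }

    // Request 2: flag only; the listing proceeds only when this call fails.
    memset(szControlCode1, 0, sizeof(szControlCode1));
    PutDword(&szControlCode1[0x00], tag.m_dwFlag);
    MaskRequest(szControlCode1, szControlCode2);
    if (DeviceIoControl(hFile, 0x222178, szControlCode1, 0x24,
                        NULL, 0, &dwBytesReturned, NULL))
    {
        return FALSE;
    }

    // Request 3: flag and own PID; success here is the detection signal.
    memset(szControlCode1, 0, sizeof(szControlCode1));
    PutDword(&szControlCode1[0x00], tag.m_dwFlag);
    PutWord(&szControlCode1[0x20], tag.m_wMePid);
    MaskRequest(szControlCode1, szControlCode2);
    return DeviceIoControl(hFile, 0x222160, szControlCode2, 0x24,
                           szOutBuffer, sizeof(szOutBuffer), &dwBytesReturned, NULL)
               ? TRUE
               : FALSE;
}

// Enumerates the \global?? object directory and probes each short entry name
// as a "\\.\<name>" device with ProbeStrongOD. Returns TRUE (and prints the
// name) when a device answers the probe; FALSE when the directory cannot be
// opened, the enumeration ends, or the query returns an unexpected status.
// Fixes relative to the listing: hDirectory is initialised and is no longer
// "closed" after a failed open (no valid handle exists then); an unexpected
// query status ends the loop instead of closing the directory and re-querying
// on a dead handle; the object name is copied with an explicit bound instead
// of wcscat on a UNICODE_STRING buffer that is not guaranteed to be
// NUL-terminated; hFile and hDirectory are released on the success path; the
// function returns BOOL values rather than NULL; the loop index is no longer
// reused across for-statements.
// NOTE(review): the listing initialised a UNICODE_STRING "SymbolicLink" but
// never compared it with the entry's type name, so non-link entries are still
// opened here too. Adding that filter would narrow the CreateFileW calls.
BOOL CCheckStrongOD::IsDebugSymbolicLink()
{
    UNICODE_STRING strDirName;
    OBJECT_ATTRIBUTES oba;
    HANDLE hDirectory = NULL;

    RtlInitUnicodeString(&strDirName, L"\\global??");
    InitializeObjectAttributes(&oba, &strDirName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    NTSTATUS ntStatus = ZwOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &oba);
    if (ntStatus != STATUS_SUCCESS)
    {
        // No handle is returned on failure; nothing to close.
        return FALSE;
    }

    tagSTRONGOD tagStrongOD = {0};
    tagStrongOD.m_dwFlag = 123456789;
    tagStrongOD.m_dwCressPID = IsEnumProcess();
    tagStrongOD.m_wMePid = (WORD)GetCurrentProcessId();

    BYTE buffer[2048] = {0};
    ULONG ulContext = 0;
    ULONG ulRet = 0;
    BOOL bFound = FALSE;

    // ReturnSingleEntry = TRUE: `buffer` holds one entry per iteration.
    while (!bFound)
    {
        ntStatus = ZwQueryDirectoryObject(hDirectory, buffer, sizeof(buffer),
                                          TRUE, FALSE, &ulContext, &ulRet);
        if (ntStatus != STATUS_SUCCESS)
        {
            // STATUS_NO_MORE_ENTRIES ends the scan; any other status is an
            // error. Either way the loop must stop rather than query again.
            break;
        }

        PDIRECTORY_BASIC_INFORMATION directoryInfo = (PDIRECTORY_BASIC_INFORMATION)buffer;

        // Build "\\.\<name>". UNICODE_STRING.Length is in bytes and Buffer is
        // not guaranteed to be NUL-terminated, so copy by length and terminate.
        const size_t prefixChars = 4; // characters in L"\\\\.\\"
        const size_t nameChars = directoryInfo->ObjectName.Length / sizeof(WCHAR);
        if (prefixChars + nameChars > 0xc)
        {
            // Same length filter as the listing (nLen > 0xc -> skip), applied
            // before the copy so it also bounds the buffer write.
            continue;
        }
        WCHAR szSymbolicLink[MAXBYTE] = L"\\\\.\\";
        memcpy(szSymbolicLink + prefixChars, directoryInfo->ObjectName.Buffer,
               nameChars * sizeof(WCHAR));
        szSymbolicLink[prefixChars + nameChars] = L'\0';

        HANDLE hFile = CreateFileW(szSymbolicLink, GENERIC_READ | GENERIC_WRITE,
                                   FILE_SHARE_READ | FILE_SHARE_WRITE,
                                   NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            continue;
        }

        bFound = ProbeStrongOD(hFile, tagStrongOD);
        if (bFound)
        {
            _putws(szSymbolicLink);
        }
        // Closed on both the hit and the miss path.
        CloseHandle(hFile);
    }

    ZwClose(hDirectory);
    return bFound;
}

// Console set-up for the demo: code page 936 (GBK) so the Chinese title
// renders, clear the screen, green-on-black colours, and a window title.
// Runs through cmd.exe via system(); the command string is fixed.
CCheckStrongOD::CCheckStrongOD()
{
    system("chcp 936 & cls & color 0a & title 检测StrongOD Kernel Mode");
}

// Keeps the console window open until a key is pressed.
CCheckStrongOD::~CCheckStrongOD()
{
    system("pause");
}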
本文没有任何技术含量,只是一个思路~ 抛砖~
SRC和BIN下载地址:<<<看雪学院>>>