本帖子部分代码由comodo的某工程师提供,特此感谢。
PatchGuard 引发蓝屏的方式是调用 KeBugCheckEx(0x109, 0x0, 0x0, 0x0, 0x7);(0x109 即 CRITICAL_STRUCTURE_CORRUPTION)。
我的反蓝屏方法:
让执行蓝屏的线程在 KeBugCheckEx 中死循环。这种方法的缺点很严重:一是极耗费 CPU(该线程几乎独占一个核心);二是补丁对所有调用 KeBugCheckEx 的路径一视同仁,真正的内核错误同样会被吞掉——系统不再生成 dump、不再重启,而是静默挂起。
/*
 * Resolve an exported kernel routine by name.
 *
 * FunctionName: NUL-terminated wide string naming the export, e.g. L"KeBugCheckEx".
 * Returns the routine's address. MmGetSystemRoutineAddress is documented to
 * return NULL when the export is not found, so callers must check the result
 * before dereferencing or patching it.
 */
PVOID GetFunctionAddr(PCWSTR FunctionName)
{
    UNICODE_STRING routineName;

    RtlInitUnicodeString(&routineName, FunctionName);
    return MmGetSystemRoutineAddress(&routineName);
}
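/*
 * Disable kernel write protection on the current CPU so read-only code
 * pages can be patched. Clears CR0.WP (bit 16).
 *
 * Interrupts are masked BEFORE CR0 is written. The original ordering wrote
 * CR0 first and called _disable() afterwards, leaving a window in which the
 * thread could be preempted or migrated with WP already cleared on this
 * core -- and WPONx64() would then restore WP on a different core.
 * Every call must be paired with WPONx64() on the same thread.
 *
 * NOTE(review): CR0 is per-processor; interrupts-off only pins this thread
 * and does nothing for other cores. Clearing CR0.WP is also reported to be
 * among the state PatchGuard inspects -- confirm on the target kernel build.
 */
void WPOFFx64(void)
{
    UINT64 cr0;

    _disable();                       /* no preemption while WP is off */
    cr0 = __readcr0();
    cr0 &= ~((UINT64)1 << 16);        /* CR0.WP */
    __writecr0(cr0);
}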
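/*
 * Re-enable kernel write protection on the current CPU: sets CR0.WP (bit 16)
 * and then unmasks interrupts. Counterpart of WPOFFx64().
 *
 * CR0 is restored BEFORE _enable(). The original ordering enabled interrupts
 * first, so the thread could be preempted (or migrated to another core)
 * between _enable() and the CR0 write, leaving WP cleared behind it.
 */
void WPONx64(void)
{
    UINT64 cr0 = __readcr0();

    cr0 |= (UINT64)1 << 16;           /* CR0.WP */
    __writecr0(cr0);
    _enable();                        /* only after protection is back */
}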
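/*
 * Turn KeBugCheckEx into a busy loop so a PatchGuard-triggered bugcheck
 * (0x109) never reaches the crash path: the calling thread spins forever.
 *
 * The first PATCH_SIZE bytes of KeBugCheckEx are overwritten with a NOP
 * sled followed by `jmp KeBugCheckEx` (rel32 back to the function entry).
 * Observed entry on the build the thread refers to:
 *   fffff800`03c81f00 48894c2408 mov qword ptr [rsp+8],rcx
 *
 * Returns nothing. If the export cannot be resolved the function now
 * returns without touching memory (the original dereferenced a NULL
 * lookup result).
 *
 * Caveats a deployer must accept:
 *  - EVERY bugcheck, not only PatchGuard's, now hangs its thread: no crash
 *    dump, no reboot, one core burned at whatever IRQL the caller held.
 *  - The write is not atomic. DPC level only blocks preemption on this
 *    core; a CPU already inside KeBugCheckEx executes half-written bytes.
 *  - Assumes KeBugCheckEx is at least PATCH_SIZE bytes of contiguous code
 *    on the target kernel; verify per build before deploying.
 */
VOID AntiBugCheck_1(void)
{
    enum { PATCH_SIZE = 210, JMP_OFFSET = 201, JMP_LEN = 5 };
    UCHAR patch[PATCH_SIZE];
    LONG  rel32;
    KIRQL oldIrql;
    PVOID target = GetFunctionAddr(L"KeBugCheckEx");

    if (target == NULL) {
        return;                       /* export not found: leave the kernel alone */
    }

    /* 201 x NOP, then E9 <rel32> pointing back at the function entry. */
    memset(patch, 0x90, sizeof patch);
    patch[JMP_OFFSET] = 0xE9;
    /* rel32 is relative to the end of the 5-byte jmp:
     * entry - (entry + JMP_OFFSET + JMP_LEN) = -206 (0xFFFFFF32), same
     * bytes the original pointer arithmetic produced. */
    rel32 = -(LONG)(JMP_OFFSET + JMP_LEN);
    memcpy(&patch[JMP_OFFSET + 1], &rel32, sizeof rel32);

    WPOFFx64();
    oldIrql = KeRaiseIrqlToDpcLevel();
    RtlMoveMemory(target, patch, sizeof patch);
    KeLowerIrql(oldIrql);
    WPONx64();
}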