- // DbgSsReserved[0] -> PDBGSS_THREAD_DATA* (head of the per-thread handle list)
- // DbgSsReserved[1] -> DebugObjectHandle
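/**
 * ContinueDebugEvent - acknowledge a debug event and let the debuggee run.
 *
 * @param dwProcessId      Process id reported by WaitForDebugEvent.
 * @param dwThreadId       Thread id reported by WaitForDebugEvent.
 * @param dwContinueStatus DBG_CONTINUE or DBG_EXCEPTION_NOT_HANDLED; passed
 *                         through to the kernel unchanged.
 * @return TRUE on success; FALSE with the last error derived from the NTSTATUS.
 *
 * The debug object handle lives in the calling thread's TEB (DbgSsReserved[1]),
 * so this must be called on the thread that attached to the debuggee.
 * After the kernel accepts the continue, entries of the per-thread handle list
 * (DbgSsReserved[0]) that an exit event marked (HandleMarked) and that belong
 * to this process or thread are closed and freed.
 */
BOOL WINAPI ContinueDebugEvent(DWORD dwProcessId, DWORD dwThreadId, DWORD dwContinueStatus)
{
    CLIENT_ID ClientId;
    NTSTATUS Status;
    PDBGSS_THREAD_DATA *ThreadData;
    PDBGSS_THREAD_DATA ThisData;

    ClientId.UniqueProcess = UlongToHandle(dwProcessId);
    ClientId.UniqueThread = UlongToHandle(dwThreadId);

    /* ZwDebugContinue takes the CLIENT_ID by pointer, and its status must be
     * checked: a continue for an id that is not waiting is a caller error and
     * must not silently fall through to the handle cleanup below. */
    Status = ZwDebugContinue(NtCurrentTeb()->DbgSsReserved[1], &ClientId, dwContinueStatus);
    if (!NT_SUCCESS(Status))
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* Close and drop handles that an exit event marked as dead. */
    ThreadData = (PDBGSS_THREAD_DATA*)NtCurrentTeb()->DbgSsReserved;
    ThisData = *ThreadData;
    while (ThisData)
    {
        if (ThisData->HandleMarked &&
            (ThisData->ProcessId == dwProcessId || ThisData->ThreadId == dwThreadId))
        {
            if (ThisData->ThreadHandle) CloseHandle(ThisData->ThreadHandle);
            if (ThisData->ProcessHandle) CloseHandle(ThisData->ProcessHandle);
            /* Unlink first so the list never refers to freed memory. */
            *ThreadData = ThisData->Next;
            RtlFreeHeap(RtlGetProcessHeap(), 0, ThisData);
        }
        else
        {
            ThreadData = &ThisData->Next;
        }
        ThisData = *ThreadData;
    }

    return TRUE;
}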
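/**
 * DebugActiveProcess - attach the calling thread as debugger of a process.
 *
 * @param dwProcessId Id of the process to attach to.
 * @return TRUE on success; FALSE with the last error derived from the NTSTATUS.
 *
 * The debug object is created at most once per thread and cached in
 * DbgSsReserved[1]; creating a new one on every call would overwrite (leak)
 * the existing handle. It is created with DBGK_KILL_PROCESS_ON_EXIT, so
 * closing the object terminates the attached processes unless
 * DebugSetProcessKillOnExit(FALSE) is called later.
 * The process handle is opened only for the duration of the attach.
 */
BOOL WINAPI DebugActiveProcess(DWORD dwProcessId)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID ClientId;
    HANDLE Handle;
    NTSTATUS Status;

    /* Create the debug object only if this thread does not have one yet. */
    if (!NtCurrentTeb()->DbgSsReserved[1])
    {
        InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, 0);
        Status = ZwCreateDebugObject(&NtCurrentTeb()->DbgSsReserved[1], DEBUG_OBJECT_ALL_ACCESS, &ObjectAttributes, DBGK_KILL_PROCESS_ON_EXIT);
        if (!NT_SUCCESS(Status))
        {
            SetLastError(RtlNtStatusToDosError(Status));
            return FALSE;
        }
    }

    /* Open the target process; the access mask is what the debugger needs
     * to read/write memory, create threads and suspend/resume. */
    ClientId.UniqueThread = NULL;
    ClientId.UniqueProcess = UlongToHandle(dwProcessId);
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    Status = NtOpenProcess(&Handle, PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
                           | PROCESS_SUSPEND_RESUME | PROCESS_QUERY_INFORMATION, &ObjectAttributes, &ClientId);
    if (!NT_SUCCESS(Status))
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* The sketch passed an undeclared `Process` here; the opened handle is `Handle`. */
    Status = NtDebugActiveProcess(Handle, NtCurrentTeb()->DbgSsReserved[1]);
    if (!NT_SUCCESS(Status))
    {
        NtClose(Handle);
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* (Not shown in this sketch) the real implementation now issues the remote
     * break-in so the debugger receives an initial breakpoint event. */
    NtClose(Handle);
    return TRUE;
}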
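/**
 * DebugActiveProcessStop - detach the calling thread's debug object from a process.
 *
 * @param dwProcessId Id of the process to detach from.
 * @return TRUE on success; FALSE with the last error derived from the NTSTATUS.
 *
 * Every cached process/thread handle for dwProcessId is closed and freed
 * before the kernel detach, regardless of HandleMarked, since no further
 * events for that process will arrive. The process handle is opened only for
 * the duration of the detach.
 */
BOOL WINAPI DebugActiveProcessStop(DWORD dwProcessId)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID ClientId;
    HANDLE Handle;
    NTSTATUS Status;
    PDBGSS_THREAD_DATA *ThreadData;
    PDBGSS_THREAD_DATA ThisData;

    ClientId.UniqueThread = NULL;
    ClientId.UniqueProcess = UlongToHandle(dwProcessId);
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    Status = NtOpenProcess(&Handle, PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
                           | PROCESS_SUSPEND_RESUME | PROCESS_QUERY_INFORMATION, &ObjectAttributes, &ClientId);
    if (!NT_SUCCESS(Status))
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* Close every cached handle belonging to this process. */
    ThreadData = (PDBGSS_THREAD_DATA*)NtCurrentTeb()->DbgSsReserved;
    ThisData = *ThreadData;
    while (ThisData)
    {
        if (ThisData->ProcessId == dwProcessId)
        {
            if (ThisData->ThreadHandle) CloseHandle(ThisData->ThreadHandle);
            if (ThisData->ProcessHandle) CloseHandle(ThisData->ProcessHandle);
            /* Unlink first so the list never refers to freed memory. */
            *ThreadData = ThisData->Next;
            RtlFreeHeap(RtlGetProcessHeap(), 0, ThisData);
        }
        else
        {
            ThreadData = &ThisData->Next;
        }
        ThisData = *ThreadData;
    }

    /* The sketch passed an undeclared `Process` here; the opened handle is `Handle`. */
    Status = NtRemoveProcessDebug(Handle, NtCurrentTeb()->DbgSsReserved[1]);
    NtClose(Handle);
    if (!NT_SUCCESS(Status))
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    return TRUE;
}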
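/**
 * DebugSetProcessKillOnExit - choose whether debuggees die when the debug object closes.
 *
 * @param KillOnExit Non-zero to kill attached processes when the debug object
 *                   is closed (the default set by DebugActiveProcess), zero to
 *                   let them keep running.
 * @return TRUE on success; FALSE with the last error set if this thread has
 *         no debug object or the kernel rejects the request.
 */
BOOL WINAPI DebugSetProcessKillOnExit(BOOL KillOnExit)
{
    HANDLE Handle;
    NTSTATUS Status;
    ULONG State;

    /* Only the thread that attached owns a debug object (DbgSsReserved[1]). */
    Handle = NtCurrentTeb()->DbgSsReserved[1];
    if (!Handle)
    {
        SetLastError(RtlNtStatusToDosError(STATUS_INVALID_HANDLE));
        return FALSE;
    }

    /* Normalise to 0/1; the sketch wrote `STATE` here but passed `State`. */
    State = KillOnExit != 0;
    Status = NtSetInformationDebugObject(Handle, DebugObjectKillProcessOnExitInformation, &State, sizeof(State), NULL);
    if (!NT_SUCCESS(Status))
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    return TRUE;
}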
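/*
 * Translate one kernel DBGUI_WAIT_STATE_CHANGE into the Win32 DEBUG_EVENT
 * layout. Fills dwProcessId/dwThreadId/dwDebugEventCode and the matching
 * union member. Returns STATUS_UNSUCCESSFUL for a NewState it does not know.
 */
static NTSTATUS DbgSsConvertStateChange(PDBGUI_WAIT_STATE_CHANGE WaitStateChange, LPDEBUG_EVENT lpDebugEvent)
{
    THREAD_BASIC_INFORMATION ThreadBasicInfo;
    OBJECT_ATTRIBUTES ObjectAttributes;
    HANDLE ThreadHandle;
    NTSTATUS Status;

    lpDebugEvent->dwProcessId = HandleToUlong(WaitStateChange->AppClientId.UniqueProcess);
    lpDebugEvent->dwThreadId = HandleToUlong(WaitStateChange->AppClientId.UniqueThread);

    switch (WaitStateChange->NewState)
    {
    case DbgCreateThreadStateChange:
        lpDebugEvent->dwDebugEventCode = CREATE_THREAD_DEBUG_EVENT;
        lpDebugEvent->u.CreateThread.hThread = WaitStateChange->StateInfo.CreateThread.HandleToThread;
        lpDebugEvent->u.CreateThread.lpStartAddress = (LPTHREAD_START_ROUTINE)WaitStateChange->StateInfo.CreateThread.NewThread.StartAddress;
        Status = NtQueryInformationThread(WaitStateChange->StateInfo.CreateThread.HandleToThread, ThreadBasicInformation, &ThreadBasicInfo, sizeof(ThreadBasicInfo), NULL);
        /* TebBaseAddress is only valid if the query succeeded. */
        lpDebugEvent->u.CreateThread.lpThreadLocalBase = NT_SUCCESS(Status) ? ThreadBasicInfo.TebBaseAddress : NULL;
        break;

    case DbgCreateProcessStateChange:
        lpDebugEvent->dwDebugEventCode = CREATE_PROCESS_DEBUG_EVENT;
        lpDebugEvent->u.CreateProcessInfo.hProcess = WaitStateChange->StateInfo.CreateProcessInfo.HandleToProcess;
        lpDebugEvent->u.CreateProcessInfo.hThread = WaitStateChange->StateInfo.CreateProcessInfo.HandleToThread;
        lpDebugEvent->u.CreateProcessInfo.hFile = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.FileHandle;
        lpDebugEvent->u.CreateProcessInfo.lpBaseOfImage = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.BaseOfImage;
        lpDebugEvent->u.CreateProcessInfo.dwDebugInfoFileOffset = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.DebugInfoFileOffset;
        lpDebugEvent->u.CreateProcessInfo.nDebugInfoSize = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.DebugInfoSize;
        lpDebugEvent->u.CreateProcessInfo.lpStartAddress = (LPTHREAD_START_ROUTINE)WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.InitialThread.StartAddress;
        Status = NtQueryInformationThread(WaitStateChange->StateInfo.CreateProcessInfo.HandleToThread, ThreadBasicInformation,
                                          &ThreadBasicInfo, sizeof(ThreadBasicInfo), NULL);
        lpDebugEvent->u.CreateProcessInfo.lpThreadLocalBase = NT_SUCCESS(Status) ? ThreadBasicInfo.TebBaseAddress : NULL;
        lpDebugEvent->u.CreateProcessInfo.lpImageName = NULL;
        lpDebugEvent->u.CreateProcessInfo.fUnicode = TRUE;
        break;

    case DbgExitThreadStateChange:
        lpDebugEvent->dwDebugEventCode = EXIT_THREAD_DEBUG_EVENT;
        lpDebugEvent->u.ExitThread.dwExitCode = WaitStateChange->StateInfo.ExitThread.ExitStatus;
        break;

    case DbgExitProcessStateChange:
        lpDebugEvent->dwDebugEventCode = EXIT_PROCESS_DEBUG_EVENT;
        lpDebugEvent->u.ExitProcess.dwExitCode = WaitStateChange->StateInfo.ExitProcess.ExitStatus;
        break;

    case DbgExceptionStateChange:
    case DbgBreakpointStateChange:
    case DbgSingleStepStateChange:
        /* Two exception codes are special-cased into their own event types;
         * everything else (including breakpoint and single-step) is a plain
         * EXCEPTION_DEBUG_EVENT. */
        if (WaitStateChange->StateInfo.Exception.ExceptionRecord.ExceptionCode == DBG_PRINTEXCEPTION_C)
        {
            /* ExceptionInformation[0] = length, [1] = pointer into the debuggee. */
            lpDebugEvent->dwDebugEventCode = OUTPUT_DEBUG_STRING_EVENT;
            lpDebugEvent->u.DebugString.lpDebugStringData = (PVOID)WaitStateChange->StateInfo.Exception.ExceptionRecord.ExceptionInformation[1];
            lpDebugEvent->u.DebugString.nDebugStringLength = (WORD)WaitStateChange->StateInfo.Exception.ExceptionRecord.ExceptionInformation[0];
            lpDebugEvent->u.DebugString.fUnicode = FALSE;
        }
        else if (WaitStateChange->StateInfo.Exception.ExceptionRecord.ExceptionCode == DBG_RIPEXCEPTION)
        {
            lpDebugEvent->dwDebugEventCode = RIP_EVENT;
            lpDebugEvent->u.RipInfo.dwType = (DWORD)WaitStateChange->StateInfo.Exception.ExceptionRecord.ExceptionInformation[1];
            lpDebugEvent->u.RipInfo.dwError = (DWORD)WaitStateChange->StateInfo.Exception.ExceptionRecord.ExceptionInformation[0];
        }
        else
        {
            lpDebugEvent->dwDebugEventCode = EXCEPTION_DEBUG_EVENT;
            lpDebugEvent->u.Exception.ExceptionRecord = WaitStateChange->StateInfo.Exception.ExceptionRecord;
            lpDebugEvent->u.Exception.dwFirstChance = WaitStateChange->StateInfo.Exception.FirstChance;
        }
        break;

    case DbgLoadDllStateChange:
        lpDebugEvent->dwDebugEventCode = LOAD_DLL_DEBUG_EVENT;
        lpDebugEvent->u.LoadDll.lpBaseOfDll = WaitStateChange->StateInfo.LoadDll.BaseOfDll;
        lpDebugEvent->u.LoadDll.hFile = WaitStateChange->StateInfo.LoadDll.FileHandle;
        lpDebugEvent->u.LoadDll.dwDebugInfoFileOffset = WaitStateChange->StateInfo.LoadDll.DebugInfoFileOffset;
        lpDebugEvent->u.LoadDll.nDebugInfoSize = WaitStateChange->StateInfo.LoadDll.DebugInfoSize;
        lpDebugEvent->u.LoadDll.lpImageName = NULL;
        lpDebugEvent->u.LoadDll.fUnicode = TRUE;
        InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
        Status = NtOpenThread(&ThreadHandle, THREAD_QUERY_INFORMATION, &ObjectAttributes, &WaitStateChange->AppClientId);
        if (NT_SUCCESS(Status))
        {
            Status = NtQueryInformationThread(ThreadHandle, ThreadBasicInformation, &ThreadBasicInfo, sizeof(ThreadBasicInfo), NULL);
            NtClose(ThreadHandle);
            if (NT_SUCCESS(Status))
            {
                /* TebBaseAddress is an address in the debuggee, not in this process,
                 * so it must not be dereferenced here (the sketch did). lpImageName
                 * is defined as the address of a string pointer in the debuggee's
                 * address space; consumers read it with ReadProcessMemory. */
                lpDebugEvent->u.LoadDll.lpImageName = &((PTEB)ThreadBasicInfo.TebBaseAddress)->NtTib.ArbitraryUserPointer;
            }
        }
        break;

    case DbgUnloadDllStateChange:
        lpDebugEvent->dwDebugEventCode = UNLOAD_DLL_DEBUG_EVENT;
        lpDebugEvent->u.UnloadDll.lpBaseOfDll = WaitStateChange->StateInfo.UnloadDll.BaseAddress;
        break;

    default:
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}

/**
 * WaitForDebugEvent - block until the calling thread's debug object reports an event.
 *
 * @param lpDebugEvent   Receives the translated event (must not be NULL).
 * @param dwMilliseconds Wait limit; INFINITE waits without a timeout.
 * @return TRUE with *lpDebugEvent filled; FALSE with the last error derived
 *         from the NTSTATUS, including the timeout case.
 *
 * Must run on the thread that attached: the debug object handle is read from
 * this thread's TEB (DbgSsReserved[1]). Process/thread handles delivered with
 * create events are cached in the per-thread list so ContinueDebugEvent can
 * close them once the matching exit event has marked them.
 */
BOOL WINAPI WaitForDebugEvent(LPDEBUG_EVENT lpDebugEvent, DWORD dwMilliseconds)
{
    DBGUI_WAIT_STATE_CHANGE WaitStateChange;
    LARGE_INTEGER Timeout;
    PLARGE_INTEGER TimeoutPtr = NULL;
    NTSTATUS Status;

    /* The sketch used an undeclared `TimeOut`; derive it from dwMilliseconds.
     * A negative LARGE_INTEGER is a relative wait in 100ns units. */
    if (dwMilliseconds != INFINITE)
    {
        Timeout.QuadPart = -(LONGLONG)dwMilliseconds * 10000;
        TimeoutPtr = &Timeout;
    }

    /* The wait is alertable; APCs and alerts just restart it. */
    do
    {
        Status = NtWaitForDebugEvent(NtCurrentTeb()->DbgSsReserved[1], TRUE, TimeoutPtr, &WaitStateChange);
    } while (Status == STATUS_ALERTED || Status == STATUS_USER_APC);

    /* STATUS_TIMEOUT is a success code, so it needs its own check; without it
     * the sketch would decode an unfilled WaitStateChange. */
    if (!NT_SUCCESS(Status) || Status == STATUS_TIMEOUT)
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* The sketch returned an NTSTATUS from a BOOL function here. */
    Status = DbgSsConvertStateChange(&WaitStateChange, lpDebugEvent);
    if (!NT_SUCCESS(Status))
    {
        SetLastError(RtlNtStatusToDosError(Status));
        return FALSE;
    }

    /* Record or mark the handles that came with the event. */
    switch (lpDebugEvent->dwDebugEventCode)
    {
    case CREATE_THREAD_DEBUG_EVENT:
        SaveThreadHandle(lpDebugEvent->dwProcessId, lpDebugEvent->dwThreadId, lpDebugEvent->u.CreateThread.hThread);
        break;

    case CREATE_PROCESS_DEBUG_EVENT:
        SaveProcessHandle(lpDebugEvent->dwProcessId, lpDebugEvent->u.CreateProcessInfo.hProcess);
        SaveThreadHandle(lpDebugEvent->dwProcessId, lpDebugEvent->dwThreadId, lpDebugEvent->u.CreateProcessInfo.hThread);
        break;

    case EXIT_PROCESS_DEBUG_EVENT:
        MarkProcessHandle(lpDebugEvent->dwProcessId);
        /* fallthrough: a process exit also ends its last thread */
    case EXIT_THREAD_DEBUG_EVENT:
        MarkThreadHandle(lpDebugEvent->dwThreadId);
        break;

    case EXCEPTION_DEBUG_EVENT:
    case LOAD_DLL_DEBUG_EVENT:
    case UNLOAD_DLL_DEBUG_EVENT:
    case OUTPUT_DEBUG_STRING_EVENT:
    case RIP_EVENT:
        break;

    default:
        /* Unreachable if DbgSsConvertStateChange succeeded; kept as a guard. */
        SetLastError(RtlNtStatusToDosError(STATUS_UNSUCCESSFUL));
        return FALSE;
    }

    return TRUE;
}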