コード例 #1
0
ファイル: EVLog_debugger.cpp プロジェクト: kamilkk/akt
void EV_cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;
    esp_addr=(long)GetContextData(UE_ESP);

    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
    sec_data=(BYTE*)malloc2(sec_size);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
    unsigned int SetEnvA=0,SetEnvW=0;
    SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
    if(!(SetEnvW-sec_addr))
    {
        SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
        if(!(SetEnvW-sec_addr))
        {
            SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
            if(!(SetEnvW-sec_addr))
                EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
        }
    }
    SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
    SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
    if(!(SetEnvA-sec_addr))
    {
        SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
        if(!(SetEnvA-sec_addr))
        {
            SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
            if(!(SetEnvA-sec_addr))
                EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
        }
    }
    SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
}
コード例 #2
0
ファイル: Test.cpp プロジェクト: Izib/dbg
//
//  函数: WndProc(HWND, UINT, WPARAM, LPARAM)
//
//  目的: 处理主窗口的消息。
//
//  WM_COMMAND	- 处理应用程序菜单
//  WM_PAINT	- 绘制主窗口
//  WM_DESTROY	- 发送退出消息并返回
//
//
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
	int wmId, wmEvent;
	PAINTSTRUCT ps;
	HDC hdc;
	OPENFILENAME stOFN;
	char stFilePath[1000];	//保存文件路径
	char szBuf[1000];		//保存内存读取来的数据

	memset(&stOFN, 0, sizeof(stOFN));
	memset(stFilePath, 0, 100);

	//initial stOFN
	stOFN.lStructSize      =sizeof(stOFN);
	stOFN.nMaxFile         =MAX_PATH;
	stOFN.lpstrFile        =(LPWSTR)stFilePath;

	switch (message)
	{
	case WM_COMMAND:
		wmId    = LOWORD(wParam);
		wmEvent = HIWORD(wParam);
		// 分析菜单选择:
		switch (wmId)
		{
		case IDM_OPEN:
			{
				GetOpenFileName(&stOFN);
				LoadDebuggedProcess(stOFN.lpstrFile);

			}
			break;
		case IDM_START:
			{
				static int i = 0;
				if(i == 0)
				{
					if(!ResumeDebuggedThread())			//检验是否加载进程
						break;
					StopOnException();
					
					ResumeDebuggedThread();
					StopOnException();
					i++;
				}
				else 
				{
					ResumeDebuggedThread();
					StopOnException();
				}
			}
			//DestroyWindow(hWnd);
			break;
		case ID_NORMAL:
			{
				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
				if(AddressOfBreak != 0)
					SetNormalBreakPoint(AddressOfBreak);
			}
			break;
		case ID_HARDWARE:
			{
				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
				if(AddressOfBreak != 0)
					SetHardwareBreakPoint(AddressOfBreak, 0, 000);
			}
			break;
		case ID_DELNORMAL:
			{
				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
				if(AddressOfBreak != 0)
					DelNormalBreakPoint(AddressOfBreak);
			}
			break;
		case ID_DELHARDWARE:
			{
				DelHardwareBreakPoint(0);
			}
			break;
		case ID_MEMORY:
			{				
				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
				if(AddressOfBreak != 0)
					SetMemoryBreakPoint(AddressOfBreak, 3);
			}break;
		case ID_DELMEM:
			{
				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
				if(AddressOfBreak != 0)
					DelMemoryBreakPoint(AddressOfBreak);
			}break;
		case ID_GO:
			{
				StopOnException();			
			}
			break;
		case ID_DISASM:
			{
				if( stProcessInfo.hProcess == 0)
				{
					MessageBox(hWnd, _T("也许你还没有加载进程"), _T("出错"), MB_OK);
					break;
				}
				char sz[10];				//保存地址
				DWORD OutAddress = NULL;	//保存输出地址

				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG2), hWnd, DlgProc2);
				if(StartAddress == 0)
					break;				//判断是否成功加载进程
				if(!ReadProcessMemory(stProcessInfo.hProcess, (LPCVOID)StartAddress, szBuf, Size, NULL))
				{
					MessageBox(NULL, _T("读取内存失败,你确认你的权限"), _T("出错"), MB_OK);
				}
				char *Linear=szBuf;		//Pointer to linear address
				DWORD Index=0;			// Index of opcoded to decode
				DISASSEMBLY dis;
				std::string out;		//输出字符串
				while(Index < Size)
				{
					int i = 0;
					memset(&dis,0,sizeof(DISASSEMBLY));
					dis.Address = Index;
					Decode(&dis,Linear,&Index);
					OutAddress = dis.Address + StartAddress;
					sprintf(sz,"%0x",OutAddress);
					OutAddress--;
					out += sz;	
					out += "   ";
					out += dis.Assembly;
					out += "\r\n";
					Index++;
					i--;
				}
				SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
			}

			break;
		case ID_MEM:
			{	/*
				std::string out;
				char sz[10];
				int j;

				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG2), hWnd, DlgProc2);
				ReadProcessMemory(stProcessInfo.hProcess, (LPCVOID)StartAddress, szBuf, Size, NULL);
				for(int i = 0; i < Size; i ++)
				{
				StartAddress = StartAddress + i;
				sprintf(sz,"%0x",StartAddress);
				out += sz;
				out += " ";	
				j = szBuf[i];
				sprintf(sz,"%0x",j);
				out += sz;
				out += "\r\n";
				}
				SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
				*/
			}
			break;
		case ID_SHOW:
			{
				std::string out;
				char sz[10];
				DWORD Address;

				for(int i = 1; Address = GetNormalBreakPoints( i ); i++)		
				{
					sprintf(sz, "%0x", Address);
					out += sz;
					out += "\r\n";
				}
				SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
			}
			break;
		case ID_ABOUT:
			DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);
			break;
		default:
			return DefWindowProc(hWnd, message, wParam, lParam);
		}
		break;
	case WM_PAINT:
		hdc = BeginPaint(hWnd, &ps);
		// TODO: 在此添加任意绘图代码...
		EndPaint(hWnd, &ps);
		break;
	case WM_DESTROY:
		PostQuitMessage(0);
		break;
	default:
		return DefWindowProc(hWnd, message, wParam, lParam);
	}
	return 0;
}
コード例 #3
0
ファイル: CertTool_debugger.cpp プロジェクト: cdaze/akt
void CT_cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    long esp_addr=GetContextData(UE_ESP);
    unsigned int security_code_base=0,security_code_size=0;
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    BYTE* security_code=(BYTE*)malloc2(security_code_size);
    BYTE* header_code=(BYTE*)malloc2(0x1000);
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)((DWORD)header_code);
    IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)((DWORD)header_code+pdh->e_lfanew);
    CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp;
    free2(header_code);

    //Certificate data
    unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size);
    if(!breakpoint_addr)
        breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size);
    if(!breakpoint_addr)
    {
        CT_FatalError("Could not find NextDword...");
        return;
    }
    SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction);

    //Magic
    magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub);
    if(magic_value_addr)
        SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue);

    //Magic MD5=0
    if(magic_value_addr)
    {
        unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
        unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
        if(end_search and md5_move and md5_move>end_search) //Arma with MD5=0 in SymVerify
            CT_cert_data->zero_md5_symverify=true;
    }
    else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed)
        CT_cert_data->zero_md5_symverify=true;

    //Encrypted cert data
    unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size);
    if(push400)
    {
        magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data);
        if(magic_byte)
        {
            magic_byte+=push400;
            unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte);
            if(pushff)
            {
                pushff+=magic_byte;
                tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-magic_byte);
                if(tea_decrypt)
                {
                    tea_decrypt+=pushff;
                    noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt);
                    if(noteax)
                    {
                        noteax+=tea_decrypt;
                        end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax);
                        //end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax);
                        if(end_big_loop)
                        {
                            end_big_loop+=noteax+security_code_base;
                            noteax+=security_code_base;
                            tea_decrypt+=security_code_base;
                            magic_byte+=security_code_base;
                        }
                    }
                }
            }
        }
    }

    if(CT_FindECDSAVerify(security_code, security_code_size))
        CT_cert_data->checksumv8=true;
    if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before)
    {
        //Salt
        salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60
        if(!salt_func_addr)
            salt_func_addr=FindSalt2Pattern(security_code, security_code_size);
        if(salt_func_addr)
        {
            memcpy(salt_code, (void*)(salt_func_addr+security_code), 60);
            salt_func_addr+=(unsigned int)security_code_base;
        }
    }
    free2(security_code);
}