Hooking with LyScript to Hide the Debugger: A Detailed Walkthrough

Contents
  • Patch_PEB
  • Patch_IsDebuggerPresent
  • Patch_CheckRemoteDebuggerPresent
  • Patch_GetTickCount
  • Patch_ZwQueryInformationProcess
  • Patch_FindWindow
  • Patch_EnumWindows

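The built-in API functions of the LyScript plugin make it possible to bypass many kinds of anti-debugging protection. The article published a while ago did not explain the bypasses for the individual anti-debugging mechanisms in detail; this one fills that gap, using LyScript to get around most common debugger checks so that the debugger stays hidden.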

We patch the following functions and fields in turn:

  • IsDebuggerPresent
  • ZwQueryInformationProcess
  • CheckRemoteDebuggerPresent
  • PEB.IsDebugged
  • PEB.ProcessHeap.Flag
  • PEB.NtGlobalFlag
  • PEB.Ldr 0xFEEEFEEE filling
  • GetTickCount
  • ZwQuerySystemInformation
  • FindWindowA
  • FindWindowW
  • FindWindowExA
  • FindWindowExW
  • EnumWindows

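The first step is to wrap our own helper that turns assembly into machine code: when the caller passes in a list of assembly instructions, it converts them to machine code and returns the bytes as a list.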

from LyScript32 import MyDebug

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

if __name__ == "__main__":
    dbg = MyDebug()

    connect = dbg.connect()

    ShellCode = GetOpCode(dbg, ["DB 0x64","mov eax,dword ptr ds:[18]","sub eax,eax","ret"])

    print(ShellCode)

    dbg.close()


Patch_PEB

The PEB structure holds several fields used for anti-debugging checks; first we clear them to zero.

# ----------------------------------------------
# By: LyShark
# Email: me@lyshark.com
# Project: https://github.com/lyshark/LyScript
# ----------------------------------------------

from LyScript32 import MyDebug

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

def Patch_PEB(dbg):
    PEB = dbg.get_peb_address(dbg.get_process_id())
    if PEB == 0:
        return 0

    # Write 0: patch PEB.IsDebugged
    dbg.write_memory_byte(PEB + 0x2,GetOpCode(dbg,["db 0"])[0])
    print("补丁地址: {}".format(hex(PEB+0x2)))

    # Write 0: patch PEB.ProcessHeap.Flag
    temp = dbg.read_memory_dword(PEB + 0x18)
    temp += 0x10
    dbg.write_memory_dword(temp, GetOpCode(dbg,["db 0"])[0])
    print(("补丁地址: {}".format(hex(temp))))

    # Write 0: patch PEB.NtGlobalFlag
    dbg.write_memory_dword(PEB+0x68, 0)
    print(("补丁地址: {}".format(hex(PEB+0x68))))

    # Loop: patch the 0xFEEEFEEE fill bytes in PEB_LDR_DATA (about 3000 of them)
    addr = dbg.read_memory_dword(PEB + 0x0c)

    while addr != 0:
        addr += 1

        try:
            b = dbg.read_memory_dword(addr)
            c = dbg.read_memory_dword(addr + 4)

            # Only patch runs of fill bytes
            print(b)
            if (b == 0xFEEEFEEE) and (c == 0xFEEEFEEE):
                dbg.write_memory_dword(addr,0)
                dbg.write_memory_dword(addr + 4, 0)
                print("patch")
        except Exception:
            break

if __name__ == "__main__":
    dbg = MyDebug()

    connect = dbg.connect()

    Patch_PEB(dbg)

    dbg.close()
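
The read side of the same fields, as an added example that is not part of the original article or the LyScript project: it inspects a captured memory snapshot and reports which of the indicators cleared by Patch_PEB are set. The offsets are the ones used in the script above (32-bit process); the addresses and field values in the sample snapshot are constructed.

```python
import struct

# Offsets exactly as used by Patch_PEB above (32-bit process).
OFF_BEING_DEBUGGED = 0x02   # byte:  PEB.IsDebugged
OFF_LDR            = 0x0C   # dword: pointer to PEB_LDR_DATA
OFF_PROCESS_HEAP   = 0x18   # dword: pointer to the default heap
OFF_NT_GLOBAL_FLAG = 0x68   # dword: PEB.NtGlobalFlag
OFF_HEAP_FLAG      = 0x10   # dword in the heap header (offset from the script)
HEAP_CHECK_BITS    = 0x70   # tail check | free check | validate parameters
FILL_PAIR = struct.pack("<II", 0xFEEEFEEE, 0xFEEEFEEE)


class Snapshot:
    """Read-only view over captured memory regions: {base_address: bytes}."""

    def __init__(self, regions):
        self.regions = regions

    def tail(self, addr):
        """Bytes from addr to the end of the region that contains it."""
        for base, data in self.regions.items():
            if base <= addr < base + len(data):
                return data[addr - base:]
        raise ValueError("address {:#x} is not in the snapshot".format(addr))

    def read(self, addr, size):
        data = self.tail(addr)[:size]
        if len(data) < size:
            raise ValueError("read past end of region at {:#x}".format(addr))
        return data

    def u8(self, addr):
        return self.read(addr, 1)[0]

    def u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]


def debugger_indicators(snap, peb):
    """Return the names of the PEB-based indicators that are set."""
    found = []
    if snap.u8(peb + OFF_BEING_DEBUGGED):
        found.append("PEB.IsDebugged")
    if snap.u32(peb + OFF_NT_GLOBAL_FLAG) & HEAP_CHECK_BITS:
        found.append("PEB.NtGlobalFlag")
    heap = snap.u32(peb + OFF_PROCESS_HEAP)
    if snap.u32(heap + OFF_HEAP_FLAG):
        found.append("PEB.ProcessHeap.Flag")
    if FILL_PAIR in snap.tail(snap.u32(peb + OFF_LDR)):
        found.append("PEB.Ldr 0xFEEEFEEE filling")
    return found


def build_snapshot(debugged):
    """Constructed sample data: addresses and values are made up."""
    PEB, HEAP, LDR = 0x7FFDE000, 0x00150000, 0x00251E90
    peb = bytearray(0x70)
    peb[OFF_BEING_DEBUGGED] = 1 if debugged else 0
    struct.pack_into("<I", peb, OFF_LDR, LDR)
    struct.pack_into("<I", peb, OFF_PROCESS_HEAP, HEAP)
    struct.pack_into("<I", peb, OFF_NT_GLOBAL_FLAG, 0x70 if debugged else 0)
    heap = bytearray(0x20)
    struct.pack_into("<I", heap, OFF_HEAP_FLAG, 0x40000060 if debugged else 0)
    ldr = bytes(0x30) + (FILL_PAIR * 4 if debugged else bytes(0x20))
    return Snapshot({PEB: bytes(peb), HEAP: bytes(heap), LDR: ldr}), PEB


if __name__ == "__main__":
    for state in (True, False):
        snap, peb = build_snapshot(state)
        print(state, debugger_indicators(snap, peb))
```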

Patch_IsDebuggerPresent

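This function checks whether the calling process is being debugged; the C code below shows how it is used. Bypassing it is simple: write a ret instruction at the start of the function.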

#include <Windows.h>
#include <tchar.h>
#include <stdio.h>

int _tmain(int argc, _TCHAR* argv[])
{
	BOOL ref = IsDebuggerPresent();
	printf("是否被调试: %d \n", ref);

	getchar();
	return 0;
}

Note: this API checks a value in the PEB, so if the PEB has been patched there is no need to patch the API. The bypass code is as follows.

from LyScript32 import MyDebug

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

def Patch_IsDebuggerPresent(dbg):
    # Get the address of the exported function
    ispresent = dbg.get_module_from_function("kernel32.dll","IsDebuggerPresent")
    print(hex(ispresent))

    if(ispresent <= 0):
        print("无法得到模块基地址,请以管理员方式运行调试器.")
        return 0

    # Assemble the replacement stub into machine code
    ShellCode = GetOpCode(dbg, ["DB 0x64", "mov eax,dword ptr ds:[18]", "sub eax,eax", "ret"])
    print(ShellCode)

    flag = 0
    for index in range(0,len(ShellCode)):
        flag = dbg.write_memory_byte(ispresent + index,ShellCode[index])
        if flag:
            flag = 1
        else:
            flag = 0
    return flag

if __name__ == "__main__":
    dbg = MyDebug()

    connect = dbg.connect()

    ref = Patch_IsDebuggerPresent(dbg)
    print("补丁状态: {}".format(ref))

    dbg.close()

When the script runs, it writes a stub that returns immediately over the start of IsDebuggerPresent, which bypasses the debugger check.

Patch_CheckRemoteDebuggerPresent

This API calls ZwQueryInformationProcess, so it is usually unnecessary to patch both of them.

from LyScript32 import MyDebug

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

def Patch_CheckRemoteDebuggerPresent(dbg):
    # Get the address of the exported function
    ispresent = dbg.get_module_from_function("kernel32.dll","CheckRemoteDebuggerPresent")
    print(hex(ispresent))

    # Assemble the replacement stub into machine code
    ShellCode = GetOpCode(dbg,
                          [
                              "mov edi,edi",
                              "push ebp",
                              "mov ebp,esp",
                              "mov eax,[ebp+0xc]",
                              "push 0",
                              "pop dword ptr ds:[eax]",
                              "xor eax,eax",
                              "pop ebp",
                              "ret 8"
                          ]
                          )

    print(ShellCode)

    flag = 0
    for index in range(0,len(ShellCode)):
        flag = dbg.write_memory_byte(ispresent + index,ShellCode[index])
        if flag:
            flag = 1
        else:
            flag = 0
    return flag

if __name__ == "__main__":
    dbg = MyDebug()

    connect = dbg.connect()

    ref = Patch_CheckRemoteDebuggerPresent(dbg)
    print("写出状态: {}".format(ref))

    dbg.close()


Patch_GetTickCount

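GetTickCount retrieves the number of milliseconds that have elapsed since the operating system started and is commonly used for timing; to bypass it, it is enough to initialize the return value.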

from LyScript32 import MyDebug

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

def Patch_GetTickCount(dbg):
    # Get the address of the exported function
    ispresent = dbg.get_module_from_function("kernel32.dll","GetTickCount")
    print(hex(ispresent))

    # Assemble the replacement stub into machine code
    ShellCode = GetOpCode(dbg,
                          [
                              "mov edx,0x7ffe0000",
                              "sub eax,eax",
                              "add eax,0xB0B1560D",
                              "ret"
                          ]
                          )

    print(ShellCode)

    flag = 0
    for index in range(0,len(ShellCode)):
        flag = dbg.write_memory_byte(ispresent + index,ShellCode[index])
        if flag:
            flag = 1
        else:
            flag = 0
    return flag

if __name__ == "__main__":
    dbg = MyDebug()

    connect = dbg.connect()

    ref = Patch_GetTickCount(dbg)
    print("写出状态: {}".format(ref))

    dbg.close()


Patch_ZwQueryInformationProcess

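Patching this function takes two jumps: there is no room at the start of the function for more instructions, so we have to allocate our own memory and jump to it.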

# ----------------------------------------------
# By: LyShark
# Email: me@lyshark.com
# Project: https://github.com/lyshark/LyScript
# ----------------------------------------------

from LyScript32 import MyDebug

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

# Total byte length of the first `index` instructions at the given address
def GetOpCodeSize(dbg,address,index):
    ref_size = 0

    dasm = dbg.get_disasm_code(address,index)
    for index in dasm:
        count = dbg.assemble_code_size(index.get("opcode"))
        ref_size += count
    return ref_size

def Patch_ZwQueryInformationProcess(dbg):
    # Get the address of the exported function
    ispresent = dbg.get_module_from_function("ntdll.dll","ZwQueryInformationProcess")
    print(hex(ispresent))

    create_address = dbg.create_alloc(1024)
    print("分配空间: {}".format(hex(create_address)))

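    # Assemble the stub: for information class 7 it stores 0 in the output buffer
    # and returns 0; any other class is sent back to the original entry address.
    # Note that the entry itself is overwritten with the jump further down.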
    ShellCode = GetOpCode(dbg,
                          [
                              "cmp dword [esp + 8],7",
                              "DB 0x74",
                              "DB 0x06",
                              f"push {hex(ispresent)}",
                              "ret",
                              "mov eax,dword [esp +0x0c]",
                              "push 0",
                              "pop dword [eax]",
                              "xor eax,eax",
                              "ret 14"
                          ]
                          )

    print(ShellCode)

    # Write the shellcode into the memory block we allocated
    flag = 0
    for index in range(0,len(ShellCode)):
        flag = dbg.write_memory_byte(create_address + index,ShellCode[index])
        if flag:
            flag = 1
        else:
            flag = 0

    # Write the jump at the hook location
    jmp_shellcode = GetOpCode(dbg,
                              [
                                  f"push {hex(create_address)}",
                                  "ret"
                              ]
                              )
    for index in range(0,len(jmp_shellcode)):
        flag = dbg.write_memory_byte(ispresent + index,jmp_shellcode[index])
        if flag:
            flag = 1
        else:
            flag = 0

    return flag

if __name__ == "__main__":
    dbg = MyDebug()

    connect = dbg.connect()

    ref = Patch_ZwQueryInformationProcess(dbg)

    print("补丁状态: {}".format(ref))

    dbg.close()

When this code runs, it first allocates memory and then writes the assembled machine code into that memory.

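Once the memory has been written, the start of the function is replaced with a jump, so any call to the function is redirected automatically.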

Patch_FindWindow

FindWindow retrieves a window handle and comes in A/W and Ex variants; the same replacement approach as above applies.

# ----------------------------------------------
# By: LyShark
# Email: me@lyshark.com
# Project: https://github.com/lyshark/LyScript
# ----------------------------------------------

from LyScript32 import MyDebug
import ctypes

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

def Patch_FindWindow(dbg):
    # Get the addresses of the exported functions
    FindWindowA = dbg.get_module_from_function("user32.dll","FindWindowA")
    FindWindowW = dbg.get_module_from_function("user32.dll","FindWindowW")
    FindWindowExA = dbg.get_module_from_function("user32.dll","FindWindowExA")
    FindWindowExW = dbg.get_module_from_function("user32.dll","FindWindowExW")
    print("A = {} w = {} exA = {} exW = {}".format(hex(FindWindowA),hex(FindWindowW),hex(FindWindowExA),hex(FindWindowExW)))

    # Assemble the replacement stubs into machine code
    ShellCode = GetOpCode(dbg,
                          [
                              "xor eax,eax",
                              "ret 0x8",
                          ]
                          )

    ShellCodeEx = GetOpCode(dbg,
                            [
                                "xor eax,eax",
                                "ret 0x10",
                            ]
                            )
    # Write the stubs
    flag = 0
    for index in range(0,len(ShellCode)):
        flag = dbg.write_memory_byte(FindWindowA + index,ShellCode[index])
        flag = dbg.write_memory_byte(FindWindowW + index,ShellCode[index])
        if flag:
            flag = 1
        else:
            flag = 0

    for index in range(0,len(ShellCodeEx)):
        flag = dbg.write_memory_byte(FindWindowExA + index,ShellCodeEx[index])
        flag = dbg.write_memory_byte(FindWindowExW + index,ShellCodeEx[index])
        if flag:
            flag = 1
        else:
            flag = 0

    return flag

if __name__ == "__main__":
    dbg = MyDebug()

    connect = dbg.connect()

    ref = Patch_FindWindow(dbg)
    print("补丁状态: {}".format(ref))

    dbg.close()

Applying the patch replaces all four functions.
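
A defender-side view of the export patches above (IsDebuggerPresent through FindWindow), as an added example that is not part of the original article or the LyScript project: it compares the first bytes of an export in memory with the on-disk copy and names the stub shape that was written. The byte strings and addresses are constructed and hand-assembled, and the `jmp rel32` case goes beyond what the article's scripts use.

```python
import struct

ZERO_EAX = (b"\x31\xc0", b"\x33\xc0", b"\x29\xc0", b"\x2b\xc0")  # xor/sub eax,eax


def match_stub(code, va):
    """Recognise the short stub shapes written by the patch scripts."""
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        # push imm32 ; ret  -> control transfer to imm32
        target = struct.unpack_from("<I", code, 1)[0]
        return {"kind": "push_ret_redirect", "target": target}
    if len(code) >= 5 and code[0] == 0xE9:
        # jmp rel32 (not used in the article, common in other hooks)
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp_redirect", "target": (va + 5 + rel) & 0xFFFFFFFF}
    if code[:2] in ZERO_EAX:
        if code[2:3] == b"\xc3":                      # ret
            return {"kind": "return_zero", "stack_cleanup": 0}
        if code[2:3] == b"\xc2" and len(code) >= 5:   # ret imm16
            return {"kind": "return_zero",
                    "stack_cleanup": struct.unpack_from("<H", code, 3)[0]}
    return None


def check_export(name, va, mem, disk):
    """Compare in-memory bytes with the on-disk image, then classify."""
    n = min(len(mem), len(disk))
    diff = [i for i in range(n) if mem[i] != disk[i]]
    if not diff:
        return {"name": name, "kind": "unmodified"}
    result = match_stub(mem, va) or {"kind": "modified"}
    result.update(name=name, first_diff=diff[0], changed=len(diff))
    return result


# Constructed sample data: hand-assembled bytes, not dumps of real DLLs.
USER32_LIKE = bytes.fromhex("8bff558bec5151538b5d0c56578b7d08ff75")
NTDLL_LIKE = bytes.fromhex("b816000000ba0003fe7fff12c21400")
SAMPLES = [
    ("EnumWindows", 0x75A04000, USER32_LIKE, USER32_LIKE),
    ("FindWindowA", 0x75A01000,
     bytes.fromhex("33c0c20800") + USER32_LIKE[5:], USER32_LIKE),
    ("ZwQueryInformationProcess", 0x77001000,
     bytes.fromhex("680000a302c3") + NTDLL_LIKE[6:], NTDLL_LIKE),
    ("CheckRemoteDebuggerPresent", 0x75B02000,
     bytes.fromhex("8bff558bec8b450c6a008f0033c05dc20800"), USER32_LIKE),
]


def scan(samples=SAMPLES):
    """Return {export name: classification} for every sample."""
    return {name: check_export(name, va, mem, disk)
            for name, va, mem, disk in samples}


if __name__ == "__main__":
    for name, result in scan().items():
        print(name, result)
```

The CheckRemoteDebuggerPresent stub keeps the usual `mov edi,edi / push ebp / mov ebp,esp` prologue, so only the byte comparison catches it, not a pattern match on the first instructions. A comparison against real modules also has to account for relocations applied at load time.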

Patch_EnumWindows

The patch for window enumeration follows the same pattern as the code above, so it is not analysed again here.

The following example pops up a message box during window enumeration without affecting the enumeration itself.

from LyScript32 import MyDebug

# Given one assembly instruction, return its machine code
def get_opcode_from_assemble(dbg_ptr,asm):
    byte_code = bytearray()

    addr = dbg_ptr.create_alloc(1024)
    if addr != 0:
        asm_size = dbg_ptr.assemble_code_size(asm)
        # print("Assembly size in bytes: {}".format(asm_size))

        write = dbg_ptr.assemble_write_memory(addr,asm)
        if write == True:
            for index in range(0,asm_size):
                read = dbg_ptr.read_memory_byte(addr + index)
                # print("{:02x} ".format(read),end="")
                byte_code.append(read)
        dbg_ptr.delete_alloc(addr)
        return byte_code
    else:
        return bytearray(0)

# Given a list of assembly instructions, return the machine code as a list of bytes
def GetOpCode(dbg, Code):
    ShellCode = []

    for index in Code:
        ref = get_opcode_from_assemble(dbg,index)
        for opcode in ref:
            ShellCode.append(opcode)

    return ShellCode

# Total byte length of the first `index` instructions at the given address
def GetOpCodeSize(dbg,address,index):
    ref_size = 0

    dasm = dbg.get_disasm_code(address,index)
    for index in dasm:
        count = dbg.assemble_code_size(index.get("opcode"))
        ref_size += count
    return ref_size

def Patch_EnumWindows(dbg):
    # Get the addresses of the exported functions
    address = dbg.get_module_from_function("user32.dll","EnumWindows")
    print(hex(address))

    msg_box = dbg.get_module_from_function("user32.dll","MessageBoxA")
    print(hex(msg_box))

    create_address = dbg.create_alloc(1024)
    print("分配空间: {}".format(hex(create_address)))

    # Look for a call instruction and record its memory address
    dasm_list = dbg.get_disasm_code(address,20)
    call_addr = 0
    call_next_addr = 0
    for index in range(0,len(dasm_list)):

        # If a call is found, take its address and the address of the next instruction
        if dasm_list[index].get("opcode").split(" ")[0] == "call":
            call_addr = dasm_list[index].get("addr")
            call_next_addr = dasm_list[index+1].get("addr")
            print("call = {} call_next = {}".format(hex(call_addr),hex(call_next_addr)))

    # Assemble the replacement stub into machine code
    ShellCode = GetOpCode(dbg,
                          [
                              "push 0",
                              "push 0",
                              "push 0",
                              "push 0",
                              f"call {hex(msg_box)}",
                              "mov eax,1",
                              "pop ebp",
                              "ret 10",

                              f"call {hex(call_addr)}",
                              "pop ebp",
                              "ret 8"
                          ]
                          )

    print(ShellCode)

    # Write the shellcode into the memory block we allocated
    flag = 0
    for index in range(0,len(ShellCode)):
        flag = dbg.write_memory_byte(create_address + index,ShellCode[index])
        if flag:
            flag = 1
        else:
            flag = 0

    # Write the jump at the hook location
    jmp_shellcode = GetOpCode(dbg,
                              [
                                  f"push {hex(create_address)}",
                                  "ret"
                              ]
                              )
    for index in range(0,len(jmp_shellcode)):
        flag = dbg.write_memory_byte(call_addr + index,jmp_shellcode[index])
        if flag:
            flag = 1
        else:
            flag = 0

    return flag

if __name__ == "__main__":
    dbg = MyDebug()
    connect = dbg.connect()

    ref = Patch_EnumWindows(dbg)

    dbg.close()
