HookDbg

本文最后更新于:1 年前

使用远程进程注入调试硬指令实现调试器功能的简单Demo

一、HookDbg前提条件
1.windows在动态链接库的使用时在各个进程中的虚拟地址是相同的,所以调试器中的kernel32.dll地址可以当做要被注入的进程的地址用。
2.有相关的权限,调试器的权限要能打开目标权限,以及分配内存和写入内存。

二、HookDbg的相关步骤
1.提高当前调试器进程权限
2.获取被调试进程的PID(进程ID)
3.使调试器附加到PID对应的活动进程并且调试它

三、HookDbg代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
#include <windows.h>
#include <iostream>
#include <tchar.h>
#include <TlHelp32.h>
using namespace std;
BOOL SeEnableSeDebugPrivilege(HANDLE ProcessHandle, BOOL IsEnable); //提权
BOOL SeGetProcessIdentify(HANDLE* ProcessIdentify, ULONG_PTR ProcessIdentifyLength, const TCHAR* ImageName, ULONG_PTR ImageNameLength);
LPVOID __WriteFile = NULL;
CREATE_PROCESS_DEBUG_INFO __CreateProcessDebugInfo;;
BYTE  __Int3Code = 0xCC;  //软件断点
BYTE __0riginalCode = 0;

BOOL OnCreateProcessDebugEvent(LPDEBUG_EVENT DebugEvent)
{
	// 获取WriteFile() API的地址
	__WriteFile = GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "WriteFile");
	_tprintf(_T("__WriteFile:%p\n"), __WriteFile);
	// API钩子 WriteFile()
	memcpy(&__CreateProcessDebugInfo, &DebugEvent->u.CreateProcessInfo, sizeof(CREATE_PROCESS_DEBUG_INFO));
	ReadProcessMemory(__CreateProcessDebugInfo.hProcess, __WriteFile,
		&__0riginalCode, sizeof(BYTE), NULL);
	DWORD OldProtect = 0;
	VirtualProtectEx(__CreateProcessDebugInfo.hProcess, __WriteFile, 0x1000, PAGE_EXECUTE_READWRITE, &OldProtect);
	WriteProcessMemory(__CreateProcessDebugInfo.hProcess, __WriteFile,
		&__Int3Code, sizeof(BYTE), NULL);
	VirtualProtectEx(__CreateProcessDebugInfo.hProcess, __WriteFile, 0x1000, OldProtect, &OldProtect);
	return TRUE;
}

BOOL OnExceptionDebugEvent(LPDEBUG_EVENT DebugEvent)
{
	CONTEXT Context;
	PBYTE VirtualAddress = NULL;
	ULONG_PTR Buffer = 0;
	ULONG_PTR NumberOfBytesToWrite;
	int i;
	PEXCEPTION_RECORD ExceptionRecord = &DebugEvent->u.Exception.ExceptionRecord;

	if (EXCEPTION_BREAKPOINT == ExceptionRecord->ExceptionCode)
	{
		if (__WriteFile == ExceptionRecord->ExceptionAddress)
		{
			DWORD OldProtect = 0;
			VirtualProtectEx(__CreateProcessDebugInfo.hProcess, __WriteFile, 0x1000, PAGE_EXECUTE_READWRITE, &OldProtect);
			WriteProcessMemory(__CreateProcessDebugInfo.hProcess, __WriteFile,
				&__0riginalCode, sizeof(BYTE), NULL);
			VirtualProtectEx(__CreateProcessDebugInfo.hProcess, __WriteFile, 0x1000, OldProtect, &OldProtect);
			// 获取线程上下文


			// 获取WriteFile的第2,3个参数

#ifdef _WIN64
			Context.ContextFlags = CONTEXT_ALL;
			GetThreadContext(__CreateProcessDebugInfo.hThread, &Context);
			Buffer = Context.Rdx;
			NumberOfBytesToWrite = Context.R8;
	
#else

			Context.ContextFlags = CONTEXT_CONTROL;
			GetThreadContext(__CreateProcessDebugInfo.hThread, &Context);
			ReadProcessMemory(__CreateProcessDebugInfo.hProcess, (LPCVOID)(Context.Esp + 8),
				&Buffer, sizeof(ULONG_PTR), NULL);
			ReadProcessMemory(__CreateProcessDebugInfo.hProcess, (LPCVOID)(Context.Esp + 0xc),
				&NumberOfBytesToWrite, sizeof(DWORD), NULL);

#endif
		
		

			// 分配临时缓冲区
			VirtualAddress = (PBYTE)malloc(NumberOfBytesToWrite + 1);
			memset(VirtualAddress, 0, NumberOfBytesToWrite + 1);
	
			// 复制WriteFile缓冲区到临时缓冲区
			ReadProcessMemory(__CreateProcessDebugInfo.hProcess, (LPCVOID)Buffer,
				VirtualAddress, NumberOfBytesToWrite, NULL);
			printf("\n Original String:%s\n", VirtualAddress);   //这里是ASCII字符数据
	
			//小写字母转大写字母
			for (i = 0; i < NumberOfBytesToWrite; i++)
			{
				if (0x61 <= VirtualAddress[i] && VirtualAddress[i] <= 0x7A)
				{
					VirtualAddress[i] = VirtualAddress[i] - 0x20;
				}
			}


			WriteProcessMemory(__CreateProcessDebugInfo.hProcess, (LPVOID)Buffer,
				VirtualAddress, NumberOfBytesToWrite, NULL);
	
			free(VirtualAddress);

#ifdef _WIN64
			Context.Rip = (ULONG_PTR)__WriteFile;
#else
			Context.Eip = (ULONG_PTR)__WriteFile;
#endif


			SetThreadContext(__CreateProcessDebugInfo.hThread, &Context);
			ContinueDebugEvent(DebugEvent->dwProcessId, DebugEvent->dwThreadId, DBG_CONTINUE);
			Sleep(0);
	
			VirtualProtectEx(__CreateProcessDebugInfo.hProcess, __WriteFile, 0x1000, PAGE_EXECUTE_READWRITE, &OldProtect);
			WriteProcessMemory(__CreateProcessDebugInfo.hProcess, __WriteFile, &__Int3Code,
				sizeof(BYTE), NULL);
			VirtualProtectEx(__CreateProcessDebugInfo.hProcess, __WriteFile, 0x1000, OldProtect, &OldProtect);
			return TRUE;
		}
	}
	return FALSE;

}

void DebugLoop()
{
	DEBUG_EVENT DebugEvent;
	DWORD ContinueStatus;
	while (WaitForDebugEvent(&DebugEvent, INFINITE))
	{
		ContinueStatus = DBG_CONTINUE;
		// 被调试进程生成或附加
		if (CREATE_PROCESS_DEBUG_EVENT == DebugEvent.dwDebugEventCode)
			OnCreateProcessDebugEvent(&DebugEvent);
		// 异常
		else if (EXCEPTION_DEBUG_EVENT == DebugEvent.dwDebugEventCode)
		{
			if (OnExceptionDebugEvent(&DebugEvent))
				continue;
		}
		// 中止
		else if (EXIT_PROCESS_DEBUG_EVENT == DebugEvent.dwDebugEventCode)
			break;
		ContinueDebugEvent(DebugEvent.dwProcessId, DebugEvent.dwThreadId, ContinueStatus);
	}
}

int main(int argc, char* argv[])
{
	SeEnableSeDebugPrivilege(GetCurrentProcess(), TRUE);
	HANDLE ProcessIdentify;
	TCHAR ImageName[MAX_PATH] = { _T("notepad.exe") };

	SeGetProcessIdentify(&ProcessIdentify, sizeof(HANDLE),
		ImageName, MAX_PATH * sizeof(TCHAR));




	// 使调试器附加到一个活动进程并且调试它
	if (!DebugActiveProcess((DWORD)ProcessIdentify)) //激活调试进程
	{
		
		return 1;
	}
	DebugLoop();
	return 0;

}

BOOL SeEnableSeDebugPrivilege(HANDLE ProcessHandle, BOOL IsEnable)
{
	DWORD  LastError;
	HANDLE TokenHandle = 0;

	if (!OpenProcessToken(ProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle))
	{
		LastError = GetLastError();
		if (TokenHandle)
			CloseHandle(TokenHandle);
		return LastError;
	}
	TOKEN_PRIVILEGES TokenPrivileges;
	memset(&TokenPrivileges, 0, sizeof(TOKEN_PRIVILEGES));
	LUID v1;
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &v1))
	{
		LastError = GetLastError();
		CloseHandle(TokenHandle);
		return LastError;
	}
	TokenPrivileges.PrivilegeCount = 1;
	TokenPrivileges.Privileges[0].Luid = v1;
	if (IsEnable)
		TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
		TokenPrivileges.Privileges[0].Attributes = 0;
	AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
	LastError = GetLastError();
	CloseHandle(TokenHandle);
	return LastError;

}
BOOL SeGetProcessIdentify(HANDLE* ProcessIdentify, ULONG_PTR ProcessIdentifyLength, const TCHAR* ImageName, ULONG_PTR ImageNameLength)
{
	BOOL IsOk = FALSE;
	HANDLE SnapshotHandle = INVALID_HANDLE_VALUE;
	PROCESSENTRY32 ProcessEntry32;
	ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);
	int LastError = 0;
	if (IsBadWritePtr(ProcessIdentify, ProcessIdentifyLength) ||
		IsBadReadPtr(ImageName, ImageNameLength))
	{

		LastError = ERROR_INVALID_PARAMETER;
		goto Exit;
	}
	SnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (SnapshotHandle == INVALID_HANDLE_VALUE)
	{
		LastError = GetLastError();
		return FALSE;
	}
	
	if (!Process32First(SnapshotHandle, &ProcessEntry32))
	{
	
		LastError = GetLastError();
		goto Exit;
	}
	
	do
	{
	
		if (_tcsicmp(ProcessEntry32.szExeFile, ImageName) == 0)
		{
			*ProcessIdentify = (HANDLE)ProcessEntry32.th32ProcessID;
			IsOk = TRUE;
			goto Exit;
		}
	
	} while (Process32Next(SnapshotHandle, &ProcessEntry32));



	LastError = ERROR_MOD_NOT_FOUND;

Exit:

	if (SnapshotHandle != INVALID_HANDLE_VALUE)
	{
		CloseHandle(SnapshotHandle);
	}
	SnapshotHandle = INVALID_HANDLE_VALUE;
	SetLastError(LastError);
	return IsOk;

}
HOOK
#调试器 #注入 #提权
HookDbg
https://wlpswmt.github.io/2023/01/29/HookDbg/
作者
Sivan Zhang
发布于
2023年1月29日
许可协议