[2021] Bypassing anti-screenshot: hiding yourself in screenshots
Tags: Game security, C/C++, Assembly

dwmcore.dll is currently used heavily by all the major cheats: it needs neither a driver nor a new window to draw the cheat's graphics. A few small tricks:

Hiding yourself in screenshots -> hook dwmcore.dll CDrawingContext::FillRectangularShapeWithColor. This is the routine that draws the black box; just patch it out (on Win7 it is CWindowNode::RenderBlackImage(CDrawingContext *)).

"Windowless drawing" hook:

```cpp
__int64 __fastcall CD3DDeviceLevel1::PresentSwapChain(CD3DDeviceLevel1 *this, struct CSwapChainBase *, const struct CRegion *, unsigned int, unsigned int, const struct RenderTargetPresentParameters *)
```

CSwapChainBase -> IDXGISwapChain -> ID3D11Device: get hold of the D3D buffer and draw whatever you like (many cheats use pipe communication to control what gets drawn).

Read more | 2021-02-28 | huoji | 0 comments
[2021] Valorant hypervisor detection
Tags: Game security, C/C++, Assembly

rdtsc detection; when it spots a problem it immediately calls KeAccumulateTicks to bluescreen:

```asm
push rbx
sub rsp, 20h
rdtsc
shl rdx, 20h
or rax, rdx
mov [rsp], rax
xor eax, eax
xor ecx, ecx
cpuid
lea r8, [rsp+10h]
mov [r8], eax
mov [r8+4], ebx
mov [r8+8], ecx
mov [r8+0Ch], edx
rdtsc
shl rdx, 20h
or rax, rdx
mov [rsp+8], rax
mov rax, [rsp]
mov rcx, [rsp+8]
sub rcx, rax
mov rax, rcx
add rsp, 20h
pop rbx
```

wrmsr detection:

```asm
push rbp
push rcx
push r9
movzx r9, bp
push r13
movsxd r9, r11d
movsx r9w, bl
xchg r9b, r9b
push r14
movzx r9w, spl
cmovno r9d, r9d
movsx r9d, dx
push rdi
setz r9b
movsx edi, di
push r8
movsx r9, r10w
movzx r9, di
mov ax, ss
pushfq
or dword ptr [rsp], 100h
popfq
and eax, 0FFFFFEFFh
wrmsr
pushfq
mov ss, ax
icebp
rdmsr
pushfq
push r10
and dword ptr [rsp], 0FFFFFEFFh
popfq
push rdx
push rax
push r15
push rsi
mov ecx, 0C0000084h
or dword ptr [rsp], 100h
popfq
syscall
mov r10, rcx
mov ecx, 0C0000084h
pop rax
pop rdx
push r12
push rbx
; wrmsr and syscall
mov rax, r10
xor eax, eax
inc eax
ror r9d, 1
not r9d
rol r9d, 1
xor r9d, 529C0010h
push r10
add r10, rbx
bswap r10w
xor [rsp+210h+var_210], r9d
shld r10, r9, 0B4h
rcl r10, cl
bsf r10, rbp
pop r10
jmp loc_14033A00E
```

Read more | 2021-02-25 | huoji | 0 comments
[2021] Dealing with some common hypervisor detection vectors
Tags: Binary security, Game security, C/C++, Assembly

Goal: let the game run normally inside VMware.

CPUID part: take care of CPUID_HYPERVISOR_VENDOR:

Read more | 2021-02-24 | huoji | 0 comments
[2021] A hypervisor-based HIPS architecture from 0 to 1 (VT part)
Tags: C/C++, Hands-on development, Assembly

A simple (and not entirely accurate) description of a hypervisor: once HV is enabled there is a guest and a host, and certain CPU operations of the guest pass through a structure called the VMCS (one page in size) to be handled by the host before control returns to the guest. If you have used VMware, the host is the computer you are sitting at and the guest is whatever runs inside the virtual machine you started. Since there is very little material on this topic in China, I am keeping a record of it here.

Read more | 2021-02-24 | huoji | 0 comments
[2021] A simple tool for finding fileless backdoors and AV-evading in-memory shellcode
Tags: Tools & software, Binary security, C/C++, Hands-on development, Assembly, Shellcode

# DuckMemoryScan

A simple tool for finding fileless backdoors, written by huoji in one day on 2021-02-24.

A simple tool for finding, among other things, IIS hijacking, fileless trojans and AV-evading shellcode backdoors, written by huoji in one day on 2021-02-24.

!!! This program must be compiled as 64-bit in order to walk the stacks of x64 processes; do not build it as 32-bit !!!

!!! This tool is not a replacement for antivirus software !!!

# Screenshot

(screenshot image not included in this excerpt)

# Feature list

1. HWBP hook detection: detects every suspected stealth hardware-breakpoint hook in all threads
2. In-memory AV-evading shellcode detection (Metasploit and Cobalt Strike are fully detected)
3. Suspicious process detection (mainly aimed at evasive processes, e.g. expired signatures or multiple executable sections)
4. Fileless trojan detection (detects all known memory-loaded trojans)
5. Simple rootkit detection (detects drivers whose certificate is expired, whose file blocks reads, or whose certificate is invalid)
6. Abnormal module detection, which catches most "IIS hijacking" style backdoors (added 2021-02-26)

# How AV-evading trojan detection works

Almost all so-called in-memory AV-evading backdoors allocate their memory with "VirtualAlloc" and then obfuscate the shellcode with assorted XOR schemes or even AES encryption to achieve "evasion". This tool walks the stack of every thread (StackWalkEx) looking for code that executes inside VirtualAlloc'd regions, and that is how it exposes the "evading trojan". There will of course be false positives, most commonly packed programs, which also allocate memory with VirtualAlloc. But the vast majority of ordinary programs never execute code inside a VirtualAlloc region; they execute from the .text section.

# How fileless trojan detection works

Every fileless trojan is a standard PE file mapped into memory, with these main characteristics:

1. The memory region carries an M.Z marker
2. A thread points into NOIMAGE memory

This tool detects every "fileless trojan" through the first characteristic.

# How abnormal module detection works

The tool scans the module list of every signed program and checks whether each module carries a signature; if it does not, a warning is raised. This check produces a fair number of false positives, but it will catch special modules such as IIS hijacks.

# Usage

Compile, run, get the list of findings.

# What to do once a suspected backdoor is found?

Use another tool such as Scylla to dump the memory for further analysis; this tool does not intend to do memory dumping (limited time, no desire to reinvent the wheel).

# How to make stack walking more accurate

At present the tool only walks from RIP/EIP; you can walk from RSP or EBP instead by simply changing StackFrameEx.AddrPC.Offset.

# Follow this project

https://github.com/huoji120/DuckMemoryScan

Read more | 2021-02-24 | huoji | 0 comments
[2021] An antivirus virtual machine and program sandbox based on Unicorn Engine
Tags: Tools & software, Binary security, C/C++, Hands-on development, Assembly

Image: (not included in this excerpt)

Details on FreeBuf: https://www.freebuf.com/geek/264093.html

Source code: https://github.com/huoji120/Heuristic_antivirus_engine_by_huoji

Read more | 2021-02-23 | huoji | 0 comments
[2021] CPUID compendium
Tags: Binary security, C/C++, Assembly

For tracking down some mysterious instructions.

```cpp
#ifndef __CPUID_H
#define __CPUID_H

#if !(__x86_64__ || __i386__)
#error this header is for x86 only
#endif

/* Responses identification request with %eax 0 */
/* AMD: "AuthenticAMD" */
#define signature_AMD_ebx 0x68747541
#define signature_AMD_edx 0x69746e65
#define signature_AMD_ecx 0x444d4163
/* CENTAUR: "CentaurHauls" */
#define signature_CENTAUR_ebx 0x746e6543
#define signature_CENTAUR_edx 0x48727561
#define signature_CENTAUR_ecx 0x736c7561
/* CYRIX: "CyrixInstead" */
#define signature_CYRIX_ebx 0x69727943
#define signature_CYRIX_edx 0x736e4978
#define signature_CYRIX_ecx 0x64616574
/* HYGON: "HygonGenuine" */
#define signature_HYGON_ebx 0x6f677948
#define signature_HYGON_edx 0x6e65476e
#define signature_HYGON_ecx 0x656e6975
/* INTEL: "GenuineIntel" */
#define signature_INTEL_ebx 0x756e6547
#define signature_INTEL_edx 0x49656e69
#define signature_INTEL_ecx 0x6c65746e
/* TM1: "TransmetaCPU" */
#define signature_TM1_ebx 0x6e617254
#define signature_TM1_edx 0x74656d73
#define signature_TM1_ecx 0x55504361
/* TM2: "GenuineTMx86" */
#define signature_TM2_ebx 0x756e6547
#define signature_TM2_edx 0x54656e69
#define signature_TM2_ecx 0x3638784d
/* NSC: "Geode by NSC" */
#define signature_NSC_ebx 0x646f6547
#define signature_NSC_edx 0x79622065
#define signature_NSC_ecx 0x43534e20
/* NEXGEN: "NexGenDriven" */
#define signature_NEXGEN_ebx 0x4778654e
#define signature_NEXGEN_edx 0x72446e65
#define signature_NEXGEN_ecx 0x6e657669
/* RISE: "RiseRiseRise" */
#define signature_RISE_ebx 0x65736952
#define signature_RISE_edx 0x65736952
#define signature_RISE_ecx 0x65736952
/* SIS: "SiS SiS SiS " */
#define signature_SIS_ebx 0x20536953
#define signature_SIS_edx 0x20536953
#define signature_SIS_ecx 0x20536953
/* UMC: "UMC UMC UMC " */
#define signature_UMC_ebx 0x20434d55
#define signature_UMC_edx 0x20434d55
#define signature_UMC_ecx 0x20434d55
/* VIA: "VIA VIA VIA " */
#define signature_VIA_ebx 0x20414956
#define signature_VIA_edx 0x20414956
#define signature_VIA_ecx 0x20414956
/* VORTEX: "Vortex86 SoC" */
#define signature_VORTEX_ebx 0x74726f56
#define signature_VORTEX_edx 0x36387865
#define signature_VORTEX_ecx 0x436f5320

/* Features in %ecx for leaf 1 */
#define bit_SSE3 0x00000001
#define bit_PCLMULQDQ 0x00000002
#define bit_PCLMUL bit_PCLMULQDQ /* for gcc compat */
#define bit_DTES64 0x00000004
#define bit_MONITOR 0x00000008
#define bit_DSCPL 0x00000010
#define bit_VMX 0x00000020
#define bit_SMX 0x00000040
#define bit_EIST 0x00000080
#define bit_TM2 0x00000100
#define bit_SSSE3 0x00000200
#define bit_CNXTID 0x00000400
#define bit_FMA 0x00001000
#define bit_CMPXCHG16B 0x00002000
#define bit_xTPR 0x00004000
#define bit_PDCM 0x00008000
#define bit_PCID 0x00020000
#define bit_DCA 0x00040000
#define bit_SSE41 0x00080000
#define bit_SSE4_1 bit_SSE41 /* for gcc compat */
#define bit_SSE42 0x00100000
#define bit_SSE4_2 bit_SSE42 /* for gcc compat */
#define bit_x2APIC 0x00200000
#define bit_MOVBE 0x00400000
#define bit_POPCNT 0x00800000
#define bit_TSCDeadline 0x01000000
#define bit_AESNI 0x02000000
#define bit_AES bit_AESNI /* for gcc compat */
#define bit_XSAVE 0x04000000
#define bit_OSXSAVE 0x08000000
#define bit_AVX 0x10000000
#define bit_F16C 0x20000000
#define bit_RDRND 0x40000000

/* Features in %edx for leaf 1 */
#define bit_FPU 0x00000001
#define bit_VME 0x00000002
#define bit_DE 0x00000004
#define bit_PSE 0x00000008
#define bit_TSC 0x00000010
#define bit_MSR 0x00000020
#define bit_PAE 0x00000040
#define bit_MCE 0x00000080
#define bit_CX8 0x00000100
#define bit_CMPXCHG8B bit_CX8 /* for gcc compat */
#define bit_APIC 0x00000200
#define bit_SEP 0x00000800
#define bit_MTRR 0x00001000
#define bit_PGE 0x00002000
#define bit_MCA 0x00004000
#define bit_CMOV 0x00008000
#define bit_PAT 0x00010000
#define bit_PSE36 0x00020000
#define bit_PSN 0x00040000
#define bit_CLFSH 0x00080000
#define bit_DS 0x00200000
#define bit_ACPI 0x00400000
#define bit_MMX 0x00800000
#define bit_FXSR 0x01000000
#define bit_FXSAVE bit_FXSR /* for gcc compat */
#define bit_SSE 0x02000000
#define bit_SSE2 0x04000000
#define bit_SS 0x08000000
#define bit_HTT 0x10000000
#define bit_TM 0x20000000
#define bit_PBE 0x80000000

/* Features in %ebx for leaf 7 sub-leaf 0 */
#define bit_FSGSBASE 0x00000001
#define bit_SGX 0x00000004
#define bit_BMI 0x00000008
#define bit_HLE 0x00000010
#define bit_AVX2 0x00000020
#define bit_SMEP 0x00000080
#define bit_BMI2 0x00000100
#define bit_ENH_MOVSB 0x00000200
#define bit_INVPCID 0x00000400
#define bit_RTM 0x00000800
#define bit_MPX 0x00004000
#define bit_AVX512F 0x00010000
#define bit_AVX512DQ 0x00020000
#define bit_RDSEED 0x00040000
#define bit_ADX 0x00080000
#define bit_AVX512IFMA 0x00200000
#define bit_CLFLUSHOPT 0x00800000
#define bit_CLWB 0x01000000
#define bit_AVX512PF 0x04000000
#define bit_AVX512ER 0x08000000
#define bit_AVX512CD 0x10000000
#define bit_SHA 0x20000000
#define bit_AVX512BW 0x40000000
#define bit_AVX512VL 0x80000000

/* Features in %ecx for leaf 7 sub-leaf 0 */
#define bit_PREFTCHWT1 0x00000001
#define bit_AVX512VBMI 0x00000002
#define bit_PKU 0x00000004
#define bit_OSPKE 0x00000010
#define bit_WAITPKG 0x00000020
#define bit_AVX512VBMI2 0x00000040
#define bit_SHSTK 0x00000080
#define bit_GFNI 0x00000100
#define bit_VAES 0x00000200
#define bit_VPCLMULQDQ 0x00000400
#define bit_AVX512VNNI 0x00000800
#define bit_AVX512BITALG 0x00001000
#define bit_AVX512VPOPCNTDQ 0x00004000
#define bit_RDPID 0x00400000
#define bit_CLDEMOTE 0x02000000
#define bit_MOVDIRI 0x08000000
#define bit_MOVDIR64B 0x10000000
#define bit_ENQCMD 0x20000000

/* Features in %edx for leaf 7 sub-leaf 0 */
#define bit_AVX5124VNNIW 0x00000004
#define bit_AVX5124FMAPS 0x00000008
#define bit_UINTR 0x00000020
#define bit_SERIALIZE 0x00004000
#define bit_TSXLDTRK 0x00010000
#define bit_PCONFIG 0x00040000
#define bit_IBT 0x00100000
#define bit_AMXBF16 0x00400000
#define bit_AMXTILE 0x01000000
#define bit_AMXINT8 0x02000000

/* Features in %eax for leaf 7 sub-leaf 1 */
#define bit_AVXVNNI 0x00000008
#define bit_AVX512BF16 0x00000020
#define bit_HRESET 0x00400000

/* Features in %eax for leaf 13 sub-leaf 1 */
#define bit_XSAVEOPT 0x00000001
#define bit_XSAVEC 0x00000002
#define bit_XSAVES 0x00000008

/* Features in %eax for leaf 0x14 sub-leaf 0 */
#define bit_PTWRITE 0x00000010

/* Features in %ecx for leaf 0x80000001 */
#define bit_LAHF_LM 0x00000001
#define bit_ABM 0x00000020
#define bit_LZCNT bit_ABM /* for gcc compat */
#define bit_SSE4a 0x00000040
#define bit_PRFCHW 0x00000100
#define bit_XOP 0x00000800
#define bit_LWP 0x00008000
#define bit_FMA4 0x00010000
#define bit_TBM 0x00200000
#define bit_MWAITX 0x20000000

/* Features in %edx for leaf 0x80000001 */
#define bit_MMXEXT 0x00400000
#define bit_LM 0x20000000
#define bit_3DNOWP 0x40000000
#define bit_3DNOW 0x80000000

/* Features in %ebx for leaf 0x80000008 */
#define bit_CLZERO 0x00000001
#define bit_WBNOINVD 0x00000200

#endif /* __CPUID_H */
```

Read more | 2021-02-20 | huoji | 0 comments