52ky posted on 2021-4-1 18:40:26

AttachAnyway

AttachAnyway is a PoC OllyDbg plugin that demonstrates how to remove a process's hook on NtContinue, the anti-debugger-attach method devised by Piotr Bania here:
This is not intended to be a universal plugin for all anti-attach methods, just one example of how it can be done. It works by enumerating all processes, searching their virtual memory space for a JMP hook on NtContinue, replacing the jump with the original bytes taken from a non-hooked process, and then calling the OllyDbg Attachtoactiveprocess API.
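As an added example (not the plugin's own code), the hook check and byte restoration described above reduced to their portable core: it operates on byte buffers already read out of a process, so the process enumeration and the cross-process read/write calls are omitted, and the NtContinue address and stub bytes are constructed placeholders rather than real ntdll bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What we learn about the first bytes of an exported function read from a process. */
typedef struct {
    int      hooked;       /* 1 if the entry was overwritten with an E9 JMP rel32 */
    uint32_t target;       /* where that JMP lands (32-bit virtual address) */
    size_t   patched_len;  /* leading bytes that differ from the clean reference */
} hook_report;

/* Decode a 32-bit x86 JMP rel32 (opcode E9) at entry, which lives at virtual address va. */
static int decode_jmp_rel32(const uint8_t *entry, uint32_t va, uint32_t *target) {
    int32_t rel;
    if (entry[0] != 0xE9) return 0;
    memcpy(&rel, entry + 1, sizeof rel);  /* little-endian displacement */
    *target = va + 5 + (uint32_t)rel;     /* relative to the end of the 5-byte JMP */
    return 1;
}

/* Compare live bytes with a clean copy of the same function (the plugin takes it from
 * a process that is not hooked) and flag an inline JMP planted at the entry point. */
hook_report inspect_entry(const uint8_t *live, const uint8_t *clean, size_t len, uint32_t va) {
    hook_report r = {0, 0, 0};
    size_t i;
    for (i = 0; i < len; i++)
        if (live[i] != clean[i]) r.patched_len = i + 1;
    if (r.patched_len >= 5 && decode_jmp_rel32(live, va, &r.target)) r.hooked = 1;
    return r;
}
/* Put the clean bytes back; returns how many bytes changed, so the caller can log it. */
size_t restore_entry(uint8_t *live, const uint8_t *clean, size_t len) {
    size_t i, changed = 0;
    for (i = 0; i < len; i++)
        if (live[i] != clean[i]) { live[i] = clean[i]; changed++; }
    return changed;
}
/* Constructed sample data: a made-up prologue and the same bytes with a hook in front.
 * Real NtContinue bytes and its address depend on the ntdll build; these are placeholders. */
static const uint32_t NTCONTINUE_VA  = 0x77E00000u;
static const uint8_t  CLEAN_STUB[8]  = {0xB8,0x34,0x12,0x00,0x00,0xBA,0x00,0x03};
/* E9 FB 0F 60 88 = JMP rel32 from 0x77E00000 to 0x00401000; the last 3 bytes are untouched. */
static const uint8_t  HOOKED_STUB[8] = {0xE9,0xFB,0x0F,0x60,0x88,0xBA,0x00,0x03};
/* Self-check: restore a copy of the hooked stub; 1 if it then matches the clean one. */
int restore_sample_ok(void) {
    uint8_t buf[8];
    memcpy(buf, HOOKED_STUB, sizeof buf);
    return restore_entry(buf, CLEAN_STUB, sizeof buf) == 5 && memcmp(buf, CLEAN_STUB, 8) == 0;
}
```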


