Comments (11)
Just tested it, and on my side it detects correctly on both x64 and x86; CS version is 4.0.
If you find the backtrace results poor, you can change `StackFarmeEx.AddrPC.Offset` in `CheckThreadAddressIsExcute`. I currently use the RIP register; you can change it to whichever you prefer, for example the RSP register.
from duckmemoryscan.
I'd like to ask about a memory issue: on x64, when calling VirtualAlloc with the memory protection constant set to PAGE_EXECUTE_READWRITE (0x40), the AllocationProtect I read back is PAGE_READWRITE (0x04). This is also why the memory-region detection is ineffective in my tests.
from duckmemoryscan.
Could you provide a sample if possible?
Check whether a rootkit is present.
Normally, if the program is not hooked and no rootkit exists, the attribute mapping in the VAD should be consistent with the PTE.
If what you describe is happening, then the PTE and the VAD do not match; please check for VAD modification.
PTE.execute controls code execution; the VAD is only a mapping of the PTE. However, the API this tool uses queries the VAD rather than the PTE, so the situation you describe, "memory allocated with the execute attribute has no execute attribute", can occur.
from duckmemoryscan.
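The exchange above turns on two different protection values a user-mode scanner can read for one region: the protection recorded when the region was allocated (`AllocationProtect`, the region-level value that comes from the VAD) and the protection of the pages right now (`Protect`). The following is an added example written for this thread, not DuckMemoryScan's own code: it classifies regions the way `VirtualQueryEx` reports them, keeps the executable decision on the current `Protect`, and reports disagreements between the two values instead of trusting `AllocationProtect` alone. The class names, the decision rule, the constructed sample regions and the non-Windows stand-in definitions are all assumptions made here so the classification logic compiles anywhere; only the `scan_process` walk needs a real Windows host.

```c
/* Added example, not DuckMemoryScan's own code: classify memory regions as a
 * user-mode scanner sees them through VirtualQueryEx. AllocationProtect is the
 * protection requested when the region was first allocated (region level);
 * Protect is the current protection of the pages described by this entry. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins (assumed here) so the classification logic compiles off-Windows. */
typedef uint32_t DWORD;
typedef void *PVOID;
typedef struct {
    PVOID  BaseAddress;
    PVOID  AllocationBase;
    DWORD  AllocationProtect;
    size_t RegionSize;
    DWORD  State;
    DWORD  Protect;
    DWORD  Type;
} MEMORY_BASIC_INFORMATION;
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define MEM_COMMIT             0x1000
#define MEM_PRIVATE            0x20000
#endif

typedef enum {
    REGION_IGNORE = 0,   /* not committed private memory, or never executable */
    REGION_EXEC_STABLE,  /* executable now and executable at allocation time */
    REGION_EXEC_CHANGED, /* executable now, allocated non-executable (changed later) */
    REGION_EXEC_LOST     /* allocated executable, pages currently non-executable */
} region_class_t;

static bool is_exec_prot(DWORD p)
{
    /* PAGE_GUARD / PAGE_NOCACHE are OR'ed into Protect, so test execute bits only. */
    return (p & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                 PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

region_class_t classify_region(const MEMORY_BASIC_INFORMATION *mbi)
{
    if (mbi->State != MEM_COMMIT || mbi->Type != MEM_PRIVATE)
        return REGION_IGNORE;   /* image and mapped sections are judged elsewhere */
    bool now  = is_exec_prot(mbi->Protect);
    bool then = is_exec_prot(mbi->AllocationProtect);
    if (now && then) return REGION_EXEC_STABLE;
    if (now)         return REGION_EXEC_CHANGED;
    if (then)        return REGION_EXEC_LOST;
    return REGION_IGNORE;
}

/* Committed private memory, classified from the two protection values only. */
region_class_t classify_private(DWORD alloc_prot, DWORD cur_prot)
{
    MEMORY_BASIC_INFORMATION mbi = {0};
    mbi.State = MEM_COMMIT;
    mbi.Type = MEM_PRIVATE;
    mbi.AllocationProtect = alloc_prot;
    mbi.Protect = cur_prot;
    return classify_region(&mbi);
}

/* Constructed sample regions (not captured from a real process); returns how
 * many of them a scanner should report. */
int count_reportable_samples(void)
{
    DWORD samples[][2] = {
        { PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_READWRITE }, /* plain RWX allocation */
        { PAGE_READWRITE,         PAGE_EXECUTE_READ      }, /* RW, later changed to RX */
        { PAGE_EXECUTE_READWRITE, PAGE_READWRITE         }, /* RWX allocation now reading RW */
        { PAGE_READWRITE,         PAGE_READWRITE         }, /* ordinary heap-like memory */
    };
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (classify_private(samples[i][0], samples[i][1]) != REGION_IGNORE)
            n++;
    return n;   /* 3 of the 4 samples are reportable */
}

#ifdef _WIN32
/* Walk a process with VirtualQueryEx and print every region worth a look.
 * Adjacent pages with identical attributes are merged into one entry, so a
 * region re-protected page by page appears as several entries sharing one
 * AllocationBase. */
int scan_process(HANDLE hProcess)
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    int hits = 0;
    while (VirtualQueryEx(hProcess, addr, &mbi, sizeof mbi) == sizeof mbi) {
        region_class_t c = classify_region(&mbi);
        if (c != REGION_IGNORE) {
            printf("%p base=%p size=%zu alloc=0x%02lx now=0x%02lx class=%d\n",
                   mbi.BaseAddress, mbi.AllocationBase, mbi.RegionSize,
                   (unsigned long)mbi.AllocationProtect,
                   (unsigned long)mbi.Protect, (int)c);
            hits++;
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    return hits;
}

int main(void)
{
    /* Scans the current process; open another with PROCESS_QUERY_INFORMATION to scan it. */
    printf("%d region(s) reported\n", scan_process(GetCurrentProcess()));
    return 0;
}
#endif
```

The practical point for a scanner is that `REGION_EXEC_CHANGED` and `REGION_EXEC_LOST` are the interesting buckets: the first catches memory that only became executable after allocation, and the second is the shape of the report in this thread, where the two values disagree and a check keyed on `AllocationProtect` alone would stay silent.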
```c
#include <windows.h>

unsigned char shellcode[] = "";   // left empty in the post

int main(void)
{
    PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);
    DWORD threadID;
    for (int i = 0; i < sizeof shellcode; i++)
    {
        ((char*)shellcode_exec)[i] = (((char*)shellcode_exec)[i]) ^ '\x37'; // XOR with 0x37 (55)
    }
    HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
    WaitForSingleObject(hThread, INFINITE);
    return 0;
}
```
That is the core code. No rootkit; CS version 4.2.
Compiled with VS2017, Release, x64. My test system is Windows 2012 with no AV.
During testing I found that on x64, when the CS server is shut down the PAGE_EXECUTE_READWRITE attribute is recognized correctly, but when the CS server is running and the beacon checks in, it becomes PAGE_READWRITE.
from duckmemoryscan.
Could you send a complete executable? It's hard to generate one on my side.
from duckmemoryscan.
My test here:
```c
#include <windows.h>
#include <stdlib.h>

unsigned char shellcode[] = "";   // placeholder; the post does not show the payload

int main() {
    PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);
    DWORD threadID;
    HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
    WaitForSingleObject(hThread, INFINITE);
    system("pause");
    return 0;
}
```
still works.
VM: Windows 2012 x64.
I suggest you use an ARK tool such as PCHunter or 火绒剑 (HRSword) to inspect the current memory and scan for a rootkit, because in theory this situation cannot be produced from pure R3 without a rootkit.
from duckmemoryscan.
I think I've roughly found the problem: PCHunter shows the memory state correctly, but DuckMemoryScan did not detect this memory block.
from duckmemoryscan.
Do you have contact details? Would it be convenient to take a look remotely?
from duckmemoryscan.
Thinking about it, did you compile a 32-bit program directly? A 32-bit program cannot walk 64-bit process data.
from duckmemoryscan.
No, what I compiled is 64-bit...
from duckmemoryscan.
If possible, send me your contact details privately; it would be better to resolve this online. Email: [email protected]
from duckmemoryscan.