Comments (11)
huoji120
commented on September 15, 2024
刚刚测试了,我这边可以正常检测到: x64框架和X86框架 CS版本是4.0
如果你觉得回溯效果不好的,可以改CheckThreadAddressIsExcute的StackFarmeEx.AddrPC.Offset,我目前用的是RIP寄存器,你可以自己改为你喜欢的,比如RSP寄存器
from duckmemoryscan.
ck00004
commented on September 15, 2024
想请教大佬一个内存的问题 x64下VirtualAlloc申请内存的时候设置Memory Protection Constants为PAGE_EXECUTE_READWRITE(0x40),但是AllocationProtect获取到的却是PAGE_READWRITE(0x04)这也是我这边测试检测内存区域无效的原因
from duckmemoryscan.
huoji120
commented on September 15, 2024
如果可以的能提供一个样本吗?
检查是否有rootkit
正常情况下,如果程序没有被hook or 有rootkit存在的话,VAD的属性映射应该与PTE里面是一致的
如果出现你所说的情况,那么应该是PTE与VAD不符合,
请检查是否有vad modify的情况.
PTE.exucte控制着代码执行,VAD只是PTE的一个映射,然而这个工具用的API会查询VAD而不是PTE.因此可能会出现你所说的"用exucte属性申请的内存却没有excute属性"
from duckmemoryscan.
ck00004
commented on September 15, 2024
unsigned char shellcode[] = "";
PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);
DWORD threadID;
for (int i = 0; i < sizeof shellcode; i++)
{
((char*)shellcode_exec)[i] = (((char*)shellcode_exec)[i]) ^ '\x37';//异或55位
}
HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
WaitForSingleObject(hThread, INFINITE);
return 0;
核心代码就是这样,没有rootkit cs版本4.2
vs2017 release x64 编译 我这边测试运行系统是windows 2012 没有杀软
我在测试时发现,x64情况下,如果cs服务端关闭时能正常识别到PAGE_EXECUTE_READWRITE属性,如果cs服务端正常运行上线,就会变成PAGE_READWRITE
from duckmemoryscan.
huoji120
commented on September 15, 2024
完整执行程序能否给一份,这边不好生成
from duckmemoryscan.
huoji120
commented on September 15, 2024
我这边测试
int main() {
PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);
DWORD threadID;
HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
WaitForSingleObject(hThread, INFINITE);
system("pause");
return 0;
}
依然是有效果的
虚拟机 windows 2012 x64
建议你使用pchunter或者火绒剑等ARK工具查看现在的内存与扫描rootkit是否存在 因为这种情况理论上除了rootkit纯R3是无法做到的
from duckmemoryscan.
ck00004
commented on September 15, 2024
大概找到问题了 pchunter 显示内存状态是正确的,但是 DuckMemoryScan没有检测到这块内存
from duckmemoryscan.
huoji120
commented on September 15, 2024
有联系方式吗? 方便远程查看吗?
from duckmemoryscan.
huoji120
commented on September 15, 2024
想了想,你是不是直接编译32位的程序了.32位程序不能回溯64进程数据
from duckmemoryscan.
ck00004
commented on September 15, 2024
并不是我编译的是64位的。。。。
from duckmemoryscan.
huoji120
commented on September 15, 2024
如果可以将你的联系方式私聊我,我们线上解决会比较好邮箱 [email protected]
from duckmemoryscan.
Related Issues (4)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from duckmemoryscan.