Kernel Anti-Anti-Debug Plugins (内核反反调试插件)
English (translation from https://github.com/finch7)
The plugin rewrites NtDebugActiveProcess, DbgkpQueueMessage, KiDispatchException, DebugActiveProcess, the DbgUixxx routines and similar functions so that the debug object (Process->DebugObject) and the other key locations that anti-debug code inspects are bypassed, giving an anti-anti-debugging effect.

Kernel: bypass DebugPort
User mode (R3): bypass DbgUiDebugObjectHandle (NtCurrentTeb()->DbgSsReserved[1])
User mode (R3): bypass PEB->BeingDebugged
Supports creating a process and attaching to a running process
Can be used together with the ScyllaHide plugin
Supports x64dbg
Bypasses VMP, SE and other anti-debug packers
Supports WOW64
....
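The user-mode checks the R3 bypass above has to hide from, as an added example that is not part of this project's code: PEB->BeingDebugged (what IsDebuggerPresent() reads) and the NtQueryInformationProcess classes that the kernel answers from Process->DebugPort / Process->DebugObject, which is why the kernel side rewrites that path rather than patching user mode. On Windows it runs the checks against the current process; the interpretation of each query result is kept in a portable function so the file also builds elsewhere. The helper names interpret_debug_query, query_debug_info, resolve_nqip and peb_being_debugged are this example's own.

```c
/* Added example, not the plugin's own code: the user-mode debugger checks an
 * anti-anti-debug layer must defeat. Windows: cl /W4 antidebug_check.c
 * Elsewhere only the portable interpretation function is compiled. */
#include <stdio.h>
#include <stdint.h>

/* NtQueryInformationProcess classes and NTSTATUS values used by these checks. */
#define PROCESS_DEBUG_PORT          7u
#define PROCESS_DEBUG_OBJECT_HANDLE 30u
#define PROCESS_DEBUG_FLAGS         31u
#define NT_STATUS_SUCCESS           0x00000000u
#define NT_STATUS_PORT_NOT_SET      0xC0000353u

/* Interpret one query result: 1 = debugger indicated, 0 = none indicated,
 * -1 = the call failed, so nothing can be concluded from it. */
static int interpret_debug_query(uint32_t info_class, uint32_t status, uint64_t value)
{
    switch (info_class) {
    case PROCESS_DEBUG_PORT:
        /* The kernel writes -1 when Process->DebugPort is set, 0 otherwise. */
        return status == NT_STATUS_SUCCESS ? (value != 0) : -1;
    case PROCESS_DEBUG_OBJECT_HANDLE:
        /* With no debug object attached the call fails with STATUS_PORT_NOT_SET;
         * success means a handle to the attached debug object came back. */
        if (status == NT_STATUS_PORT_NOT_SET) return 0;
        return status == NT_STATUS_SUCCESS ? (value != 0) : -1;
    case PROCESS_DEBUG_FLAGS:
        /* Inverted sense: the kernel reports !NoDebugInherit, so a value of 0
         * is the debugged state. Packers test for flags == 0. */
        return status == NT_STATUS_SUCCESS ? (value == 0) : -1;
    default:
        return -1;
    }
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Resolve NtQueryInformationProcess at run time so no ntdll.lib link is needed. */
static NtQueryInformationProcess_t resolve_nqip(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll) return NULL;
    return (NtQueryInformationProcess_t)(void *)GetProcAddress(ntdll, "NtQueryInformationProcess");
}

/* Run one query against the current process with the buffer size that class
 * expects (DWORD_PTR, HANDLE or ULONG), then classify the result. */
static int query_debug_info(ULONG info_class, ULONG buffer_size)
{
    NtQueryInformationProcess_t nqip = resolve_nqip();
    uint64_t raw = 0;          /* wide enough for any of the three classes */
    ULONG returned = 0;
    NTSTATUS st;
    if (!nqip) return -1;
    st = nqip(GetCurrentProcess(), info_class, &raw, buffer_size, &returned);
    return interpret_debug_query(info_class, (uint32_t)st, raw);
}

/* Read PEB->BeingDebugged via the documented PROCESS_BASIC_INFORMATION path
 * instead of a hard-coded TEB/PEB offset. */
static int peb_being_debugged(void)
{
    NtQueryInformationProcess_t nqip = resolve_nqip();
    PROCESS_BASIC_INFORMATION pbi;
    ULONG returned = 0;
    if (!nqip) return -1;
    if (nqip(GetCurrentProcess(), ProcessBasicInformation, &pbi, sizeof pbi, &returned) != 0)
        return -1;
    return pbi.PebBaseAddress->BeingDebugged != 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    printf("PEB->BeingDebugged       : %d\n", peb_being_debugged());
    printf("ProcessDebugPort         : %d\n", query_debug_info(PROCESS_DEBUG_PORT, sizeof(DWORD_PTR)));
    printf("ProcessDebugObjectHandle : %d\n", query_debug_info(PROCESS_DEBUG_OBJECT_HANDLE, sizeof(HANDLE)));
    printf("ProcessDebugFlags        : %d\n", query_debug_info(PROCESS_DEBUG_FLAGS, sizeof(ULONG)));
    printf("IsDebuggerPresent()      : %d\n", IsDebuggerPresent() != 0);
#else
    puts("Windows-only checks skipped; only interpret_debug_query() is available here.");
#endif
    return 0;
}
```

Run the binary once normally and once under x64dbg with and without the plugin: with a bare debugger all four lines report 1, and a correct bypass has to turn every one of them back to 0, including ProcessDebugObjectHandle, which only the kernel side can answer.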
Not supported: 32-bit systems
Planned / status unknown:
(Completed, to be tested) Support Cheat Engine
(Completed; some of the kernel-side work is too large, and it is better handled at the application layer, since doing it in the kernel is not worth the cost) Bypass most of al-khaser's application-layer anti-debugging checks
Support virtual-machine dual-machine debugging: rewrite the kernel debugging functions and bypass kernel anti-debugging detection
Virtual-machine dual-machine debugging supports VirtualKD
Support Win10
Bypass some game anti-debugging protections (HS, BE, TP, ...)
[Screenshot] From left to right: the virtual machine running al-khaser with kernel mode not enabled; AADebugTest launching al-khaser; al-khaser launched under x64dbg with no plugins loaded
[Screenshot] From left to right: the virtual machine running al-khaser normally
https://github.com/MeeSong/KTL - enables the kernel STL
https://github.com/MeeSong/TrialSword (private project) - a good deal of code from this project was referenced
https://github.com/matt-wu - I put part of the code in this project, but that part of the code has since been deleted from the public repository
Note: the QQ group is for Windows kernel technical exchange only. Admission review is strict; after you apply to join the group, I will add you as a friend. Please accept the friend request and wait patiently for review.
QQ group: 546110133