win7x64虚拟机(过NP TP VMP SE GK G盾无限替换vmx)

win7x64虚拟机(过NPTPVMPSEGKG盾无限替换vmx)是一款VMP过虚拟机检测系统，早期时候做了一个过G盾的，重新做个新的吧.花了一晚上时间做出,虚拟机过NPTPVMPSEGKG盾。压缩的时候忘记随机mac了，大家换个吧,这个大体不影响。

系统说明

可以玩DNFCF一些游戏

提取码：ah3f

关于Win7x64下过TP保护

调试对象：DXF调试工具：OD、Windbg调试环境：Win7SP1X64

内核层部分：x64下因为有PatchGuard的限制，很多保护都被巨硬给抹掉了。比如SSDTHookInlineHook所以TP无法继续使用这些保护手段了。除非腾Xun冒着被巨硬吊销数字签名的风险来阻止我们调试。我曾经在看雪论坛里看过有个人写的文章，它亲自测试在x64环境下清零调试端口，结果发生了蓝屏，所以在x64下TP是不会清零的。这样就省了不少的事情。但是自从那次TP大更新后新加入了ValidAccessMask清零。那么在ring0中TP除了ValidAccessMask清零，还有反双机调试，这里不是我们讨论的范畴。我们只是讨论如何才能正常调试游戏，于是在内核层我们只要解决ValidAccessMask清零就可以了。调试权限（ValidAccessMask）的清零这个标志位其实是DebugObject（调试对象）的权限，如果为0将导致无法创建调试对象（缺少权限）。常见的情况就是OD无法附加任何进程，这个保护刚刚出的时候很多菜鸟都没搞懂，包括我自己（知道被我师傅说我等级太低时的心情是什么？。这个DebugObject在很多调试函数中都有用到，比如NtCreateDebugObject就有需要访问调试对象。所以要想办法恢复这个标志位。我们有三种选择：1、自己恢复原来的值2、找到TP清零的位置Nop掉3、移位(重建DebugObject)这里我选择了第一种。具体步骤如下：①定位DebugObject：在NtCreateDebugObject里就有DebugObject的地址。1:kdufNtCreateDebugObjectnt!NtCreateDebugObject:fffff800`042697a048895c2408????mov????qwordptr[rsp+8],rbxfffff800`042697a54889742410????mov????qwordptr[rsp+10h],rsifffff800`042697aa57??????????push??rdifffff800`042697ab4883ec70??????sub????rsp,70hfffff800`042697af418bf9??????mov????edi,r9dfffff800`042697b28bf2????????mov????esi,edxfffff800`042697b4488bd9??????mov????rbx,rcxfffff800`042697b765488b042588010000mov??rax,qwordptrgs:[188h]fffff800`042697c0448a90f6010000??mov????r10b,byteptr[rax+1F6h]fffff800`042697c74584d2??????test??r10b,r10bfffff800`042697ca7414????????je????nt!NtCreateDebugObject+0x40(fffff800`042697e0)nt!NtCreateDebugObject+0x2c:fffff800`042697cc488b052d38e5ff??mov????rax,qwordptr[nt!MmUserProbeAddress(fffff800`040bd000)]fffff800`042697d3483bc8??????cmp????rcx,raxfffff800`042697d6480f43c8??????cmovae??rcx,raxfffff800`042697da488b01??????mov????rax,qwordptr[rcx]fffff800`042697dd488901??????mov????qwordptr[rcx],raxnt!NtCreateDebugObject+0x40:fffff800`042697e048832300??????and????qwordptr[rbx],0fffff800`042697e441f7c1feffffff??test??r9d,0FFFFFFFEhfffff800`042697eb740a????????je????nt!NtCreateDebugObject+0x57(fffff800`042697f7)nt!NtCreateDebugObject+0x4d:fffff800`042697edb80d0000c0????mov????eax,0C000000Dhfffff800`042697f2e9e4000000????jmp????nt!NtCreateDebugObject+0x13b(fffff800`042698db)nt!NtCreateDebugObject+0x57:fffff800`042697f7488d442450????lea????rax,[rsp+50h]fffff800`042697fc4889442440????mov????qwordptr[rsp+40h],raxfffff800`042698018364243800????and????dwordptr[rsp+38h],0fffff800`042698068364243000????and????dwordptr[rsp+30h],0fffff800`0426980bc744242868000000mov????dwordptr[rsp+28h],68hfffff800`04269813488364242000??and????qwordptr[rsp+20h],0fffff800`04269819458aca??????mov????r9b,r10bfffff800`0426981c488b158dd3daff??mov????rdx,qwordptr[nt!DbgkDebugObjectType(fffff800`04016bb0)]fffff800`04269823418aca??????mov????cl,r10bfffff800`04269826e84572f1ff????call??nt!ObCreateObject(fffff800`04180a70)fffff800`0426982b4c8b4c2450????mov????r9,qwordptr[rsp+50h]fffff800`042698304c894c2460????mov????qwordptr[rsp+60h],r9fffff800`0426983585c0????????test??eax,eaxfffff800`042698370f889e000000??js????nt!NtCreateDebugObject+0x13b(fffff800`042698db)这个红字就是了继续定位ValidAccessMask的地址。1:kddqfffff800`04016bb0fffff800`04016bb0??fffffa80`00c3320000000000`00000000fffff800`04016bc0??fffff8a0`0009a0100000002a`00000012fffff800`04016bd0??00000024`000000a1fffff880`0119d9a0fffff800`04016be0??00000002`00000001fffff880`095deaccfffff800`04016bf0??fffff800`03f873f000000000`00000007fffff800`04016c00??00000003`00000000fffff800`03e10448fffff800`04016c10??fffffa80`01bae06000000000`00000000fffff800`04016c20??00000000`0000000000000003`000001011:kddt_OBJECT_TYPEfffffa80`00c33200nt!_OBJECT_TYPE+0x000TypeList??????:_LIST_ENTRY[0xfffffa80`00c33200-0xfffffa80`00c33200]+0x010Name????????:_UNICODE_STRING"DebugObject"+0x020DefaultObject??:(null)+0x028Index????????:0xb''+0x02cTotalNumberOfObjects:0+0x030TotalNumberOfHandles:0+0x034HighWaterNumberOfObjects:0+0x038HighWaterNumberOfHandles:0+0x040TypeInfo??????:_OBJECT_TYPE_INITIALIZER+0x0b0TypeLock??????:_EX_PUSH_LOCK+0x0b8Key??????????:0x75626544+0x0c0CallbackList????:_LIST_ENTRY[0xfffffa80`00c332c0-0xfffffa80`00c332c0]1:kddt_OBJECT_TYPE_INITIALIZER?fffffa80`00c33200+40nt!_OBJECT_TYPE_INITIALIZER+0x000Length????????:0x70+0x002ObjectTypeFlags??:0x8''+0x002CaseInsensitive??:0y0+0x002UnnamedObjectsOnly:0y0+0x002UseDefaultObject:0y0+0x002SecurityRequired:0y1+0x002MaintainHandleCount:0y0+0x002MaintainTypeList:0y0+0x002SupportsObjectCallbacks:0y0+0x002CacheAligned????:0y0+0x004ObjectTypeCode??:0+0x008InvalidAttributes:0+0x00cGenericMapping??:_GENERIC_MAPPING+0x01cValidAccessMask??:0x1f000f+0x020RetainAccess????:0+0x024PoolType??????:0(NonPagedPool)+0x028DefaultPagedPoolCharge:0+0x02cDefaultNonPagedPoolCharge:0x58+0x030DumpProcedure??:(null)+0x038OpenProcedure??:(null)+0x040CloseProcedure??:0xfffff800`042b18e0????void??nt!DbgkpCloseObject+0+0x048DeleteProcedure??:0xfffff800`04105200????void??nt!xHalEndOfBoot+0+0x050ParseProcedure??:(null)+0x058SecurityProcedure:0xfffff800`04170530????long??nt!SeDefaultObjectMethod+0+0x060QueryNameProcedure:(null)+0x068OkayToCloseProcedure:(null)于是我们就定位到了VaildAccessMask的地址了。②恢复工作它的默认值是0x1F000F当我们自己手动修改成0时。使用OD附加任意进程。

Tags:x64dbg使用,永久激活,虚拟机系统.