dantmnf / NCSIOverride

You have no Internet connection despite you can open this page. --Microsoft
Do What The F*ck You Want To Public License

Modified the code to try to support Windows 11 23H2, but the Detours hook function is not triggered; how to debug this? #7

Closed MkfsSion closed 2 months ago

MkfsSion commented 2 months ago

Changes: https://github.com/MkfsSion/NCSIOverride/commit/394b7551b03fc1adac3de955496a3e74ea35023b Log:

before detour, realSetCapability:00007FF828BF5ED0
after detour, realSetCapability:00007FF7E8BE0120, MySetCapability:7fff3c08c570

Verified with the windbg uu command that this address really is the address of ncsi!NCSI_INTERFACE_ATTRIBUTES::SetCapability, but the hook simply does not trigger (MySetCapability is never called). I also tried disconnecting the network to change the NCSI capability, which did not help either (NCSI keeps working as usual and the tray icon turns into the small globe). windbg debugging record, captured at a breakpoint in NCSIOverrideAttach during an earlier session (debugging is a hassle, so this one is from a previous session):

0:004> p
nlasvc2!NCSIOverrideAttach+0x72:
00007ffc`a23daf52 488b00          mov     rax,qword ptr [rax] ds:00000078`c207f568={ncsi!NCSI_INTERFACE_ATTRIBUTES::SetCapability (00007ffc`aef75ed0)}
0:004> uu 00007ffcaef75ed0
ncsi!NCSI_INTERFACE_ATTRIBUTES::SetCapability:
00007ffc`aef75ed0 4055            push    rbp
00007ffc`aef75ed2 53              push    rbx
00007ffc`aef75ed3 56              push    rsi
00007ffc`aef75ed4 57              push    rdi
00007ffc`aef75ed5 4154            push    r12
00007ffc`aef75ed7 4155            push    r13
00007ffc`aef75ed9 4156            push    r14
00007ffc`aef75edb 4157            push    r15

After hooking, from the current session:

0:001> uu 00007FF828BF5ED0
ncsi!NCSI_INTERFACE_ATTRIBUTES::SetCapability:
00007ff8`28bf5ed0 e9a3a2febf      jmp     00007ff7`e8be0178
00007ff8`28bf5ed5 4154            push    r12
00007ff8`28bf5ed7 4155            push    r13
00007ff8`28bf5ed9 4156            push    r14
00007ff8`28bf5edb 4157            push    r15
00007ff8`28bf5edd 488dac24d8fdffff lea     rbp,[rsp-228h]
00007ff8`28bf5ee5 4881ec28030000  sub     rsp,328h
00007ff8`28bf5eec 488b05fde80500  mov     rax,qword ptr [ncsi!_security_cookie (00007ff8`28c547f0)]
0:001> uu 00007FF7E8BE0120
00007ff7`e8be0120 4055            push    rbp
00007ff7`e8be0122 53              push    rbx
00007ff7`e8be0123 56              push    rsi
00007ff7`e8be0124 57              push    rdi
00007ff7`e8be0125 ff253d000000    jmp     qword ptr [00007ff7`e8be0168]
00007ff7`e8be012b cc              int     3
00007ff7`e8be012c cc              int     3
00007ff7`e8be012d cc              int     3
0:001> ?? *((uintptr_t*)0x00007ff7e8be0168)
unsigned int64 0x00007ff8`28bf5ed5
0:001> uu 0x00007ff8`28bf5ed5
ncsi!NCSI_INTERFACE_ATTRIBUTES::SetCapability+0x5:
00007ff8`28bf5ed5 4154            push    r12
00007ff8`28bf5ed7 4155            push    r13
00007ff8`28bf5ed9 4156            push    r14
00007ff8`28bf5edb 4157            push    r15
00007ff8`28bf5edd 488dac24d8fdffff lea     rbp,[rsp-228h]
00007ff8`28bf5ee5 4881ec28030000  sub     rsp,328h
00007ff8`28bf5eec 488b05fde80500  mov     rax,qword ptr [ncsi!_security_cookie (00007ff8`28c547f0)]
00007ff8`28bf5ef3 4833c4          xor     rax,rsp
0:001> uu 00007ff7`e8be0178
00007ff7`e8be0178 ff25f2ffffff    jmp     qword ptr [00007ff7`e8be0170]
00007ff7`e8be017e cc              int     3
00007ff7`e8be017f cc              int     3
00007ff7`e8be0180 0000            add     byte ptr [rax],al
00007ff7`e8be0182 0000            add     byte ptr [rax],al
00007ff7`e8be0184 0000            add     byte ptr [rax],al
00007ff7`e8be0186 0000            add     byte ptr [rax],al
00007ff7`e8be0188 0000            add     byte ptr [rax],al
0:001> ?? *((uintptr_t*)0x00007ff7e8be0170)
unsigned int64 0x00007fff`3c08c570
0:001> uu 0x00007fff`3c08c570
nlasvc2!MySetCapability [F:\dev\NCSIOverride\fuckncsi.cpp @ 142]:
00007fff`3c08c570 44894c2420      mov     dword ptr [rsp+20h],r9d
00007fff`3c08c575 4489442418      mov     dword ptr [rsp+18h],r8d
00007fff`3c08c57a 89542410        mov     dword ptr [rsp+10h],edx
00007fff`3c08c57e 48894c2408      mov     qword ptr [rsp+8],rcx
00007fff`3c08c583 53              push    rbx
00007fff`3c08c584 55              push    rbp
00007fff`3c08c585 56              push    rsi
00007fff`3c08c586 57              push    rdi

install.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,6c,00,61,00,73,00,76,00,63,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\NCSIOverride]
"DefaultOverrideV4"=dword:00000002
"DefaultOverrideV6"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\NCSIOverride\InterfaceOverride]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\NCSIOverride\InterfaceOverride\{4efa6faf-9a7c-47bc-8179-6dc85adc9a59}]
"OverrideV4"=dword:00000000
"OverrideV6"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\NCSIOverride\Offsets]
"NCSI_INTERFACE_ATTRIBUTES_SetCapability"=hex(b):D0,5E,03,00,00,00,00,00

Address offset:

PS F:\dev\NCSIOverride> .\Update-Offset.ps1
Function offset: 0x35ed0
Successfully set the offset value in registry.

netprofmsvc.dll export table (screenshot)

Do you have any ideas on how to debug this?

dantmnf commented 2 months ago
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,6c,00,61,00,73,00,76,00,63,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

This still changes the NlaSvc entry point, so nothing gets injected into the netprofm service. On my side, testing on 24H2 with x64dbg, a breakpoint on SetCapability is hit normally.
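
As an added diagnostic for the mis-targeted ServiceDll problem described above (this is not code from the NCSIOverride project), the following PowerShell check reports, for each candidate service, which svchost process hosts it and whether ncsi.dll and the override DLL are loaded there; the service names and the DLL name nlasvc2.dll are taken from this thread, and an elevated prompt is assumed.

```powershell
# Added diagnostic, not part of NCSIOverride: for each svchost-hosted service
# that might own NCSI, report its ServiceDll and whether ncsi.dll and the
# override DLL are loaded in that service's process. Run from an elevated
# PowerShell; enumerating svchost module lists needs administrator rights.
$overrideDll = 'nlasvc2.dll'          # override DLL name used in this issue
$services = @('NlaSvc', 'netprofm')   # the two services named in the thread

foreach ($name in $services) {
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    $serviceDll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll `
        -ErrorAction SilentlyContinue).ServiceDll

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    $ncsiLoaded = $false
    $overrideLoaded = $false
    if ($svc -and $svc.ProcessId -gt 0) {
        $mods = (Get-Process -Id $svc.ProcessId).Modules |
            Select-Object -ExpandProperty ModuleName
        $ncsiLoaded = $mods -contains 'ncsi.dll'   # -contains is case-insensitive
        $overrideLoaded = $mods -contains $overrideDll
    }

    [pscustomobject]@{
        Service        = $name
        State          = $svc.State
        ProcessId      = $svc.ProcessId
        ServiceDll     = $serviceDll
        NcsiLoaded     = $ncsiLoaded
        OverrideLoaded = $overrideLoaded
    }
}
# How to read the output: the hook can only fire in the process that has
# ncsi.dll loaded. If NcsiLoaded is True for netprofm but OverrideLoaded is
# True only for NlaSvc, the ServiceDll change targets the wrong service. If
# both services share one svchost process, both rows show the same flags and
# the ServiceDll column is what tells them apart.
```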

MkfsSion commented 2 months ago
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,6c,00,61,00,73,00,76,00,63,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

This still changes the NlaSvc entry point, so nothing gets injected into the netprofm service. On my side, testing on 24H2 with x64dbg, a breakpoint on SetCapability is hit normally.

Thanks a lot, the problem is solved.