
<p align="center"> <img src="https://user-images.githubusercontent.com/16742566/80297653-a1b54d80-87b7-11ea-8758-9590f5989a33.png"> </p>

Navy_public

A lightweight tool for automatically analysing the call context of malware and the anti-debugging techniques used by games.

Usage

  1. Launch Navy32.exe or Navy64.exe, press Alt+A and select the process to monitor.

Shortcut keys

JSON database

  1. Example

```jsonc
{
    "supportedFunctions": ["NtCreateProcess", "NtQueryInformationProcess"], // functions the database supports (unsupported ones are not shown in the GUI)
    "NtCreateProcess": {
        "hasResult": true, // whether the function has a return value
        "paraCount": 8, // number of parameters (excluding the return value)
        "paras": {
            "para0": { // the function's result (keep this field even if there is no return value)
                "type": "NSTATUS", // type
                "name": "result", // name
                "hasPreValue": false // whether predefined values exist; see `DB/NTDLL.JSON -> NtQueryInformationProcess`
            },
            "para1": { // first parameter
                "type": "PHANDLE",
                "name": "ProcessHandle",
                "hasPreValue": false
            },
            "para2": { // second parameter
                "type": "ACCESS_MASK",
                "name": "DesiredAccess",
                "hasPreValue": false
            },
            "para3": {
                "type": "POBJECT_ATTRIBUTES",
                "name": "ObjectAttributes",
                "hasPreValue": false
            },
            "para4": {
                "type": "HANDLE",
                "name": "ParentProcess",
                "hasPreValue": false
            },
            "para5": {
                "type": "BOOLEAN",
                "name": "InheritObjectTable",
                "hasPreValue": false
            },
            "para6": {
                "type": "HANDLE",
                "name": "SectionHandle",
                "hasPreValue": false
            },
            "para7": {
                "type": "HANDLE",
                "name": "DebugPort",
                "hasPreValue": false
            },
            "para8": {
                "type": "HANDLE",
                "name": "ExceptionPort",
                "hasPreValue": false
            }
        }
    }
}
```

  1. When a call is captured, output similar to the following is shown:

<return type> <result name>(<raw value> or <predefined value, if set>) <calling convention> (<parameter type> <parameter name>(<raw value> or <predefined value, if set>)[predefined comment], ...)

3.1 Before the call: the parameter contents before NtQueryInformationProcess is invoked

NSTATUS result(无返回值) __stdcall (HANDLE ProcessHandle(0xffffffff), PROCESSINFOCLASS ProcessInformationClass(ProcessBasicInformation)[there is any comments], PVOID ProcessInformation(0x695198), ULONG ProcessInformationLength(0x18), PULONG ReturnLength(0x6951b0))

3.2 After the call: the parameter contents after NtQueryInformationProcess has returned

NSTATUS result(0x0) __stdcall (HANDLE ProcessHandle(0xffffffff), PROCESSINFOCLASS ProcessInformationClass(ProcessBasicInformation)[there is any comments], PVOID ProcessInformation(0x695198), ULONG ProcessInformationLength(0x18), PULONG ReturnLength(0x6951b0))
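As an added example (not part of the Navy project's own code), the following Python script shows how the JSON database layout above and the display format described in this section fit together: it strips the `//` comments the README uses, checks an entry for the consistency rules the README states (`para0` always present, `paraCount` parameters after it, every function in `supportedFunctions` defined), and renders before/after records in the `<type> <name>(value)[comment]` form. The `SAMPLE_DB`, the `PRE_VALUES` lookup table and the `BEFORE`/`AFTER` value dictionaries are constructed here; the README only says that predefined values live in `DB/NTDLL.JSON`, so the shape of `PRE_VALUES` is an assumption of this example.

```python
import json
import re

# Constructed sample in the README's database layout, trimmed to one function.
# `//` comments are stripped before parsing (assumes no `//` inside JSON strings).
SAMPLE_DB = r'''
{
    "supportedFunctions": ["NtQueryInformationProcess", "NtCreateProcess"],
    "NtQueryInformationProcess": {
        "hasResult": true,   // function has a return value
        "paraCount": 5,      // parameter count, excluding the result
        "paras": {
            "para0": {"type": "NSTATUS",          "name": "result",                   "hasPreValue": false},
            "para1": {"type": "HANDLE",           "name": "ProcessHandle",            "hasPreValue": false},
            "para2": {"type": "PROCESSINFOCLASS", "name": "ProcessInformationClass",  "hasPreValue": true},
            "para3": {"type": "PVOID",            "name": "ProcessInformation",       "hasPreValue": false},
            "para4": {"type": "ULONG",            "name": "ProcessInformationLength", "hasPreValue": false},
            "para5": {"type": "PULONG",           "name": "ReturnLength",             "hasPreValue": false}
        }
    }
}
'''

# Hypothetical predefined-value table (its real layout is in DB/NTDLL.JSON, not shown
# in the README): parameter name -> {raw value: (symbolic name, comment)}.
PRE_VALUES = {
    "ProcessInformationClass": {0: ("ProcessBasicInformation", "there is any comments")},
}


def load_db(text):
    """Strip // line comments, then parse the remaining strict JSON."""
    return json.loads(re.sub(r"//[^\n]*", "", text))


def validate_db(db):
    """Return a list of schema problems; an empty list means the DB is consistent."""
    problems = []
    for fn in db.get("supportedFunctions", []):
        if fn not in db:
            problems.append(f"{fn}: listed in supportedFunctions but has no entry")
    for fn, entry in db.items():
        if fn == "supportedFunctions":
            continue
        paras = entry.get("paras", {})
        # para0 is the result slot and must exist even when hasResult is false,
        # so an entry with paraCount == N carries keys para0 .. paraN.
        expected = {f"para{i}" for i in range(entry.get("paraCount", 0) + 1)}
        if set(paras) != expected:
            problems.append(f"{fn}: paras keys {sorted(paras)} do not match paraCount={entry.get('paraCount')}")
        for key, p in paras.items():
            for field in ("type", "name", "hasPreValue"):
                if field not in p:
                    problems.append(f"{fn}.{key}: missing '{field}'")
    return problems


def _render(raw, pre):
    """Return (value text, comment): the predefined name when one matches, else the raw value."""
    if raw is None:
        return "no return value", None          # result slot before the call has happened
    if pre and raw in pre:
        return pre[raw]
    return (hex(raw) if isinstance(raw, int) else str(raw)), None


def format_call(entry, values, pre_values=None, convention="__stdcall"):
    """Render one record as: <ret type> <ret name>(value) <convention> (<type> <name>(value)[comment], ...)."""
    pre_values = pre_values or {}
    paras = entry["paras"]

    def piece(key):
        p = paras[key]
        pre = pre_values.get(p["name"]) if p["hasPreValue"] else None
        val, comment = _render(values.get(p["name"]), pre)
        text = f'{p["type"]} {p["name"]}({val})'
        return text + (f"[{comment}]" if comment else "")

    args = ", ".join(piece(f"para{i}") for i in range(1, entry["paraCount"] + 1))
    return f"{piece('para0')} {convention} ({args})"


DB = load_db(SAMPLE_DB)
ENTRY = DB["NtQueryInformationProcess"]
# Constructed observed values, mirroring the README's 3.1 / 3.2 records.
BEFORE = {"ProcessHandle": 0xffffffff, "ProcessInformationClass": 0, "ProcessInformation": 0x695198,
          "ProcessInformationLength": 0x18, "ReturnLength": 0x6951b0}
AFTER = dict(BEFORE, result=0x0)

if __name__ == "__main__":
    print(validate_db(DB))
    print(format_call(ENTRY, BEFORE, PRE_VALUES))
    print(format_call(ENTRY, AFTER, PRE_VALUES))
```

Running it reports that `NtCreateProcess` is listed as supported but has no entry, then prints the two records; the second one matches the 3.2 line above exactly, which is a quick way to check that a hand-edited database entry renders as intended before loading it into the GUI.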

Supported functions

Example

Roadmap

  1. Multi-process support, 64-bit support, more modules (kernel32, user32, ...), support for more APIs, and script-driven automatic interception that sets parameters and return values.

Dependencies

  1. Qt 5.14.2
  2. simdjson

...

Other