```
├── CHANGELOG.MD
├── README.md
└── config
    ├── win10
    │   ├── 10.0.18362.295.mv
    │   └── 10.0.18362.356.mv
    └── win7
        └── 6.1.7600.mv
```

/CHANGELOG.MD:
--------------------------------------------------------------------------------

#### 2020-02-24
0. Improved handling of virtual-machine detection: [issues/8](https://github.com/stonedreamforest/Mirage/issues/8)

#### 2020-01-08
0. Improved stability

----------------------------------------------------------------

#### 2019-12-13
0. Driver-loading logic adjusted
1. Anti-anti-debugging enhancements

#### 2019-12-09
0. Added a WinDbg plugin. Usage:
> Start from the command line: `windbg -a Mirage.dll`

#### 2019-11-17
0. [Fixed error messages being garbled on non-Chinese systems, issues/6](https://github.com/stonedreamforest/Mirage/issues/6)

#### 2019-11-16
0. Fixed [issues/5](https://github.com/stonedreamforest/Mirage/issues/5)
1. The default location of `Mirage.sys` is now `C:\Windows\System32\drivers\`, so that multiple copies are no longer created
2. Assorted bug fixes

#### 2019-11-11
0. Fixed [issues 2](https://github.com/stonedreamforest/Mirage/issues/2)
1. Added offline `config` files; use whichever matches your system. Anyone can upload the configuration for their own version to this repository. Format: `<version>.mv` (the version can be checked from cmd, see below)

![image](https://user-images.githubusercontent.com/16742566/68569294-b9627900-0498-11ea-90c1-35d2f3af2ad6.png)

2. Some UI logic adjustments
3. Other versions can also be tried (Win7 and Win7 SP1 differ little, so they should work; for Win10 it is up to luck...)

#### 2019-11-10
0. Fixed a hidden bug
1. Added `MVConfigBuild.exe`, which generates a private configuration file and improves compatibility: `a supported system may keep working even after kernel patches have been applied`.
   - Previously supported:
   > Microsoft Windows [Version 10.0.18362.**418**] //`19h1`
   - Now supported:
   > Microsoft Windows [Version 10.0.18362.**xxx**] //`19h1`
2. The system version is checked automatically before use, reducing the chance of a blue screen

#### 2019-11-08
Public release

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------

![Mirage](https://img.shields.io/github/tag/stonedreamforest/Mirage?style=flat-square)
![Mirage](https://img.shields.io/github/release/stonedreamforest/Mirage/all.svg?style=flat-square)
![GitHub issues](https://img.shields.io/github/issues-raw/stonedreamforest/mirage?style=flat-square)
![GitHub closed issues](https://img.shields.io/github/issues-closed-raw/stonedreamforest/mirage?style=flat-square)
![GitHub Releases](https://img.shields.io/github/downloads/stonedreamforest/Mirage/latest/total?style=flat-square&logo=github)
![GitHub All Releases](https://img.shields.io/github/downloads/stonedreamforest/Mirage/total?label=downloads-total&logo=github&style=flat-square)
[![HitCount](http://hits.dwyl.io/stonedreamforest/Mirage.svg)](http://hits.dwyl.io/stonedreamforest/Mirage)

# Mirage
> The driver is signed, but with a leaked certificate, so disable anti-virus software before use.

Because the signature is leaked, security products can be expected to flag `Mirage.sys`; use it on a dedicated analysis machine rather than a daily-use one.

#### Notes
1. Based on Intel VT-x and EPT
2. Does not conflict with other anti-anti-debugging plugins

#### Supported checks

- [x] IsDebuggerPresent
- [x] CheckRemoteDebuggerPresent
- [x] Process Environment Block (BeingDebugged)
- [x] Process Environment Block (NtGlobalFlag)
- [x] ProcessHeap (Flags)
- [x] ProcessHeap (ForceFlags)
- [x] NtQueryInformationProcess (ProcessDebugPort)
- [x] NtQueryInformationProcess (ProcessDebugFlags)
- [x] NtQueryInformationProcess (ProcessDebugObject)
- [x] NtSetInformationThread (HideThreadFromDebugger)
- [x] NtQueryObject (ObjectTypeInformation)
- [x] NtQueryObject (ObjectAllTypesInformation)
- [x] CloseHandle (NtClose) invalid handle
- [x] SetHandleInformation (protected handle)
- [x] Hardware Breakpoints (SEH / GetThreadContext)
- [x] NtYieldExecution / SwitchToThread
- [x] Process jobs
- [x] Memory write watching
> Only detection techniques that can be handled from kernel mode are in scope (if anything is missing, or you have ideas or suggestions, let me know)

Test program: [al-khaser](https://github.com/LordNoteworthy/al-khaser)

#### Supported systems
1. Win7 x64 (*`6.1.7600`*)
2. Win10 19H1 x64 (*`10.0.18362.XXXX`*)

#### Supported debuggers
1. [x64dbg](https://github.com/x64dbg/x64dbg) is supported now, and updates will continue...
2. OllyDbg will not be supported. [Want OD support? Click to vote](https://github.com/stonedreamforest/Mirage/issues/4)
3. Planned: ~~WinDbg (already supported)~~, [cutter](https://github.com/radareorg/cutter), [ghidra](https://github.com/NationalSecurityAgency/ghidra). The latter two first need debugging support of their own.

#### Usage
0. Use [`PDBDownloader.exe`](https://github.com/rajkumar-rangaraj/PDB-Downloader) to download the `pdb` file for `ntoskrnl.exe` (it is saved to the C: drive by default)

![image](https://user-images.githubusercontent.com/16742566/68540402-a6827280-03cc-11ea-9e5e-b54916db71f5.png)

------------------------------------------

1. Run `MVConfigBuild.exe ntoskrnl.pdb` to generate the `config.mv` configuration file, then move it to the root of the C: drive, `C:\`

*Start CMD as administrator*:

> MVConfigBuild.exe `C:\symbols\ntkrnlmp.pdb\hashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\ntkrnlmp.pdb` (make sure `MVConfigBuild.exe` and `msdia140.dll` are in the same directory)

![image](https://user-images.githubusercontent.com/16742566/68540440-0da02700-03cd-11ea-9810-4bda0d9e1c18.png)

*Offline versions are available: [offline config](https://github.com/stonedreamforest/Mirage/tree/master/config) (anyone can upload the configuration for their own version to this repository).*

*Format: [version.mv], for example **10.0.18362.295.mv** (the version can be checked from cmd)*

![image](https://user-images.githubusercontent.com/16742566/68569294-b9627900-0498-11ea-90c1-35d2f3af2ad6.png)

------------------------------------------

2. File placement
+ x64dbg:
> Move `MirageV.dp32` and `MirageV.dp64` into the corresponding `\plugins\` directory
![image](https://user-images.githubusercontent.com/16742566/68994420-b4009680-08bd-11ea-8a21-43a52dd789a9.png)

1. Run: menu bar - Plugins - 幻境 (Mirage) - Enter

![image](https://user-images.githubusercontent.com/16742566/68471759-d5c4a280-0259-11ea-8922-46569af7d9be.png)

+ windbg:
> Move `MirageV.dll` into the corresponding `\Debuggers\bit??\` directory
![image](https://user-images.githubusercontent.com/16742566/70392479-7a81fd80-1a1b-11ea-86ed-6af8d0ab5379.png)

1. Run: `windbg -a MirageV.dll`
2. Then run: `!MirageVRun`

+ Driver:
> Move `Mirage.sys` to `C:\Windows\System32\drivers\`
![image](https://user-images.githubusercontent.com/16742566/68994431-d5618280-08bd-11ea-88f8-63cbf0bec16a.png)

------------------------------------------

3. Use

- Attach
> Enter the process ID - click `Attach process` - click `Enable`

![image](https://user-images.githubusercontent.com/16742566/68471844-06a4d780-025a-11ea-9c12-0c07e11b53d5.png)

- Start debugging
> Just click `Enable`

![image](https://user-images.githubusercontent.com/16742566/68471860-13293000-025a-11ea-8319-1707dcb9a0d2.png)

#### Demo
![Bn2pqgw32f](https://user-images.githubusercontent.com/16742566/68470102-5e414400-0256-11ea-8f85-aa0e893f71ea.gif)

#### Current version
[v20200224](https://github.com/stonedreamforest/Mirage/releases/tag/v20200224)

#### [Click to view: previous versions and the latest release](https://github.com/stonedreamforest/Mirage/releases)

#### Changelog
[CHANGELOG](https://github.com/stonedreamforest/Mirage/blob/master/CHANGELOG.MD)

#### Related
- [Navy: lightweight automatic analysis of malware call context, game anti-debugging implementation techniques...](https://github.com/stonedreamforest/Navy_public)

## Finally
The source code will be released some day...

--------------------------------------------------------------------------------

/config/win10/10.0.18362.295.mv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stonedreamforest/Mirage/861830dd2da25ebcf342231f54823e5d706a7d63/config/win10/10.0.18362.295.mv
--------------------------------------------------------------------------------

/config/win10/10.0.18362.356.mv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stonedreamforest/Mirage/861830dd2da25ebcf342231f54823e5d706a7d63/config/win10/10.0.18362.356.mv
--------------------------------------------------------------------------------

/config/win7/6.1.7600.mv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stonedreamforest/Mirage/861830dd2da25ebcf342231f54823e5d706a7d63/config/win7/6.1.7600.mv
--------------------------------------------------------------------------------
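The README lists the detections Mirage hides but does not show what those checks actually read. The following probe is an added example, not code from the Mirage project: it performs the PEB- and heap-based subset of the "Supported checks" list (IsDebuggerPresent, CheckRemoteDebuggerPresent, PEB.BeingDebugged, PEB.NtGlobalFlag, ProcessHeap Flags and ForceFlags) so you can run it under x64dbg with the plugin enabled and confirm that every line reports "clean". The decision logic lives in `peb_looks_debugged()`, which works on a plain struct so it also compiles and runs off Windows with constructed snapshots; the Windows-only part fills that struct from the live PEB using the x64 offsets (PEB+0x02, +0x30, +0xBC; HEAP+0x70, +0x74), which hold on the Win7 x64 and Win10 19H1 x64 builds the page supports. The `peb_view`, `CHK_*` and `read_live_peb` names are this example's own.

```c
/*
 * Added example, not part of Mirage: a self-check for the PEB/heap-based
 * anti-debug detections listed in the README.  Build with MSVC or MinGW-w64
 * (x64) and run it under the debugger; with the plugin working, every line
 * should print "clean" and the process exits with 0.
 */
#include <stdint.h>
#include <stdio.h>

/* Bits a debugger-created process gets in PEB.NtGlobalFlag. */
#define FLG_HEAP_ENABLE_TAIL_CHECK    0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK    0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS  0x40u
#define NTGLOBALFLAG_DEBUG_BITS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                 FLG_HEAP_ENABLE_FREE_CHECK | \
                                 FLG_HEAP_VALIDATE_PARAMETERS)

/* Bits the debug heap sets in HEAP.Flags / HEAP.ForceFlags. */
#define HEAP_GROWABLE                     0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED        0x00000020u
#define HEAP_FREE_CHECKING_ENABLED        0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED  0x40000000u
#define HEAP_DEBUG_BITS (HEAP_TAIL_CHECKING_ENABLED | \
                         HEAP_FREE_CHECKING_ENABLED | \
                         HEAP_VALIDATE_PARAMETERS_ENABLED)

/* Snapshot of the fields the listed checks read (example's own struct). */
struct peb_view {
    uint8_t  being_debugged;   /* PEB.BeingDebugged; IsDebuggerPresent returns it */
    uint32_t nt_global_flag;   /* PEB.NtGlobalFlag */
    uint32_t heap_flags;       /* PEB.ProcessHeap->Flags */
    uint32_t heap_force_flags; /* PEB.ProcessHeap->ForceFlags */
};

enum {
    CHK_BEING_DEBUGGED = 1 << 0,
    CHK_NT_GLOBAL_FLAG = 1 << 1,
    CHK_HEAP_FLAGS     = 1 << 2,
    CHK_HEAP_FORCE     = 1 << 3
};

/* Returns a bitmask of the checks that fired; 0 means no debugger was seen.
 * A clean process heap has only HEAP_GROWABLE in Flags and ForceFlags == 0. */
unsigned peb_looks_debugged(const struct peb_view *p)
{
    unsigned hits = 0;
    if (p->being_debugged)                          hits |= CHK_BEING_DEBUGGED;
    if (p->nt_global_flag & NTGLOBALFLAG_DEBUG_BITS) hits |= CHK_NT_GLOBAL_FLAG;
    if (p->heap_flags & ~HEAP_GROWABLE)             hits |= CHK_HEAP_FLAGS;
    if (p->heap_force_flags != 0)                   hits |= CHK_HEAP_FORCE;
    return hits;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>

/* Fill peb_view from the current process: x64 layout, Win7 and later. */
static void read_live_peb(struct peb_view *out)
{
    const uint8_t *peb  = (const uint8_t *)__readgsqword(0x60);
    const uint8_t *heap = *(const uint8_t *const *)(peb + 0x30);
    out->being_debugged   = peb[0x02];
    out->nt_global_flag   = *(const uint32_t *)(peb + 0xBC);
    out->heap_flags       = *(const uint32_t *)(heap + 0x70);
    out->heap_force_flags = *(const uint32_t *)(heap + 0x74);
}

int main(void)
{
    struct peb_view v;
    BOOL remote = FALSE;
    unsigned hits;

    read_live_peb(&v);
    hits = peb_looks_debugged(&v);
    CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote);

    printf("IsDebuggerPresent          : %s\n", IsDebuggerPresent() ? "debugged" : "clean");
    printf("CheckRemoteDebuggerPresent : %s\n", remote ? "debugged" : "clean");
    printf("PEB.BeingDebugged          : %s\n", (hits & CHK_BEING_DEBUGGED) ? "debugged" : "clean");
    printf("PEB.NtGlobalFlag   (0x%02x) : %s\n", (unsigned)v.nt_global_flag,
           (hits & CHK_NT_GLOBAL_FLAG) ? "debugged" : "clean");
    printf("Heap.Flags     (0x%08x) : %s\n", (unsigned)v.heap_flags,
           (hits & CHK_HEAP_FLAGS) ? "debugged" : "clean");
    printf("Heap.ForceFlags(0x%08x) : %s\n", (unsigned)v.heap_force_flags,
           (hits & CHK_HEAP_FORCE) ? "debugged" : "clean");
    return (hits || remote) ? 1 : 0;
}
#else
/* Off Windows there is no PEB to read; evaluate two constructed snapshots. */
int main(void)
{
    struct peb_view clean    = { 0, 0, HEAP_GROWABLE, 0 };
    struct peb_view debugged = { 1, NTGLOBALFLAG_DEBUG_BITS,
                                 HEAP_GROWABLE | HEAP_DEBUG_BITS, HEAP_DEBUG_BITS };
    printf("clean snapshot    -> hits 0x%x\n", peb_looks_debugged(&clean));
    printf("debugged snapshot -> hits 0x%x\n", peb_looks_debugged(&debugged));
    return 0;
}
#endif
```

The hardware-breakpoint, NtQueryInformationProcess, NtQueryObject and handle-based entries from the list are not covered by this probe; al-khaser, which the README names as its test program, exercises those. Note that a plugin which only clears `BeingDebugged` still leaves the NtGlobalFlag and heap checks firing, which is why the list treats them as separate items.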