Navy_public

轻量级自动分析病毒程序调用上下文、游戏反调试实现技术...

使用

1. 启动Navy32/64.EXE 按alt+a选择要监控的进程

快捷键

• ALT + A: 打开进程列表
• CTRL + L: 清屏

json数据库

1. 示例

{
    "supportedFunctions": ["NtCreateProcess", "NtQueryInformationProcess"],// 数据库已支持函数（数据库未支持的未显示在gui
    "NtCreateProcess": {
        "hasResult": true, // 函数是否有返回值
        "paraCount": 8, / 函数参数个数（不包括返回值）
        "paras": {
            "para0": { // 函数返回结果（若无也需要保留该字段
                "type": "NSTATUS", // 类型
                "name": "result", // 名称
                "hasPreValue": false // 是否有预定义值 可参考`DB/NTDLL.JSON -> NtQueryInformationProcess`
            },
            "para1": {// 第一个参数
                "type": "PHANDLE",
                "name": "ProcessHandle",
                "hasPreValue": false
            },
            "para2": { // 第二个参数
                "type": "ACCESS_MASK",
                "name": "DesiredAccess",
                "hasPreValue": false
            },
            "para3": {
                "type": "POBJECT_ATTRIBUTES",
                "name": "ObjectAttributes",
                "hasPreValue": false
            },
            "para4": {
                "type": "HANDLE",
                "name": "ParentProcess",
                "hasPreValue": false
            },
            "para5": {
                "type": "BOOLEAN",
                "name": "InheritObjectTable",
                "hasPreValue": false
            },
            "para6": {
                "type": "HANDLE",
                "name": "SectionHandle",
                "hasPreValue": false
            },
            "para7": {
                "type": "HANDLE",
                "name": "DebugPort",
                "hasPreValue": false
            },
            "para8": {
                "type": "HANDLE",
                "name": "ExceptionPort",
                "hasPreValue": false
            }
        }
    }
}    

3. 如果有数据显示类似以下结果

函数返回类型 函数结果名称(原值/预定义值(若已设置)) 调用类型 (参数返回类型 参数名称(原值/预定义值(若已设置))[预定义注释], ...)

3.1 调用前：未调用NtQueryInformationProcess时参数的内容

NSTATUS result(无返回值) __stdcall (HANDLE ProcessHandle(0xffffffff), PROCESSINFOCLASS ProcessInformationClass(ProcessBasicInformation)[there is any comments], PVOID ProcessInformation(0x695198), ULONG ProcessInformationLength(0x18), PULONG ReturnLength(0x6951b0))

3.2 调用后：调用NtQueryInformationProcess后参数的内容

NSTATUS result(0x0) __stdcall (HANDLE ProcessHandle(0xffffffff), PROCESSINFOCLASS ProcessInformationClass(ProcessBasicInformation)[there is any comments], PVOID ProcessInformation(0x695198), ULONG ProcessInformationLength(0x18), PULONG ReturnLength(0x6951b0))

已支持函数

• ntdll.dll
• NtCreateProcess
• NtCreateProcessEx
• NtOpenProcess
• NtTerminateProcess
• NtSuspendProcess
• NtResumeProcess
• NtQueryInformationProcess
• NtGetNextProcess
• NtGetNextThread
• NtSetInformationProcess
• NtQueryPortInformationProcess
• NtCreateThread
• NtOpenThread
• NtTerminateThread
• NtSuspendThread
• NtResumeThread
• NtGetCurrentProcessorNumber
• NtGetContextThread
• NtSetContextThread
• NtQueryInformationThread
• NtSetInformationThread
• NtAlertThread
• NtAlertResumeThread
• NtImpersonateThread
• NtTestAlert
• NtRegisterThreadTerminatePort
• NtSetLdtEntries
• NtQueueApcThread
• NtQueueApcThreadEx
• NtCreateUserProcess
• NtCreateThreadEx
• NtOpenJobObject
• NtCreateJobObject
• NtAssignProcessToJobObject
• NtTerminateJobObject
• NtIsProcessInJob
• NtQueryInformationJobObject
• NtSetInformationJobObject
• NtCreateJobSet
• NtCreateFile
• NtCreateNamedPipeFile
• NtCreateMailslotFile
• NtOpenFile
• NtDeleteFile
• NtFlushBuffersFile
• NtQueryInformationFile
• NtSetInformationFile
• NtQueryDirectoryFile
• NtQueryEaFile
• NtSetEaFile
• NtQueryQuotaInformationFile
• NtSetQuotaInformationFile
• NtQueryVolumeInformationFile
• NtSetVolumeInformationFile
• NtCancelIoFile
• NtCancelIoFileEx
• NtCancelSynchronousIoFile
• NtDeviceIoControlFile
• NtFsControlFile
• NtReadFile
• NtWriteFile
• NtReadFileScatter
• NtWriteFileGather
• NtLockFile
• NtUnlockFile
• NtQueryAttributesFile
• NtQueryFullAttributesFile
• NtNotifyChangeDirectoryFile
• NtLoadDriver
• NtUnloadDriver
• NtCreateIoCompletion
• NtOpenIoCompletion
• NtQueryIoCompletion
• NtSetIoCompletion
• NtSetIoCompletionEx
• NtRemoveIoCompletion
• NtRemoveIoCompletionEx
• NtAllocateVirtualMemory
• NtFreeVirtualMemory
• NtReadVirtualMemory
• NtWriteVirtualMemory
• NtProtectVirtualMemory
• NtQueryVirtualMemory
• NtLockVirtualMemory
• NtUnlockVirtualMemory
• NtCreateSection
• NtOpenSection
• NtMapViewOfSection
• NtUnmapViewOfSection
• NtExtendSection
• NtQuerySection
• NtAreMappedFilesTheSame
• NtMapUserPhysicalPages
• NtMapUserPhysicalPagesScatter
• NtAllocateUserPhysicalPages
• NtFreeUserPhysicalPages
• NtOpenSession
• NtGetWriteWatch
• NtResetWriteWatch
• NtCreatePagingFile
• NtFlushInstructionCache
• NtFlushWriteBuffer
• NtCreateEnclave
• NtLoadEnclaveData
• NtInitializeEnclave
• NtTerminateEnclave
• NtCallEnclave

示例

计划列表

1. 支持多进程、支持64位、更多模块（kener32、user32...） 更多api支持、支持脚本自动拦截并设置参数及返回值

依赖

1. qt5.14.2
2. simdjson

...

其它

• 下载：v20200621
• 更新日志