stonedreamforest / Mirage
Kernel-mode anti-anti-debug plugin based on Intel VT-x and EPT
Stars: ✭ 272
Projects that are alternatives of or similar to Mirage
Asm Cli
Interactive shell of assembly language(X86/X64) based on unicorn and keystone
Stars: ✭ 211 (-22.43%)
Mutual labels: intel, x86, x64
async
async is a tiny C++ header-only high-performance library for async calls handled by a thread-pool, which is built on top of an unbounded MPMC lock-free queue.
Stars: ✭ 25 (-90.81%)
Mutual labels: x64, x86
Capstone.NET
.NET Core and .NET Framework binding for the Capstone Disassembly Framework
Stars: ✭ 108 (-60.29%)
Mutual labels: x64, x86
Reverse-Engineering
A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures.
Stars: ✭ 7,234 (+2559.56%)
Mutual labels: x64, x86
Prevent Process Creation
Record & prevent process creation in kernel mode
Stars: ✭ 31 (-88.6%)
Mutual labels: driver, windbg
opcodesDB
x86-64 | ARM (AArch32/AArch64/THUMB) full instruction set.
Stars: ✭ 49 (-81.99%)
Mutual labels: x64, x86
x86-Assembly-Reverse-Engineering
🛠 Knowledge about the topic of x86 assembly & disassembly 🛠
Stars: ✭ 27 (-90.07%)
Mutual labels: intel, x86
xgadget
Fast, parallel, cross-variant ROP/JOP gadget search for x86/x64 binaries.
Stars: ✭ 33 (-87.87%)
Mutual labels: x64, x86
x86-csv
A machine-readable representation of the Intel x86 Instruction Set Reference.
Stars: ✭ 20 (-92.65%)
Mutual labels: intel, x86
8086-cheatsheet
8086 Microprocessor Cheat sheet with Programs
Stars: ✭ 81 (-70.22%)
Mutual labels: x64, x86
profiler-api
The portable version of JetBrains profiler API for .NET Framework / .NET Core / .NET / .NET Standard / Mono
Stars: ✭ 21 (-92.28%)
Mutual labels: x64, x86
oberon-07-compiler
Oberon-07 compiler for x64 (Windows, Linux), x86 (Windows, Linux, KolibriOS), MSP430x{1,2}xx, STM32 Cortex-M3
Stars: ✭ 45 (-83.46%)
Mutual labels: x64, x86
fdtd3d
fdtd3d is an open source 1D, 2D, 3D FDTD electromagnetics solver with MPI, OpenMP and CUDA support for x86, arm, arm64 architectures
Stars: ✭ 77 (-71.69%)
Mutual labels: x64, x86
Zydis
Fast and lightweight x86/x86-64 disassembler and code generation library
Stars: ✭ 2,168 (+697.06%)
Mutual labels: intel, x86
Reloaded.Assembler
Minimal .NET wrapper around the simple, easy to use Flat Assembler written by Tomasz Grysztar. Supports both x64 and x86 development.
Stars: ✭ 17 (-93.75%)
Mutual labels: x64, x86
Saraff.Twain.NET
Saraff.Twain.NET is the skillful scanning component which allows you to control work of flatbed scanner, web and digital camera and any other TWAIN device from .NET environment. You can use this library in your programs written in any programming languages compatible with .NET technology.
Stars: ✭ 74 (-72.79%)
Mutual labels: x64, x86
Mirage
The driver is signed, but with a leaked certificate, so disable antivirus before use. (A leaked code-signing certificate is exactly what AV engines and driver blocklists flag, so treat the binary as untrusted and run it only in a disposable analysis VM.)
Notes
- Based on Intel VT-x and EPT
- Does not conflict with other anti-anti-debug plugins
Supported checks
- [x] IsDebuggerPresent
- [x] CheckRemoteDebuggerPresent
- [x] Process Environment Block (BeingDebugged)
- [x] Process Environment Block (NtGlobalFlag)
- [x] ProcessHeap (Flags)
- [x] ProcessHeap (ForceFlags)
- [x] NtQueryInformationProcess (ProcessDebugPort)
- [x] NtQueryInformationProcess (ProcessDebugFlags)
- [x] NtQueryInformationProcess (ProcessDebugObject)
- [x] NtSetInformationThread (HideThreadFromDebugger)
- [x] NtQueryObject (ObjectTypeInformation)
- [x] NtQueryObject (ObjectAllTypesInformation)
- [x] CloseHandle (NtClose) invalid handle
- [x] SetHandleInformation (Protected Handle)
- [x] Hardware Breakpoints (SEH / GetThreadContext)
- [x] NtYieldExecution / SwitchToThread
- [x] Process jobs
- [x] Memory write watching
Only detections that can be handled from kernel mode are in scope (if anything is missing, or you have ideas or suggestions, let me know).
Test program: al-khaser
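To see which of the checks above a plugin actually hides, it helps to have a small probe in the style of al-khaser. The C program below is an added example written for this page, not Mirage's or al-khaser's code: it runs a subset of the listed checks against its own process and prints 1 for every check that still sees a debugger. The flag-decoding helpers (heap_flags_debugged, ntglobalflag_debugged, debug_flags_debugged, names chosen here) are plain C and also build on non-Windows hosts; the Windows probes assume the Windows SDK or MinGW headers (windows.h, winternl.h), and the PEB.NtGlobalFlag and _HEAP Flags/ForceFlags offsets are the documented x64/x86 layouts for Vista and later. The flag values used in the non-Windows branch of main are constructed sample inputs, not values read from a live process.

```c
#include <stdio.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* Bits a debugger-created process carries in PEB.NtGlobalFlag:
 * FLG_HEAP_ENABLE_TAIL_CHECK (0x10) | FLG_HEAP_ENABLE_FREE_CHECK (0x20) |
 * FLG_HEAP_VALIDATE_PARAMETERS (0x40). */
#define PROBE_NTGLOBALFLAG_DEBUG_BITS 0x70u

/* Heap flag bits (same values as HEAP_GROWABLE, HEAP_TAIL_CHECKING_ENABLED,
 * HEAP_FREE_CHECKING_ENABLED, HEAP_VALIDATE_PARAMETERS_ENABLED); prefixed so
 * they do not collide with the SDK macros when building on Windows. */
#define PROBE_HEAP_GROWABLE        0x00000002u
#define PROBE_HEAP_TAIL_CHECK      0x00000020u
#define PROBE_HEAP_FREE_CHECK      0x00000040u
#define PROBE_HEAP_VALIDATE_PARAMS 0x40000000u
#define PROBE_HEAP_DEBUG_BITS (PROBE_HEAP_TAIL_CHECK | PROBE_HEAP_FREE_CHECK | PROBE_HEAP_VALIDATE_PARAMS)

/* ProcessHeap (Flags / ForceFlags): a process started outside a debugger has
 * Flags == HEAP_GROWABLE and ForceFlags == 0; the debug heap sets the three
 * checking bits in both fields. Returns 1 if the values look debugged. */
int heap_flags_debugged(uint32_t flags, uint32_t force_flags)
{
    return ((flags & PROBE_HEAP_DEBUG_BITS) != 0) || ((force_flags & PROBE_HEAP_DEBUG_BITS) != 0);
}

/* PEB.NtGlobalFlag: any of the 0x70 heap-checking bits means the process was
 * created under a debugger (or gflags was applied to it). */
int ntglobalflag_debugged(uint32_t ntglobalflag)
{
    return (ntglobalflag & PROBE_NTGLOBALFLAG_DEBUG_BITS) != 0;
}

/* NtQueryInformationProcess(ProcessDebugFlags) returns the NoDebugInherit
 * flag: 1 when no debugger is attached, 0 when one is. */
int debug_flags_debugged(uint32_t process_debug_flags)
{
    return process_debug_flags == 0;
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

/* winternl.h does not expose NtGlobalFlag, so read it at its known offset. */
static uint32_t read_ntglobalflag(void)
{
    const uint8_t *peb = (const uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
#ifdef _WIN64
    return *(const uint32_t *)(peb + 0xBC);
#else
    return *(const uint32_t *)(peb + 0x68);
#endif
}

/* _HEAP.Flags / _HEAP.ForceFlags of the default process heap (Vista+ layout). */
static void read_heap_flags(uint32_t *flags, uint32_t *force_flags)
{
    const uint8_t *heap = (const uint8_t *)GetProcessHeap();
#ifdef _WIN64
    *flags = *(const uint32_t *)(heap + 0x70);
    *force_flags = *(const uint32_t *)(heap + 0x74);
#else
    *flags = *(const uint32_t *)(heap + 0x40);
    *force_flags = *(const uint32_t *)(heap + 0x44);
#endif
}

static void run_windows_probes(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQueryInformationProcess_t NtQIP = ntdll
        ? (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    BOOL remote = FALSE;
    uint32_t flags = 0, force = 0, gflag = read_ntglobalflag();
    ULONG_PTR debug_port = 0;
    DWORD debug_flags = 1;
    HANDLE debug_object = NULL;

    CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote);
    read_heap_flags(&flags, &force);

    printf("IsDebuggerPresent             : %d\n", IsDebuggerPresent());
    printf("CheckRemoteDebuggerPresent    : %d\n", remote);
    printf("PEB.BeingDebugged             : %d\n", NtCurrentTeb()->ProcessEnvironmentBlock->BeingDebugged);
    printf("PEB.NtGlobalFlag   0x%08x   : %d\n", gflag, ntglobalflag_debugged(gflag));
    printf("ProcessHeap %08x/%08x : %d\n", flags, force, heap_flags_debugged(flags, force));
    if (NtQIP) {
        NtQIP(GetCurrentProcess(), ProcessDebugPort, &debug_port, sizeof debug_port, NULL);
        NtQIP(GetCurrentProcess(), (PROCESSINFOCLASS)0x1F, &debug_flags, sizeof debug_flags, NULL);   /* ProcessDebugFlags */
        NtQIP(GetCurrentProcess(), (PROCESSINFOCLASS)0x1E, &debug_object, sizeof debug_object, NULL); /* ProcessDebugObjectHandle */
        printf("ProcessDebugPort              : %d\n", debug_port != 0);
        printf("ProcessDebugFlags             : %d\n", debug_flags_debugged(debug_flags));
        printf("ProcessDebugObjectHandle      : %d\n", debug_object != NULL);
        if (debug_object) CloseHandle(debug_object);
    }
}
#endif

int main(void)
{
#ifdef _WIN32
    run_windows_probes();
#else
    /* Not Windows: exercise the decoders on constructed values (a clean
     * process heap, the debug-heap pattern, and NtGlobalFlag 0x70). */
    printf("clean heap   -> %d\n", heap_flags_debugged(PROBE_HEAP_GROWABLE, 0));
    printf("debug heap   -> %d\n", heap_flags_debugged(0x40000062u, 0x40000060u));
    printf("NtGlobalFlag -> %d\n", ntglobalflag_debugged(0x70u));
#endif
    return 0;
}
```

Run it three times: natively, under x64dbg with the plugin disabled, and with Mirage enabled; any line that still prints 1 in the last run is a check the plugin does not cover on your build. Note that the NtGlobalFlag and heap-flag checks only fire when the debuggee is started under the debugger, because those flags are set at process creation, not on attach; this is the difference between the "attach" and "start debugging" modes described in the usage section below.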
Supported systems
- win7 x64 (6.1.7600)
- win10 19h1 x64 (10.0.18362.XXXX)
Supported debuggers
- x64dbg is supported now, and support will keep being updated...
- OllyDbg (OD) will not be supported. Want OD support? Click to reply and vote
- Planned support (listed as already supported): windbg, cutter, ghidra. The latter two need those tools to support debugging themselves first.
Usage
- Use PDBDownloader.exe to download the pdb file for ntoskrnl.exe (by default it is downloaded to the C: drive).
- Use MVConfigBuild.exe ntoskrnl.pdb to generate the config.mv configuration file, then move it to the root of the C: drive (C:\).
  Start CMD as administrator and run:
  MVConfigBuild.exe C:\symbols\ntkrnlmp.pdb\hashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\ntkrnlmp.pdb
  (make sure MVConfigBuild.exe and msdia140.dll are in the same directory)
  An offline version is available: offline config (anyone can upload the config for their kernel version to that repository; format: [version.mv], for example 10.0.18362.295.mv; the version can be checked from cmd). Because config.mv is built from the symbols of one ntoskrnl build, it only fits that exact kernel version, which is why the offline configs are named by full build number.
File placement
- x64dbg:
  - Run: menu bar - Plugins - 幻境 (Mirage) - Enter
- windbg:
  - Run: windbg -a MirageV.dll
  - Then run: !MirageVRun
- Driver:
  - Usage
    - Attach: enter the process id, click "Attach process", then click "Enable"
    - Start debugging: just click "Enable"
Demo
Current version
Click to view: previous versions and the latest version
Changelog
Related
Finally
The source code will be released some day...
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].