April 2023

An x64 inline hook that calls OutputDebugString kept crashing; tracing it in x64dbg showed the crash at:

<ntdll.RtlCaptureContext>            
| 48:9C                              | pushfq      
| 8C49 38                            | mov word ptr ds:[rcx+38],cs                       
| 8C59 3A                            | mov word ptr ds:[rcx+3A],ds                       
| 8C41 3C                            | mov word ptr ds:[rcx+3C],es                       
| 8C51 42                            | mov word ptr ds:[rcx+42],ss                       
| 8C61 3E                            | mov word ptr ds:[rcx+3E],fs                       
| 8C69 40                            | mov word ptr ds:[rcx+40],gs                       
| 48:8941 78                         | mov qword ptr ds:[rcx+78],rax                     
| 48:8989 80000000                   | mov qword ptr ds:[rcx+80],rcx                     
| 48:8991 88000000                   | mov qword ptr ds:[rcx+88],rdx                     
| 48:8999 90000000                   | mov qword ptr ds:[rcx+90],rbx                     
| 48:8D4424 10                       | lea rax,qword ptr ss:[rsp+10]                     
| 48:8981 98000000                   | mov qword ptr ds:[rcx+98],rax                     
| 48:89A9 A0000000                   | mov qword ptr ds:[rcx+A0],rbp                     
| 48:89B1 A8000000                   | mov qword ptr ds:[rcx+A8],rsi                     
| 48:89B9 B0000000                   | mov qword ptr ds:[rcx+B0],rdi                     
| 4C:8981 B8000000                   | mov qword ptr ds:[rcx+B8],r8                      
| 4C:8989 C0000000                   | mov qword ptr ds:[rcx+C0],r9                      
| 4C:8991 C8000000                   | mov qword ptr ds:[rcx+C8],r10                     
| 4C:8999 D0000000                   | mov qword ptr ds:[rcx+D0],r11                     
| 4C:89A1 D8000000                   | mov qword ptr ds:[rcx+D8],r12                     
| 4C:89A9 E0000000                   | mov qword ptr ds:[rcx+E0],r13                     
| 4C:89B1 E8000000                   | mov qword ptr ds:[rcx+E8],r14                     
| 4C:89B9 F0000000                   | mov qword ptr ds:[rcx+F0],r15                     
| 0FAE81 00010000                    | fxsave ds:[rcx+100]                 << crash line

What I found when looking it up:
XMM operations require 16-byte alignment, so when rcx is not 16-byte aligned the instruction faults. In other words, the address fxsave writes to must be 16-byte aligned, and since rcx is derived from rsp (via sub rsp), RSP must be a multiple of 0x10 at the moment OutputDebugString is called.

So the fix was to sub rsp by 8*x myself (some multiple of 8) before calling OutputDebugString, and add rsp by the same amount afterwards to rebalance the stack.
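Rather than guessing the multiple of 8, the adjustment can be computed from the ABI rule the crash exposes: RSP must be 16-byte aligned at the call site, so RSP+8 is aligned at callee entry and a callee such as RtlCaptureContext can derive a 16-byte-aligned CONTEXT from it. The C program below is an added illustration, not code from the post; it models the stack arithmetic only (it does not hook anything). The RSP value and the 32-byte Win64 shadow space it uses are assumptions stated in the comments.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_ALIGN 16u
#define WIN64_SHADOW 32u /* home space a Win64 callee may spill rcx,rdx,r8,r9 into */

/* fxsave (and the movaps stores that follow it in RtlCaptureContext) fault
   unless the target address is on a 16-byte boundary. */
static bool is_fxsave_aligned(uint64_t addr) {
  return (addr % STACK_ALIGN) == 0;
}

/* Bytes to subtract from RSP before the `call`: the shadow space rounded up
   to 16, plus whatever brings RSP back onto a 16-byte boundary. On a
   well-formed x64 stack RSP is 0 or 8 mod 16, so that extra is 0 or 8. */
static uint64_t call_site_adjust(uint64_t rsp, uint64_t shadow) {
  uint64_t shadow_rounded = (shadow + STACK_ALIGN - 1) & ~(uint64_t)(STACK_ALIGN - 1);
  return shadow_rounded + (rsp % STACK_ALIGN);
}

/* RSP as the callee sees it at its first instruction: after our `sub` and
   after `call` pushed the 8-byte return address. */
static uint64_t callee_entry_rsp(uint64_t rsp_before_sub, uint64_t adjust) {
  return rsp_before_sub - adjust - 8;
}

/* The x64 ABI requires RSP + 8 to be 16-byte aligned at function entry; the
   callee computes its stack objects (the CONTEXT behind rcx in the listing)
   on that assumption. */
static bool callee_stack_ok(uint64_t rsp_at_entry) {
  return ((rsp_at_entry + 8) % STACK_ALIGN) == 0;
}

/* Model of the post's situation: the hooked function is entered (RSP is 8 mod
   16), the hook pushes `pushed_regs` 8-byte registers to preserve them, then
   wants to call OutputDebugString. Returns the `sub rsp` amount that makes
   that call conform to the ABI. */
static uint64_t hook_adjust_for_call(uint64_t rsp_at_function_entry, unsigned pushed_regs) {
  uint64_t rsp = rsp_at_function_entry - 8ull * pushed_regs;
  return call_site_adjust(rsp, WIN64_SHADOW);
}

int main(void) {
  /* constructed value: RSP at entry of the hooked function (8 mod 16, as after a call) */
  const uint64_t entry = 0x000000d4f0affe08ull;
  for (unsigned pushed = 0; pushed <= 3; pushed++) {
    uint64_t rsp = entry - 8ull * pushed;
    uint64_t fixed_adjust = hook_adjust_for_call(entry, pushed);
    /* a constant `sub rsp,0x20` is right only when the pushes happen to realign RSP */
    bool naive_ok = callee_stack_ok(callee_entry_rsp(rsp, WIN64_SHADOW));
    bool fixed_ok = callee_stack_ok(callee_entry_rsp(rsp, fixed_adjust));
    printf("pushed=%u rsp=%#" PRIx64 "  sub 0x20 -> %s  sub %#" PRIx64 " -> %s\n",
           pushed, rsp, naive_ok ? "ok" : "MISALIGNED",
           fixed_adjust, fixed_ok ? "ok" : "MISALIGNED");
  }
  return 0;
}
```

The loop shows why the bug looks random: whether a fixed `sub rsp,0x20` works depends on how many registers the hook pushed first, and the only reliable choice is an adjustment derived from the current RSP.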

What a headache: x64 has issues that x86 never made you think about, and this one cost me a whole day of research.

wget https://go.dev/dl/go1.22.2.linux-amd64.tar.gz
tar -zxvf go1.22.2.linux-amd64.tar.gz -C /usr/local/

cp /etc/profile /etc/profile.bak
echo export GOROOT=/usr/local/go >> /etc/profile
echo export PATH=/usr/local/go/bin:$PATH >> /etc/profile
source /etc/profile
go version

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive

If the second command fails, try running go env -w GO111MODULE=on and retry; if it still fails, look up how to upgrade your Go version.

Request a certificate with acme.sh

Converting the password

{
  order forward_proxy before file_server
}
:443, na.daehub.com {
  tls /etc/letsencrypt/live/daehub.com/fullchain.pem /etc/letsencrypt/live/daehub.com/privkey.pem
  forward_proxy {
    basic_auth user password
    hide_ip
    hide_via
    probe_resistance
  }
  file_server {
    root /usr/share/nginx/html
  }
}
caddy fmt --overwrite Caddyfile
caddy adapt Caddyfile > config.json

config.json

{
 "apps": {
   "http": {
     "servers": {
       "srv0": {
         "listen": [
           ":57418"
         ],
         "routes": [
           {
             "handle": [
               {
                 "auth_credentials": [
                    "ZFhObGNqcHdZWE56"
                  ],
                 "handler": "forward_proxy",
                 "hide_ip": true,
                 "hide_via": true,
                 "probe_resistance": {}
               }
             ]
           },
           {
             "handle": [
               {
                 "handler": "reverse_proxy",
                 "headers": {
                   "request": {
                     "set": {
                       "Host": [
                         "{http.reverse_proxy.upstream.hostport}"
                       ],
                       "X-Forwarded-Host": [
                         "{http.request.host}"
                       ]
                     }
                   }
                 },
                 "transport": {
                   "protocol": "http",
                   "tls": {}
                 },
                 "upstreams": [
                   {
                     "dial": "www.cloudreve.org:443"
                   }
                 ]
               }
             ]
           }
         ],
         "tls_connection_policies": [
           {
             "match": {
               "sni": [
                 "1199.eu.org"
               ]
             },
             "certificate_selection": {
               "any_tag": [
                 "cert0"
               ]
             }
           }
         ],
         "automatic_https": {
           "disable": true
         }
       }
     }
   },
   "tls": {
     "certificates": {
       "load_files": [
         {
           "certificate": "/root/.acme.sh/1199.eu.org/fullchain.cer",
           "key": "/root/.acme.sh/1199.eu.org/1199.eu.org.key",
           "tags": [
             "cert0"
           ]
         }
       ]
     }
   }
 }
}
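For the password conversion step: decoding the auth_credentials value in the config.json above twice yields user:pass, i.e. the adapted JSON stores base64(base64("user:pass")) (I assume the second layer comes from the JSON encoding of the plugin's byte-string field). The C program below is an added example, not code from the post or from Caddy/forwardproxy; it reproduces that derivation so you can generate the value offline or check what a deployed config actually contains. The user and password it uses are constructed sample inputs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding (RFC 4648). Writes a NUL-terminated string
   into out; returns the encoded length, or 0 if out is too small. */
static size_t b64_encode(const unsigned char *in, size_t n, char *out, size_t cap) {
  size_t need = 4 * ((n + 2) / 3);
  if (cap < need + 1) return 0;
  size_t o = 0;
  for (size_t i = 0; i < n; i += 3) {
    unsigned v = (unsigned)in[i] << 16;
    if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
    if (i + 2 < n) v |= (unsigned)in[i + 2];
    out[o++] = B64[(v >> 18) & 63];
    out[o++] = B64[(v >> 12) & 63];
    out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
    out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
  }
  out[o] = '\0';
  return o;
}

/* Self-check helper: does base64(in) equal expect? */
static bool b64_equals(const char *in, const char *expect) {
  char buf[1024];
  if (b64_encode((const unsigned char *)in, strlen(in), buf, sizeof buf) == 0) return false;
  return strcmp(buf, expect) == 0;
}

/* Produce the auth_credentials entry for a basic_auth user/password pair:
   base64("user:pass"), then base64 of that text again, as in config.json.
   Returns the length written, or 0 on failure. */
static size_t forward_proxy_credential(const char *user, const char *pass,
                                       char *out, size_t cap) {
  char pair[256];
  char once[512];
  int n = snprintf(pair, sizeof pair, "%s:%s", user, pass);
  if (n < 0 || (size_t)n >= sizeof pair) return 0;
  if (b64_encode((const unsigned char *)pair, (size_t)n, once, sizeof once) == 0) return 0;
  return b64_encode((const unsigned char *)once, strlen(once), out, cap);
}

/* Check whether a value taken from a deployed config.json corresponds to
   the user/password pair you intended to configure. */
static bool credential_matches(const char *encoded, const char *user, const char *pass) {
  char buf[1024];
  if (forward_proxy_credential(user, pass, buf, sizeof buf) == 0) return false;
  return strcmp(buf, encoded) == 0;
}

int main(void) {
  char cred[1024];
  /* constructed sample pair; "user"/"pass" reproduces the value in the config.json above */
  if (forward_proxy_credential("user", "pass", cred, sizeof cred) == 0) return 1;
  printf("user:pass -> %s\n", cred);
  printf("matches the page's value: %s\n",
         credential_matches("ZFhObGNqcHdZWE56", "user", "pass") ? "yes" : "no");
  return 0;
}
```

Because this is an encoding and not a hash, config.json holds the proxy password in recoverable form: keep the file readable only by the account the service runs as (the unit below runs as root and reads it from /root), and confirm what you deployed with credential_matches rather than by eye.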
ln -s /root/caddy /usr/bin/caddy

/etc/systemd/system/naive.service

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=root
Group=root
ExecStart=/usr/bin/caddy run --environ --config /root/config.json
ExecReload=/usr/bin/caddy reload --config /root/config.json
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

systemctl enable naive.service
systemctl start naive.service

If you want to save the effort, there is also a one-click script

wget -N https://gitlab.com/rwkgyg/naiveproxy-yg/raw/main/naiveproxy.sh && bash naiveproxy.sh