PEB flag anti-debugging method
1. Brief introduction to the PEB structure
PEB is short for Process Environment Block. We already covered it when discussing DLL hiding.
Blog post: https://www.cnblogs.com/iBinary/p/9601860.html
Now let's look directly at the PEB structure.
[+0x000] InheritedAddressSpace : 0x0 [Type: unsigned char]
[+0x001] ReadImageFileExecOptions : 0x0 [Type: unsigned char]
[+0x002] BeingDebugged : 0x1 [Type: unsigned char] // a single char: 1 means the process is being debugged, 0 means it is not. Can be used for anti-debugging; the API reads its flag from here as well
[+0x003] BitField : 0x8 [Type: unsigned char]
[+0x003 ( : )] ImageUsesLargePages : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsProtectedProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsLegacyProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsImageDynamicallyRelocated : 0x1 [Type: unsigned char]
[+0x003 ( : )] SkipPatchingUser32Forwarders : 0x0 [Type: unsigned char]
[+0x003 ( : )] SpareBits : 0x0 [Type: unsigned char]
[+0x004] Mutant : 0xffffffff [Type: void *]
[+0x008] ImageBaseAddress : 0x11d0000 [Type: void *]
[+0x00c] Ldr : 0x77190200 [Type: _PEB_LDR_DATA *] // structure used for module hiding
[+0x010] ProcessParameters : 0x7216d0 [Type: _RTL_USER_PROCESS_PARAMETERS *]
[+0x014] SubSystemData : 0x0 [Type: void *]
[+0x018] ProcessHeap : 0x720000 [Type: void *]
[+0x01c] FastPebLock : 0x77192100 [Type: _RTL_CRITICAL_SECTION *]
[+0x020] AtlThunkSListPtr : 0x0 [Type: void *]
[+0x024] IFEOKey : 0x0 [Type: void *]
[+0x028] CrossProcessFlags : 0x2 [Type: unsigned long]
[+0x028 ( : )] ProcessInJob : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessInitializing : 0x1 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVEH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVCH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingFTH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ReservedBits0 : 0x0 [Type: unsigned long]
[+0x02c] KernelCallbackTable : 0x0 [Type: void *]
[+0x02c] UserSharedInfoPtr : 0x0 [Type: void *]
[+0x030] SystemReserved [Type: unsigned long []]
[+0x034] AtlThunkSListPtr32 : 0x0 [Type: unsigned long]
[+0x038] ApiSetMap : 0x40000 [Type: void *]
[+0x03c] TlsExpansionCounter : 0x0 [Type: unsigned long]
[+0x040] TlsBitmap : 0x77194250 [Type: void *]
[+0x044] TlsBitmapBits [Type: unsigned long []]
[+0x04c] ReadOnlySharedMemoryBase : 0x7efe0000 [Type: void *]
[+0x050] HotpatchInformation : 0x0 [Type: void *]
[+0x054] ReadOnlyStaticServerData : 0x7efe0a90 [Type: void * *]
[+0x058] AnsiCodePageData : 0x7efa0000 [Type: void *]
[+0x05c] OemCodePageData : 0x7efa0000 [Type: void *]
[+0x060] UnicodeCaseTableData : 0x7efd0028 [Type: void *]
[+0x064] NumberOfProcessors : 0x8 [Type: unsigned long]
[+0x068] NtGlobalFlag : 0x70 [Type: unsigned long]
[+0x070] CriticalSectionTimeout : {-} [Type: _LARGE_INTEGER]
[+0x078] HeapSegmentReserve : 0x100000 [Type: unsigned long]
[+0x07c] HeapSegmentCommit : 0x2000 [Type: unsigned long]
[+0x080] HeapDeCommitTotalFreeThreshold : 0x10000 [Type: unsigned long]
[+0x084] HeapDeCommitFreeBlockThreshold : 0x1000 [Type: unsigned long]
[+0x088] NumberOfHeaps : 0x1 [Type: unsigned long]
[+0x08c] MaximumNumberOfHeaps : 0x10 [Type: unsigned long]
[+0x090] ProcessHeaps : 0x77194760 [Type: void * *]
[+0x094] GdiSharedHandleTable : 0x0 [Type: void *]
[+0x098] ProcessStarterHelper : 0x0 [Type: void *]
[+0x09c] GdiDCAttributeList : 0x0 [Type: unsigned long]
[+0x0a0] LoaderLock : 0x771920c0 [Type: _RTL_CRITICAL_SECTION *]
[+0x0a4] OSMajorVersion : 0x6 [Type: unsigned long]
[+0x0a8] OSMinorVersion : 0x1 [Type: unsigned long]
[+0x0ac] OSBuildNumber : 0x1db1 [Type: unsigned short]
[+0x0ae] OSCSDVersion : 0x100 [Type: unsigned short]
[+0x0b0] OSPlatformId : 0x2 [Type: unsigned long]
[+0x0b4] ImageSubsystem : 0x3 [Type: unsigned long]
[+0x0b8] ImageSubsystemMajorVersion : 0x6 [Type: unsigned long]
[+0x0bc] ImageSubsystemMinorVersion : 0x0 [Type: unsigned long]
[+0x0c0] ActiveProcessAffinityMask : 0xff [Type: unsigned long]
[+0x0c4] GdiHandleBuffer [Type: unsigned long []]
[+0x14c] PostProcessInitRoutine : 0x0 [Type: void (*)()]
[+0x150] TlsExpansionBitmap : 0x77194248 [Type: void *]
[+0x154] TlsExpansionBitmapBits [Type: unsigned long []]
[+0x1d4] SessionId : 0x1 [Type: unsigned long]
[+0x1d8] AppCompatFlags : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e0] AppCompatFlagsUser : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e8] pShimData : 0x0 [Type: void *]
[+0x1ec] AppCompatInfo : 0x0 [Type: void *]
[+0x1f0] CSDVersion : "Service Pack 1" [Type: _UNICODE_STRING]
[+0x1f8] ActivationContextData : 0x60000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x1fc] ProcessAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x200] SystemDefaultActivationContextData : 0x50000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x204] SystemAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x208] MinimumStackCommit : 0x0 [Type: unsigned long]
[+0x20c] FlsCallback : 0x0 [Type: _FLS_CALLBACK_INFO *]
[+0x210] FlsListHead [Type: _LIST_ENTRY]
[+0x218] FlsBitmap : 0x77194240 [Type: void *]
[+0x21c] FlsBitmapBits [Type: unsigned long []]
[+0x22c] FlsHighIndex : 0x0 [Type: unsigned long]
[+0x230] WerRegistrationData : 0x0 [Type: void *]
[+0x234] WerShipAssertPtr : 0x0 [Type: void *]
[+0x238] pContextData : 0x70000 [Type: void *]
[+0x23c] pImageHeaderHash : 0x0 [Type: void *]
[+0x240] TracingFlags : 0x0 [Type: unsigned long]
[+0x240 ( : )] HeapTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 ( : )] CritSecTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 ( : )] SpareTracingBits : 0x0 [Type: unsigned long]
As you can see, the byte at offset +2 is the flag that indicates whether the process is being debugged. We can make use of this flag; see the code below.
2. Code implementation
// PEB anti-debug.cpp : entry point of the console application.
//
#include "stdafx.h"   // precompiled header from the Visual Studio project; drop it if your project has none
#include <stdio.h>
#include <Windows.h>

int main()
{
    DWORD dwIsDebug = 0;
    // dwIsDebug = ::IsDebuggerPresent(); // IsDebuggerPresent takes its answer from the PEB too.
    __asm
    {
        mov eax, fs:[0x18];                // get the TEB
        mov eax, [eax + 0x30];             // get the PEB
        movzx eax, byte ptr [eax + 0x2];   // read the BeingDebugged flag (PEB+0x002)
        mov dwIsDebug, eax
    }
    if (1 == dwIsDebug)
    {
        printf("你的程序正在被调试\r\n");
        getchar();
    }
    else
    {
        printf("你的程序没有被调试\r\n");
        getchar();
    }
    return 0;
}
The operating system also provides an API that checks whether the process is being debugged; internally it reads the same PEB flag. Disassemble it if you are interested.
3. Results
Launched under x32dbg:
Launched normally:
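The same flag read, written as an added C example that is not the article's code: it mirrors the first four bytes of the PEB from the dump above in a struct, verifies that the struct's BeingDebugged offset agrees with the dump's +0x002, reads the flag from constructed PEB buffers (the bytes 00 00 01 08 are copied from the dump; the clean variant is made up), and, when built with MSVC on Windows, reads the live PEB through the TEB using the `__readfsdword`/`__readgsqword` intrinsics instead of inline assembly. The x64 path (TEB+0x60) goes beyond the article, which only shows the x86 case (TEB+0x30); the `peb_prefix` struct, function names and sample buffers are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First four bytes of the PEB, laid out to match dump offsets +0x000..+0x003. */
struct peb_prefix {
    uint8_t InheritedAddressSpace;     /* +0x000 */
    uint8_t ReadImageFileExecOptions;  /* +0x001 */
    uint8_t BeingDebugged;             /* +0x002 : 1 = debugger attached, 0 = not */
    uint8_t BitField;                  /* +0x003 */
};

#define PEB_BEING_DEBUGGED_OFFSET 0x002

/* Reads BeingDebugged from a PEB image (live or captured) exactly as the
   inline assembly does: one byte at +0x002, zero-extended to an int. */
int peb_being_debugged(const uint8_t *peb)
{
    return (int)peb[PEB_BEING_DEBUGGED_OFFSET];
}

/* Layout self-check: the struct offset must agree with the dump's +0x002. */
int peb_layout_matches_dump(void)
{
    return offsetof(struct peb_prefix, BeingDebugged) == PEB_BEING_DEBUGGED_OFFSET;
}

/* Constructed sample PEB prefixes: the first is the dump above (00 00 01 08,
   i.e. BeingDebugged = 1); the second is the same bytes with the flag cleared. */
static const uint8_t SAMPLE_PEB_DEBUGGED[4] = { 0x00, 0x00, 0x01, 0x08 };
static const uint8_t SAMPLE_PEB_CLEAN[4]    = { 0x00, 0x00, 0x00, 0x08 };

#if defined(_WIN32) && defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
#include <intrin.h>
/* Live read on Windows/MSVC: TEB -> PEB via the TEB's PEB pointer
   (fs:[0x30] on x86, gs:[0x60] on x64), then the caller reads PEB+0x002. */
const uint8_t *current_peb(void)
{
#if defined(_M_IX86)
    return (const uint8_t *)(uintptr_t)__readfsdword(0x30);
#else
    return (const uint8_t *)__readgsqword(0x60);
#endif
}
#endif

int main(void)
{
    printf("layout check: %s\n", peb_layout_matches_dump() ? "ok" : "MISMATCH");
    printf("sample (debugged): %d\n", peb_being_debugged(SAMPLE_PEB_DEBUGGED));
    printf("sample (clean):    %d\n", peb_being_debugged(SAMPLE_PEB_CLEAN));
#if defined(_WIN32) && defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
    printf("this process: %s\n",
           peb_being_debugged(current_peb()) ? "being debugged" : "not being debugged");
#endif
    return 0;
}
```

The layout check matters because the whole technique is a raw byte read at a fixed offset: if the struct and the dump disagreed, the code would be reading some other field. When analysing a sample that uses this check, remember that it is a single byte owned by the process itself, so it is a weak indicator on its own and is usually paired with other checks.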