PEB标记反调试方法
PEB标记反调试方法
一丶PEB结构简介
PEB.简称进程环境快. 我们在讲DLL隐藏的时候已经说过了.
具体博客链接: https://www.cnblogs.com/iBinary/p/9601860.html
那么我们现在直接看下PEB结构体吧
[+0x000] InheritedAddressSpace : 0x0 [Type: unsigned char]
[+0x001] ReadImageFileExecOptions : 0x0 [Type: unsigned char]
[+0x002] BeingDebugged : 0x1 [Type: unsigned char] //一个char类型.为1表示调试状态.为0表示没有调试.可以用于反调试. API也是从这里获取的标志
[+0x003] BitField : 0x8 [Type: unsigned char]
[+0x003 ( : )] ImageUsesLargePages : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsProtectedProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsLegacyProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsImageDynamicallyRelocated : 0x1 [Type: unsigned char]
[+0x003 ( : )] SkipPatchingUser32Forwarders : 0x0 [Type: unsigned char]
[+0x003 ( : )] SpareBits : 0x0 [Type: unsigned char]
[+0x004] Mutant : 0xffffffff [Type: void *]
[+0x008] ImageBaseAddress : 0x11d0000 [Type: void *]
[+0x00c] Ldr : 0x77190200 [Type: _PEB_LDR_DATA *] //用于模块隐藏的结构体
[+0x010] ProcessParameters : 0x7216d0 [Type: _RTL_USER_PROCESS_PARAMETERS *]
[+0x014] SubSystemData : 0x0 [Type: void *]
[+0x018] ProcessHeap : 0x720000 [Type: void *]
[+0x01c] FastPebLock : 0x77192100 [Type: _RTL_CRITICAL_SECTION *]
[+0x020] AtlThunkSListPtr : 0x0 [Type: void *]
[+0x024] IFEOKey : 0x0 [Type: void *]
[+0x028] CrossProcessFlags : 0x2 [Type: unsigned long]
[+0x028 ( : )] ProcessInJob : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessInitializing : 0x1 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVEH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVCH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingFTH : 0x0 [Type: unsigned long]
[+0x028 (: )] ReservedBits0 : 0x0 [Type: unsigned long]
[+0x02c] KernelCallbackTable : 0x0 [Type: void *]
[+0x02c] UserSharedInfoPtr : 0x0 [Type: void *]
[+0x030] SystemReserved [Type: unsigned long []]
[+0x034] AtlThunkSListPtr32 : 0x0 [Type: unsigned long]
[+0x038] ApiSetMap : 0x40000 [Type: void *]
[+0x03c] TlsExpansionCounter : 0x0 [Type: unsigned long]
[+0x040] TlsBitmap : 0x77194250 [Type: void *]
[+0x044] TlsBitmapBits [Type: unsigned long []]
[+0x04c] ReadOnlySharedMemoryBase : 0x7efe0000 [Type: void *]
[+0x050] HotpatchInformation : 0x0 [Type: void *]
[+0x054] ReadOnlyStaticServerData : 0x7efe0a90 [Type: void * *]
[+0x058] AnsiCodePageData : 0x7efa0000 [Type: void *]
[+0x05c] OemCodePageData : 0x7efa0000 [Type: void *]
[+0x060] UnicodeCaseTableData : 0x7efd0028 [Type: void *]
[+0x064] NumberOfProcessors : 0x8 [Type: unsigned long]
[+0x068] NtGlobalFlag : 0x70 [Type: unsigned long]
[+0x070] CriticalSectionTimeout : {-} [Type: _LARGE_INTEGER]
[+0x078] HeapSegmentReserve : 0x100000 [Type: unsigned long]
[+0x07c] HeapSegmentCommit : 0x2000 [Type: unsigned long]
[+0x080] HeapDeCommitTotalFreeThreshold : 0x10000 [Type: unsigned long]
[+0x084] HeapDeCommitFreeBlockThreshold : 0x1000 [Type: unsigned long]
[+0x088] NumberOfHeaps : 0x1 [Type: unsigned long]
[+0x08c] MaximumNumberOfHeaps : 0x10 [Type: unsigned long]
[+0x090] ProcessHeaps : 0x77194760 [Type: void * *]
[+0x094] GdiSharedHandleTable : 0x0 [Type: void *]
[+0x098] ProcessStarterHelper : 0x0 [Type: void *]
[+0x09c] GdiDCAttributeList : 0x0 [Type: unsigned long]
[+0x0a0] LoaderLock : 0x771920c0 [Type: _RTL_CRITICAL_SECTION *]
[+0x0a4] OSMajorVersion : 0x6 [Type: unsigned long]
[+0x0a8] OSMinorVersion : 0x1 [Type: unsigned long]
[+0x0ac] OSBuildNumber : 0x1db1 [Type: unsigned short]
[+0x0ae] OSCSDVersion : 0x100 [Type: unsigned short]
[+0x0b0] OSPlatformId : 0x2 [Type: unsigned long]
[+0x0b4] ImageSubsystem : 0x3 [Type: unsigned long]
[+0x0b8] ImageSubsystemMajorVersion : 0x6 [Type: unsigned long]
[+0x0bc] ImageSubsystemMinorVersion : 0x0 [Type: unsigned long]
[+0x0c0] ActiveProcessAffinityMask : 0xff [Type: unsigned long]
[+0x0c4] GdiHandleBuffer [Type: unsigned long []]
[+0x14c] PostProcessInitRoutine : 0x0 [Type: void (*)()]
[+0x150] TlsExpansionBitmap : 0x77194248 [Type: void *]
[+0x154] TlsExpansionBitmapBits [Type: unsigned long []]
[+0x1d4] SessionId : 0x1 [Type: unsigned long]
[+0x1d8] AppCompatFlags : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e0] AppCompatFlagsUser : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e8] pShimData : 0x0 [Type: void *]
[+0x1ec] AppCompatInfo : 0x0 [Type: void *]
[+0x1f0] CSDVersion : "Service Pack 1" [Type: _UNICODE_STRING]
[+0x1f8] ActivationContextData : 0x60000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x1fc] ProcessAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x200] SystemDefaultActivationContextData : 0x50000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x204] SystemAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x208] MinimumStackCommit : 0x0 [Type: unsigned long]
[+0x20c] FlsCallback : 0x0 [Type: _FLS_CALLBACK_INFO *]
[+0x210] FlsListHead [Type: _LIST_ENTRY]
[+0x218] FlsBitmap : 0x77194240 [Type: void *]
[+0x21c] FlsBitmapBits [Type: unsigned long []]
[+0x22c] FlsHighIndex : 0x0 [Type: unsigned long]
[+0x230] WerRegistrationData : 0x0 [Type: void *]
[+0x234] WerShipAssertPtr : 0x0 [Type: void *]
[+0x238] pContextData : 0x70000 [Type: void *]
[+0x23c] pImageHeaderHash : 0x0 [Type: void *]
[+0x240] TracingFlags : 0x0 [Type: unsigned long]
[+0x240 ( : )] HeapTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 ( : )] CritSecTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 (: )] SpareTracingBits : 0x0 [Type: unsigned long]
可以看到在加2的地方是表示是否被调试的标志.我们可以利用这个表示.请看下方代码.
二丶具体代码实现.
// PEB反调试.cpp : 定义控制台应用程序的入口点。
// #include "stdafx.h"
#include <Windows.h> int main()
{ DWORD dwIsDebug = ;
//dwIsDebug = ::IsDebuggerPresent(); IsDebuggerPresent的表示就是从PEB获取的.
__asm
{
mov eax, fs:[0x18]; //获取TEB
mov eax, [eax + 0x30];// 获取PEB
movzx eax, [eax + ];//获取调试标志
mov dwIsDebug,eax
}
if ( == dwIsDebug)
{
printf("你的程序正在被调试\r\n");
getchar();
}
else
{
printf("你的程序没有被调试\r\n");
getchar();
}
return ;
}
而操作系统提供了一个API就是判断是否被调试的.其实内部也是获取PEB标志,有兴趣的可以反汇编查看.
三丶实现结果
x32dbg启动
正常启动
PEB标记反调试方法的更多相关文章
- Windows 下常见的反调试方法
稍稍总结一下在Crack或Rervese中比较常见的一些反调试方法,实现起来也比较简单,之后有写的Demo源码参考,没有太大的难度. ①最简单也是最基础的,Windows提供的API接口:IsDebu ...
- so层反调试方法以及部分反反调试的方法
1.检测ida远程调试所占的常用端口23946,是否被占用 //检测idaserver是否占用了23946端口 void CheckPort23946ByTcp() { FILE* pfile=NUL ...
- 手动绕过百度加固Debug.isDebuggerConnected反调试的方法
本文博客地址:http://blog.csdn.net/qq1084283172/article/details/78237571 1.调用Debug.isDebuggerConnected函数这种反 ...
- IsDebuggerPresent的反调试与反反调试
一.调用系统的IsDebuggerPresent函数 (1)实现程序 最简单也是最基础的,Windows提供的API接口:IsDebuggerPresent(),这API实际上就是访问PEB的Bein ...
- ELF反调试初探
ELF反调试初探 http://www.freebuf.com/sectool/83509.html ELF(Executable and Linkable Format)是Unix及类Unix系统下 ...
- APP加固反调试(Anti-debugging)技术点汇总
0x00 时间相关反调试 通过计算某部分代码的执行时间差来判断是否被调试,在Linux内核下可以通过time.gettimeofday,或者直接通过sys call来获取当前时间.另外,还可以通过自定 ...
- C/C++ 程序反调试的方法
C/C++ 要实现程序反调试有多种方法,BeingDebugged,NtGlobalFlag,ProcessHeap,CheckRemoteDebuggerPresent,STARTUPINFO,Is ...
- APP安全防护基本方法(混淆/签名验证/反调试)
本教程所用Android Studio测试项目已上传:https://github.com/PrettyUp/SecTest 一.混淆 对于很多人而言是因为java才接触到“混淆”这个词,由于在前移动 ...
- 反调试技术常用API,用来对付检测od和自动退出程序
在调试一些病毒程序的时候,可能会碰到一些反调试技术,也就是说,被调试的程序可以检测到自己是否被调试器附加了,如果探知自己正在被调试,肯定是有人试图反汇编啦之类的方法破解自己.为了了解如何破解反调试技术 ...
随机推荐
- Newtonsoft.Json 时间格式化
时间序列化经常多个T:“2017-01-23T00:00:00” 解决方案: 日期格式化输出,指定IsoDateTimeConverter的DateTimeFormat即可 IsoDateTimeCo ...
- 每日一练ACM 2019.04.13
2019.04.13 第1002题:A+B Proble Ⅱ Problem DescriptionI have a very simple problem for you. Given two in ...
- python语言相关语法基础
numpy系列import numpya = numpy.array([[1,2], [3,4]])b = numpy.array([[5,6], [7,8]])a*b>>>arra ...
- s6-9 TCP 定时器
TCP 定时器管理 重传定时器(retransmission timer,Positive ackn. with retransmit) 最重要的定时器 TCP 定时器管理 持续定时器(per ...
- python PyInstaller 库
https://www.cnblogs.com/gopythoner/p/6337543.html https://www.cnblogs.com/duan-qs/p/6548875.html htt ...
- REdis之RDB配置问题
RDB配置:save 900 1save 300 10save 60 10000stop-writes-on-bgsave-error nordbcompression yesrdbchecksum ...
- 将preg_replace()改写为preg_replace_callback()
preg_replace()函数使用/e修饰符可能带来安全隐患,PHP5.5之后,该用法被抛弃使用,升级为preg_replace_callback().在新版本下运行老版本的代码,会出现错误,如: ...
- JQuery 操作数组 each、map、grep、filter
Jquery中对数组的操作大致有一下几种形式:1.$.each( collection, callback(indexInArray, valueOfElement) )$.each()函数和$(se ...
- FPGA学习之旅
从大学就开始使用stm32,工作之后,仍然没有摆脱,从f1系列,到f4系列,然后又到L1系列,尽管可以满足工作需要,但还是希望可以摆脱束缚,尝试学习FPGA,希望能够遇到一个好机遇.
- java获取当前日期的前一天和后一天
/** * 获得指定日期的前一天 * @param specifiedDay * @return * @throws Exception */ public static String getSpec ...