PEB Flag Anti-Debugging Method

1. Introduction to the PEB structure

PEB is short for Process Environment Block. We already covered it in the post on DLL hiding.

That post is here: https://www.cnblogs.com/iBinary/p/9601860.html

Now let's look directly at the PEB structure (debugger dump of _PEB in a 32-bit process):

[+0x000] InheritedAddressSpace : 0x0 [Type: unsigned char]
[+0x001] ReadImageFileExecOptions : 0x0 [Type: unsigned char]
[+0x002] BeingDebugged : 0x1 [Type: unsigned char] // a single char: 1 means the process is being debugged, 0 means it is not. Usable for anti-debugging; the API reads this same flag
[+0x003] BitField : 0x8 [Type: unsigned char]
[+0x003 ( : )] ImageUsesLargePages : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsProtectedProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsLegacyProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsImageDynamicallyRelocated : 0x1 [Type: unsigned char]
[+0x003 ( : )] SkipPatchingUser32Forwarders : 0x0 [Type: unsigned char]
[+0x003 ( : )] SpareBits : 0x0 [Type: unsigned char]
[+0x004] Mutant : 0xffffffff [Type: void *]
[+0x008] ImageBaseAddress : 0x11d0000 [Type: void *]
[+0x00c] Ldr : 0x77190200 [Type: _PEB_LDR_DATA *] // the structure used for module hiding
[+0x010] ProcessParameters : 0x7216d0 [Type: _RTL_USER_PROCESS_PARAMETERS *]
[+0x014] SubSystemData : 0x0 [Type: void *]
[+0x018] ProcessHeap : 0x720000 [Type: void *]
[+0x01c] FastPebLock : 0x77192100 [Type: _RTL_CRITICAL_SECTION *]
[+0x020] AtlThunkSListPtr : 0x0 [Type: void *]
[+0x024] IFEOKey : 0x0 [Type: void *]
[+0x028] CrossProcessFlags : 0x2 [Type: unsigned long]
[+0x028 ( : )] ProcessInJob : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessInitializing : 0x1 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVEH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVCH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingFTH : 0x0 [Type: unsigned long]
[+0x028 (: )] ReservedBits0 : 0x0 [Type: unsigned long]
[+0x02c] KernelCallbackTable : 0x0 [Type: void *]
[+0x02c] UserSharedInfoPtr : 0x0 [Type: void *]
[+0x030] SystemReserved [Type: unsigned long []]
[+0x034] AtlThunkSListPtr32 : 0x0 [Type: unsigned long]
[+0x038] ApiSetMap : 0x40000 [Type: void *]
[+0x03c] TlsExpansionCounter : 0x0 [Type: unsigned long]
[+0x040] TlsBitmap : 0x77194250 [Type: void *]
[+0x044] TlsBitmapBits [Type: unsigned long []]
[+0x04c] ReadOnlySharedMemoryBase : 0x7efe0000 [Type: void *]
[+0x050] HotpatchInformation : 0x0 [Type: void *]
[+0x054] ReadOnlyStaticServerData : 0x7efe0a90 [Type: void * *]
[+0x058] AnsiCodePageData : 0x7efa0000 [Type: void *]
[+0x05c] OemCodePageData : 0x7efa0000 [Type: void *]
[+0x060] UnicodeCaseTableData : 0x7efd0028 [Type: void *]
[+0x064] NumberOfProcessors : 0x8 [Type: unsigned long]
[+0x068] NtGlobalFlag : 0x70 [Type: unsigned long]
[+0x070] CriticalSectionTimeout : {-} [Type: _LARGE_INTEGER]
[+0x078] HeapSegmentReserve : 0x100000 [Type: unsigned long]
[+0x07c] HeapSegmentCommit : 0x2000 [Type: unsigned long]
[+0x080] HeapDeCommitTotalFreeThreshold : 0x10000 [Type: unsigned long]
[+0x084] HeapDeCommitFreeBlockThreshold : 0x1000 [Type: unsigned long]
[+0x088] NumberOfHeaps : 0x1 [Type: unsigned long]
[+0x08c] MaximumNumberOfHeaps : 0x10 [Type: unsigned long]
[+0x090] ProcessHeaps : 0x77194760 [Type: void * *]
[+0x094] GdiSharedHandleTable : 0x0 [Type: void *]
[+0x098] ProcessStarterHelper : 0x0 [Type: void *]
[+0x09c] GdiDCAttributeList : 0x0 [Type: unsigned long]
[+0x0a0] LoaderLock : 0x771920c0 [Type: _RTL_CRITICAL_SECTION *]
[+0x0a4] OSMajorVersion : 0x6 [Type: unsigned long]
[+0x0a8] OSMinorVersion : 0x1 [Type: unsigned long]
[+0x0ac] OSBuildNumber : 0x1db1 [Type: unsigned short]
[+0x0ae] OSCSDVersion : 0x100 [Type: unsigned short]
[+0x0b0] OSPlatformId : 0x2 [Type: unsigned long]
[+0x0b4] ImageSubsystem : 0x3 [Type: unsigned long]
[+0x0b8] ImageSubsystemMajorVersion : 0x6 [Type: unsigned long]
[+0x0bc] ImageSubsystemMinorVersion : 0x0 [Type: unsigned long]
[+0x0c0] ActiveProcessAffinityMask : 0xff [Type: unsigned long]
[+0x0c4] GdiHandleBuffer [Type: unsigned long []]
[+0x14c] PostProcessInitRoutine : 0x0 [Type: void (*)()]
[+0x150] TlsExpansionBitmap : 0x77194248 [Type: void *]
[+0x154] TlsExpansionBitmapBits [Type: unsigned long []]
[+0x1d4] SessionId : 0x1 [Type: unsigned long]
[+0x1d8] AppCompatFlags : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e0] AppCompatFlagsUser : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e8] pShimData : 0x0 [Type: void *]
[+0x1ec] AppCompatInfo : 0x0 [Type: void *]
[+0x1f0] CSDVersion : "Service Pack 1" [Type: _UNICODE_STRING]
[+0x1f8] ActivationContextData : 0x60000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x1fc] ProcessAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x200] SystemDefaultActivationContextData : 0x50000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x204] SystemAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x208] MinimumStackCommit : 0x0 [Type: unsigned long]
[+0x20c] FlsCallback : 0x0 [Type: _FLS_CALLBACK_INFO *]
[+0x210] FlsListHead [Type: _LIST_ENTRY]
[+0x218] FlsBitmap : 0x77194240 [Type: void *]
[+0x21c] FlsBitmapBits [Type: unsigned long []]
[+0x22c] FlsHighIndex : 0x0 [Type: unsigned long]
[+0x230] WerRegistrationData : 0x0 [Type: void *]
[+0x234] WerShipAssertPtr : 0x0 [Type: void *]
[+0x238] pContextData : 0x70000 [Type: void *]
[+0x23c] pImageHeaderHash : 0x0 [Type: void *]
[+0x240] TracingFlags : 0x0 [Type: unsigned long]
[+0x240 ( : )] HeapTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 ( : )] CritSecTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 (: )] SpareTracingBits : 0x0 [Type: unsigned long]

As you can see, the byte at offset +0x002 is the flag that records whether the process is being debugged. We can make use of this flag; see the code below.

2. Code implementation

// PEB反调试.cpp : defines the entry point for the console application.
// #include "stdafx.h"
#include <Windows.h>
#include <stdio.h>

int main()
{
    DWORD dwIsDebug = 0;
    // dwIsDebug = ::IsDebuggerPresent(); // IsDebuggerPresent reads exactly this flag from the PEB
    // 32-bit MSVC inline assembly: fs:[0x18] is the TEB, TEB+0x30 holds the PEB pointer
    __asm
    {
        mov eax, fs:[0x18];               // get TEB
        mov eax, [eax + 0x30];            // get PEB
        movzx eax, byte ptr [eax + 0x2];  // get BeingDebugged flag (PEB+0x002)
        mov dwIsDebug, eax
    }
    if (1 == dwIsDebug)
    {
        printf("你的程序正在被调试\r\n");
        getchar();
    }
    else
    {
        printf("你的程序没有被调试\r\n");
        getchar();
    }
    return 0;
}

The operating system also exposes an API for this check, IsDebuggerPresent; internally it simply reads this PEB flag, as you can confirm by disassembling it. Note that the inline-assembly route above only works in 32-bit builds (fs:[0x18] is the 32-bit TEB), while the API works in both 32- and 64-bit processes.
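As an added defender-side example, not code from the original post: a small C helper that scans a 32-bit x86 code region for the instruction sequence the asm block above compiles to (TEB read, PEB dereference, byte read at +2), which is how an analyst can spot this check in a binary. The byte encodings are the standard 32-bit encodings of those three instructions, and the sample buffers are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical triage helper: flag a 32-bit x86 code region that reads
   PEB.BeingDebugged the way the post's inline asm does. */
static const uint8_t TEB_READ[]  = {0x64, 0xA1, 0x18, 0x00, 0x00, 0x00}; /* mov eax, fs:[0x18] */
static const uint8_t PEB_DEREF[] = {0x8B, 0x40, 0x30};                   /* mov eax, [eax+0x30] */
static const uint8_t FLAG_READ[] = {0x0F, 0xB6, 0x40, 0x02};             /* movzx eax, byte ptr [eax+2] */

/* Return the offset of `pat` in buf[from, len), or -1 if absent. */
static long find_pat(const uint8_t *buf, size_t len, size_t from,
                     const uint8_t *pat, size_t plen)
{
    for (size_t i = from; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Return the offset of the TEB read when the TEB -> PEB -> BeingDebugged
   chain appears in order within `window` bytes of it, else -1. */
long find_beingdebugged_check(const uint8_t *buf, size_t len, size_t window)
{
    long a = find_pat(buf, len, 0, TEB_READ, sizeof TEB_READ);
    while (a >= 0) {
        size_t lim = ((size_t)a + window < len) ? (size_t)a + window : len;
        long b = find_pat(buf, lim, (size_t)a, PEB_DEREF, sizeof PEB_DEREF);
        long c = (b < 0) ? -1 : find_pat(buf, lim, (size_t)b, FLAG_READ, sizeof FLAG_READ);
        if (c >= 0)
            return a;
        a = find_pat(buf, len, (size_t)a + 1, TEB_READ, sizeof TEB_READ);
    }
    return -1;
}

/* Constructed samples: a function prologue followed by the full check, and
   one that fetches the PEB pointer but never reads BeingDebugged. */
const uint8_t SAMPLE_CHECK[] = {0x55, 0x8B, 0xEC,
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x30, 0x0F, 0xB6, 0x40, 0x02,
    0x89, 0x45, 0xFC};
const uint8_t SAMPLE_NOCHECK[] = {0x55, 0x8B, 0xEC,
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x30, 0xC3};

int main(void)
{
    printf("check found at %ld, nocheck at %ld\n",
           find_beingdebugged_check(SAMPLE_CHECK, sizeof SAMPLE_CHECK, 32),
           find_beingdebugged_check(SAMPLE_NOCHECK, sizeof SAMPLE_NOCHECK, 32));
    return 0;
}
```

A compiler may interleave other instructions or use a different register, so treat a hit as a lead for manual review rather than proof; the window parameter controls how far apart the three reads may be.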

3. Results

[Screenshot: launched under x32dbg]

[Screenshot: launched normally]
