PEB flag anti-debugging method
1. A brief introduction to the PEB structure
PEB is short for Process Environment Block. We already covered it when discussing DLL hiding.
Blog link: https://www.cnblogs.com/iBinary/p/9601860.html
Now let's look directly at the PEB structure. The dump below comes from a 32-bit process on Windows 7 SP1 (see the OSMajorVersion/OSMinorVersion/CSDVersion fields), so the offsets are the x86 ones:
[+0x000] InheritedAddressSpace : 0x0 [Type: unsigned char]
[+0x001] ReadImageFileExecOptions : 0x0 [Type: unsigned char]
[+0x002] BeingDebugged : 0x1 [Type: unsigned char] // a single byte: 1 means the process is being debugged, 0 means it is not. Usable for anti-debugging; the IsDebuggerPresent API reads its flag from here too
[+0x003] BitField : 0x8 [Type: unsigned char]
[+0x003 ( : )] ImageUsesLargePages : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsProtectedProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsLegacyProcess : 0x0 [Type: unsigned char]
[+0x003 ( : )] IsImageDynamicallyRelocated : 0x1 [Type: unsigned char]
[+0x003 ( : )] SkipPatchingUser32Forwarders : 0x0 [Type: unsigned char]
[+0x003 ( : )] SpareBits : 0x0 [Type: unsigned char]
[+0x004] Mutant : 0xffffffff [Type: void *]
[+0x008] ImageBaseAddress : 0x11d0000 [Type: void *]
[+0x00c] Ldr : 0x77190200 [Type: _PEB_LDR_DATA *] // the structure used for module hiding
[+0x010] ProcessParameters : 0x7216d0 [Type: _RTL_USER_PROCESS_PARAMETERS *]
[+0x014] SubSystemData : 0x0 [Type: void *]
[+0x018] ProcessHeap : 0x720000 [Type: void *]
[+0x01c] FastPebLock : 0x77192100 [Type: _RTL_CRITICAL_SECTION *]
[+0x020] AtlThunkSListPtr : 0x0 [Type: void *]
[+0x024] IFEOKey : 0x0 [Type: void *]
[+0x028] CrossProcessFlags : 0x2 [Type: unsigned long]
[+0x028 ( : )] ProcessInJob : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessInitializing : 0x1 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVEH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingVCH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ProcessUsingFTH : 0x0 [Type: unsigned long]
[+0x028 ( : )] ReservedBits0 : 0x0 [Type: unsigned long]
[+0x02c] KernelCallbackTable : 0x0 [Type: void *]
[+0x02c] UserSharedInfoPtr : 0x0 [Type: void *]
[+0x030] SystemReserved [Type: unsigned long []]
[+0x034] AtlThunkSListPtr32 : 0x0 [Type: unsigned long]
[+0x038] ApiSetMap : 0x40000 [Type: void *]
[+0x03c] TlsExpansionCounter : 0x0 [Type: unsigned long]
[+0x040] TlsBitmap : 0x77194250 [Type: void *]
[+0x044] TlsBitmapBits [Type: unsigned long []]
[+0x04c] ReadOnlySharedMemoryBase : 0x7efe0000 [Type: void *]
[+0x050] HotpatchInformation : 0x0 [Type: void *]
[+0x054] ReadOnlyStaticServerData : 0x7efe0a90 [Type: void * *]
[+0x058] AnsiCodePageData : 0x7efa0000 [Type: void *]
[+0x05c] OemCodePageData : 0x7efa0000 [Type: void *]
[+0x060] UnicodeCaseTableData : 0x7efd0028 [Type: void *]
[+0x064] NumberOfProcessors : 0x8 [Type: unsigned long]
[+0x068] NtGlobalFlag : 0x70 [Type: unsigned long]
[+0x070] CriticalSectionTimeout : {-} [Type: _LARGE_INTEGER]
[+0x078] HeapSegmentReserve : 0x100000 [Type: unsigned long]
[+0x07c] HeapSegmentCommit : 0x2000 [Type: unsigned long]
[+0x080] HeapDeCommitTotalFreeThreshold : 0x10000 [Type: unsigned long]
[+0x084] HeapDeCommitFreeBlockThreshold : 0x1000 [Type: unsigned long]
[+0x088] NumberOfHeaps : 0x1 [Type: unsigned long]
[+0x08c] MaximumNumberOfHeaps : 0x10 [Type: unsigned long]
[+0x090] ProcessHeaps : 0x77194760 [Type: void * *]
[+0x094] GdiSharedHandleTable : 0x0 [Type: void *]
[+0x098] ProcessStarterHelper : 0x0 [Type: void *]
[+0x09c] GdiDCAttributeList : 0x0 [Type: unsigned long]
[+0x0a0] LoaderLock : 0x771920c0 [Type: _RTL_CRITICAL_SECTION *]
[+0x0a4] OSMajorVersion : 0x6 [Type: unsigned long]
[+0x0a8] OSMinorVersion : 0x1 [Type: unsigned long]
[+0x0ac] OSBuildNumber : 0x1db1 [Type: unsigned short]
[+0x0ae] OSCSDVersion : 0x100 [Type: unsigned short]
[+0x0b0] OSPlatformId : 0x2 [Type: unsigned long]
[+0x0b4] ImageSubsystem : 0x3 [Type: unsigned long]
[+0x0b8] ImageSubsystemMajorVersion : 0x6 [Type: unsigned long]
[+0x0bc] ImageSubsystemMinorVersion : 0x0 [Type: unsigned long]
[+0x0c0] ActiveProcessAffinityMask : 0xff [Type: unsigned long]
[+0x0c4] GdiHandleBuffer [Type: unsigned long []]
[+0x14c] PostProcessInitRoutine : 0x0 [Type: void (*)()]
[+0x150] TlsExpansionBitmap : 0x77194248 [Type: void *]
[+0x154] TlsExpansionBitmapBits [Type: unsigned long []]
[+0x1d4] SessionId : 0x1 [Type: unsigned long]
[+0x1d8] AppCompatFlags : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e0] AppCompatFlagsUser : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e8] pShimData : 0x0 [Type: void *]
[+0x1ec] AppCompatInfo : 0x0 [Type: void *]
[+0x1f0] CSDVersion : "Service Pack 1" [Type: _UNICODE_STRING]
[+0x1f8] ActivationContextData : 0x60000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x1fc] ProcessAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x200] SystemDefaultActivationContextData : 0x50000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x204] SystemAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x208] MinimumStackCommit : 0x0 [Type: unsigned long]
[+0x20c] FlsCallback : 0x0 [Type: _FLS_CALLBACK_INFO *]
[+0x210] FlsListHead [Type: _LIST_ENTRY]
[+0x218] FlsBitmap : 0x77194240 [Type: void *]
[+0x21c] FlsBitmapBits [Type: unsigned long []]
[+0x22c] FlsHighIndex : 0x0 [Type: unsigned long]
[+0x230] WerRegistrationData : 0x0 [Type: void *]
[+0x234] WerShipAssertPtr : 0x0 [Type: void *]
[+0x238] pContextData : 0x70000 [Type: void *]
[+0x23c] pImageHeaderHash : 0x0 [Type: void *]
[+0x240] TracingFlags : 0x0 [Type: unsigned long]
[+0x240 ( : )] HeapTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 ( : )] CritSecTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 ( : )] SpareTracingBits : 0x0 [Type: unsigned long]
As you can see, the byte at offset +0x2 is the flag that indicates whether the process is being debugged. We can use this flag directly; see the code below. (Note that in the same dump NtGlobalFlag at +0x68 is 0x70, which is also a side effect of the process having been created under a debugger.)
2. Concrete code implementation
// PEB反调试.cpp : entry point of the console application.
// #include "stdafx.h"
#include <Windows.h>
#include <stdio.h>

// 32-bit MSVC only: inline __asm is not available in 64-bit builds, and on x64
// the PEB pointer lives at gs:[0x60] rather than fs:[0x30].
int main()
{
    DWORD dwIsDebug = 0;
    // dwIsDebug = ::IsDebuggerPresent(); // IsDebuggerPresent reads this same flag from the PEB.
    __asm
    {
        mov eax, fs:[0x18];              // TEB self-pointer
        mov eax, [eax + 0x30];           // TEB+0x30 -> PEB
        movzx eax, byte ptr [eax + 0x2]; // PEB+0x2  -> BeingDebugged
        mov dwIsDebug, eax
    }
    if (1 == dwIsDebug)
    {
        printf("Your program is being debugged\r\n");
        getchar();
    }
    else
    {
        printf("Your program is not being debugged\r\n");
        getchar();
    }
    return 0;
}
The operating system also provides an API for exactly this check, IsDebuggerPresent; internally it simply reads the same PEB flag (disassemble it if you are interested). Reading the byte yourself only avoids API hooks: because BeingDebugged is a single byte in user-mode memory, a debugger or anti-anti-debug plugin can clear it and defeat both this check and IsDebuggerPresent at once, so it should be treated as a cheap first-line check rather than a reliable one.
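As an added example (not the original post's code), the same check written without inline assembly, so it builds for both 32-bit and 64-bit MSVC, and combined with the NtGlobalFlag value seen in the dump above. The field offsets for x86 come from that dump; the x64 offsets (PEB at gs:[0x60], NtGlobalFlag at +0xBC) are the documented ones. The decision logic is kept in pure functions over a PEB image, and a constructed image (filled with the dump's values) is used so the logic can be exercised off Windows. `__readfsdword`/`__readgsqword` are MSVC intrinsics from intrin.h; the sample-image helper is an assumption made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(_WIN32)
#include <windows.h>
#include <intrin.h>   /* __readfsdword / __readgsqword (MSVC intrinsics) */
#endif

/* Field offsets inside the PEB. BeingDebugged is at +0x002 on both
 * architectures; NtGlobalFlag is +0x068 on x86 (as in the dump above)
 * and +0x0BC on x64. */
#define PEB_OFF_BEINGDEBUGGED 0x002u
#define PEB_OFF_NTGLOBALFLAG_X86 0x068u
#define PEB_OFF_NTGLOBALFLAG_X64 0x0BCu
#if defined(_WIN64)
#define PEB_OFF_NTGLOBALFLAG PEB_OFF_NTGLOBALFLAG_X64
#else
#define PEB_OFF_NTGLOBALFLAG PEB_OFF_NTGLOBALFLAG_X86
#endif

/* Heap flags ntdll sets when the process is created under a debugger:
 * FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
 * FLG_HEAP_VALIDATE_PARAMETERS == 0x70, the value in the dump above. */
#define DEBUGGER_HEAP_FLAGS 0x70u

/* Pure checks over a PEB image; peb points at the first byte of the PEB. */
int peb_being_debugged(const unsigned char *peb)
{
    return peb[PEB_OFF_BEINGDEBUGGED] != 0;
}

int peb_ntglobalflag_has_debug_heap(const unsigned char *peb, size_t ntglobalflag_off)
{
    uint32_t flags;
    memcpy(&flags, peb + ntglobalflag_off, sizeof flags);
    return (flags & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS;
}

/* Locate the live PEB without inline assembly. Returns NULL off Windows. */
const unsigned char *current_peb(void)
{
#if defined(_WIN64)
    return (const unsigned char *)__readgsqword(0x60);   /* TEB+0x60 -> PEB */
#elif defined(_WIN32)
    return (const unsigned char *)__readfsdword(0x30);   /* TEB+0x30 -> PEB */
#else
    return NULL;
#endif
}

/* Constructed PEB image (assumption for this example): when debugged is
 * nonzero it carries the two values from the Win7 x86 dump above
 * (BeingDebugged = 1, NtGlobalFlag = 0x70); otherwise it is all zeros. */
const unsigned char *sample_peb_image(int debugged)
{
    static unsigned char image[0x100];
    uint32_t flags = debugged ? DEBUGGER_HEAP_FLAGS : 0u;
    memset(image, 0, sizeof image);
    image[PEB_OFF_BEINGDEBUGGED] = debugged ? 1u : 0u;
    memcpy(image + PEB_OFF_NTGLOBALFLAG_X86, &flags, sizeof flags);
    return image;
}

int main(void)
{
    const unsigned char *peb = current_peb();
    if (peb == NULL) {
        puts("not a Windows build; inspecting the constructed sample image instead");
        peb = sample_peb_image(1);
    }
    int dbg  = peb_being_debugged(peb);
    int heap = peb_ntglobalflag_has_debug_heap(peb, PEB_OFF_NTGLOBALFLAG);
    printf("PEB.BeingDebugged set          : %d\n", dbg);
    printf("PEB.NtGlobalFlag debug-heap bits: %d\n", heap);
    /* Either byte alone is trivially patched by a debugger plugin; a process
     * that trusts the result should at least require both to agree. */
    printf("%s\n", (dbg || heap) ? "debugger suspected" : "no debugger detected");
    return 0;
}
```

NtGlobalFlag is only set to 0x70 when the debugger creates the process; a debugger attached later leaves it alone, which is why the two indicators are worth reading together.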
3. Results
Launched under x32dbg (screenshot)
Launched normally (screenshot)