1. PEB anti-debugging
BeingDebugged: 1 (BYTE at PEB+0x02; set to 1 while a user-mode debugger is attached to the process)
NtGlobalFlag: 0x70 (ULONG at PEB+0x68 on x86, PEB+0xBC on x64; 0x70 = FLG_HEAP_ENABLE_TAIL_CHECK 0x10 | FLG_HEAP_ENABLE_FREE_CHECK 0x20 | FLG_HEAP_VALIDATE_PARAMETERS 0x40, which the loader sets when the process is *created* by a debugger, not when one attaches later)
```cpp
#include <stdio.h>
#include <windows.h>
#include "..//ntdll//ntdll.h"                    // import ntdll.h (PEB layout, Nt* prototypes)
#pragma comment(lib, "..//ntdll//ntdll_x86.lib") // statically link the ntdll import library (x86 build)
// Macro that prints the check name and its verdict
#define OUTMESSAGE(a,b) printf("%-36s %s\n", a, (b) ? "Being debugged" : "Running Normal!")
void test()
{
    PEB *peb;
    BOOL bl = FALSE;
    _asm
    {   // FS:[0x30] holds the PEB address (x86 only: MSVC has no inline asm on x64)
        mov eax, dword ptr fs:[0x30]
        mov peb, eax
    }
    if (peb->BeingDebugged)          // PEB+0x02, set on debugger attach
    {
        bl = TRUE;
    }
    if (peb->NtGlobalFlag & 0x70)    // heap-check flags, set only when started under a debugger
    {
        bl = TRUE;
    }
    OUTMESSAGE(__FUNCTION__, bl);
}
```
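Added example (not from the original notes): the same two PEB checks written with MSVC intrinsics instead of `_asm`, so one source builds for both x86 and x64. The PEB pointer is read from fs:[0x30] on x86 and gs:[0x60] on x64; BeingDebugged sits at PEB+0x02 on both, NtGlobalFlag at +0x68 (x86) / +0xBC (x64). The verdict logic is split into a portable function so it can be exercised off-Windows with constructed field values; the function names and the CHECK_* bit assignments are my own.

```c
/* Added example: PEB checks via MSVC intrinsics (x86 and x64), not code from the notes. */
#include <stdio.h>

#define CHECK_BEING_DEBUGGED 0x1u   /* set when PEB.BeingDebugged != 0 */
#define CHECK_NT_GLOBAL_FLAG 0x2u   /* set when NtGlobalFlag has any of the 0x70 heap bits */

#ifndef FLG_HEAP_ENABLE_TAIL_CHECK
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#endif
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* Pure decision logic: which PEB indicators fired, as a bitmask. */
unsigned peb_debug_verdict(unsigned char being_debugged, unsigned long nt_global_flag)
{
    unsigned verdict = 0;
    if (being_debugged)
        verdict |= CHECK_BEING_DEBUGGED;
    if (nt_global_flag & DEBUGGER_HEAP_FLAGS)   /* mask == 0x70 */
        verdict |= CHECK_NT_GLOBAL_FLAG;
    return verdict;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>

/* Read both fields straight from the PEB by raw offset; no ntdll.h needed. */
unsigned peb_debug_verdict_live(void)
{
#ifdef _M_X64
    unsigned char *peb = (unsigned char *)__readgsqword(0x60);   /* TEB.ProcessEnvironmentBlock */
    unsigned long nt_global_flag = *(unsigned long *)(peb + 0xBC);
#else
    unsigned char *peb = (unsigned char *)__readfsdword(0x30);
    unsigned long nt_global_flag = *(unsigned long *)(peb + 0x68);
#endif
    unsigned char being_debugged = peb[0x02];
    return peb_debug_verdict(being_debugged, nt_global_flag);
}
#endif

int main(void)
{
#ifdef _WIN32
    unsigned v = peb_debug_verdict_live();
    printf("%-36s %s\n", "PEB.BeingDebugged",   (v & CHECK_BEING_DEBUGGED) ? "Being debugged" : "Running Normal!");
    printf("%-36s %s\n", "PEB.NtGlobalFlag & 0x70", (v & CHECK_NT_GLOBAL_FLAG) ? "Being debugged" : "Running Normal!");
#else
    /* Constructed field values standing in for a PEB on a non-Windows host. */
    printf("verdict(1, 0x00) = 0x%x\n", peb_debug_verdict(1, 0x00));
    printf("verdict(0, 0x70) = 0x%x\n", peb_debug_verdict(0, 0x70));
#endif
    return 0;
}
```

Two caveats when reading these fields: the NtGlobalFlag heap bits are also turned on by a GlobalFlag / IFEO setting or by running under Application Verifier, so treat that check as a heuristic, and both fields are in writable user-mode memory, so anti-anti-debug plugins simply zero them after attach.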
2. IsDebuggerPresent
IsDebuggerPresent returns TRUE (1) when a debugger is attached. It only reads BeingDebugged from the current process's PEB, so it is the documented form of the first check and is defeated by the same patch.
```cpp
// OUTMESSAGE is the macro defined in section 1
void _IsDebugPresent()
{
    BOOL bl = FALSE;
    if (IsDebuggerPresent())   // kernel32 wrapper around PEB->BeingDebugged
    {
        bl = TRUE;
    }
    OUTMESSAGE(__FUNCTION__, bl);
}
```
3. CheckRemoteDebuggerPresent
CheckRemoteDebuggerPresent is implemented on top of ZwQueryInformationProcess (in ntdll the Zw* and Nt* names are the same stub):
```cpp
NTSTATUS NtQueryInformationProcess (
    __in HANDLE ProcessHandle,
    __in PROCESSINFOCLASS ProcessInformationClass,
    __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
    __in ULONG ProcessInformationLength,
    __out_opt PULONG ReturnLength
);
```
The second argument passed here is 7, which is the PROCESSINFOCLASS value ProcessDebugPort. The kernel writes a pointer-sized DebugPort value (non-zero, specifically -1, when a debugger is attached; 0 otherwise), and the API reports TRUE whenever it is non-zero.
Bypass: hook CheckRemoteDebuggerPresent and turn the je just before the call to ZwQueryInformationProcess into a jmp, so the Zw call is skipped. OllyDbg anti-anti-debug plugins go further: they patch the call target of ZwQueryInformationProcess to land in a function of the plugin author's, which decides, based on whether the requested class is 7, whether to really call ZwQueryInformationProcess. Note that such a filter keyed only on class 7 leaves other debug-related classes (for example ProcessDebugObjectHandle) visible to code that calls the Nt* function directly:
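Added example (not from the original notes): calling NtQueryInformationProcess directly rather than through CheckRemoteDebuggerPresent, so a hook on the Win32 wrapper alone does not hide the result. The Nt* export is resolved at run time with GetProcAddress, so no ntdll import library is required. It goes beyond the notes' class 7 (ProcessDebugPort) by also querying class 0x1E (ProcessDebugObjectHandle), which a filter that only special-cases class 7 leaves untouched. The _T-suffixed typedefs and constants, the function names and the constructed sample values are mine; the NTSTATUS values are the documented ones.

```c
/* Added example: direct NtQueryInformationProcess debugger checks, not code from the notes. */
#include <stdio.h>

typedef int NTSTATUS_T;                                      /* NTSTATUS is a 32-bit LONG */
#define STATUS_SUCCESS_T       ((NTSTATUS_T)0x00000000)
#define STATUS_PORT_NOT_SET_T  ((NTSTATUS_T)0xC0000353)      /* no debug object on the process */

#define ProcessDebugPort_T          7      /* PROCESSINFOCLASS used by CheckRemoteDebuggerPresent */
#define ProcessDebugObjectHandle_T  0x1E   /* second class a class-7-only filter does not cover */

/* ProcessDebugPort: kernel writes a pointer-sized value, -1 when a debugger is attached,
 * 0 otherwise. Any non-zero value on success means "debugged". */
int debug_port_says_debugged(NTSTATUS_T status, unsigned long long debug_port)
{
    return status == STATUS_SUCCESS_T && debug_port != 0;
}

/* ProcessDebugObjectHandle: succeeds with a handle when a debugger is attached and fails
 * with STATUS_PORT_NOT_SET when none is. Only that specific failure means "clean";
 * any other failure (e.g. wrong buffer length) is inconclusive and reported as -1. */
int debug_object_says_debugged(NTSTATUS_T status, unsigned long long handle)
{
    if (status == STATUS_SUCCESS_T && handle != 0) return 1;
    if (status == STATUS_PORT_NOT_SET_T)           return 0;
    return -1;
}

#ifdef _WIN32
#include <windows.h>

typedef NTSTATUS_T (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* Returns 1 if either class reports a debugger, 0 if not, -1 if ntdll lookup failed. */
int query_debugger_live(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQueryInformationProcess_t NtQIP = (NtQueryInformationProcess_t)
        GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (!NtQIP) return -1;

    /* Buffer must be pointer-sized: a 4-byte DWORD on x64 yields STATUS_INFO_LENGTH_MISMATCH. */
    ULONG_PTR  port = 0;
    ULONG      len  = 0;
    NTSTATUS_T st   = NtQIP(GetCurrentProcess(), ProcessDebugPort_T, &port, sizeof(port), &len);
    int by_port = debug_port_says_debugged(st, (unsigned long long)port);

    HANDLE dbg_obj = NULL;
    st = NtQIP(GetCurrentProcess(), ProcessDebugObjectHandle_T, &dbg_obj, sizeof(dbg_obj), &len);
    int by_object = debug_object_says_debugged(st, (unsigned long long)(ULONG_PTR)dbg_obj);
    if (by_object == 1) CloseHandle(dbg_obj);   /* the returned handle is ours to close */

    return (by_port || by_object == 1) ? 1 : 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    int r = query_debugger_live();
    printf("%-36s %s\n", "NtQueryInformationProcess", r == 1 ? "Being debugged" : "Running Normal!");
#else
    /* Constructed return values standing in for the kernel on a non-Windows host. */
    printf("port = -1        -> %d\n", debug_port_says_debugged(STATUS_SUCCESS_T, ~0ULL));
    printf("PORT_NOT_SET     -> %d\n", debug_object_says_debugged(STATUS_PORT_NOT_SET_T, 0));
#endif
    return 0;
}
```

Because the Win32 wrapper is bypassed, the only place left for a plugin to intervene is the ntdll stub or the syscall itself; a filter that only rewrites class 7 still lets the ProcessDebugObjectHandle query through.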
4. NtQuerySystemInformation
NtQuerySystemInformation with SystemKernelDebuggerInformation (class 0x23) reports whether a *kernel* debugger (KD/WinDbg attached to the kernel) is enabled and present; it says nothing about a user-mode debugger on this process. The result is a SYSTEM_KERNEL_DEBUGGER_INFORMATION struct of two BOOLEANs, KernelDebuggerEnabled and KernelDebuggerNotPresent; the same bit is mirrored in KUSER_SHARED_DATA.KdDebuggerEnabled, so hooking this one call alone does not hide it.
```cpp
// OUTMESSAGE is the macro from section 1; SYSTEM_KERNEL_DEBUGGER_INFORMATION comes from ntdll.h
void _NtQuerySystemInformation()
{
    BOOL bl = FALSE;
    NTSTATUS status;
    SYSTEM_KERNEL_DEBUGGER_INFORMATION pKerDbgInfo;
    ULONG returnlen;
    status = NtQuerySystemInformation(SystemKernelDebuggerInformation,
                                      &pKerDbgInfo, sizeof(pKerDbgInfo), &returnlen);
    if (NT_SUCCESS(status) && pKerDbgInfo.KernelDebuggerEnabled && !pKerDbgInfo.KernelDebuggerNotPresent)
    {
        bl = TRUE;
    }
    OUTMESSAGE(__FUNCTION__, bl);
}
```