反调试防护-API1

IsDebuggerPresent()
CheckRemoteDebuggerPresent()

其内部实际调用NtQueryInformationProcess()

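/*
 * Reports a detected debugger and terminates the process.
 * Both checks in ThreadCall() used to carry a copy of these three lines;
 * keeping them in one place guarantees they behave identically.
 */
static void ReportDebuggerAndExit(void)
{
	printf("debug\n");
	system("pause");
	exit(-1);
}

/*
 * Worker thread: polls two Win32 debugger checks for the lifetime of the
 * process and terminates it as soon as either one reports a debugger.
 *
 * NOTE(review): main() starts this function through an
 * (LPTHREAD_START_ROUTINE) cast, but that type expects
 * `DWORD WINAPI fn(LPVOID)`; the bool/no-argument signature is kept so
 * existing callers keep compiling, and should be corrected together with
 * them.
 *
 * NOTE(review): the loop never yields, so it pins one core; a short
 * Sleep() between iterations would be cheaper without changing the result.
 *
 * Never returns: the only way out of the loop is exit(-1).
 */
bool _stdcall ThreadCall()
{
	while (true)
	{
		// CheckRemoteDebuggerPresent() signals failure through its return
		// value. Only trust the out-parameter when the call succeeded; a
		// failed call leaves it FALSE, which is what the original relied on.
		BOOL debuggerPresent = FALSE;
		if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &debuggerPresent) && debuggerPresent)
		{
			ReportDebuggerAndExit();
		}

		// Second, independent check; presumably backed by the PEB debug flag
		// described in the notes below — confirm before relying on that.
		if (IsDebuggerPresent())
		{
			ReportDebuggerAndExit();
		}
	}
}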

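/*
 * Starts the anti-debug worker thread, then blocks on "pause" so the
 * process stays alive while the thread polls.
 *
 * Returns 0 normally and 1 if the worker thread could not be created.
 */
int main()
{
	// dwStackSize is a SIZE_T: pass 0 (default stack), not the pointer
	// constant NULL. The cast hides that ThreadCall does not have the
	// `DWORD WINAPI (LPVOID)` signature CreateThread expects.
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);
	if (hThread == NULL)
	{
		printf("CreateThread failed: %lu\n", GetLastError());
		return 1;
	}
	// The thread is never joined; release our reference so the handle
	// is not leaked for the life of the process.
	CloseHandle(hThread);

	system("pause");
	return 0;
}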

FS/GS寄存器

debug标志:

X86:FS:0x30

FS指向TEB,FS:[0x30]处存放PEB指针,PEB+2处是debug标志。

X64:  GS:0x60

GS指向TEB,GS:[0x60]处存放PEB指针,PEB+2处是debug标志。


NtGlobalFlag标志:

在PEB里面


__readfsdword() / __readgsqword():
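/*
 * Worker thread: reads the debugger indicators stored in the PEB directly
 * with the compiler intrinsics instead of going through a Win32 API.
 *
 * The original listing carried the x86 (__readfsdword) and x64
 * (__readgsqword) variants only as commented-out code, which left an
 * empty infinite loop that detected nothing. The two variants are now
 * selected by _WIN64 so the function performs the check it documents.
 *
 * Offsets, as given in the notes above: the PEB pointer is at FS:[0x30]
 * on x86 and GS:[0x60] on x64; BeingDebugged is the byte at PEB+2;
 * NtGlobalFlag is the DWORD at PEB+0x68 (x86) or PEB+0xBC (x64).
 *
 * Never returns: the only way out of the loop is exit(-1).
 */
bool _stdcall ThreadCall()
{
	while (true)
	{
#ifdef _WIN64
		ULONGLONG peb = __readgsqword(0x60);
		UCHAR beingDebugged = *(UCHAR *)(peb + 2);
		DWORD ntGlobalFlag = *(DWORD *)(peb + 0xbc);
#else
		DWORD peb = __readfsdword(0x30);
		UCHAR beingDebugged = *(UCHAR *)(peb + 2);
		DWORD ntGlobalFlag = *(DWORD *)(peb + 0x68);
#endif
		// NtGlobalFlag is compared for exact equality with 0x70, as in the
		// listing. NOTE(review): any additional global flag set on the machine
		// makes this comparison false — confirm that exact equality is intended.
		if (beingDebugged != 0 || ntGlobalFlag == 0x70)
		{
			printf("debug\n");
			system("pause");
			exit(-1);
		}
	}
}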

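/*
 * Starts the anti-debug worker thread, then blocks on "pause" so the
 * process stays alive while the thread polls.
 *
 * Returns 0 normally and 1 if the worker thread could not be created.
 */
int main()
{
	// dwStackSize is a SIZE_T: pass 0 (default stack), not the pointer
	// constant NULL. The cast hides that ThreadCall does not have the
	// `DWORD WINAPI (LPVOID)` signature CreateThread expects.
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);
	if (hThread == NULL)
	{
		printf("CreateThread failed: %lu\n", GetLastError());
		return 1;
	}
	// The thread is never joined; release our reference so the handle
	// is not leaked for the life of the process.
	CloseHandle(hThread);

	system("pause");
	return 0;
}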

Heap标志:

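/*
 * Worker thread: inspects the process heap's Flags and ForceFlags fields,
 * which a debugger-started process carries with non-default values.
 *
 * The listing hard-coded the x64 path (__readgsqword does not exist on
 * x86, so it could not build there) and kept the x86 variant as a comment;
 * both are now selected by _WIN64.
 *
 * Offsets used are the listing's: x86 heap pointer at PEB+0x18 with
 * Flags/ForceFlags at heap+0x40/+0x44; x64 heap pointer at PEB+0x30 with
 * Flags/ForceFlags at heap+0x70/+0x74. NOTE(review): these are
 * undocumented structure offsets that differ between Windows versions —
 * confirm against the targeted OS build.
 *
 * Condition as in the listing: Flags other than 0x2 (HEAP_GROWABLE) or a
 * non-zero ForceFlags is reported as a debugger. Never returns; the only
 * way out of the loop is exit(0).
 */
bool _stdcall ThreadCall()
{
	while (true)
	{
#ifdef _WIN64
		UINT64 peb = __readgsqword(0x60);
		UINT64 processHeap = *(PUINT64)(peb + 0x30);
		DWORD flags = *(DWORD *)(processHeap + 0x70);
		DWORD forceFlags = *(DWORD *)(processHeap + 0x74);
#else
		DWORD peb = __readfsdword(0x30);
		DWORD processHeap = *(DWORD *)(peb + 0x18);
		DWORD flags = *(DWORD *)(processHeap + 0x40);
		DWORD forceFlags = *(DWORD *)(processHeap + 0x44);
#endif
		if (flags != 0x2 || forceFlags != 0)
		{
			printf("debug\n");
			system("pause");
			exit(0);
		}
	}
}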

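/*
 * Starts the anti-debug worker thread, then blocks on "pause" so the
 * process stays alive while the thread polls.
 *
 * Returns 0 normally and 1 if the worker thread could not be created.
 */
int main()
{
	// dwStackSize is a SIZE_T: pass 0 (default stack), not the pointer
	// constant NULL. The cast hides that ThreadCall does not have the
	// `DWORD WINAPI (LPVOID)` signature CreateThread expects.
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);
	if (hThread == NULL)
	{
		printf("CreateThread failed: %lu\n", GetLastError());
		return 1;
	}
	// The thread is never joined; release our reference so the handle
	// is not leaked for the life of the process.
	CloseHandle(hThread);

	system("pause");
	return 0;
}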

上面有些方法都依赖API,如果对方挂钩了这些API,检查就会失效,这时只能手动实现标志位检查。

ZwQueryInformationProcess手动实现

获取PEB:
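/*
 * Worker thread: resolves ZwQueryInformationProcess from ntdll at run time
 * and reads BeingDebugged (the byte at PEB+2) from the PEB address that
 * ProcessBasicInformation returns, bypassing the Win32 wrappers.
 *
 * MyZwQueryInformationProcess is a function-pointer typedef declared
 * elsewhere in the file; it is assumed to return NTSTATUS (the native
 * convention), which NT_SUCCESS() relies on — confirm against the typedef.
 *
 * Exits with 1 if the ntdll export cannot be resolved and with 0 once a
 * debugger is detected; otherwise never returns.
 */
bool _stdcall ThreadCall()
{
	MyZwQueryInformationProcess Func = (MyZwQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryInformationProcess");
	if (Func == NULL)
	{
		// The listing called the pointer unconditionally, which crashes on a
		// missing export; fail loudly instead.
		printf("ZwQueryInformationProcess not found\n");
		exit(1);
	}
	PROCESS_BASIC_INFORMATION pbi = { 0 };
	while (true)
	{
		// Only trust pbi after a successful query; otherwise PebBaseAddress
		// may be NULL (first iteration) or stale.
		if (!NT_SUCCESS(Func(GetCurrentProcess(), ProcessBasicInformation, &pbi, sizeof(pbi), NULL)) || pbi.PebBaseAddress == NULL)
		{
			continue;
		}
		// BeingDebugged is a one-byte flag (UCHAR); any non-zero value counts.
		// The listing compared a CHAR against TRUE, which only matches 1.
		UCHAR beingDebugged = *((PUCHAR)pbi.PebBaseAddress + 2);
		if (beingDebugged != 0)
		{
			printf("debug\n");
			system("pause");
			exit(0);
		}
	}
}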

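/*
 * Starts the anti-debug worker thread, then blocks on "pause" so the
 * process stays alive while the thread polls.
 *
 * Returns 0 normally and 1 if the worker thread could not be created.
 */
int main()
{
	// dwStackSize is a SIZE_T: pass 0 (default stack), not the pointer
	// constant NULL. The cast hides that ThreadCall does not have the
	// `DWORD WINAPI (LPVOID)` signature CreateThread expects.
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);
	if (hThread == NULL)
	{
		printf("CreateThread failed: %lu\n", GetLastError());
		return 1;
	}
	// The thread is never joined; release our reference so the handle
	// is not leaked for the life of the process.
	CloseHandle(hThread);

	system("pause");
	return 0;
}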
调试端口:
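/*
 * Worker thread: queries ProcessDebugPort through ZwQueryInformationProcess
 * resolved from ntdll at run time.
 *
 * MyZwQueryInformationProcess is a function-pointer typedef declared
 * elsewhere in the file; it is assumed to return NTSTATUS (the native
 * convention), which NT_SUCCESS() relies on — confirm against the typedef.
 *
 * Exits with 1 if the ntdll export cannot be resolved and with 0 once a
 * debugger is detected; otherwise never returns.
 */
bool _stdcall ThreadCall()
{
	MyZwQueryInformationProcess Func = (MyZwQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryInformationProcess");
	if (Func == NULL)
	{
		// The listing called the pointer unconditionally, which crashes on a
		// missing export; fail loudly instead.
		printf("ZwQueryInformationProcess not found\n");
		exit(1);
	}
	// ProcessDebugPort is documented to return a DWORD_PTR. The listing used
	// a 4-byte DWORD, which on x64 is too small: the query fails with a
	// length mismatch and the check below could never fire.
	DWORD_PTR debugPort = 0;
	while (true)
	{
		// Only trust the buffer after a successful query.
		if (!NT_SUCCESS(Func(GetCurrentProcess(), ProcessDebugPort, &debugPort, sizeof(debugPort), NULL)))
		{
			continue;
		}
		// The documented contract is "non-zero means a debugger is attached";
		// comparing against TRUE (1), as the listing did, assumes a specific
		// port value and misses anything else.
		if (debugPort != 0)
		{
			printf("debug\n");
			system("pause");
			exit(0);
		}
	}
}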

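/*
 * Starts the anti-debug worker thread, then blocks on "pause" so the
 * process stays alive while the thread polls.
 *
 * Returns 0 normally and 1 if the worker thread could not be created.
 */
int main()
{
	// dwStackSize is a SIZE_T: pass 0 (default stack), not the pointer
	// constant NULL. The cast hides that ThreadCall does not have the
	// `DWORD WINAPI (LPVOID)` signature CreateThread expects.
	HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);
	if (hThread == NULL)
	{
		printf("CreateThread failed: %lu\n", GetLastError());
		return 1;
	}
	// The thread is never joined; release our reference so the handle
	// is not leaked for the life of the process.
	CloseHandle(hThread);

	system("pause");
	return 0;
}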
隐藏端口:
    DWORD isProcessDebugFlags = 0;
	// Fragment: `func` is presumably the same ZwQueryInformationProcess
	// pointer resolved as `Func` in the listings above — confirm. Information
	// class 0x1F (ProcessDebugFlags) has no named constant in this file,
	// hence the cast. The listing treats a returned value of 0 as
	// "debugger attached".
	// NOTE(review): the return status is not checked, so a failed query
	// leaves the variable at its initial 0 and is reported as a debugger
	// too — confirm whether that is the intended behaviour.
	func(GetCurrentProcess(), (PROCESSINFOCLASS)0x1F, &isProcessDebugFlags,             sizeof(isProcessDebugFlags), NULL);
	if (isProcessDebugFlags == 0)
	{
		printf("debug\n");
		system("pause");
		exit(0);
	}



DWORD isProcessDebugObjectHandle = 0;
	// Fragment: `func` is presumably the same ZwQueryInformationProcess
	// pointer resolved as `Func` in the listings above — confirm. Information
	// class 0x1E (ProcessDebugObjectHandle) has no named constant in this
	// file, hence the cast; a non-zero result is treated as a debugger.
	// NOTE(review): the value returned for this class is a HANDLE, which is
	// 8 bytes on x64; a 4-byte DWORD buffer would make the query fail with a
	// length mismatch and leave the variable 0 — confirm the buffer type
	// when building for x64.
	func(GetCurrentProcess(), (PROCESSINFOCLASS)0x1E, &isProcessDebugObjectHandle, sizeof(isProcessDebugObjectHandle), NULL);
	if (isProcessDebugObjectHandle != 0)
	{
		printf("debug\n");
		system("pause");
		exit(0);
	}
