一次面试的问题:你知道IsDebuggerPresent怎么实现的吗
IsDebuggerPresent实现原理
IsDebuggerPresent函数反汇编代码:
mov eax,dword ptr fs:[00000018h] mov eax,dword ptr [eax+30h] movzx eax,byte ptr [eax+2] ret
fs:[0]是本线程TEB的头部, fs:[18h]是一个指向自身的指针,[eax+30h]就是获得PEB的地址
0:000> dt -b ntdll!_TEB +0x000 NtTib : _NT_TIB +0x000 ExceptionList : Ptr32 +0x004 StackBase : Ptr32 +0x008 StackLimit : Ptr32 +0x00c SubSystemTib : Ptr32 +0x010 FiberData : Ptr32 +0x010 Version : Uint4B +0x014 ArbitraryUserPointer : Ptr32 +0x018 Self : Ptr32 +0x01c EnvironmentPointer : Ptr32 +0x020 ClientId : _CLIENT_ID +0x000 UniqueProcess : Ptr32 +0x004 UniqueThread : Ptr32 +0x028 ActiveRpcHandle : Ptr32 +0x02c ThreadLocalStoragePointer : Ptr32 +0x030 ProcessEnvironmentBlock : Ptr32 +0x034 LastErrorValue : Uint4B
PEB结构如下,ptr [eax+2]指的是BeingDebugged的值,1为处于被调试状态,0为未处于
0:000> dt -b ntdll!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 SpareBool : UChar +0x004 Mutant : Ptr32 +0x008 ImageBaseAddress : Ptr32 +0x00c Ldr : Ptr32 +0x010 ProcessParameters : Ptr32