Anti-debugging with the PEB flag
1. A brief introduction to the PEB structure
PEB stands for Process Environment Block. We already covered it when discussing DLL hiding.
Blog post: https://www.cnblogs.com/iBinary/p/9601860.html
Now let's look at the PEB structure directly (a WinDbg dump of a 32-bit process):
```
[+0x000] InheritedAddressSpace : 0x0 [Type: unsigned char]
[+0x001] ReadImageFileExecOptions : 0x0 [Type: unsigned char]
[+0x002] BeingDebugged : 0x1 [Type: unsigned char]   // a single char: 1 means the process is being debugged, 0 means it is not. Usable for anti-debugging; the API reads its flag from here too
[+0x003] BitField : 0x8 [Type: unsigned char]
[+0x003 ( 0: 0)] ImageUsesLargePages : 0x0 [Type: unsigned char]
[+0x003 ( 1: 1)] IsProtectedProcess : 0x0 [Type: unsigned char]
[+0x003 ( 2: 2)] IsLegacyProcess : 0x0 [Type: unsigned char]
[+0x003 ( 3: 3)] IsImageDynamicallyRelocated : 0x1 [Type: unsigned char]
[+0x003 ( 4: 4)] SkipPatchingUser32Forwarders : 0x0 [Type: unsigned char]
[+0x003 ( 7: 5)] SpareBits : 0x0 [Type: unsigned char]
[+0x004] Mutant : 0xffffffff [Type: void *]
[+0x008] ImageBaseAddress : 0x11d0000 [Type: void *]
[+0x00c] Ldr : 0x77190200 [Type: _PEB_LDR_DATA *]   // the structure used for module hiding
[+0x010] ProcessParameters : 0x7216d0 [Type: _RTL_USER_PROCESS_PARAMETERS *]
[+0x014] SubSystemData : 0x0 [Type: void *]
[+0x018] ProcessHeap : 0x720000 [Type: void *]
[+0x01c] FastPebLock : 0x77192100 [Type: _RTL_CRITICAL_SECTION *]
[+0x020] AtlThunkSListPtr : 0x0 [Type: void *]
[+0x024] IFEOKey : 0x0 [Type: void *]
[+0x028] CrossProcessFlags : 0x2 [Type: unsigned long]
[+0x028 ( 0: 0)] ProcessInJob : 0x0 [Type: unsigned long]
[+0x028 ( 1: 1)] ProcessInitializing : 0x1 [Type: unsigned long]
[+0x028 ( 2: 2)] ProcessUsingVEH : 0x0 [Type: unsigned long]
[+0x028 ( 3: 3)] ProcessUsingVCH : 0x0 [Type: unsigned long]
[+0x028 ( 4: 4)] ProcessUsingFTH : 0x0 [Type: unsigned long]
[+0x028 (31: 5)] ReservedBits0 : 0x0 [Type: unsigned long]
[+0x02c] KernelCallbackTable : 0x0 [Type: void *]
[+0x02c] UserSharedInfoPtr : 0x0 [Type: void *]
[+0x030] SystemReserved [Type: unsigned long [1]]
[+0x034] AtlThunkSListPtr32 : 0x0 [Type: unsigned long]
[+0x038] ApiSetMap : 0x40000 [Type: void *]
[+0x03c] TlsExpansionCounter : 0x0 [Type: unsigned long]
[+0x040] TlsBitmap : 0x77194250 [Type: void *]
[+0x044] TlsBitmapBits [Type: unsigned long [2]]
[+0x04c] ReadOnlySharedMemoryBase : 0x7efe0000 [Type: void *]
[+0x050] HotpatchInformation : 0x0 [Type: void *]
[+0x054] ReadOnlyStaticServerData : 0x7efe0a90 [Type: void * *]
[+0x058] AnsiCodePageData : 0x7efa0000 [Type: void *]
[+0x05c] OemCodePageData : 0x7efa0000 [Type: void *]
[+0x060] UnicodeCaseTableData : 0x7efd0028 [Type: void *]
[+0x064] NumberOfProcessors : 0x8 [Type: unsigned long]
[+0x068] NtGlobalFlag : 0x70 [Type: unsigned long]
[+0x070] CriticalSectionTimeout : {-25920000000000} [Type: _LARGE_INTEGER]
[+0x078] HeapSegmentReserve : 0x100000 [Type: unsigned long]
[+0x07c] HeapSegmentCommit : 0x2000 [Type: unsigned long]
[+0x080] HeapDeCommitTotalFreeThreshold : 0x10000 [Type: unsigned long]
[+0x084] HeapDeCommitFreeBlockThreshold : 0x1000 [Type: unsigned long]
[+0x088] NumberOfHeaps : 0x1 [Type: unsigned long]
[+0x08c] MaximumNumberOfHeaps : 0x10 [Type: unsigned long]
[+0x090] ProcessHeaps : 0x77194760 [Type: void * *]
[+0x094] GdiSharedHandleTable : 0x0 [Type: void *]
[+0x098] ProcessStarterHelper : 0x0 [Type: void *]
[+0x09c] GdiDCAttributeList : 0x0 [Type: unsigned long]
[+0x0a0] LoaderLock : 0x771920c0 [Type: _RTL_CRITICAL_SECTION *]
[+0x0a4] OSMajorVersion : 0x6 [Type: unsigned long]
[+0x0a8] OSMinorVersion : 0x1 [Type: unsigned long]
[+0x0ac] OSBuildNumber : 0x1db1 [Type: unsigned short]
[+0x0ae] OSCSDVersion : 0x100 [Type: unsigned short]
[+0x0b0] OSPlatformId : 0x2 [Type: unsigned long]
[+0x0b4] ImageSubsystem : 0x3 [Type: unsigned long]
[+0x0b8] ImageSubsystemMajorVersion : 0x6 [Type: unsigned long]
[+0x0bc] ImageSubsystemMinorVersion : 0x0 [Type: unsigned long]
[+0x0c0] ActiveProcessAffinityMask : 0xff [Type: unsigned long]
[+0x0c4] GdiHandleBuffer [Type: unsigned long [34]]
[+0x14c] PostProcessInitRoutine : 0x0 [Type: void (*)()]
[+0x150] TlsExpansionBitmap : 0x77194248 [Type: void *]
[+0x154] TlsExpansionBitmapBits [Type: unsigned long [32]]
[+0x1d4] SessionId : 0x1 [Type: unsigned long]
[+0x1d8] AppCompatFlags : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e0] AppCompatFlagsUser : {0x0} [Type: _ULARGE_INTEGER]
[+0x1e8] pShimData : 0x0 [Type: void *]
[+0x1ec] AppCompatInfo : 0x0 [Type: void *]
[+0x1f0] CSDVersion : "Service Pack 1" [Type: _UNICODE_STRING]
[+0x1f8] ActivationContextData : 0x60000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x1fc] ProcessAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x200] SystemDefaultActivationContextData : 0x50000 [Type: _ACTIVATION_CONTEXT_DATA *]
[+0x204] SystemAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[+0x208] MinimumStackCommit : 0x0 [Type: unsigned long]
[+0x20c] FlsCallback : 0x0 [Type: _FLS_CALLBACK_INFO *]
[+0x210] FlsListHead [Type: _LIST_ENTRY]
[+0x218] FlsBitmap : 0x77194240 [Type: void *]
[+0x21c] FlsBitmapBits [Type: unsigned long [4]]
[+0x22c] FlsHighIndex : 0x0 [Type: unsigned long]
[+0x230] WerRegistrationData : 0x0 [Type: void *]
[+0x234] WerShipAssertPtr : 0x0 [Type: void *]
[+0x238] pContextData : 0x70000 [Type: void *]
[+0x23c] pImageHeaderHash : 0x0 [Type: void *]
[+0x240] TracingFlags : 0x0 [Type: unsigned long]
[+0x240 ( 0: 0)] HeapTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 ( 1: 1)] CritSecTracingEnabled : 0x0 [Type: unsigned long]
[+0x240 (31: 2)] SpareTracingBits : 0x0 [Type: unsigned long]
```
You can see that the byte at offset +2 (BeingDebugged) is the flag that indicates whether the process is being debugged. We can read this flag ourselves; see the code below.
2. Implementation
```cpp
// PEB反调试.cpp : entry point of the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>

int main()
{
    DWORD dwIsDebug = 0;
    //dwIsDebug = ::IsDebuggerPresent();  // IsDebuggerPresent reads the same flag from the PEB
    __asm
    {
        mov eax, fs:[0x18]              // fs:[0x18] holds the TEB pointer
        mov eax, [eax + 0x30]           // TEB+0x30 holds the PEB pointer
        movzx eax, byte ptr [eax + 2]   // PEB+2 is BeingDebugged (a single byte)
        mov dwIsDebug, eax
    }
    if (1 == dwIsDebug)
    {
        printf("你的程序正在被调试\n");
        getchar();
    }
    else
    {
        printf("你的程序没有被调试\n");
        getchar();
    }
    return 0;
}
```
The operating system also provides an API for exactly this check (IsDebuggerPresent). Internally it reads the same PEB flag; disassemble it if you are interested.
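As an added example (not the post's own code), the same TEB -> PEB -> BeingDebugged walk in plain C instead of inline asm, so it also builds for 64-bit, where the PEB pointer sits at TEB+0x60 rather than the +0x30 shown above. On Windows it reads the live TEB through NtCurrentTeb() and prints the result next to IsDebuggerPresent(); on any platform it first runs the walk over a constructed (fake) TEB/PEB pair so the offset logic can be checked offline.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Offsets: PEB+2 and TEB+0x30 come from the x86 dump above; TEB+0x60 is the
   documented 64-bit location of the PEB pointer. */
#define TEB_PEB_OFFSET (sizeof(void *) == 8 ? 0x60 : 0x30)
#define PEB_BEING_DEBUGGED_OFFSET 0x2

/* The post's three instructions in plain C: TEB -> PEB -> BeingDebugged.
   Returns the raw byte (0 or 1), or -1 if a pointer in the chain is NULL. */
static int being_debugged_from_teb(const unsigned char *teb)
{
    const unsigned char *peb;
    if (teb == NULL)
        return -1;
    memcpy(&peb, teb + TEB_PEB_OFFSET, sizeof peb);   /* mov eax, [eax+0x30] */
    if (peb == NULL)
        return -1;
    return peb[PEB_BEING_DEBUGGED_OFFSET];            /* movzx eax, byte ptr [eax+2] */
}

/* Offline self-check on a constructed (fake) TEB/PEB pair, so the pointer walk
   can be exercised without a Windows process. */
static int demo_constructed(unsigned char flag)
{
    unsigned char fake_peb[0x40] = {0};
    unsigned char fake_teb[0x80] = {0};
    const unsigned char *p = fake_peb;
    fake_peb[PEB_BEING_DEBUGGED_OFFSET] = flag;       /* plant the flag at PEB+2 */
    memcpy(fake_teb + TEB_PEB_OFFSET, &p, sizeof p);  /* plant the PEB pointer in the TEB */
    return being_debugged_from_teb(fake_teb);
}

int main(void)
{
    printf("constructed TEB/PEB: flag=1 -> %d, flag=0 -> %d\n",
           demo_constructed(1), demo_constructed(0));
#ifdef _WIN32
    /* Live read: NtCurrentTeb() is the compiler's own TEB accessor. */
    printf("live PEB.BeingDebugged = %d, IsDebuggerPresent() = %d\n",
           being_debugged_from_teb((const unsigned char *)NtCurrentTeb()),
           (int)IsDebuggerPresent());
#endif
    return 0;
}
```

Because the flag is an ordinary byte in user-mode memory, a debugger or plugin can clear it, so on its own this check is only a weak signal.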
3. Results
Launched under x32dbg
Launched normally