Anti-debugging with the PEB flag
1. A brief look at the PEB structure
PEB is short for Process Environment Block. We already covered it when discussing DLL hiding.
Blog link: https://cloud.tencent.com/developer/article/1432475
Now let's look directly at the PEB structure.
[ 0x000] InheritedAddressSpace : 0x0 [Type: unsigned char]
[ 0x001] ReadImageFileExecOptions : 0x0 [Type: unsigned char]
[ 0x002] BeingDebugged : 0x1 [Type: unsigned char] // A single byte: 1 means the process is being debugged, 0 means it is not. Usable for anti-debugging; the API obtains its result from this flag too
[ 0x003] BitField : 0x8 [Type: unsigned char]
[ 0x003 ( 0: 0)] ImageUsesLargePages : 0x0 [Type: unsigned char]
[ 0x003 ( 1: 1)] IsProtectedProcess : 0x0 [Type: unsigned char]
[ 0x003 ( 2: 2)] IsLegacyProcess : 0x0 [Type: unsigned char]
[ 0x003 ( 3: 3)] IsImageDynamicallyRelocated : 0x1 [Type: unsigned char]
[ 0x003 ( 4: 4)] SkipPatchingUser32Forwarders : 0x0 [Type: unsigned char]
[ 0x003 ( 7: 5)] SpareBits : 0x0 [Type: unsigned char]
[ 0x004] Mutant : 0xffffffff [Type: void *]
[ 0x008] ImageBaseAddress : 0x11d0000 [Type: void *]
[ 0x00c] Ldr : 0x77190200 [Type: _PEB_LDR_DATA *] // the structure used for module hiding
[ 0x010] ProcessParameters : 0x7216d0 [Type: _RTL_USER_PROCESS_PARAMETERS *]
[ 0x014] SubSystemData : 0x0 [Type: void *]
[ 0x018] ProcessHeap : 0x720000 [Type: void *]
[ 0x01c] FastPebLock : 0x77192100 [Type: _RTL_CRITICAL_SECTION *]
[ 0x020] AtlThunkSListPtr : 0x0 [Type: void *]
[ 0x024] IFEOKey : 0x0 [Type: void *]
[ 0x028] CrossProcessFlags : 0x2 [Type: unsigned long]
[ 0x028 ( 0: 0)] ProcessInJob : 0x0 [Type: unsigned long]
[ 0x028 ( 1: 1)] ProcessInitializing : 0x1 [Type: unsigned long]
[ 0x028 ( 2: 2)] ProcessUsingVEH : 0x0 [Type: unsigned long]
[ 0x028 ( 3: 3)] ProcessUsingVCH : 0x0 [Type: unsigned long]
[ 0x028 ( 4: 4)] ProcessUsingFTH : 0x0 [Type: unsigned long]
[ 0x028 (31: 5)] ReservedBits0 : 0x0 [Type: unsigned long]
[ 0x02c] KernelCallbackTable : 0x0 [Type: void *]
[ 0x02c] UserSharedInfoPtr : 0x0 [Type: void *]
[ 0x030] SystemReserved [Type: unsigned long [1]]
[ 0x034] AtlThunkSListPtr32 : 0x0 [Type: unsigned long]
[ 0x038] ApiSetMap : 0x40000 [Type: void *]
[ 0x03c] TlsExpansionCounter : 0x0 [Type: unsigned long]
[ 0x040] TlsBitmap : 0x77194250 [Type: void *]
[ 0x044] TlsBitmapBits [Type: unsigned long [2]]
[ 0x04c] ReadOnlySharedMemoryBase : 0x7efe0000 [Type: void *]
[ 0x050] HotpatchInformation : 0x0 [Type: void *]
[ 0x054] ReadOnlyStaticServerData : 0x7efe0a90 [Type: void * *]
[ 0x058] AnsiCodePageData : 0x7efa0000 [Type: void *]
[ 0x05c] OemCodePageData : 0x7efa0000 [Type: void *]
[ 0x060] UnicodeCaseTableData : 0x7efd0028 [Type: void *]
[ 0x064] NumberOfProcessors : 0x8 [Type: unsigned long]
[ 0x068] NtGlobalFlag : 0x70 [Type: unsigned long]
[ 0x070] CriticalSectionTimeout : {-25920000000000} [Type: _LARGE_INTEGER]
[ 0x078] HeapSegmentReserve : 0x100000 [Type: unsigned long]
[ 0x07c] HeapSegmentCommit : 0x2000 [Type: unsigned long]
[ 0x080] HeapDeCommitTotalFreeThreshold : 0x10000 [Type: unsigned long]
[ 0x084] HeapDeCommitFreeBlockThreshold : 0x1000 [Type: unsigned long]
[ 0x088] NumberOfHeaps : 0x1 [Type: unsigned long]
[ 0x08c] MaximumNumberOfHeaps : 0x10 [Type: unsigned long]
[ 0x090] ProcessHeaps : 0x77194760 [Type: void * *]
[ 0x094] GdiSharedHandleTable : 0x0 [Type: void *]
[ 0x098] ProcessStarterHelper : 0x0 [Type: void *]
[ 0x09c] GdiDCAttributeList : 0x0 [Type: unsigned long]
[ 0x0a0] LoaderLock : 0x771920c0 [Type: _RTL_CRITICAL_SECTION *]
[ 0x0a4] OSMajorVersion : 0x6 [Type: unsigned long]
[ 0x0a8] OSMinorVersion : 0x1 [Type: unsigned long]
[ 0x0ac] OSBuildNumber : 0x1db1 [Type: unsigned short]
[ 0x0ae] OSCSDVersion : 0x100 [Type: unsigned short]
[ 0x0b0] OSPlatformId : 0x2 [Type: unsigned long]
[ 0x0b4] ImageSubsystem : 0x3 [Type: unsigned long]
[ 0x0b8] ImageSubsystemMajorVersion : 0x6 [Type: unsigned long]
[ 0x0bc] ImageSubsystemMinorVersion : 0x0 [Type: unsigned long]
[ 0x0c0] ActiveProcessAffinityMask : 0xff [Type: unsigned long]
[ 0x0c4] GdiHandleBuffer [Type: unsigned long [34]]
[ 0x14c] PostProcessInitRoutine : 0x0 [Type: void (*)()]
[ 0x150] TlsExpansionBitmap : 0x77194248 [Type: void *]
[ 0x154] TlsExpansionBitmapBits [Type: unsigned long [32]]
[ 0x1d4] SessionId : 0x1 [Type: unsigned long]
[ 0x1d8] AppCompatFlags : {0x0} [Type: _ULARGE_INTEGER]
[ 0x1e0] AppCompatFlagsUser : {0x0} [Type: _ULARGE_INTEGER]
[ 0x1e8] pShimData : 0x0 [Type: void *]
[ 0x1ec] AppCompatInfo : 0x0 [Type: void *]
[ 0x1f0] CSDVersion : "Service Pack 1" [Type: _UNICODE_STRING]
[ 0x1f8] ActivationContextData : 0x60000 [Type: _ACTIVATION_CONTEXT_DATA *]
[ 0x1fc] ProcessAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[ 0x200] SystemDefaultActivationContextData : 0x50000 [Type: _ACTIVATION_CONTEXT_DATA *]
[ 0x204] SystemAssemblyStorageMap : 0x0 [Type: _ASSEMBLY_STORAGE_MAP *]
[ 0x208] MinimumStackCommit : 0x0 [Type: unsigned long]
[ 0x20c] FlsCallback : 0x0 [Type: _FLS_CALLBACK_INFO *]
[ 0x210] FlsListHead [Type: _LIST_ENTRY]
[ 0x218] FlsBitmap : 0x77194240 [Type: void *]
[ 0x21c] FlsBitmapBits [Type: unsigned long [4]]
[ 0x22c] FlsHighIndex : 0x0 [Type: unsigned long]
[ 0x230] WerRegistrationData : 0x0 [Type: void *]
[ 0x234] WerShipAssertPtr : 0x0 [Type: void *]
[ 0x238] pContextData : 0x70000 [Type: void *]
[ 0x23c] pImageHeaderHash : 0x0 [Type: void *]
[ 0x240] TracingFlags : 0x0 [Type: unsigned long]
[ 0x240 ( 0: 0)] HeapTracingEnabled : 0x0 [Type: unsigned long]
[ 0x240 ( 1: 1)] CritSecTracingEnabled : 0x0 [Type: unsigned long]
[ 0x240 (31: 2)] SpareTracingBits : 0x0 [Type: unsigned long]
As you can see, the byte at offset 2 is the flag indicating whether the process is being debugged. We can make use of this flag; see the code below.
2. Concrete code implementation
// PEB反调试.cpp : Defines the entry point for the console application.
//
// Note: the __asm block is MSVC 32-bit inline assembly and does not build for x64,
// where the PEB pointer lives at gs:[0x60] instead.
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>

int main()
{
    DWORD dwIsDebug = 0;
    // dwIsDebug = ::IsDebuggerPresent(); IsDebuggerPresent reads exactly this PEB flag.
    __asm
    {
        mov eax, fs:[0x18]              ; TEB (fs:[0x18] holds the TEB's self pointer)
        mov eax, [eax + 0x30]           ; PEB
        movzx eax, byte ptr [eax + 2]   ; BeingDebugged
        mov dwIsDebug, eax
    }
    if (1 == dwIsDebug)
    {
        printf("你的程序正在被调试\r\n");   // "Your program is being debugged"
        getchar();
    }
    else
    {
        printf("你的程序没有被调试\r\n");   // "Your program is not being debugged"
        getchar();
    }
    return 0;
}
The operating system also provides an API for exactly this check, IsDebuggerPresent. Internally it simply reads the same PEB flag, which anyone interested can confirm by disassembling it.
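As an added example (not code from the original post), the C program below reproduces the three-step walk of the __asm block (fs:[0x18] -> TEB, TEB+0x30 -> PEB, PEB+2) over a constructed 32-bit memory image, so it compiles and runs on any platform; the TEB/PEB addresses and the image layout are constructed assumptions, with the PEB's first four bytes taken from the dump above. It also shows the caveat that the check trusts a single writable byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed virtual addresses for this example; real ones vary per process. */
#define TEB_VA 0x7efdd000u
#define PEB_VA 0x7efde000u
#define PAGE   0x1000u

/* Minimal flat 32-bit "address space": one page for the TEB, one for the PEB. */
typedef struct { uint8_t teb[PAGE]; uint8_t peb[PAGE]; } image_t;

static uint8_t *va_to_host(image_t *img, uint32_t va) {
    if (va >= TEB_VA && va < TEB_VA + PAGE) return img->teb + (va - TEB_VA);
    if (va >= PEB_VA && va < PEB_VA + PAGE) return img->peb + (va - PEB_VA);
    return NULL; /* unmapped: a real CPU would fault here */
}
/* Little-endian 32-bit load/store, like `mov eax, [addr]` on x86. */
static uint32_t read32(image_t *img, uint32_t va) {
    const uint8_t *p = va_to_host(img, va);
    if (!p) return 0;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void write32(image_t *img, uint32_t va, uint32_t v) {
    uint8_t *p = va_to_host(img, va);
    for (int i = 0; p && i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* Lay the image out like the dump above: PEB+0 InheritedAddressSpace=0,
 * +1 ReadImageFileExecOptions=0, +2 BeingDebugged, +3 BitField=8.  TEB+0x18
 * holds the TEB's self pointer (what fs:[0x18] yields), TEB+0x30 the PEB. */
static void build_image(image_t *img, uint8_t being_debugged) {
    memset(img, 0, sizeof *img);
    write32(img, TEB_VA + 0x18, TEB_VA);
    write32(img, TEB_VA + 0x30, PEB_VA);
    img->peb[2] = being_debugged;
    img->peb[3] = 0x08;
}
/* The same three steps as the __asm block: fs:[0x18] -> TEB, TEB+0x30 -> PEB,
 * then the byte at PEB+2.  On real x86 the fs base is the TEB address. */
static int peb_being_debugged(image_t *img, uint32_t fs_base) {
    uint32_t teb = read32(img, fs_base + 0x18);
    uint32_t peb = read32(img, teb + 0x30);
    const uint8_t *flag = va_to_host(img, peb + 2);
    return flag ? *flag : -1;
}
/* Caveat: the check trusts one writable byte.  A debugger's hide plugin clears
 * it, and both this walk and IsDebuggerPresent then report "not debugged". */
static void clear_being_debugged(image_t *img) { img->peb[2] = 0; }
```

Call build_image(&img, 1) followed by peb_being_debugged(&img, TEB_VA) to get 1, then clear_being_debugged(&img) to see the same walk return 0.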
3. Results
Started under x32dbg
Started normally