[Help] What kind of detection is this? Code included. My English is poor.
Posted: 2012-12-29 08:26 (6559)
Once the location of the TIB is found, the offset 0xBFC from the start of the TIB is read and the pointer checked. If this value is 0x00000C00 we then read the string at offset 0xC00 and compare this value to the Unicode string "HookSwitchHookEnabledEvent". We check the pointer to ensure that we have a string located at the pointed-to address and as a second level of assurance for the accuracy of this method. If we pass this final test we can be sure that our process running under Windows Vista was started from within a debugger.

#include <windows.h>
#include <stddef.h>
#include <wchar.h>

int main(void) {
    /* Vista-only heuristic: when the process is debugged, TEB+0xBFC holds a
       pointer to a Unicode string that sits immediately after it (TEB+0xC00). */
    const wchar_t *hookStr = L"HookSwitchHookEnabledEvent";
    BYTE *TIB = (BYTE *)NtCurrentTeb();
    wchar_t **strPtr = (wchar_t **)(TIB + 0xBFC);
    /* Distance from the pointer slot to the address it points at */
    ptrdiff_t delta = (BYTE *)*strPtr - (BYTE *)strPtr;
    if (delta == 0x04) {
        if (wcscmp(*strPtr, hookStr) == 0) {
            MessageBoxW(NULL, L"Debugger Detected Via Vista TEB System DLL PTR", L"Debugger Detected", MB_OK);
        } else {
            MessageBoxW(NULL, L"No Debugger Detected", L"No Debugger", MB_OK);
        }
    } else {
        MessageBoxW(NULL, L"No Debugger Detected", L"No Debugger", MB_OK);
    }
    return 0;
}


Latest replies (6)
#2
What it means is that while debugged, the strPtr pointer here points to the location of the pointer itself + 0x04, and the contents at that pointed-to location must be the Unicode string "HookSwitchHookEnabledEvent".
When not debugged: if the distance between the address the pointer points to and strPtr is not 0x04, it is the non-debugged state; and if it is 0x04, then what is stored at that address still won't be HookSwitchHookEnabledEvent, right?
2012-12-29 08:36
#3
On Vista, if the program is opened and run with a debugger, the system will automatically change the name of KERNEL32.DLL in the main thread's environment context to HookSwitchHookEnabledEvent.
2012-12-29 08:46
#4
Could HookSwitchHookEnabledEvent be the problem? The code you are debugging inside apparently can't be debugged on Vista, which is why it turns out like this. Try it on an XP system.
2012-12-29 09:46
#5
Could it be that the code above makes use of a Vista feature?
2012-12-29 10:29
#6
There is an introduction to Vista debugger detection on the Symantec site, but it doesn't say that the Unicode string must be "HookSwitchHookEnabledEvent"; it can be a system DLL name.
http://www.symantec.com/connect/articles/windows-anti-debug-reference

(5) Vista anti-debug (no name)

Here's an anti-debug specific to Windows Vista that I found by comparing memory dumps of a program running with and without control of a debugger. I'm not sure of its reliability, but it's worth mentioning (tested on Windows Vista 32-bit, SP0, English version).

When a process is debugged, its main thread TEB, at offset 0xBFC, contains a pointer to a unicode string referencing a system dll. Moreover, the string follows this pointer (therefore, located at offset 0xC00 in the TEB). If the process is not debugged, the pointer is set to NULL and the string is not present.

Example:
call GetVersion
cmp al, 6
jne @NotVista
push offset _seh
push dword fs:[0]
mov fs:[0], esp
mov eax, fs:[18h] ; teb
add eax, 0BFCh
mov ebx, [eax] ; pointer to a unicode string
test ebx, ebx ; (ntdll.dll, gdi32.dll,...)
je @DebuggerNotFound
sub ebx, eax ; the unicode string follows the
sub ebx, 4 ; pointer
jne @DebuggerNotFound
;debugger detected if it reaches this point
2012-12-29 11:56
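Added worked example (mine, not code from the thread or the Symantec article) for replies #2 and #6: it runs both tests discussed here, the article's pointer-only layout test and the thread starter's extra string compare, over constructed 32-bit TEB images, showing that a string such as ntdll.dll passes the first but fails the second. The offsets 0xBFC/0xC00 and the pointer-followed-by-string layout come from the posts; the TEB base address, the DLL names and the byte images are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a 32-bit Vista TEB image (not a real dump): only
   the pointer slot at 0xBFC and the UTF-16LE string at 0xC00 are populated. */
#define TEB_SIZE   0x1000
#define PTR_OFFSET 0xBFC
#define STR_OFFSET 0xC00
#define HOOK_STR   "HookSwitchHookEnabledEvent"
/* Fill teb as if it lived at virtual address base. name == NULL models the
   non-debugged case (slot left NULL); otherwise the slot points 4 bytes past
   itself and name is stored there as UTF-16LE, as the article describes. */
static void build_teb(uint8_t *teb, uint32_t base, const char *name)
{
    memset(teb, 0, TEB_SIZE);
    if (name == NULL) return;
    uint32_t str_va = base + STR_OFFSET;              /* string follows the slot */
    for (int i = 0; i < 4; i++) teb[PTR_OFFSET + i] = (uint8_t)(str_va >> (8 * i));
    for (size_t i = 0; name[i]; i++) teb[STR_OFFSET + 2 * i] = (uint8_t)name[i];
}

/* Reply #6's assembly in C: non-NULL slot whose value is its own address + 4. */
static int layout_indicates_debugger(const uint8_t *teb, uint32_t base)
{
    const uint8_t *p = teb + PTR_OFFSET;
    uint32_t ptr = p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
    return ptr != 0 && ptr - (base + PTR_OFFSET) == 4;
}

/* The thread starter's stricter variant: 0 = no debugger, 1 = layout matches
   but the string is some other system DLL name, 2 = exact HOOK_STR match. */
static int op_style_check(const uint8_t *teb, uint32_t base)
{
    if (!layout_indicates_debugger(teb, base)) return 0;
    const uint8_t *s = teb + STR_OFFSET;
    for (size_t i = 0; ; i++) {
        uint16_t c = (uint16_t)(s[2 * i] | (s[2 * i + 1] << 8));
        if (c != (uint8_t)HOOK_STR[i]) return 1;
        if (c == 0) return 2;
    }
}

/* One scenario per call: build the image at a constructed address, classify it. */
static int classify(const char *name)
{
    uint8_t teb[TEB_SIZE];
    build_teb(teb, 0x7FFDF000u, name);
    return op_style_check(teb, 0x7FFDF000u);
}
```

A result of 1 is the case reply #6 points at: the TEB layout matches the article's description, yet the original code's wcscmp against the fixed string reports "No Debugger".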
#7
Google really is the best after all.
2012-12-29 13:19