先推荐一下上一篇帖子
巧妙利用SEH异常链AntiDebug及Od反AntiDebug:
http://bbs.pediy.com/showthread.php?p=1403799#post1403799
准备了四篇帖子吧
●
bool PEB_BegingDebugged()
{
    // Reads PEB.BeingDebugged, the byte at offset 0x02 of the PEB (whose
    // address is FS:[0x30] in a 32-bit process) and returns true when it is
    // non-zero. The byte sits in memory the process itself can write, so it
    // can be cleared by the program or by debugger tooling; a false result
    // means "not detected", not "not debugged".
    bool BegingDebugged = false;
    __asm
    {
        mov   ecx, dword ptr fs:[0x30]      ; ecx = PEB*
        movzx eax, byte ptr ds:[ecx+0x02]   ; eax = PEB.BeingDebugged, zero-extended
        mov   BegingDebugged, al            ; copy the low byte into the local
    }
    return BegingDebugged;
}
CPU Disasm
地址 十六进制数据 指令 注释
00361440 55 PUSH EBP ; INT BegingDebugged.wmain(void) ; prologue: save the caller's frame pointer
00361441 8BEC MOV EBP,ESP ; EBP = base of this frame
00361443 81EC C0000000 SUB ESP,0C0 ; reserve 0xC0 bytes of locals
00361449 53 PUSH EBX ; preserve EBX/ESI/EDI (callee-saved on x86 Windows)
0036144A 56 PUSH ESI
0036144B 57 PUSH EDI
0036144C 8DBD 40FFFFFF LEA EDI,[EBP-0C0] ; EDI = start of the local area
00361452 B9 30000000 MOV ECX,30 ; 0x30 dwords = the whole 0xC0-byte local area
00361457 B8 CCCCCCCC MOV EAX,CCCCCCCC ; fill pattern
0036145C F3:AB REP STOS DWORD PTR ES:[EDI] ; fill the locals with 0xCC (NOTE(review): looks like an MSVC debug-build stack fill; confirm build config)
0036145E E8 60FCFFFF CALL 003610C3 ; presumably PEB_BegingDebugged() from the source above; verify target. Result comes back in AL
00361463 0FB6C0 MOVZX EAX,AL ; zero-extend the bool result
[B][COLOR="DarkRed"]00361466 85C0 TEST EAX,EAX ; result == 0 ?
00361468 74 1F JE SHORT 00361489 ; key jump: taken when the check returned false -> "正常运行" box at 00361489; fall-through -> "被调试" box. The whole verdict rests on this single branch
0036146A 8BF4 MOV ESI,ESP ; remember ESP before the API call (checked again below)
0036146C 6A 00 PUSH 0 ; uType = 0
0036146E 68 58583600 PUSH OFFSET 00365858 ; UNICODE "提示" ; lpCaption
00361473 68 60583600 PUSH OFFSET 00365860 ; UNICODE "被调试" ; lpText
00361478 6A 00 PUSH 0 ; hWnd = NULL
0036147A FF15 40933600 CALL DWORD PTR DS:[<&USER32.MessageBoxW> ; MessageBoxW(NULL, L"被调试", L"提示", 0); callee cleans the 4 args
00361480 3BF4 CMP ESI,ESP ; did the callee leave ESP where the caller expects?
00361482 E8 BEFCFFFF CALL 00361145 ; presumably the CRT's ESP-check helper (e.g. _RTC_CheckEsp); confirm
00361487 EB 1D JMP SHORT 003614A6 ; skip the else branch
00361489 8BF4 MOV ESI,ESP ; else branch: check returned false
0036148B 6A 00 PUSH 0 ; uType = 0
0036148D 68 58583600 PUSH OFFSET 00365858 ; UNICODE "提示" ; lpCaption
00361492 68 6C583600 PUSH OFFSET 0036586C ; UNICODE "正常运行" ; lpText
00361497 6A 00 PUSH 0 ; hWnd = NULL
00361499 FF15 40933600 CALL DWORD PTR DS:[<&USER32.MessageBoxW> ; MessageBoxW(NULL, L"正常运行", L"提示", 0)
0036149F 3BF4 CMP ESI,ESP ; same ESP sanity check as above
003614A1 E8 9FFCFFFF CALL 00361145
003614A6 33C0 XOR EAX,EAX[/COLOR][/B] ; common exit: wmain returns 0
003614A8 5F POP EDI ; restore callee-saved registers
003614A9 5E POP ESI
003614AA 5B POP EBX
003614AB 81C4 C0000000 ADD ESP,0C0 ; release the locals
003614B1 3BEC CMP EBP,ESP ; frame sanity check, same helper as above
003614B3 E8 8DFCFFFF CALL 00361145
003614B8 8BE5 MOV ESP,EBP ; epilogue
003614BA 5D POP EBP
003614BB C3 RETN
bool PEB_ProcessHeap()
{
    // Looks at the default process heap (PEB.ProcessHeap, PEB+0x18) and reads
    // its Flags (+0x0C) and ForceFlags (+0x10). An undebugged process is
    // expected to show Flags == 2 (HEAP_GROWABLE) and ForceFlags == 0; any
    // other combination is reported as "debugger present".
    // NOTE(review): the +0x0C/+0x10 field offsets match the Windows XP 32-bit
    // _HEAP layout; later Windows versions moved these fields (0x40/0x44 on
    // Vista and up), so the check must be revalidated per target OS. Heap
    // flags set for other reasons (gflags, app-compat shims) also trip it.
    int heapFlags = 0;
    int heapForceFlags = 0;
    __asm
    {
        mov edx, dword ptr fs:[0x30]        ; edx = PEB*
        mov edx, dword ptr ds:[edx+0x18]    ; edx = PEB.ProcessHeap (_HEAP*)
        mov eax, dword ptr ds:[edx+0x0C]    ; eax = _HEAP.Flags
        mov ecx, dword ptr ds:[edx+0x10]    ; ecx = _HEAP.ForceFlags
        mov heapFlags, eax
        mov heapForceFlags, ecx
    }
    return !(heapFlags == 2 && heapForceFlags == 0);
}
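bool PEB_NtGlobalFlag()
{
    // Reads PEB.NtGlobalFlag (PEB+0x68 in a 32-bit process). When a process is
    // started under a debugger the loader sets the three heap-debug flags
    //   FLG_HEAP_ENABLE_TAIL_CHECK   0x10
    //   FLG_HEAP_ENABLE_FREE_CHECK   0x20
    //   FLG_HEAP_VALIDATE_PARAMETERS 0x40
    // (0x70 together). Returns true when all three are set.
    //
    // Fix: the original compared the whole value against 0x70, so any extra
    // bit present in NtGlobalFlag (e.g. set system-wide through gflags) made
    // the check miss. Masking the three bits first gives the same answer for
    // the plain 0x70 case and only changes the verdict when other bits are
    // also set. Like every PEB field the value is writable by the process and
    // by debugger tooling, so treat it as one weak signal, not a verdict.
    const int HeapDebugFlags = 0x70;
    int NtGlobalFlag = 0;
    __asm
    {
        mov eax, dword ptr fs:[0x30]        ; eax = PEB*
        mov eax, dword ptr ds:[eax+0x68]    ; eax = PEB.NtGlobalFlag
        mov NtGlobalFlag, eax
    }
    return (NtGlobalFlag & HeapDebugFlags) == HeapDebugFlags;
}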
CPU Disasm
地址 十六进制数据 指令 注释
011F1470 55 PUSH EBP ; UNICODE "4" ; (stray OllyDbg annotation) function entry; same shape as the wmain listing above, presumably wmain of the second test program; confirm
011F1471 8BEC MOV EBP,ESP ; EBP = base of this frame
011F1473 81EC C0000000 SUB ESP,0C0 ; reserve 0xC0 bytes of locals
011F1479 53 PUSH EBX ; preserve EBX/ESI/EDI (callee-saved on x86 Windows)
011F147A 56 PUSH ESI
011F147B 57 PUSH EDI
011F147C 8DBD 40FFFFFF LEA EDI,[EBP-0C0] ; EDI = start of the local area
011F1482 B9 30000000 MOV ECX,30 ; 0x30 dwords = the whole 0xC0-byte local area
011F1487 B8 CCCCCCCC MOV EAX,CCCCCCCC ; fill pattern
011F148C F3:AB REP STOS DWORD PTR ES:[EDI] ; fill the locals with 0xCC (NOTE(review): looks like an MSVC debug-build stack fill; confirm build config)
011F148E E8 DAFCFFFF CALL 011F116D ; presumably one of the PEB checks above (PEB_ProcessHeap / PEB_NtGlobalFlag); verify target. Result in AL
011F1493 0FB6C0 MOVZX EAX,AL ; zero-extend the bool result
[COLOR="DarkRed"][B]011F1496 85C0 TEST EAX,EAX ; result == 0 ?
011F1498 74 1F JE SHORT 011F14B9 ; key jump: taken when the check returned false -> "正常运行" box at 011F14B9; fall-through -> "被调试" box. The whole verdict rests on this single branch
011F149A 8BF4 MOV ESI,ESP ; remember ESP before the API call (checked again below)
011F149C 6A 00 PUSH 0 ; uType = 0
011F149E 68 58581F01 PUSH OFFSET 011F5858 ; UNICODE "提示" ; lpCaption
011F14A3 68 60581F01 PUSH OFFSET 011F5860 ; UNICODE "被调试" ; lpText
011F14A8 6A 00 PUSH 0 ; hWnd = NULL
011F14AA FF15 40931F01 CALL DWORD PTR DS:[<&USER32.MessageBoxW> ; MessageBoxW(NULL, L"被调试", L"提示", 0); callee cleans the 4 args
011F14B0 3BF4 CMP ESI,ESP ; did the callee leave ESP where the caller expects?
011F14B2 E8 89FCFFFF CALL 011F1140 ; presumably the CRT's ESP-check helper (e.g. _RTC_CheckEsp); confirm
011F14B7 EB 1D JMP SHORT 011F14D6 ; skip the else branch
011F14B9 8BF4 MOV ESI,ESP ; else branch: check returned false
011F14BB 6A 00 PUSH 0 ; uType = 0
011F14BD 68 58581F01 PUSH OFFSET 011F5858 ; UNICODE "提示" ; lpCaption
011F14C2 68 6C581F01 PUSH OFFSET 011F586C ; UNICODE "正常运行" ; lpText
011F14C7 6A 00 PUSH 0 ; hWnd = NULL
011F14C9 FF15 40931F01 CALL DWORD PTR DS:[<&USER32.MessageBoxW> ; MessageBoxW(NULL, L"正常运行", L"提示", 0)
011F14CF 3BF4 CMP ESI,ESP ; same ESP sanity check as above
011F14D1 E8 6AFCFFFF CALL 011F1140
011F14D6 33C0 XOR EAX,EAX[/B][/COLOR] ; common exit: return 0
011F14D8 5F POP EDI ; restore callee-saved registers
011F14D9 5E POP ESI
011F14DA 5B POP EBX
011F14DB 81C4 C0000000 ADD ESP,0C0 ; release the locals
011F14E1 3BEC CMP EBP,ESP ; frame sanity check, same helper as above
011F14E3 E8 58FCFFFF CALL 011F1140
011F14E8 8BE5 MOV ESP,EBP ; epilogue
011F14EA 5D POP EBP
011F14EB C3 RETN
- 找到 main 函数:
- 找到关键跳转(见红色高亮处):
- 找到 main 函数:
- 找到关键跳转(见红色高亮处):
PEB相关...