Some of this I collected myself, some was collected by others. There is a lot more out there; go look around yourself. If you dig up more, let me know too.
Anti-Debug
1. MeltICE variant
Type: detects SoftICE, TRW2000
Platform: Windows 9x, Windows NT
Principle: use CreateFileA() or _lopen() to try to obtain a handle to one of SoftICE's drivers: "\\.\SICE" (Windows 9x version), "\\.\SIWDEBUG", "\\.\NTICE" (Windows NT version), "\\.\SIWVID", and so on. If the open succeeds, SoftICE is resident in memory.
2. VWIN32_Int41Dispatch variant
Type: detects SoftICE
Platform: Windows 9x
Principle: VWIN32.VxD (VxD ID 0x002A) exports a VxD service named VWIN32_Int41Dispatch (service ID 0x002A), which the system kernel uses to communicate with system-level debuggers such as WinDBG and SoftICE. Subfunction 0x4F asks whether a debugger is resident and able to handle protected-mode programs; if so, the debugger must answer with 0xF386.
3. Sending commands to SoftICE
Type: detects SoftICE
Platform: Windows 9x, Windows NT
Principle: commands are sent to SoftICE through the debug interrupt INT 3, with SI and DI holding the fixed values 0x4647 ("FG") and 0x4A4D ("JM"). AX holds the subfunction number; 0x0911 makes SoftICE execute a command, with DX pointing to a command string such as "HBOOT". Other subfunction values make SoftICE do other things, such as changing breakpoint settings. If SoftICE is not resident, the INT 3 is just an ordinary breakpoint exception, so this check also needs an exception handler around it.
4. BoundsChecker backdoor
Type: detects SoftICE
Platform: Windows 9x, Windows NT
Principle: this is a public interface SoftICE provides for BoundsChecker. The entry parameters are EBP = 0x4243484B ("BCHK") and AL = 4, followed by INT 3; if SoftICE is in memory it returns AL = 0.
This method normally has to be wrapped in SEH (structured exception handling), because the INT 3 causes an illegal-operation fault when SoftICE is not present.
5. ICECream variant
Type: detects SoftICE, TRW2000
Platform: Windows 9x
Principle: once resident, the debugger patches the INT 1 and INT 3 entries of the interrupt descriptor table (read with SIDT) to point at its own handlers, so the high word of the handler offset in those two entries differs from the other interrupts, whose entries all share the same high word.
6. INT 68h variant
Type: detects SoftICE
Platform: Windows 9x
Principle:
MOV AH, 43h
INT 68h
CMP AX, 0F386h ; a resident debugger answers the installation check with 0F386h
JZ SoftICE_is_here
7. Searching for signature strings
Type: detects SoftICE
Platform: Windows 9x
Principle: find SoftICE by searching memory for one of its signature strings, for example "WINICE.BR". This generally has to be combined with SEH so that a memory-protection fault does not terminate the program. The method was workable under DOS; since Windows 95, every ring-3 process has its own address space, which limits it.
8. IsDebuggerPresent variant
Type: detects SoftICE
Platform: Windows NT
Principle: call IsDebuggerPresent(), exported by kernel32.dll, to test whether a debugger is attached. The function only detects debuggers that trace the program through the Debug API (it reads the BeingDebugged flag in the process's PEB); it cannot see a system-level debugger such as SoftICE.
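As an added example (not code from the original page), here is what a MeltICE-style probe from item 1 looks like in C. The device names are the ones listed above; the probe takes the "open device" step as a callback so the loop can be exercised off Windows with a constructed stub, and the real CreateFileA opener is compiled only on Windows. Treating ERROR_ACCESS_DENIED as a hit is a common refinement and an assumption here, not something the page states.

```c
/* Added example: MeltICE-style driver probe (not code from the original page).
 * Tries to open SoftICE's device names; a successful open means the driver is
 * loaded. The probe takes the opener as a parameter so the logic can be run
 * off Windows with a constructed stub; CreateFileA is only compiled on Windows. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Returns nonzero if the named device could be opened (or exists but refused us). */
typedef int (*device_opener)(const char *name);

/* Device names from the text; "\\.\X" needs doubled backslashes in a C string. */
const char *const SOFTICE_DEVICES[] = {
    "\\\\.\\SICE",     /* SoftICE for Windows 9x */
    "\\\\.\\SIWVID",   /* SoftICE video driver */
    "\\\\.\\SIWDEBUG",
    "\\\\.\\NTICE",    /* SoftICE for Windows NT */
    NULL
};

/* Walk the list; return the 1-based index of the first device that answers, 0 if none. */
int softice_probe(const char *const *names, device_opener open)
{
    for (int i = 0; names[i] != NULL; i++) {
        if (open(names[i]))
            return i + 1;
    }
    return 0;
}

#ifdef _WIN32
/* Real opener: CreateFileA on the device path. A handle means the driver is there.
 * Assumption (a common refinement, not from the page): ERROR_ACCESS_DENIED also
 * means the device exists, so it is treated as a hit too. */
int win_open_device(const char *name)
{
    HANDLE h = CreateFileA(name, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h != INVALID_HANDLE_VALUE) {
        CloseHandle(h);
        return 1;
    }
    return GetLastError() == ERROR_ACCESS_DENIED;
}
#endif

/* Constructed stub standing in for a machine where only NTICE is loaded. */
int fake_open_ntice_only(const char *name)
{
    return strcmp(name, "\\\\.\\NTICE") == 0;
}

/* Constructed stub for a clean machine: nothing opens. */
int fake_open_nothing(const char *name)
{
    (void)name;
    return 0;
}

int main(void)
{
#ifdef _WIN32
    int hit = softice_probe(SOFTICE_DEVICES, win_open_device);
#else
    int hit = softice_probe(SOFTICE_DEVICES, fake_open_ntice_only);
#endif
    if (hit)
        printf("SoftICE driver present: %s\n", SOFTICE_DEVICES[hit - 1]);
    else
        printf("no SoftICE driver found\n");
    return 0;
}
```

Opening the device is all the check needs; do not keep the handle around, since a held handle to SIWVID can itself interfere with the debugger and makes the probe easy to spot in a handle list.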
Some more that I collected, rather disorganized:
check daemon.anticrack.de
RDTSC trick
CreateToolhelp32Snapshot,Process32First,Process32Next
FS:[20] trick (SEH? not sure about this one)
Calling GetProcAddress twice with the same parameters and comparing the returned addresses of the APIs. If no application-level debugger is present, they should be equal.
Causing intentional exceptions at a high rate (e.g. in the WinMain loop) will make a debugger hang and keep the cracker busy for some time. (Xacker has a crackme that uses this.)
As we all know, Turbo Debugger sets all general registers to 0. When we perform some operation like
xor cx, bp            ; under TD both registers start out as 0, so CX stays 0
... some code not affecting cx
cmp cx, 93Eh
jne TD_is_here
... no debugger here
this way we can easily escape from the debugger.
RDTSC is an asm instruction (ReaD Time Stamp Counter). It reads the 64-bit value in the TSC register and puts it in the EAX/EDX registers. The TSC register is incremented at each CPU cycle (if I remember correctly, EDX is the high DWORD and EAX is the low DWORD).
When you're in a debugger, it takes more time to execute each instruction (and sometimes you break or step, so it takes even more time). If you place an RDTSC instruction between two blocks of code and compare the two values, and the difference is too high, it means the code has been debugged.
Warning: you must put the CPUID instruction before using RDTSC, otherwise it could lead to strange results. The CPUID instruction ensures that all preceding instructions have been executed (see Intel's manual for more explanation).
The CreateToolhelp32Snapshot API takes a snapshot (as its name implies) of all the processes running at a given time (in fact, when the snapshot is taken). You can retrieve a lot of information with this API (use it in conjunction with Process32First and Process32Next). For example, if OllyDbg is running, you can know it, and then do something about it (like exiting your app, killing OllyDbg, displaying a warning, etc.). It's up to you to do what you want...
Hope it helps.
Regards, Neitsa.
Mainly covers the use of the RDTSC instruction and the CreateToolhelp32Snapshot function. Makes a lot of sense.
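To make the RDTSC advice above concrete, the following C is an added example, not part of the original post or Neitsa's message. It reads the TSC with CPUID in front of it (as the note recommends), times a block of work, and compares the delta with a threshold calibrated from a few undebugged runs. The LCG "work", the headroom factor and the clock_gettime fallback for non-x86 machines are assumptions made for the demonstration; the threshold has to be recalibrated on each target machine.

```c
/* Added example (not from the original post): RDTSC timing check with CPUID
 * serialization. On x86 it reads the TSC with CPUID in front so that earlier
 * instructions have retired; elsewhere it falls back to a monotonic clock so
 * the comparison logic still runs. Threshold and work are assumptions. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
/* Serialized TSC read: CPUID waits for everything before it to retire, so the
   RDTSC that follows is not reordered ahead of the block being timed. */
static inline uint64_t read_tsc_serialized(void)
{
    unsigned int a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
    return __rdtsc();          /* EDX:EAX, EDX being the high dword */
}
#else
/* Fallback for non-x86 machines (assumption: a POSIX monotonic clock exists):
   nanoseconds instead of TSC ticks, same comparison logic. */
static inline uint64_t read_tsc_serialized(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* The code a cracker would have to step through; volatile so it is not folded away.
   A plain LCG stands in for the real protected routine. */
static uint32_t guarded_work(uint32_t seed, int rounds)
{
    volatile uint32_t x = seed;
    for (int i = 0; i < rounds; i++)
        x = x * 1103515245u + 12345u;
    return x;
}

/* Time guarded_work between two serialized TSC reads. Returns the delta in TSC
   ticks (nanoseconds on the fallback path) and the work's result via *result. */
uint64_t measure_guarded_work(uint32_t seed, int rounds, uint32_t *result)
{
    uint64_t t0 = read_tsc_serialized();
    uint32_t r = guarded_work(seed, rounds);
    uint64_t t1 = read_tsc_serialized();
    if (result)
        *result = r;
    return t1 - t0;
}

/* Decision: a delta far above the block's normal cost means someone stepped or
   broke inside it. */
int looks_debugged(uint64_t delta, uint64_t threshold)
{
    return delta > threshold;
}

/* Calibrate on an undebugged run: take the smallest of several measurements and
   allow a generous multiple, so interrupts and context switches do not trip it. */
uint64_t calibrate_threshold(int rounds, int samples, unsigned headroom_factor)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t d = measure_guarded_work(1u, rounds, NULL);
        if (d < best)
            best = d;
    }
    return best * headroom_factor;
}

int main(void)
{
    uint64_t threshold = calibrate_threshold(1000, 20, 50);
    uint32_t r;
    uint64_t d = measure_guarded_work(7u, 1000, &r);
    printf("delta=%llu threshold=%llu -> %s\n",
           (unsigned long long)d, (unsigned long long)threshold,
           looks_debugged(d, threshold) ? "debugger suspected" : "clean");
    return 0;
}
```

Two practical caveats: the two reads must come from the same core (pin the thread, or the TSCs of different cores may disagree), and the headroom must absorb ordinary interrupts, since a stray context switch inside the block looks exactly like a short pause in a debugger. Single-stepping through even a thousand iterations inflates the delta by many orders of magnitude, so a generous factor costs nothing in detection power.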
http://bcg.9sky.net/Article_Show.asp?ArticleID=285
Example of removing a program's anti-debugging features
http://bbs.pediy.com/showthread.php?s=&postid=31451#post31451
http://bbs.pediy.com/showthread.php?s=&threadid=5635&perpage=15&pagenumber=1
A breakpoint tool written by Lao Luo. I think it can deal with some of these anti-debug tricks.