04-标志位
01-NtGlobalFlag
默认条件下,PEB(进程环境块)中的 NtGlobalFlag 字段(32位进程偏移 0x68,64位进程偏移 0xBC)的值为 0;当进程是由调试器创建(启动)的时候,系统会在进程初始化阶段把它设置为 0x70。注意两点:先运行、再由调试器附加的进程不会设置这些位;反过来,通过 gflags 或 IFEO(Image File Execution Options)里的 GlobalFlag 也可以在没有调试器的情况下设置它们,所以该值只是一个启发式判据,不是调试器存在的证明。
调试状态的时候,下面标志位会被设置
FLG_HEAP_ENABLE_TAIL_CHECK (0x10)
FLG_HEAP_ENABLE_FREE_CHECK (0x20)
FLG_HEAP_VALIDATE_PARAMETERS (0x40)
NtGlobalFlag 等于上面三个标志位按位或(OR)运算的结果:0x10 | 0x20 | 0x40 = 0x70(不是与运算,与运算的结果是 0)
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#define FLG_HEAP_ENABLE_TAIL_CHECK 0x10
#define FLG_HEAP_ENABLE_FREE_CHECK 0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define NT_GLOBAL_FLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)
#pragma comment (lib, "user32.lib")
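/*
 * Read PEB->NtGlobalFlag of the current process and report whether the three
 * heap-debugging flags (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
 * FLG_HEAP_VALIDATE_PARAMETERS == NT_GLOBAL_FLAG_DEBUGGED, 0x70) are set.
 *
 * Windows sets these bits when the process is *created* by a debugger; they are
 * not set when a debugger attaches later, and they can also be set without any
 * debugger through gflags / IFEO, so a non-zero result is a heuristic, not proof.
 *
 * Shows a message box with the verdict (kept from the original demo) and
 * returns the masked bits: non-zero when the debugger flags are present,
 * 0 otherwise (the original always returned 0 and discarded the result).
 */
DWORD checkNtGlobalFlag() {
    /* The PEB pointer and the NtGlobalFlag offset depend on the bitness:
     *   x64: TEB at gs:[0], PEB pointer at gs:[0x60], NtGlobalFlag at PEB+0xBC
     *   x86: TEB at fs:[0], PEB pointer at fs:[0x30], NtGlobalFlag at PEB+0x68
     * NtGlobalFlag is not part of the public PEB layout in <winternl.h>, so the
     * field is reached by raw offset. */
#if defined(_WIN64) || defined(__x86_64__)
    PPEB ppeb = (PPEB)__readgsqword(0x60);
    const SIZE_T ntGlobalFlagOffset = 0xBC;
#elif defined(_M_IX86) || defined(__i386__)
    PPEB ppeb = (PPEB)__readfsdword(0x30);
    const SIZE_T ntGlobalFlagOffset = 0x68;
#else
#error "checkNtGlobalFlag: unsupported architecture (x86/x64 only)"
#endif
    DWORD myNtGlobalFlag = *(PDWORD)((PBYTE)ppeb + ntGlobalFlagOffset);
    /* Only the three heap flags are meaningful here; other bits may be set by
     * gflags/IFEO and must not be mistaken for a debugger. */
    DWORD debugBits = myNtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED;

    MessageBox(NULL, debugBits ? "Bow-wow!" : "Meow-meow!", "=^..^=", MB_OK);
    return debugBits;
}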
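/*
 * Entry point of the NtGlobalFlag demo.
 *
 * Runs checkNtGlobalFlag() and turns its result into the exit status: 1 when the
 * check returned a non-zero value, 0 otherwise. The original stored the result in
 * an unused variable (dead store, -Wunused-variable); using it as the exit code
 * also lets the demo be scripted, like the ProcessDebugFlags demo below.
 * argc/argv are not used.
 */
int main(int argc, char* argv[]) {
    (void)argc;
    (void)argv;
    DWORD check = checkNtGlobalFlag();
    return check != 0 ? 1 : 0;
}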
编译
x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
windows10上用调试器加载运行
02-ProcessDebugFlags
通过 NtQueryInformationProcess 查询 ProcessDebugFlags(信息类 0x1f):内核返回的是 EPROCESS 中 NoDebugInherit 标志的取反值,因此返回值为 0 说明进程正处于调试状态。注意该检查非常常见,容易被调试器的反反调试插件通过挂钩 NtQueryInformationProcess 直接绕过。
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
// Prototype of ntdll!NtQueryInformationProcess, resolved at run time with
// GetProcAddress in DebuggerCheck() instead of being linked against an import
// library. The information class is declared as a plain DWORD so that the value
// 0x1f (ProcessDebugFlags) can be passed without depending on the
// PROCESSINFOCLASS enum in <winternl.h>, which may not name it.
typedef NTSTATUS(NTAPI *fNtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN DWORD ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength
);
// Function to check if a debugger is present
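// Returns true when the ProcessDebugFlags information class (0x1f) reports 0.
// The kernel returns the inverse of EPROCESS.NoDebugInherit for this class, so 0
// means the process is currently being debugged.
//
// Returns false both when no debugger is detected and when the query could not be
// performed at all (ntdll handle or export missing, NtQueryInformationProcess
// failing). The original code called a possibly-NULL function pointer and then
// read an uninitialized DWORD on failure; this version fails open instead.
//
// This is a well-known check and is commonly neutralized by debugger plugins that
// hook NtQueryInformationProcess.
bool DebuggerCheck() {
    const DWORD ProcessDebugFlags = 0x1f;

    // ntdll.dll is mapped into every user-mode process, so the existing module
    // handle is enough; no LoadLibrary (and no extra reference) is needed.
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    if (nt == NULL) {
        return false;
    }

    fNtQueryInformationProcess myNtQueryInformationProcess = (fNtQueryInformationProcess)
        GetProcAddress(nt, "NtQueryInformationProcess");
    if (myNtQueryInformationProcess == NULL) {
        return false;
    }

    // Initialized so a failed call can never be mistaken for "0 == debugged".
    DWORD rProcDebugFlags = 0;
    // ReturnLength is optional for this call and not needed here.
    NTSTATUS status = myNtQueryInformationProcess(GetCurrentProcess(), ProcessDebugFlags,
        &rProcDebugFlags, sizeof(rProcDebugFlags), NULL);
    // NT_SUCCESS(status) is status >= 0; the macro is not in <windows.h> alone.
    if (status < 0) {
        return false;
    }

    return rProcDebugFlags == 0;
}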
// Function that simulates the main functionality
// Stand-in for the program's real payload: it only pops a message box.
void hack() {
    const char *text = "Meow!";
    const char *caption = "=^..^=";
    MessageBox(NULL, text, caption, MB_OK);
}
// Entry point: run the payload only when DebuggerCheck() does not report a
// debugger. Exit status is 1 when a debugger is detected, 0 otherwise.
int main() {
    if (!DebuggerCheck()) {
        hack();
        return 0;
    }
    // Debugger detected: announce it and bail out without running the payload.
    MessageBox(NULL, "Bow-wow!", "=^..^=", MB_OK);
    return 1;
}
编译
x86_64-w64-mingw32-g++ -O2 hack2.c -o hack2.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
windows10上调试器运行
原文始发于微信公众号(高级红队专家):【MalDev-07】Anti-Debugging反调试-3
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。