Packer Protection Techniques in Detail: the IsDebuggerPresent Anti-Debug Check and Its Anti-Anti
【Author】: XuZhenG 【Author e-mail】: xuzheng1111@126.com
【Author homepage】: http://hi.baidu.com/xuzheng1111
http://xz.bee.pl
【Software】: written by me
【Download】: written by me
【Author's note】: This is purely out of interest, with no other purpose. If I have made mistakes, I ask the experts here to correct me!
If anyone puts this to commercial use and causes the author a loss, I take no responsibility.
--------------------------------------------------------------------------------
【Details】
Preamble:
Today I am writing up a packer's Anti and Anti-Anti: the underlying principle of the IsDebuggerPresent anti-debug check and the method for countering it.
Since I have been reading English documentation a lot lately, the explanations may contain a fair amount of English; please bear with me...
Main text:
A sample Visual C++ program:
// IsDebuggerPresent.cpp : Defines the entry point for the application.
//
//---------------------------------------------------------------------
//- Code By XuZhenG-
//---------------------------------------------------------------------
#include "stdafx.h"

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    // TODO: Place code here.
    if (::IsDebuggerPresent())
    {
        MessageBox(NULL, "A debugger attaching me was found.", "Found it!", MB_ICONSTOP);
    }
    else
    {
        MessageBox(NULL, "No debugger was found.", "Debugger no found!", MB_ICONINFORMATION);
    }
    return 0;
}
Compile it and attach OllyDbg (OD) to it.
Let's take a look at the program's assembly code:
0040102A  |.  FF15 90A14200   call dword ptr [<&KERNEL32.IsDebuggerPresent>]  ; IsDebuggerPresent
00401030  |.  3BF4            cmp esi, esp
00401032  |.  E8 89000000     call _chkesp
00401037  |.  85C0            test eax, eax
00401039  |.  74 1F           je short 0040105A
0040103B  |.  8BF4            mov esi, esp
0040103D  |.  6A 10           push 10                                         ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040103F  |.  68 7C204200     push 0042207C                                   ; |Title = "Found it!"
00401044  |.  68 50204200     push 00422050                                   ; |Text = "A debugger attaching me was found."
00401049  |.  6A 00           push 0                                          ; |hOwner = NULL
0040104B  |.  FF15 B4A24200   call dword ptr [<&USER32.MessageBoxA>]          ; \MessageBoxA
00401051  |.  3BF4            cmp esi, esp
00401053  |.  E8 68000000     call _chkesp
00401058  |.  EB 1D           jmp short 00401077
0040105A  |>  8BF4            mov esi, esp
0040105C  |.  6A 40           push 40                                         ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040105E  |.  68 38204200     push 00422038                                   ; |Title = "Debugger no found!"
00401063  |.  68 1C204200     push 0042201C                                   ; |Text = "No debugger was found."
00401068  |.  6A 00           push 0                                          ; |hOwner = NULL
0040106A  |.  FF15 B4A24200   call dword ptr [<&USER32.MessageBoxA>]          ; \MessageBoxA
00401070  |.  3BF4            cmp esi, esp
00401072  |.  E8 49000000     call _chkesp
00401077  |>  33C0            xor eax, eax
00401079  |.  5F              pop edi
Let's step into the function IsDebuggerPresent...
7C813123 >  64:A1 18000000   mov eax, dword ptr fs:[18]
7C813129    8B40 30          mov eax, dword ptr [eax+30]
7C81312C    0FB640 02        movzx eax, byte ptr [eax+2]
7C813130    C3               retn
Quite simple, isn't it?
All it does is fetch the variable named BeingDebugged.
BeingDebugged is a field of the structure named PEB.
PEB is short for Process Environment Block.
We can get a pointer to the PEB structure with this code:
#include "Winternl.h"

PEB* peb;
__asm
{
    mov eax, fs:[0x30]   // fs:[30] holds the PEB pointer (TEB.ProcessEnvironmentBlock)
    mov peb, eax
}
But VC6 apparently does not ship Winternl.h; my Visual Studio Team System 2008 Team Suite has it...
Let's get more information on the PEB from the Microsoft Developer Network (MSDN):
PEB Structure
Contains process information.
Syntax
typedef struct _PEB {
    BYTE                          Reserved1[2];
    BYTE                          BeingDebugged;
    BYTE                          Reserved2[1];
    PVOID                         Reserved3[2];
    PPEB_LDR_DATA                 Ldr;
    PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
    BYTE                          Reserved4[104];
    PVOID                         Reserved5[52];
    PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE                          Reserved6[128];
    PVOID                         Reserved7[1];
    ULONG                         SessionId;
} PEB, *PPEB;
BeingDebugged
Indicates whether the specified process is currently being debugged. The PEB structure, however, is an internal operating-system structure whose layout may change in the future. It is best to use the CheckRemoteDebuggerPresent function instead.
Now that we know how to obtain the address of the PEB structure and what the code of IsDebuggerPresent looks like,
it is not hard to see that IsDebuggerPresent simply loads the value of BeingDebugged, the second field of the process's PEB, into EAX.
So the Anti-Anti is not hard either.
We change the code to this:
// IsDebuggerPresent.cpp : Defines the entry point for the application.
//
//---------------------------------------------------------------------
//- Code By XuZhenG-
//---------------------------------------------------------------------
#include "stdafx.h"

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    // TODO: Place code here.
    __asm
    {
        mov eax, fs:[0x30]           // EAX = pointer to the PEB
        mov byte ptr ds:[eax+2], 0   // PEB.BeingDebugged = 0
    }
    if (::IsDebuggerPresent())
    {
        MessageBox(NULL, "A debugger attaching me was found.", "Found it!", MB_ICONSTOP);
    }
    else
    {
        MessageBox(NULL, "No debugger was found.", "Debugger no found!", MB_ICONINFORMATION);
    }
    return 0;
}
Look at the code inside that __asm block.
Its job is to zero the BeingDebugged field of the PEB structure, so the debugger is no longer detected...
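To make the three-instruction pointer chain and the patch concrete, here is an added example (not the post's own code) that models the 32-bit TEB/PEB layout with constructed byte arrays in ordinary memory, so it runs on any platform: the FS segment base is replaced by a pointer to the constructed TEB, and the offsets 0x18, 0x30 and 0x02 are the ones read off the disassembly above. The model_* names are hypothetical; the demo shows the check reading 1 for an "attached" process and 0 after the flag is overwritten, which is the whole reason a single writable byte is not a trustworthy signal.

```c
#include <stdint.h>
#include <string.h>

/* Offsets taken from the disassembly above (32-bit Windows, x86). */
#define TEB_SELF_OFFSET    0x18  /* fs:[18] -> linear address of the TEB */
#define TEB_PEB_OFFSET     0x30  /* TEB+30  -> pointer to the PEB        */
#define PEB_BEING_DEBUGGED 0x02  /* PEB+2   -> BeingDebugged             */

/* Constructed stand-ins for the real structures: opaque byte arrays just large
 * enough to hold the fields this walk touches (not the real layouts). */
typedef struct { uint8_t raw[0x40]; } model_teb_t;
typedef struct { uint8_t raw[0x08]; } model_peb_t;

/* Link a TEB/PEB pair the way Windows does and set the flag. */
static void model_build(model_teb_t *teb, model_peb_t *peb, uint8_t being_debugged)
{
    void *self = teb, *p = peb;
    memset(teb, 0, sizeof *teb);
    memset(peb, 0, sizeof *peb);
    memcpy(teb->raw + TEB_SELF_OFFSET, &self, sizeof self);
    memcpy(teb->raw + TEB_PEB_OFFSET, &p, sizeof p);
    peb->raw[PEB_BEING_DEBUGGED] = being_debugged;
}

/* The body of IsDebuggerPresent, instruction by instruction; fs_base stands in
 * for the FS segment base, which on Win32 is the current thread's TEB. */
static int model_is_debugger_present(const void *fs_base)
{
    uint8_t *teb, *peb;
    memcpy(&teb, (const uint8_t *)fs_base + TEB_SELF_OFFSET, sizeof teb); /* mov eax, fs:[18]            */
    memcpy(&peb, teb + TEB_PEB_OFFSET, sizeof peb);                       /* mov eax, [eax+30]           */
    return peb[PEB_BEING_DEBUGGED];                                       /* movzx eax, byte ptr [eax+2] */
}

/* The post's __asm patch in the same model (mov eax, fs:[30] / mov byte ptr [eax+2], 0):
 * the flag sits in the process's own writable memory, so the process can overwrite it. */
static void model_clear_flag(void *fs_base)
{
    uint8_t *peb;
    memcpy(&peb, (uint8_t *)fs_base + TEB_PEB_OFFSET, sizeof peb);
    peb[PEB_BEING_DEBUGGED] = 0;
}

/* "Attached" process: the check reads 1, and 0 after the patch. Returns before*10 + after. */
int model_demo(void)
{
    model_teb_t teb; model_peb_t peb;
    model_build(&teb, &peb, 1);
    int before = model_is_debugger_present(&teb);
    model_clear_flag(&teb);
    int after = model_is_debugger_present(&teb);
    return before * 10 + after;
}
```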
【Summary】
--------------------------------------------------------------------------------
Know yourself and know your enemy, and you will never be defeated!
This is the program I compiled... I'll post it so everyone can take it home and play with it at leisure.
Anti_Anti-Anti.rar
Ugh, why didn't the boss post the test program along with it... XuZhenG has been branching out into programming lately~
Re: XuZhenG[LCG] Packer Protection Techniques in Detail: the IsDebuggerPresent Anti-Debug Check and Its Anti-Anti
7C813123 >  64:A1 18000000   mov eax, dword ptr fs:[18]
7C813129    8B40 30          mov eax, dword ptr [eax+30]
7C81312C    0FB640 02        movzx eax, byte ptr [eax+2]
7C813130    C3               retn
The implementation of IsDebuggerPresent is really just these few instructions:
7C813123 >  64:A1 18000000   mov eax, dword ptr fs:[18]     // get the current TEB
7C813129    8B40 30          mov eax, dword ptr [eax+30]    // get the PEB pointer from the TEB structure
7C81312C    0FB640 02        movzx eax, byte ptr [eax+2]    // get the BeingDebugged flag from the PEB structure
7C813130    C3               retn
Haha, if you want to stay out of a cracker's tracing, you can just write your own IsDebuggerPresent function and easily get around it:
bool myIsDebuggerPresent()
{
    bool flag;
    __asm
    {
        mov eax, dword ptr fs:[18h]    // TEB
        mov eax, dword ptr [eax+30h]   // PEB
        movzx eax, byte ptr [eax+2]    // BeingDebugged
        mov flag, al
    }
    return flag;
}
That way it can't be traced. Bowing down to big brother Superman...
Is the IsDebuggerPresent function
really that magical?
Why don't more people use it?
Very high-tech? I can't understand it!!! I can't understand it
Me neither
Sigh, pulling up a stool to sit down and learn. It's all a fog to me; I'll read it slowly
A C program should be easier to read than assembly...
If you've never learned C, I have nothing to say...