详解壳保护技术 Anti 之IsDebuggerPresent及Anti-Anti

XuZhenG · 发表于 2008-10-11 22:47

【文章作者】: XuZhenG[LCG]
【作者邮箱】: xuzheng1111@126.com
【作者主页】: http://hi.baidu.com/xuzheng1111
http://xz.bee.pl
【软件名称】: 自己写的
【下载地址】: 自己写的
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
如有人将此用入商业用途，给作者造成损失本人概不负责。
--------------------------------------------------------------------------------
【详细过程】

废话：
今天写一个壳的Anti与Anti-Anti; 就是IsDebuggerPresent 的Anti深入原理和Anti-Anti的方法
由于最近老是看英文的Documentation 所以讲解部分可能会E文比较多,谅解...

正文：

A Sample Visual C++ Code:

// IsDebuggerPresent.cpp : Defines the entry point for the application.
//
//---------------------------------------------------------------------
//- Code By XuZhenG[LCG]-
//---------------------------------------------------------------------

#include "stdafx.h"

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.

if(::IsDebuggerPresent())
{
MessageBox(NULL,"A debugger attaching me was found.","Found it!",MB_ICONSTOP);
}
else
{
MessageBox(NULL,"No debugger was found.","Debugger no found!",MB_ICONINFORMATION);
}

return 0;
}

Compile it & Use OD to Attach it!

Let's take a look at the assembly code of the program

0040102A|.FF15 90A14200 calldword ptr [<&KERNEL32.IsDebugger>; [IsDebuggerPresent00401030|.3BF4cmp esi, esp00401032|.E8 89000000 call_chkesp00401037|.85C0testeax, eax00401039|.74 1F jeshort 0040105A0040103B|.8BF4mov esi, esp0040103D|.6A 10 push10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL0040103F|.68 7C204200 push0042207C ; |Title = "Found it!"00401044|.68 50204200 push00422050 ; |Text = "A debugger attaching me was found."00401049|.6A 00 push0; |hOwner = NULL0040104B|.FF15 B4A24200 calldword ptr [<&USER32.MessageBoxA>>; \MessageBoxA00401051|.3BF4cmp esi, esp00401053|.E8 68000000 call_chkesp00401058|.EB 1D jmp short 004010770040105A|>8BF4mov esi, esp0040105C|.6A 40 push40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL0040105E|.68 38204200 push00422038 ; |Title = "Debugger no found!"00401063|.68 1C204200 push0042201C ; |Text = "No debugger was found."00401068|.6A 00 push0; |hOwner = NULL0040106A|.FF15 B4A24200 calldword ptr [<&USER32.MessageBoxA>>; \MessageBoxA00401070|.3BF4cmp esi, esp00401072|.E8 49000000 call_chkesp00401077|>33C0xor eax, eax00401079|.5Fpop edi

Let's step into the function IsDebuggerPresent...

7C813123 >64:A1 18000000mov eax, dword ptr fs:[18]7C8131298B40 30 mov eax, dword ptr [eax+30]7C81312C0FB640 02 movzx eax, byte ptr [eax+2]7C813130C3retn

Quite simple,yeh?

It is to get the variable named BeingDebugged.

BeingDebugged is a variable of the structure named PEB.
PEB is short for
Process Environment Block (进程环境块)

We can got a pointor to PEB structure using this code.

#include "Winternl.h"PEB* peb;__asm{mov eax,fs:0x30mov peb,eax}

但是貌似 VC6 没有这个Winternl.h我的Visual Studio Team System 2008 Team Suite上面有...

Let's get more information on PEB from Microsoft Developer Network(MSDN)

PEB Structure
[This structure may be altered in future versions of Windows.]

Contains process information.

Syntax

typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB,*PPEB;

BeingDebugged
Indicates whether the specified process is currently being debugged. The PEB structure, however, is an internal operating-system structure whose layout may

change in the future. It is best to use the CheckRemoteDebuggerPresent function instead.

知道了如何获得PEB结构的地址，和IsDebuggerPresent的代码之后
我们不难发现，其实IsDebuggerPresent函数只不过是把进程PEB中的第二个变量BeingDebugged数值赋给了EAX

所以要想Anti - Anti 也就不难了
我们把代码修改成这样

// IsDebuggerPresent.cpp : Defines the entry point for the application.
//
//---------------------------------------------------------------------
//- Code By XuZhenG[LCG]-
//---------------------------------------------------------------------

#include "stdafx.h"

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
__asm
{
mov eax,fs:0x30
mov byte ptr ds:[eax+2],0
}

if(::IsDebuggerPresent())
{
MessageBox(NULL,"A debugger attaching me was found.","Found it!",MB_ICONSTOP);
}
else
{
MessageBox(NULL,"No debugger was found.","Debugger no found!",MB_ICONINFORMATION);
}

return 0;
}

看那个__asm块里面的代码
作用就是将 PEB结构中 BeingDebugged 变量归零这样就不会检测到调试器了...

【总结】
--------------------------------------------------------------------------------
知己知彼，方能百战不殆！

这是我编译的程序...放上来吧大家回去慢慢玩
Anti_Anti-Anti.rar

mycsy · 发表于 2008-10-11 22:52

[s:41]我晕大大为什么不连试炼程序一同发出……

Hmily · 发表于 2008-10-11 23:11

XuZhenG最近向编程方面发展了~

ximo · 发表于 2008-10-11 23:16

7C813123 >64:A1 18000000mov eax, dword ptr fs:[18]
7C8131298B40 30 mov eax, dword ptr [eax+30]
7C81312C0FB640 02 movzx eax, byte ptr [eax+2]
7C813130C3retn

IsDebuggerPresent的实现代码其实也就是这么几句:

7C813123 >64:A1 18000000mov eax, dword ptr fs:[18]// 得到当前 TEB
7C8131298B40 30 mov eax, dword ptr [eax+30]// 得到TEB 结构中的 PEB 结构
7C81312C0FB640 02 movzx eax, byte ptr [eax+2] // 得到 PEB 结构中的 BeingDebugged 标记
7C813130C3retn

哈哈，想避开解密者的跟踪,可以自己写个IsDebuggerPresent函数就可以轻松的避开

 bool my IsDebuggerPresent (){__asm{ moveax, dword ptr fs:[18] moveax, [eax+30h] movzxeax, byte ptr [eax+2]}}

这样,就跟踪不到了.

mycsy · 发表于 2008-10-11 23:29

膜拜超人大哥……

IsDebuggerPresent函数

那么神奇吗？

为什么很多人不用？

技术含量很高？

ychyax · 发表于 2008-10-12 13:59

看不懂啊！！！！！！！！！！！！！！！！！！！！！！！111

zxc410058664 · 发表于 2008-10-12 14:48

看不懂啊
我也是
汗 [s:17][s:17]

wgz001 · 发表于 2008-10-12 19:09

搬个板凳座下来学习 [s:43]

yu87602547 · 发表于 2008-10-13 12:03

[s:38] 看得一头雾水 [s:17]

XuZhenG · 发表于 2008-10-14 18:48

慢慢看吧
C的程序应该比汇编容易读吧...

如果你没学过 C 我就不说什么了...

[s:44]

帐号		自动登录	找回密码
密码			注册[Register]

[原创] 详解壳保护技术 Anti 之IsDebuggerPresent及Anti-Anti

Re:XuZhenG[LCG]详解壳保护技术 Anti 之IsDebuggerPresent及Anti-Anti