吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 13410|回复: 25
收起左侧

[原创] 详解壳保护技术 Anti 之IsDebuggerPresent及Anti-Anti

[复制链接]
XuZhenG 发表于 2008-10-11 22:47
【文章作者】: XuZhenG[LCG]
【作者邮箱】: xuzheng1111@126.com
【作者主页】: http://hi.baidu.com/xuzheng1111
http://xz.bee.pl
【软件名称】: 自己写的
【下载地址】: 自己写的
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
如有人将此用入商业用途,给作者造成损失本人概不负责。
--------------------------------------------------------------------------------
【详细过程】

废话:
今天写一个壳的Anti与Anti-Anti; 就是IsDebuggerPresent 的Anti深入原理和Anti-Anti的方法
由于最近老是看英文的Documentation 所以讲解部分可能会E文比较多,谅解...

正文:

A Sample Visual C++ Code:

// IsDebuggerPresent.cpp : Defines the entry point for the application.
//
//---------------------------------------------------------------------
//- Code By XuZhenG[LCG]-
//---------------------------------------------------------------------

#include "stdafx.h"


int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.


if(::IsDebuggerPresent())
{
MessageBox(NULL,"A debugger attaching me was found.","Found it!",MB_ICONSTOP);
}
else
{
MessageBox(NULL,"No debugger was found.","Debugger no found!",MB_ICONINFORMATION);
}

return 0;
}


Compile it & Use OD to Attach it!

Let's take a look at the assembly code of the program


0040102A|.FF15 90A14200 calldword ptr [<&KERNEL32.IsDebugger>; [IsDebuggerPresent00401030|.3BF4cmp esi, esp00401032|.E8 89000000 call_chkesp00401037|.85C0testeax, eax00401039|.74 1F jeshort 0040105A0040103B|.8BF4mov esi, esp0040103D|.6A 10 push10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL0040103F|.68 7C204200 push0042207C ; |Title = "Found it!"00401044|.68 50204200 push00422050 ; |Text = "A debugger attaching me was found."00401049|.6A 00 push0; |hOwner = NULL0040104B|.FF15 B4A24200 calldword ptr [<&USER32.MessageBoxA>>; \MessageBoxA00401051|.3BF4cmp esi, esp00401053|.E8 68000000 call_chkesp00401058|.EB 1D jmp short 004010770040105A|>8BF4mov esi, esp0040105C|.6A 40 push40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL0040105E|.68 38204200 push00422038 ; |Title = "Debugger no found!"00401063|.68 1C204200 push0042201C ; |Text = "No debugger was found."00401068|.6A 00 push0; |hOwner = NULL0040106A|.FF15 B4A24200 calldword ptr [<&USER32.MessageBoxA>>; \MessageBoxA00401070|.3BF4cmp esi, esp00401072|.E8 49000000 call_chkesp00401077|>33C0xor eax, eax00401079|.5Fpop edi


Let&#39;s step into the function IsDebuggerPresent...

7C813123 >64:A1 18000000mov eax, dword ptr fs:[18]7C8131298B40 30 mov eax, dword ptr [eax+30]7C81312C0FB640 02 movzx eax, byte ptr [eax+2]7C813130C3retn


Quite simple,yeh?

It is to get the variable named BeingDebugged.

BeingDebugged is a variable of the structure named PEB.
PEB is short for
Process Environment Block (进程环境块)

We can got a pointor to PEB structure using this code.
#include "Winternl.h"PEB* peb;__asm{mov eax,fs:0x30mov peb,eax}
但是貌似 VC6 没有这个Winternl.h我的Visual Studio Team System 2008 Team Suite上面有...

Let&#39;s get more information on PEB from Microsoft Developer Network(MSDN)


PEB Structure
[This structure may be altered in future versions of Windows.]


Contains process information.

Syntax

typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB,*PPEB;


BeingDebugged
Indicates whether the specified process is currently being debugged. The PEB structure, however, is an internal operating-system structure whose layout may

change in the future. It is best to use the CheckRemoteDebuggerPresent function instead.



知道了如何获得PEB结构的地址,和IsDebuggerPresent的代码之后
我们不难发现,其实IsDebuggerPresent函数只不过是把进程PEB中的第二个变量BeingDebugged数值赋给了EAX


所以要想Anti - Anti 也就不难了
我们把代码修改成这样



// IsDebuggerPresent.cpp : Defines the entry point for the application.
//
//---------------------------------------------------------------------
//- Code By XuZhenG[LCG]-
//---------------------------------------------------------------------

#include "stdafx.h"

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
__asm
{
mov eax,fs:0x30
mov byte ptr ds:[eax+2],0
}


if(::IsDebuggerPresent())
{
MessageBox(NULL,"A debugger attaching me was found.","Found it!",MB_ICONSTOP);
}
else
{
MessageBox(NULL,"No debugger was found.","Debugger no found!",MB_ICONINFORMATION);
}

return 0;
}


看那个__asm块里面的代码
作用就是将 PEB结构中 BeingDebugged 变量归零 这样就不会检测到调试器了...


【总结】
--------------------------------------------------------------------------------
知己知彼,方能百战不殆!


这是我编译的程序...放上来吧大家回去慢慢玩
Anti_Anti-Anti.rar

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

mycsy 发表于 2008-10-11 22:52
[s:41]我晕 大大为什么不连试炼程序一同发出……
Hmily 发表于 2008-10-11 23:11
ximo 发表于 2008-10-11 23:16

Re:XuZhenG[LCG]详解壳保护技术 Anti 之IsDebuggerPresent及Anti-Anti

7C813123 >64:A1 18000000mov eax, dword ptr fs:[18]
7C8131298B40 30 mov eax, dword ptr [eax+30]
7C81312C0FB640 02 movzx eax, byte ptr [eax+2]
7C813130C3retn

IsDebuggerPresent的 实现代码其实也就是这么几句:
7C813123 >64:A1 18000000mov eax, dword ptr fs:[18]// 得到当前 TEB
7C8131298B40 30 mov eax, dword ptr [eax+30]// 得到TEB 结构中的 PEB 结构
7C81312C0FB640 02 movzx eax, byte ptr [eax+2] // 得到 PEB 结构中的 BeingDebugged 标记
7C813130C3retn


哈哈,想避开解密者的跟踪,可以自己写个IsDebuggerPresent函数就可以轻松的避开
 bool my IsDebuggerPresent (){__asm{ moveax, dword ptr fs:[18] moveax, [eax+30h] movzxeax, byte ptr [eax+2]}}
这样,就跟踪不到了.
mycsy 发表于 2008-10-11 23:29
膜拜超人大哥……

IsDebuggerPresent函数

那么神奇吗?

为什么很多人不用?

技术含量很高?
ychyax 发表于 2008-10-12 13:59
看不懂啊!!!!!!!!!!!!!!!!!!!!!!!111
zxc410058664 发表于 2008-10-12 14:48
看不懂啊
我也是
汗 [s:17][s:17]
wgz001 发表于 2008-10-12 19:09
搬个板凳座下来学习 [s:43]
yu87602547 发表于 2008-10-13 12:03
[s:38] 看得一头雾水 [s:17]
 楼主| XuZhenG 发表于 2008-10-14 18:48
慢慢看吧
C的程序应该比 汇编容易读吧...

如果你没学过 C 我就不说什么了...


[s:44]
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-22 21:52

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表