通过反调试学习 WinDbg
反调试方法
IsDebuggerPresent（读取 PEB.BeingDebugged：x86 经 fs:[30h]、x64 经 gs:[60h] 取 PEB，再读偏移 +0x002 处的字节）
x86
0:000> u kernelbase!IsDebuggerPresent L3
KERNELBASE!IsDebuggerPresent:
76a4c8f0 64a130000000 mov eax,dword ptr fs:[00000030h]
76a4c8f6 0fb64002 movzx eax,byte ptr [eax+2]
76a4c8fa c3 ret
0:000> dt _PEB -y BeingDebugged
ntdll!_PEB
+0x002 BeingDebugged : UChar
x64
0:000> u kernelbase!IsDebuggerPresent L3
KERNELBASE!IsDebuggerPresent:
00007ffb`8b9a4da0 65488b042560000000 mov rax,qword ptr gs:[60h]
00007ffb`8b9a4da9 0fb64002 movzx eax,byte ptr [rax+2]
00007ffb`8b9a4dad c3 ret
NtGlobalFlag（_PEB.NtGlobalFlag；进程在调试器下启动时此处观察到的值为 0x70）
x86
0:000> dt _PEB NtGlobalFlag @$peb
ntdll!_PEB
+0x068 NtGlobalFlag : 0x70
x64
0:000> dt _PEB NtGlobalFlag @$peb
ntdll!_PEB
+0x0bc NtGlobalFlag : 0x70
Heap Flags & ForceFlags（_PEB.ProcessHeap → _HEAP.Flags / ForceFlags；x86 与 x64 的结构偏移不同）
x86
0:000> dt _PEB ProcessHeap @$peb
ntdll!_PEB
+0x018 ProcessHeap : 0x02d20000 Void
0:000> dt _HEAP Flags ForceFlags 0x02d20000
ntdll!_HEAP
+0x040 Flags : 0x40000062
+0x044 ForceFlags : 0x40000060
x64
0:000> dt _PEB ProcessHeap @$peb
ntdll!_PEB
+0x030 ProcessHeap : 0x000001a2`53e70000 Void
0:000> dt _HEAP Flags ForceFlags 0x000001a2`53e70000
ntdll!_HEAP
+0x070 Flags : 0x40000062
+0x074 ForceFlags : 0x40000060
CheckRemoteDebuggerPresent（调用 NtQueryInformationProcess，信息类 7 = ProcessDebugPort，结果非零即视为被调试）
x86
0:000> uf kernelbase!CheckRemoteDebuggerPresent
KERNELBASE!CheckRemoteDebuggerPresent:
76ada0d0 8bff mov edi,edi
76ada0d2 55 push ebp
76ada0d3 8bec mov ebp,esp
76ada0d5 51 push ecx
76ada0d6 837d0800 cmp dword ptr [ebp+8],0
76ada0da 56 push esi
76ada0db 7436 je KERNELBASE!CheckRemoteDebuggerPresent+0x43 (76ada113) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0xd:
76ada0dd 8b750c mov esi,dword ptr [ebp+0Ch]
76ada0e0 85f6 test esi,esi
76ada0e2 742f je KERNELBASE!CheckRemoteDebuggerPresent+0x43 (76ada113) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x14:
76ada0e4 6a00 push 0
76ada0e6 6a04 push 4
76ada0e8 8d45fc lea eax,[ebp-4]
76ada0eb 50 push eax
76ada0ec 6a07 push 7
76ada0ee ff7508 push dword ptr [ebp+8]
76ada0f1 ff150433b076 call dword ptr [KERNELBASE!_imp__NtQueryInformationProcess (76b03304)]
76ada0f7 85c0 test eax,eax
76ada0f9 7909 jns KERNELBASE!CheckRemoteDebuggerPresent+0x34 (76ada104) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x2b:
76ada0fb 8bc8 mov ecx,eax
76ada0fd e8be9af5ff call KERNELBASE!BaseSetLastNTError (76a33bc0)
76ada102 eb17 jmp KERNELBASE!CheckRemoteDebuggerPresent+0x4b (76ada11b) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x34:
76ada104 33c0 xor eax,eax
76ada106 3945fc cmp dword ptr [ebp-4],eax
76ada109 0f95c0 setne al
76ada10c 8906 mov dword ptr [esi],eax
76ada10e 33c0 xor eax,eax
76ada110 40 inc eax
76ada111 eb0a jmp KERNELBASE!CheckRemoteDebuggerPresent+0x4d (76ada11d) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x43:
76ada113 6a57 push 57h
76ada115 ff15c830b076 call dword ptr [KERNELBASE!_imp__RtlSetLastWin32Error (76b030c8)]
KERNELBASE!CheckRemoteDebuggerPresent+0x4b:
76ada11b 33c0 xor eax,eax
KERNELBASE!CheckRemoteDebuggerPresent+0x4d:
76ada11d 5e pop esi
76ada11e c9 leave
76ada11f c20800 ret 8
x64
0:000> uf kernelbase!CheckRemoteDebuggerPresent
KERNELBASE!CheckRemoteDebuggerPresent:
00007ffb`8b9df1b0 48895c2410 mov qword ptr [rsp+10h],rbx
00007ffb`8b9df1b5 57 push rdi
00007ffb`8b9df1b6 4883ec30 sub rsp,30h
00007ffb`8b9df1ba 33db xor ebx,ebx
00007ffb`8b9df1bc 488bfa mov rdi,rdx
00007ffb`8b9df1bf 4885c9 test rcx,rcx
00007ffb`8b9df1c2 0f840de50300 je KERNELBASE!CheckRemoteDebuggerPresent+0x3e525 (00007ffb`8ba1d6d5) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x18:
00007ffb`8b9df1c8 4885d2 test rdx,rdx
00007ffb`8b9df1cb 0f8404e50300 je KERNELBASE!CheckRemoteDebuggerPresent+0x3e525 (00007ffb`8ba1d6d5) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x21:
00007ffb`8b9df1d1 448d4b08 lea r9d,[rbx+8]
00007ffb`8b9df1d5 48895c2420 mov qword ptr [rsp+20h],rbx
00007ffb`8b9df1da 4c8d442440 lea r8,[rsp+40h]
00007ffb`8b9df1df 8d5307 lea edx,[rbx+7]
00007ffb`8b9df1e2 48ff1577751400 call qword ptr [KERNELBASE!_imp_NtQueryInformationProcess (00007ffb`8bb26760)]
00007ffb`8b9df1e9 0f1f440000 nop dword ptr [rax+rax]
00007ffb`8b9df1ee 85c0 test eax,eax
00007ffb`8b9df1f0 0f88d6e40300 js KERNELBASE!CheckRemoteDebuggerPresent+0x3e51c (00007ffb`8ba1d6cc) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x46:
00007ffb`8b9df1f6 48395c2440 cmp qword ptr [rsp+40h],rbx
00007ffb`8b9df1fb b801000000 mov eax,1
00007ffb`8b9df200 0f95c3 setne bl
00007ffb`8b9df203 891f mov dword ptr [rdi],ebx
KERNELBASE!CheckRemoteDebuggerPresent+0x55:
00007ffb`8b9df205 488b5c2448 mov rbx,qword ptr [rsp+48h]
00007ffb`8b9df20a 4883c430 add rsp,30h
00007ffb`8b9df20e 5f pop rdi
00007ffb`8b9df20f c3 ret
KERNELBASE!CheckRemoteDebuggerPresent+0x3e51c:
00007ffb`8ba1d6cc 8bc8 mov ecx,eax
00007ffb`8ba1d6ce e80d83f7ff call KERNELBASE!BaseSetLastNTError (00007ffb`8b9959e0)
00007ffb`8ba1d6d3 eb11 jmp KERNELBASE!CheckRemoteDebuggerPresent+0x3e536 (00007ffb`8ba1d6e6) Branch
KERNELBASE!CheckRemoteDebuggerPresent+0x3e525:
00007ffb`8ba1d6d5 b957000000 mov ecx,57h
00007ffb`8ba1d6da 48ff159f8a1000 call qword ptr [KERNELBASE!_imp_RtlSetLastWin32Error (00007ffb`8bb26180)]
00007ffb`8ba1d6e1 0f1f440000 nop dword ptr [rax+rax]
KERNELBASE!CheckRemoteDebuggerPresent+0x3e536:
00007ffb`8ba1d6e6 33c0 xor eax,eax
00007ffb`8ba1d6e8 e9181bfcff jmp KERNELBASE!CheckRemoteDebuggerPresent+0x55 (00007ffb`8b9df205) Branch
硬件断点（通过 GetThreadContext → NtGetContextThread 读取线程上下文中的调试寄存器 DR0–DR7）
x86
0:000> u Kernelbase!GetThreadContext L6
KERNELBASE!GetThreadContext:
76add730 8bff mov edi,edi
76add732 55 push ebp
76add733 8bec mov ebp,esp
76add735 ff750c push dword ptr [ebp+0Ch]
76add738 ff7508 push dword ptr [ebp+8]
76add73b ff15fc38b076 call dword ptr [KERNELBASE!_imp__NtGetContextThread (76b038fc)]
x64
0:000> u kernelbase!GetThreadContext L6
KERNELBASE!GetThreadContext:
00007ffb`8b9ddf70 4883ec28 sub rsp,28h
00007ffb`8b9ddf74 48ff157d921400 call qword ptr [KERNELBASE!_imp_NtGetContextThread (00007ffb`8bb271f8)]
00007ffb`8b9ddf7b 0f1f440000 nop dword ptr [rax+rax]
00007ffb`8b9ddf80 85c0 test eax,eax
00007ffb`8b9ddf82 0f8882f30300 js KERNELBASE!GetThreadContext+0x3f39a (00007ffb`8ba1d30a)
00007ffb`8b9ddf88 b801000000 mov eax,1
SEH（x86：fs:[0] 处的异常注册链，见 !exchain 与 ntdll!ExecuteHandler2；x64：RtlpExecuteHandlerForException 调用 [r9+30h] 处的处理函数）
x86
0:000> dt ntdll!_EXCEPTION_REGISTRATION_RECORD
+0x000 Next : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 Handler : Ptr32 _EXCEPTION_DISPOSITION
0:000> !exchain
008dfa10: ntdll!_except_handler4+0 (76feae60)
CRT scope 0, filter: ntdll!LdrpDoDebuggerBreak+2e (77021ee5)
func: ntdll!LdrpDoDebuggerBreak+32 (77021ee9)
008dfc78: ntdll!_except_handler4+0 (76feae60)
CRT scope 0, func: ntdll!LdrpInitializeProcess+2056 (7701c636)
008dfcd0: ntdll!_except_handler4+0 (76feae60)
CRT scope 0, filter: ntdll!_LdrpInitialize+3dcee (77014185)
func: ntdll!_LdrpInitialize+3dd01 (77014198)
Invalid exception stack at ffffffff
0:000> uf ntdll!ExecuteHandler2
ntdll!ExecuteHandler2:
76ff8b8c 55 push ebp
76ff8b8d 8bec mov ebp,esp
76ff8b8f ff750c push dword ptr [ebp+0Ch]
76ff8b92 52 push edx
76ff8b93 64ff3500000000 push dword ptr fs:[0]
76ff8b9a 64892500000000 mov dword ptr fs:[0],esp
76ff8ba1 ff7514 push dword ptr [ebp+14h]
76ff8ba4 ff7510 push dword ptr [ebp+10h]
76ff8ba7 ff750c push dword ptr [ebp+0Ch]
76ff8baa ff7508 push dword ptr [ebp+8]
76ff8bad 8b4d18 mov ecx,dword ptr [ebp+18h]
76ff8bb0 ffd1 call ecx
76ff8bb2 648b2500000000 mov esp,dword ptr fs:[0]
76ff8bb9 648f0500000000 pop dword ptr fs:[0]
76ff8bc0 8be5 mov esp,ebp
76ff8bc2 5d pop ebp
76ff8bc3 c21400 ret 14h
x64
0:000> dt ntdll!_EXCEPTION_REGISTRATION_RECORD
+0x000 Next : Ptr64 _EXCEPTION_REGISTRATION_RECORD
+0x008 Handler : Ptr64 _EXCEPTION_DISPOSITION
0:000> !exchain
5 stack frames, scanning for handlers...
Frame 0x00: ntdll!LdrpDoDebuggerBreak+0x30 (00007ffb`8e320950)
ehandler ntdll!_C_specific_handler (00007ffb`8e2dc7e0)
Frame 0x01: ntdll!LdrpInitializeProcess+0x20f5 (00007ffb`8e323ff5)
ehandler ntdll!_GSHandlerCheck_SEH (00007ffb`8e2ecc44)
Frame 0x02: ntdll!LdrpInitialize+0x15f (00007ffb`8e2c4deb)
ehandler ntdll!_C_specific_handler (00007ffb`8e2dc7e0)
0:000> x ntdll!*ExecuteHandler*
00007ffb`8e2f2410 ntdll!RtlpExecuteHandlerForException (RtlpExecuteHandlerForException)
00007ffb`8e2f2490 ntdll!RtlpExecuteHandlerForUnwind (RtlpExecuteHandlerForUnwind)
0:000> uf ntdll!RtlpExecuteHandlerForException
ntdll!RtlpExecuteHandlerForException:
00007ffb`8e2f2410 4883ec28 sub rsp,28h
00007ffb`8e2f2414 4c894c2420 mov qword ptr [rsp+20h],r9
00007ffb`8e2f2419 498b4130 mov rax,qword ptr [r9+30h]
00007ffb`8e2f241d ffd0 call rax
00007ffb`8e2f241f 90 nop
00007ffb`8e2f2420 4883c428 add rsp,28h
00007ffb`8e2f2424 c3 ret
0:000> uf ntdll!RtlpExecuteHandlerForUnwind
ntdll!RtlpExecuteHandlerForUnwind:
00007ffb`8e2f2490 4883ec28 sub rsp,28h
00007ffb`8e2f2494 4c894c2420 mov qword ptr [rsp+20h],r9
00007ffb`8e2f2499 498b4130 mov rax,qword ptr [r9+30h]
00007ffb`8e2f249d ffd0 call rax
00007ffb`8e2f249f 90 nop
00007ffb`8e2f24a0 4883c428 add rsp,28h
00007ffb`8e2f24a4 c3 ret
VEH（ntdll!RtlpCallVectoredHandlers 经 CFG 间接调用检查后调用注册的处理函数）
x86
0:000> kn L
# ChildEBP RetAddr
00 010ff17c 76fdcee8 ChromePassword!ExceptionHandler+0xa1
01 010ff1cc 76fd916b ntdll!RtlpCallVectoredHandlers+0xd7
02 010ff260 76fe5006 ntdll!RtlDispatchException+0x6f
03 010ff260 0015b1ef ntdll!KiUserExceptionDispatcher+0x26
04 010ff874 002267a3 ChromePassword!main+0x2f
05 010ff894 002265f7 ChromePassword!invoke_main+0x33
06 010ff8f0 0022648d ChromePassword!__scrt_common_main_seh+0x157
07 010ff8f8 00226828 ChromePassword!__scrt_common_main+0xd
08 010ff900 75e1fa29 ChromePassword!mainCRTStartup+0x8
09 010ff910 76fd7bbe KERNEL32!BaseThreadInitThunk+0x19
0a 010ff96c 76fd7b8e ntdll!__RtlUserThreadStart+0x2f
0b 010ff97c 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> ub eip
ntdll!RtlpCallVectoredHandlers+0xb9:
76fdceca f7416800008000 test dword ptr [ecx+68h],800000h
76fdced1 0f854abb0300 jne ntdll!RtlpCallVectoredHandlers+0x3bc10 (77018a21)
76fdced7 8d4dcc lea ecx,[ebp-34h]
76fdceda 51 push ecx
76fdcedb 8bc8 mov ecx,eax
76fdcedd ff15e0910977 call dword ptr [ntdll!__guard_check_icall_fptr (770991e0)]
76fdcee3 8b45f4 mov eax,dword ptr [ebp-0Ch]
76fdcee6 ffd0 call eax
x64
0:000> kn L
# Child-SP RetAddr Call Site
00 00000005`ef52ee70 00007ffb`8e2c8b4c ChromePassword!ExceptionHandler+0x88
01 00000005`ef52ef90 00007ffb`8e2a12c6 ntdll!RtlpCallVectoredHandlers+0x108
02 00000005`ef52f030 00007ffb`8e2f0f4e ntdll!RtlDispatchException+0x66
03 00000005`ef52f240 00007ff7`cf4e8f8b ntdll!KiUserExceptionDispatch+0x2e
04 00000005`ef52f9e0 00007ff7`cf5d11c9 ChromePassword!main+0x3b
05 00000005`ef52fb40 00007ff7`cf5d106e ChromePassword!invoke_main+0x39
06 00000005`ef52fb90 00007ff7`cf5d0f2e ChromePassword!__scrt_common_main_seh+0x12e
07 00000005`ef52fc00 00007ff7`cf5d125e ChromePassword!__scrt_common_main+0xe
08 00000005`ef52fc30 00007ffb`8c867034 ChromePassword!mainCRTStartup+0xe
09 00000005`ef52fc60 00007ffb`8e2a26a1 KERNEL32!BaseThreadInitThunk+0x14
0a 00000005`ef52fc90 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000> bp ntdll!RtlpCallVectoredHandlers
0:000> g
...
0:000> p
ntdll!RtlpCallVectoredHandlers+0x102:
00007ffb`8e2c8b46 ff15b4c41000 call qword ptr [ntdll!_guard_dispatch_icall_fptr (00007ffb`8e3d5000)] ds:00007ffb`8e3d5000={ntdll!guard_dispatch_icall_nop (00007ffb`8e2f0b90)}
0:000> p
Breakpoint 0 hit
ChromePassword!ExceptionHandler+0x88:
00007ff7`cf4e8d58 488b4508 mov rax,qword ptr [rbp+8] ss:000000aa`a38fea98=000000aaa38fee40
0:000> dq ntdll!_guard_dispatch_icall_fptr
00007ffb`8e3d5000 00007ffb`8e2f0b90 00000000`00000000
00007ffb`8e3d5010 00000000`00000000 00000000`00000000
00007ffb`8e3d5020 00000000`00000000 00000000`00000000
00007ffb`8e3d5030 00000000`00000000 00000000`00000000
00007ffb`8e3d5040 00000000`00000000 00000000`00000000
00007ffb`8e3d5050 00000000`00000000 00000000`00000000
00007ffb`8e3d5060 00000000`00000000 00000000`00000000
00007ffb`8e3d5070 00000000`00000000 00000000`00000000
0:000> u 00007ffb`8e2f0b90
ntdll!guard_dispatch_icall_nop:
00007ffb`8e2f0b90 ffe0 jmp rax
00007ffb`8e2f0b92 cc int 3
HideFromDebugger（ThreadHideFromDebugger，对应 _ETHREAD.HideFromDebugger 位）
x86
kd> dt _ETHREAD HideFromDebugger @$thread
nt!_ETHREAD
+0x280 HideFromDebugger : 0y0
x64
0:000> dt _ETHREAD HideFromDebugger @$thread
ntdll!_ETHREAD
+0x510 HideFromDebugger : 0y0