一、32位系統(tǒng)

nt!_PEB???+0x000 InheritedAddressSpace?:?UChar???+0x001 ReadImageFileExecOptions?:?UChar???+0x002 BeingDebugged????:?UChar??????????????? isDbg值，8字節(jié)???+0x003 BitField?????????:?UChar???+0x003 ImageUsesLargePages?:?Pos 0, 1 Bit???+0x003 IsProtectedProcess?:?Pos 1, 1 Bit???+0x003 IsLegacyProcess??:?Pos 2, 1 Bit???+0x003 IsImageDynamicallyRelocated?:?Pos 3, 1 Bit???+0x003 SkipPatchingUser32Forwarders?:?Pos 4, 1 Bit???+0x003 SpareBits????????:?Pos 5, 3 Bits???+0x004 Mutant?????? ????:?Ptr32 Void???+0x008 ImageBaseAddress?:?Ptr32 Void??????????????鏡像基址???+0x00c Ldr??????????????:?Ptr32 _PEB_LDR_DATA???????????? _PEB_LDR_DATA結(jié)構(gòu)???+0x010 ProcessParameters?:?Ptr32 _RTL_USER_PROCESS_PARAMETERS???+0x014 SubSystemData????:?Ptr32 Void???+0x018 ProcessHeap??????:?Ptr32 Void????????????????+0x01c FastPebLock??????:?Ptr32 _RTL_CRITICAL_SECTION???+0x020 AtlThunkSListPtr?:?Ptr32 Void???+0x024 IFEOKey??????????:?Ptr32 Void???+0x028 CrossProcessFlags?:?Uint4B???+0x028 ProcessInJob?????:?Pos 0, 1 Bit???+0x028 ProcessInitializing?:?Pos 1, 1 Bit???+0x028 ProcessUsingVEH??:?Pos 2, 1 Bit???+0x028 ProcessUsingVCH??:?Pos 3, 1 Bit???+0x028 ProcessUsingFTH??:?Pos 4, 1 Bit???+0x028 ReservedBits0????:?Pos 5, 27 Bits???+0x02c KernelCallbackTable?:?Ptr32 Void???+0x02c UserSharedInfoPtr?:?Ptr32 Void???+0x030 SystemReserved???:?[1]?Uint4B???+0x034 AtlThunkSListPtr32?:?Uint4B???+0x038 ApiSetMap????????:?Ptr32 Void???+0x03c TlsExpansionCounter?:?Uint4B???+0x040 TlsBitmap????????:?Ptr32 Void???+0x044 TlsBitmapBits????:?[2]?Uint4B???+0x04c ReadOnlySharedMemoryBase?:?Ptr32 Void???+0x050 HotpatchInformation?:?Ptr32 Void???+0x054 ReadOnlyStaticServerData?:?Ptr32 Ptr32 Void???+0x058 AnsiCodePageData?:?Ptr32 Void???+0x05c OemCodePageData??:?Ptr32 Void???+0x060 UnicodeCaseTableData?:?Ptr32 Void???+0x064 NumberOfProcessors?:?Uint4B??????????? CPU的個(gè)數(shù)???+0x068 NtGlobalFlag?????:?Uint4B?? .?? .?? .

PEB?有一個(gè)名為NtGlobalFlag（32位系統(tǒng)下偏移量0x68）的字段，程序可以挑戰(zhàn)該字段以確定它們是否正在被調(diào)試。通常，當(dāng)進(jìn)程未被調(diào)試時(shí)，NtGlobalFlag字段包含值0x0。調(diào)試進(jìn)程時(shí)，該字段通常包含值0x70，表示設(shè)置了以下標(biāo)志：

(相關(guān)資料圖)

標(biāo)志

FLG_HEAP_ENABLE_TAIL_CHECK

FLG_HEAP_ENABLE_FREE_CHECK

FLG_HEAP_VALIDATE_PARAMETERS

其余

所以可以通過檢測(cè)此標(biāo)志位來檢測(cè)是否被調(diào)試。實(shí)現(xiàn)代碼可以通過匯編或者通過C++實(shí)現(xiàn)，匯編實(shí)現(xiàn)如下：

DWORD?MyIsDebug1(){??? DWORD Flag?=?0;??? __asm?{??? mov eax,fs:[30h]??? mov eax,[eax+68h]??? mov Flag,eax}????return?Flag;}

完整代碼如下：

// :?此文件包含?"main"?函數(shù)。程序執(zhí)行將在此處開始并結(jié)束。//#include?#include?DWORD MyIsDebug1(){??? DWORD Flag?=?0;??? __asm?{??? mov eax,fs:[30h]??? mov eax,[eax+68h]??? mov Flag,eax}????return?Flag;}DWORD WINAPI MyIsDebug(??? LPVOID lpThreadParameter){??? DWORD myFlag?=?0;????while?(1)?{?????? myFlag?=?MyIsDebug1();???????if?(myFlag?==?0x70)???????{?????????? MessageBox(NULL,?L"警告",?L"調(diào)試中",?MB_OK);???????}????}????return?1;}int?main(){????//IsDebuggerPresent();??? CreateThread(NULL,?NULL,?MyIsDebug,?NULL,?NULL,?NULL);??? std::cout?<<?"Hello World!\n";??? system("pause");????return?0;}

二、64位系統(tǒng)

ntdll!_PEB??+0x000 InheritedAddressSpace?:?UChar??+0x001 ReadImageFileExecOptions?:?UChar??+0x002 BeingDebugged????:?UChar??+0x003 BitField?????????:?UChar??+0x003 ImageUsesLargePages?:?Pos 0, 1 Bit??+0x003 IsProtectedProcess?:?Pos 1, 1 Bit??+0x003 IsImageDynamicallyRelocated?:?Pos 2, 1 Bit??+0x003 SkipPatchingUser32Forwarders?:?Pos 3, 1 Bit??+0x003 IsPackagedProcess?:?Pos 4, 1 Bit??+0x003 IsAppContainer???:?Pos 5, 1 Bit??+0x003 IsProtectedProcessLight?:?Pos 6, 1 Bit??+0x003 IsLongPathAwareProcess?:?Pos 7, 1 Bit??+0x004 Padding0?????????:?[4]?UChar??+0x008 Mutant???????????:?Ptr64 Void??+0x010 ImageBaseAddress?:?Ptr64 Void??+0x018 Ldr??????????????:?Ptr64 _PEB_LDR_DATA??+0x020 ProcessParameters?:?Ptr64 _RTL_USER_PROCESS_PARAMETERS??+0x028 SubSystemData????:?Ptr64 Void??+0x030 ProcessHeap??????:?Ptr64 Void??+0x038 FastPebLock??????:?Ptr64 _RTL_CRITICAL_SECTION??+0x040 AtlThunkSListPtr?:?Ptr64 _SLIST_HEADER??+0x048 IFEOKey??????????:?Ptr64 Void??+0x050 CrossProcessFlags?:?Uint4B??+0x050 ProcessInJob?????:?Pos 0, 1 Bit??+0x050 ProcessInitializing?:?Pos 1, 1 Bit??+0x050 ProcessUsingVEH??:?Pos 2, 1 Bit??+0x050 ProcessUsingVCH??:?Pos 3, 1 Bit??+0x050 ProcessUsingFTH??:?Pos 4, 1 Bit??+0x050 ProcessPreviouslyThrottled?:?Pos 5, 1 Bit??+0x050 ProcessCurrentlyThrottled?:?Pos 6, 1 Bit??+0x050 ReservedBits0????:?Pos 7, 25 Bits??+0x054 Padding1?????????:?[4]?UChar??+0x058 KernelCallbackTable?:?Ptr64 Void??+0x058 UserSharedInfoPtr?:?Ptr64 Void??+0x060 SystemReserved???:?Uint4B??+0x064 AtlThunkSListPtr32?:?Uint4B??+0x068 ApiSetMap????????:?Ptr64 Void??+0x070 TlsExpansionCounter?:?Uint4B??+0x074 Padding2?????????:?[4]?UChar??+0x078 TlsBitmap????????:?Ptr64 Void??+0x080 TlsBitmapBits????:?[2]?Uint4B??+0x088 ReadOnlySharedMemoryBase?:?Ptr64 Void??+0x090 SharedData???????:?Ptr64 Void??+0x098 ReadOnlyStaticServerData?:?Ptr64 Ptr64 Void??+0x0a0 AnsiCodePageData?:?Ptr64 Void??+0x0a8 OemCodePageData??:?Ptr64 Void??+0x0b0 UnicodeCaseTableData?:?Ptr64 Void??+0x0b8 NumberOfProcessors?:?Uint4B??+0x0bc NtGlobalFlag?? ??:?Uint4B

可以看到64位系統(tǒng)下面，NtGlobalFlag標(biāo)志位有所不同，位于PEB偏移0xbc。其余和x86沒有區(qū)別。可以通過readgsqword(60h)獲取到PED地址，再檢查偏移0xbc位置標(biāo)志位達(dá)到反調(diào)試效果。

三、反反調(diào)試

1.?手動(dòng)修改標(biāo)志位

2.?使用OD插件

3.?在WinDbg中，在禁用調(diào)試堆的情況下啟動(dòng)程序?( windbg -hd )

標(biāo)簽：

　　 原標(biāo)題：反調(diào)試專題丨反調(diào)試之NtGlobaFlag-當(dāng)前視點(diǎn)