-
-
[原创]E盾-反调试分析(1) - 每日一记
-
发表于: 2020-8-28 20:59
-
E盾 模块反编译后 分析E盾使用的反调试方案,和反反调试思路
每天分析几个,奥里给,干就完了。
哪里分析有问题,希望师傅们多多指教。
GetStartupInfo在程序启动后,会有一个StartupInfo的结构体变量,来保存程序启动的信息,我们通过其中参数的改变来检测程序是正常运行还是在调试器中运行的参考地址:ce7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2U0L8X3u0D9L8$3N6K6i4K6u0W2j5$3!0E0i4K6u0r3P5X3W2G2L8r3!0Q4x3V1k6H3i4K6u0r3x3K6b7K6y4o6R3I4y4g2)9J5k6h3S2@1L8h3H3`.
参考地址:409K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2j5%4y4V1L8W2)9J5k6h3&6W2N6q4)9J5c8Y4c8C8z5o6j5&6x3K6f1K6y4U0N6Q4x3V1k6S2M7Y4c8A6j5$3I4W2i4K6u0r3k6r3g2@1j5h3W2D9M7#2)9J5c8U0R3I4y4K6b7K6y4U0R3`.
E盾V51代码:
BOOL UseGetStartupInfoCheckDebug() { STARTUPINFO startUpInfo; startUpInfo.cb = sizeof(startUpInfo); GetStartupInfo(&startUpInfo); if (startUpInfo.dwX != 0 || startUpInfo.dwY != 0 || startUpInfo.dwXCountChars != 0 || startUpInfo.dwYCountChars != 0 || startUpInfo.dwFillAttribute != 0 || startUpInfo.dwXSize != 0 || startUpInfo.dwYSize != 0 || (startUpInfo.dwFlags & STARTF_FORCEOFFFEEDBACK)) { std::cout << "! GetStartupInfo debugger" << std::endl; return true; } return false; }反反调试方案: Hook GetStartupInfo 返回一个 非0值 就好了
IsDebuggerPresent这个函数可以用在程序中,检测当前程序是否正在被调试,从而执行退出等行为,达到反调试的作用。该函数通过 fs:[0x18] 获取 TEB -> TEB:[0x30] 获取 PEB -> PEB:[0x2] BeingDebugged:UChar 调试标志, 通过调试标志 来判断是否调试
参考资料:f62K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2j5%4y4V1L8W2)9J5k6h3&6W2N6q4)9J5c8X3y4Z5M7X3W2*7i4K6g2X3N6#2)9J5c8X3q4J5N6r3W2U0L8r3g2Q4x3V1k6V1k6i4c8S2K9h3I4K6i4K6u0r3y4e0t1H3z5e0j5#2y4e0t1`.
参考资料:e21K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6T1L8r3!0Y4i4K6u0W2j5%4y4V1L8W2)9J5k6h3&6W2N6q4)9J5c8X3I4K6x3e0p5$3x3q4)9J5c8X3q4J5N6r3W2U0L8r3g2Q4x3V1k6V1k6i4c8S2K9h3I4K6i4K6u0r3x3K6R3I4x3o6f1^5y4K6x3`.
E盾V51代码:
BOOL UseIsDebuggerPresentCheckDebug() { if (IsDebuggerPresent()) { std::cout << "! IsDebuggerPresent debugger" << std::endl; return true; } return false; }反反调试方案:hook函数直接返回false
心得
- 部分根据标志来判断反调试的,可以通过 直接使用汇编来写反调试 比如:
IsDebuggerPresent
|
|
|---|---|
|
|
|
|
|
|
|
|
嗯,本来是每天一记。。。然后只有第一天记了一下 后面的还没来得急搞...慢慢来 哈哈哈 |
|
|
|
