
通过反调试学习Windbg

通过反调试学习Windbg

反调试方法(下面每种方法分别给出 x86 / x64 下的 WinDbg 观察结果。注意:所示的地址、结构体偏移(如 _PEB、_HEAP、_ETHREAD 中的字段偏移)都来自采集时的特定 Windows 版本,其他版本可能不同,实际分析时应以 `dt` 在目标机上的输出为准,不要把偏移硬编码。)

IsDebuggerPresent —— 实现只有三条指令:先取 PEB(x86 经 `fs:[30h]`,x64 经 `gs:[60h]`),再读取 PEB 偏移 +2 处的字节 `BeingDebugged` 并零扩展后返回。因为检查的只是用户态可写的一个字节,在调试器中执行 `eb @$peb+2 0` 即可让它返回 0;反调试代码也常常不调用该 API,而是内联同样的 PEB 读取,以避开针对 API 的断点或挂钩。

x86

0:000> u kernelbase!IsDebuggerPresent L3
KERNELBASE!IsDebuggerPresent:
76a4c8f0 64a130000000    mov     eax,dword ptr fs:[00000030h]
76a4c8f6 0fb64002        movzx   eax,byte ptr [eax+2]
76a4c8fa c3              ret
0:000> dt _PEB -y BeingDebugged
ntdll!_PEB
   +0x002 BeingDebugged : UChar

x64

0:000> u kernelbase!IsDebuggerPresent L3
KERNELBASE!IsDebuggerPresent:
00007ffb`8b9a4da0 65488b042560000000 mov   rax,qword ptr gs:[60h]
00007ffb`8b9a4da9 0fb64002        movzx   eax,byte ptr [rax+2]
00007ffb`8b9a4dad c3              ret

NtGlobalFlag —— 进程在调试器下被创建时,PEB.NtGlobalFlag(此处 x86 偏移 0x68、x64 偏移 0xbc)会带上 0x70,即 FLG_HEAP_ENABLE_TAIL_CHECK (0x10) | FLG_HEAP_ENABLE_FREE_CHECK (0x20) | FLG_HEAP_VALIDATE_PARAMETERS (0x40);未调试时通常为 0。注意该特征只在"由调试器启动"的进程上出现,附加(attach)到已运行进程不会改变它;设置环境变量 `_NO_DEBUG_HEAP=1` 后再启动也不会置位,这是分析时常用的规避方法。

x86

0:000> dt _PEB NtGlobalFlag @$peb
ntdll!_PEB
   +0x068 NtGlobalFlag : 0x70

x64

0:000> dt _PEB NtGlobalFlag @$peb
ntdll!_PEB
   +0x0bc NtGlobalFlag : 0x70

Heap Flags &amp; ForceFlags —— 与 NtGlobalFlag 同源:调试器下创建的进程其默认堆(PEB.ProcessHeap)的 `_HEAP.Flags` 为 0x40000062 = HEAP_GROWABLE (0x2) | HEAP_TAIL_CHECKING_ENABLED (0x20) | HEAP_FREE_CHECKING_ENABLED (0x40) | HEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000),`ForceFlags` 为去掉 HEAP_GROWABLE 后的 0x40000060;正常运行时二者通常为 0x2 / 0。这两个字段在 _HEAP 中的偏移随系统版本变化(此处 x86 为 0x40/0x44,x64 为 0x70/0x74),同样受 `_NO_DEBUG_HEAP=1` 影响。

x86

0:000> dt _PEB ProcessHeap @$peb
ntdll!_PEB
   +0x018 ProcessHeap : 0x02d20000 Void
0:000> dt _HEAP Flags ForceFlags 0x02d20000
ntdll!_HEAP
   +0x040 Flags      : 0x40000062
   +0x044 ForceFlags : 0x40000060

x64

0:000> dt _PEB ProcessHeap @$peb
ntdll!_PEB
   +0x030 ProcessHeap : 0x000001a2`53e70000 Void
0:000> dt _HEAP Flags ForceFlags 0x000001a2`53e70000
ntdll!_HEAP
   +0x070 Flags      : 0x40000062
   +0x074 ForceFlags : 0x40000060

CheckRemoteDebuggerPresent &amp; NtQueryInformationProcess —— 从反汇编可见,CheckRemoteDebuggerPresent 只是对 NtQueryInformationProcess 的封装:信息类为 7(`push 7` / `lea edx,[rbx+7]`,即 ProcessDebugPort),输出缓冲区在 x86 上为 4 字节、x64 上为 8 字节(`push 4` / `lea r9d,[rbx+8]`,DebugPort 是指针大小的值),然后把 `*pbDebuggerPresent` 置为 (DebugPort != 0) 并返回 TRUE;两个参数任一为 NULL 时设置 ERROR_INVALID_PARAMETER (0x57) 并返回 FALSE,NTSTATUS 失败时经 BaseSetLastNTError 转换后返回 FALSE。与 PEB 检查不同,这个值由内核返回,改 PEB 没有用;要规避只能在 NtQueryInformationProcess 返回处修改输出缓冲区,或挂钩该系统调用。

x86

0:000> uf kernelbase!CheckRemoteDebuggerPresent
KERNELBASE!CheckRemoteDebuggerPresent:
76ada0d0 8bff            mov     edi,edi
76ada0d2 55              push    ebp
76ada0d3 8bec            mov     ebp,esp
76ada0d5 51              push    ecx
76ada0d6 837d0800        cmp     dword ptr [ebp+8],0
76ada0da 56              push    esi
76ada0db 7436            je      KERNELBASE!CheckRemoteDebuggerPresent+0x43 (76ada113)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0xd:
76ada0dd 8b750c          mov     esi,dword ptr [ebp+0Ch]
76ada0e0 85f6            test    esi,esi
76ada0e2 742f            je      KERNELBASE!CheckRemoteDebuggerPresent+0x43 (76ada113)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x14:
76ada0e4 6a00            push    0
76ada0e6 6a04            push    4
76ada0e8 8d45fc          lea     eax,[ebp-4]
76ada0eb 50              push    eax
76ada0ec 6a07            push    7
76ada0ee ff7508          push    dword ptr [ebp+8]
76ada0f1 ff150433b076    call    dword ptr [KERNELBASE!_imp__NtQueryInformationProcess (76b03304)]
76ada0f7 85c0            test    eax,eax
76ada0f9 7909            jns     KERNELBASE!CheckRemoteDebuggerPresent+0x34 (76ada104)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x2b:
76ada0fb 8bc8            mov     ecx,eax
76ada0fd e8be9af5ff      call    KERNELBASE!BaseSetLastNTError (76a33bc0)
76ada102 eb17            jmp     KERNELBASE!CheckRemoteDebuggerPresent+0x4b (76ada11b)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x34:
76ada104 33c0            xor     eax,eax
76ada106 3945fc          cmp     dword ptr [ebp-4],eax
76ada109 0f95c0          setne   al
76ada10c 8906            mov     dword ptr [esi],eax
76ada10e 33c0            xor     eax,eax
76ada110 40              inc     eax
76ada111 eb0a            jmp     KERNELBASE!CheckRemoteDebuggerPresent+0x4d (76ada11d)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x43:
76ada113 6a57            push    57h
76ada115 ff15c830b076    call    dword ptr [KERNELBASE!_imp__RtlSetLastWin32Error (76b030c8)]

KERNELBASE!CheckRemoteDebuggerPresent+0x4b:
76ada11b 33c0            xor     eax,eax

KERNELBASE!CheckRemoteDebuggerPresent+0x4d:
76ada11d 5e              pop     esi
76ada11e c9              leave
76ada11f c20800          ret     8

x64

0:000> uf kernelbase!CheckRemoteDebuggerPresent
KERNELBASE!CheckRemoteDebuggerPresent:
00007ffb`8b9df1b0 48895c2410      mov     qword ptr [rsp+10h],rbx
00007ffb`8b9df1b5 57              push    rdi
00007ffb`8b9df1b6 4883ec30        sub     rsp,30h
00007ffb`8b9df1ba 33db            xor     ebx,ebx
00007ffb`8b9df1bc 488bfa          mov     rdi,rdx
00007ffb`8b9df1bf 4885c9          test    rcx,rcx
00007ffb`8b9df1c2 0f840de50300    je      KERNELBASE!CheckRemoteDebuggerPresent+0x3e525 (00007ffb`8ba1d6d5)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x18:
00007ffb`8b9df1c8 4885d2          test    rdx,rdx
00007ffb`8b9df1cb 0f8404e50300    je      KERNELBASE!CheckRemoteDebuggerPresent+0x3e525 (00007ffb`8ba1d6d5)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x21:
00007ffb`8b9df1d1 448d4b08        lea     r9d,[rbx+8]
00007ffb`8b9df1d5 48895c2420      mov     qword ptr [rsp+20h],rbx
00007ffb`8b9df1da 4c8d442440      lea     r8,[rsp+40h]
00007ffb`8b9df1df 8d5307          lea     edx,[rbx+7]
00007ffb`8b9df1e2 48ff1577751400  call    qword ptr [KERNELBASE!_imp_NtQueryInformationProcess (00007ffb`8bb26760)]
00007ffb`8b9df1e9 0f1f440000      nop     dword ptr [rax+rax]
00007ffb`8b9df1ee 85c0            test    eax,eax
00007ffb`8b9df1f0 0f88d6e40300    js      KERNELBASE!CheckRemoteDebuggerPresent+0x3e51c (00007ffb`8ba1d6cc)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x46:
00007ffb`8b9df1f6 48395c2440      cmp     qword ptr [rsp+40h],rbx
00007ffb`8b9df1fb b801000000      mov     eax,1
00007ffb`8b9df200 0f95c3          setne   bl
00007ffb`8b9df203 891f            mov     dword ptr [rdi],ebx

KERNELBASE!CheckRemoteDebuggerPresent+0x55:
00007ffb`8b9df205 488b5c2448      mov     rbx,qword ptr [rsp+48h]
00007ffb`8b9df20a 4883c430        add     rsp,30h
00007ffb`8b9df20e 5f              pop     rdi
00007ffb`8b9df20f c3              ret

KERNELBASE!CheckRemoteDebuggerPresent+0x3e51c:
00007ffb`8ba1d6cc 8bc8            mov     ecx,eax
00007ffb`8ba1d6ce e80d83f7ff      call    KERNELBASE!BaseSetLastNTError (00007ffb`8b9959e0)
00007ffb`8ba1d6d3 eb11            jmp     KERNELBASE!CheckRemoteDebuggerPresent+0x3e536 (00007ffb`8ba1d6e6)  Branch

KERNELBASE!CheckRemoteDebuggerPresent+0x3e525:
00007ffb`8ba1d6d5 b957000000      mov     ecx,57h
00007ffb`8ba1d6da 48ff159f8a1000  call    qword ptr [KERNELBASE!_imp_RtlSetLastWin32Error (00007ffb`8bb26180)]
00007ffb`8ba1d6e1 0f1f440000      nop     dword ptr [rax+rax]

KERNELBASE!CheckRemoteDebuggerPresent+0x3e536:
00007ffb`8ba1d6e6 33c0            xor     eax,eax
00007ffb`8ba1d6e8 e9181bfcff      jmp     KERNELBASE!CheckRemoteDebuggerPresent+0x55 (00007ffb`8b9df205)  Branch

硬件断点 —— GetThreadContext 是 NtGetContextThread 的薄封装(x64 版本在 NTSTATUS 成功时返回 1),反调试代码用它取回线程的 CONTEXT,检查调试寄存器 Dr0–Dr3 / Dr7 是否非零来发现硬件断点。因为 CONTEXT 是由内核从线程状态填充的,在调试器中直接改寄存器窗口即可被察觉;规避通常在 NtGetContextThread 返回后清零 CONTEXT 中对应字段,或改用其他方式下断。

x86

0:000> u Kernelbase!GetThreadContext L6
KERNELBASE!GetThreadContext:
76add730 8bff            mov     edi,edi
76add732 55              push    ebp
76add733 8bec            mov     ebp,esp
76add735 ff750c          push    dword ptr [ebp+0Ch]
76add738 ff7508          push    dword ptr [ebp+8]
76add73b ff15fc38b076    call    dword ptr [KERNELBASE!_imp__NtGetContextThread (76b038fc)]

x64

0:000> u kernelbase!GetThreadContext L6
KERNELBASE!GetThreadContext:
00007ffb`8b9ddf70 4883ec28        sub     rsp,28h
00007ffb`8b9ddf74 48ff157d921400  call    qword ptr [KERNELBASE!_imp_NtGetContextThread (00007ffb`8bb271f8)]
00007ffb`8b9ddf7b 0f1f440000      nop     dword ptr [rax+rax]
00007ffb`8b9ddf80 85c0            test    eax,eax
00007ffb`8b9ddf82 0f8882f30300    js      KERNELBASE!GetThreadContext+0x3f39a (00007ffb`8ba1d30a)
00007ffb`8b9ddf88 b801000000      mov     eax,1

SEH —— x86 的异常处理链是 `fs:[0]` 起始的 `_EXCEPTION_REGISTRATION_RECORD` 单向链表,`!exchain` 逐个打印;末尾的 "Invalid exception stack at ffffffff" 是链表终止值 -1,属正常输出而非错误。ExecuteHandler2 在调用目标处理函数(`call ecx`)前先把自己的处理记录压入 `fs:[0]`,调用后再弹出,因此处理函数内部再次异常时不会失控。x64 没有 `fs:[0]` 链:ntdll 符号里虽仍有 `_EXCEPTION_REGISTRATION_RECORD`,但处理函数来自各模块的展开表(`!exchain` 是"逐帧扫描"得到的),RtlpExecuteHandlerForException / RtlpExecuteHandlerForUnwind 调用的是 DISPATCHER_CONTEXT(r9)偏移 0x30 处的 LanguageHandler。两者指令完全相同,区别应当在于各自在展开表中登记的异常处理例程(反汇编中不可见)。

x86

0:000> dt ntdll!_EXCEPTION_REGISTRATION_RECORD
   +0x000 Next             : Ptr32 _EXCEPTION_REGISTRATION_RECORD
   +0x004 Handler          : Ptr32     _EXCEPTION_DISPOSITION
0:000> !exchain
008dfa10: ntdll!_except_handler4+0 (76feae60)
  CRT scope  0, filter: ntdll!LdrpDoDebuggerBreak+2e (77021ee5)
                func:   ntdll!LdrpDoDebuggerBreak+32 (77021ee9)
008dfc78: ntdll!_except_handler4+0 (76feae60)
  CRT scope  0, func:   ntdll!LdrpInitializeProcess+2056 (7701c636)
008dfcd0: ntdll!_except_handler4+0 (76feae60)
  CRT scope  0, filter: ntdll!_LdrpInitialize+3dcee (77014185)
                func:   ntdll!_LdrpInitialize+3dd01 (77014198)
Invalid exception stack at ffffffff
0:000> uf ntdll!ExecuteHandler2
ntdll!ExecuteHandler2:
76ff8b8c 55              push    ebp
76ff8b8d 8bec            mov     ebp,esp
76ff8b8f ff750c          push    dword ptr [ebp+0Ch]
76ff8b92 52              push    edx
76ff8b93 64ff3500000000  push    dword ptr fs:[0]
76ff8b9a 64892500000000  mov     dword ptr fs:[0],esp
76ff8ba1 ff7514          push    dword ptr [ebp+14h]
76ff8ba4 ff7510          push    dword ptr [ebp+10h]
76ff8ba7 ff750c          push    dword ptr [ebp+0Ch]
76ff8baa ff7508          push    dword ptr [ebp+8]
76ff8bad 8b4d18          mov     ecx,dword ptr [ebp+18h]
76ff8bb0 ffd1            call    ecx
76ff8bb2 648b2500000000  mov     esp,dword ptr fs:[0]
76ff8bb9 648f0500000000  pop     dword ptr fs:[0]
76ff8bc0 8be5            mov     esp,ebp
76ff8bc2 5d              pop     ebp
76ff8bc3 c21400          ret     14h

x64

0:000> dt ntdll!_EXCEPTION_REGISTRATION_RECORD
   +0x000 Next             : Ptr64 _EXCEPTION_REGISTRATION_RECORD
   +0x008 Handler          : Ptr64     _EXCEPTION_DISPOSITION
0:000> !exchain
5 stack frames, scanning for handlers...
Frame 0x00: ntdll!LdrpDoDebuggerBreak+0x30 (00007ffb`8e320950)
  ehandler ntdll!_C_specific_handler (00007ffb`8e2dc7e0)
Frame 0x01: ntdll!LdrpInitializeProcess+0x20f5 (00007ffb`8e323ff5)
  ehandler ntdll!_GSHandlerCheck_SEH (00007ffb`8e2ecc44)
Frame 0x02: ntdll!LdrpInitialize+0x15f (00007ffb`8e2c4deb)
  ehandler ntdll!_C_specific_handler (00007ffb`8e2dc7e0)
0:000> x ntdll!*ExecuteHandler*
00007ffb`8e2f2410 ntdll!RtlpExecuteHandlerForException (RtlpExecuteHandlerForException)
00007ffb`8e2f2490 ntdll!RtlpExecuteHandlerForUnwind (RtlpExecuteHandlerForUnwind)
0:000> uf ntdll!RtlpExecuteHandlerForException
ntdll!RtlpExecuteHandlerForException:
00007ffb`8e2f2410 4883ec28        sub     rsp,28h
00007ffb`8e2f2414 4c894c2420      mov     qword ptr [rsp+20h],r9
00007ffb`8e2f2419 498b4130        mov     rax,qword ptr [r9+30h]
00007ffb`8e2f241d ffd0            call    rax
00007ffb`8e2f241f 90              nop
00007ffb`8e2f2420 4883c428        add     rsp,28h
00007ffb`8e2f2424 c3              ret
0:000> uf ntdll!RtlpExecuteHandlerForUnwind
ntdll!RtlpExecuteHandlerForUnwind:
00007ffb`8e2f2490 4883ec28        sub     rsp,28h
00007ffb`8e2f2494 4c894c2420      mov     qword ptr [rsp+20h],r9
00007ffb`8e2f2499 498b4130        mov     rax,qword ptr [r9+30h]
00007ffb`8e2f249d ffd0            call    rax
00007ffb`8e2f249f 90              nop
00007ffb`8e2f24a0 4883c428        add     rsp,28h
00007ffb`8e2f24a4 c3              ret

VEH —— 向量化异常处理函数由 ntdll!RtlpCallVectoredHandlers 在 RtlDispatchException 中、早于 SEH 链被调用(见栈回溯)。调用是经过 CFG 的间接调用:x86 先通过 `__guard_check_icall_fptr` 校验目标地址再 `call eax`;x64 则经 `_guard_dispatch_icall_fptr` 跳转,而本例中该指针指向 `guard_dispatch_icall_nop`(只是 `jmp rax`),说明这个进程并未启用 CFG 强制——在启用 CFG 的进程里,处理函数地址必须是合法调用目标,否则进程会被终止。另外,x64 那段 `bp` / `p` 的记录中栈地址与前面的 `kn` 输出不一致、"Breakpoint 0 hit" 也报在 ExceptionHandler+0x88 而非所设断点处,看起来是从另一次会话拼接的,阅读时请以地址对应关系为准。

x86

0:000> kn L
 # ChildEBP RetAddr      
00 010ff17c 76fdcee8     ChromePassword!ExceptionHandler+0xa1
01 010ff1cc 76fd916b     ntdll!RtlpCallVectoredHandlers+0xd7
02 010ff260 76fe5006     ntdll!RtlDispatchException+0x6f
03 010ff260 0015b1ef     ntdll!KiUserExceptionDispatcher+0x26
04 010ff874 002267a3     ChromePassword!main+0x2f
05 010ff894 002265f7     ChromePassword!invoke_main+0x33
06 010ff8f0 0022648d     ChromePassword!__scrt_common_main_seh+0x157
07 010ff8f8 00226828     ChromePassword!__scrt_common_main+0xd
08 010ff900 75e1fa29     ChromePassword!mainCRTStartup+0x8
09 010ff910 76fd7bbe     KERNEL32!BaseThreadInitThunk+0x19
0a 010ff96c 76fd7b8e     ntdll!__RtlUserThreadStart+0x2f
0b 010ff97c 00000000     ntdll!_RtlUserThreadStart+0x1b
0:000> ub eip
ntdll!RtlpCallVectoredHandlers+0xb9:
76fdceca f7416800008000  test    dword ptr [ecx+68h],800000h
76fdced1 0f854abb0300    jne     ntdll!RtlpCallVectoredHandlers+0x3bc10 (77018a21)
76fdced7 8d4dcc          lea     ecx,[ebp-34h]
76fdceda 51              push    ecx
76fdcedb 8bc8            mov     ecx,eax
76fdcedd ff15e0910977    call    dword ptr [ntdll!__guard_check_icall_fptr (770991e0)]
76fdcee3 8b45f4          mov     eax,dword ptr [ebp-0Ch]
76fdcee6 ffd0            call    eax

x64

0:000> kn L
 # Child-SP          RetAddr               Call Site
00 00000005`ef52ee70 00007ffb`8e2c8b4c     ChromePassword!ExceptionHandler+0x88
01 00000005`ef52ef90 00007ffb`8e2a12c6     ntdll!RtlpCallVectoredHandlers+0x108
02 00000005`ef52f030 00007ffb`8e2f0f4e     ntdll!RtlDispatchException+0x66
03 00000005`ef52f240 00007ff7`cf4e8f8b     ntdll!KiUserExceptionDispatch+0x2e
04 00000005`ef52f9e0 00007ff7`cf5d11c9     ChromePassword!main+0x3b
05 00000005`ef52fb40 00007ff7`cf5d106e     ChromePassword!invoke_main+0x39
06 00000005`ef52fb90 00007ff7`cf5d0f2e     ChromePassword!__scrt_common_main_seh+0x12e
07 00000005`ef52fc00 00007ff7`cf5d125e     ChromePassword!__scrt_common_main+0xe
08 00000005`ef52fc30 00007ffb`8c867034     ChromePassword!mainCRTStartup+0xe
09 00000005`ef52fc60 00007ffb`8e2a26a1     KERNEL32!BaseThreadInitThunk+0x14
0a 00000005`ef52fc90 00000000`00000000     ntdll!RtlUserThreadStart+0x21
0:000> bp ntdll!RtlpCallVectoredHandlers
0:000> g
...
0:000> p
ntdll!RtlpCallVectoredHandlers+0x102:
00007ffb`8e2c8b46 ff15b4c41000    call    qword ptr [ntdll!_guard_dispatch_icall_fptr (00007ffb`8e3d5000)] ds:00007ffb`8e3d5000={ntdll!guard_dispatch_icall_nop (00007ffb`8e2f0b90)}
0:000> p
Breakpoint 0 hit
ChromePassword!ExceptionHandler+0x88:
00007ff7`cf4e8d58 488b4508        mov     rax,qword ptr [rbp+8] ss:000000aa`a38fea98=000000aaa38fee40
0:000> dq ntdll!_guard_dispatch_icall_fptr
00007ffb`8e3d5000  00007ffb`8e2f0b90 00000000`00000000
00007ffb`8e3d5010  00000000`00000000 00000000`00000000
00007ffb`8e3d5020  00000000`00000000 00000000`00000000
00007ffb`8e3d5030  00000000`00000000 00000000`00000000
00007ffb`8e3d5040  00000000`00000000 00000000`00000000
00007ffb`8e3d5050  00000000`00000000 00000000`00000000
00007ffb`8e3d5060  00000000`00000000 00000000`00000000
00007ffb`8e3d5070  00000000`00000000 00000000`00000000
0:000> u 00007ffb`8e2f0b90
ntdll!guard_dispatch_icall_nop:
00007ffb`8e2f0b90 ffe0            jmp     rax
00007ffb`8e2f0b92 cc              int     3

NtSetInformationThread &amp; NtCreateThreadEx —— 通过 NtSetInformationThread 的 ThreadHideFromDebugger 信息类,或在 NtCreateThreadEx 创建线程时带上 THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER,可以置位内核结构 `_ETHREAD.HideFromDebugger`;置位后该线程产生的调试事件不再送达调试器,线程内遇到断点异常会因无人处理而使进程终止。该位只存在于内核对象中,用户态无法读取或清除,只能在内核调试器(kd)中查看和修改。

x86

kd> dt _ETHREAD HideFromDebugger @$thread
nt!_ETHREAD
   +0x280 HideFromDebugger : 0y0

x64(注意:下面这条命令是在用户态会话中执行的——提示符是 `0:000>` 且类型解析到 `ntdll!_ETHREAD`——此时 `@$thread` 求值为当前线程的 TEB 地址而不是内核 ETHREAD,`dt` 只是把 TEB 偏移 0x510 处的内存按 _ETHREAD 布局解释,显示的 0 不能说明该位没有被设置;要得到真实值应像上面 x86 的例子那样在 kd 中读取。)

0:000> dt _ETHREAD HideFromDebugger @$thread
ntdll!_ETHREAD
   +0x510 HideFromDebugger : 0y0