当前位置：首页 > news >正文

反调试防护-API

news 2025/8/9 4:56:14

IsDebuggerPresent()

CheckRemoteDebuggerPresent()

其内部实际调用NtQueryInformationProcess()

bool _stdcall ThreadCall()
{while (true){BOOL  pbDebuggerPresent = FALSE;CheckRemoteDebuggerPresent(GetCurrentProcess(), &pbDebuggerPresent);if (pbDebuggerPresent !=0){printf("debug\n");system("pause");exit(-1);}if (IsDebuggerPresent()!=0){printf("debug\n");system("pause");exit(-1);}}
}int main()
{CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);system("pause");return 0;
}

FS/GS寄存器

debug标志：

X86：FS：0x30

FS指向TEB，FS：30指向PEB，PEB+2指向debug标志。

X64: GS：0x60

GS指向TEB，GS：60指向PEB，PEB+2指向debug标志。

NtGlobalFlag标志：

在PEB里面

—raedfsdword()：

bool _stdcall ThreadCall()
{while (true){//	DWORD dwPeb = __readfsdword(0x30);//	UCHAR BeingDebugged = *(UCHAR *)(dwPeb + 2);//	ULONGLONG ullPeb = __readgsqword(0x60);//	UCHAR BeingDebugged = *(UCHAR *)(ullPeb + 2);//	DWORD dwPeb = __readfsdword(0x30);//	DWORD NtGlobalFlag = *(DWORD *)(dwPeb + 0x68);//  if (NtGlobalFlag == 0x70) printf("debug");//	ULONGLONG dwPeb = __readgsqword(0x60);//	DWORD NtGlobalFlag = *(DWORD *)(dwPeb + 0xbc);//  if (NtGlobalFlag == 0x70) printf("debug");}
}int main()
{CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);system("pause");return 0;
}

Heap标志：

bool _stdcall ThreadCall()
{while (true){/*DWORD dwPeb = __readfsdword(0x30);DWORD ProcessHeap = *(DWORD*)(dwPeb + 0x18);DWORD dwFlags = *(DWORD*)(ProcessHeap + 0x40);DWORD dwForceFlags = *(DWORD*)(ProcessHeap + 0x44);if (dwFlags != 0x2 || dwForceFlags != 0){printf("debug\n");system("pause");exit(0);}*/UINT64 dwPeb = __readgsqword(0x60);UINT64 ProcessHeap = *(PUINT64)(dwPeb + 0x30);DWORD dwFlags = *(DWORD*)(ProcessHeap + 0x70);DWORD dwForceFlags = *(DWORD*)(ProcessHeap + 0x74);if (dwFlags != 0x2 || dwForceFlags != 0){printf("debug\n");system("pause");exit(0);}}
}int main()
{CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);system("pause");return 0;
}

上面有些都是依靠api，如果对方挂钩了，api就失效，只有手动实现标志位检查

ZwQueryInformationProcess手动实现

拿PEB：

bool _stdcall ThreadCall()
{MyZwQueryInformationProcess Func = (MyZwQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryInformationProcess");PROCESS_BASIC_INFORMATION pbi = { 0 };while (true){Func(GetCurrentProcess(), ProcessBasicInformation, &pbi, sizeof(pbi), NULL);CHAR flag = *((PCHAR)(pbi.PebBaseAddress) + 2);if (flag == TRUE){printf("debug\n");system("pause");exit(0);}}
}int main()
{CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);system("pause");return 0;
}

调试端口：

bool _stdcall ThreadCall()
{MyZwQueryInformationProcess Func = (MyZwQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryInformationProcess");DWORD isDebugPort = 0;while (true){Func(GetCurrentProcess(), ProcessDebugPort, &isDebugPort, sizeof(isDebugPort), NULL);if (isDebugPort == TRUE){printf("debug\n");system("pause");exit(0);}}
}int main()
{CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadCall, NULL, 0, NULL);system("pause");return 0;
}

隐藏端口：

    DWORD isProcessDebugFlags = 0;func(GetCurrentProcess(), (PROCESSINFOCLASS)0x1F, &isProcessDebugFlags,             sizeof(isProcessDebugFlags), NULL);if (isProcessDebugFlags == 0){printf("debug\n");system("pause");exit(0);}DWORD isProcessDebugObjectHandle = 0;func(GetCurrentProcess(), (PROCESSINFOCLASS)0x1E, &isProcessDebugObjectHandle, sizeof(isProcessDebugObjectHandle), NULL);if (isProcessDebugObjectHandle != 0){printf("debug\n");system("pause");exit(0);}