做固定背景网站,免费发布信息网平台,兴国建设局网站,seo快速排名上首页突然看到了一种反调试的手段#xff0c;检测api函数的首字节是否为0xcc#xff0c;即int 3类型的断点#xff0c;来反调试#xff0c;尝试一下
#includestdio.h
#includestdlib.h
void fun(int a) {a;a--;a 5;a - 5;return;
}
int main() {void (*ptr)(i…突然看到了一种反调试的手段检测api函数的首字节是否为0xcc即int 3类型的断点来反调试尝试一下
#includestdio.h
#includestdlib.h
void fun(int a) {a;a--;a 5;a - 5;return;
}
int main() {void (*ptr)(int) NULL;ptr fun;int i 0; char *arr(char*)(ptr);for (i 0; i 99; i) {printf(0x%2x\t, arr[i]);}return 0;
}
最开始的时候就遇到了一个问题我用的virtual studio 但是这是c编译的导致最后的函数指针不是指向的fun函数这里可以很清楚的看到。 额不太清楚编译的原理那我用纯c直接用devc里面有自带的gcc编译器 然后就和我预想的一样了fun就是那个函数指针在fun里多打一点断点有个问题为什么fun函数编译出来会有个nop不是很懂 执行结果上面就有预期的0xCC了可见ida确实是用的int 3断点 这种方法很简单也很容易绕过我们来看一下硬件断点硬件断点基于DRx寄存器换句话说可以通过检测DRx寄存器来检测硬件断点
可以通过SetThreadContext直接设置指定线程的调试寄存器
DRx寄存器可以直接操作但是需要设置特权级CPL等于0这里采用比较简单的方法直接用GetThreadContext获取当前线程的上下文 我一共下了3个硬件断点执行结果如下 可见确实用DRx寄存器来设置了硬件断点而该程序正常执行情况没有断点如下 #includestdio.h
#includestdlib.h
#includeWindows.h
const char *strr (const char*)hello touful;
int main()
{ printf(enter\n);//获取当前线程的句柄HANDLE hThread GetCurrentThread();//创建一个CONTEXT结构体CONTEXT threadContext;threadContext.ContextFlags CONTEXT_ALL;//获取当前线程的运行上下文if (!GetThreadContext(hThread, threadContext)){printf(GetThreadContext failed\n);return 0;}printf(DRO 0x%x\n, threadContext.Dr0);printf(DR1 0x%x\n, threadContext.Dr1);printf(DR2 0x%x\n, threadContext.Dr2);printf(DR3 0x%x\n, threadContext.Dr3);printf(exit\n);return 0;
}
这里顺便贴出CONTEXT结构体的定义
typedef struct DECLSPEC_NOINITALL _CONTEXT {//// The flags values within this flag control the contents of// a CONTEXT record.//// If the context record is used as an input parameter, then// for each portion of the context record controlled by a flag// whose value is set, it is assumed that that portion of the// context record contains valid context. If the context record// is being used to modify a threads context, then only that// portion of the threads context will be modified.//// If the context record is used as an IN OUT parameter to capture// the context of a thread, then only those portions of the threads// context corresponding to set flags will be returned.//// The context record is never used as an OUT only parameter.//DWORD ContextFlags;//// This section is specified/returned if CONTEXT_DEBUG_REGISTERS is// set in ContextFlags. Note that CONTEXT_DEBUG_REGISTERS is NOT// included in CONTEXT_FULL.//DWORD Dr0;DWORD Dr1;DWORD Dr2;DWORD Dr3;DWORD Dr6;DWORD Dr7;//// This section is specified/returned if the// ContextFlags word contians the flag CONTEXT_FLOATING_POINT.//FLOATING_SAVE_AREA FloatSave;//// This section is specified/returned if the// ContextFlags word contians the flag CONTEXT_SEGMENTS.//DWORD SegGs;DWORD SegFs;DWORD SegEs;DWORD SegDs;//// This section is specified/returned if the// ContextFlags word contians the flag CONTEXT_INTEGER.//DWORD Edi;DWORD Esi;DWORD Ebx;DWORD Edx;DWORD Ecx;DWORD Eax;//// This section is specified/returned if the// ContextFlags word contians the flag CONTEXT_CONTROL.//DWORD Ebp;DWORD Eip;DWORD SegCs; // MUST BE SANITIZEDDWORD EFlags; // MUST BE SANITIZEDDWORD Esp;DWORD SegSs;//// This section is specified/returned if the ContextFlags word// contains the flag CONTEXT_EXTENDED_REGISTERS.// The format and contexts are processor specific//BYTE ExtendedRegisters[MAXIMUM_SUPPORTED_EXTENSION];} CONTEXT;
对于内存断点是以页的方式添加的设置页的权限位就行了最常用的两种断点实现了最常用的检测方式
