反调试技术

朱雀 2022-12-19 01:17 126阅读 0赞

### 目录 ###

*  Windows反调试技术
 *   *  Windows API反调试
     *   *  IsDebuggerPresent
         *   *  反调试示例
             *  反反调试
         *  CheckRemoteDebuggerPresent
         *   *  反调试示例
             *  反反调试
         *  NtQueryInformationProcess
         *   *  反调试示例
             *  反反调试
         *  NtQuerySystemInfomation
         *  NtQueryObject
         *  GetLastError
         *   *  反调试示例
             *  反反调试
         *  ZwSetInformationThread
 *  参考

# Windows反调试技术 #

## Windows API反调试 ##

### IsDebuggerPresent ###

用OD加载一个带IsDebuggerPresent的程序，在IsDebuggerPresent下硬件断点跟进，发现IsDebuggerPresent的汇编实现如下：

MOV EAX,DWORD PTR FS:[0x30]
    MOVZX EAX,BYTE PTR DS:[EAX+0x2]
    RETN

FS寄存器指向的是TEB（线程环境块），其数据结构如下：

typedef struct _NT_TEB
    {
        NT_TIB Tib;                         // 00h
        PVOID EnvironmentPointer;           // 1Ch
        CLIENT_ID Cid;                      // 20h
        PVOID ActiveRpcInfo;                // 28h
        PVOID ThreadLocalStoragePointer;    // 2Ch
        PPEB Peb;                           // 30h          <--这里是FS:[0x30]
        ULONG LastErrorValue;               // 34h
        ULONG CountOfOwnedCriticalSections; // 38h
        PVOID CsrClientThread;              // 3Ch
        PVOID Win32ThreadInfo;              // 40h
        ULONG Win32ClientInfo[0x1F];        // 44h
        PVOID WOW32Reserved;                // C0h
        ULONG CurrentLocale;                // C4h
        ULONG FpSoftwareStatusRegister;     // C8h
        PVOID SystemReserved1[0x36];        // CCh
        PVOID Spare1;                       // 1A4h
        LONG ExceptionCode;                 // 1A8h
        ULONG SpareBytes1[0x28];            // 1ACh
        PVOID SystemReserved2[0xA];         // 1D4h
        GDI_TEB_BATCH GdiTebBatch;          // 1FCh
        ULONG gdiRgn;                       // 6DCh
        ULONG gdiPen;                       // 6E0h
        ULONG gdiBrush;                     // 6E4h
        CLIENT_ID RealClientId;             // 6E8h
        PVOID GdiCachedProcessHandle;       // 6F0h
        ULONG GdiClientPID;                 // 6F4h
        ULONG GdiClientTID;                 // 6F8h
        PVOID GdiThreadLocaleInfo;          // 6FCh
        PVOID UserReserved[5];              // 700h
        PVOID glDispatchTable[0x118];       // 714h
        ULONG glReserved1[0x1A];            // B74h
        PVOID glReserved2;                  // BDCh
        PVOID glSectionInfo;                // BE0h
        PVOID glSection;                    // BE4h
        PVOID glTable;                      // BE8h
        PVOID glCurrentRC;                  // BECh
        PVOID glContext;                    // BF0h
        NTSTATUS LastStatusValue;           // BF4h
        UNICODE_STRING StaticUnicodeString; // BF8h
        WCHAR StaticUnicodeBuffer[0x105];   // C00h
        PVOID DeallocationStack;            // E0Ch
        PVOID TlsSlots[0x40];               // E10h
        LIST_ENTRY TlsLinks;                // F10h
        PVOID Vdm;                          // F18h
        PVOID ReservedForNtRpc;             // F1Ch
        PVOID DbgSsReserved[0x2];           // F20h
        ULONG HardErrorDisabled;            // F28h
        PVOID Instrumentation[0x10];        // F2Ch
        PVOID WinSockData;                  // F6Ch
        ULONG GdiBatchCount;                // F70h
        ULONG Spare2;                       // F74h
        ULONG Spare3;                       // F78h
        ULONG Spare4;                       // F7Ch
        PVOID ReservedForOle;               // F80h
        ULONG WaitingOnLoaderLock;          // F84h
        PVOID StackCommit;                  // F88h
        PVOID StackCommitMax;               // F8Ch
        PVOID StackReserve;                 // F90h
        PVOID MessageQueue;                 // ???
    }

PEB（进程环境块）的数据结构如下：

typedef struct _PEB
    {
        UCHAR InheritedAddressSpace;                     // 00h
        UCHAR ReadImageFileExecOptions;                  // 01h
        UCHAR BeingDebugged;                             // 02h    这里是FS:[0x30] + 0x2
        UCHAR Spare;                                     // 03h
        PVOID Mutant;                                    // 04h
        PVOID ImageBaseAddress;                          // 08h
        PPEB_LDR_DATA Ldr;                               // 0Ch
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;  // 10h
        PVOID SubSystemData;                             // 14h
        PVOID ProcessHeap;                               // 18h
        PVOID FastPebLock;                               // 1Ch
        PPEBLOCKROUTINE FastPebLockRoutine;              // 20h
        PPEBLOCKROUTINE FastPebUnlockRoutine;            // 24h
        ULONG EnvironmentUpdateCount;                    // 28h
        PVOID* KernelCallbackTable;                      // 2Ch
        PVOID EventLogSection;                           // 30h
        PVOID EventLog;                                  // 34h
        PPEB_FREE_BLOCK FreeList;                        // 38h
        ULONG TlsExpansionCounter;                       // 3Ch
        PVOID TlsBitmap;                                 // 40h
        ULONG TlsBitmapBits[0x2];                        // 44h
        PVOID ReadOnlySharedMemoryBase;                  // 4Ch
        PVOID ReadOnlySharedMemoryHeap;                  // 50h
        PVOID* ReadOnlyStaticServerData;                 // 54h
        PVOID AnsiCodePageData;                          // 58h
        PVOID OemCodePageData;                           // 5Ch
        PVOID UnicodeCaseTableData;                      // 60h
        ULONG NumberOfProcessors;                        // 64h
        ULONG NtGlobalFlag;                              // 68h    <--这里也很重要
        UCHAR Spare2[0x4];                               // 6Ch
        LARGE_INTEGER CriticalSectionTimeout;            // 70h
        ULONG HeapSegmentReserve;                        // 78h
        ULONG HeapSegmentCommit;                         // 7Ch
        ULONG HeapDeCommitTotalFreeThreshold;            // 80h
        ULONG HeapDeCommitFreeBlockThreshold;            // 84h
        ULONG NumberOfHeaps;                             // 88h
        ULONG MaximumNumberOfHeaps;                      // 8Ch
        PVOID** ProcessHeaps;                            // 90h
        PVOID GdiSharedHandleTable;                      // 94h
        PVOID ProcessStarterHelper;                      // 98h
        PVOID GdiDCAttributeList;                        // 9Ch
        PVOID LoaderLock;                                // A0h
        ULONG OSMajorVersion;                            // A4h
        ULONG OSMinorVersion;                            // A8h
        ULONG OSBuildNumber;                             // ACh
        ULONG OSPlatformId;                              // B0h
        ULONG ImageSubSystem;                            // B4h
        ULONG ImageSubSystemMajorVersion;                // B8h
        ULONG ImageSubSystemMinorVersion;                // C0h
        ULONG GdiHandleBuffer[0x22];                     // C4h
        PVOID ProcessWindowStation;                      // ???
    }

汇编代码通过FS:\[0x30\]获取到PEB的地址并赋值给EAX，再通过EAX + 0x2找到PEB的BeingDebugged成员，如果进程没有运行在调试器环境中，BeingDebugged成员的值为0；如果调试附加了进程，BeingDebugged成员的值为1。

补充：进程被调试时，PEB.NtGlobalFlag会被置为0x70，为下列flag异或的结果

FLG_HEAP_ENABLE_TAIL_CHECK     	0x10
    FLG_HEAP_ENABLE_FREE_CHECK	    0x20
    FLG_HEAP_VALIDATE_PARAMETERS	0x40

已经已经运行的进程被附加到调试器时，PEB.NtGlobalFlag的值不变。

#### 反调试示例 ####

知道原理IsDebuggerPresent的原理之后，可以通过下面的代码来简单地防止调试。

IsDebugged = IsDebuggerPresent()
    if (IsDebugged)
    { 
    	MessageBoxA(NULL, "Debug is not allowed!", "warning", MB_OK);
    	hProcess = GetCurrentProcess();
    	TerminateProcess(hProcess, wTerminateCode);
    }

#### 反反调试 ####

1.  找到PEB的地址并在内存中找到BeingDebugged成员的位置，将其值更改为0即可绕过。
2.  在调试器找到IsDebuggerPresent函数的调用点，修改函数返回值就可以绕过IsDebuggerPresent的反调试。

注意：由于有的软件会检测PEB中的成员校验数据，所以最好是选择方法1

### CheckRemoteDebuggerPresent ###

CheckRemoteDebuggerPresent与IsDebuggerPresent用法类似。

CheckRemoteDebuggerPresent通过传递的进程句柄来检测进程是否被调试，其原型如下

// https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-checkremotedebuggerpresent
    BOOL CheckRemoteDebuggerPresent(
      HANDLE hProcess,
      PBOOL  pbDebuggerPresent
    );

*  第一个参数是进程句柄
 *  第二个参数是指针变量，如果传入的进程正在被调试，其值置为TRUE，否为为FALSE
 *  返回值：成功为非0，失败为0

CheckRemoteDebuggerPresent的内部其实是靠NtQueryInformationProcess API实现的，进入OD调试可以发现：

CPU Disasm
    Address   Hex dump          Command                               Comments
    766C0720  /$  8BFF          MOV EDI,EDI
    766C0722  |.  55            PUSH EBP
    766C0723  |.  8BEC          MOV EBP,ESP
    766C0725  |.  51            PUSH ECX
    766C0726  |.  837D 08 00    CMP DWORD PTR SS:[ARG.1],0
    766C072A  |.  56            PUSH ESI
    766C072B  |.  74 36         JE SHORT 766C0763
    766C072D  |.  8B75 0C       MOV ESI,DWORD PTR SS:[ARG.2]
    766C0730  |.  85F6          TEST ESI,ESI
    766C0732  |.  74 2F         JZ SHORT 766C0763
    766C0734  |.  6A 00         PUSH 0                                ; pLength = NULL
    766C0736  |.  6A 04         PUSH 4                                ; Bufsize = 4
    766C0738  |.  8D45 FC       LEA EAX,[LOCAL.1]
    766C073B  |.  50            PUSH EAX                              ; Buffer => OFFSET LOCAL.1
    766C073C  |.  6A 07         PUSH 7                                ; ProcessInfoClass = ProcessDebugPort
    766C073E      FF75 08       PUSH DWORD PTR SS:[EBP+8]
    766C0741  |.  FF15 F0926E76 CALL DWORD PTR DS:[<&ntdll.NtQueryInf ; NtQueryInformationProcess    <-- 调用NtQueryInformationProcess
    766C0747  |.  85C0          TEST EAX,EAX
    766C0749  |.  79 09         JNS SHORT 766C0754
    766C074B  |.  8BC8          MOV ECX,EAX
    766C074D  |.  E8 DE1BF7FF   CALL 76632330                         ; [KERNELBASE.76632330
    766C0752  |.  EB 17         JMP SHORT 766C076B
    766C0754  |>  33C0          XOR EAX,EAX
    766C0756  |.  3945 FC       CMP DWORD PTR SS:[LOCAL.1],EAX       
    766C0759  |.  0F95C0        SETNE AL
    766C075C  |.  8906          MOV DWORD PTR DS:[ESI],EAX
    766C075E  |.  33C0          XOR EAX,EAX
    766C0760  |.  40            INC EAX
    766C0761  |.  EB 0A         JMP SHORT 766C076D
    766C0763  |>  6A 57         PUSH 57                               ; /Arg1 = 57
    766C0765  |.  FF15 C8906E76 CALL DWORD PTR DS:[<&ntdll.RtlSetLast ; \ntdll.RtlRestoreLastWin32Error
    766C076B  |>  33C0          XOR EAX,EAX
    766C076D  |>  5E            POP ESI
    766C076E  |.  8BE5          MOV ESP,EBP
    766C0770  |.  5D            POP EBP
    766C0771  \.  C2 0800       RETN 8

NtQueryInformationProcess的具体分析请看NtQueryInformationProcess小节

#### 反调试示例 ####

通过传递进程自身句柄，可以用下列程序检测本进程是否被调试

BOOL IsDebugged;
    CheckRemoteDebuggerPresent(GetCurrentProcess(), &IsDebugged);
    if (IsDebugged)
    { 
    	printf_s("process is debugged !");
    	exit(0);
    }

#### 反反调试 ####

在调试之后判断之前将CheckRemoteDebuggerPresent第二个变量的值修改为0即可。

### NtQueryInformationProcess ###

这个函数是Ntdll.dll中一个API，其原型

// https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess
    
    __kernel_entry NTSTATUS NtQueryInformationProcess(
      HANDLE           ProcessHandle,
      PROCESSINFOCLASS ProcessInformationClass,
      PVOID            ProcessInformation,
      ULONG            ProcessInformationLength,
      PULONG           ReturnLength
    );

*  第一个参数为进程句柄
 *  第二个参数是枚举型，告诉API查询进程哪些信息。与调试相关的是ProcessDebugPort(0x7)、 ProcessDebugObjectHandle(0x1E)、ProcessDebugFlags(0x1F)
 *  第三个参数是一个缓冲区指针，用于接收查询到的进程信息
 *  第四个参数是第三个参数缓冲区的长度
 *  第五个参数接收实际写入缓冲区的长度

PROCESSINFOCLASS的全部枚举如下：

typedef enum _PROCESSINFOCLASS
    {
        ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
        ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
        ProcessIoCounters, // q: IO_COUNTERS
        ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2
        ProcessTimes, // q: KERNEL_USER_TIMES
        ProcessBasePriority, // s: KPRIORITY
        ProcessRaisePriority, // s: ULONG
        ProcessDebugPort, // q: HANDLE
        ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT
        ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
        ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10
        ProcessLdtSize, // s: PROCESS_LDT_SIZE
        ProcessDefaultHardErrorMode, // qs: ULONG
        ProcessIoPortHandlers, // (kernel-mode only) // PROCESS_IO_PORT_HANDLER_INFORMATION
        ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
        ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
        ProcessUserModeIOPL, // qs: ULONG (requires SeTcbPrivilege)
        ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
        ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
        ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed)
        ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20
        ProcessAffinityMask, // s: KAFFINITY
        ProcessPriorityBoost, // qs: ULONG
        ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
        ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
        ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
        ProcessWow64Information, // q: ULONG_PTR
        ProcessImageFileName, // q: UNICODE_STRING
        ProcessLUIDDeviceMapsEnabled, // q: ULONG
        ProcessBreakOnTermination, // qs: ULONG
        ProcessDebugObjectHandle, // q: HANDLE // 30
        ProcessDebugFlags, // qs: ULONG
        ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
        ProcessIoPriority, // qs: IO_PRIORITY_HINT
        ProcessExecuteFlags, // qs: ULONG
        ProcessResourceManagement, // ProcessTlsInformation // PROCESS_TLS_INFORMATION
        ProcessCookie, // q: ULONG
        ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
        ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA
        ProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION
        ProcessInstrumentationCallback, // qs: PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40
        ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
        ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
        ProcessImageFileNameWin32, // q: UNICODE_STRING
        ProcessImageFileMapping, // q: HANDLE (input)
        ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
        ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
        ProcessGroupInformation, // q: USHORT[]
        ProcessTokenVirtualizationEnabled, // s: ULONG
        ProcessConsoleHostProcess, // q: ULONG_PTR // ProcessOwnerInformation
        ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50
        ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
        ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
        ProcessDynamicFunctionTableInformation,
        ProcessHandleCheckingMode, // qs: ULONG; s: 0 disables, otherwise enables
        ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
        ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
        ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL
        ProcessHandleTable, // q: ULONG[] // since WINBLUE
        ProcessCheckStackExtentsMode,
        ProcessCommandLineInformation, // q: UNICODE_STRING // 60
        ProcessProtectionInformation, // q: PS_PROTECTION
        ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD
        ProcessFaultInformation, // PROCESS_FAULT_INFORMATION
        ProcessTelemetryIdInformation, // PROCESS_TELEMETRY_ID_INFORMATION
        ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION
        ProcessDefaultCpuSetsInformation,
        ProcessAllowedCpuSetsInformation,
        ProcessSubsystemProcess,
        ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO
        ProcessInPrivate, // since THRESHOLD2 // 70
        ProcessRaiseUMExceptionOnInvalidHandleClose, // qs: ULONG; s: 0 disables, otherwise enables
        ProcessIumChallengeResponse,
        ProcessChildProcessInformation, // PROCESS_CHILD_PROCESS_INFORMATION
        ProcessHighGraphicsPriorityInformation,
        ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
        ProcessEnergyValues, // PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES
        ProcessActivityThrottleState, // PROCESS_ACTIVITY_THROTTLE_STATE
        ProcessActivityThrottlePolicy, // PROCESS_ACTIVITY_THROTTLE_POLICY
        ProcessWin32kSyscallFilterInformation,
        ProcessDisableSystemAllowedCpuSets, // 80
        ProcessWakeInformation, // PROCESS_WAKE_INFORMATION
        ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE
        ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
        ProcessCaptureTrustletLiveDump,
        ProcessTelemetryCoverage,
        ProcessEnclaveInformation,
        ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION
        ProcessUptimeInformation, // PROCESS_UPTIME_INFORMATION
        ProcessImageSection, // q: HANDLE
        ProcessDebugAuthInformation, // since REDSTONE4 // 90
        ProcessSystemResourceManagement, // PROCESS_SYSTEM_RESOURCE_MANAGEMENT
        ProcessSequenceNumber, // q: ULONGLONG
        ProcessLoaderDetour, // since REDSTONE5
        ProcessSecurityDomainInformation, // PROCESS_SECURITY_DOMAIN_INFORMATION
        ProcessCombineSecurityDomainsInformation, // PROCESS_COMBINE_SECURITY_DOMAINS_INFORMATION
        ProcessEnableLogging, // PROCESS_LOGGING_INFORMATION
        ProcessLeapSecondInformation, // PROCESS_LEAP_SECOND_INFORMATION
        ProcessFiberShadowStackAllocation, // PROCESS_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION // since 19H1
        ProcessFreeFiberShadowStackAllocation, // PROCESS_FREE_FIBER_SHADOW_STACK_ALLOCATION_INFORMATION
        ProcessAltSystemCallInformation, // qs: BOOLEAN (kernel-mode only) // since 20H1 // 100
        ProcessDynamicEHContinuationTargets, // PROCESS_DYNAMIC_EH_CONTINUATION_TARGETS_INFORMATION
        MaxProcessInfoClass
    } PROCESSINFOCLASS;

#### 反调试示例 ####

*  ProcessDebugPort(0x7)  
    当一个进程被调试时，系统会为它分配一个调试端口。通过NtQueryInformationProcess查询进程的调试端口信息可以判断进程是否被调试。如果进程被调试，获取到的调试端口值为0xffffffff，否则获取到的调试端口值为0

DWORD dwDebugPort = 0;
    NtQueryInformationProcess(GetCurrentProcess(),
    							ProcessDebugPort,
    							&dwDebugPort,
    							sizeof(dwDebugPort),
    							NULL);
    if (dwDebugPort == 0xffffffff)
    { 
    	printf_s("process is being debugged!");
    	exit(0);
    }

*  ProcessDebugObjectHandle(0x1E)

调试进程时会产生调试对象（Debug Object），通过NtQueryInformationProcess查询进程的调试对象是否存在可以判断进程是否被调试，如果进程被调试，返回调试对象句柄，否则返回NULL

HANDLE hDebugObject;
    NtQueryInformationProcess(GetCurrentProcess(),
    							ProcessDebugPort,
    							&hDebugObject,
    							sizeof(hDebugObject),
    							NULL);
    if (hDebugObject != 0)
    { 
    	printf_s("process is being debugged!");
    	exit(0);
    }

*  ProcessDebugFlags(0x1F)

如果进程被调试，会被设置被调试标志位

BOOL DebugFlag;
    NtQueryInformationProcess(GetCurrentProcess(),
    							ProcessDebugPort,
    							&DebugFlag,
    							sizeof(DebugFlag),
    							NULL);
    if (DebugFlag == FLASE)
    { 
    	printf_s("process is being debugged!");
    	exit(0);
    }

#### 反反调试 ####

如果是几次调用API，手动修改NtQueryInformationProcess 的输出值就可以，否则需要通过HOOK勾取NtQueryInformationProcess调用并修改其输出值。

### NtQuerySystemInfomation ###

### NtQueryObject ###

### GetLastError ###

#### 反调试示例 ####

#### 反反调试 ####

### ZwSetInformationThread ###

# 参考 #

李承运.逆向工程核心原理.人民邮电出版社  
https://bbs.pediy.com/thread-225740.htm