Anti-debugging and anti-anti-debugging
I. Several methods of anti-debugging
1. Clearing the DebugPort
DebugPort is a field of the EPROCESS structure. While a process is being debugged, debug events are sent to ring3 through the DebugPort. If it is set to 0, ring3 can no longer debug the process, which means single-stepping, breakpoints and other debugging operations stop working.
To implement this anti-debugging trick, start a thread that continuously clears the DebugPort.
Ideas for implementing this anti-debugging:
1. Find the EPROCESS structure of the current process.
2. Locate the DebugPort field through a hard-coded offset.
Because the offset is hard-coded, you must determine it yourself according to the operating system version.
2. KdDisableDebugger
After this function is called in the kernel, it checks whether windbg is attached.
Open a thread and call it continuously.
3. IsDebuggerPresent and CheckRemoteDebuggerPresent in ring3
The application layer calls these two functions to determine whether it is being debugged.
4. Hooking
Hooks performed in the kernel. The function names are listed below:
Function name | Effect | After HOOK |
---|---|---|
NtOpenThread | Create a kernel thread | Prevent the debugger from creating threads inside the process |
NtOpenProcess | Open a process | Prevent OD and other debugging tools from seeing the process in their debug list |
KiAttachProcess | Attach to a process for debugging | Prevent attaching |
NtReadVirtualMemory | Read virtual memory | Prevent the process's own memory from being read (ReadProcessMemory) |
NtWriteVirtualMemory | Write memory | Prevent memory from being written |
KdReceivePacket | Function in KDCOM.dll that receives serial-port data | Write your own filter |
KdSendPacket | Function in KDCOM.dll that sends serial-port data | Hooking this together with the function above can prevent two-machine (kernel) debugging |
II. Anti-anti-debugging
The above describes the defense; now we can attack it.
1. Against DebugPort
1. A breakpoint can be placed on the DebugPort. Once the program modifies it, the breakpoint is hit; then find the corresponding anti-debugging code and patch it.
2. Debug the system itself instead; that path is not affected, so it bypasses this protection.
2. Against KdDisableDebugger
This function detects the debugger, and debugging is thus prohibited.
Set breakpoints at the addresses of the functions involved, then patch the related code, for example so that it simply returns.
3. Against HOOK
If hooks are present, we can use tools to restore them; of course, if you are able to, you can also write the restoring code yourself according to your needs.
Common tools include PCHunter, PowerTool and the tools from Antiy (安天).
III. Junk instructions (花指令)
Anti-debugging code can insert junk instructions that deliberately interfere with disassembly.
For example:
```asm
push edx        ; save edx ...
pop edx         ; ... and restore it immediately: no net effect
inc ecx         ; +1 ...
dec ecx         ; ... -1: ecx is unchanged
add esp,1       ; +1 ...
sub esp,1       ; ... -1: esp is unchanged
```
A register is directly added to and then subtracted from; after the pair of operations the register's original value is unaffected.
```asm
jmp LABEL       ; always skips the byte below
db opcode       ; a single opcode byte that is never executed
LABEL:
```
A db is inserted in the middle. It is never executed, but it affects the disassembler:
the db opcode byte is combined with the following instruction, so the disassembly is disturbed, while normal program execution is not affected.
```asm
jz label        ; taken if ZF = 1
jnz label       ; taken if ZF = 0, so one of the two always jumps
db opcode       ; never executed
label:
```
Whether the condition holds or not, one of the two jumps is always taken, so the db byte is skipped; this is a further way of interfering with the disassembler.
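The following added example (written for this page, not code from the original post) shows why the `jmp LABEL / db opcode / LABEL:` pattern confuses a linear-sweep disassembler but not execution. It uses a constructed byte sequence and a tiny hypothetical x86-32 decoder that only knows the handful of opcodes used above; the junk byte is 0xE8, the opcode of CALL rel32, which swallows the next four bytes when decoded linearly.

```python
# Hypothetical minimal x86-32 decoder: opcode -> (mnemonic, immediate size in bytes).
# Only the opcodes needed for the page's junk-instruction patterns are included.
OPCODES = {
    0xEB: ("jmp short", 1),   # rel8
    0xE8: ("call", 4),        # rel32: the "db opcode" that eats the following bytes
    0x41: ("inc ecx", 0),
    0x49: ("dec ecx", 0),
    0x52: ("push edx", 0),
    0x5A: ("pop edx", 0),
    0xC3: ("ret", 0),
}

def decode_at(code, off):
    """Decode one instruction at offset off; return (text, length) or None if unknown/truncated."""
    if off >= len(code) or code[off] not in OPCODES:
        return None
    name, imm = OPCODES[code[off]]
    if off + 1 + imm > len(code):
        return None                      # immediate runs past the end of the buffer
    if imm:
        rel = int.from_bytes(code[off + 1:off + 1 + imm], "little", signed=True)
        name = f"{name} {rel:+d}"
    return name, 1 + imm

def linear_sweep(code):
    """Naive disassembly: decode one instruction after another, ignoring control flow."""
    out, off = [], 0
    while off < len(code):
        d = decode_at(code, off)
        if d is None:                    # unknown byte: emit it as data and move on
            out.append(f"?? {code[off]:02x}")
            off += 1
            continue
        out.append(d[0])
        off += d[1]
    return out

def follow_flow(code):
    """Flow-following disassembly: a jmp short moves the cursor to its target,
    so the junk byte it skips over is never decoded."""
    out, off = [], 0
    while off < len(code):
        d = decode_at(code, off)
        if d is None:
            out.append(f"?? {code[off]:02x}")
            break
        text, length = d
        out.append(text)
        off += length                    # rel8 is relative to the next instruction
        if text.startswith("jmp short"):
            off += int(text.split()[-1])
        if text == "ret":
            break
    return out

# Constructed sample: jmp LABEL / db 0E8h / LABEL: push edx; pop edx; inc ecx; dec ecx; ret
JUNK = bytes([0xEB, 0x01, 0xE8, 0x52, 0x5A, 0x41, 0x49, 0xC3])
```

Running `linear_sweep(JUNK)` shows a bogus `call` that hides the four real instructions, while `follow_flow(JUNK)` recovers `push edx`, `pop edx`, `inc ecx`, `dec ecx`, `ret`.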