本文介绍了一种检测程序是否处于调试状态的方法。通过读取进程环境块(PEB)中的BeingDebugged标志位来判断当前进程是否正被调试工具监控。这种方法对于开发防调试或自我保护的应用程序非常有用。
push ********
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
mov esi,0
mov eax,dword ptr ds:[esi]
其中*********的地方是你要跳转的地址
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push ********
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
mov esi,0
mov eax,dword ptr ds:[esi]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push ********
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
mov ebx,0
div ebx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nop
push ********
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
int 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push ********
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
nop
int 68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push ********
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
nop
vxdcall 134543
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push ********
mov eax,dword ptr fs:[0]
push eax
mov dword ptr fs:[0],esp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push xxx
push dword ptr fs:[0]
mov fs:[0], esp
stc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push xxx
push dword ptr fs:[0]
mov fs:[0], esp
JMP 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push xxx
push dword ptr fs:[0]
mov fs:[0], esp
ret
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push xxx
push dword ptr fs:[0]
mov fs:[0], esp
pop ss
通过检查PEB中的BeingDebugged标志位,判断是否被调试
asm
mov eax,fs:[$30]
//获取PEB偏移2h处BeingDebugged的值
movzx eax,byte ptr[eax+$2]
or al,al
jz @No
jnz @Yes
@No:
mov NInt,1
@Yes:
Mov YInt,1
end;
扫一扫
559
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
