Anti debugging (basic principles of debugger Design & NT NP and other anti debugging principles)
2022-07-05 03:33:00 【#A#】
Goal: add application-level anti-debugging to a game (no driver), so that it resists the common debugging tools such as OllyDbg, Cheat Engine (CE), x32dbg/x64dbg (x96dbg) and the like.
Anti-debugging works at two levels:
- Prohibiting or breaking the debugging function itself
- Detecting that the process is in a debugged state
The basic principle of a software debugger (a complete skeleton; the original sketch had the DebugByCreate branch inverted relative to its comment, which is fixed here):
#include <windows.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    BOOL DebugByCreate = (argc < 2);   // TRUE: create and debug a new process; FALSE: attach to the PID given in argv[1]
    DWORD dwPID = DebugByCreate ? 0 : (DWORD)strtoul(argv[1], NULL, 10);  // ID of the process to be debugged
    DEBUG_EVENT dbgevent;
    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    char cmdline[] = "target.exe";     // command line of the debuggee when creating it
    if (DebugByCreate) {
        // DEBUG_PROCESS makes this process the debugger of the new process and of its children
        if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, &si, &pi))
            return 1;
    } else if (!DebugActiveProcess(dwPID)) {   // attach to an already running process
        return 1;
    }
    while (WaitForDebugEvent(&dbgevent, INFINITE)) {
        DWORD status = DBG_CONTINUE;
        switch (dbgevent.dwDebugEventCode) {
        case EXCEPTION_DEBUG_EVENT:
            // the initial breakpoint is raised for the debugger; every other exception is handed back to the debuggee
            if (dbgevent.u.Exception.ExceptionRecord.ExceptionCode != EXCEPTION_BREAKPOINT)
                status = DBG_EXCEPTION_NOT_HANDLED;
            break;
        case EXIT_PROCESS_DEBUG_EVENT:
            ContinueDebugEvent(dbgevent.dwProcessId, dbgevent.dwThreadId, DBG_CONTINUE);
            return 0;
        default:   // CREATE_PROCESS, CREATE_THREAD, LOAD_DLL, ...: a real debugger records these here
            break;
        }
        ContinueDebugEvent(dbgevent.dwProcessId, dbgevent.dwThreadId, status);
    }
    return 0;
}
The underlying implementation of creating the debuggee with CreateProcess:
BOOL
WINAPI
CreateProcessA(
_In_opt_ LPCSTR lpApplicationName,
_Inout_opt_ LPSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags, // Process creation flag bit
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCSTR lpCurrentDirectory,
_In_ LPSTARTUPINFOA lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
dwCreationFlags values relevant to debugging:
DEBUG_PROCESS 0x1 [debug the process and every child process it creates]
DEBUG_ONLY_THIS_PROCESS 0x2 [debug only this process, not its children]
Underlying calls:
[1] DbgUiConnectToDbg(); // the debugger process connects to the debugging subsystem:
    creates a DEBUG_OBJECT kernel object (NtCreateDebugObject)
    saves the DEBUG_OBJECT handle in the debugger thread's TEB, in DbgSsReserved[1]
[2] NtCreateProcess() / NtCreateProcessEx() (NtCreateUserProcess on Vista and later)
    the handle from DbgSsReserved[1] is passed down to the kernel process manager
    PsCreateProcess stores the referenced debug object in the DebugPort field of the new EPROCESS
    PsCreateProcess calls MmCreatePeb to build the PEB of the new process
    MmCreatePeb sets PEB->BeingDebugged to 1 when DebugPort is not NULL
The underlying calls of DebugActiveProcess (attaching to a running process):
[1] DbgUiConnectToDbg(); // same as above: the debugger process connects to the debugging subsystem
[2] ProcessIdToHandle(); // obtains a handle to the target process; ends in NtOpenProcess
[3] DbgUiDebugActiveProcess(); // sets the debugged state of the process
    >> NtDebugActiveProcess(); // looks up the EPROCESS from the given process handle
    >> DbgkpSetProcessDebugObject: attaches the debug object to EPROCESS->DebugPort
    >> DbgkpMarkProcessPeb: sets PEB->BeingDebugged in the debugged process
Conclusion: while a process is being debugged, the DebugPort field of its EPROCESS in kernel mode is never 0,
and the BeingDebugged field of its PEB in user mode is never 0. The PEB byte lives in the debuggee's own address space, so a debugger plugin can clear it; DebugPort is the authoritative value and is what the kernel itself checks.
How anti-debugging drivers such as TP (Tencent's TenProtect) and NP (nProtect GameGuard) work:
A debugger gets hold of its target in one of two ways, creating it with CreateProcess or attaching with DebugActiveProcess, so the driver has to cover both.
CreateProcess:
On the way from the application layer into the kernel, creation must pass through a handful of kernel functions, and those are where it is taken over. The classic takeover is a hook, but with the changes in newer Windows versions (kernel patch protection on x64) hooking is no longer a good option, and protection drivers now mostly use the kernel's own callback interfaces. A process-creation callback (PsSetCreateProcessNotifyRoutineEx) sees every PsCreateProcess: the image path of the process being created is right there, and if it is a known debugger the callback simply fails the creation. The debugger cannot even run, let alone create and debug the game.
In practice, debuggers rarely create the game process; attaching is far more common.
DebugActiveProcess:
The second step, OpenProcess -> NtOpenProcess, is where the driver takes over: the caller asks for a handle to the protected process, so the debugging target is obvious, and if the caller is a debugger the open fails outright and the attach cannot proceed. The later steps can be broken as well; the more places that are damaged, the more places an attacker has to restore, and the harder the attack becomes.
Both paths end with the debug object attached to DebugPort, so the driver can also zero DebugPort. That is equivalent to killing the port: the information that established the channel is recorded there, and removing it destroys the channel.
Besides opening the process, reading and writing process memory go through the same kind of choke points; the driver handles all of them, and that is how it is done.