VB.NET 从PEB->BeingDebugged标志位判断被调试

说实在的我本是想从PEB中保存调试对象句柄的标志位判断是

否被调试的，可惜搞了个多小时也没搞定实在算不准偏移到底

是好多、当然可以在WinDbg在DT !PEB不过真的很麻烦，我在

网上找了一些PEB结构的声明，最后我再Nirsoft.NET上找到了

一个很全面地PEB结构声明，说实在话看的我不知所云、好吧

保存调试对象句柄的标志位为 ->ULONG SystemReserved[1];

当然我个体也只记得在什么Reserved[1]中，毕竟我也是很久以

前看过点相关的资料、当然从Reserved[1]中判断是否被调试也

有一定缺点，现在过保护驱动可以过掉也就是说你不一定还能

检查的出来、你们可以参考下反调试技术揭秘上的资料，当然

有兴趣可以研究!PEB / KernelStruct、它在某些时候的很有用

BeingDebugged 当进程被调试器附加时，操作系统会自动设置这

个标志位一般来说我们只需要在一个额外线程中循环定期检查

就可以了、当然如果要比较好的方法可能是从HeapFlags判断了

不过都可以从上面的反调试技术揭秘中找到、

上面先通过NtQueryInformationProcess获取PBI(进程基类信息)

这个信息里面包含了，PEB入口点、宿主进程、退出代码、等

当然从PBI中获取PEB入口地址是比较亲民的做法，难道你要在

VB.NET中利用汇编从FS(标志段)寄存器中去获取到PEB吗？

在PEB入口点偏移0x2的位置是BeingDebugged、

示例代码：

Imports System.Runtime.InteropServices
Imports System.Text.RegularExpressions

Module MainModule

    Declare Function NtQueryInformationProcess Lib "ntdll.dll" (ProcessHandle As IntPtr,InformationClass As Integer,ByRef ProcessInformation As PROCESS_BASIC_INFORMATION,ProcessInformationLength As Integer,ReturnLength As Integer) As Integer

    Declare Function GetCurrentProcess Lib "kernel32.dll" () As IntPtr

    <StructLayout(LayoutKind.Sequential)>
    Structure PROCESS_BASIC_INFORMATION
        Public ExitStatus As Integer
        Public PebBaseAddress As IntPtr
        Public AffinityMask As Integer
        Public BasePriority As Integer
        Public UniqueProcessId As Integer
        Public InheritedFromUniqueProcessId As Integer
    End Structure

    <StructLayout(LayoutKind.Sequential)>
    Structure PEB
        Public InheritedAddressSpace As Byte
        Public ReadImageFileExecOptions As Byte
        Public BeingDebugged As Byte
        Public SpareBool As Byte
        Public Mutant As IntPtr
        Public ImageBaseAddress As IntPtr
        Public Ldr As IntPtr
    End Structure

    Const NULL As Integer = 0
    Const STATUS_SUCCESS As Integer = NULL
    Const SystemBasicInformation As Integer = 0

    Sub Main()
        Console.WriteLine(IsDebuggerPresent())
        Debugger.Break()
    End Sub

    Function IsDebuggerPresent() As Boolean
        Dim pbi = New PROCESS_BASIC_INFORMATION()
        If (STATUS_SUCCESS <> NtQueryInformationProcess(GetCurrentProcess(),SystemBasicInformation,pbi,Marshal.SizeOf(pbi),NULL)) Then
            Throw New Exception("Unable to get pbi.")
        End If
        Dim peb = CType(Marshal.PtrToStructure(pbi.PebBaseAddress,GetType(PEB)),PEB)
        Return peb.BeingDebugged <> 0
    End Function

End Module

原文链接：https://www.f2er.com/vb/257211.html

VB.NET 从PEB->BeingDebugged标志位判断被调试

猜你在找的VB相关文章