一、32位系統(tǒng)

nt!_PEB
???+0x000 InheritedAddressSpace?:?UChar
???+0x001 ReadImageFileExecOptions?:?UChar
???+0x002 BeingDebugged????:?UChar??????????????? isDbg值，8字節(jié)
???+0x003 BitField?????????:?UChar
???+0x003 ImageUsesLargePages?:?Pos 0, 1 Bit
???+0x003 IsProtectedProcess?:?Pos 1, 1 Bit
???+0x003 IsLegacyProcess??:?Pos 2, 1 Bit
???+0x003 IsImageDynamicallyRelocated?:?Pos 3, 1 Bit
???+0x003 SkipPatchingUser32Forwarders?:?Pos 4, 1 Bit
???+0x003 SpareBits????????:?Pos 5, 3 Bits
???+0x004 Mutant?????? ????:?Ptr32 Void
???+0x008 ImageBaseAddress?:?Ptr32 Void??????????????鏡像基址
???+0x00c Ldr??????????????:?Ptr32 _PEB_LDR_DATA???????????? _PEB_LDR_DATA結(jié)構(gòu)
???+0x010 ProcessParameters?:?Ptr32 _RTL_USER_PROCESS_PARAMETERS
???+0x014 SubSystemData????:?Ptr32 Void
???+0x018 ProcessHeap??????:?Ptr32 Void?????????????
???+0x01c FastPebLock??????:?Ptr32 _RTL_CRITICAL_SECTION
???+0x020 AtlThunkSListPtr?:?Ptr32 Void
???+0x024 IFEOKey??????????:?Ptr32 Void
???+0x028 CrossProcessFlags?:?Uint4B
???+0x028 ProcessInJob?????:?Pos 0, 1 Bit
???+0x028 ProcessInitializing?:?Pos 1, 1 Bit
???+0x028 ProcessUsingVEH??:?Pos 2, 1 Bit
???+0x028 ProcessUsingVCH??:?Pos 3, 1 Bit
???+0x028 ProcessUsingFTH??:?Pos 4, 1 Bit
???+0x028 ReservedBits0????:?Pos 5, 27 Bits
???+0x02c KernelCallbackTable?:?Ptr32 Void
???+0x02c UserSharedInfoPtr?:?Ptr32 Void
???+0x030 SystemReserved???:?[1]?Uint4B
???+0x034 AtlThunkSListPtr32?:?Uint4B
???+0x038 ApiSetMap????????:?Ptr32 Void
???+0x03c TlsExpansionCounter?:?Uint4B
???+0x040 TlsBitmap????????:?Ptr32 Void
???+0x044 TlsBitmapBits????:?[2]?Uint4B
???+0x04c ReadOnlySharedMemoryBase?:?Ptr32 Void
???+0x050 HotpatchInformation?:?Ptr32 Void
???+0x054 ReadOnlyStaticServerData?:?Ptr32 Ptr32 Void
???+0x058 AnsiCodePageData?:?Ptr32 Void
???+0x05c OemCodePageData??:?Ptr32 Void
???+0x060 UnicodeCaseTableData?:?Ptr32 Void
???+0x064 NumberOfProcessors?:?Uint4B??????????? CPU的個(gè)數(shù)
???+0x068 NtGlobalFlag?????:?Uint4B
?? .
?? .
?? .

PEB?有一個(gè)名為NtGlobalFlag（32位系統(tǒng)下偏移量0x68）的字段，程序可以挑戰(zhàn)該字段以確定它們是否正在被調(diào)試。通常，當(dāng)進(jìn)程未被調(diào)試時(shí)，NtGlobalFlag字段包含值0x0。調(diào)試進(jìn)程時(shí)，該字段通常包含值0x70，表示設(shè)置了以下標(biāo)志：

標(biāo)志

FLG_HEAP_ENABLE_TAIL_CHECK

FLG_HEAP_ENABLE_FREE_CHECK

FLG_HEAP_VALIDATE_PARAMETERS

其余

所以可以通過(guò)檢測(cè)此標(biāo)志位來(lái)檢測(cè)是否被調(diào)試。
實(shí)現(xiàn)代碼可以通過(guò)匯編或者通過(guò)C++實(shí)現(xiàn)，匯編實(shí)現(xiàn)如下：

DWORD?MyIsDebug1(){
??? DWORD Flag?=?0;
??? __asm?{
??? mov eax,fs:[30h]
??? mov eax,[eax+68h]
??? mov Flag,eax
}
????return?Flag;
}

完整代碼如下：

// ConsoleApplication1.cpp :?此文件包含?"main"?函數(shù)。程序執(zhí)行將在此處開(kāi)始并結(jié)束。
//

#include?
#include?
DWORD MyIsDebug1(){
??? DWORD Flag?=?0;
??? __asm?{
??? mov eax,fs:[30h]
??? mov eax,[eax+68h]
??? mov Flag,eax
}
????return?Flag;
}

DWORD WINAPI MyIsDebug(
??? LPVOID lpThreadParameter
)
{
??? DWORD myFlag?=?0;
????while?(1)?{
?????? myFlag?=?MyIsDebug1();
???????if?(myFlag?==?0x70)
???????{
?????????? MessageBox(NULL,?L"警告",?L"調(diào)試中",?MB_OK);
???????}
????}
????return?1;
}

int?main()
{
????//IsDebuggerPresent();
??? CreateThread(NULL,?NULL,?MyIsDebug,?NULL,?NULL,?NULL);
??? std::cout?<<?"Hello World!\n";
??? system("pause");
????return?0;
}

二、64位系統(tǒng)

ntdll!_PEB
??+0x000 InheritedAddressSpace?:?UChar
??+0x001 ReadImageFileExecOptions?:?UChar
??+0x002 BeingDebugged????:?UChar
??+0x003 BitField?????????:?UChar
??+0x003 ImageUsesLargePages?:?Pos 0, 1 Bit
??+0x003 IsProtectedProcess?:?Pos 1, 1 Bit
??+0x003 IsImageDynamicallyRelocated?:?Pos 2, 1 Bit
??+0x003 SkipPatchingUser32Forwarders?:?Pos 3, 1 Bit
??+0x003 IsPackagedProcess?:?Pos 4, 1 Bit
??+0x003 IsAppContainer???:?Pos 5, 1 Bit
??+0x003 IsProtectedProcessLight?:?Pos 6, 1 Bit
??+0x003 IsLongPathAwareProcess?:?Pos 7, 1 Bit
??+0x004 Padding0?????????:?[4]?UChar
??+0x008 Mutant???????????:?Ptr64 Void
??+0x010 ImageBaseAddress?:?Ptr64 Void
??+0x018 Ldr??????????????:?Ptr64 _PEB_LDR_DATA
??+0x020 ProcessParameters?:?Ptr64 _RTL_USER_PROCESS_PARAMETERS
??+0x028 SubSystemData????:?Ptr64 Void
??+0x030 ProcessHeap??????:?Ptr64 Void
??+0x038 FastPebLock??????:?Ptr64 _RTL_CRITICAL_SECTION
??+0x040 AtlThunkSListPtr?:?Ptr64 _SLIST_HEADER
??+0x048 IFEOKey??????????:?Ptr64 Void
??+0x050 CrossProcessFlags?:?Uint4B
??+0x050 ProcessInJob?????:?Pos 0, 1 Bit
??+0x050 ProcessInitializing?:?Pos 1, 1 Bit
??+0x050 ProcessUsingVEH??:?Pos 2, 1 Bit
??+0x050 ProcessUsingVCH??:?Pos 3, 1 Bit
??+0x050 ProcessUsingFTH??:?Pos 4, 1 Bit
??+0x050 ProcessPreviouslyThrottled?:?Pos 5, 1 Bit
??+0x050 ProcessCurrentlyThrottled?:?Pos 6, 1 Bit
??+0x050 ReservedBits0????:?Pos 7, 25 Bits
??+0x054 Padding1?????????:?[4]?UChar
??+0x058 KernelCallbackTable?:?Ptr64 Void
??+0x058 UserSharedInfoPtr?:?Ptr64 Void
??+0x060 SystemReserved???:?Uint4B
??+0x064 AtlThunkSListPtr32?:?Uint4B
??+0x068 ApiSetMap????????:?Ptr64 Void
??+0x070 TlsExpansionCounter?:?Uint4B
??+0x074 Padding2?????????:?[4]?UChar
??+0x078 TlsBitmap????????:?Ptr64 Void
??+0x080 TlsBitmapBits????:?[2]?Uint4B
??+0x088 ReadOnlySharedMemoryBase?:?Ptr64 Void
??+0x090 SharedData???????:?Ptr64 Void
??+0x098 ReadOnlyStaticServerData?:?Ptr64 Ptr64 Void
??+0x0a0 AnsiCodePageData?:?Ptr64 Void
??+0x0a8 OemCodePageData??:?Ptr64 Void
??+0x0b0 UnicodeCaseTableData?:?Ptr64 Void
??+0x0b8 NumberOfProcessors?:?Uint4B
??+0x0bc NtGlobalFlag?? ??:?Uint4B

可以看到64位系統(tǒng)下面，NtGlobalFlag標(biāo)志位有所不同，位于PEB偏移0xbc。其余和x86沒(méi)有區(qū)別。可以通過(guò)readgsqword(60h)獲取到PED地址，再檢查偏移0xbc位置標(biāo)志位達(dá)到反調(diào)試效果。

三、反反調(diào)試

1.?手動(dòng)修改標(biāo)志位

2.?使用OD插件

3.?在WinDbg中，在禁用調(diào)試堆的情況下啟動(dòng)程序?( windbg -hd program.exe )