Topshiriq
1. NtGlobalFlag va IMAGE_LOAD_CONFIG_DIRECTORY dan foydalanib, debaggerni aniqlash ketma-ketligini ko’rsating.
2. Heap Flags va ForceFlags holatlarini tekshirish orqali debaggerni aniqlash ketma-ketligini ko’rsating.
2. Heap Flags va ForceFlags dan foydalanib, debaggerni aniqlash ketma-ketligini ko’rsatish:
#include
#include
#include
// Heap-related NtGlobalFlag bits. The combined mask NT_GLOBAL_FLAG_DEBUGGED is
// what CheckNtGlobalFlag() tests PEB->NtGlobalFlag against; the three bits are
// the heap tail check, heap free check and heap parameter validation flags.
constexpr unsigned long FLG_HEAP_ENABLE_TAIL_CHECK   = 0x10;
constexpr unsigned long FLG_HEAP_ENABLE_FREE_CHECK   = 0x20;
constexpr unsigned long FLG_HEAP_VALIDATE_PARAMETERS = 0x40;
constexpr unsigned long NT_GLOBAL_FLAG_DEBUGGED =
    FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS;
// Retained so that unqualified name lookup in the rest of the file is unchanged;
// the code below qualifies std:: explicitly, so this directive is not needed.
using namespace std;
// Returns the address of the current process's PEB, read from the TEB
// through the segment register the OS reserves for it (gs on x64, fs on x86).
PVOID GetPEB()
{
    // 0x0C * sizeof(PVOID) is the TEB offset of the PEB pointer:
    // 0x60 when PVOID is 8 bytes (x64), 0x30 when it is 4 bytes (x86).
    constexpr unsigned long kPebPointerOffset = 0x0C * sizeof(PVOID);
#ifdef _WIN64
    const auto rawPeb = __readgsqword(kPebPointerOffset);
#else
    const auto rawPeb = __readfsdword(kPebPointerOffset);
#endif
    return reinterpret_cast<PVOID>(rawPeb);
}
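// Anti-debugging heuristic: reads PEB->NtGlobalFlag and terminates the process
// (message on stdout, then exit(-1)) when the heap-checking bits collected in
// NT_GLOBAL_FLAG_DEBUGGED are set. Relies on the PEB layout, which is not part
// of the documented Win32 API; the offsets used here are the widely published
// ones for the 64-bit and 32-bit PEB.
void CheckNtGlobalFlag()
{
    PVOID pPeb = GetPEB();
    // The original dereferenced pPeb before testing it; guard first.
    if (!pPeb)
    {
        return;
    }
    // NtGlobalFlag sits at 0xBC in the 64-bit PEB and at 0x68 in the 32-bit
    // PEB. The original tested `_WIN`, which no compiler defines, so the x64
    // build always used the 32-bit offset and read the wrong field.
#ifdef _WIN64
    constexpr DWORD offsetNtGlobalFlag = 0xBC;
#else
    constexpr DWORD offsetNtGlobalFlag = 0x68;
#endif
    const DWORD NtGlobalFlag =
        *reinterpret_cast<PDWORD>(static_cast<PBYTE>(pPeb) + offsetNtGlobalFlag);
    if (NtGlobalFlag & NT_GLOBAL_FLAG_DEBUGGED)
    {
        std::cout << "Stop debugging program!" << std::endl;
        exit(-1);
    }
    // NOTE(review): the original then read offset 0xBC from this same PEB
    // unconditionally. On x64 that repeats the check above; on x86 it reads an
    // unrelated field of the 32-bit PEB and can fire spuriously. The intended
    // target is the 64-bit PEB of a WOW64 process, which needs a separate
    // lookup this file does not provide, so that second read is dropped.
}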
// Entry point: runs the NtGlobalFlag debugger heuristic. The check itself
// terminates the process with exit(-1) when it fires, so nothing is returned
// from it for main() to inspect.
int main()
{
    CheckNtGlobalFlag();
    return 0;
}