Reverse_PEB

关于这道题目的反调试知识

PEB结构体

+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged    : UChar
+0x003 SpareBool        : UChar
+0x004 Mutant           : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr              : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData    : Ptr32 Void
+0x018 ProcessHeap      : Ptr32 Void
+0x01c FastPebLock      : Ptr32 _RTL_CRITICAL_SECTION
+0x020 FastPebLockRoutine : Ptr32 Void
+0x024 FastPebUnlockRoutine : Ptr32 Void
+0x028 EnvironmentUpdateCount : Uint4B
+0x02c KernelCallbackTable : Ptr32 Void
+0x030 SystemReserved   : [1] Uint4B
+0x034 AtlThunkSListPtr32 : Uint4B
+0x038 FreeList         : Ptr32 _PEB_FREE_BLOCK
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap        : Ptr32 Void
+0x044 TlsBitmapBits    : [2] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData  : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag     : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps    : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps     : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock       : Ptr32 Void
+0x0a4 OSMajorVersion   : Uint4B
+0x0a8 OSMinorVersion   : Uint4B
+0x0ac OSBuildNumber    : Uint2B
+0x0ae OSCSDVersion     : Uint2B
+0x0b0 OSPlatformId     : Uint4B
+0x0b4 ImageSubsystem   : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ImageProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer  : [34] Uint4B
+0x14c PostProcessInitRoutine : Ptr32     void 
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [32] Uint4B
+0x1d4 SessionId        : Uint4B
+0x1d8 AppCompatFlags   : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER_ULARGE_INTEGER
+0x1e8 pShimData        : Ptr32 Void
+0x1ec AppCompatInfo    : Ptr32 Void
+0x1f0 CSDVersion       : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 Void
+0x1fc ProcessAssemblyStorageMap : Ptr32 Void
+0x200 SystemDefaultActivationContextData : Ptr32 Void
+0x204 SystemAssemblyStorageMap : Ptr32 Void
+0x208 MinimumStackCommit : Uint4B

IDA中反编译的结果以及对于PEB结构体的定义描述与真实情况有些出入, 需要以汇编代码为准

1	if ( ((_DWORD )NtCurrentPeb()->ProcessHeap + 0x0C) != 2 )

.text:004015D4                 mov     eax, large fs:30h
.text:004015DA                 mov     eax, [eax+18h]
.text:004015DD                 mov     eax, [eax+0Ch]
.text:004015E0                 cmp     eax, 2
.text:004015E3                 jz      short loc_401628

1	if ( ((_DWORD )NtCurrentPeb()->ProcessHeap + 0x0C) != 2 )

.text:00401985                 mov     eax, large fs:30h
.text:0040198B                 mov     eax, [eax+18h]
.text:0040198E                 mov     eax, [eax+0Ch]
.text:00401991                 cmp     eax, 2
.text:00401994                 jz      short loc_4019A2

HEAP结构体

+0×000 Entry	:_HEAP_ENTRY
+0×008 Signature	:Uint4B
+0×00c Flags	:Uint4B
+0×010 ForceFlags	:Uint4B
+0×014 VirtualMemoryThreshold 	:Uint4B
+0×018 SegmentReserve	:Uint4B
+0×01c SegmentCommit	:Uint4B
+0×020 DeCommitFreeBlockThreshold	 :Uint4B
...

1	if ( ((int)NtCurrentPeb()->NtGlobalFlag & 0x70) != 0 )

.text:00401ADA                 mov     eax, large fs:30h
.text:00401AE0                 mov     eax, [eax+68h]
.text:00401AE3                 and     eax, 70h
.text:00401AE6                 test    eax, eax
.text:00401AE8                 jz      short loc_401B00

1	if ( (unsigned __int8)(_DWORD )&NtCurrentPeb()->BeingDebugged )

.text:00401B4D                 mov     eax, large fs:30h
.text:00401B53                 inc     eax
.text:00401B54                 inc     eax
.text:00401B55                 mov     eax, [eax]
.text:00401B57                 and     eax, 0FFh
.text:00401B5C                 test    eax, eax
.text:00401B5E                 jz      short loc_401B6E

当程序被调试时, 以上if语句均可能成立, 从而对程序的流程产生影响

~~所以基本看到PEB出现NOP就完事了~~

《逆向工程核心原理》 Page.529