2014. 10. 22. 17:37
A debugger-check trick I didn't know about..... oh?
Detection using CsrGetProcessId
Other AntiDebug tricks
I came across this one individual’s page who is an avid reverse engineer with some great material.
Check out his pdf cheat sheet on anti-debugging. There were a few in there I didn’t know about like the ‘csr’ trick which involves calling an undocumented ‘CsrGetProcessId’ function within OpenProcess. CsrGetProcessId is a native API that returns the PID of csrss.exe.
Evidently if you call OpenProcess and pass the ID returned by CsrGetProcessId(), no error will occur if the SeDebugPrivilege has been set with SetPrivilege() / AdjustTokenPrivileges(). How about some code with that shake?
#include <stdio.h>
#include <windows.h>

/* CsrGetProcessId is undocumented: it returns the PID of csrss.exe (as a HANDLE-sized value). */
typedef HANDLE (WINAPI *_CsrGetProcessId)(void);

int main(void)
{
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    _CsrGetProcessId CsrGetProcessId = (_CsrGetProcessId)GetProcAddress(nt, "CsrGetProcessId");
    HANDLE proc;

    if (!CsrGetProcessId) {
        printf("CsrGetProcessId is not exported by this ntdll\n");
        return 1;
    }

    /* Opening csrss.exe with full access only succeeds when SeDebugPrivilege is
       enabled in our token, which a debuggee inherits from its debugger.
       The original snippet tested !proc, which reported the opposite result. */
    proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)(ULONG_PTR)CsrGetProcessId());
    if (proc) {
        printf("debugger is present!\n");
        CloseHandle(proc);
    }
    return 0;
}
The cheat sheet has other stuff in it. Check it out some time. Better yet, check out the guy’s blog instead.
Happy cracking!
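The csrss trick above is really a proxy for one token attribute: whether SeDebugPrivilege is enabled in the current process. The added example below (my own code, not from the quoted post or its cheat sheet) reads that attribute directly with OpenProcessToken/GetTokenInformation, runs the csrss OpenProcess probe next to it, and explains the four possible combinations, including the false positive a software author should expect when the caller already has enough rights on csrss.exe without the privilege (for example a service running as SYSTEM). An analyst can also use it to confirm whether the debugger handed SeDebugPrivilege down to the debuggee. The function names (se_debug_enabled, csr_handle_opens, explain) are mine; the Windows-only parts sit behind #ifdef _WIN32 so the file still compiles elsewhere, where both probes report -1 (inconclusive).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

/* 1 = SeDebugPrivilege present and enabled in our primary token,
   0 = absent or disabled, -1 = token could not be read. */
int se_debug_enabled(void)
{
    HANDLE tok;
    LUID luid;
    DWORD len = 0, i;
    TOKEN_PRIVILEGES *tp;
    int enabled = 0;

    if (!LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luid)) return -1;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return -1;

    /* First call sizes the buffer, second call fills it. */
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len);
    tp = (TOKEN_PRIVILEGES *)malloc(len);
    if (!tp || !GetTokenInformation(tok, TokenPrivileges, tp, len, &len)) {
        free(tp);
        CloseHandle(tok);
        return -1;
    }
    for (i = 0; i < tp->PrivilegeCount; i++) {
        if (tp->Privileges[i].Luid.LowPart == luid.LowPart &&
            tp->Privileges[i].Luid.HighPart == luid.HighPart) {
            /* Present is not enough: OpenProcess only honours an ENABLED privilege. */
            enabled = (tp->Privileges[i].Attributes & SE_PRIVILEGE_ENABLED) ? 1 : 0;
            break;
        }
    }
    free(tp);
    CloseHandle(tok);
    return enabled;
}

typedef HANDLE (WINAPI *CsrGetProcessId_t)(void);

/* 1 = csrss.exe opened with full access, 0 = access denied, -1 = probe unavailable. */
int csr_handle_opens(void)
{
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    CsrGetProcessId_t fn = nt ? (CsrGetProcessId_t)GetProcAddress(nt, "CsrGetProcessId") : NULL;
    HANDLE h;

    if (!fn) return -1;
    h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)(ULONG_PTR)fn());
    if (h) {
        CloseHandle(h);
        return 1;
    }
    return GetLastError() == ERROR_ACCESS_DENIED ? 0 : -1;
}
#else
/* Non-Windows build: both probes are inconclusive. */
int se_debug_enabled(void) { return -1; }
int csr_handle_opens(void) { return -1; }
#endif

/* Reads the two observations together; the csrss probe is only a stand-in for the token check. */
const char *explain(int priv, int csr)
{
    if (priv == 1 && csr == 1)
        return "SeDebugPrivilege enabled and csrss opened: typical of a debuggee that inherited its debugger's token";
    if (priv == 0 && csr == 0)
        return "no debug privilege, csrss denied: the trick reports clean";
    if (priv == 1 && csr == 0)
        return "privilege enabled but csrss denied: the requested access mask was refused anyway";
    if (priv == 0 && csr == 1)
        return "csrss opened without the privilege: caller's own rights suffice, false positive for the trick";
    return "inconclusive: API unavailable or unsupported platform";
}

int main(void)
{
    int priv = se_debug_enabled();
    int csr = csr_handle_opens();
    printf("SeDebugPrivilege enabled: %d, csrss handle opens: %d\n%s\n", priv, csr, explain(priv, csr));
    return 0;
}
```

Run it once normally and once under a debugger: the first column flips from 0 to 1 when the debugger's token carried the privilege, which is exactly what makes the OpenProcess probe succeed; an elevated console where SeDebugPrivilege was enabled beforehand gives the same 1/1 reading with no debugger attached.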
Tags: anti-debug