![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/7-1711672334.jpg)
```c
#define FLAG_FULLON (FLAG_CHECKSUM_NTOSKRNL | FLAG_CHECKSUM_CODESECTION | \
                     FLAG_DETECT_DEBUGGER | FLAG_DETECT_HARDWAREBREAKPOINT)
```
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/9-1711672334.jpeg)
_isArch64 means the process is a native 64-bit build.
_isWow64 means a 32-bit process is running on 64-bit Windows (under WOW64).
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/7-1711672335.jpeg)
NtSetInformationThread sets one piece of per-thread information, selected by the information class; the class used here is ThreadHideFromDebugger, not a priority setting.
Handle -1 is the pseudo-handle of the current process, -2 the pseudo-handle of the current thread.
0x11 ThreadHideFromDebugger = 17: once this is set, the debugger stops receiving exception and breakpoint events from the thread.
WRK (Windows Research Kernel) source:
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/10-1711672335.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/5-1711672336.jpeg)
The call is then repeated with a wrong address. Without a debugger the kernel should return an error; an anti-anti-debug hook in the debugger that simply answers every such call with 0 (STATUS_SUCCESS) gives itself away.
Running the XAD_Initialize function:
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/10-1711672336.jpg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/1-1711672337.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/1-1711672337.jpg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/1-1711672338.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/10-1711672339.jpg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/6-1711672339.jpeg)
XAD_ExecuteDetect is then called to run the checks:
1. CRC check over the section table: the checksum covers the code section, including the hand-built system-call stubs, so any patch to it (such as the 0xCC an int3 software breakpoint writes) is detected.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/7-1711672340.jpeg)
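Check 1 above, as an added example in C that is not XAntiDebug's own code: a CRC-32 baseline is taken over a code range and re-verified later, so the 0xCC byte an int3 breakpoint writes changes the checksum. The CRC-32 polynomial, the constructed 16-byte "section" used in the demo, and the Windows-only helper that picks the first executable section out of the PE section table are this example's own choices, not taken from the project.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard reflected CRC-32 (polynomial 0xEDB88320), table built on first use. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    static uint32_t table[256];
    static int ready = 0;
    if (!ready) {
        for (uint32_t i = 0; i < 256; i++) {
            uint32_t c = i;
            for (int k = 0; k < 8; k++)
                c = (c & 1) ? 0xEDB88320u ^ (c >> 1) : c >> 1;
            table[i] = c;
        }
        ready = 1;
    }
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++)
        crc = table[(crc ^ p[i]) & 0xFF] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

/* Baseline record for one protected range (the .text section, or the
 * hand-built syscall stubs that the checksum is meant to cover). */
typedef struct {
    const uint8_t *start;
    size_t len;
    uint32_t crc;
} code_range_t;

void checksum_init(code_range_t *r, const void *start, size_t len)
{
    r->start = (const uint8_t *)start;
    r->len = len;
    r->crc = crc32_bytes(r->start, len);
}

/* 1 when the range no longer matches its baseline (patched), else 0. */
int checksum_modified(const code_range_t *r)
{
    return crc32_bytes(r->start, r->len) != r->crc;
}

/* Demo on a constructed buffer standing in for a code section (x64 prologue,
 * sub rsp, xor eax,eax, add rsp, pop rbp, ret). Returns 1 when an int3 written
 * at `patch_at` is detected, -1 if the baseline did not verify before patching. */
int demo_detect_int3_patch(size_t patch_at)
{
    uint8_t section[16] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10,
                            0x31, 0xC0, 0x48, 0x83, 0xC4, 0x10, 0x5D, 0xC3 };
    code_range_t r;
    checksum_init(&r, section, sizeof section);
    if (checksum_modified(&r)) return -1;
    section[patch_at % sizeof section] = 0xCC;   /* what a software breakpoint writes */
    return checksum_modified(&r);
}

#ifdef _WIN32
#include <windows.h>
/* Assumed way to pick the range in a real build: walk the PE section table of
 * the running module and checksum the first executable section (normally .text). */
int checksum_init_text_section(code_range_t *r)
{
    BYTE *base = (BYTE *)GetModuleHandleA(NULL);
    IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)(base + ((IMAGE_DOS_HEADER *)base)->e_lfanew);
    IMAGE_SECTION_HEADER *sec = IMAGE_FIRST_SECTION(nt);
    for (WORD i = 0; i < nt->FileHeader.NumberOfSections; i++, sec++) {
        if (sec->Characteristics & IMAGE_SCN_MEM_EXECUTE) {
            checksum_init(r, base + sec->VirtualAddress, sec->Misc.VirtualSize);
            return 1;
        }
    }
    return 0;
}
#endif
```

Two practical caveats: the baseline has to be taken before a debugger gets the chance to place breakpoints, and the checker itself (and the syscall stubs it relies on) must lie inside a checked range, otherwise the check is the first thing an attacker patches.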
2. IsDebuggerPresent: checks whether the process is currently being debugged.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/0-1711672340.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/4-1711672340.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/2-1711672341.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/9-1711672341.jpg)
It reads the BeingDebugged byte of the PEB.
3. CheckRemoteDebuggerPresent
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/0-1711672342.jpg)
Internally this is NtQueryInformationProcess with ProcessDebugPort: a nonzero debug port means a debugger is attached.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/6-1711672342.jpg)
4. Closing an invalid handle: without a debugger the call simply fails, but while one is attached the kernel raises an exception (EXCEPTION_INVALID_HANDLE), which the check catches.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/8-1711672343.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/10-1711672343.jpeg)
5. Detection with DuplicateHandle.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/4-1711672344.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/3-1711672344.jpeg)
6. Detecting StrongOD (an OllyDbg anti-anti-debug plugin).
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/0-1711672344.jpeg)
7. NtQueryInformationProcess with information class 0x1E (ProcessDebugObjectHandle): a debug object handle is only returned while a debugger is attached.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/4-1711672345.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/0-1711672345.jpeg)
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/1-1711672345.jpeg)
8. Using a kernel double-overwrite bug to detect anti-anti-debugging.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/9-1711672346.jpeg)
9. GetThreadContext: reads the debug registers of the current thread to see whether hardware breakpoints are set.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/10-1711672346.jpeg)
10. VEH-based detection
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/6-1711672347.jpeg)
It calls HardwareBreakpointRoutine to raise an exception and checks for hardware breakpoints from inside the vectored exception handler.
![XAntiDebug detection logic and basic anti-debugging](https://ctfiot.oss-cn-beijing.aliyuncs.com/uploads/2024/03/1-1711672347.jpeg)
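The ThreadHideFromDebugger probe described earlier and checks 2, 3, 4, 7 and 9 from the list, combined into one Windows C program as an added example (my code, not XAntiDebug's). Assumptions: NtSetInformationThread and NtQueryInformationProcess are resolved from ntdll at run time with the hand-written prototypes shown; the "wrong" parameter for the hook probe is a nonzero ThreadInformationLength, which the WRK kernel rejects with STATUS_INFO_LENGTH_MISMATCH; the SEH part needs MSVC; and the debug-register decoding treats a slot as armed only when DR7 enables it. Outside Windows only the two DR7 helpers build.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 bits L0/G0 .. L3/G3 (bits 0-7) arm the address registers DR0-DR3.
 * Returns a mask with bit i set when slot DRi is enabled (locally or globally). */
unsigned dr7_enabled_slots(uint64_t dr7)
{
    unsigned mask = 0;
    for (unsigned i = 0; i < 4; i++)
        if (dr7 & (3ULL << (2 * i)))       /* Li is bit 2i, Gi is bit 2i+1 */
            mask |= 1u << i;
    return mask;
}

/* A hardware breakpoint is present when an enabled slot holds a nonzero address
 * (assumption of this example: an address whose enable bits are clear is ignored). */
int hw_breakpoint_present(uint64_t dr0, uint64_t dr1, uint64_t dr2, uint64_t dr3, uint64_t dr7)
{
    const uint64_t dr[4] = { dr0, dr1, dr2, dr3 };
    unsigned mask = dr7_enabled_slots(dr7);
    for (unsigned i = 0; i < 4; i++)
        if ((mask & (1u << i)) && dr[i] != 0)
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>

/* Native prototypes (not in the SDK headers), resolved from ntdll at run time. */
typedef LONG (NTAPI *NtSetInformationThread_t)(HANDLE, ULONG, PVOID, ULONG);
typedef LONG (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#define CLASS_ThreadHideFromDebugger   0x11   /* 17 */
#define CLASS_ProcessDebugObjectHandle 0x1E   /* 30 */
#define NT_CURRENT_PROCESS ((HANDLE)(LONG_PTR)-1)
#define NT_CURRENT_THREAD  ((HANDLE)(LONG_PTR)-2)

/* Hide the thread, then repeat the call with a nonzero length, which the real
 * kernel rejects. A reply of 0 (STATUS_SUCCESS) can only come from a hook that
 * blindly "succeeds" the call: 1 = hooked, 0 = clean, -1 = could not run. */
int hide_thread_and_probe_hook(void)
{
    NtSetInformationThread_t pNtSIT = (NtSetInformationThread_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetInformationThread");
    if (!pNtSIT) return -1;
    pNtSIT(NT_CURRENT_THREAD, CLASS_ThreadHideFromDebugger, NULL, 0);
    return pNtSIT(NT_CURRENT_THREAD, CLASS_ThreadHideFromDebugger, NULL, sizeof(ULONG)) == 0;
}

/* IsDebuggerPresent reads PEB.BeingDebugged; CheckRemoteDebuggerPresent is
 * NtQueryInformationProcess(ProcessDebugPort) underneath. */
int being_debugged(void)
{
    BOOL remote = FALSE;
    CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote);
    return IsDebuggerPresent() || remote;
}

/* ProcessDebugObjectHandle hands back a debug-object handle only while a
 * debugger is attached; otherwise the call fails with STATUS_PORT_NOT_SET. */
int debug_object_present(void)
{
    NtQueryInformationProcess_t pNtQIP = (NtQueryInformationProcess_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    HANDLE dbg = NULL;
    if (!pNtQIP) return -1;
    if (pNtQIP(NT_CURRENT_PROCESS, CLASS_ProcessDebugObjectHandle, &dbg, sizeof dbg, NULL) == 0 && dbg) {
        CloseHandle(dbg);
        return 1;
    }
    return 0;
}

#ifdef _MSC_VER
/* CloseHandle on a bogus handle just fails, but while a debugger is attached the
 * kernel raises EXCEPTION_INVALID_HANDLE (0xC0000008) instead. MSVC SEH only. */
int close_invalid_handle_raises(void)
{
    __try {
        CloseHandle((HANDLE)(ULONG_PTR)0xDEADBEEF);
    } __except (GetExceptionCode() == EXCEPTION_INVALID_HANDLE
                ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        return 1;
    }
    return 0;
}
#endif

/* GetThreadContext with CONTEXT_DEBUG_REGISTERS exposes DR0-DR3/DR7 of this thread. */
int thread_has_hw_breakpoint(void)
{
    CONTEXT ctx;
    ZeroMemory(&ctx, sizeof ctx);
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(GetCurrentThread(), &ctx)) return -1;
    return hw_breakpoint_present(ctx.Dr0, ctx.Dr1, ctx.Dr2, ctx.Dr3, ctx.Dr7);
}

int main(void)
{
    printf("BeingDebugged/DebugPort : %d\n", being_debugged());
    printf("ProcessDebugObjectHandle: %d\n", debug_object_present());
    printf("HideFromDebugger hooked : %d\n", hide_thread_and_probe_hook());
#ifdef _MSC_VER
    printf("CloseHandle raised      : %d\n", close_invalid_handle_raises());
#endif
    printf("Hardware breakpoint     : %d\n", thread_has_hw_breakpoint());
    return 0;
}
#endif /* _WIN32 */
```

Each check returns 1 when the debugger artifact is seen, 0 when clean and -1 when it could not run; a dispatcher like XAD_ExecuteDetect would walk such checks according to the FLAG_* mask. Run the program once from a console and once under a debugger (with and without an anti-anti-debug plugin) to see which checks each setup defeats.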
Kanxue ID: tian_chen
https://bbs.kanxue.com/user-home-941362.htm
Originally published by the WeChat public account 看雪学苑 (Kanxue): XAntiDebug's detection logic and basic anti-debugging