2

为什么这段代码能让我检测到调试器?

上面的链接告诉了我使用预取队列进行反调试的方法,然后我尝试使用下面的代码进行测试,但失败了。谁能帮我指出我的代码是否错误。我的 CPU 是 Intel(R) Core(TM) i7-2630QM 2.00GHz。非常感谢

ML : D:\Programs\masm32\Bin\ML.EXE /c /coff /Cp /nologo /I"D:\Programs\masm32\Include" "AntiDebug.asm"

链接:D:\Programs\masm32\Bin\LINK.EXE /SECTION:.text,RWE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"D:\Programs\masm32\Lib" /OUT:"AntiDebug. exe" "反调试.obj"

无论我是否在调试,它总是执行调试标签,并且永远不会执行'jmp normal'。

.386
.model flat, stdcall  ;32 bit memory model
option casemap :none  ;case sensitive

include windows.inc
include kernel32.inc
include user32.inc

includelib kernel32.lib
includelib user32.lib

.data
szDebug     db  'Hey, you are debugging!!!',0
szError     db  'Error',0
szNormal    db  'You are running it without debugging',0
szPrompt    db  'Prompt',0

.code
start:
    call IsDebug
debug:
    invoke MessageBox, NULL, addr szDebug, addr szError, MB_OK
    invoke ExitProcess, -1
normal:
    invoke MessageBox, NULL, addr szNormal, addr szPrompt, MB_OK
    invoke ExitProcess, 0
IsDebug:
    mov al, 0c3h
    mov edi, offset IsDebug
    mov cx, 20h
    rep stosb
    jmp normal
end start
4

1 回答 1

0

我不知道你的 isdebug proc 在做什么。

这是我的代码,它在我的电脑上运行良好。

.386
.model flat, stdcall  ;32 bit memory model
option casemap :none  ;case sensitive

include c:\masm32\include\windows.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\user32.inc

includelib C:\masm32\lib\kernel32.lib
includelib C:\masm32\lib\user32.lib

.data
szDebug     db  'Hey, you are debugging!!!',0
szError     db  'Error',0
szNormal    db  'You are running it without debugging',0
szPrompt    db  'Prompt',0

.code
start:
    call IsDebug
debug:
    invoke MessageBox, NULL, addr szDebug, addr szError, MB_OK
    invoke ExitProcess, -1
normal:
    invoke MessageBox, NULL, addr szNormal, addr szPrompt, MB_OK
    invoke ExitProcess, 0
IsDebug:
    invoke IsDebuggerPresent
    test eax,eax
    je normal
    ret
end start
于 2015-08-25T11:25:42.090 回答