Why does this code enable me to detect a debugger?


Problem description

Why is the following assembly code an anti-debugging tool?

l1:
call l3                 ; push the return address (l2) and jump to l3
l2:
;some code              ; reached only if l3 ever executes a RET
l3:
mov al, 0c3h            ; 0C3h is the opcode of RET
mov edi, offset l3      ; destination: the first byte of l3 itself
or ecx, -1              ; ecx = 0FFFFFFFFh, the largest possible count
rep stosb               ; fill l3 (and everything after it) with RET bytes

I know that C3h is RETN, and I know that stosb writes the value in al as an opcode at the offset in edi, and that it is done ecx times because of rep.

I am also aware of the fact that stosb and stosw will run in their original form if they were pre-fetched on the Intel architecture.

If we run the program in debugged mode, the pre-fetch is irrelevant and the l2 label will run (because it is single-step); otherwise, if there is no debugger, it will ping-pong between l1 and l3. Am I right?

Recommended answer

When the program is debugged (i.e. single-stepped), the prefetch queue is flushed at each step (when the interrupt occurs). However, when executed normally, that will not happen to rep stosb. Older processors didn't flush it even when there was a memory write to the cached area, in order to support self-modifying code that was changed, except for rep movs and rep stosb. (IIRC it was eventually fixed in i7 processors.)

That's why, if there is a debugger (single step), the code will execute correctly, and when rep stosb is replaced by ret, l2 will be executed. When there is no debugger, rep stosb will continue; since ecx is the biggest possible value, it will eventually write somewhere it is not supposed to write and an exception will occur.

This anti-debugging technique is described in this article.
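The divergence the answer describes can be followed step by step with a small byte-level model of the l3 block. This is an added example, not code from the question or the answer; the memory size, the address of l3 and the instruction encodings are assumptions chosen for the model, and "single step" stands for the debugger trap that flushes the prefetch queue after every iteration.

```python
# Added toy model of the l3 block (not the page's code). Assumptions: a 0x200-byte
# "mapped" region, l3 at 0x100, and standard x86-32 encodings for the four instructions.
MEM_SIZE = 0x200          # writes at or beyond this address fault (assumed)
L3 = 0x100                # assumed address of label l3
REP_STOSB = L3 + 10       # rep stosb follows the 2 + 5 + 3 byte instructions before it

def build_memory():
    """Assemble the l3 block into a bytearray (assumed encodings)."""
    code = bytes([0xB0, 0xC3])                        # mov al, 0c3h
    code += bytes([0xBF]) + L3.to_bytes(4, "little")  # mov edi, offset l3
    code += bytes([0x83, 0xC9, 0xFF])                 # or ecx, -1
    code += bytes([0xF3, 0xAA])                       # rep stosb
    mem = bytearray(MEM_SIZE)
    mem[L3:L3 + len(code)] = code
    return mem

def decode(mem, pc):
    """What the CPU sees if it (re)fetches the instruction at pc from memory."""
    if mem[pc] == 0xC3:
        return "ret"
    if mem[pc:pc + 2] == b"\xF3\xAA":
        return "rep stosb"
    return "other"

def run(single_step):
    """Execute from rep stosb onward; returns (outcome, number of bytes stored)."""
    mem = build_memory()
    al, edi, ecx = 0xC3, L3, 0xFFFFFFFF   # state after mov al / mov edi / or ecx
    stored = 0
    insn = decode(mem, REP_STOSB)         # fetched once into the prefetch queue
    while ecx:
        if single_step:
            # Debugger trap flushes the queue: the instruction is re-fetched from
            # memory, so the 0xC3 written over it is noticed.
            insn = decode(mem, REP_STOSB)
        if insn == "ret":
            return ("ret executed, control returns to l2", stored)
        if edi >= MEM_SIZE:
            return ("fault: stosb wrote past mapped memory", stored)
        mem[edi] = al                     # one stosb iteration: store al, advance edi
        edi += 1
        ecx -= 1
        stored += 1
    return ("rep finished", stored)
```

Without single-stepping the stale rep stosb keeps running until the store hits unmapped memory; with single-stepping it becomes ret as soon as its own first byte has been overwritten, after 11 stores.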

