第09章:反调试与防篡改
9.1 反调试技术
9.1.1 反调试概述
反调试技术用于检测和防止调试器附加到应用程序,保护代码不被动态分析。
9.1.2 检测方法
-
检测调试器附加
if (System.Diagnostics.Debugger.IsAttached) {Environment.Exit(1); } -
检测调试端口
- NtQueryInformationProcess
- CheckRemoteDebuggerPresent
-
时间检测
- 检测执行时间异常
- 识别单步执行
9.1.3 配置反调试
Settings → Protection → Anti-Debug☑ Enable Anti-Debug ProtectionMethods:
☑ Detect Debugger Attach
☑ Detect Debug Port
☑ Detect Time Manipulation
☑ Detect Memory ScannersActions:
● Exit Application
○ Display Warning
○ Corrupt Data
○ Custom Handler
9.2 防篡改技术
9.2.1 完整性检查
程序集哈希验证:
☑ Enable Integrity CheckCheck Timing:
☑ On Startup
☑ During Execution
☑ Before Critical OperationsHash Algorithm:
● SHA256
○ SHA512
○ Custom
9.2.2 自校验代码
.NET Reactor 自动注入:
// 自动注入的完整性检查
private static bool VerifyIntegrity()
{byte[] expected = { /* 预计算的哈希 */ };byte[] actual = ComputeAssemblyHash();return CompareHashes(expected, actual);
}
9.2.3 防修改
Settings → Protection → Anti-Tampering☑ Enable Anti-TamperingProtection Levels:
○ Basic (基础检查)
● Standard (标准检查)
○ Strong (强检查)Options:
☑ Protect Code Sections
☑ Protect Resources
☑ Protect Metadata
☑ Continuous Monitoring
9.3 反转储保护
9.3.1 内存保护
防止内存转储:
☑ Anti-Dump ProtectionMethods:
☑ Protect Memory Pages
☑ Encrypt in Memory
☑ Clear After Use
☑ Detect Memory Scanners
9.3.2 防止进程监控
检测:
- Process Explorer
- Process Monitor
- WinDbg
- OllyDbg
- x64dbg
9.4 虚拟机检测
9.4.1 检测虚拟化环境
Settings → Protection → VM Detection☑ Detect Virtual MachinesDetect:
☑ VMware
☑ VirtualBox
☑ Hyper-V
☑ Parallels
☑ QEMUAction:
○ Allow
● Warn
○ Deny
9.4.2 沙箱检测
☑ Detect SandboxesDetect:
☑ Cuckoo Sandbox
☑ Anubis
☑ Joe Sandbox
☑ ThreatAnalyzer
9.5 代码注入防护
9.5.1 DLL注入检测
// 检测未授权的 DLL
private static bool DetectInjectedDLLs()
{var modules = Process.GetCurrentProcess().Modules;foreach (ProcessModule module in modules){if (!IsAuthorizedModule(module.FileName)){return true; // 检测到注入}}return false;
}
9.5.2 代码钩子检测
检测技术:
- IAT Hook 检测
- Inline Hook 检测
- SSDT Hook 检测
9.6 实战示例
综合保护实现:
public class SecurityManager
{public static bool Initialize(){// 1. 检测调试器if (AntiDebug.IsDebuggerPresent()){HandleSecurityViolation("Debugger detected");return false;}// 2. 验证完整性if (!IntegrityChecker.Verify()){HandleSecurityViolation("Tampering detected");return false;}// 3. 检测虚拟机if (VMDetector.IsVirtualMachine()){// 可以选择继续或退出LogWarning("Running in VM");}// 4. 检测注入if (InjectionDetector.HasInjectedCode()){HandleSecurityViolation("Code injection detected");return false;}return true;}private static void HandleSecurityViolation(string reason){// 记录日志Logger.Security($"Security violation: {reason}");// 清理敏感数据SecureDataManager.Clear();// 退出程序Environment.Exit(1);}
}
9.7 性能影响
检测频率配置:
Continuous Monitoring:
Check Interval: [5000] msPerformance Mode:
○ High Security (频繁检查)
● Balanced (平衡)
○ Low Overhead (最小开销)
9.8 本章小结
本章介绍了反调试和防篡改技术,这些是保护应用程序运行时安全的重要手段。通过合理配置这些保护机制,可以有效防止动态分析和恶意修改。