Code:
0:000> dt nt!_peb
ntdll!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
Zipa, this can change the program's behaviour if we try to run it through a debugger =)
Yes, yes =) BeingDebugged caught my eye too =) it is one byte in size, and here is what it says ->>>
If the process is in a debugger it is 1, and if it is not then 0 =)
So something like this:
Code:
...
mov eax, FS:[30h]          ; FS:[30h] -> PEB of the current process (32-bit)
xor ebx, ebx               ; ebx = 0
mov bl, byte ptr [eax+2]   ; PEB+0x002 = BeingDebugged (UChar)
or ebx, ebx                ; ZF = 1 only if the flag is 0
jnz exit                   ; flag set -> debugger present, leave
...
And here is some example code at
http://nonenone.cjb.net/progz/tebpebdbg.zip
Drawbacks: the process can be disassembled just fine, but breakpoints cannot be followed normally unless you modify EIP or the Z flag in the debugger (right before it reaches the jnz) =)
A little amusement before bed =)
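As an added example (not from the thread or the linked zip), here is a small Python scanner that looks for the byte pattern of the check above in a raw code blob, the kind of signature an analyst would use to flag a sample for this PEB.BeingDebugged trick. The encodings are 32-bit x86; the sample blobs are hand-assembled for the example and the `window` size is an assumption.

```python
import re
from typing import List, Tuple

# 32-bit x86 encodings of "mov r32, fs:[30h]" (loading the PEB pointer):
#   64 A1 30 00 00 00       mov eax, fs:[30h]   (short moffs32 form, as in the post)
#   64 8B /r 30 00 00 00    mov r32, fs:[30h]   (modrm form, any general register)
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x30\x00\x00\x00")

# Reads of the byte at +2 (BeingDebugged) relative to the register just loaded:
#   8A /r 02        mov r8, byte ptr [r32+2]     e.g. 8A 58 02 = mov bl, [eax+2]
#   0F B6 /r 02     movzx r32, byte ptr [r32+2]
#   80 /7 02 00     cmp byte ptr [r32+2], 0
BEING_DEBUGGED_READ = re.compile(
    rb"(?:\x8a[\x40-\x7f]\x02|\x0f\xb6[\x40-\x7f]\x02|\x80[\x78-\x7f]\x02\x00)")


def find_being_debugged_checks(code: bytes, window: int = 12) -> List[Tuple[int, int]]:
    """Return (peb_load_offset, flag_read_offset) pairs: a PEB load followed
    within `window` bytes by a read of PEB+2. The window (assumed) keeps
    ordinary PEB users (e.g. Ldr walks at +0x0C) from being flagged."""
    hits = []
    for m in PEB_READ.finditer(code):
        n = BEING_DEBUGGED_READ.search(code, m.end(), m.end() + window)
        if n:
            hits.append((m.start(), n.start()))
    return hits


# Constructed sample: the snippet from the post, assembled by hand.
ANTI_DEBUG = bytes.fromhex(
    "64a130000000"  # mov eax, fs:[30h]
    "31db"          # xor ebx, ebx
    "8a5802"        # mov bl, byte ptr [eax+2]
    "09db"          # or ebx, ebx
    "7505"          # jnz exit (rel8 = +5)
)

# Constructed benign sample: same PEB load, but it follows PEB->Ldr (+0x0C),
# which is what normal module enumeration does, not an anti-debug check.
LDR_WALK = bytes.fromhex(
    "64a130000000"  # mov eax, fs:[30h]
    "8b400c"        # mov eax, [eax+0Ch]   (Ldr)
    "8b400c"        # mov eax, [eax+0Ch]   (InLoadOrderModuleList.Flink)
)

if __name__ == "__main__":
    for name, blob in (("anti-debug", ANTI_DEBUG), ("ldr-walk", LDR_WALK)):
        print(name, find_being_debugged_checks(blob))
```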