|
在CheckRemoteDebuggerPresent的内部,调用NtQueryInformationProcess函数:
- 0:000> uf kernelbase!CheckRemotedebuggerPresent
- KERNELBASE!CheckRemoteDebuggerPresent:
- ...
- 75207a24 6a00 push 0
- 75207a26 6a04 push 4
- 75207a28 8d45fc lea eax,[ebp-4]
- 75207a2b 50 push eax
- 75207a2c 6a07 push 7
- 75207a2e ff7508 push dword ptr [ebp+8]
- 75207a31 ff151c602775 call dword ptr [KERNELBASE!_imp__NtQueryInformationProcess (7527601c)]
- 75207a37 85c0 test eax,eax
- 75207a39 0f88607e0100 js KERNELBASE!CheckRemoteDebuggerPresent+0x2b (7521f89f)
- ...
如果我们来看看NtQueryInformationProcess文档,那么这个Assembler列表将向我们展示CheckRemoteDebuggerPresent函数获取DebugPort值,因为ProcessInformationClass参数值(第二个)为7,以下反调试代码就是基于调用NtQueryInformationProcess:
- typedef NTSTATUS(NTAPI *pfnNtQueryInformationProcess)(
- _In_ HANDLE ProcessHandle,
- _In_ UINT ProcessInformationClass,
- _Out_ PVOID ProcessInformation,
- _In_ ULONG ProcessInformationLength,
- _Out_opt_ PULONG ReturnLength
- );
- const UINT ProcessDebugPort = 7;
- int main(int argc, char *argv[])
- {
- pfnNtQueryInformationProcess NtQueryInformationProcess = NULL;
- NTSTATUS status;
- DWORD isDebuggerPresent = 0;
- HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
-
- if (NULL != hNtDll)
- {
- NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(hNtDll, "NtQueryInformationProcess");
- if (NULL != NtQueryInformationProcess)
- {
- status = NtQueryInformationProcess(
- GetCurrentProcess(),
- ProcessDebugPort,
- &isDebuggerPresent,
- sizeof(DWORD),
- NULL);
- if (status == 0x00000000 && isDebuggerPresent != 0)
- {
- std::cout << "Stop debugging program!" << std::endl;
- exit(-1);
- }
- }
- }
- return 0;
- }
如何避开CheckRemoteDebuggerPresent和NtQueryInformationProcess (编辑:威海站长网)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
