基于 NtQueryInformationProcess API
探测进程的调试端口 (ProcessDebugPort)、调试对象句柄 (ProcessDebugObjectHandle) 和调试标志 (ProcessDebugFlags)，以实现反调试。
三个查询的语义并不相同：有调试器时 ProcessDebugPort 返回非 0（指针大小的 -1），ProcessDebugObjectHandle 返回一个非空句柄（无调试器时调用以 STATUS_PORT_NOT_SET 失败），而 ProcessDebugFlags 恰好相反——被调试时返回 0，正常时返回 1。
破解方法：调用次数少时，可在调试器中把传入的信息类直接改为 0（ProcessBasicInformation）。此时缓冲区长度与该类不符，调用以 STATUS_INFO_LENGTH_MISMATCH 失败且不写出任何数据；本例代码又不检查返回的 NTSTATUS，输出变量保持初始值，于是被判定为"未调试"。
大量使用时，勾取（hook）NtQueryInformationProcess，
根据传入的信息类分别伪造输出值（端口 0；句柄 NULL 并返回 STATUS_PORT_NOT_SET；标志 1）以及对应的 NTSTATUS，绕开检测。
#include "windows.h"
#include "tchar.h"
#include <conio.h>
#include <stdio.h>
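// Subset of the native PROCESSINFOCLASS enumeration (second argument of
// NtQueryInformationProcess), declared locally so that winternl.h, which
// defines its own PROCESSINFOCLASS, does not have to be included.
// Every enumerator carries its explicit value so the two out-of-sequence
// entries below cannot silently shift the numbering of the others.
// Only ProcessDebugPort, ProcessDebugObjectHandle and ProcessDebugFlags are
// queried by this file.
enum PROCESSINFOCLASS
{
    ProcessBasicInformation = 0,
    ProcessQuotaLimits = 1,
    ProcessIoCounters = 2,
    ProcessVmCounters = 3,
    ProcessTimes = 4,
    ProcessBasePriority = 5,
    ProcessRaisePriority = 6,
    ProcessDebugPort = 7,                 // 0x07: ULONG_PTR, non-zero while a debugger is attached
    ProcessExceptionPort = 8,
    ProcessAccessToken = 9,
    ProcessLdtInformation = 10,
    ProcessLdtSize = 11,
    ProcessDefaultHardErrorMode = 12,
    ProcessIoPortHandlers = 13,
    ProcessPooledUsageAndLimits = 14,
    ProcessWorkingSetWatch = 15,
    ProcessUserModeIOPL = 16,
    ProcessEnableAlignmentFaultFixup = 17,
    ProcessPriorityClass = 18,
    ProcessWx86Information = 19,
    ProcessHandleCount = 20,
    ProcessAffinityMask = 21,
    ProcessPriorityBoost = 22,
    // Kept for compatibility with the original listing. In the real header
    // MaxProcessInfoClass is the last enumerator; here it merely holds 23 and
    // does not mark the end of the enumeration (classes 26..31 follow).
    MaxProcessInfoClass = 23,
    ProcessWow64Information = 26,         // 0x1A
    ProcessImageFileName = 27,            // 0x1B
    ProcessDebugObjectHandle = 30,        // 0x1E: HANDLE; STATUS_PORT_NOT_SET when no debug object exists
    ProcessDebugFlags = 31,               // 0x1F: ULONG; 0 while debugged, 1 otherwise (inverted)
    // NOTE(review): 35 is SystemKernelDebuggerInformation of
    // SYSTEM_INFORMATION_CLASS, i.e. an NtQuerySystemInformation class, not a
    // PROCESSINFOCLASS value. Passing it to NtQueryInformationProcess does not
    // query the kernel-debugger state. Kept only so existing references compile.
    SystemKernelDebuggerInformation = 35
};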
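// Probes the current process for an attached user-mode debugger through three
// NtQueryInformationProcess information classes and prints a verdict for each:
//   ProcessDebugPort         (0x07) - non-zero (the kernel reports -1) while debugged
//   ProcessDebugObjectHandle (0x1E) - non-NULL handle while debugged,
//                                     STATUS_PORT_NOT_SET otherwise
//   ProcessDebugFlags        (0x1F) - 0 while debugged, 1 otherwise (inverted)
//
// The name intentionally shadows the ntdll export it demonstrates; the export
// itself is reached through the function pointer resolved below.
//
// Changes against the original listing:
//  - the resolved function pointer is checked before it is called;
//  - the NTSTATUS of every query is checked, so a query that fails (undersized
//    buffer, hooked API, ...) is reported as "unknown" instead of being read
//    as "Not Debugging";
//  - ProcessDebugPort is read into a pointer-sized variable: the kernel writes
//    a ULONG_PTR, and a 4-byte buffer makes the query fail with
//    STATUS_INFO_LENGTH_MISMATCH on 64-bit builds;
//  - each result line prints its own value (the original printed dwDebugPort
//    three times).
//
// All three checks are one-shot and run inside the process being inspected,
// so a user-mode hook on NtQueryInformationProcess defeats them (see the file
// header). NTSTATUS (a LONG) is assumed to be in scope as in the original
// listing; winternl.h is not included because it defines its own
// PROCESSINFOCLASS, which would clash with the local enum.
void NtQueryInformationProcess()
{
    typedef NTSTATUS(WINAPI* NTQUERYINFORMATIONPROCESS)(
        HANDLE ProcessHandle,
        enum PROCESSINFOCLASS ProcessInformationClass,
        PVOID ProcessInformation,
        ULONG ProcessInformationLength,
        PULONG ReturnLength
        );

    // ntdll.dll is mapped into every Win32 process, so GetModuleHandle is
    // enough. The W variant is called explicitly so the wide literal does not
    // depend on whether the project defines UNICODE.
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    NTQUERYINFORMATIONPROCESS pNtQueryInformationProcess = NULL;
    if (hNtdll != NULL)
    {
        pNtQueryInformationProcess = (NTQUERYINFORMATIONPROCESS)
            GetProcAddress(hNtdll, "NtQueryInformationProcess");
    }
    if (pNtQueryInformationProcess == NULL)
    {
        // Calling through a NULL pointer would crash; report and bail out.
        printf("NtQueryInformationProcess could not be resolved (error %lu)\n",
               (unsigned long)GetLastError());
        return;
    }

    // NTSTATUS convention: negative values are failures (NT_SUCCESS is not
    // available without winternl.h). STATUS_PORT_NOT_SET is the failure
    // ProcessDebugObjectHandle returns when no debug object is attached.
    const NTSTATUS kStatusPortNotSet = (NTSTATUS)0xC0000353L;
    NTSTATUS status;

    // ---- ProcessDebugPort (0x7) -------------------------------------------
    // The kernel writes a ULONG_PTR here; DWORD_PTR keeps the buffer the right
    // size on both x86 and x64.
    DWORD_PTR debugPort = 0;
    status = pNtQueryInformationProcess(GetCurrentProcess(),
                                        ProcessDebugPort,
                                        &debugPort,
                                        sizeof(debugPort),
                                        NULL);
    printf("NtQueryInformationProcess(ProcessDebugPort) = %llX (status 0x%08lX)\n",
           (unsigned long long)debugPort, (unsigned long)status);
    if (status < 0)
    {
        printf("\nQuery failed - debugger state unknown\n");
    }
    else if (debugPort != 0)
    {
        printf("\nDebugging..!\n");
    }
    else
    {
        printf("\nNot Debugging\n");
    }

    // ---- ProcessDebugObjectHandle (0x1E) ----------------------------------
    HANDLE hDebugObject = NULL;
    status = pNtQueryInformationProcess(GetCurrentProcess(),
                                        ProcessDebugObjectHandle,
                                        &hDebugObject,
                                        sizeof(hDebugObject),
                                        NULL);
    printf("NtQueryInformationProcess(ProcessDebugObjectHandle) = %p (status 0x%08lX)\n",
           (void*)hDebugObject, (unsigned long)status);
    if (status >= 0 && hDebugObject != NULL)
    {
        printf("\nDebugging..!\n");
        // The query hands back an opened handle to the debug object; release
        // it rather than leaking it for the life of the process.
        CloseHandle(hDebugObject);
    }
    else if (status == kStatusPortNotSet || status >= 0)
    {
        // No debug object: either the documented STATUS_PORT_NOT_SET failure
        // or a successful query that returned a NULL handle.
        printf("\nNot Debugging\n");
    }
    else
    {
        printf("\nQuery failed - debugger state unknown\n");
    }

    // ---- ProcessDebugFlags (0x1F) -----------------------------------------
    // Semantics are inverted with respect to the other two classes: the kernel
    // writes 0 while the process is being debugged and 1 otherwise. The value
    // is only trusted when the query succeeded, so the initial value cannot
    // masquerade as a verdict.
    DWORD debugFlags = 0;
    status = pNtQueryInformationProcess(GetCurrentProcess(),
                                        ProcessDebugFlags,
                                        &debugFlags,
                                        sizeof(debugFlags),
                                        NULL);
    printf("NtQueryInformationProcess(ProcessDebugFlags) = %lX (status 0x%08lX)\n",
           (unsigned long)debugFlags, (unsigned long)status);
    if (status < 0)
    {
        printf("\nQuery failed - debugger state unknown\n");
    }
    else if (debugFlags == 0)
    {
        printf("\nDebugging..!\n");
    }
    else
    {
        printf("\nNot Debugging\n");
    }
}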
// Console entry point: runs the NtQueryInformationProcess probes, then waits
// for a key press so the verdict stays visible when the program is started
// from Explorer or under a debugger. Always returns 0.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;   // no command-line options are interpreted
    (void)argv;

    fputs("\nNtQueryInformationProcess \n---->反调试\n", stdout);
    NtQueryInformationProcess();
    fputs("\npress any key to quit..\n", stdout);

    _gettch();    // _getch / _getwch depending on the TCHAR mode; key discarded
    return 0;
}