#include <windows.h>BOOL EnableDebugPrivilege(BOOL bEnable){ BOOL fOK = FALSE; //Assume function fails HANDLE hToken; if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) { //Attempt to modify the "Debug" privilege TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1; LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0; AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); fOK = (GetLastError() == 0); CloseHandle(hToken); } return fOK;}int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd ){ LPSTR pFind = strstr(lpCmdLine, "pid="); if (0 == pFind) { // 创建子进程,并以父进程的PID为命令行参数,让子进程尝试attach 父进程 char path[MAX_PATH], format[MAX_PATH]; GetModuleFileNameA(NULL, path, sizeof(path)); wsprintfA(format, "pid=%d", GetCurrentProcessId()); ShellExecuteA(NULL, "open", path, format, NULL, 0); // 只是起不让父进程退出的作用 MessageBoxA(NULL, "just keep process running", NULL, 0); } else { // 子进程 // attach 需要调试权限 EnableDebugPrivilege(TRUE); pFind += 4; long pid = atol(pFind); if(!DebugActiveProcess(pid)) { // 可能被调试了 DWORD err = GetLastError(); char error[MAX_PATH]; wsprintfA(error, "attach failed with error code:0x%0x\n", GetLastError()); MessageBoxA(NULL, error, NULL, 0); } else { // 没有被调试 DebugActiveProcessStop(pid); MessageBoxA(NULL, "process is not debugged!", NULL, 0); } }}
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
