
[分享]VC反调试应用实例之--NativeAPI的使用

2013-10-1 21:40
#include <windows.h> 
#include <iostream.h>

// Calling convention of every ntdll export used below (same value <winnt.h> uses).
#define NTAPI __stdcall

// NTSTATUS is a signed 32-bit code: the sign bit distinguishes failure from success.
typedef long NTSTATUS;

// Idiomatic NTSTATUS test: any code with the sign bit clear (including
// informational/warning codes) counts as success, not only STATUS_SUCCESS.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

// The exact "no error, no warning" status.
#define STATUS_SUCCESS ((NTSTATUS)0L)


// Output buffer of ZwQuerySystemInformation(SystemKernelDebuggerInformation).
// Mirrors the (undocumented) kernel structure of the same name: two BOOLEANs.
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION

{

 BOOLEAN DebuggerEnabled;    // a kernel debugger is enabled for this boot

 BOOLEAN DebuggerNotPresent; // TRUE when no kernel debugger is currently attached

} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

 

// Output buffer of ZwQueryInformationProcess(ProcessDebugPort).
// HANDLE keeps the field pointer-sized, matching what the kernel writes
// (the documented type is DWORD_PTR); non-zero means a user-mode debugger
// is attached to the process.
typedef struct _PROCESS_DEBUG_PORT_INFO

{

 HANDLE DebugPort;

} PROCESS_DEBUG_PORT_INFO;

 

// Information-class values for the three ntdll calls. Each enum declares only
// the single member this program needs; the numbers are the NT-internal ones.
enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };  // 0x23

enum THREAD_INFO_CLASS { ThreadHideFromDebugger = 17 };                  // 0x11

enum PROCESS_INFO_CLASS { ProcessDebugPort = 7 };                        // 0x07


// Function-pointer types for the three ntdll exports. They are resolved with
// GetProcAddress at run time (see main) instead of being linked directly, so
// the signatures only need to match the exports, not an import library.
// ReturnLength is optional for the two query calls (the code passes NULL).
typedef NTSTATUS (NTAPI *ZW_QUERY_SYSTEM_INFORMATION)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength);

// ThreadHideFromDebugger carries no payload: callers pass NULL and length 0.
typedef NTSTATUS (NTAPI *ZW_SET_INFORMATION_THREAD)(IN HANDLE ThreadHandle, IN THREAD_INFO_CLASS ThreadInformationClass, IN PVOID ThreadInformation, IN ULONG ThreadInformationLength);

typedef NTSTATUS (NTAPI *ZW_QUERY_INFORMATION_PROCESS)(IN HANDLE ProcessHandle, IN PROCESS_INFO_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength);

 

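// Step 1 of 3: query SystemKernelDebuggerInformation and print whether a
// kernel debugger is enabled for this boot and whether one is attached.
// Returns false only when the ntdll export cannot be resolved; a failed
// query is reported on stdout and still returns true so later steps run.
static bool ReportKernelDebugger(HMODULE hNtdll)
{
    ZW_QUERY_SYSTEM_INFORMATION pfnQuerySystemInformation =
        (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
    if (pfnQuerySystemInformation == NULL)
    {
        cout << "Failed: GetProcAddress ZwQuerySystemInformation" << endl;
        return false;
    }

    // Zero-filled so the two BOOLEANs are never read uninitialised, whatever
    // the call leaves behind on an error path.
    SYSTEM_KERNEL_DEBUGGER_INFORMATION info = { 0 };
    NTSTATUS status = pfnQuerySystemInformation(SystemKernelDebuggerInformation,
                                                &info, sizeof(info), NULL);
    // NT_SUCCESS (defined above, previously unused) is the idiomatic NTSTATUS
    // test: sign bit clear means success, not only the exact STATUS_SUCCESS.
    if (!NT_SUCCESS(status))
    {
        cout << "Failed: ZwQuerySystemInformation" << endl;
        return true;
    }

    if (!info.DebuggerEnabled)
    {
        cout << "System debugger disabled" << endl;
        return true;
    }
    cout << "System debugger enabled" << endl;
    if (info.DebuggerNotPresent)
        cout << "System debugger not present" << endl;
    else
        cout << "System debugger present" << endl;
    return true;
}

// Step 2 of 3: mark the calling thread ThreadHideFromDebugger so the kernel
// stops delivering this thread's debug events to an attached debugger.
// Returns false only when the ntdll export cannot be resolved.
// NOTE(review): the only feedback is the NTSTATUS and nothing reads the flag
// back, so a debugger that intercepts ZwSetInformationThread and returns
// success is indistinguishable from the real call. Once the flag is in
// effect, an exception (e.g. a breakpoint) on this thread is handled by the
// process itself rather than the debugger, which is typically fatal if the
// breakpoint was planted by a debugger.
static bool HideCurrentThreadFromDebugger(HMODULE hNtdll)
{
    ZW_SET_INFORMATION_THREAD pfnSetInformationThread =
        (ZW_SET_INFORMATION_THREAD)GetProcAddress(hNtdll, "ZwSetInformationThread");
    if (pfnSetInformationThread == NULL)
    {
        cout << "Failed: GetProcAddress ZwSetInformationThread" << endl;
        return false;
    }

    // This information class takes no payload: NULL buffer, zero length.
    // GetCurrentThread() is a pseudo-handle, which the call accepts.
    NTSTATUS status = pfnSetInformationThread(GetCurrentThread( ), ThreadHideFromDebugger, NULL, 0);
    if (!NT_SUCCESS(status))
        cout << "Failed: ZwSetInformationThread" << endl;
    return true;
}

// Step 3 of 3: query ProcessDebugPort for the current process; the kernel
// writes a non-zero value when a user-mode debugger is attached.
// Returns false only when the ntdll export cannot be resolved; a failed
// query is reported on stdout and still returns true.
static bool ReportProcessDebugPort(HMODULE hNtdll)
{
    ZW_QUERY_INFORMATION_PROCESS pfnQueryInformationProcess =
        (ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
    if (pfnQueryInformationProcess == NULL)
    {
        // Message previously spelled "ZwQueryInformationprocess"; fixed to match the export.
        cout << "Failed: GetProcAddress ZwQueryInformationProcess" << endl;
        return false;
    }

    PROCESS_DEBUG_PORT_INFO portInfo = { 0 };
    NTSTATUS status = pfnQueryInformationProcess(GetCurrentProcess( ), ProcessDebugPort,
                                                 &portInfo, sizeof(portInfo), NULL);
    if (!NT_SUCCESS(status))
    {
        cout << "Failed: ZwQueryInformationProcess" << endl;
        return true;
    }
    if (portInfo.DebugPort)
        cout << "Process debugger present" << endl;
    else
        cout << "Process debugger not present" << endl;
    return true;
}

// Demonstrates three Native API anti-debugging primitives, in this order:
//   1. SystemKernelDebuggerInformation (kernel debugger enabled / attached)
//   2. ThreadHideFromDebugger on the current thread
//   3. ProcessDebugPort (user-mode debugger attached to this process)
// Each export is looked up in the already-loaded ntdll.dll at run time.
// Returns 0 when every export resolved (individual query failures are only
// printed), 1 when ntdll or one of its exports could not be found. Declared
// int rather than the non-standard void main so the exit status is defined.
int main( )
{
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL)
    {
        cout << "Failed: GetModuleHandle" << endl;
        cout << "This prog needs WinNT/2K/XP to run." << endl;
        return 1;
    }

    if (!ReportKernelDebugger(hNtdll))
        return 1;
    // Hiding the thread happens before the ProcessDebugPort query, as in the
    // original ordering; the query itself is unaffected by the hidden flag.
    if (!HideCurrentThreadFromDebugger(hNtdll))
        return 1;
    if (!ReportProcessDebugPort(hNtdll))
        return 1;
    return 0;
}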


fatecaster 1 2013-10-2 09:22
百度了一下,百度文库上面是2001年。。好久远。不过还是感谢分享,学习了。
这3个函数,好像vmp有用到,vmp对ntdll好像就搜出了这3个,不过反调试的代码还没看到,vmp太难读了。