#include <windows.h>
#include <iostream.h>
#include <conio.h>
#include <stdio.h>
// Minimal native-API glue so the program can call ZwSetInformationThread
// without the DDK headers: calling convention, NTSTATUS type/macros and the
// one information class this program uses.
#define NTAPI __stdcall
typedef long NTSTATUS;
// Native calls signal success with a non-negative NTSTATUS; NT_SUCCESS is the
// usual way to test that. (main() below compares against STATUS_SUCCESS
// directly instead, which misreports informational/warning statuses >= 0.)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0L)
// Debug-port information block. Declared here but not referenced anywhere in
// this file; kept for completeness of the snippet.
typedef struct _PROCESS_DEBUG_PORT_INFO
{
HANDLE DebugPort;
} PROCESS_DEBUG_PORT_INFO;
// ThreadHideFromDebugger (0x11) asks the kernel to stop delivering debug
// events for the target thread. It is a widely documented anti-debugging
// technique, and analysts and endpoint tooling commonly treat a call with
// this class as an indicator worth flagging.
enum THREAD_INFO_CLASS { ThreadHideFromDebugger = 17 };
// Prototype of the undocumented export; IN is an empty annotation macro
// supplied by the Windows headers. Resolved at run time from ntdll.dll.
typedef NTSTATUS (NTAPI *ZW_SET_INFORMATION_THREAD)(IN HANDLE ThreadHandle, IN THREAD_INFO_CLASS ThreadInformationClass, IN PVOID ThreadInformation, IN ULONG ThreadInformationLength);
// Filled in by main() via GetProcAddress; NULL until then.
ZW_SET_INFORMATION_THREAD ZwSetInformationThread;
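/*
 * Entry point: resolves ZwSetInformationThread from ntdll.dll at run time and
 * sets ThreadHideFromDebugger on the calling thread.
 *
 * Returns 0 when the native call reports success, 1 on any failure.
 *
 * Fixes relative to the original:
 *  - int main(void): void main() is non-standard in C++.
 *  - The module handle is checked before GetProcAddress() is called.
 *  - A failed ZwSetInformationThread() no longer falls through and prints
 *    "OK" after "Failed".
 *  - The failure is reported with the NTSTATUS the call returned; the native
 *    API hands back its result in that return value rather than through
 *    SetLastError(), so the old GetLastError() print showed an unrelated
 *    value (and formatted a DWORD with %d).
 *  - Success is tested with NT_SUCCESS(), the macro the file already defines.
 */
int main(void)
{
    // Explicit ANSI variant: the generic GetModuleHandle() macro maps to the
    // wide version under UNICODE and then rejects the narrow literal.
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL)
    {
        printf("Failed: GetModuleHandle ntdll.dll (error %lu)\n", (unsigned long)GetLastError());
        return 1;
    }

    ZwSetInformationThread = (ZW_SET_INFORMATION_THREAD)GetProcAddress(ntdll, "ZwSetInformationThread");
    if (ZwSetInformationThread == NULL)
    {
        printf("Failed: GetProcAddress ZwSetInformationThread (error %lu)\n", (unsigned long)GetLastError());
        return 1;
    }

    // ThreadHideFromDebugger carries no information buffer, hence NULL / 0.
    NTSTATUS status = ZwSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0);
    if (!NT_SUCCESS(status))
    {
        printf("Failed: ZwSetInformationThread, NTSTATUS 0x%08lX\n", (unsigned long)status);
        return 1;
    }

    printf("OK\n");
    return 0;
}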
ZwSetInformationThread
用这个函数可以将某个线程的调试端口设为 0，使得 Win32 调试器无法再收到该线程的调试事件，从而使调试器无法再调试该线程。这主要是针对 VC++ 这样的 ring3 调试器的。
上面这段代码编译时没有错误，但是运行的时候用 OD 还是能附加，这是为什么呢？我是按照示例代码来编写的，为什么 OD 还是能调试呢？