26种对付反调试的方法(7)

发布时间：2019-03-21 12:55 所属栏目：20 来源：luochicun

导读：在CheckRemoteDebuggerPresent的内部，调用NtQueryInformationProcess函数： 0:000ufkernelbase!CheckRemotedebuggerPresent KERNELBASE!CheckRemoteDebuggerPresent: ... 75207a246a00push0 75207a266a04push4 752

在CheckRemoteDebuggerPresent的内部，调用NtQueryInformationProcess函数：

0:000> uf kernelbase!CheckRemotedebuggerPresent 
KERNELBASE!CheckRemoteDebuggerPresent: 
... 
75207a24 6a00            push    0 
75207a26 6a04            push    4 
75207a28 8d45fc          lea     eax,[ebp-4] 
75207a2b 50              push    eax 
75207a2c 6a07            push    7 
75207a2e ff7508          push    dword ptr [ebp+8] 
75207a31 ff151c602775    call    dword ptr [KERNELBASE!_imp__NtQueryInformationProcess (7527601c)] 
75207a37 85c0            test    eax,eax 
75207a39 0f88607e0100    js      KERNELBASE!CheckRemoteDebuggerPresent+0x2b (7521f89f) 
...

如果我们来看看NtQueryInformationProcess文档，那么这个Assembler列表将向我们展示CheckRemoteDebuggerPresent函数获取DebugPort值，因为ProcessInformationClass参数值（第二个）为7，以下反调试代码就是基于调用NtQueryInformationProcess：

typedef NTSTATUS(NTAPI *pfnNtQueryInformationProcess)( 
    _In_      HANDLE           ProcessHandle, 
    _In_      UINT             ProcessInformationClass, 
    _Out_     PVOID            ProcessInformation, 
    _In_      ULONG            ProcessInformationLength, 
    _Out_opt_ PULONG           ReturnLength 
    ); 
const UINT ProcessDebugPort = 7; 
int main(int argc, char *argv[]) 
{ 
    pfnNtQueryInformationProcess NtQueryInformationProcess = NULL; 
    NTSTATUS status; 
    DWORD isDebuggerPresent = 0; 
    HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll")); 
     
    if (NULL != hNtDll) 
    { 
        NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(hNtDll, "NtQueryInformationProcess"); 
        if (NULL != NtQueryInformationProcess) 
        { 
            status = NtQueryInformationProcess( 
                GetCurrentProcess(), 
                ProcessDebugPort, 
                &isDebuggerPresent, 
                sizeof(DWORD), 
                NULL); 
            if (status == 0x00000000 && isDebuggerPresent != 0) 
            { 
                std::cout << "Stop debugging program!" << std::endl; 
                exit(-1); 
            } 
        } 
    } 
    return 0; 
}

如何避开CheckRemoteDebuggerPresent和NtQueryInformationProcess

（编辑：ASP站长网）