還是這個論壇對原始碼格式處理得比較好
下面這幾個都是利用 WinNT 的 native API（由 ntdll.dll 匯出、未正式文件化，所以程式裡是用 GetProcAddress 在執行期取得位址）來檢查 debugger 的，所以不能執行在 Win9x/ME 上。
1、ZwQuerySystemInformation
用這個可以檢查系統（核心）偵錯程式是否存在：它回報的是 NT 核心本身的除錯設定——是否啟用了核心除錯、目前是否有核心偵錯程式連上。SoftICE 據了解不走 NT 的核心除錯器介面，所以對它基本上無用；對 WinDbg/KD 這類透過該介面工作的偵錯程式才有效，有條件的可測試一下。
2、ZwSetInformationThread
用這個函式（ThreadHideFromDebugger）可以把某個執行緒標記為對偵錯程式隱藏（嚴格說除錯埠是整個程序共用的，這裡改的是該執行緒本身的旗標），使得 Win32 偵錯程式無法再收到該執行緒的除錯事件，也就無法再除錯該執行緒。要注意：被隱藏之後該執行緒發生的例外（包括中斷點）也不會再交給偵錯程式，在偵錯程式下執行通常會直接讓程序終止；而且這個呼叫很容易在偵錯程式端被 hook 掉，只能當成一道障礙而不是保證。這個主要是針對 VC++ 這樣的 ring3 偵錯程式的。
3、ZwQueryInformationProcess
這個可以檢查某個程式是否正被 ring3 偵錯程式所除錯：查詢的是程序的 DebugPort，非 0 就表示有 user-mode 偵錯程式附著在這個程序上（Win32 API 的 CheckRemoteDebuggerPresent 內部做的也是同樣的查詢）。
測試程式:
#include <windows.h>
#include <iostream.h>
/*
 * Hand-written native-API declarations.
 *
 * The Zw* functions below are exported by ntdll.dll but are not declared
 * in the Win32 headers, so the status type, the information classes and
 * the function-pointer signatures are spelled out here and the functions
 * themselves are looked up at run time with GetProcAddress.
 */
#define NTAPI __stdcall
typedef long NTSTATUS;
/* NT convention: every non-negative NTSTATUS is a success code. */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0L)

/* Information-class ordinals, as passed to the Zw* calls below. */
enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };
enum THREAD_INFO_CLASS        { ThreadHideFromDebugger          = 17 };
enum PROCESS_INFO_CLASS       { ProcessDebugPort                = 7  };

/* Output buffer of ZwQuerySystemInformation(SystemKernelDebuggerInformation). */
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
{
    BOOLEAN DebuggerEnabled;    /* kernel reports debugging enabled */
    BOOLEAN DebuggerNotPresent; /* kernel reports no debugger attached */
} SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

/* Output buffer of ZwQueryInformationProcess(ProcessDebugPort);
 * a non-zero DebugPort means a user-mode debugger is attached. */
typedef struct _PROCESS_DEBUG_PORT_INFO
{
    HANDLE DebugPort;
} PROCESS_DEBUG_PORT_INFO;

/* ZwQuerySystemInformation(class, buffer, bufferLength, returnLength) */
typedef NTSTATUS (NTAPI *ZW_QUERY_SYSTEM_INFORMATION)(
    SYSTEM_INFORMATION_CLASS InfoClass,
    PVOID Buffer,
    ULONG BufferLength,
    PULONG BytesReturned);

/* ZwSetInformationThread(thread, class, buffer, bufferLength) */
typedef NTSTATUS (NTAPI *ZW_SET_INFORMATION_THREAD)(
    HANDLE Thread,
    THREAD_INFO_CLASS InfoClass,
    PVOID Buffer,
    ULONG BufferLength);

/* ZwQueryInformationProcess(process, class, buffer, bufferLength, returnLength) */
typedef NTSTATUS (NTAPI *ZW_QUERY_INFORMATION_PROCESS)(
    HANDLE Process,
    PROCESS_INFO_CLASS InfoClass,
    PVOID Buffer,
    ULONG BufferLength,
    PULONG BytesReturned);
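/*
 * Check 1: SystemKernelDebuggerInformation.
 * Asks the kernel whether kernel debugging is enabled and whether a kernel
 * debugger is currently attached. Only debuggers that use the NT
 * kernel-debugger interface (WinDbg/KD) show up here; the post notes that
 * SoftICE is not detected this way.
 * Returns false only when the export could not be resolved (caller aborts);
 * a failed query is reported and otherwise ignored, like the original.
 */
static bool check_kernel_debugger(HMODULE hNtdll)
{
    ZW_QUERY_SYSTEM_INFORMATION pfnQuery =
        (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
    if (pfnQuery == NULL)
    {
        cout << "Failed: GetProcAddress ZwQuerySystemInformation" << endl;
        return false;
    }

    SYSTEM_KERNEL_DEBUGGER_INFORMATION info = { 0, 0 };
    /* NT_SUCCESS() rather than "== STATUS_SUCCESS": any non-negative
     * NTSTATUS is a success, STATUS_SUCCESS is just the common one. */
    if (!NT_SUCCESS(pfnQuery(SystemKernelDebuggerInformation, &info, sizeof(info), NULL)))
    {
        cout << "Failed: ZwQuerySystemInformation" << endl;
        return true;
    }

    if (!info.DebuggerEnabled)
    {
        cout << "System debugger disabled" << endl;
        return true;
    }
    cout << "System debugger enabled" << endl;
    if (info.DebuggerNotPresent)
        cout << "System debugger not present" << endl;
    else
        cout << "System debugger present" << endl;
    return true;
}

/*
 * Check 2: ThreadHideFromDebugger on the calling thread.
 * After this call a ring-3 debugger attached to the process stops receiving
 * debug events for this thread. Practitioner caveat: exceptions raised in a
 * hidden thread, breakpoints included, are no longer routed to the debugger,
 * so under a debugger the process is typically just terminated. The call is
 * also easily hooked on the debugger side, so treat it as an obstacle, not a
 * guarantee.
 * Returns false only when the export could not be resolved (caller aborts);
 * a failed call is reported and execution continues, like the original.
 */
static bool hide_thread_from_debugger(HMODULE hNtdll)
{
    ZW_SET_INFORMATION_THREAD pfnSet =
        (ZW_SET_INFORMATION_THREAD)GetProcAddress(hNtdll, "ZwSetInformationThread");
    if (pfnSet == NULL)
    {
        cout << "Failed: GetProcAddress ZwSetInformationThread" << endl;
        return false;
    }

    /* This information class carries no input buffer, hence NULL / 0. */
    if (!NT_SUCCESS(pfnSet(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0)))
        cout << "Failed: ZwSetInformationThread" << endl;
    return true;
}

/*
 * Check 3: ProcessDebugPort on the current process.
 * A non-zero DebugPort means a user-mode debugger is attached to this
 * process. Note this is a process-wide flag: hiding one thread (check 2)
 * does not clear it.
 * Returns false only when the export could not be resolved (caller aborts);
 * a failed query is reported and otherwise ignored, like the original.
 */
static bool check_process_debug_port(HMODULE hNtdll)
{
    ZW_QUERY_INFORMATION_PROCESS pfnQuery =
        (ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
    if (pfnQuery == NULL)
    {
        /* Message fixed: the original misspelled the export name here. */
        cout << "Failed: GetProcAddress ZwQueryInformationProcess" << endl;
        return false;
    }

    PROCESS_DEBUG_PORT_INFO info = { NULL };
    if (!NT_SUCCESS(pfnQuery(GetCurrentProcess(), ProcessDebugPort, &info, sizeof(info), NULL)))
    {
        cout << "Failed: ZwQueryInformationProcess" << endl;
        return true;
    }

    if (info.DebugPort)
        cout << "Process debugger present" << endl;
    else
        cout << "Process debugger not present" << endl;
    return true;
}

/*
 * Entry point: runs the three native-API debugger checks in order and prints
 * what each one reports.
 * Returns 0 on success and 1 when ntdll.dll or one of its exports cannot be
 * resolved (e.g. on Win9x/ME, which has no ntdll native API).
 * Changed from "void main" -- C++ requires main to return int.
 */
int main()
{
    /* GetModuleHandleA: the name is a narrow literal, so this also builds
     * when UNICODE is defined. ntdll.dll is mapped into every NT process. */
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL)
    {
        cout << "Failed: GetModuleHandle" << endl;
        cout << "This prog needs WinNT/2K/XP to run." << endl;
        return 1;
    }

    /* Same order as the original: query, hide this thread, then query again. */
    if (!check_kernel_debugger(hNtdll))
        return 1;
    if (!hide_thread_from_debugger(hNtdll))
        return 1;
    if (!check_process_debug_port(hNtdll))
        return 1;
    return 0;
}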