I am writing a simple C++ project in Microsoft Visual Studio 2022 that uses NtQueryInformationProcess to check whether the process is being debugged, but it does not work.
Here is my code:
#include "Header.h"
#include <iostream>
#include <Windows.h>
#include <winternl.h>   // must come after Windows.h

// Method using the BeingDebugged flag in the PEB (x86 inline asm: TEB at fs:[18h],
// PEB at TEB+30h, BeingDebugged byte at PEB+2). This worked and returned a = 1.
int PEB_Flag() {
    int a;
    __asm {
        mov eax, dword ptr fs:[18h]
        mov eax, dword ptr ds:[eax + 30h]
        movzx eax, byte ptr ds:[eax + 2h]
        mov [a], eax
    }
    return a;
}

// Note: winternl.h already declares PROCESSINFOCLASS with these members;
// drop this block if the compiler reports a redefinition.
typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation = 0,
    ProcessDebugPort = 7,
    ProcessWow64Information = 26,
    ProcessImageFileName = 27,
    ProcessBreakOnTermination = 29
} PROCESSINFOCLASS;

typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength
);

int main() {
    int a = 0; // value printed below (assumed not already declared in Header.h)
    HANDLE ProcessHandler = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
    HMODULE hNtdll = LoadLibraryA("ntdll.dll");
    //HINSTANCE hNtDll = GetModuleHandleW(L"ntdll.dll");
    std::cout << "hNtdll: " << std::hex << hNtdll << std::endl;
    auto pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(
        hNtdll, "NtQueryInformationProcess");
    DWORD dwProcessDebugPort, dwReturned;
    NTSTATUS status = pfnNtQueryInformationProcess(
        //GetCurrentProcess(),
        ProcessHandler,
        ProcessDebugPort,
        &dwProcessDebugPort,
        sizeof(DWORD),
        &dwReturned);
    a = int(status); // stores the NTSTATUS return code, not dwProcessDebugPort
    std::cout << "Is debugged: " << a << std::endl;
    std::cout << "OK ?";
    std::cin >> a; // I set a breakpoint here
}
I build it and run it in Debug and Release mode, and it prints "Is debugged: 0", which is wrong because this process is being debugged. I know something is wrong with my code, because when I tried the debugger-flag method it printed "1".
1 Answer
The return value of a call to NtQueryInformationProcess only indicates whether the call succeeded (and, if it failed, the nature of the error). So, assuming the call succeeded, your status variable will hold the value STATUS_SUCCESS, which is defined as zero (whether or not you cast it to int). The *actual data* you want to check is the dwProcessDebugPort DWORD whose address you (apparently correctly) pass to the system call. If the process is running under a debugger, it will have a non-zero value. So, after the call to NtQueryInformationProcess, your "diagnostic" code should look like this:
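A worked version of the check the answer describes, added here as an example that is not part of the original question or answer. It keeps the decision logic separate from the system call so the difference between the NTSTATUS return code and the out-parameter is explicit, and it passes a DWORD_PTR because ProcessDebugPort returns a pointer-sized value (so the 32-bit DWORD in the question only works in an x86 build); the Windows call is guarded by _WIN32 so the file also compiles elsewhere.

```cpp
#include <cstdint>
#include <iostream>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   // PROCESSINFOCLASS, ProcessDebugPort, NTSTATUS
#endif

// Three outcomes: a failed query must not be reported as "not debugged".
enum class DebugCheck { NotDebugged, Debugged, QueryFailed };

// Pure decision logic, kept apart from the syscall so it can be tested anywhere.
// 'status' is the NTSTATUS return value; 'debugPort' is the OUT parameter.
// NT_SUCCESS(status) is simply status >= 0 (the sign bit marks errors).
DebugCheck interpretDebugPort(int32_t status, uintptr_t debugPort) {
    if (status < 0) return DebugCheck::QueryFailed;
    return debugPort != 0 ? DebugCheck::Debugged : DebugCheck::NotDebugged;
}

#ifdef _WIN32
typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)(
    HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

// Queries ProcessDebugPort for the current process and interprets the result.
DebugCheck checkDebugPort() {
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); // ntdll is always loaded
    if (!hNtdll) return DebugCheck::QueryFailed;
    auto fn = (TNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (!fn) return DebugCheck::QueryFailed;
    DWORD_PTR debugPort = 0;   // pointer-sized: sizeof(DWORD) would fail on x64
    ULONG returned = 0;
    NTSTATUS status = fn(GetCurrentProcess(), ProcessDebugPort,
                         &debugPort, sizeof(debugPort), &returned);
    return interpretDebugPort((int32_t)status, (uintptr_t)debugPort);
}
#endif

int main() {
#ifdef _WIN32
    DebugCheck r = checkDebugPort();
    std::cout << "Is debugged: " << (r == DebugCheck::Debugged)
              << " (query failed: " << (r == DebugCheck::QueryFailed) << ")\n";
#else
    std::cout << "ProcessDebugPort is Windows-only; only the decision logic runs here.\n";
#endif
    return 0;
}
```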