Windows: checking for an attached debugger with NtQueryInformationProcess

tct7dpnv  posted on 2023-05-19  in  Windows

I am writing a simple C++ project in Microsoft Visual Studio 2022 that uses NtQueryInformationProcess to check whether the process is being debugged, but it does not work.
Here is my code:

#include <Windows.h>
#include <winternl.h>   // declares NTSTATUS, NT_SUCCESS and PROCESSINFOCLASS (ProcessDebugPort = 7)
#include <iostream>

// Method using the BeingDebugged flag in the PEB. This worked and returned a = 1.
// MSVC only supports inline asm in x86 (Win32) builds, so this needs a 32-bit configuration.
int PEB_Flag() {
    int a;
    __asm {
        mov eax, dword ptr fs : [18h]         // TEB
        mov eax, dword ptr ds : [eax + 30h]   // TEB->ProcessEnvironmentBlock
        movzx eax, byte ptr ds : [eax + 2h]   // PEB->BeingDebugged
        mov[a], eax
    }
    return a;
}

// The PROCESSINFOCLASS enum (ProcessBasicInformation = 0, ProcessDebugPort = 7,
// ProcessWow64Information = 26, ProcessImageFileName = 27, ProcessBreakOnTermination = 29)
// already comes from <winternl.h>; redefining it here collides with that header.

typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)(
    IN HANDLE           ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID           ProcessInformation,
    IN ULONG            ProcessInformationLength,
    OUT PULONG          ReturnLength
    );

int main() {
    int a = 0;
    HANDLE ProcessHandler = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());

    HMODULE hNtdll = LoadLibraryA("ntdll.dll");
    //HINSTANCE hNtDll = GetModuleHandleW(L"ntdll.dll");
    std::cout << "hNtdll: " << std::hex << hNtdll << std::endl;

    auto pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(
        hNtdll, "NtQueryInformationProcess");
    DWORD dwProcessDebugPort = 0, dwReturned = 0;
    NTSTATUS status = pfnNtQueryInformationProcess(
        //GetCurrentProcess(),
        ProcessHandler,
        ProcessDebugPort,
        &dwProcessDebugPort,
        sizeof(DWORD),
        &dwReturned);

    // status is the NTSTATUS return code of the call, not the queried data
    a = int(status);
    std::cout << "Is debugged: " << a << std::endl;

    std::cout << "OK ?";
    std::cin >> a; // I set a breakpoint here
}

I built it and ran it in both Debug and Release mode; it prints "Is debugged: 0", which is wrong, because this process is being debugged. I know something is wrong with my code, because I tried the method that checks the debugger flag and it prints "1".

6ojccjat 1#

The return value of the NtQueryInformationProcess function indicates whether the call succeeded (and, if it failed, the nature of the error). So, assuming the call succeeded, your status variable will have the value STATUS_SUCCESS, which is defined as zero (whether or not you cast it to int).
The *actual data* you want to check is the dwProcessDebugPort DWORD, whose address you pass (seemingly correctly) to the system call. If the process is running under a debugger, it will have a non-zero value.
So, after the call to NtQueryInformationProcess, your "diagnostic" code should look like this:

if (NT_SUCCESS(status)) {
    std::cout << (dwProcessDebugPort == 0 ? "Not debugging.\n" : "Debugging.\n");
}
else {
    std::cout << "Call failed!\n";
}
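The point of the answer, as a complete added example that is not code from the question or the answer: the NTSTATUS only says whether the query worked, the verdict is in the output buffer. The program below queries ProcessDebugPort and, going beyond the question, the two other debugger-related classes, ProcessDebugObjectHandle (30) and ProcessDebugFlags (31), each of which is decoded differently. The decode functions are plain C++ and compile on any platform; the query wrapper itself is only built on Windows. The names `DebugQuery`, `DecodeDebugPort`, `QueryCurrentProcess` and the `k…` constants are this example's own.

```cpp
// Added example (not part of the original question or answer): decode the
// three debugger-related NtQueryInformationProcess classes correctly.
#include <cstdint>
#include <cstdio>

#ifdef _WIN32
#include <Windows.h>
#include <winternl.h>
#endif

typedef std::int32_t NtStatus;   // NTSTATUS is a 32-bit LONG; negative means failure

static const NtStatus kStatusPortNotSet = static_cast<NtStatus>(0xC0000353u); // STATUS_PORT_NOT_SET

// Information classes (ProcessDebugObjectHandle/ProcessDebugFlags are missing
// from some copies of winternl.h, so they are spelled out as constants here).
enum ProcessDebugClass {
    kProcessDebugPort         = 7,
    kProcessDebugObjectHandle = 30,
    kProcessDebugFlags        = 31
};

// One query result: the NTSTATUS return code plus the value written to the buffer.
struct DebugQuery {
    NtStatus      status;
    std::uint64_t value;   // wide enough for a HANDLE / DWORD_PTR on x64
};

// ProcessDebugPort: status only says whether the call worked; the verdict is
// in the buffer. Returns 1 = debugged, 0 = not debugged, -1 = call failed.
int DecodeDebugPort(const DebugQuery& q) {
    if (q.status < 0) return -1;       // NT_SUCCESS(status) is (status >= 0)
    return q.value != 0 ? 1 : 0;
}

// ProcessDebugObjectHandle: the kernel answers STATUS_PORT_NOT_SET when no
// debugger is attached, and success with a non-zero handle when one is.
int DecodeDebugObjectHandle(const DebugQuery& q) {
    if (q.status == kStatusPortNotSet) return 0;
    if (q.status < 0) return -1;
    return q.value != 0 ? 1 : 0;
}

// ProcessDebugFlags returns the NoDebugInherit flag, which a debugger clears,
// so here a buffer value of 0 means "debugged".
int DecodeDebugFlags(const DebugQuery& q) {
    if (q.status < 0) return -1;
    return q.value == 0 ? 1 : 0;
}

#ifdef _WIN32
typedef NTSTATUS(NTAPI* NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);

// ntdll.dll is mapped into every process, so GetModuleHandle is enough.
static NtQueryInformationProcess_t ResolveNtQueryInformationProcess() {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return nullptr;
    return reinterpret_cast<NtQueryInformationProcess_t>(
        GetProcAddress(ntdll, "NtQueryInformationProcess"));
}

// Queries one class for the current process. `size` must match what the class
// expects: sizeof(ULONG_PTR) for the port and the handle, sizeof(ULONG) for the
// flags. Passing sizeof(DWORD) for the port in an x64 build fails with
// STATUS_INFO_LENGTH_MISMATCH (0xC0000004).
static DebugQuery QueryCurrentProcess(ULONG cls, ULONG size) {
    DebugQuery q = { static_cast<NtStatus>(0xC0000001u) /* STATUS_UNSUCCESSFUL */, 0 };
    NtQueryInformationProcess_t fn = ResolveNtQueryInformationProcess();
    if (!fn) return q;
    ULONG_PTR buffer = 0;   // zero-initialised so an unwritten buffer decodes as "no debugger"
    ULONG returned = 0;
    q.status = fn(GetCurrentProcess(), cls, &buffer, size, &returned);
    q.value = buffer;
    return q;
}
#endif

int main() {
#ifdef _WIN32
    int port  = DecodeDebugPort(QueryCurrentProcess(kProcessDebugPort, sizeof(ULONG_PTR)));
    int obj   = DecodeDebugObjectHandle(QueryCurrentProcess(kProcessDebugObjectHandle, sizeof(ULONG_PTR)));
    int flags = DecodeDebugFlags(QueryCurrentProcess(kProcessDebugFlags, sizeof(ULONG)));
    std::printf("ProcessDebugPort         -> %d\n", port);
    std::printf("ProcessDebugObjectHandle -> %d\n", obj);
    std::printf("ProcessDebugFlags        -> %d\n", flags);
    std::printf("(1 = debugger attached, 0 = none, -1 = query failed)\n");
#else
    std::printf("The NtQueryInformationProcess query itself only runs on Windows.\n");
#endif
    return 0;
}
```

Two gotchas in the original program are worth checking before trusting any output: the duplicate PROCESSINFOCLASS enum collides with the one in winternl.h, and `sizeof(DWORD)` as the buffer length for ProcessDebugPort is only valid in 32-bit builds, which is why the example passes a pointer-sized buffer. All three classes are answered by the kernel from the same EPROCESS debug state, so a debugger plugin that hooks NtQueryInformationProcess in the debuggee can spoof all of them at once; treat them as one signal among several rather than a guarantee.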
