如何ZwQueryInformationProcess()取消 ProcessDebugPort 类的反调试保护?不像isDebuggerPresent()我发现这在我的技能中真的很难绕过......
有谁知道如何绕过这个api函数?
我如何绕过 ZwQueryInformationProcess 作为反调试保护
逆向工程
视窗
ollydbg
反调试
2021-06-13 07:32:45
1个回答
#include "zwopenproc.h"
int main (void)
{
hNtdll=GetModuleHandle("ntdll.dll");
if(hNtdll)
{
*(FARPROC *)&ZwQIP = GetProcAddress(hNtdll,"ZwQueryInformationProcess");
hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId());
ZwQIP(hProc,ProcessImageFileName,OutBuff,sizeof(OutBuff),&Rlen);
printf("ImageName=%wZ\n",OutBuff);
ZwQIP(hProc,ProcessDebugPort,&DbgPort,4, &Rlen);
switch( DbgPort )
{
case 0xffffffff:
printf("some bugs are debugging us\n");
break;
case 0x0:
printf("no bugs are debugging us\n");
break;
default:
printf ("who knows if bugs are debugging us\n");
break;
}
}
return 0;
}
在没有调试器的情况下执行此代码
zwopenproc.exe
ImageName=\Device\HarddiskVolume4\test\zwqiproc\zwopenproc.exe
no bugs are debugging us
在调试器内部执行会导致检测
cdb -g -G zwopenproc.exe | tail -2
ImageName=\Device\HarddiskVolume4\test\zwqiproc\zwopenproc.exe
some bugs are debugging us +++++++++++++++++++++++++++++++++++++++++++++++
在调试器内部执行并使用脚本覆盖返回缓冲区不会导致检测
cdb -G -c "$$>a< zwqip.txt" zwopenproc.exe | tail -6
Process Id 2064
Parent Process 3716
Base Priority 8
. 0 id: 810 create name: zwopenproc.exe
ImageName=\Device\HarddiskVolume4\test\zwqiproc\zwopenproc.exe
no bugs are debugging us <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
printf "%x\n" , 2064
810
脚本文件的内容
cat zwqip.txt
bp ntdll!ZwQueryInformationProcess ".if( poi(@esp+8) != 7 ){gc} .else { !handle poi(@esp+4
) f ; | ; gu ; ed dbgport 0; gc } "
g
其它你可能感兴趣的问题