反调试 - 调试对象

原理

一个程序处于被调试状态有两种情形:“打开”(调试器自己启动目标进程,对应 CreateProcess)和“附加”(调试器挂接到已运行的进程,对应 DebugActiveProcess)。这两条路径都会在系统中创建一个调试对象(DebugObject),因此只要检测系统中是否存在调试对象,就能判断出当前是否有进程正在被调试。这种方法属于全局反调试:即使被调试的程序并不是自身,也同样会被检测到;反过来说,系统上任何一个调试会话都会触发检测,它无法说明被调试的究竟是哪个进程。

代码示例

// Test_Console_1.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include <iostream>
#include <Windows.h>
#include <intrin.h>

// Only std::cout and std::endl are used unqualified in this file (see main()).
using namespace std;

// Counted (not necessarily NUL-terminated) wide string as used by the native API.
// Lengths are in bytes: main() advances a byte pointer by MaximumLength to step
// past the name storage of each entry.
typedef struct _UNICODE_STRING {
    USHORT Length;        // bytes in use, excluding any terminator
    USHORT MaximumLength; // bytes allocated for Buffer
    PWSTR  Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
// Leading fields of one per-type record returned for ObjectAllInformation.
// This declaration is only a prefix of the native record: main() does not use
// sizeof(OBJECT_TYPE_INFORMATION) to step to the next entry, it jumps to
// TypeName.Buffer + TypeName.MaximumLength and re-aligns to pointer size.
// NOTE(review): community headers for this undocumented structure list
// TotalNumberOfObjects before TotalNumberOfHandles; the order here is the
// reverse, so the count main() reads may be the handle count — confirm.
typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING TypeName;      // e.g. L"DebugObject"; Buffer points into the same query buffer
    ULONG TotalNumberOfHandles;
    ULONG TotalNumberOfObjects;   // main() treats > 0 as "a debug object exists"
}OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
// Header of the ObjectAllInformation buffer: a count followed by NumberOfObjects
// variable-length OBJECT_TYPE_INFORMATION records (each record carries its own
// name storage, so the [1] is the old-style "first of many" idiom, not a real size).
typedef struct _OBJECT_ALL_INFORMATION {
    ULONG NumberOfObjects;
    OBJECT_TYPE_INFORMATION ObjectTypeInformation[1]; // first record; the rest follow it
}OBJECT_ALL_INFORMATION, * POBJECT_ALL_INFORMATION;
// Information classes for NtQueryObject. Only the numeric value of
// ObjectAllInformation (3) is passed to the call in main(); other headers
// commonly name class 3 differently (e.g. ObjectTypesInformation), which is
// cosmetic — the value is what matters.
typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,   // 0
    ObjectNameInformation,    // 1
    ObjectTypeInformation,    // 2
    ObjectAllInformation,     // 3 — used by main()
    ObjectDataInformation     // 4
} OBJECT_INFORMATION_CLASS;
// Signature of ntdll's NtQueryObject/ZwQueryObject, resolved at runtime in main()
// via GetProcAddress. Returns an NTSTATUS; main() treats 0 as success and expects
// the size probe to fail with STATUS_INFO_LENGTH_MISMATCH (0xC0000004).
typedef NTSTATUS(WINAPI* pNtQueryObject)(
    HANDLE  Handle,                                   // NULL for ObjectAllInformation
    OBJECT_INFORMATION_CLASS ObjectInformationClass,
    PVOID ObjectInformation,                          // caller-supplied buffer
    ULONG ObjectInformationLength,                    // size of that buffer in bytes
    PULONG ReturnLength                               // optional: required/written size
    );

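// Walks the variable-length OBJECT_TYPE_INFORMATION records returned by
// NtQueryObject(ObjectAllInformation) and looks for the "DebugObject" type.
//
// Every access is bounds-checked against `size`: a truncated buffer, a stray
// TypeName.Buffer pointer or a zero-length step ends the walk instead of
// reading past the allocation. The original walk trusted all of these.
//
// Parameters:
//   base - start of the buffer filled by NtQueryObject (page-aligned from VirtualAlloc)
//   size - number of valid bytes at base
// Returns:
//    1  "DebugObject" record found and TotalNumberOfObjects > 0
//    0  "DebugObject" record found and TotalNumberOfObjects == 0
//   -1  record not found, or the buffer did not parse
static int scan_for_debug_object(const unsigned char *base, SIZE_T size)
{
    static const WCHAR kTypeName[] = L"DebugObject";
    const SIZE_T kTypeNameBytes = sizeof(kTypeName) - sizeof(WCHAR); // no terminator

    if (base == NULL || size < sizeof(OBJECT_ALL_INFORMATION)) {
        return -1;
    }

    const OBJECT_ALL_INFORMATION *all = (const OBJECT_ALL_INFORMATION *)base;
    // The first record sits right after the count, at the struct's own member offset.
    SIZE_T offset = (SIZE_T)((const unsigned char *)all->ObjectTypeInformation - base);

    for (ULONG i = 0; i < all->NumberOfObjects; i++) {
        // The (prefix of the) record header must lie entirely inside the buffer.
        if (offset > size || size - offset < sizeof(OBJECT_TYPE_INFORMATION)) {
            return -1;
        }
        const OBJECT_TYPE_INFORMATION *entry =
            (const OBJECT_TYPE_INFORMATION *)(base + offset);

        // TypeName.Buffer is expected to point back into this same buffer, after the
        // record header; reject anything that escapes [base + offset, base + size].
        ULONG_PTR nameAddr = (ULONG_PTR)entry->TypeName.Buffer;
        ULONG_PTR lo = (ULONG_PTR)base + offset;
        ULONG_PTR hi = (ULONG_PTR)base + size;
        if (nameAddr == 0 || nameAddr < lo || nameAddr > hi ||
            hi - nameAddr < entry->TypeName.MaximumLength ||
            entry->TypeName.Length > entry->TypeName.MaximumLength) {
            return -1;
        }

        // Length-bounded compare: a UNICODE_STRING need not be NUL-terminated,
        // so wcscmp() on Buffer could run off the end of the name storage.
        if (entry->TypeName.Length == kTypeNameBytes &&
            memcmp(entry->TypeName.Buffer, kTypeName, kTypeNameBytes) == 0) {
            return entry->TotalNumberOfObjects > 0 ? 1 : 0;
        }

        // Next record starts after the name storage, rounded up to pointer size.
        // base is page-aligned, so aligning the offset equals aligning the address.
        SIZE_T next = (SIZE_T)(nameAddr - (ULONG_PTR)base) + entry->TypeName.MaximumLength;
        next = (next + sizeof(void *) - 1) & ~(SIZE_T)(sizeof(void *) - 1);
        if (next <= offset) {
            return -1; // zero-size step would loop forever on a malformed buffer
        }
        offset = next;
    }
    return -1;
}

// Demo: ask the kernel for the system-wide object-type table and report whether
// any "DebugObject" instances exist. Prints one line and waits for a key.
int main()
{
    PVOID p_Memory = NULL;
    ULONG objSize = 0;

    // ntdll.dll is mapped into every user-mode process, so GetModuleHandleW is
    // sufficient; LoadLibrary would only add a reference that is never released.
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    pNtQueryObject NtQueryObject = ntdll != NULL
        ? (pNtQueryObject)GetProcAddress(ntdll, "ZwQueryObject")
        : NULL;

    if (NtQueryObject != NULL) {
        // Size probe: expected to fail with STATUS_INFO_LENGTH_MISMATCH (0xC0000004)
        // while writing the required size to ReturnLength (objSize).
        NtQueryObject(NULL, ObjectAllInformation, &objSize, sizeof(ULONG), &objSize);
        if (objSize > 0) {
            p_Memory = VirtualAlloc(NULL, objSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        }
    }

    // The table can grow between the probe and this call; a non-zero status
    // here (length mismatch again) simply yields no report.
    if (p_Memory != NULL &&
        NtQueryObject(NULL, ObjectAllInformation, p_Memory, objSize, NULL) == 0) {
        switch (scan_for_debug_object((const unsigned char *)p_Memory, objSize)) {
        case 1:
            cout << "发现调试器!" << endl;
            break;
        case 0:
            cout << "没有调试器" << endl;
            break;
        default:
            // Record absent or buffer did not parse: report it rather than stay silent,
            // which the original did and which looked identical to "no debugger".
            cout << "未找到 DebugObject 类型" << endl;
            break;
        }
    }

    if (p_Memory != NULL) {
        VirtualFree(p_Memory, 0, MEM_RELEASE);
    }
    getchar();
    return 0;
}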

效果图

vs调试:
在这里插入图片描述
正常启动:
在这里插入图片描述
x64dbg 调试 calc.exe:
在这里插入图片描述


转载自blog.csdn.net/Simon798/article/details/107333287