V. Using the NtQueryInformationProcess Function
NtQueryInformationProcess is an undocumented API. Its second parameter can be used to query the debug port of a process: if the process is being debugged, the returned port value is -1, otherwise it is some other value. Because the function is undocumented, you need to obtain its address with LoadLibrary and GetProcAddress. Sample code:
#include <windows.h>
#include <winternl.h>   // NTSTATUS, PROCESSINFOCLASS
#include <stdio.h>

// Declare a function pointer type matching the undocumented NtQueryInformationProcess.
typedef NTSTATUS (WINAPI *NtQueryInformationProcessPtr)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength);

BOOL NtQueryInformationProcessApproach()
{
    // ProcessDebugPort returns a pointer-sized value, so use a pointer-sized buffer
    // (a plain int is only correct on 32-bit Windows).
    DWORD_PTR debugPort = 0;
    HMODULE hModule = LoadLibrary(TEXT("ntdll.dll"));
    NtQueryInformationProcessPtr NtQueryInformationProcess =
        (NtQueryInformationProcessPtr)GetProcAddress(hModule, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
        return FALSE;
    // Information class 7 is ProcessDebugPort; a non-zero NTSTATUS means the call failed.
    if (NtQueryInformationProcess(GetCurrentProcess(), (PROCESSINFOCLASS)7,
                                  &debugPort, sizeof(debugPort), NULL) != 0)
        printf("[Error NtQueryInformationProcessApproach] NtQueryInformationProcess failed\n");
    else
        return debugPort == (DWORD_PTR)-1;   // -1 means a debugger is attached
    return FALSE;
}
VI. The NtSetInformationThread Method
This method also calls an undocumented Windows function, NtSetInformationThread, from the current thread. When calling this function, specifying the value 0x11 (meaning ThreadHideFromDebugger) tells the operating system to detach the calling thread from any attached debugger. Sample code:
#include <windows.h>
#include <winternl.h>   // NTSTATUS, THREADINFOCLASS

// Declare a function pointer type matching the undocumented NtSetInformationThread.
typedef NTSTATUS (WINAPI *NtSetInformationThreadPtr)(
    HANDLE ThreadHandle,
    THREADINFOCLASS ThreadInformationClass,
    PVOID ThreadInformation,
    ULONG ThreadInformationLength);

void NtSetInformationThreadApproach()
{
    HMODULE hModule = LoadLibrary(TEXT("ntdll.dll"));
    NtSetInformationThreadPtr NtSetInformationThread =
        (NtSetInformationThreadPtr)GetProcAddress(hModule, "NtSetInformationThread");
    if (NtSetInformationThread == NULL)
        return;
    // 0x11 is ThreadHideFromDebugger; no information buffer is needed.
    NtSetInformationThread(GetCurrentThread(), (THREADINFOCLASS)0x11, 0, 0);
}
VII. Triggering an Exception
The principle of this technique is as follows. First, the process registers an unhandled-exception filter function A using SetUnhandledExceptionFilter. If the process is not being debugged, triggering an unhandled exception makes the operating system hand control to the previously registered function A. If the process is being debugged, the unhandled exception is caught by the debugger instead, so our function A never gets a chance to run.
Here is a tip: after the unhandled exception fires, we want to jump back to the original code and continue executing rather than let the operating system terminate the process. The solution is to modify EIP inside function A. A's parameter, an EXCEPTION_POINTERS structure, carries the address of the instruction that raised the exception, so A can set the EIP register relative to that address. Sample code:
#include <windows.h>

// Unhandled-exception handler A that the process registers (32-bit MSVC code:
// it relies on the x86 CONTEXT field Eip and on MSVC inline assembly).
LONG WINAPI MyUnhandledExceptionFilter(struct _EXCEPTION_POINTERS *pei)
{
    // Restore the previous top-level filter; EAX is 0 at the faulting instruction
    // (see the XOR below), so this reinstalls the default handler.
    SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)pei->ContextRecord->Eax);
    // Modify the EIP register value: "div eax" encodes as two bytes (F7 F0), so +2 skips it.
    pei->ContextRecord->Eip += 2;
    // Tell the operating system to resume the process at EIP instead of terminating it.
    return EXCEPTION_CONTINUE_EXECUTION;
}

BOOL UnhandledExceptionFilterApproach()
{
    SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);
    __asm
    {
        // Set EAX to zero
        xor eax, eax
        // Trigger a divide-by-zero exception
        div eax
    }
    // Reached only when the filter ran, i.e. no debugger intercepted the exception
    return FALSE;
}
VIII. Calling the DeleteFiber Function
If DeleteFiber is passed an invalid parameter, then besides throwing an exception it also sets the process's LastError value to the code for the specific cause of the error. However, if the process is being debugged, the LastError value will be modified. So even if a debugger bypasses the anti-debugging technique described in section VII, we can still detect it by checking whether the LastError value has been modified. Sample code:
#include <windows.h>

BOOL DeleteFiberApproach()
{
    char fib[1024] = {0};
    // A bogus fiber makes DeleteFiber throw an exception, which an attached debugger catches.
    DeleteFiber(fib);
    // 0x57 is ERROR_INVALID_PARAMETER; any other value means LastError was altered.
    return (GetLastError() != 0x57);
}
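Seen from the analyst's side, the four techniques in sections V to VIII leave recognizable strings behind, because the undocumented ntdll functions have to be resolved by name (section V) and the kernel32 calls appear in the import table. The following is an added example, not code from the original post: a small Python triage helper that scans a constructed string table for those indicators and maps each hit back to the section that explains it. The sample bytes, weights and the extra point for the LoadLibrary/GetProcAddress pattern are my own assumptions, not part of the post.

```python
import re

# The four API names the sections above rely on, mapped to the technique they indicate.
INDICATORS = {
    b"NtQueryInformationProcess": "section V: ProcessDebugPort (class 7) query",
    b"NtSetInformationThread": "section VI: ThreadHideFromDebugger (0x11)",
    b"SetUnhandledExceptionFilter": "section VII: unhandled-exception filter trick",
    b"DeleteFiber": "section VIII: DeleteFiber / ERROR_INVALID_PARAMETER (0x57) check",
}
# Assumed weights: the undocumented ntdll exports are strong signals because ordinary
# programs rarely resolve them by name; the two kernel32 calls are common in benign code.
WEIGHTS = {b"NtQueryInformationProcess": 3, b"NtSetInformationThread": 3,
           b"SetUnhandledExceptionFilter": 1, b"DeleteFiber": 1}

def find_indicators(blob: bytes) -> dict:
    """Return {api_name: [offsets]} for each indicator found as an ASCII or UTF-16LE string."""
    found = {}
    for name in INDICATORS:
        offsets = []
        for encoded in (name, name.decode("ascii").encode("utf-16-le")):
            offsets += [m.start() for m in re.finditer(re.escape(encoded), blob)]
        if offsets:
            found[name.decode("ascii")] = sorted(offsets)
    return found

def triage(blob: bytes) -> tuple:
    """Score the blob and list which of the post's techniques each hit corresponds to."""
    found = find_indicators(blob)
    score = sum(WEIGHTS[n.encode("ascii")] for n in found)
    # Section V explains that undocumented ntdll functions are fetched with
    # LoadLibrary/GetProcAddress; that leaves "ntdll.dll" and "GetProcAddress" as plain
    # strings, so add one point when they accompany an Nt* export name (assumed heuristic).
    if b"ntdll" in blob.lower() and b"GetProcAddress" in blob and any(n.startswith("Nt") for n in found):
        score += 1
    notes = [f"{n} -> {INDICATORS[n.encode('ascii')]}" for n in found]
    return score, notes

# Constructed sample: the string table a binary using sections V-VIII might contain.
SAMPLE = (b"\x00KERNEL32.dll\x00LoadLibraryW\x00GetProcAddress\x00"
          b"SetUnhandledExceptionFilter\x00DeleteFiber\x00GetLastError\x00"
          b"ntdll.dll\x00NtQueryInformationProcess\x00NtSetInformationThread\x00")
# Constructed benign sample: a crash handler on its own is not evidence of anti-debugging.
BENIGN = b"\x00KERNEL32.dll\x00SetUnhandledExceptionFilter\x00WriteFile\x00"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        score, notes = triage(blob)
        print(f"{label}: score {score}", *notes, sep="\n  ")
```

On the constructed SAMPLE the scan reports all four indicators with a score of 9, while BENIGN scores 1 from the crash handler alone, which is the point of weighting the kernel32 names low.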
To be continued