英文:
Use NtQueryInformationProcess to check for debugger attached
问题
Here is the translated code portion:
我正在编写一个简单的C++项目,使用Microsoft的Visual Studio 2022,在其中使用`NtQueryInformationProcess`来检查进程是否正在被调试,但它不起作用。
以下是我的代码:
#include "Header.h"
#include <iostream>
#include <winternl.h>
#include <Windows.h>
// 使用PEB中的Debug标志的方法。这个方法有效并返回a = 1
int PEB_Flag() {
int a;
__asm {
mov eax, dword ptr fs : [18h]
mov eax, dword ptr ds : [eax + 30h]
movzx eax, byte ptr ds : [eax + 2h]
mov[a], eax
}
return a;
}
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation = 0,
ProcessDebugPort = 7,
ProcessWow64Information = 26,
ProcessImageFileName = 27,
ProcessBreakOnTermination = 29
} PROCESSINFOCLASS;
typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength
);
int main() {
HANDLE ProcessHandler = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
HMODULE hNtdll = LoadLibraryA("ntdll.dll");
std::cout << "hNtdll: " << std::hex << hNtdll << std::endl;
auto pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(
hNtdll, "NtQueryInformationProcess");
DWORD dwProcessDebugPort, dwReturned;
NTSTATUS status = pfnNtQueryInformationProcess(
ProcessHandler,
ProcessDebugPort,
&dwProcessDebugPort,
sizeof(DWORD),
&dwReturned);
int a = int(status);
std::cout << "Is debugged: " << a << std::endl;
std::cout << "OK ?";
std::cin >> a; // 我在这里设置了一个断点
}
This is the translated portion of your C++ code.
英文:
I am writing a simple C++ project on Microsoft's Visual Studio 2022, that uses NtQueryInformationProcess
to check if a process is being debugged but it is not working.
Here is my code:
#include "Header.h"
#include <iostream>
#include <winternl.h>
#include<Windows.h>
// Method use Debug flags in the PEB. This worked and return a = 1
int PEB_Flag() {
int a;
__asm {
mov eax, dword ptr fs : [18h]
mov eax, dword ptr ds : [eax + 30h]
movzx eax, byte ptr ds : [eax + 2h]
mov[a], eax
}
return a;
}
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation = 0,
ProcessDebugPort = 7,
ProcessWow64Information = 26,
ProcessImageFileName = 27,
ProcessBreakOnTermination = 29
} PROCESSINFOCLASS;
typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength
);
int main() {
HANDLE ProcessHandler = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
HMODULE hNtdll = LoadLibraryA("ntdll.dll");
//HINSTANCE hNtDll = GetModuleHandleW(L"ntdll.dll");
std::cout << "hNtdll: " << std::hex << hNtdll << std::endl;
auto pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(
hNtdll, "NtQueryInformationProcess");
DWORD dwProcessDebugPort, dwReturned;
NTSTATUS status = pfnNtQueryInformationProcess(
//GetCurrentProcess(),
ProcessHandler,
ProcessDebugPort,
&dwProcessDebugPort,
sizeof(DWORD),
&dwReturned);
a = int(status);
std::cout << "Is debugged: " << a << std::endl;
std::cout << "OK ?";
std::cin >> a; // I set a breakpoint here
}
I build it, run it in both debug mode and realease mode, and it print "Is debugged: 0", which is wrong because this process is being debugged. I know that my code has something wrong, because I had tried with method check for debugger flag and it prints "1".
答案1
得分: 0
The return value of a call to the NtQueryInformationProcess
function indicates only whether or not the call succeeded (and, if it failed, and indication of the nature of the error). Thus, your status
variable – assuming the call succeeds – will have the value STATUS_SUCCESS
, which is defined as zero (whether or not you cast it to an int
).
The actual data that you want to inspect is the dwProcessDebugPort
DWORD
, whose address you (seemingly correctly) pass to the system call. That will have a non-zero value if the process is being run under a debugger.
So, after your call to NtQueryInformationProcess
, your 'diagnostic' code should look something like this:
if (NT_SUCCESS(status)) {
std::cout << (dwProcessDebugPort == 0 ? "Not debugging.\n" : "Debugging.\n");
}
else {
std::cout << "Call failed!\n";
}
英文:
The return value of a call to the NtQueryInformationProcess
function indicates only whether or not the call succeeded (and, if it failed, and indication of the nature of the error). Thus, your status
variable – assuming the call succeeds – will have the value STATUS_SUCCESS
, which is defined as zero (whether or not you cast it to an int
).
The actual data that you want to inspect is the dwProcessDebugPort
DWORD
, whose address you (seemingly correctly) pass to the system call. That will have a non-zero value if the process is being run under a debugger.
So, after your call to NtQueryInformationProcess
, your 'diagnostic' code should look something like this:
if (NT_SUCCESS(status)) {
std::cout << (dwProcessDebugPort == 0 ? "Not debugging.\n" : "Debugging.\n");
}
else {
std::cout << "Call failed!\n";
}
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论