
我一直在尝试通过使用 ZwQuerySystemInformation 函数调用来确定程序是否在系统模式调试器下运行。

到目前为止,我有以下代码:我先加载 ntdll.dll 库并获取 ZwQuerySystemInformation 的地址。然后我必须用适当的参数调用返回的函数指针,以获取 SystemKernelDebuggerInformation 信息。

#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <Winternl.h>


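int _tmain(int argc, _TCHAR* argv[])
{
    /* The public Winternl.h declares neither the information-class value
     * nor the result layout for the kernel-debugger query, so both are
     * defined locally. Class 35 (SystemKernelDebuggerInformation) and the
     * two BOOLEAN fields are the layout ntdll fills in; this query reports
     * the kernel debugger (KD) state of the machine, not whether a user-mode
     * debugger is attached to this process. */
    typedef struct {
        BOOLEAN DebuggerEnabled;
        BOOLEAN DebuggerNotPresent;
    } KERNEL_DEBUGGER_INFO;
    enum { KERNEL_DEBUGGER_INFO_CLASS = 35 };   /* SystemKernelDebuggerInformation */
    typedef NTSTATUS (NTAPI *QUERY_SYSTEM_INFORMATION_FN)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);

    int rc = -1;   /* exit status: -1 on any failure (as before), 0 on success */
    (void)argc;
    (void)argv;

    /* load the ntdll.dll; this takes a reference that FreeLibrary releases below */
    HMODULE lib = LoadLibrary(_T("ntdll.dll"));
    if (lib == NULL) {
        printf("Error: could not load library ntdll.dll.\n");
        return rc;
    }

    FARPROC fun = GetProcAddress(lib, "ZwQuerySystemInformation");
    if (fun == NULL) {
        printf("Error: could not find the function ZwQuerySystemInformation in library ntdll.dll.");
        goto out_free;
    }
    /* %p instead of a cast to unsigned int: the cast truncates the address on 64-bit builds */
    printf("ZwQuerySystemInformation is located at %p in ntdll.dll.\n", (void *)fun);

    /* Call through the resolved export (the earlier code resolved `fun` but
     * then called NtQuerySystemInformation directly) with a buffer whose
     * layout matches the class being queried; SYSTEM_BASIC_INFORMATION is a
     * different, larger structure and would not hold this result. */
    {
        QUERY_SYSTEM_INFORMATION_FN query = (QUERY_SYSTEM_INFORMATION_FN)fun;
        KERNEL_DEBUGGER_INFO info = {0};
        NTSTATUS status = query((SYSTEM_INFORMATION_CLASS)KERNEL_DEBUGGER_INFO_CLASS,
                                &info, sizeof(info), NULL);
        /* NTSTATUS must be checked: on failure `info` is not meaningful */
        if (!NT_SUCCESS(status)) {
            printf("Error: ZwQuerySystemInformation failed with NTSTATUS 0x%08lx.\n",
                   (unsigned long)status);
            goto out_free;
        }
        printf("DebuggerEnabled=%d DebuggerNotPresent=%d -> kernel debugger %s.\n",
               info.DebuggerEnabled, info.DebuggerNotPresent,
               (info.DebuggerEnabled && !info.DebuggerNotPresent) ? "active" : "not active");
        rc = 0;
    }

    /* wait */
    getchar();

out_free:
    FreeLibrary(lib);
    return rc;
}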

您能告诉我如何调用该函数来获取包含 SystemKernelDebuggerInformation 信息的系统信息吗?那就够了,剩下的我来处理。

谢谢




看看CheckDebugger_Method3

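     typedef long NTSTATUS;                      /* ntdll status code; 0 means success */
    #define STATUS_SUCCESS    ((NTSTATUS)0L)

    /* Result layout for information class SystemKernelDebuggerInformation (35).
     * Neither the class value nor this struct is in the public Winternl.h, so
     * the answer defines them itself. The query reports the machine's kernel
     * debugger (KD) state, not whether a user-mode debugger is attached. */
    typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
        BOOLEAN DebuggerEnabled;
        BOOLEAN DebuggerNotPresent;
    } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
    enum { SystemKernelDebuggerInformation = 35 };

    /* The class argument is taken as ULONG rather than a private enum tag: the
     * original typedef named `SYSTEM_INFORMATION_CLASS` without the `enum`
     * keyword, which is not valid C, and an int-sized enum and ULONG are passed
     * the same way here. */
    typedef NTSTATUS (__stdcall *ZW_QUERY_SYSTEM_INFORMATION)(ULONG SystemInformationClass,
                                                              PVOID SystemInformation,
                                                              ULONG SystemInformationLength,
                                                              PULONG ReturnLength);

    /* Returns TRUE when ntdll reports a kernel debugger enabled and present,
     * FALSE on that condition being absent or on any lookup/query failure. */
    static BOOL kernel_debugger_present(void)
    {
        ZW_QUERY_SYSTEM_INFORMATION ZwQuerySystemInformation;
        SYSTEM_KERNEL_DEBUGGER_INFORMATION Info;
        /* GetModuleHandleA: the narrow literal must not depend on the UNICODE
         * setting; ntdll is expected to be mapped already, so no LoadLibrary. */
        HMODULE hModule = GetModuleHandleA("ntdll.dll");
        if (!hModule) {
            return FALSE;
        }
        ZwQuerySystemInformation = (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hModule, "ZwQuerySystemInformation");
        if (!ZwQuerySystemInformation) {
            return FALSE;
        }
        /* Info is only meaningful when the call reports STATUS_SUCCESS */
        if (ZwQuerySystemInformation(SystemKernelDebuggerInformation, &Info, sizeof(Info), NULL) != STATUS_SUCCESS) {
            return FALSE;
        }
        return (Info.DebuggerEnabled && !Info.DebuggerNotPresent) ? TRUE : FALSE;
    }

    /* Exit status is the check result, as in the original: TRUE (1) when a
     * kernel debugger is active, FALSE (0) otherwise. The unused
     * GetCurrentProcess() handle from the original has been dropped. */
    int main(void)
    {
        return kernel_debugger_present();
    }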

ZwQuerySystemInformation自 Windows 8 起不再可用
