逆向 | 简单调试器检测&调试器进程检测、虚拟机进程检测、启动路径检测、计算机名检测

发布时间: 2023-08-21 20:31:17　作者: Mz1

逆向 | 简单调试器进程检测、虚拟机进程检测、启动路径检测、计算机名检测

写在自己书里的代码，丢一份到 blog。

简单调试器检测:

#include <stdio.h>
#include <windows.h>
// 定义枚举值
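// PROCESSINFOCLASS values understood by NtQueryInformationProcess that the
// program below queries. Kept as plain ints because winternl.h is not included.
const int ProcessDebugPort = 0x7;
const int ProcessDebugObjectHandle = 0x1e;
const int ProcessDebugFlags = 0x1f;
#define PROCESSINFOCLASS INT
// NtQueryInformationProcess returns an NTSTATUS (a LONG). Declaring the return
// as LONG instead of VOID lets a caller tell a failed query, which leaves the
// output buffer untouched, from a successful one; callers that ignore the
// return value are unaffected. __stdcall is the documented spelling (a no-op on x64).
typedef LONG (__stdcall *PFN_NTQUERYINFORMATIONPROCESS)(HANDLE,PROCESSINFOCLASS,PVOID,ULONG,PULONG);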
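int main(){
	// Resolve NtQueryInformationProcess from ntdll.dll. ntdll is mapped into
	// every Win32 process, so GetModuleHandle is sufficient; LoadLibrary would
	// add a module reference that the original never released.
	HMODULE hModule = GetModuleHandle("ntdll.dll");
	if (hModule == NULL){
		printf("GetModuleHandle(ntdll.dll) failed: %lu \n", GetLastError());
		return 1;
	}
	PFN_NTQUERYINFORMATIONPROCESS NtQueryInformationProcess =
		(PFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(hModule, "NtQueryInformationProcess");
	if (NtQueryInformationProcess == NULL){
		printf("GetProcAddress(NtQueryInformationProcess) failed: %lu \n", GetLastError());
		return 1;
	}
	// The status of each query is not checked here; a failed query leaves the
	// output variable at the initial value assigned below.

	// ProcessDebugPort yields a pointer-sized value (DWORD_PTR). With a 4-byte
	// DWORD buffer the query fails with a length mismatch on 64-bit builds and
	// the variable stays 0, which reads as "no debugger".
	DWORD_PTR dwDebugPort = 0;
	NtQueryInformationProcess(
		GetCurrentProcess(),
		ProcessDebugPort,
		&dwDebugPort,
		sizeof(dwDebugPort),
		NULL
	);
	printf("DebugPort: %lld \n", (long long)dwDebugPort);    // non-zero (usually -1) when a debugger is attached

	// ProcessDebugObjectHandle: a handle to the debug object, NULL when none.
	HANDLE hDebugObject = NULL;
	NtQueryInformationProcess(
		GetCurrentProcess(),
		ProcessDebugObjectHandle,
		&hDebugObject,
		sizeof(hDebugObject),
		NULL
	);
	printf("hDebugObject: %p \n", (void*)hDebugObject);    // %p: a HANDLE is pointer-sized, %d truncates it on x64

	// ProcessDebugFlags: the original passed ProcessDebugObjectHandle here by
	// mistake, so this third check repeated the second one. The flag is a
	// DWORD that reads 1 when no debugger is present.
	DWORD dwDebugFlags = 0;
	NtQueryInformationProcess(
		GetCurrentProcess(),
		ProcessDebugFlags,
		&dwDebugFlags,
		sizeof(dwDebugFlags),
		NULL
	);
	printf("bDebugFlag: %lu \n", dwDebugFlags);    // 1 when no debugger is present
	return 0;
}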

调试器进程检测、虚拟机进程检测、启动路径检测、计算机名检测:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>
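/*
 * Return the PID of the first running process whose image name equals szName,
 * or 0 when no such process exists, szName is NULL, or the snapshot could not
 * be taken. The comparison is a byte-wise strcmp, i.e. case-sensitive, even
 * though Windows image names are not.
 */
DWORD GetPid(const char* szName){
    DWORD pid = 0;
    PROCESSENTRY32 pe32 = {0};
    if (szName == NULL){
        return 0;   // strcmp on NULL is undefined behaviour
    }
    HANDLE hprocessSnap = CreateToolhelp32Snapshot(
        TH32CS_SNAPPROCESS,
        0);   // snapshot of every process on the system
    if (hprocessSnap == INVALID_HANDLE_VALUE){
        return 0;   // snapshot failed; nothing to close
    }
    pe32.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First
    if (Process32First(hprocessSnap, &pe32)){
        do{
            if (strcmp(szName, pe32.szExeFile) == 0){
                pid = pe32.th32ProcessID;
                break;   // fall through to the single cleanup point below
            }
        }while (Process32Next(hprocessSnap, &pe32));
    }
    // The original closed the snapshot only when Process32First failed and
    // leaked the handle on every other path (match found, or list exhausted).
    CloseHandle(hprocessSnap);
    return pid;
}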
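/*
 * Return 1 if s contains any of the keywords the program treats as a sign of
 * an analysis environment, 0 otherwise (also 0 for a NULL s). Matching is a
 * plain case-sensitive strstr, which is why both spellings of each word are
 * listed, exactly as in the original.
 */
static int ContainsAnalysisKeyword(const char* s){
	static const char* keywords[] = {
		"test", "TEST",
		"debug", "DEBUG",
		"analysis", "ANALYSIS"
	};
	if (s == NULL){
		return 0;
	}
	for (size_t i = 0; i < sizeof(keywords)/sizeof(keywords[0]); i++){
		if (strstr(s, keywords[i]) != NULL){
			return 1;
		}
	}
	return 0;
}
int main(){
	// Debugger and VM tool process names to look for.
	char* DebuggerProcessNames[] = {
		"x32dbg.exe",
		"x64dbg.exe",
		"ollydbg.exe",
		"VMWareTray.exe",
		"VMWareUser.exe",   // ...
	};
	size_t len = sizeof(DebuggerProcessNames)/sizeof(DebuggerProcessNames[0]);
	for (size_t i = 0; i < len; i ++){
		if (GetPid(DebuggerProcessNames[i]) != 0){   // is one of them running?
			printf("stop debug! \n");
			exit(-1);
		}
	}
	// Command-line check. The original OR-ed the strstr() results after casting
	// each pointer to int, which truncates pointers on 64-bit builds (and
	// assigned NULL to an int); comparing each result against NULL avoids that.
	const char* cmdline = GetCommandLine();
	if (ContainsAnalysisKeyword(cmdline)){
		printf("stop debug! \n");
		exit(-1);
	}
	// Computer-name check. The original scanned cmdline a second time here
	// instead of the name it had just fetched, so this check never ran; it also
	// ignored the GetComputerName return value, leaving name empty on failure.
	char name[255] = {0};
	DWORD size = sizeof(name);
	if (GetComputerName(name, &size) && ContainsAnalysisKeyword(name)){
		printf("stop debug! \n");
		exit(-1);
	}
	printf("ok! \n");
	return 0;
}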