ThreadHideFromDebugger AntiDebug

ThreadHideFromDebugger

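#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

/*
 * Thread information classes accepted by NtQueryInformationThread /
 * NtSetInformationThread. ThreadHideFromDebugger is entry 17 (0x11) of this
 * enumeration and is the only class this sample uses.
 */
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair_Reusable,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger,
    ThreadBreakOnTermination,
    MaxThreadInfoClass
} THREADINFOCLASS;

/* Signature of ntdll!NtQueryInformationThread, resolved at run time below. */
typedef NTSTATUS (WINAPI *NtQueryInformationThreadPtr)(
    _In_ HANDLE ThreadHandle,
    _In_ THREADINFOCLASS ThreadInformationClass,
    _Out_ PVOID ThreadInformation,
    _In_ ULONG ThreadInformationLength,
    _Out_opt_ PULONG ReturnLength);

/* Signature of ntdll!NtSetInformationThread, resolved at run time below. */
typedef NTSTATUS (WINAPI *NtSetInformationThreadPtr)(
    _In_ HANDLE ThreadHandle,
    _In_ THREADINFOCLASS ThreadInformationClass,
    _In_reads_bytes_(ThreadInformationLength) PVOID ThreadInformation,
    _In_ ULONG ThreadInformationLength);

/*
 * Sample that exercises ThreadHideFromDebugger on the current thread and the
 * error paths of the two ntdll calls involved. It performs three checks and
 * prints a message for each one that does not behave as the real ntdll does:
 *
 *   1. NtSetInformationThread with a wrong length (8) must FAIL; a success
 *      means the call was answered by something other than the genuine
 *      implementation (the original author's comment names SharpOD).
 *   2. A query of the flag before it has been set (see the review note on
 *      that condition below).
 *   3. NtSetInformationThread with length 0 must succeed, and a query
 *      afterwards must read back TRUE.
 *
 * For detection engineering the observable is a thread calling
 * NtSetInformationThread on itself with class 17 (ThreadHideFromDebugger)
 * and length 0; after that call a debugger attached to the process no longer
 * receives this thread's debug events.
 *
 * Returns 0 after the checks have run (the original exited via exit(0)), and
 * 1 when ntdll or one of its two exports cannot be resolved (the original
 * fell off the end of a void main with no exit status, and would have called
 * through a NULL function pointer for a missing export).
 */
int main(void)
{
    HMODULE hModule = GetModuleHandle("ntdll.dll");
    if (hModule == NULL) {
        printf("Get ntdll Module Error\n");
        system("pause");
        return 1;
    }

    NtSetInformationThreadPtr NtSetInformationThread =
        (NtSetInformationThreadPtr)GetProcAddress(hModule, "NtSetInformationThread");
    NtQueryInformationThreadPtr NtQueryInformationThread =
        (NtQueryInformationThreadPtr)GetProcAddress(hModule, "NtQueryInformationThread");
    /* The original called through both pointers unchecked. */
    if (NtSetInformationThread == NULL || NtQueryInformationThread == NULL) {
        printf("GetProcAddress Error\n");
        system("pause");
        return 1;
    }

    NTSTATUS status;
    /* Initialized: the original read this variable after a FAILED query,
     * i.e. before the callee had necessarily written it (UB). */
    BOOLEAN PThreadHideFromDebugger = FALSE;

    /* Check 1: deliberately wrong length. The genuine call (check 3 below)
     * takes length 0, so a success here is the signature of a replacement
     * implementation that does not validate the length. */
    status = NtSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, NULL, 8); /* SharpOD BUG */
    if (NT_SUCCESS(status)) {
        printf("sharpod Error...\n");
    }

    /* Check 2: read the flag before it has been set. */
    status = NtQueryInformationThread(GetCurrentThread(), ThreadHideFromDebugger,
                                      &PThreadHideFromDebugger, sizeof(BOOLEAN), NULL);
    /* NOTE(review): as written this only fires when the query FAILS and the
     * out buffer nevertheless reads TRUE. With the variable now initialized
     * to FALSE that requires the callee to write TRUE and then fail.
     * Presumably a successful query that already reports TRUE (flag set
     * before we asked for it) was the intended condition — confirm with the
     * author before changing the operator. */
    if (!NT_SUCCESS(status) && PThreadHideFromDebugger == TRUE) {
        printf("NtQueryInformationThread Error...\n");
    }

    /* Check 3: the real call (length 0), then read the flag back. */
    status = NtSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0);
    if (!NT_SUCCESS(status)) {
        printf("NtSetInformationThread Error...\n");
    } else {
        status = NtQueryInformationThread(GetCurrentThread(), ThreadHideFromDebugger,
                                          &PThreadHideFromDebugger, sizeof(BOOLEAN), NULL);
        if (!NT_SUCCESS(status)) {
            printf("NtQueryInformationThread Error... PThreadHideFromDebugger:%d\n", PThreadHideFromDebugger);
        } else {
            if (PThreadHideFromDebugger != TRUE) {
                printf("ThreadHideFromDebugger Error... PThreadHideFromDebugger:%d\n", PThreadHideFromDebugger);
            }
            /* From here on the thread is hidden: if a debugger is attached,
             * any breakpoint or single-step on this thread is not delivered
             * to it and the process terminates instead. */
            printf("If the debugger breaks or debugs the operation, the program will crash PThreadHideFromDebugger:%d\n", PThreadHideFromDebugger);
            system("pause");
            Sleep(1); /* int3 Sleep */
            printf("OK\n");
        }
    }

    system("pause");
    return 0;
}

/*
 * NOTE(review): the `case` label below was appended to the page after main()
 * and belongs to a switch whose enclosing function is not shown here. In the
 * visible lines it reads like the query-side handler of a
 * ThreadHideFromDebugger implementation that reports TRUE without consulting
 * any per-thread state — which is exactly what check 2 above would notice.
 * Kept verbatim; it is not part of this translation unit and will not
 * compile here.
 */
case ThreadHideFromDebugger:
    if (length != sizeof(BOOLEAN)) return STATUS_INFO_LENGTH_MISMATCH;
    *(BOOLEAN *)data = TRUE;
    if (ret_len) *ret_len = sizeof(BOOLEAN);
    return STATUS_SUCCESS;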