
【讨论】用DebugActiveProcess检测被调试?

根据能否附加目标进程来判断是否被调试了,不知道可行不?

引用:

#include <windows.h>

#include <errno.h>
#include <stdlib.h>
#include <string.h>

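/*
 * Enable or disable SeDebugPrivilege (SE_DEBUG_NAME) on the current
 * process token.
 *
 * bEnable: TRUE to enable the privilege, FALSE to disable it.
 *
 * Returns TRUE only when the privilege was actually adjusted. Returns FALSE
 * when the token cannot be opened, the privilege name cannot be resolved,
 * AdjustTokenPrivileges fails, or the token does not hold the privilege at
 * all: in that last case AdjustTokenPrivileges still returns non-zero and
 * only GetLastError() (ERROR_NOT_ALL_ASSIGNED) reveals the failure, which is
 * why the error code is consulted in addition to the return value.
 */
BOOL EnableDebugPrivilege(BOOL bEnable)
{
    BOOL fOK = FALSE; /* assume failure until every step succeeded */
    HANDLE hToken = NULL;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        return FALSE;
    }

    TOKEN_PRIVILEGES tp = {0};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;

    /* If the lookup fails the LUID is undefined, so do not adjust anything. */
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
            /* Must be read before CloseHandle, which may overwrite it. */
            fOK = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return fOK;
}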


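/*
 * Demo: detect a debugger on this process by asking a helper child process
 * to attach to us with DebugActiveProcess.
 *
 * Without "pid=" on the command line this instance is the parent: it spawns
 * a copy of itself with "pid=<own pid>" and blocks in a message box so the
 * child has something to attach to. With "pid=<n>" this instance is the
 * child: it enables SeDebugPrivilege, tries to attach to the parent and
 * reports the outcome.
 *
 * Why the result is only a hint, not proof:
 *  - a refused attach can also come from insufficient privilege or a
 *    protected/elevated target, not only from a debugger already attached,
 *    so the error code must be inspected before drawing a conclusion;
 *  - the check is a snapshot: a debugger attached after the child detaches
 *    is never seen;
 *  - the child must detach with DebugActiveProcessStop before it exits,
 *    otherwise the parent is terminated together with its debugger.
 *
 * Returns 0 when the probe ran, non-zero when the helper could not be
 * started or the "pid=" argument is malformed.
 */
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    (void)hInstance;
    (void)hPrevInstance;
    (void)nShowCmd;

    const char *pFind = (lpCmdLine != NULL) ? strstr(lpCmdLine, "pid=") : NULL;

    if (pFind == NULL) {
        /* Parent: start a copy of ourselves with our own PID as argument. */
        char path[MAX_PATH];
        char args[64]; /* "pid=" plus a 32-bit decimal fits comfortably */

        DWORD len = GetModuleFileNameA(NULL, path, sizeof(path));
        if (len == 0 || len >= sizeof(path)) {
            /* 0 = failure, len == size = truncated path; either is unusable. */
            MessageBoxA(NULL, "GetModuleFileName failed", NULL, 0);
            return 1;
        }
        wsprintfA(args, "pid=%u", (unsigned)GetCurrentProcessId());

        /* ShellExecute reports success with a value greater than 32. */
        if ((INT_PTR)ShellExecuteA(NULL, "open", path, args, NULL, SW_HIDE) <= 32) {
            MessageBoxA(NULL, "failed to start helper process", NULL, 0);
            return 1;
        }

        /* Only here to keep the parent alive while the child probes it. */
        MessageBoxA(NULL, "just keep process running", NULL, 0);
        return 0;
    }

    /* Child: attaching to another process normally needs SeDebugPrivilege.
     * Attaching to a same-user, unprotected parent may still work without it,
     * so a failure here is reported but does not abort the probe. */
    if (!EnableDebugPrivilege(TRUE)) {
        MessageBoxA(NULL, "warning: could not enable SeDebugPrivilege", NULL, 0);
    }

    /* Parse the PID strictly: atol() silently returns 0 on garbage, and
     * DebugActiveProcess takes a DWORD, so range-check before narrowing.
     * Trailing text after the number is tolerated, as the original did. */
    const char *digits = pFind + 4; /* skip "pid=" */
    char *end = NULL;
    errno = 0;
    unsigned long pidValue = strtoul(digits, &end, 10);
    if (end == digits || errno == ERANGE || pidValue == 0 || pidValue > MAXDWORD) {
        MessageBoxA(NULL, "bad pid argument", NULL, 0);
        return 1;
    }
    DWORD pid = (DWORD)pidValue;

    if (!DebugActiveProcess(pid)) {
        /* Attach refused. Possibly a debugger is already present, but a
         * privilege problem looks the same from here; read the error code
         * once, before any other API call can overwrite it. */
        DWORD err = GetLastError();
        char msg[128];
        wsprintfA(msg, "attach failed with error code:0x%0x\n", err);
        MessageBoxA(NULL, msg, NULL, 0);
        return 0;
    }

    /* Attach succeeded, so no other debugger held the parent at this moment.
     * Detach before exiting, otherwise the parent dies with us. */
    DebugActiveProcessStop(pid);
    MessageBoxA(NULL, "process is not debugged!", NULL, 0);
    return 0;
}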

