测试了一下，比较管用。
/*
 * Debug-port check for the current process.
 *
 * Resolves ZwQuerySystemInformation, ZwSetInformationThread and
 * ZwQueryInformationProcess from ntdll.dll by export name, marks the calling
 * thread ThreadHideFromDebugger, and then queries the process's debug port.
 *
 * Returns true when ProcessDebugPort reports a non-zero port for this process
 * (the author treats that as "a user-mode debugger is attached"); false
 * otherwise.
 *
 * Caveats for callers and reviewers:
 *  - false is also returned when ntdll.dll or any of the three exports cannot
 *    be resolved, or when a Zw* call returns anything but STATUS_SUCCESS, so
 *    "not debugged" and "check failed" are indistinguishable to the caller.
 *  - The ThreadHideFromDebugger call is a side effect, not a detection step:
 *    it changes how this thread is reported to an attached debugger, and it
 *    happens before the debug-port query regardless of the query's outcome.
 *  - ZwQuerySystemInformation is resolved only as an availability test; the
 *    kernel-debugger query that used it was disabled by the author and is not
 *    called here.
 *  - The #defines below are preprocessor directives and therefore keep file
 *    scope from this point on, even though they sit inside the function body.
 */
bool check()
{
#define NTAPI __stdcall
    typedef long NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0L)

    // Layouts mirror the undocumented ntdll information classes used below.
    typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
        BOOLEAN DebuggerEnabled;
        BOOLEAN DebuggerNotPresent;
    } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

    typedef struct _PROCESS_DEBUG_PORT_INFO {
        HANDLE DebugPort;
    } PROCESS_DEBUG_PORT_INFO;

    enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };
    enum THREAD_INFO_CLASS { ThreadHideFromDebugger = 17 };
    enum PROCESS_INFO_CLASS { ProcessDebugPort = 7 };

    typedef NTSTATUS (NTAPI *ZW_QUERY_SYSTEM_INFORMATION)(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength);

    typedef NTSTATUS (NTAPI *ZW_SET_INFORMATION_THREAD)(
        IN HANDLE ThreadHandle,
        IN THREAD_INFO_CLASS ThreadInformationClass,
        IN PVOID ThreadInformation,
        IN ULONG ThreadInformationLength);

    typedef NTSTATUS (NTAPI *ZW_QUERY_INFORMATION_PROCESS)(
        IN HANDLE ProcessHandle,
        IN PROCESS_INFO_CLASS ProcessInformationClass,
        OUT PVOID ProcessInformation,
        IN ULONG ProcessInformationLength,
        OUT PULONG ReturnLength);

    // Every export used here lives in ntdll.dll, which is already mapped in
    // any Win32 process; a NULL here means there is nothing to query.
    HMODULE ntdll = GetModuleHandle(TEXT("ntdll.dll"));
    if (ntdll == NULL) {
        return false;
    }

    // Resolved only to confirm the export exists; not called (see header).
    ZW_QUERY_SYSTEM_INFORMATION querySystemInfo =
        (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(ntdll, "ZwQuerySystemInformation");
    if (querySystemInfo == NULL) {
        return false;
    }

    ZW_SET_INFORMATION_THREAD setThreadInfo =
        (ZW_SET_INFORMATION_THREAD)GetProcAddress(ntdll, "ZwSetInformationThread");
    if (setThreadInfo == NULL) {
        return false;
    }

    // Side effect, not a check: hide this thread from an attached debugger.
    // Information buffer must be NULL/0 for this class.
    NTSTATUS hideStatus =
        setThreadInfo(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0);
    if (hideStatus != STATUS_SUCCESS) {
        return false;
    }

    ZW_QUERY_INFORMATION_PROCESS queryProcessInfo =
        (ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(ntdll, "ZwQueryInformationProcess");
    if (queryProcessInfo == NULL) {
        return false;
    }

    // DebugPort is only read on the success path, so it needs no initializer.
    PROCESS_DEBUG_PORT_INFO portInfo;
    NTSTATUS queryStatus = queryProcessInfo(GetCurrentProcess(),
                                            ProcessDebugPort,
                                            &portInfo,
                                            sizeof(portInfo),
                                            NULL);
    if (queryStatus != STATUS_SUCCESS) {
        return false;
    }

    // Non-zero port == a debugger is attached to this process.
    return portInfo.DebugPort != NULL;
}
异常反调试：试了试，比较有用，能检测市面上大部分 OD。
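/*
 * Exception-based debugger check (the author's "异常反调试").
 *
 * Calls CloseHandle() on a handle value that is not expected to be open in
 * this process inside a structured-exception frame. Per the author's note the
 * bogus close is only surfaced as an exception while a debugger is attached,
 * so reaching the __except block is taken as "debugger present".
 *
 * Returns TRUE if an exception was caught, FALSE if CloseHandle() returned
 * normally.
 *
 * Changes vs. the original: the handler returned EXCEPTION_EXECUTE_HANDLER
 * (the filter-disposition constant, which merely happens to equal TRUE) as the
 * BOOL result, and the local `b` was set but never read on any path. The
 * values returned are unchanged; the filter now names its disposition.
 *
 * Caveats:
 *  - Handle values are process-specific. 0x100211 is assumed to never be a
 *    live handle in this process; if it were, this would close a real object
 *    and corrupt program state. NOTE(review): confirm that assumption for the
 *    host process, or pick a value proven unused at runtime.
 *  - The __except filter catches every exception, not only the invalid-handle
 *    one, so any other fault inside the __try also reads as "debugged".
 */
BOOL checkCode()
{
    __try {
        CloseHandle(HANDLE(0x100211));
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        // Exception observed: the author's signal that a debugger is attached.
        return TRUE;
    }
    return FALSE;
}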