反调试——5——检测调试对象

反调试——5——检测调试对象

有一些内容采用的是WRK里面的定义。因为这个算是没有公开的文档,公开的不能这样使用。

查询父进程实现反调试

正常打开(双击运行)的程序的父进程是explorer.exe(资源管理器)(Windows的内置机制),通过查询父进程的ID是否是explorer.exe来判断程序是否被调试了。

这里我直接上代码了。

NTSTATUS
NtQueryInformationProcess(
   __in HANDLE ProcessHandle,
   __in PROCESSINFOCLASS ProcessInformationClass,
   __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
   __in ULONG ProcessInformationLength,
   __out_opt PULONG ReturnLength
  )
#include<iostream>
#include<Windows.h>
#include<winternl.h>
#include<tlhelp32.h>
#include<string.h>
using namespace std;


typedef struct _PROCESS_BASIC_INFORMATION_1 {
   NTSTATUS ExitStatus;
   PPEB PebBaseAddress;
   ULONG_PTR AffinityMask;
   KPRIORITY BasePriority;
   ULONG_PTR UniqueProcessId;
   ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION_1;

//定义函数指针
typedef NTSTATUS (NTAPI *_NtQueryInformationProcess)(
   __in HANDLE ProcessHandle,
   __in PROCESSINFOCLASS ProcessInformationClass,
   __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
   __in ULONG ProcessInformationLength,
   __out_opt PULONG ReturnLength
);

_NtQueryInformationProcess NtQueryInformationProcess_My;

int main()
{
//获得NtQueryInformation函数指针
   HMODULE hNtdll = GetModuleHandleA("ntdll.dll");//因为每个程序都会有ntdll,所以就不用动态loadlibrary加载了,直接获取dll的句柄
   if (hNtdll == NULL)
  {
       cout << "获取ntdll句柄错误" << endl;
       return 0;
  }
   NtQueryInformationProcess_My = (_NtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");

   //获取当前进程的信息
   HANDLE hCurrentProcess = GetCurrentProcess();
   PROCESS_BASIC_INFORMATION_1 CurrentInfo = { 0 };
   NtQueryInformationProcess_My(hCurrentProcess, ProcessBasicInformation, &CurrentInfo,sizeof(CurrentInfo),NULL);
   auto CurrentParentProcessId = CurrentInfo.InheritedFromUniqueProcessId;

   //遍历所有进程信息,对比进程ID
   PROCESSENTRY32 SnapshotInfo = { 0 };
   SnapshotInfo.dwSize = sizeof(PROCESSENTRY32);
   HANDLE  hSnapshot =  CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
   if (hSnapshot == INVALID_HANDLE_VALUE)
  {
       cout << "创建进程快照失败" << endl;
       return 0;
  }
   auto Sucess = Process32First(hSnapshot, &SnapshotInfo);
   if (Sucess == TRUE)
  {
       do {
           if (wcscmp(SnapshotInfo.szExeFile, L"explorer.exe")==0)//这里使用宽字符
          {
               if (SnapshotInfo.th32ProcessID == CurrentParentProcessId)
              {
                   cout << "程序通过父进程检测,程序的父进程正常" << endl;
              }
               else
              {
                   cout << "检测到父进程不对,程序正在被调试" << endl;
              }
               break;
          }
      } while (Process32Next(hSnapshot, &SnapshotInfo));
  }
   else
  {
       cout << "获取第一个进程信息失败" << endl;
       return 0;
  }
   system("pause");
   return 0;
}

 

反调试——5——检测调试对象

 

 

查询调试内核调试对象

当调试器调试某进程时,会创建一个内核的调试对象,通过检测它是否存在来实现反调试。(这里就采用WRK里面的内容了,官方文档的内容不好使。)

通过NtQueryObject可以检测是否存在调试对象,通过这个东西来看程序是否在被调试。

__kernel_entry NTSYSCALLAPI NTSTATUS NtQueryObject(
 HANDLE                   Handle,
 OBJECT_INFORMATION_CLASS ObjectInformationClass,
 PVOID                    ObjectInformation,
 ULONG                    ObjectInformationLength,
 PULONG                   ReturnLength
);//官方文档版本

NTSTATUS
NtQueryObject (
   __in HANDLE Handle,//需要查询的句柄
   __in OBJECT_INFORMATION_CLASS ObjectInformationClass,
    //查询对象枚举类
   __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
       //输出结构缓冲区
   __in ULONG ObjectInformationLength,
    //缓冲区大小

   __out_opt PULONG ReturnLength
  //实际需要大小
  );//wrk版本

NtQueryObject中的OBJECT_INFORMATION_CLASS参数:

typedef enum _OBJECT_INFORMATION_CLASS {
   ObjectBasicInformation,
   ObjectNameInformation,
   ObjectTypeInformation,
   ObjectTypesInformation,//所有内核对象类型信息
   ObjectHandleFlagInformation,
   ObjectSessionInformation,
   MaxObjectInfoClass  // MaxObjectInfoClass should always be the last enum
} OBJECT_INFORMATION_CLASS;

 

//UNICODE_STRING结构体
typedef struct _UNICODE_STRING {
   USHORT Length;
   USHORT MaximumLength;
#ifdef MIDL_PASS
  [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
   PWSTR  Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;

然后初步代码是这样:

#include"Anti-Debug.h"
int main()
{
   //先获取ntdll的句柄
   HMODULE hNtdll = GetModuleHandleA("ntdll.dll");

   //获取函数指针
   NtQueryObject = (_NtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");

   //来一个很大的缓冲区
   char* buffer = (char*)malloc(0x4000);
   DWORD realSize = 0;
   auto ret = NtQueryObject(NULL, ObjectTypesInformation, buffer, 0x4000, &realSize);
   if(ret != 0)
  {
       printf("NtQueryObject error\n");
  }

   CloseHandle(hNtdll);
   return 0;
}

//Anti-Debug.h
#pragma once
#include<iostream>
#include<Windows.h>
using namespace std;
typedef enum _OBJECT_INFORMATION_CLASS {
   ObjectBasicInformation,
   ObjectNameInformation,
   ObjectTypeInformation,
   ObjectTypesInformation,
   ObjectHandleFlagInformation,
   ObjectSessionInformation,
   MaxObjectInfoClass  // MaxObjectInfoClass should always be the last enum
} OBJECT_INFORMATION_CLASS;
typedef  NTSTATUS(NTAPI* _NtQueryObject)(
   __in HANDLE Handle,
   __in OBJECT_INFORMATION_CLASS ObjectInformationClass,
   __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
   __in ULONG ObjectInformationLength,
   __out_opt PULONG ReturnLength
  );
_NtQueryObject NtQueryObject;
typedef struct _UNICODE_STRING {
   USHORT Length;
   USHORT MaximumLength;
#ifdef MIDL_PASS
  [size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT* Buffer;
#else // MIDL_PASS
   PWSTR  Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;

然后来通过对这个buffer进行一个处理。

处理缓冲区

这个缓冲区是一个比较麻烦的结构,存放了所有内核对象的内容。

typedef struct _OBJECT_TYPES_INFORMATION
{
   ULONG numberOfTypesInfo;
   OBJECT_TYPE_INFORMATION typeInfo[1];
};
//也就是说TYPES包含了type在里面,因为TYPES是所有的type的内容

//缓冲区结构体
//   __out_bcount_opt(ObjectInformationLength) PVOID //ObjectInformation,
typedef struct _OBJECT_TYPE_INFORMATION {
   UNICODE_STRING TypeName;
//内核对象类型的名称,比如互斥体,事件等等  
   ULONG TotalNumberOfObjects;//对象的数量
   ULONG TotalNumberOfHandles;
   ULONG TotalPagedPoolUsage;
   ULONG TotalNonPagedPoolUsage;
   ULONG TotalNamePoolUsage;
   ULONG TotalHandleTableUsage;
   ULONG HighWaterNumberOfObjects;
   ULONG HighWaterNumberOfHandles;
   ULONG HighWaterPagedPoolUsage;
   ULONG HighWaterNonPagedPoolUsage;
   ULONG HighWaterNamePoolUsage;
   ULONG HighWaterHandleTableUsage;
   ULONG InvalidAttributes;
   GENERIC_MAPPING GenericMapping;
   ULONG ValidAccessMask;
   BOOLEAN SecurityRequired;
   BOOLEAN MaintainHandleCount;
   ULONG PoolType;
   ULONG DefaultPagedPoolCharge;
   ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

然后大致上是完成了:

#include"Anti-Debug.h"
int main()
{
   //先获取ntdll的句柄
   HMODULE hNtdll = GetModuleHandleA("ntdll.dll");

   //获取函数指针
   NtQueryObject = (_NtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");

   //来一个很大的缓冲区
   char* buffer = (char*)malloc(0x4000);
   DWORD realSize = 0;
   auto ret = NtQueryObject(NULL, ObjectTypesInformation, buffer, 0x4000, &realSize);
   if(ret != 0)
  {
       printf("NtQueryObject error\n");
       return 0;
  }

   //定义TYPES对于的结构体来获取缓冲区的内容
   POBJECT_TYPES_INFORMATION typesInfo = NULL;
   typesInfo = (POBJECT_TYPES_INFORMATION)buffer;
   //循环遍历typesInfo
   POBJECT_TYPE_INFORMATION typeInfo = typesInfo->typeInfo;
   //采用单个的type结构体来获取每个type的内容
   for(int i = 0; i < typesInfo->numberOfTypesInfo; i++)
  {
       if (wcscmp(L"DebugObject", typeInfo->TypeName.Buffer)==0)//是调试类型的内核对象
      {
           if (typeInfo->TotalNumberOfObjects > 0)
          {
               cout << "有调试内核对象,正在进行调试" << endl;
          }
           else
          {
               cout << "没有检测到内核调试对象" << endl;
          }
           break;
           typeInfo++;
      }
  }
   return 0;
}

但是有一个问题出现了,由于typeinfo这个单type的内容的结构体里面有一个UNICODE_STRING字段这个字段里面又有个buffer,这个buffer根据内容的不同而大小不同,所以不能直接++

//修正指针偏移
      DWORD temp = typeInfo->TypeName.MaximumLength;
      temp +=temp % 4;
      typeInfo = (POBJECT_TYPE_INFORMATION)((DWORD)typeInfo + temp);
      typeInfo++;

最终版本:

#include"Anti-Debug.h"
int main()
{
  //先获取ntdll的句柄
  HMODULE hNtdll = GetModuleHandleA("ntdll.dll");

  //获取函数指针
  NtQueryObject = (_NtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");

  //来一个很大的缓冲区
  char* buffer = (char*)malloc(0x4000);
  DWORD realSize = 0;
  auto ret = NtQueryObject(NULL, ObjectTypesInformation, buffer, 0x4000, &realSize);
  if(ret != 0)
  {
      printf("NtQueryObject error\n");
      return 0;
  }

  //定义TYPES对于的结构体来获取缓冲区的内容
  POBJECT_TYPES_INFORMATION typesInfo = NULL;
  typesInfo = (POBJECT_TYPES_INFORMATION)buffer;
  //循环遍历typesInfo
  POBJECT_TYPE_INFORMATION typeInfo = typesInfo->typeInfo;
  //采用单个的type结构体来获取每个type的内容
  for(int i = 0; i < typesInfo->numberOfTypesInfo; i++)
  {
      if (wcscmp(L"DebugObject", typeInfo->TypeName.Buffer)==0)//是调试类型的内核对象
      {
          if (typeInfo->TotalNumberOfObjects > 0)
          {
              cout << "有调试内核对象,正在进行调试" << endl;
          }
          else
          {
              cout << "没有检测到内核调试对象" << endl;
          }
          break;
      }
      DWORD temp = typeInfo->TypeName.MaximumLength;
      temp +=temp % 4;
      typeInfo = (POBJECT_TYPE_INFORMATION)((DWORD)typeInfo + temp);
      typeInfo++;
  }
  return 0;
}
//头文件
#pragma once
#include<iostream>
#include<Windows.h>
using namespace std;
typedef enum _OBJECT_INFORMATION_CLASS {
  ObjectBasicInformation,
  ObjectNameInformation,
  ObjectTypeInformation,
  ObjectTypesInformation,
  ObjectHandleFlagInformation,
  ObjectSessionInformation,
  MaxObjectInfoClass // MaxObjectInfoClass should always be the last enum
} OBJECT_INFORMATION_CLASS;
typedef NTSTATUS(NTAPI* _NtQueryObject)(
  __in HANDLE Handle,
  __in OBJECT_INFORMATION_CLASS ObjectInformationClass,
  __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
  __in ULONG ObjectInformationLength,
  __out_opt PULONG ReturnLength
  );
_NtQueryObject NtQueryObject;

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
#ifdef MIDL_PASS
  [size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT* Buffer;
#else // MIDL_PASS
  PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;

typedef struct _OBJECT_TYPE_INFORMATION {
  UNICODE_STRING TypeName;
  ULONG TotalNumberOfObjects;
  ULONG TotalNumberOfHandles;
  ULONG TotalPagedPoolUsage;
  ULONG TotalNonPagedPoolUsage;
  ULONG TotalNamePoolUsage;
  ULONG TotalHandleTableUsage;
  ULONG HighWaterNumberOfObjects;
  ULONG HighWaterNumberOfHandles;
  ULONG HighWaterPagedPoolUsage;
  ULONG HighWaterNonPagedPoolUsage;
  ULONG HighWaterNamePoolUsage;
  ULONG HighWaterHandleTableUsage;
  ULONG InvalidAttributes;
  GENERIC_MAPPING GenericMapping;
  ULONG ValidAccessMask;
  BOOLEAN SecurityRequired;
  BOOLEAN MaintainHandleCount;
  ULONG PoolType;
  ULONG DefaultPagedPoolCharge;
  ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;


typedef struct _OBJECT_TYPES_INFORMATION
{
  ULONG numberOfTypesInfo;
  OBJECT_TYPE_INFORMATION typeInfo[1];
}OBJECT_TYPES_INFORMATION,*POBJECT_TYPES_INFORMATION;

 

上一篇:Windows 文件过滤驱动经验总结


下一篇:C#获取时间戳