[转]隐藏Debug
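// Hide the debugger from the debuggee by clearing the debug-related PEB
// fields of a freshly created, still-suspended 32-bit process.
//
// pi: PROCESS_INFORMATION of the target. pi.hThread must be its initial
//     thread and pi.hProcess must allow reading and writing its memory.
//     The function assumes the thread's Ebx still holds the PEB base, as
//     it does for the initial x86 thread context of a process created
//     suspended -- TODO confirm this matches the caller's creation flags.
//
// Returns nothing. Every Win32 call is checked: on the first failure the
// remaining patches are skipped, and the thread is resumed only if it was
// suspended here, so a failed GetThreadContext can no longer turn the
// patches into writes at address 0x2 / 0x68 / 0x18 of the target.
void HideDebug(PROCESS_INFORMATION pi)
{
    BYTE isDebugFlag = 0x00;     // value stored into PEB.BeingDebugged and NtGlobalFlag
    int  isHeapFlag  = 2;        // value stored at the process heap base (see note below)
    CONTEXT context;
    DWORD heapAddress = 0;

    // Freeze the thread so its context cannot change underneath us.
    // SuspendThread reports failure with (DWORD)-1; nothing to undo then.
    if (SuspendThread(pi.hThread) == (DWORD)-1) {
        return;
    }

    ZeroMemory(&context, sizeof(CONTEXT));
    // The original also requested the debug registers; kept as-is so the
    // retrieved context is identical to what the original code saw.
    context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
    // Without a valid context Ebx is 0 and every patch below would target a
    // bogus address, so bail out instead of continuing.
    if (!GetThreadContext(pi.hThread, &context)) {
        goto resume;
    }

    // PEB+0x02: BeingDebugged.
    if (!WriteProcessMemory(pi.hProcess, (LPVOID)(context.Ebx + 0x2),
                            &isDebugFlag, 1, NULL)) {
        goto resume;
    }
    // PEB+0x68: NtGlobalFlag. The original note says a debugger-created
    // process shows 0x70 here; it is set to 0 so other checks don't see it.
    if (!WriteProcessMemory(pi.hProcess, (LPVOID)(context.Ebx + 0x68),
                            &isDebugFlag, 1, NULL)) {
        goto resume;
    }
    // PEB+0x18: ProcessHeap (address of the default heap).
    if (!ReadProcessMemory(pi.hProcess, (LPCVOID)(context.Ebx + 0x18),
                           &heapAddress, sizeof(heapAddress), NULL)) {
        goto resume;
    }
    // NOTE(review): this stores sizeof(int) bytes at offset 0 of the heap
    // header, exactly as the original did. Whether offset 0 is the intended
    // flags field depends on the HEAP layout of the target OS -- confirm
    // before relying on it; the original left no evidence either way.
    WriteProcessMemory(pi.hProcess, (LPVOID)heapAddress,
                       &isHeapFlag, sizeof(isHeapFlag), NULL);
    // The original re-read NtGlobalFlag here only for a commented-out
    // printf; the result was never used, so the read is dropped.

resume:
    // Always undo our own SuspendThread, whether or not the patches succeeded.
    ResumeThread(pi.hThread);
}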