The DebugObjectHandle handle

1. Detecting a debugger via the DebugObjectHandle handle

Starting with Windows XP, Windows introduced the DebugObject. When a debugging session is started, the debugger calls the debug subsystem functions to create a DebugObject and a handle associated with it, the DebugObjectHandle.

1 Detection via the NtQueryInformationProcess function

We can call NtQueryInformationProcess with the ProcessDebugObjectHandle (0x1e) information class to query whether a given process is currently being debugged. The code is as follows:

#include <stdio.h>
#include <stdlib.h>    // system()
#include <Windows.h>

// NTSTATUS lives in winternl.h / ntdef.h rather than Windows.h; it is declared here
// directly because including winternl.h would clash with the PROCESSINFOCLASS enum below
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,          // Note: this is kernel mode only
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,       // = 30 (0x1e)
    ProcessDebugFlags,
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,
    ProcessResourceManagement,
    ProcessCookie,
    ProcessImageInformation,
    MaxProcessInfoClass             // MaxProcessInfoClass should always be the last enum
} PROCESSINFOCLASS;

typedef NTSTATUS(NTAPI* PFN_NtQueryInformationProcess)(
    HANDLE ProcessHandle,              // handle of the process to query
    DWORD ProcessInformationClass,     // PROCESSINFOCLASS value to query
    PVOID ProcessInformation,          // output buffer
    ULONG ProcessInformationLength,    // size of the output buffer
    PULONG ReturnLength                // number of bytes actually returned
    );


// function pointer, resolved from ntdll.dll at run time
PFN_NtQueryInformationProcess NtQueryInformationProcess;

int main()
{
    /* Detect the DebugObjectHandle via NtQueryInformationProcess */
    // obtain the address of NtQueryInformationProcess from ntdll.dll
    HMODULE hMod = LoadLibraryA("ntdll.dll");
    if (hMod == NULL)
    {
        printf("Failed to load ntdll.dll\r\n");
        return 1;
    }
    NtQueryInformationProcess = (PFN_NtQueryInformationProcess)GetProcAddress(hMod, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
    {
        printf("Failed to resolve NtQueryInformationProcess\r\n");
        return 1;
    }

    // query whether a DebugObjectHandle exists; when the process is not being
    // debugged the call fails and the handle stays NULL
    HANDLE DebugObjectHandle = NULL;
    NTSTATUS status = NtQueryInformationProcess(GetCurrentProcess(), ProcessDebugObjectHandle, &DebugObjectHandle, sizeof(HANDLE), NULL);    // ProcessDebugObjectHandle(30)
    if (NT_SUCCESS(status) && DebugObjectHandle != NULL)
    {
        printf("Being debugged, returned DebugObjectHandle is 0x%p\r\n", DebugObjectHandle);
        // the returned value is a real handle opened in this process, so close it
        CloseHandle(DebugObjectHandle);
    }
    else
    {
        printf("Not being debugged\r\n");
    }

    system("pause");
    return 0;
}

Opening the program under a debugger gives the following result:

posted @ 2025-02-17 21:14  lostin9772