我一直在尝试使用ZwQuerySystemInformation函数调用来确定程序是否在系统模式调试器下运行。
到目前为止我的代码如下:先加载 ntdll.dll 库并获取 ZwQuerySystemInformation 的地址,然后需要用适当的参数、通过得到的函数指针调用它,以获取 SystemKernelDebuggerInformation 信息。
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <Winternl.h>
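int _tmain(int argc, _TCHAR* argv[])
{
    /* SystemKernelDebuggerInformation (class 35) and the record it fills are not
     * declared in the public Winternl.h, so both are declared locally. The two
     * flags describe a system-wide kernel debugger, not a user-mode debugger
     * attached to this process. */
    typedef struct _KERNEL_DEBUGGER_INFO {
        BOOLEAN DebuggerEnabled;
        BOOLEAN DebuggerNotPresent;
    } KERNEL_DEBUGGER_INFO;
    enum { KERNEL_DEBUGGER_INFO_CLASS = 35 };
    /* the real prototype of the export, so the call goes through the pointer we
     * looked up instead of the (differently typed) NtQuerySystemInformation symbol */
    typedef NTSTATUS (NTAPI *QUERY_SYSTEM_INFORMATION_FN)(
        SYSTEM_INFORMATION_CLASS SystemInformationClass,
        PVOID SystemInformation,
        ULONG SystemInformationLength,
        PULONG ReturnLength);

    (void)argc;
    (void)argv;

    /* load the ntdll.dll; it is already mapped in every process, but the
     * reference taken by LoadLibrary still has to be released with FreeLibrary */
    HMODULE lib = LoadLibrary(_T("ntdll.dll"));
    if (lib == NULL) {
        printf("Error: could not load ntdll.dll (error %lu).\n", GetLastError());
        return 1;
    }

    QUERY_SYSTEM_INFORMATION_FN fun =
        (QUERY_SYSTEM_INFORMATION_FN)GetProcAddress(lib, "ZwQuerySystemInformation");
    if (fun == NULL) {
        printf("Error: could not find the function ZwQuerySystemInformation in library ntdll.dll.");
        FreeLibrary(lib);
        return 1;
    }
    /* %p is correct for 32- and 64-bit builds; casting to unsigned int truncates on x64 */
    printf("ZwQuerySystemInformation is located at %p in ntdll.dll.\n", (void *)fun);

    /* zero the record so a failed query can never be read as "debugger present" */
    KERNEL_DEBUGGER_INFO info = {0};
    ULONG returned = 0;
    NTSTATUS status = fun((SYSTEM_INFORMATION_CLASS)KERNEL_DEBUGGER_INFO_CLASS,
                          &info, sizeof(info), &returned);
    if (!NT_SUCCESS(status)) {
        printf("Error: ZwQuerySystemInformation failed with status 0x%08lx.\n",
               (unsigned long)status);
    } else {
        printf("DebuggerEnabled=%u DebuggerNotPresent=%u\n",
               (unsigned)info.DebuggerEnabled, (unsigned)info.DebuggerNotPresent);
    }

    FreeLibrary(lib);
    /* wait */
    getchar();
    return 0;
}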
您能告诉我应该如何调用该函数,才能取得包含 SystemKernelDebuggerInformation 的系统信息吗?有这一步就够了,其余的我自己处理。
谢谢
答案 0 :(得分:1)
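/* Reports whether a kernel (system-mode) debugger is enabled and attached.
 * Returns TRUE only when ntdll reports DebuggerEnabled set and DebuggerNotPresent
 * clear; FALSE when ntdll cannot be found, the export is missing, the query
 * fails, or no kernel debugger is active. This is system-wide state, not an
 * indication that a user-mode debugger is attached to this process. */
int main(){
    typedef long NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0L)
    /* not declared in the public Winternl.h: the record filled for class 35 */
    typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
        BOOLEAN DebuggerEnabled;
        BOOLEAN DebuggerNotPresent;
    } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
    enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };
    typedef NTSTATUS (__stdcall *ZW_QUERY_SYSTEM_INFORMATION)(IN enum SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength);

    /* ntdll is mapped in every process, so GetModuleHandle needs no matching
     * FreeLibrary; the ANSI variant keeps the literal valid when UNICODE is defined */
    HMODULE hModule = GetModuleHandleA("ntdll.dll");
    if (!hModule) {
        return FALSE;
    }

    ZW_QUERY_SYSTEM_INFORMATION ZwQuerySystemInformation =
        (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hModule, "ZwQuerySystemInformation");
    if (!ZwQuerySystemInformation) {
        return FALSE;
    }

    /* zeroed so that a failed query cannot leave stale bytes that read as "enabled" */
    SYSTEM_KERNEL_DEBUGGER_INFORMATION Info = {0};
    NTSTATUS status = ZwQuerySystemInformation(SystemKernelDebuggerInformation, &Info, sizeof(Info), NULL);
    if (status != STATUS_SUCCESS) {
        return FALSE;
    }

    /* both flags must agree: enabled, and a debugger is actually connected */
    return (Info.DebuggerEnabled && !Info.DebuggerNotPresent) ? TRUE : FALSE;
}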
自Windows 8起,