ZwQueryInformationProcess 反调试代码

测试了一下比较管用

bool check()
{
#define NTAPI              __stdcall 
    typedef long              NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 
#define STATUS_SUCCESS    ((NTSTATUS)0L) 

    typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
    {
        BOOLEAN DebuggerEnabled;
        BOOLEAN DebuggerNotPresent;
    } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

    typedef struct _PROCESS_DEBUG_PORT_INFO
    {
        HANDLE DebugPort;
    }    PROCESS_DEBUG_PORT_INFO;


    enum SYSTEM_INFORMATION_CLASS    { SystemKernelDebuggerInformation = 35 };
    enum THREAD_INFO_CLASS            { ThreadHideFromDebugger = 17 };
    enum PROCESS_INFO_CLASS            { ProcessDebugPort = 7 };

    typedef NTSTATUS(NTAPI *ZW_QUERY_SYSTEM_INFORMATION)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength);
    typedef NTSTATUS(NTAPI *ZW_SET_INFORMATION_THREAD)(IN HANDLE ThreadHandle, IN THREAD_INFO_CLASS ThreadInformationClass, IN PVOID ThreadInformation, IN ULONG ThreadInformationLength);
    typedef NTSTATUS(NTAPI *ZW_QUERY_INFORMATION_PROCESS)(IN HANDLE ProcessHandle, IN PROCESS_INFO_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength);



    HMODULE hModule = GetModuleHandle(TEXT("ntdll.dll"));
    if (hModule == NULL)
    {
        //cout << "Failed: GetModuleHandle" << endl;
        //cout << "This prog needs WinNT/2K/XP to run." << endl;
        return false;  //反调试加载失败
    }

    //------------------------------------------------------------------------------------ 
    ZW_QUERY_SYSTEM_INFORMATION ZwQuerySystemInformation;
    ZwQuerySystemInformation = (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hModule, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL)
    {
        //cout << "Failed: GetProcAddress ZwQuerySystemInformation" << endl;
        return false; //反调试加载失败获取函数入口失败
    }
    /* 
    系统调试器
    SYSTEM_KERNEL_DEBUGGER_INFORMATION Info;
    if (STATUS_SUCCESS == ZwQuerySystemInformation(SystemKernelDebuggerInformation, &Info, sizeof(Info), NULL))
    {
        if (Info.DebuggerEnabled)
        {
            //cout << "System debugger enabled" << endl;
            if (Info.DebuggerNotPresent)
                cout << "System debugger not present" << endl;
            else
                cout << "System debugger present" << endl;

        }
        else
            cout << "System debugger disabled" << endl;
    }
    else
    {
        cout << "Failed: ZwQuerySystemInformation" << endl;
    }

    */

    //--------------------------------------------------------------------------------------- 

    ZW_SET_INFORMATION_THREAD ZwSetInformationThread;
    ZwSetInformationThread = (ZW_SET_INFORMATION_THREAD)GetProcAddress(hModule, "ZwSetInformationThread");
    if (ZwSetInformationThread == NULL)
    {
        //cout << "Failed: GetProcAddress ZwSetInformationThread" << endl;
        return false;//函数入口获取失败
    }

    if (STATUS_SUCCESS != ZwSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0))
        return false;//cout << "Failed: ZwSetInformationThread" << endl;

    //--------------------------------------------------------------------------------------- 
    ZW_QUERY_INFORMATION_PROCESS ZwQueryInformationProcess;
    ZwQueryInformationProcess = (ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hModule, "ZwQueryInformationProcess");
    if (ZwQueryInformationProcess == NULL)
    {
        //cout << "Failed: GetProcAddress ZwQueryInformationprocess" << endl;
        return false;
    }

    PROCESS_DEBUG_PORT_INFO ProcessInfo;
    if (STATUS_SUCCESS != ZwQueryInformationProcess(GetCurrentProcess(), ProcessDebugPort, &ProcessInfo, sizeof(ProcessInfo), NULL))
        return false;// cout << "Failed: ZwQueryInformationProcess" << endl;
    else
    {
        if (ProcessInfo.DebugPort)
            return true;//cout << "Process debugger present" << endl;
        else
            return false;//cout << "Process debugger not present" << endl;
    }











}

异常反调试 试了试比较有用能检测大部分市面OD

BOOL checkCode()
{
bool b=false;
      __try
      {
           CloseHandle(HANDLE(0x100211));
           // RaiseException(dwCode, 0, 0, 0);
      }
      __except(1)
      {
      b=true;
      return  EXCEPTION_EXECUTE_HANDLER;
      }


 
      return b;
}