防止被进程附加调试

1. /**********************防止被进程附加调试*******************************/ 
2. bool AntiAttach() 
3. { 
4.       HMODULE ntdll; // ntdll handle 
5.       void* pDbgUiRemoteBreakin; // function handle 
6.       DWORD dwOldProtect; // just for fun 
7.       DWORD dwCodeSize; // Size of code to copy 
8.       
9.       // Get ntdll.dll handle 
10.       ntdll = GetModuleHandle("ntdll.dll"); 
11.       if(ntdll) 
12.       { 
13.            // Get target function addr 
14.            pDbgUiRemoteBreakin = GetProcAddress(ntdll, "DbgUiRemoteBreakin"); 
15.            if(pDbgUiRemoteBreakin) 
16.            { 
17.                 __asm 
18.                 { 
19.                      // Get code size 
20.                      lea eax, __CodeToCopyStart 
21.                           lea ecx, __CodeToCopyEnd 
22.                           sub ecx, eax 
23.                           mov dwCodeSize, ecx 
24.                 } 
25.                 // Make sure that we have write rights ... 
26.                 if(VirtualProtect(pDbgUiRemoteBreakin, dwCodeSize, PAGE_EXECUTE_READWRITE, &dwOldProtect)) 
27.                 { 
28.                      __asm 
29.                      { 
30.                           // Copy code between __CodeToCopyStart and __CodeToCopyEnd 
31.                           mov edi, pDbgUiRemoteBreakin 
32.                                lea esi, __CodeToCopyStart 
33.                                mov ecx, dwCodeSize 
34.                                rep movsb 
35.                                // Skip code 
36.                                jmp __CodeEnd 
37.                                
38. __CodeToCopyStart: 
39.                           lea eax, __CodeToCopyEnd 
40.                                jmp eax 
41. __CodeToCopyEnd: 
42.                      } 
43.                      
44.                      // ***CODE*HERE*** 
45.                      __asm 
46.                      { 
47.                           // Clear registers 
48.                           xor eax, eax 
49.                                pushfd 
50.                                mov [esp], eax 
51.                                popfd 
52.                                xor ebx, ebx 
53.                                xor ecx, ecx 
54.                                xor edx, edx 
55.                                xor esi, esi 
56.                                xor edi, edi 
57.                                xor esp, esp 
58.                                xor ebp, ebp 
59.                                // Jump to address 0 
60.                                jmp eax 
61.                      } 
62.                      // *************** 
63.                      
64. __CodeEnd:; 
65.            return true; 
66.                 } 
67.            } 
68.       } 
69.       return false;      
70. } 
73. void AntiDebug() 
74. { 
75.       HANDLE handle=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 
76.       PROCESSENTRY32* info=new PROCESSENTRY32; 
77. info->dwSize=sizeof(PROCESSENTRY32); 
78. int i=0; 
79. //      HTREEITEM hItem[100]; 
80.       
81.       int MyParentProcessID=0;//自身的父进程ID 
82.       int ExplorerProcessID=0;//Explorer.exe的进程ID 
83.       int WinRarProcessID = 0;//winrar进程ID 
84.       if (Process32First(handle,info)) 
85.       { 
86.            while (Process32Next(handle,info)) 
87.            { 
88.                 CString exe; 
89.                 exe.Format("%s",info->szExeFile); 
90.                 
91.                 CString ProcessID; 
92.                 ProcessID.Format("进程ID：%d",info->th32ProcessID); 
93.                 
94.                 CString ParentID; 
95.                 ParentID.Format("父进程ID：%d",info->th32ParentProcessID); 
97.                 //比较进程名，这里忽略大小写 
98.                 if (stricmp(exe.GetBuffer(exe.GetLength()),"WinRAR.exe") == 0) 
99.                      WinRarProcessID = info->th32ProcessID; 
100.                 if (stricmp(exe.GetBuffer(exe.GetLength()),"explorer.exe")==0) 
101.                      ExplorerProcessID=info->th32ProcessID;//获得EXPLORER的进程ID 
102.                 if (stricmp(exe.GetBuffer(exe.GetLength()),"test.exe")==0) 
103.                      MyParentProcessID=info->th32ParentProcessID;//获得自身父进程ID 
104.                 
105.                 i++; 
106.            } 
107.       }      
108. //      SetDlgItemText(IDC_STATUS,sta);      
109.       CloseHandle(handle);      
110.       delete info; 
111.       //检查自身程序的父进程是否是winrar 
112.       if(MyParentProcessID != WinRarProcessID) 
113.       { 
114.            //检测自身的父进程是否是EXPLORER 
115.            if (MyParentProcessID!=ExplorerProcessID) 
116.            { 
117.                 //           AfxMessageBox("检测到调试器"); 
118.                 PrintLog("检测到调试器,结束自身"); 
119. //                exit(0); 
120.                 //           return ; 
121.            } 
122.       } 
123. //      else 
124. //           AfxMessageBox("注意：没有检测到调试器..."); 
125. }