//
//
//#include "stdafx.h"
#include <Windows.h>
#include <tchar.h>   // _tmain / _TCHAR (previously supplied by the now-commented stdafx.h)
#include <cstdio>    // printf
#include <iostream>
using namespace std;
// Subset of the (undocumented) PROCESSINFOCLASS values accepted by
// NtQueryInformationProcess. This file only includes <Windows.h>, which does
// not declare the enum, so it is spelled out here. Every value is written
// explicitly so the gaps after MaxProcessInfoClass are visible at a glance.
// Only ProcessDebugPort (7) is used in this listing.
//
// NOTE(review): SystemKernelDebuggerInformation does not follow the
// Process* naming of the rest; it looks like a SYSTEM_INFORMATION_CLASS value
// (NtQuerySystemInformation) that was parked in this enum. Nothing here uses
// it. If <winternl.h> is ever included, the name PROCESSINFOCLASS will clash
// with the SDK's own declaration.
enum PROCESSINFOCLASS
{
    ProcessBasicInformation          = 0,
    ProcessQuotaLimits               = 1,
    ProcessIoCounters                = 2,
    ProcessVmCounters                = 3,
    ProcessTimes                     = 4,
    ProcessBasePriority              = 5,
    ProcessRaisePriority             = 6,
    ProcessDebugPort                 = 7,   // used by NtQueryInformationProcessApproach
    ProcessExceptionPort             = 8,
    ProcessAccessToken               = 9,
    ProcessLdtInformation            = 10,
    ProcessLdtSize                   = 11,
    ProcessDefaultHardErrorMode      = 12,
    ProcessIoPortHandlers            = 13,
    ProcessPooledUsageAndLimits      = 14,
    ProcessWorkingSetWatch           = 15,
    ProcessUserModeIOPL              = 16,
    ProcessEnableAlignmentFaultFixup = 17,
    ProcessPriorityClass             = 18,
    ProcessWx86Information           = 19,
    ProcessHandleCount               = 20,
    ProcessAffinityMask              = 21,
    ProcessPriorityBoost             = 22,
    MaxProcessInfoClass              = 23,
    ProcessWow64Information          = 26,
    ProcessImageFileName             = 27,
    ProcessDebugObjectHandle         = 30,
    ProcessDebugFlags                = 31,
    SystemKernelDebuggerInformation  = 35
};
// THREADINFOCLASS values accepted by NtSetInformationThread, declared here
// because this file only includes <Windows.h>. Values are written explicitly;
// ThreadHideFromDebugger (17 == 0x11) is the one this listing uses.
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation          = 0,
    ThreadTimes                     = 1,
    ThreadPriority                  = 2,
    ThreadBasePriority              = 3,
    ThreadAffinityMask              = 4,
    ThreadImpersonationToken        = 5,
    ThreadDescriptorTableEntry      = 6,
    ThreadEnableAlignmentFaultFixup = 7,
    ThreadEventPair_Reusable        = 8,
    ThreadQuerySetWin32StartAddress = 9,
    ThreadZeroTlsCell               = 10,
    ThreadPerformanceCount          = 11,
    ThreadAmILastThread             = 12,
    ThreadIdealProcessor            = 13,
    ThreadPriorityBoost             = 14,
    ThreadSetTlsArrayAddress        = 15,
    ThreadIsIoPending               = 16,
    ThreadHideFromDebugger          = 17,   // 0x11, used by NtSetInformationThreadApproach
    ThreadBreakOnTermination        = 18,
    MaxThreadInfoClass              = 19
} THREADINFOCLASS;
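// Function-pointer types for the two ntdll exports resolved at runtime below.
//
// Both are NT system-call stubs and use the stdcall convention on x86
// (NTAPI == WINAPI == __stdcall), so the convention must be part of the
// pointer type. The original declared NtSetInformationThreadPtr without it:
// calling a __stdcall function through a default (cdecl) pointer on x86 makes
// both caller and callee pop the arguments, leaving ESP off by 16 bytes after
// the call (a debug build reports "ESP was not properly saved across a
// function call"; a release build silently corrupts the stack).
typedef NTSTATUS(WINAPI *NtQueryInformationProcessPtr)(
    HANDLE processHandle,
    PROCESSINFOCLASS processInformationClass,
    PVOID processInformation,
    ULONG processInformationLength,
    PULONG returnLength);
typedef NTSTATUS(WINAPI *NtSetInformationThreadPtr)(
    HANDLE threadHandle,
    THREADINFOCLASS threadInformationClass,
    PVOID threadInformation,
    ULONG threadInformationLength);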
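// Debugger check via PEB.NtGlobalFlag. When a process is *created* by a
// debugger the loader sets the heap-debug flags
//   FLG_HEAP_ENABLE_TAIL_CHECK    0x10
//   FLG_HEAP_ENABLE_FREE_CHECK    0x20
//   FLG_HEAP_VALIDATE_PARAMETERS  0x40
// in NtGlobalFlag; returns true when any of them is set.
// (Author's note on the original: "works".)
//
// Fix: the mask is now the hex literal 70h. The original wrote the decimal
// literal 70 (MSVC inline asm treats unsuffixed numbers as decimal), i.e.
// 0x46 = 0x40|0x04|0x02, which only catches FLG_HEAP_VALIDATE_PARAMETERS and
// additionally reacts to two unrelated flags.
//
// Caveats a reader should know:
//  * x86-only: fs:[30h] is the PEB pointer in the 32-bit TEB and 0x68 is
//    NtGlobalFlag in the 32-bit PEB (the 64-bit PEB, reached via gs:[60h],
//    keeps it at 0xBC; MSVC has no __asm on x64 anyway).
//  * The flags are also set without any debugger when GlobalFlag is
//    configured through gflags / Image File Execution Options, and they are
//    NOT set when a debugger attaches to an already-running process.
bool PebNtGlobalFlagsApproach() {
    int result = 0;
    __asm {
        mov eax, fs:[30h]      ; PEB
        mov eax, [eax+68h]     ; PEB.NtGlobalFlag
        and eax, 70h           ; keep only the three FLG_HEAP_* debug flags
        mov result, eax
    }
    return result != 0;
}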
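// Debugger check via the default process heap's Flags / ForceFlags. A heap
// created while a debugger owns the process carries debug flags beyond the
// usual HEAP_GROWABLE and a non-zero ForceFlags; a normal process heap has
// Flags == HEAP_GROWABLE and ForceFlags == 0. Returns true when either
// condition differs from the normal one.
//
// Why the original failed ("no use on Win7 x64", per the author): it always
// read offset 0x10 of the heap, which is ForceFlags only in the XP/2003
// 32-bit _HEAP layout. From Vista on, Flags/ForceFlags live at 0x40/0x44.
// The offsets are now selected from PEB.OSMajorVersion (0xA4 in the 32-bit
// PEB; major >= 6 means Vista or later) and both fields are examined.
// The offsets come from the public 32-bit PEB/_HEAP layouts; re-check them
// against the target OS's symbols before relying on this in anything real.
//
// x86-only (fs:[30h], 32-bit structures, MSVC __asm). Like NtGlobalFlag, the
// heap flags are set at process creation, so a debugger that attaches later
// is not detected, and gflags/IFEO settings can set them without a debugger.
bool HeapFlagsApproach() {
    DWORD flags = 0;
    DWORD forceFlags = 0;
    __asm {
        mov eax, fs:[30h]        ; PEB
        mov ecx, [eax+0A4h]      ; PEB.OSMajorVersion
        mov eax, [eax+18h]       ; PEB.ProcessHeap
        cmp ecx, 6
        jb  legacy_heap
        mov edx, [eax+40h]       ; _HEAP.Flags      (Vista and later)
        mov eax, [eax+44h]       ; _HEAP.ForceFlags (Vista and later)
        jmp heap_done
    legacy_heap:
        mov edx, [eax+0Ch]       ; _HEAP.Flags      (XP / 2003)
        mov eax, [eax+10h]       ; _HEAP.ForceFlags (XP / 2003)
    heap_done:
        mov flags, edx
        mov forceFlags, eax
    }
    // Anything besides HEAP_GROWABLE, or any ForceFlags bit, is abnormal.
    return (flags & ~HEAP_GROWABLE) != 0 || forceFlags != 0;
}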
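// Debugger check via NtQueryInformationProcess(ProcessDebugPort). The kernel
// returns a pointer-sized value that is non-zero (in practice -1) when a
// user-mode debugger is attached and 0 otherwise. Unlike the PEB/heap flag
// checks this also detects a debugger that attached after process start.
// Returns false (and prints a diagnostic) if ntdll or the export cannot be
// resolved or the call fails. (Author's note on the original: "works".)
//
// Changes from the original listing:
//  * the output buffer is DWORD_PTR, not int: ProcessDebugPort is
//    pointer-sized, so a 4-byte buffer is rejected with
//    STATUS_INFO_LENGTH_MISMATCH in a 64-bit build;
//  * the test is "!= 0", which is the documented contract, instead of
//    "== -1";
//  * GetModuleHandle replaces LoadLibrary: ntdll is always mapped, and
//    LoadLibrary only added a module reference that was never released;
//  * NULL results from GetModuleHandle / GetProcAddress are handled instead
//    of being dereferenced.
// Caveat: being a user-mode query, it is defeated by any debugger plugin that
// hooks NtQueryInformationProcess and rewrites the answer.
bool NtQueryInformationProcessApproach() {
    HMODULE hNtdll = GetModuleHandle(TEXT("Ntdll.dll"));
    if (hNtdll == NULL) {
        printf("[ERROR NtQueryInformationProcessApproach] Ntdll.dll not found\n");
        return false;
    }
    NtQueryInformationProcessPtr NtQueryInformationProcess =
        (NtQueryInformationProcessPtr)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL) {
        printf("[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess not found\n");
        return false;
    }
    DWORD_PTR debugPort = 0;
    NTSTATUS status = NtQueryInformationProcess(GetCurrentProcess(),
                                                ProcessDebugPort,
                                                &debugPort,
                                                sizeof(debugPort),
                                                NULL);
    // STATUS_SUCCESS is 0; anything else is treated as failure, as before.
    if (status != 0) {
        printf("[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess failed\n");
        return false;
    }
    return debugPort != 0;
}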
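// Hides the calling thread from any attached debugger via
// NtSetInformationThread(ThreadHideFromDebugger). Once set, the kernel stops
// delivering this thread's debug events to the debugger, and the flag cannot
// be cleared again from user mode. A breakpoint or exception hit later on
// this thread is therefore not reported to the debugger; presumably it is
// then dispatched to the process's own handlers as if no debugger were
// present, which usually ends the process — so only call this on a thread
// you never intend to debug. (Author's note on the original: "works".)
//
// Changes from the original listing: the information class is passed by its
// enum name instead of the magic literal 0x11, the lookups are checked rather
// than dereferenced blindly, and GetModuleHandle replaces LoadLibrary (ntdll
// is always mapped; the extra reference was never released). The NTSTATUS is
// still dropped because the function's interface is void, so callers cannot
// tell whether the request took effect.
void NtSetInformationThreadApproach() {
    HMODULE hNtdll = GetModuleHandle(TEXT("Ntdll.dll"));
    if (hNtdll == NULL)
        return;
    NtSetInformationThreadPtr NtSetInformationThread =
        (NtSetInformationThreadPtr)GetProcAddress(hNtdll, "NtSetInformationThread");
    if (NtSetInformationThread == NULL)
        return;
    // ThreadHideFromDebugger carries no payload: buffer NULL, length 0.
    NtSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0);
}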
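// Top-level exception filter installed by UnhandledExceptionFilterApproach.
//
// Without a debugger the deliberate divide-by-zero raised there reaches this
// filter, which resets the top-level filter and resumes execution two bytes
// past the faulting `div eax` (F7 F0, a 2-byte instruction). With a debugger
// attached, UnhandledExceptionFilter hands the second-chance exception to the
// debugger instead of calling this filter — that asymmetry is the check.
//
// The filter to reinstall is taken from ContextRecord->Eax: the caller zeroes
// EAX (`xor eax, eax`) immediately before the `div`, so this installs NULL,
// i.e. the default handler.
//
// Fix: the original patched Eip for *every* unhandled exception that reached
// it, which would silently skip two bytes of an unrelated crash site and
// resume in a corrupt state. It now handles only the integer divide-by-zero
// it was written for and passes everything else on. (It still assumes the
// faulting instruction is the 2-byte `div`; an unrelated divide-by-zero
// elsewhere in the process would be mis-stepped.)
//
// x86-only: Eax/Eip exist only in the 32-bit CONTEXT (x64 has Rax/Rip).
LONG WINAPI MyUnhandledExceptionFilter(struct _EXCEPTION_POINTERS *pei) {
    if (pei == NULL || pei->ExceptionRecord == NULL || pei->ContextRecord == NULL)
        return EXCEPTION_CONTINUE_SEARCH;
    if (pei->ExceptionRecord->ExceptionCode != EXCEPTION_INT_DIVIDE_BY_ZERO)
        return EXCEPTION_CONTINUE_SEARCH;   // not ours: default handling

    // Reinstall whatever EAX held at the fault (NULL, see above).
    SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)pei->ContextRecord->Eax);
    // Step over the 2-byte `div eax` so the thread resumes at the next instruction.
    pei->ContextRecord->Eip += 2;
    // Resume the thread with the patched context instead of terminating the process.
    return EXCEPTION_CONTINUE_EXECUTION;
}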
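// Debugger check built on the top-level exception filter: install
// MyUnhandledExceptionFilter, then deliberately raise an integer
// divide-by-zero (`div eax` with EAX == 0). (Author's note: "practical".)
//
//  * No debugger: the fault reaches the filter, which steps over the `div`;
//    this function then returns false ("not being debugged").
//  * Debugger attached: UnhandledExceptionFilter does not call the user
//    filter and the second-chance exception goes to the debugger, so control
//    normally never returns here.
//
// Fix: the previously installed top-level filter is captured and put back
// afterwards. The original left the process with whatever the filter
// installed (NULL, because EAX is zeroed before the `div`), clobbering any
// crash handler the host application had registered.
//
// x86-only (MSVC __asm; the filter touches the 32-bit CONTEXT). Keep the two
// instructions exactly as they are: the filter's `Eip += 2` assumes the
// faulting instruction is the 2-byte `div eax` (F7 F0).
bool UnhandledExceptionFilterApproach()
{
    LPTOP_LEVEL_EXCEPTION_FILTER previous =
        SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);
    __asm {
        xor eax, eax       ; EAX = 0; also what the filter reinstalls as "previous"
        div eax            ; EDX:EAX / 0 -> EXCEPTION_INT_DIVIDE_BY_ZERO
    }
    // Only reached when our filter handled the fault (no debugger took it).
    SetUnhandledExceptionFilter(previous);
    return false;
}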
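// Debugger check via DeleteFiber on a buffer that is not a fiber. The
// expectation is that kernel32 rejects the bogus fiber and reports
// ERROR_INVALID_PARAMETER (0x57); any other last-error value is treated as
// interference (presumably a debugger intercepting the exception DeleteFiber
// raises internally — this relies on undocumented behaviour). The author
// reports it working poorly on Win7 x64; passing a non-fiber to DeleteFiber
// is outside the API contract, so do not rely on this check on its own.
//
// Fix: the last-error value is cleared before the call. The original compared
// whatever GetLastError() happened to hold — possibly a stale value from an
// earlier API call that DeleteFiber never overwrote — which made the result
// meaningless in that case. The symbolic ERROR_INVALID_PARAMETER replaces
// the magic 0x57.
bool DeleteFiberApproach()
{
    char fakeFiber[1024] = { 0 };
    SetLastError(0);
    DeleteFiber(fakeFiber);
    return GetLastError() != ERROR_INVALID_PARAMETER;
}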
// Demo entry point. Only the exception-filter check is exercised; the other
// approaches defined above are left uncalled. Reaching the output line means
// MyUnhandledExceptionFilter handled the deliberate fault (no debugger took
// it first). Requires <tchar.h> for _tmain / _TCHAR.
int _tmain(int argc, _TCHAR* argv[])
{
    // Command-line arguments are not used by this demo.
    (void)argc;
    (void)argv;

    UnhandledExceptionFilterApproach();
    std::cout << "hello" << std::endl;

    // Keep the console window open until a key is pressed.
    getchar();
    return 0;
}