防止loader的一种技术(2千字),loader,反跟踪技术 2008年06月23日 星期一 下午 02:29 通过检查进程的父进程,可以防止loader方式的破解。一般情况下普通Win32进程的父进程是explorer.exe。如果不是,则很可能是被其它loader加载了。 在NT/2K下,可以利用native API获得进程的父进程的PID,进而可获得父进程的程序名。 #include #include #include #define NTAPI __stdcall typedef long NTSTATUS; #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0) enum PROCESS_INFO_CLASS { ProcessBasicInformation = 0 }; typedef struct _PROCESS_BASIC_INFORMATION { NTSTATUS ExitStatus; ULONG PebBaseAddress; ULONG AffinityMask; ULONG BasePriority; ULONG UniqueProcessId; ULONG InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; typedef NTSTATUS (NTAPI *ZW_QUERY_INFORMATION_PROCESS)(IN HANDLE ProcessHandle, IN PROCESS_INFO_CLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength); ULONG GetParentPID(HANDLE hProcess) { ULONG ParentPID = (ULONG)(-1); __try { HMODULE hModule = GetModuleHandle("ntdll.dll"); if (! hModule) __leave; ZW_QUERY_INFORMATION_PROCESS ZwQueryInformationProcess; ZwQueryInformationProcess = (ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hModule, "ZwQueryInformationProcess"); if (!ZwQueryInformationProcess) __leave; PROCESS_BASIC_INFORMATION ProcessInfo; NTSTATUS Status = ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &ProcessInfo, sizeof(ProcessInfo), NULL); if (NT_SUCCESS(Status)) { ParentPID = ProcessInfo.InheritedFromUniqueProcessId; } } __finally { //empty } return ParentPID; } void main(void) { LONG ParentPID = GetParentPID(GetCurrentProcess( )); cout << "Parent PID: " << ParentPID << endl; HANDLE hParentProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ParentPID); if (hParentProcess) { char FileName[MAX_PATH]; DWORD Len = GetModuleFileNameEx(hParentProcess, NULL, FileName, MAX_PATH); if (Len) { cout << "Parent EXE name: " << FileName << endl; } CloseHandle(hParentProcess); } } 在NT/2K下,普通Win32进程的父进程还可能是cmd.exe;对于Win32服务进程,其父进程则为service.exe。 |
|小黑屋|最新主题|手机版|微赢网络技术论坛 ( 苏ICP备08020429号 )
GMT+8, 2024-9-29 23:24 , Processed in 0.164781 second(s), 12 queries , Gzip On, MemCache On.
Powered by Discuz! X3.5
© 2001-2023 Discuz! Team.