这个 API 的功能是:如果程序正在被调试,则强制将自己从调试器里分离出来。
代码:
#include "stdafx.h"
#include <iostream>
#include <tchar.h>
#include <Windows.h>
#include <stdio.h>
#pragma
/*
ZwSetInformationThread 第二个成员
*/
typedef enum _THREADINFOCLASS {
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger
}THREAD_INFO_CLASS;
#pragma
#pragma
/*
ZwSetInformationThread
*/
typedef NTSTATUS (NTAPI *pZwSetInformationThread)(
IN HANDLE ThreadHandle, // 线程对象句柄
IN THREAD_INFO_CLASS ThreadInformaitonClass, // 线程信息类型
IN PVOID ThreadInformation, // 线程信息指针
IN ULONG ThreadInformationLength // 线程信息大小
);
#pragma
#pragma
#pragma
int _tmain(int argc, _TCHAR* argv[])
{
// 获取 ZwSetInformationThread 函数地址
pZwSetInformationThread ZwSetInformationThread = (pZwSetInformationThread)GetProcAddress(LoadLibrary(L"ntdll.dll"),"ZwSetInformationThread");
// 执行 ZwSetInformationThread
ZwSetInformationThread(GetCurrentThread(),ThreadHideFromDebugger,NULL,NULL);
// 测试 ZwSetInformationThread 的效果
std::cout << "程序运行到了这里" << std::endl;
getchar();
return 0;
}
效果图:
在 API 执行前下断点程序可以正常断下:
在 API 执行之后下断点无法断下:
