[Reversing] ZwSetInformationThread, Anti-Debugging
References
> https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ps/psquery/class.htm
> http://www.openrce.org/reference_library/anti_reversing
Whether a program uses this anti-debugging trick can be determined by inspecting the second argument (ThreadInformationClass) passed to ZwSetInformationThread.
When 0x11 (ThreadHideFromDebugger) is passed as the second argument, the call is a debugger check; to bypass it, change that value to 0.
```c
typedef DWORD (WINAPI *PFZWSETINFORMATIONTHREAD)(
    HANDLE ThreadHandle,
    DWORD  ThreadInformationClass,   // Original : _THREAD_INFORMATION_CLASS
    PVOID  ThreadInformation,
    ULONG  ThreadInformationLength
);
```
```c
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation           = 0x00,
    ThreadTimes                      = 0x01,
    ThreadPriority                   = 0x02,
    ThreadBasePriority               = 0x03,
    ThreadAffinityMask               = 0x04,
    ThreadImpersonationToken         = 0x05,
    ThreadDescriptorTableEntry       = 0x06,
    ThreadEnableAlignmentFaultFixup  = 0x07,
    ThreadEventPair                  = 0x08,
    ThreadQuerySetWin32StartAddress  = 0x09,
    ThreadZeroTlsCell                = 0x0A,
    ThreadPerformanceCount           = 0x0B,
    ThreadAmILastThread              = 0x0C,
    ThreadIdealProcessor             = 0x0D,
    ThreadPriorityBoost              = 0x0E,
    ThreadSetTlsArrayAddress         = 0x0F,
    ThreadIsIoPending                = 0x10,
    ThreadHideFromDebugger           = 0x11,   // the anti-debugging class discussed above
    ThreadBreakOnTermination         = 0x12,
    ThreadSwitchLegacyState          = 0x13,
    ThreadIsTerminated               = 0x14,
    ThreadLastSystemC                = 0x15,   // name truncated on the original page
    ThreadIoPriority                 = 0x16,
    ThreadCycleTime                  = 0x17,
    ThreadPagePriority               = 0x18,
    ThreadActualBasePriority         = 0x19,
    ThreadTebInformation             = 0x1A,
    ThreadCSwitchMon                 = 0x1B,
    ThreadCSwitchPmu                 = 0x1C,
    ThreadWow64Context               = 0x1D,
    ThreadGroupInformation           = 0x1E,
    ThreadUmsInformation             = 0x1F,
    ThreadCounterProfiling           = 0x20,
    ThreadIdealProcessorEx           = 0x21,
    ThreadCpuAccountingInformation   = 0x22,
    ThreadSuspendCount               = 0x23,
    ThreadHeterogeneousCpuPolicy     = 0x24,
    ThreadContainerId                = 0x25,
    ThreadNameInformation            = 0x26,
    ThreadSelectedCpuSets            = 0x27,
    ThreadSystemThreadInformation    = 0x28,
    ThreadActualGroupAffinity        = 0x29
} THREADINFOCLASS;
```
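The following is an added example, not code from the post, that models the bypass described above as an analyst's detour on ZwSetInformationThread. It is not Windows code: the "kernel" side (fake_ZwSetInformationThread, FakeThread, the hidden_from_debugger flag) is a constructed stand-in for the one flag this post discusses, so the logic compiles and runs anywhere. The detour does what the text says, rewriting ThreadInformationClass 0x11 to 0 before forwarding, and records how many hide attempts it neutralised. On Windows the real function would be resolved from ntdll with GetProcAddress and the detour installed by a debugger plugin or an inline hook; those parts are assumed, not shown.

```c
/* Portable model of an analyst's detour on ZwSetInformationThread.
 * Added example; the kernel side is a constructed simulation. */
#include <stdio.h>
#include <stddef.h>

typedef unsigned long DWORD;   /* stand-ins for the Windows types used in the typedef above */
typedef unsigned long ULONG;
typedef void *PVOID;
typedef void *HANDLE;

#define STATUS_SUCCESS            0x00000000UL
#define STATUS_INVALID_INFO_CLASS 0xC0000003UL

enum {                                   /* values from the THREADINFOCLASS table above */
    ThreadBasicInformation = 0x00,
    ThreadHideFromDebugger = 0x11
};

/* Same shape as PFZWSETINFORMATIONTHREAD on the page (WINAPI dropped for portability). */
typedef DWORD (*PFZWSETINFORMATIONTHREAD)(HANDLE, DWORD, PVOID, ULONG);

/* Constructed per-thread state standing in for the kernel's "hidden" flag. */
typedef struct { int hidden_from_debugger; } FakeThread;

/* Simulated original. Class 0x11 sets the flag. Class 0 (ThreadBasicInformation)
 * is a query-only class, so a set request with it is rejected, as the real
 * kernel does; that matters for the detour below. */
static DWORD fake_ZwSetInformationThread(HANDLE h, DWORD cls, PVOID info, ULONG len)
{
    FakeThread *t = (FakeThread *)h;
    (void)info; (void)len;
    if (cls == ThreadHideFromDebugger) { t->hidden_from_debugger = 1; return STATUS_SUCCESS; }
    if (cls == ThreadBasicInformation) return STATUS_INVALID_INFO_CLASS;
    return STATUS_SUCCESS;
}

/* Hypothetical analyst-side bookkeeping: how often the sample tried to hide. */
static int g_hide_attempts = 0;
static PFZWSETINFORMATIONTHREAD g_original = fake_ZwSetInformationThread;

/* The detour. Argument 0x11 is rewritten to 0 exactly as the post describes.
 * Because the forwarded call now fails, STATUS_SUCCESS is returned explicitly;
 * otherwise a sample that checks the returned status could notice the edit. */
static DWORD hook_ZwSetInformationThread(HANDLE h, DWORD cls, PVOID info, ULONG len)
{
    if (cls == ThreadHideFromDebugger) {
        g_hide_attempts++;
        cls = ThreadBasicInformation;
        (void)g_original(h, cls, info, len);
        return STATUS_SUCCESS;
    }
    return g_original(h, cls, info, len);
}

/* What a protected program does: ask to be hidden, then trust the status. */
static DWORD sample_hide_self(PFZWSETINFORMATIONTHREAD fn, FakeThread *me)
{
    return fn((HANDLE)me, ThreadHideFromDebugger, NULL, 0);
}

/* Run the sample once against the original and once through the detour.
 * Returns 1 when the detour kept the thread visible while the sample still
 * observed success, i.e. the bypass worked and stayed unnoticed. */
int demo_hook_keeps_thread_visible(void)
{
    FakeThread plain = {0}, hooked = {0};
    DWORD s1 = sample_hide_self(fake_ZwSetInformationThread, &plain);
    DWORD s2 = sample_hide_self(hook_ZwSetInformationThread, &hooked);
    return s1 == STATUS_SUCCESS && plain.hidden_from_debugger == 1
        && s2 == STATUS_SUCCESS && hooked.hidden_from_debugger == 0;
}

int hide_attempts_logged(void) { return g_hide_attempts; }

int main(void)
{
    printf("bypass effective and unnoticed: %s\n",
           demo_hook_keeps_thread_visible() ? "yes" : "no");
    printf("ThreadHideFromDebugger attempts logged: %d\n", hide_attempts_logged());
    return 0;
}
```

The point of the explicit STATUS_SUCCESS in the detour is the caveat a practitioner wants when applying the "change 0x11 to 0" edit by hand in a debugger: class 0 is not a settable class, so the altered call fails, and a sample that inspects the status can use that failure as a second-level debugger check. Patching the return value along with the argument, or not forwarding the call at all, closes that gap.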