[Reversing] ZwSetInformationThread, Anti-Debugging

[Reversing]  ZwSetInformationThread, Anti-Debugging

참고

> https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ps/psquery/class.htm

> http://www.openrce.org/reference_library/anti_reversing

ZwSetInformationThread의 두 번째 인자 값을 확인하여 안티디버깅 유무를 확인 할 수 있다. 

두 번째 인자 값에 0x11(ThreadHideFromDebugger)를 전달할 경우 디버깅을 체크 확인하여, 우회를 원하면 해당 값을 0으로 수정하면 된다.

typedef DWORD (WINAPI *PFZWSETINFORMATIONTHREAD) (      HANDLE ThreadHandle,      DWORD ThreadInformationClass, // Original : _THREAD_INFORMATION_CLASS      PVOID         ThreadInformation,      ULONG          ThreadInformationLength );

typedef enum _THREADINFOCLASS {

  0x00 ThreadBasicInformation

  0x01 ThreadTimes

  0x02 ThreadPriority

  0x03 ThreadBasePriority

  0x04 ThreadAffinityMask

  0x05 ThreadImpersonationToken

  0x06 ThreadDescriptorTableEntry

  0x07 ThreadEnableAlignmentFaultFixup

  0x08 ThreadEventPair

  0x09 ThreadQuerySetWin32StartAddress

  0x0A ThreadZeroTlsCell

  0x0B ThreadPerformanceCount

  0x0C ThreadAmILastThread

  0x0D ThreadIdealProcessor

  0x0E ThreadPriorityBoost

  0x0F ThreadSetTlsArrayAddress

  0x10 ThreadIsIoPending

  0x11 ThreadHideFromDebugger

  0x12 ThreadBreakOnTermination

  0x13 ThreadSwitchLegacyState

  0x14 ThreadIsTerminated

  0x15 ThreadLastSystemC

  0x16 ThreadIoPriority

  0x17 ThreadCycleTime

  0x18 ThreadPagePriority

  0x19 ThreadActualBasePriority

  0x1A ThreadTebInformation

  0x1B ThreadCSwitchMon

  0x1C ThreadCSwitchPmu

  0x1D ThreadWow64Context

  0x1E ThreadGroupInformation

  0x1F ThreadUmsInformation

  0x20 ThreadCounterProfiling

  0x21 ThreadIdealProcessorEx

  0x22 ThreadCpuAccountingInformation

  0x23 ThreadSuspendCount

  0x24 ThreadHeterogeneousCpuPolicy

  0x25 ThreadContainerId

  0x26 ThreadNameInformation

  0x27 ThreadSelectedCpuSets

  0x28 ThreadSystemThreadInformation

  0x29 ThreadActualGroupAffinity