如何检测可能正在分析程序的调试器或其他工具? [英] How can I detect a debugger or other tool that might be analysing my program?
问题描述
Hi,
I''m trying to make my application detect whether it''s being debugged or not, well i''ve found such a great article here on code project An Anti-Reverse Engineering Guide[^] and started working on it, then i came up with this:
<system.runtime.interopservices.dllimport("kernel32.dll")> _
Public Shared Function LoadLibrary(ByVal szFileName As String) As IntPtr
End Function
<system.runtime.interopservices.dllimport("kernel32.dll")> _
Public Shared Function GetProcAddress(ByVal hLibrary As IntPtr, ByVal szProcName As String) As IntPtr
End Function
<system.runtime.interopservices.dllimport("kernel32.dll",> _
Public Shared Function GetCurrentProcess() As IntPtr
End Function
Private Delegate Function Nt_QueryInformationProcess(ByVal hProc As IntPtr, ByVal DbgFlags As UInt32, ByRef NoDbg As Boolean, ByVal PiLen As Int32, ByVal RetLen As Int32) As Int32
Private Function CheckProcessDebugFlags() As Boolean
Dim NoDebugInherit As Boolean
Dim Nt_QIP As Nt_QueryInformationProcess = _
DirectCast(System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("Ntdll.dll"), "NtQueryInformationProcess"), GetType(Nt_QueryInformationProcess)), Nt_QueryInformationProcess)
Dim Status As Int32 = Nt_QIP.Invoke(GetCurrentProcess(), &H1F, NoDebugInherit, 4, 0)
If Status = 0 Then
If NoDebugInherit = False Then
Return True
Else
Return False
End If
Else
Return False
End If
End Function
问题在于,即使它在调试模式下运行,它也始终会返回false,是否可能是我做错了什么,或者它根本无法与托管代码一起使用?
the problem is that it always returns false even when it''s running in debug mode, so could it be that i''m doing something wrong or it just don''t work with managed code?
推荐答案
我很想知道您可能编写了什么样的软件来保证这种保护.除此之外,只需使用足以阻止/禁止反向工程的功能强大的混淆库即可.
I''m curious to know what kind of software you may have written that warrannts that kind of protection. Beyond that, just use a sufficiantly capable obfuscation library that can prevent/inhibit reverse engineering.
有一种方法可以检测到这一点:
There is a method to detect this:
if (System.Diagnostics.Debugger.IsAttached)
System.Diagnostics.Process.GetCurrentProcess().Kill(); //for example某事告诉我它无法停止真正高级的代码破解程序.我什至没有提到逆向工程,逆向工程不能受此或防止在调试器下运行的任何技巧的影响.逆向工程分析代码,而不是运行它.因此,当逆向工程完成时,可以轻松删除此类代码.
Something tells me it cannot stop a really advanced code cracker. I don''t even mention reverse engineering which cannot be effected by this or any trick used to prevent running under debugger. Reverse engineering analyzes the code, not runs it. So, when reverse engineering is complete, such code can be simply removed.
如果您的输出是.Net程序集,则存在更高级别的攻击(对CLR IL进行反向工程)和此类低级别的东西并不会真正帮到您,因为对于试图破解您的代码的人来说,这确实很明显.
If your output is a .Net assembly then there is a far higher level attack (reverse engineering the CLR IL) and this kind of low level stuff is not really going to help you much because it will be really obvious to someone who''s trying to crack your code.
这篇关于如何检测可能正在分析程序的调试器或其他工具?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
