Implementing Simple Anti-Debugging Techniques

admin, 2025-01-26 23:20:47


There are a great many anti-debugging techniques; this post only tests a few that still work on Windows 11. For many more, see Anti-Debug Tricks: https://anti-debug.checkpoint.com/

Win32 API

IsDebuggerPresent

Determines whether the calling process is being debugged by a user-mode debugger.

// IsDebuggerPresent() reads the BeingDebugged flag of the calling process's own PEB.
if (IsDebuggerPresent()) {
    printf("attached debugger detected :(\n");
    return -2;
}

CheckRemoteDebuggerPresent

The function kernel32!CheckRemoteDebuggerPresent() checks if a debugger (in a different process on the same machine) is attached to the current process.

BOOL bDebuggerPresent;
if (TRUE == CheckRemoteDebuggerPresent(GetCurrentProcess(), &bDebuggerPresent) &&
    TRUE == bDebuggerPresent)
    ExitProcess(-1);

 

NtQueryInformationProcess

The function ntdll!NtQueryInformationProcess() can retrieve many different kinds of information about a process. It accepts a ProcessInformationClass parameter that specifies which information to get and determines the output type written to the ProcessInformation parameter.

ProcessDebugFlags

The kernel structure EPROCESS, which represents a process object, contains the field NoDebugInherit. The inverse of this field can be retrieved with the undocumented class ProcessDebugFlags (0x1f), so if the returned value is 0, a debugger is present.

#include <windows.h>
#include <winternl.h>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

BOOL ProcessDebugFlags_test()
{
    typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)(
        IN HANDLE           ProcessHandle,
        IN PROCESSINFOCLASS ProcessInformationClass,
        OUT PVOID           ProcessInformation,
        IN ULONG            ProcessInformationLength,
        OUT PULONG          ReturnLength
    );

    // ProcessDebugFlags is undocumented and not declared in winternl.h; its class value is 0x1f.
    const PROCESSINFOCLASS ProcessDebugFlags = (PROCESSINFOCLASS)0x1f;

    // Build the export name on the stack so "NtQueryInformationProcess" does not
    // appear as a contiguous string in the binary.
    unsigned char func[] = { 'N','t','Q','u','e','r','y','I','n','f','o','r','m','a','t','i','o','n','P','r','o','c','e','s','s','\0' };

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");   // ntdll is mapped into every process
    if (!ntdll)
        return FALSE;
    HANDLE hProcess = GetCurrentProcess();
    auto pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(ntdll, (PCSTR)func);

    if (pfnNtQueryInformationProcess)
    {
        DWORD dwProcessDebugFlags = 0;
        ULONG dwReturned = 0;
        NTSTATUS status = pfnNtQueryInformationProcess(
            hProcess,
            ProcessDebugFlags,
            &dwProcessDebugFlags,
            sizeof(DWORD),
            &dwReturned);

        // The kernel returns the inverse of EPROCESS.NoDebugInherit, so 0 means a debugger is attached.
        if (NT_SUCCESS(status) && (0 == dwProcessDebugFlags))
            return TRUE;
    }
    return FALSE;
}

ProcessDebugObjectHandle

When debugging begins, a kernel object called a "debug object" is created. A handle to it can be queried with the undocumented ProcessDebugObjectHandle (0x1e) class; when no debugger is attached the call fails instead of returning a handle.

#include <windows.h>
#include <winternl.h>

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

BOOL ProcessDebugObjectHandle_test()
{
    typedef NTSTATUS(NTAPI* TNtQueryInformationProcess)(
        IN HANDLE           ProcessHandle,
        IN PROCESSINFOCLASS ProcessInformationClass,
        OUT PVOID           ProcessInformation,
        IN ULONG            ProcessInformationLength,
        OUT PULONG          ReturnLength
    );

    // ProcessDebugObjectHandle is undocumented and not declared in winternl.h; its class value is 0x1e.
    const PROCESSINFOCLASS ProcessDebugObjectHandle = (PROCESSINFOCLASS)0x1e;

    // Stack-built export name, as in the ProcessDebugFlags check above.
    unsigned char func[] = { 'N','t','Q','u','e','r','y','I','n','f','o','r','m','a','t','i','o','n','P','r','o','c','e','s','s','\0' };

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll)
        return FALSE;
    HANDLE hProcess = GetCurrentProcess();
    auto pfnNtQueryInformationProcess = (TNtQueryInformationProcess)GetProcAddress(ntdll, (PCSTR)func);

    if (pfnNtQueryInformationProcess)
    {
        ULONG dwReturned = 0;
        HANDLE hProcessDebugObject = 0;
        NTSTATUS status = pfnNtQueryInformationProcess(
            hProcess,
            ProcessDebugObjectHandle,
            &hProcessDebugObject,
            sizeof(HANDLE),
            &dwReturned);

        // Without a debugger the call fails (STATUS_PORT_NOT_SET), so NT_SUCCESS must be checked first.
        if (NT_SUCCESS(status) && (0 != hProcessDebugObject))
        {
            // The kernel opened a real handle to the debug object in this process; do not leak it.
            CloseHandle(hProcessDebugObject);
            return TRUE;
        }
    }
    return FALSE;
}
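The same CheckRemoteDebuggerPresent, ProcessDebugFlags and ProcessDebugObjectHandle checks can also be run from outside the target, which is a convenient way to confirm on Windows 11 that a given debugger actually trips each of them before relying on them inside a binary. The following is an added example, not code from the original post or from Check Point's site. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and a target process the caller is allowed to open with PROCESS_QUERY_INFORMATION; the type name DbgProbe, the binding names NtQueryProcessUlong/NtQueryProcessHandle and the function name Test-DebuggerAttached are this example's own. IsDebuggerPresent has no remote form, since it only reads the caller's own PEB, so it is not part of the probe.

```powershell
# Added example (not from the original post): probe another process for the debugger
# indicators discussed above. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.
$probe = @'
using System;
using System.Runtime.InteropServices;
public static class DbgProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // Same API the post calls in-process; it accepts any handle with PROCESS_QUERY_INFORMATION.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool debuggerPresent);

    // ProcessDebugFlags (0x1f) yields a ULONG and ProcessDebugObjectHandle (0x1e) a HANDLE,
    // so the one export is bound twice with the matching output size (names are this example's own).
    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int NtQueryProcessUlong(IntPtr hProcess, int infoClass,
        out uint info, int infoLength, out int returnLength);

    [DllImport("ntdll.dll", EntryPoint = "NtQueryInformationProcess")]
    public static extern int NtQueryProcessHandle(IntPtr hProcess, int infoClass,
        out IntPtr info, int infoLength, out int returnLength);
}
'@
Add-Type -TypeDefinition $probe

function Test-DebuggerAttached {
    param([Parameter(Mandatory)][int]$ProcessId)

    $PROCESS_QUERY_INFORMATION = 0x0400
    $ProcessDebugObjectHandle  = 0x1e
    $ProcessDebugFlags         = 0x1f

    $h = [DbgProbe]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed with Win32 error $err"
    }
    try {
        $remote = $false
        [void][DbgProbe]::CheckRemoteDebuggerPresent($h, [ref]$remote)

        $flags = [uint32]0
        $len   = 0
        $stFlags = [DbgProbe]::NtQueryProcessUlong($h, $ProcessDebugFlags, [ref]$flags, 4, [ref]$len)

        $dbgObj = [IntPtr]::Zero
        $stObj  = [DbgProbe]::NtQueryProcessHandle($h, $ProcessDebugObjectHandle, [ref]$dbgObj, [IntPtr]::Size, [ref]$len)
        # On success the kernel opens a handle to the debug object in *this* process; close it.
        if ($stObj -ge 0 -and $dbgObj -ne [IntPtr]::Zero) { [void][DbgProbe]::CloseHandle($dbgObj) }

        # NT_SUCCESS(status) is status >= 0 when NTSTATUS is read as a signed 32-bit integer.
        [pscustomobject]@{
            ProcessId                  = $ProcessId
            CheckRemoteDebuggerPresent = $remote
            ProcessDebugFlags          = ($stFlags -ge 0 -and $flags -eq 0)            # 0 => debugger present
            ProcessDebugObjectHandle   = ($stObj -ge 0 -and $dbgObj -ne [IntPtr]::Zero)
            DebugObjectStatus          = ('0x{0:X8}' -f $stObj)                        # 0xC0000353 = STATUS_PORT_NOT_SET
        }
    }
    finally {
        [void][DbgProbe]::CloseHandle($h)
    }
}

# Usage: attach x64dbg or WinDbg to a scratch process, run this, detach, run again.
# Test-DebuggerAttached -ProcessId (Get-Process notepad).Id
```

Run it once against an undebugged process and once after attaching a debugger: all three booleans should flip together, and DebugObjectStatus should go from 0xC0000353 (STATUS_PORT_NOT_SET) to 0x00000000. That failing status is why the C code checks NT_SUCCESS before looking at the handle value. Note that an undebugged process that was created with DEBUG_PROCESS semantics inherited from a parent can still report ProcessDebugFlags as 0, so a single indicator should not be trusted on its own.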

Originally published on the WeChat official account 红蓝对抗技战术: 简单的反调试技术实现

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site accepts no legal or joint liability. Questions may be sent by e-mail (use a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): 简单的反调试技术实现 https://cn-sec.com/archives/3678940.html