https://ntquery.wordpress.com/2015/09/07/windows-10-new-anti-debug-outputdebugstringw/
Windows 10: New Anti-Debug OutputDebugStringW
Prior to Windows 10, OutputDebugStringW was only a dummy implementation. The function converted the input Unicode string to a simple Ansi string and calls the Ansi version of the function OutputDeb…
ntquery.wordpress.com
Looking at the code taken from the link above:
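#include <windows.h>
#include <string.h>

// ANSI variant: passes (length, pointer) to the debugger via an exception.
void __stdcall _OutputDebugStringA(LPCSTR lpOutputString)
{
    ULONG_PTR args[2];
    args[0] = (ULONG_PTR)strlen(lpOutputString) + 1; // length including the terminating NUL
    args[1] = (ULONG_PTR)lpOutputString;
    __try
    {
        RaiseException(0x40010006, 0, 2, args); // DBG_PRINTEXCEPTION_C
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // The exception is swallowed here.
    }
}

// Unicode variant: passes the wide string plus an ANSI copy for compatibility.
void __stdcall _OutputDebugStringW(LPCWSTR lpOutputString)
{
    char outputDebugStringBuffer[1000] = {0};
    // Leave the last byte untouched so the buffer is always NUL-terminated.
    WideCharToMultiByte(CP_ACP, 0, lpOutputString, -1, outputDebugStringBuffer, sizeof(outputDebugStringBuffer) - 1, 0, 0);
    ULONG_PTR args[4];
    // unicode
    args[0] = (ULONG_PTR)wcslen(lpOutputString) + 1;
    args[1] = (ULONG_PTR)lpOutputString;
    // ansi for compatibility; length of the converted string, which can
    // differ from the wide character count for multi-byte code pages
    args[2] = (ULONG_PTR)strlen(outputDebugStringBuffer) + 1;
    args[3] = (ULONG_PTR)outputDebugStringBuffer;
    __try
    {
        RaiseException(0x4001000A, 0, 4, args); // DBG_PRINTEXCEPTION_WIDE_C
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // The exception is swallowed here.
    }
}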
OutputDebugStringA raises the exception 0x40010006 = DBG_PRINTEXCEPTION_C,
and OutputDebugStringW raises the exception 0x4001000A = DBG_PRINTEXCEPTION_WIDE_C.
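The receiving side of these two exceptions, as an added example that is not code from the linked post: a portable sketch of how a debugger or tracing tool can tell the two codes apart and decode the argument layout shown above, rejecting records with too few arguments. The names exc_record, dbg_print, decode_dbg_print and make_wide_record are hypothetical, and the sample record is constructed in-process; a real debugger would have to copy the strings out of the debuggee with ReadProcessMemory instead of dereferencing the pointers.

```c
#include <stdint.h>
#include <string.h>
#include <wchar.h>

#define DBG_PRINTEXCEPTION_C      0x40010006u
#define DBG_PRINTEXCEPTION_WIDE_C 0x4001000Au
/* Hypothetical stand-in for the EXCEPTION_RECORD fields used here. */
typedef struct { uint32_t code, nparams; uintptr_t info[15]; } exc_record;
/* Decoded message; lengths count characters including the NUL. */
typedef struct { const char *ansi; size_t ansi_len;
                 const wchar_t *wide; size_t wide_len; } dbg_print;
enum { DBG_MALFORMED = -1, NOT_DBG_PRINT = 0, DBG_ANSI = 1, DBG_WIDE = 2 };

/* Classify a record and pull out the string arguments by exception code. */
int decode_dbg_print(const exc_record *r, dbg_print *out)
{
    memset(out, 0, sizeof *out);
    if (r->code == DBG_PRINTEXCEPTION_C) {
        if (r->nparams < 2 || !r->info[1]) return DBG_MALFORMED;
        out->ansi_len = (size_t)r->info[0];
        out->ansi = (const char *)r->info[1];
        return DBG_ANSI;
    }
    if (r->code == DBG_PRINTEXCEPTION_WIDE_C) {
        /* Raised by hand with too few arguments: do not index past them. */
        if (r->nparams < 4 || !r->info[1] || !r->info[3]) return DBG_MALFORMED;
        out->wide_len = (size_t)r->info[0];
        out->wide = (const wchar_t *)r->info[1];
        out->ansi_len = (size_t)r->info[2];
        out->ansi = (const char *)r->info[3];
        return DBG_WIDE;
    }
    return NOT_DBG_PRINT;
}

/* Constructed sample: the argument array _OutputDebugStringW builds. */
exc_record make_wide_record(const wchar_t *w, const char *a)
{
    exc_record r = { DBG_PRINTEXCEPTION_WIDE_C, 4, {0} };
    r.info[0] = wcslen(w) + 1; r.info[1] = (uintptr_t)w;
    r.info[2] = strlen(a) + 1; r.info[3] = (uintptr_t)a;
    return r;
}

int main(void)
{
    dbg_print p;
    exc_record r = make_wide_record(L"hello", "hello");
    return decode_dbg_print(&r, &p) == DBG_WIDE ? 0 : 1;
}
```

A tool that only recognizes 0x40010006 would classify the wide record as an unknown exception, which is why both codes are handled explicitly.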