常用的反调试技术总结


//
//

//#include "stdafx.h"
#include <cstdio>    // printf (used by the ntdll-based checks)
#include <iostream>
#include <Windows.h>
#include <tchar.h>   // _tmain / _TCHAR; stdafx.h, which normally pulled this in, is commented out above
using	namespace std;

// Information classes accepted by ntdll!NtQueryInformationProcess.
// Values are written out explicitly so the gaps (23..25, 28..29, 32..34)
// are visible; the numeric values are unchanged from the original list.
// Only ProcessDebugPort (7) is used by this file.
//
// NOTE(review): winternl.h also declares a PROCESSINFOCLASS; including it
// next to this file would be a redefinition. Keep the two apart.
// NOTE(review): SystemKernelDebuggerInformation (35) is normally a
// SYSTEM_INFORMATION_CLASS value for NtQuerySystemInformation rather than a
// process class; it is kept here for value compatibility only — confirm
// before using it with NtQueryInformationProcess.
enum PROCESSINFOCLASS
{
	ProcessBasicInformation          = 0,
	ProcessQuotaLimits               = 1,
	ProcessIoCounters                = 2,
	ProcessVmCounters                = 3,
	ProcessTimes                     = 4,
	ProcessBasePriority              = 5,
	ProcessRaisePriority             = 6,
	ProcessDebugPort                 = 7,   // out: DWORD_PTR, -1 when a debugger is attached
	ProcessExceptionPort             = 8,
	ProcessAccessToken               = 9,
	ProcessLdtInformation            = 10,
	ProcessLdtSize                   = 11,
	ProcessDefaultHardErrorMode      = 12,
	ProcessIoPortHandlers            = 13,
	ProcessPooledUsageAndLimits      = 14,
	ProcessWorkingSetWatch           = 15,
	ProcessUserModeIOPL              = 16,
	ProcessEnableAlignmentFaultFixup = 17,
	ProcessPriorityClass             = 18,
	ProcessWx86Information           = 19,
	ProcessHandleCount               = 20,
	ProcessAffinityMask              = 21,
	ProcessPriorityBoost             = 22,
	MaxProcessInfoClass              = 23,
	ProcessWow64Information          = 26,
	ProcessImageFileName             = 27,
	ProcessDebugObjectHandle         = 30,
	ProcessDebugFlags                = 31,
	SystemKernelDebuggerInformation  = 35
};

// Information classes accepted by ntdll!NtSetInformationThread /
// NtQueryInformationThread. Values written out explicitly; they are the
// same sequential values the original implied. This file only uses
// ThreadHideFromDebugger (0x11).
//
// NOTE(review): winternl.h declares a (shorter) _THREADINFOCLASS as well;
// do not include both in one translation unit.
typedef enum _THREADINFOCLASS {
	ThreadBasicInformation          = 0,
	ThreadTimes                     = 1,
	ThreadPriority                  = 2,
	ThreadBasePriority              = 3,
	ThreadAffinityMask              = 4,
	ThreadImpersonationToken        = 5,
	ThreadDescriptorTableEntry      = 6,
	ThreadEnableAlignmentFaultFixup = 7,
	ThreadEventPair_Reusable        = 8,
	ThreadQuerySetWin32StartAddress = 9,
	ThreadZeroTlsCell               = 10,
	ThreadPerformanceCount          = 11,
	ThreadAmILastThread             = 12,
	ThreadIdealProcessor            = 13,
	ThreadPriorityBoost             = 14,
	ThreadSetTlsArrayAddress        = 15,
	ThreadIsIoPending               = 16,
	ThreadHideFromDebugger          = 17,  // 0x11: stop debug events for this thread
	ThreadBreakOnTermination        = 18,
	MaxThreadInfoClass              = 19
} THREADINFOCLASS;

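// Function-pointer types for the two undocumented ntdll exports resolved at
// run time below. ntdll's Nt* exports use the stdcall convention on x86
// (NTAPI), so both pointer types must carry WINAPI: the original
// NtSetInformationThreadPtr omitted it, which makes a 32-bit build call a
// stdcall function through a cdecl pointer — the callee pops its arguments
// and the caller adjusts ESP again, leaving the stack unbalanced.
typedef NTSTATUS(WINAPI *NtQueryInformationProcessPtr)(
	HANDLE processHandle,
	PROCESSINFOCLASS processInformationClass,
	PVOID processInformation,
	ULONG processInformationLength,
	PULONG returnLength);

typedef NTSTATUS(WINAPI *NtSetInformationThreadPtr)(
	HANDLE threadHandle,
	THREADINFOCLASS threadInformationClass,
	PVOID threadInformation,
	ULONG threadInformationLength);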

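// Checks the NtGlobalFlag field of the 32-bit PEB (fs:[30h] + 0x68) for the
// heap-debugging flags the loader sets when a process is created under a
// debugger: FLG_HEAP_ENABLE_TAIL_CHECK (0x10), FLG_HEAP_ENABLE_FREE_CHECK
// (0x20) and FLG_HEAP_VALIDATE_PARAMETERS (0x40). Returns true if any is set.
//
// Fix: the mask was written as a bare `70`, which MASM reads as decimal 70
// (0x46). That still matched 0x40, which is why the check appeared to work,
// but it also matched unrelated low bits and ignored 0x10/0x20. The mask is
// now hex 70h.
//
// x86 only (inline asm, 32-bit PEB layout). Caveats for users:
//  - NOTE(review): these flags are applied at process start, so a debugger
//    attached later is not expected to trip this check — confirm.
//  - NOTE(review): a GlobalFlag value under Image File Execution Options can
//    set the same bits with no debugger present (false positive) — confirm.
bool PebNtGlobalFlagsApproach(){ // usable (original author's comment)
	int	result = 0;
	__asm{
		mov eax, fs:[30h]      ; PEB
		mov eax, [eax+68h]     ; PEB->NtGlobalFlag (32-bit PEB offset)
		and eax, 70h           ; tail-check | free-check | validate-parameters
		mov result, eax
	}
	return result != 0;
}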

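// Reads ForceFlags of the default process heap. When a process starts under
// a debugger the loader creates the heap with extra debug flags, so a
// non-zero ForceFlags indicates a debugger (ForceFlags is normally 0, unlike
// Flags, which always carries HEAP_GROWABLE).
//
// The original always read [heap+10h], which is ForceFlags only in the
// Windows XP x86 _HEAP layout. From Vista onwards the 32-bit _HEAP has
// Flags at 0x40 and ForceFlags at 0x44, which is why the author saw it
// fail on Windows 7. The offset is now selected by OS major version.
//
// x86 inline asm only. NOTE(review): not verified under WOW64 (32-bit
// process on 64-bit Windows), which is the configuration the author
// reported as failing — confirm there before relying on it.
bool HeapFlagsApproach(){ // original comment: did not work on Win7 x64
	int forceFlags = 0;
	// GetVersion(): low byte of the low word is the major version. Without a
	// compatibility manifest it reports at most 6.2 on newer systems, which
	// still selects the Vista+ layout correctly. (May warn as deprecated.)
	const DWORD major = (DWORD)LOBYTE(LOWORD(GetVersion()));
	if (major >= 6) {
		__asm{
			mov eax, fs:[30h]      ; PEB
			mov eax, [eax+18h]     ; PEB->ProcessHeap
			mov eax, [eax+44h]     ; _HEAP.ForceFlags (Vista+ x86 layout)
			mov forceFlags, eax
		}
	} else {
		__asm{
			mov eax, fs:[30h]      ; PEB
			mov eax, [eax+18h]     ; PEB->ProcessHeap
			mov eax, [eax+10h]     ; _HEAP.ForceFlags (XP x86 layout)
			mov forceFlags, eax
		}
	}
	return forceFlags != 0;
}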

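// Queries the process debug port (ProcessDebugPort = 7) through
// ntdll!NtQueryInformationProcess. The kernel reports (DWORD_PTR)-1 when a
// debugger is attached and 0 otherwise, so unlike the PEB-flag checks this
// also sees a debugger attached after start-up.
// Returns true when a debug port is present; false when none, or on any
// failure (which is reported on stdout, matching the file's other checks).
// NOTE(review): this call is a common target for anti-anti-debug hooks that
// spoof the result; treat it as one signal among several.
bool NtQueryInformationProcessApproach(){ // usable (original author's comment)
	// ProcessDebugPort writes a pointer-sized value; use that width rather
	// than int so the compare against -1 is exact on both 32- and 64-bit.
	DWORD_PTR debugPort = 0;
	// ntdll is mapped into every process, so GetModuleHandle is enough and
	// does not bump the module reference count on every call like LoadLibrary.
	HMODULE hNtdll = GetModuleHandle(TEXT("ntdll.dll"));
	if (hNtdll == NULL) {
		printf("[ERROR NtQueryInformationProcessApproach] ntdll.dll not found\n");
		return false;
	}
	NtQueryInformationProcessPtr NtQueryInformationProcess =
		(NtQueryInformationProcessPtr)GetProcAddress(hNtdll, "NtQueryInformationProcess");
	if (NtQueryInformationProcess == NULL) {
		// Original dereferenced this unchecked.
		printf("[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess not exported\n");
		return false;
	}
	NTSTATUS status = NtQueryInformationProcess(GetCurrentProcess(),
		(PROCESSINFOCLASS)7 /* ProcessDebugPort */, &debugPort, sizeof(debugPort), NULL);
	if (status != 0) { // anything other than STATUS_SUCCESS
		printf("[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess failed\n");
		return false;
	}
	return debugPort == (DWORD_PTR)-1;
}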

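// Marks the current thread "hidden from debugger" (ThreadHideFromDebugger =
// 0x11) via ntdll!NtSetInformationThread. Once set, the kernel is expected
// to stop delivering this thread's debug events (exceptions, breakpoints)
// to an attached debugger. This is a hardening step, not a detection: the
// function produces no verdict, it only reports failures on stdout.
// NOTE(review): debugger plugins commonly hook this call; a follow-up
// NtQueryInformationThread(ThreadHideFromDebugger) to confirm the flag took
// effect is a known complement and is not done here — confirm if needed.
void NtSetInformationThreadApproach(){ // usable (original author's comment)
	// Local pointer type spelled with WINAPI: ntdll's Nt* exports are
	// stdcall on x86, so calling through a cdecl pointer would leave ESP
	// unbalanced after the call in a 32-bit build.
	typedef NTSTATUS(WINAPI *HideFromDebuggerFn)(HANDLE, THREADINFOCLASS, PVOID, ULONG);
	// ntdll is always mapped; GetModuleHandle avoids a leaked LoadLibrary ref.
	HMODULE hNtdll = GetModuleHandle(TEXT("ntdll.dll"));
	if (hNtdll == NULL) {
		printf("[ERROR NtSetInformationThreadApproach] ntdll.dll not found\n");
		return;
	}
	HideFromDebuggerFn NtSetInformationThread =
		(HideFromDebuggerFn)GetProcAddress(hNtdll, "NtSetInformationThread");
	if (NtSetInformationThread == NULL) {
		// Original called this unchecked.
		printf("[ERROR NtSetInformationThreadApproach] NtSetInformationThread not exported\n");
		return;
	}
	// ThreadHideFromDebugger takes no input buffer: NULL pointer, length 0.
	NTSTATUS status = NtSetInformationThread(GetCurrentThread(),
		(THREADINFOCLASS)0x11 /* ThreadHideFromDebugger */, NULL, 0);
	if (status != 0) // anything other than STATUS_SUCCESS
		printf("[ERROR NtSetInformationThreadApproach] NtSetInformationThread failed\n");
}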

// Top-level exception filter installed by UnhandledExceptionFilterApproach.
// It is meant to run only when no debugger is attached: with a debugger
// present the OS hands the unhandled exception to the debugger instead of
// invoking this filter, which is what turns the divide-by-zero below into a
// detection. NOTE(review): that dispatch rule is Windows behaviour, not
// visible in this file — confirm for the target OS version.
//
// pei->ContextRecord is the x86 CONTEXT captured at the faulting
// instruction; Eax/Eip are 32-bit members, so this does not build for x64.
LONG WINAPI MyUnhandledExceptionFilter(struct _EXCEPTION_POINTERS *pei){
	// The caller zeroed EAX immediately before the fault (xor eax, eax), so
	// this installs a NULL filter, i.e. restores the default handler.
	SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)
	pei->ContextRecord->Eax);
	// Skip the faulting `div eax` (F7 F0, two bytes) so execution resumes at
	// the next instruction. Any change to the asm in
	// UnhandledExceptionFilterApproach must keep this length in sync.
	pei->ContextRecord->Eip += 2;
	// Resume the thread at the patched EIP instead of terminating the process.
	return EXCEPTION_CONTINUE_EXECUTION;
}

// Installs MyUnhandledExceptionFilter and raises an integer divide-by-zero.
// Without a debugger the filter runs, restores the default filter, skips
// the div and this function returns false. With a debugger attached the
// filter is not reached and the debugger receives the exception instead —
// the "detection" is the trap itself; the return value never becomes true.
// NOTE(review): a caller wanting a boolean verdict would need the filter to
// record that it ran (e.g. a flag set inside MyUnhandledExceptionFilter),
// which this version does not do.
// x86 inline asm only.
bool UnhandledExceptionFilterApproach() // practical (original author's comment)
{
	
	SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);
	__asm{
		// EAX = 0: the filter reads it back through ContextRecord->Eax and
		// passes it to SetUnhandledExceptionFilter (NULL => default filter).
		xor eax, eax
		// #DE integer divide by zero; a 2-byte instruction, which the
		// filter's `Eip += 2` depends on.
		div eax
	}
	return false;
}

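// Calls DeleteFiber on a zero-filled buffer that was never a fiber and
// inspects the resulting last-error value. The original expects
// ERROR_INVALID_PARAMETER (0x57) when no debugger is present and treats any
// other value as "debugged". The author reports it unreliable on Win7 x64
// and this reviewer cannot confirm the underlying behaviour, so treat the
// result as weak evidence at most.
//
// Fix: GetLastError was read without clearing it first, so a stale error
// code left by an earlier API call could decide the result whenever
// DeleteFiber did not set one. The last error is now reset before the call.
// NOTE(review): passing memory that is not a fiber to DeleteFiber is outside
// the API contract; confirm it cannot fault on the target OS.
bool	DeleteFiberApproach()// original comment: poor results on Win7 x64
{
	char	fib[1024] = { 0 };
	SetLastError(0);
	DeleteFiber(fib);
	return GetLastError() != 0x57; // 0x57 == ERROR_INVALID_PARAMETER
}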
// Program entry point. Only the exception-filter technique is exercised
// here; the other approaches defined above are compiled but not called.
// Prints "hello" and then waits for a keypress so the console stays open.
int _tmain(int argc, _TCHAR* argv[])
{
	(void)argc;
	(void)argv;

	UnhandledExceptionFilterApproach();

	cout << "hello" << endl;
	getchar(); // keep the window open until a key is pressed
	return 0;
}

