Repository: wanttobeno/AntiDebuggers
Branch: master
Commit: 40c9d00a78fe
Files: 26
Total size: 75.0 KB
Directory structure:
gitextract_ibjy7f_q/
├── README.md
├── Round2_3_PC_Tecent 2016 题目说明.docx
├── Tencent2016D.cpp
├── Tencent2016D.h
├── Tencent2016DAPI.cpp
├── Tencent2016DAPI.h
├── Tencent2016Globle.h
├── stdafx.cpp
├── stdafx.h
├── targetver.h
└── 反调试技术实例VC版/
└── DetectOD/
├── About.cpp
├── About.h
├── DetectOD.clw
├── DetectOD.cpp
├── DetectOD.dsp
├── DetectOD.dsw
├── DetectOD.h
├── DetectOD.rc
├── DetectODDlg.cpp
├── DetectODDlg.h
├── ReadMe.txt
├── StdAfx.cpp
├── StdAfx.h
├── res/
│ └── DetectOD.rc2
├── resource.h
└── tlssup.c
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
### 反调试技术总结
反调试就是检测有没有被调试器调试,比如OllyDbg,IDA,WinDbg等。
参考资料:[houjingyi ](https://bbs.pediy.com/thread-225735.htm)
代码: [GitHub](https://github.com/houjingyi233/test-debug)
[Tencent2016D.cpp](./Tencent2016D.cpp) 中实现了30种检测调试器的方法,非常的精彩给力
--
30 ways of anti-debugging on PC. For more information: http://blog.csdn.net/qq_32400847/article/details/52798050
##### 截图

##### 虚拟机检测
[AntiVirtualMachine](https://github.com/wanttobeno/AntiVirtualMachine)
##### 保护自己的程序不被破解
[DllProtect](https://github.com/wanttobeno/DllProtect)
##### 各种反调试技术原理与实例 VC版
帖子:[各种反调试技术原理与实例 VC版](https://bbs.pediy.com/thread-114767.htm)
[各种反调试技术原理与实例VC版.pdf](./反调试技术实例VC版/各种反调试技术原理与实例VC版.pdf)

```c++
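void CDetectODDlg::OnExplorer()
{
    // Parent-process probe: a process launched from the desktop shell has explorer.exe as its
    // parent, so a different parent is reported as "launched by a debugger".
    // Fixes over the original: tp32.dwSize was never set, so Process32First failed and the
    // do/while walked an unfilled structure; ExplorerID/SelfParentID were read uninitialised
    // when FindWindow or the walk found nothing; CloseHandle was called on INVALID_HANDLE_VALUE
    // when the snapshot failed; the lstrcmp branch against "Explorer.EXE" had no effect and is gone.
    const DWORD SelfID = GetCurrentProcessId();
    DWORD ExplorerID = 0;   // PID owning the desktop "Progman" window; 0 when there is none
    DWORD SelfParentID = 0; // PID of our parent; 0 when the snapshot does not list us

    const HWND hProgman = ::FindWindow("Progman", NULL);
    if (hProgman != NULL)
    {
        ::GetWindowThreadProcessId(hProgman, &ExplorerID);
    }

    const HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        return; // no snapshot, nothing to report (the original was silent here too)
    }

    PROCESSENTRY32 tp32;
    ::ZeroMemory(&tp32, sizeof(tp32));
    tp32.dwSize = sizeof(tp32); // Process32First rejects the call when dwSize is not set
    for (BOOL more = Process32First(hSnapshot, &tp32); more; more = Process32Next(hSnapshot, &tp32))
    {
        if (SelfID == tp32.th32ProcessID)
        {
            SelfParentID = tp32.th32ParentProcessID;
            break;
        }
    }
    CloseHandle(hSnapshot);

    CString str;
    str.Format("本进程:%d 父进程:%d Explorer进程: %d ", SelfID, SelfParentID, ExplorerID);
    MessageBox(str);
    // Both IDs being 0 (unknown) must not count as a match.
    if (ExplorerID != 0 && ExplorerID == SelfParentID)
    {
        AfxMessageBox("没有OD");
    }
    else
    {
        AfxMessageBox("发现OD");
    }
}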
```
================================================
FILE: Tencent2016D.cpp
================================================
// Tencent2016D.cpp : Defines the exported functions for the DLL application.
//
#include "stdafx.h"
#include <iostream>
#include <windows.h>
#include <Tlhelp32.h>
#include <process.h>
#include "Tencent2016D.h"
#include "Tencent2016DAPI.h"
#include "Tencent2016Globle.h"
using namespace std;
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
    // Nothing to do on process/thread attach or detach: every exported probe keeps its
    // state on its own stack, so the DLL only has to report success.
    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(ul_reason_for_call);
    UNREFERENCED_PARAMETER(lpReserved);
    return TRUE;
}
BOOL CheckDebug1()
{
    // Probe 1: the documented API; reports PEB.BeingDebugged for the calling process.
    const BOOL attached = IsDebuggerPresent();
    return attached;
}
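BOOL CheckDebug2()
{
    // Probe 2: CheckRemoteDebuggerPresent on our own process handle.
    // Fix: the result variable was uninitialised and the API's return value was ignored, so a
    // failed call returned stack garbage. A failed call now reports FALSE.
    BOOL debuggerPresent = FALSE;
    if (!CheckRemoteDebuggerPresent(GetCurrentProcess(), &debuggerPresent))
    {
        return FALSE;
    }
    return debuggerPresent;
}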
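BOOL CheckDebug3()
{
    // Probe 3: NtQueryInformationProcess(ProcessDebugPort): a non-zero debug port means a
    // debugger is attached. Returns FALSE (after the original's error box) when the query fails.
    // Fixes: ntdll is already mapped in every process, so GetModuleHandle replaces a LoadLibrary
    // whose reference was never released; the module and function pointers are now null-checked
    // instead of being dereferenced blindly.
    const HMODULE hNtdll = GetModuleHandleA("Ntdll.dll");
    if (hNtdll == NULL)
    {
        return FALSE;
    }
    const NtQueryInformationProcessPtr NtQueryInformationProcess =
        (NtQueryInformationProcessPtr)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
    {
        return FALSE;
    }
    const DWORD kProcessDebugPort = 7; // PROCESSINFOCLASS value the original passed as a bare 7
    DWORD_PTR debugPort = 0;           // the class returns a pointer-sized value
    if (NtQueryInformationProcess(GetCurrentProcess(), kProcessDebugPort, &debugPort, sizeof(debugPort), NULL) != 0)
    {
        MessageBox(NULL, "[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess failed", "error", MB_OK);
        return FALSE;
    }
    return debugPort != 0;
}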
BOOL CheckDebug4()
{
    // Probe 4: OutputDebugString last-error trick. The sentinel is planted in the thread's
    // last-error slot; the technique reads TRUE when the call leaves it untouched.
    // NOTE(review): widely reported as unreliable on modern Windows versions — confirm on the
    // targeted builds before relying on it.
    const DWORD kSentinel = 12345;
    SetLastError(kSentinel);
    OutputDebugString("Test for debugger!");
    return (GetLastError() == kSentinel) ? TRUE : FALSE;
}
BOOL CheckDebug5()
{
    // Probe 5: DeleteFiber on a zeroed stack buffer that is not a fiber. Without a debugger the
    // call is expected to fail with ERROR_INVALID_PARAMETER (0x57); any other last-error value is
    // reported as TRUE. NOTE(review): nothing resets the last error before the call — confirm
    // DeleteFiber always sets it on this path.
    char notAFiber[1024];
    ZeroMemory(notAFiber, sizeof(notAFiber));
    DeleteFiber(notAFiber);
    const DWORD err = GetLastError();
    return (err != ERROR_INVALID_PARAMETER) ? TRUE : FALSE;
}
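BOOL CheckDebug6()
{
    // Probe 6: CloseHandle on a bogus handle. Without a debugger the call simply fails with
    // ERROR_INVALID_HANDLE; with one attached the kernel raises STATUS_INVALID_HANDLE instead.
    // Fix: the original had no exception handler, so under a debugger that raise terminated the
    // process instead of yielding TRUE. The handler follows the __try/__except style used by
    // CheckDebug25-29 in this file.
    BOOL detected = FALSE;
    __try
    {
        const BOOL closed = CloseHandle((HANDLE)0x1234);
        if (closed != 0 || GetLastError() != ERROR_INVALID_HANDLE)
        {
            detected = TRUE;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        detected = TRUE;
    }
    return detected;
}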
BOOL CheckDebug7()
{
    // Probe 7: CloseWindow on a bogus HWND. The expected outcome is failure with
    // ERROR_INVALID_WINDOW_HANDLE; anything else (success, or a different error) is reported as TRUE.
    const BOOL closed = CloseWindow((HWND)0x1234);
    if (closed == 0 && GetLastError() == ERROR_INVALID_WINDOW_HANDLE)
    {
        return FALSE;
    }
    return TRUE;
}
BOOL CheckDebug8()
{
// Probe 8: PEB.BeingDebugged read directly rather than through IsDebuggerPresent() (CheckDebug1).
// fs:[30h] is the PEB of a 32-bit process and the byte at offset 2 is BeingDebugged.
// 32-bit only: x86 inline asm.
char result = 0;
__asm
{
mov eax, fs:[30h]
mov al, BYTE PTR[eax + 2]
mov result, al
}
return result != 0;
}
BOOL CheckDebug9()
{
// Probe 9: process-heap flag word. fs:[30h] is the 32-bit PEB and PEB+18h is ProcessHeap; the
// word read from the heap header sits at +10h on Windows 5.x (XP/2003) and at +44h from Vista
// on, hence the switch on the major version from GetVersion(). The technique assumes a process
// created under a debugger gets a heap with debug flags set, so any non-zero value is TRUE.
// NOTE(review): these offsets look like _HEAP.ForceFlags — confirm against the targeted SDKs.
// 32-bit only: x86 inline asm.
int result = 0;
DWORD dwVersion = GetVersion();
DWORD dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
if (dwWindowsMajorVersion == 5)
{
__asm
{
mov eax, fs:[30h]
mov eax, [eax + 18h]
mov eax, [eax + 10h]
mov result, eax
}
}
else
{
__asm
{
mov eax, fs:[30h]
mov eax, [eax + 18h]
mov eax, [eax + 44h]
mov result, eax
}
}
return result != 0;
}
BOOL CheckDebug10()
{
// Probe 10: companion of CheckDebug9 reading the neighbouring heap flag word (+0ch on Windows
// 5.x, +40h from Vista on) through PEB->ProcessHeap. The expected value in a normally created
// process is 2 (HEAP_GROWABLE); anything else is reported as TRUE.
// NOTE(review): these offsets look like _HEAP.Flags — confirm against the targeted SDKs.
// 32-bit only: x86 inline asm.
int result = 0;
DWORD dwVersion = GetVersion();
DWORD dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
if (dwWindowsMajorVersion == 5)
{
__asm
{
mov eax, fs:[30h]
mov eax, [eax + 18h]
mov eax, [eax + 0ch]
mov result, eax
}
}
else
{
__asm
{
mov eax, fs:[30h]
mov eax, [eax + 18h]
mov eax, [eax + 40h]
mov result, eax
}
}
return result != 2;
}
BOOL CheckDebug11()
{
// Probe 11: PEB.NtGlobalFlag (offset 68h in the 32-bit PEB) masked with 0x70, i.e.
// FLG_HEAP_ENABLE_TAIL_CHECK (0x10) | FLG_HEAP_ENABLE_FREE_CHECK (0x20) |
// FLG_HEAP_VALIDATE_PARAMETERS (0x40). Any of those set is reported as TRUE.
// NOTE(review): the same bits are set by GFlags / application-verifier style settings, not only
// by debuggers — expect false positives on instrumented machines. 32-bit only: x86 inline asm.
int result = 0;
__asm
{
mov eax, fs:[30h]
mov eax, [eax + 68h]
and eax, 0x70
mov result, eax
}
return result != 0;
}
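BOOL CheckDebug12()
{
    // Probe 12: reads the post-mortem debugger configured under
    // HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug (value "Debugger") and reports
    // TRUE when it names one of the known debuggers.
    // Fixes: is_64 was read uninitialised when IsWow64Process failed; RegCreateKeyA needs write
    // access (fails for a non-elevated caller and creates the key when it is missing) and is
    // replaced by RegOpenKeyExA with KEY_READ; the 64-bit path lacked the space in "Windows NT";
    // the key handle was never closed; the value buffer was scanned with strstr without being
    // NUL-terminated or checked for a successful string-typed read.
    // NOTE(review): a WOW64 process already sees the Wow6432Node view through registry
    // redirection, so the explicit Wow6432Node path may be redundant — confirm which view is meant.
    BOOL is_64 = FALSE;
    if (!IsWow64Process(GetCurrentProcess(), &is_64))
    {
        is_64 = FALSE;
    }
    const char* const reg_dir = is_64
        ? "SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug"
        : "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug";

    HKEY hkey = NULL;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, reg_dir, 0, KEY_READ, &hkey) != ERROR_SUCCESS)
    {
        return FALSE;
    }

    char tmp[256];
    ZeroMemory(tmp, sizeof(tmp));
    DWORD type = REG_NONE;
    DWORD len = sizeof(tmp) - 1; // always leave room for a terminating NUL
    const LONG ret = RegQueryValueExA(hkey, "Debugger", NULL, &type, (LPBYTE)tmp, &len);
    RegCloseKey(hkey);
    if (ret != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ))
    {
        return FALSE;
    }
    tmp[sizeof(tmp) - 1] = '\0';

    static const char* const kDebuggerMarkers[] = { "OllyIce", "OllyDBG", "WinDbg", "x64dbg", "Immunity" };
    const size_t count = sizeof(kDebuggerMarkers) / sizeof(kDebuggerMarkers[0]);
    for (size_t i = 0; i < count; ++i)
    {
        if (strstr(tmp, kDebuggerMarkers[i]) != NULL)
        {
            return TRUE;
        }
    }
    return FALSE;
}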
BOOL CheckDebug13()
{
    // Probe 13: FindWindowA by window class — OllyDbg's main window ("OLLYDBG"), WinDbg's frame
    // ("WinDbgFrameClass") and any Qt top-level window ("QWidget").
    // NOTE(review): "QWidget" is the generic Qt class, so any running Qt application trips this
    // check — expect false positives.
    static const char* const kClassNames[] = { "OLLYDBG", "WinDbgFrameClass", "QWidget" };
    const size_t count = sizeof(kClassNames) / sizeof(kClassNames[0]);
    for (size_t i = 0; i < count; ++i)
    {
        if (FindWindowA(kClassNames[i], NULL) != NULL)
        {
            return TRUE;
        }
    }
    return FALSE;
}
BOOL CheckDebug14()
{
    // Probe 14: walks every top-level window; EnumWndProc (Tencent2016DAPI.cpp) sets the BOOL
    // passed through lParam when a title contains a known debugger name.
    BOOL found = FALSE;
    EnumWindows(EnumWndProc, reinterpret_cast<LPARAM>(&found));
    return found;
}
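BOOL CheckDebug15()
{
    // Probe 15: title of the current foreground window against known debugger names.
    // Fix: the title buffer was uninitialised, so when GetWindowTextA copied nothing (no
    // foreground window, empty title, or failure) strstr scanned stack garbage.
    char fore_window[1024];
    ZeroMemory(fore_window, sizeof(fore_window));
    const HWND hFore = GetForegroundWindow();
    if (hFore == NULL)
    {
        return FALSE;
    }
    if (GetWindowTextA(hFore, fore_window, sizeof(fore_window)) == 0)
    {
        return FALSE;
    }
    static const char* const kMarkers[] = { "WinDbg", "x64_dbg", "OllyICE", "OllyDBG", "Immunity" };
    const size_t count = sizeof(kMarkers) / sizeof(kMarkers[0]);
    for (size_t i = 0; i < count; ++i)
    {
        if (strstr(fore_window, kMarkers[i]) != NULL)
        {
            return TRUE;
        }
    }
    return FALSE;
}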
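BOOL CheckDebug16()
{
    // Probe 16: walks the process list and reports TRUE when an image name matches one of the
    // known debugger executables (case-insensitive, exact name).
    // Fixes: the original returned TRUE from inside the loop without closing the snapshot
    // handle; the unused locals ID/ret are dropped; the entry is zeroed before use.
    static const char* const kDebuggerImages[] = {
        "OllyDBG.EXE", "OllyICE.exe", "x64_dbg.exe", "windbg.exe", "ImmunityDebugger.exe"
    };
    const size_t count = sizeof(kDebuggerImages) / sizeof(kDebuggerImages[0]);

    PROCESSENTRY32 pe32;
    ZeroMemory(&pe32, sizeof(pe32));
    pe32.dwSize = sizeof(pe32); // required by Process32First/Next
    const HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    BOOL found = FALSE;
    for (BOOL bMore = Process32First(hProcessSnap, &pe32); bMore && !found; bMore = Process32Next(hProcessSnap, &pe32))
    {
        for (size_t i = 0; i < count; ++i)
        {
            if (_stricmp(pe32.szExeFile, kDebuggerImages[i]) == 0)
            {
                found = TRUE;
                break;
            }
        }
    }
    CloseHandle(hProcessSnap);
    return found;
}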
BOOL CheckDebug17()
{
// Probe 17: software-breakpoint scan. Looks for a 0xCC (int 3) byte anywhere in the first
// section of the main module, using that section's on-disk size as the scan length. The PE
// headers are walked by hand in memory: DOS header -> e_lfanew -> NT headers -> the first
// IMAGE_SECTION_HEADER, which follows the optional header. 32-bit only (DWORD pointers, x86 asm).
// NOTE(review): any legitimate 0xCC byte (inter-function padding, an immediate operand) also
// matches, so expect false positives; when SizeOfRawData is 0 the repne scasb does not execute
// and ZF is whatever it was before the block — confirm the section is never empty.
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS32 pNtHeaders;
PIMAGE_SECTION_HEADER pSectionHeader;
DWORD dwBaseImage = (DWORD)GetModuleHandle(NULL);
pDosHeader = (PIMAGE_DOS_HEADER)dwBaseImage;
pNtHeaders = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader + pDosHeader->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders + sizeof(pNtHeaders->Signature) + sizeof(IMAGE_FILE_HEADER) +
(WORD)pNtHeaders->FileHeader.SizeOfOptionalHeader);
DWORD dwAddr = pSectionHeader->VirtualAddress + dwBaseImage;
DWORD dwCodeSize = pSectionHeader->SizeOfRawData;
BOOL Found = FALSE;
// repne scasb stops at the first byte equal to al (ZF=1) or when ecx reaches 0 (ZF=0).
__asm
{
cld
mov edi, dwAddr
mov ecx, dwCodeSize
mov al, 0CCH
repne scasb
jnz NotFound
mov Found, 1
NotFound:
}
return Found;
}
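BOOL CheckDebug18()
{
    // Probe 18: hardware breakpoints. Reads the debug registers of the current thread and
    // reports TRUE when any of the four address registers Dr0-Dr3 is non-zero.
    // Fixes: the CONTEXT was uninitialised and the GetThreadContext result was ignored, so a
    // failed call compared stack garbage; a failure now reports FALSE.
    CONTEXT context;
    ZeroMemory(&context, sizeof(context));
    context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(GetCurrentThread(), &context))
    {
        return FALSE;
    }
    const bool anyAddressSet = context.Dr0 != 0 || context.Dr1 != 0 || context.Dr2 != 0 || context.Dr3 != 0;
    return anyAddressSet ? TRUE : FALSE;
}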
BOOL CheckDebug19()
{
// Probe 19: code-integrity checksum. Sums every byte of the first section of the main module
// (add then rotate-left by one) and compares it with a hard-coded constant, so a software
// breakpoint or patch inside that section changes the result. The PE header walk is the same as
// in CheckDebug17. 32-bit only (DWORD pointers, x86 asm).
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS32 pNtHeaders;
PIMAGE_SECTION_HEADER pSectionHeader;
DWORD dwBaseImage = (DWORD)GetModuleHandle(NULL);
pDosHeader = (PIMAGE_DOS_HEADER)dwBaseImage;
pNtHeaders = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader + pDosHeader->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders + sizeof(pNtHeaders->Signature) + sizeof(IMAGE_FILE_HEADER) +
(WORD)pNtHeaders->FileHeader.SizeOfOptionalHeader);
DWORD dwAddr = pSectionHeader->VirtualAddress + dwBaseImage;
DWORD dwCodeSize = pSectionHeader->SizeOfRawData;
DWORD checksum = 0;
// `loop` decrements ecx first, so a zero dwCodeSize iterates 2^32 times.
__asm
{
cld
mov esi, dwAddr
mov ecx, dwCodeSize
xor eax, eax
checksum_loop :
movzx ebx, byte ptr[esi]
add eax, ebx
rol eax, 1
inc esi
loop checksum_loop
mov checksum, eax
}
// NOTE(review): 0x46ea24 belongs to the build it was computed for and must be regenerated
// whenever this module is recompiled. As written the function returns TRUE when the checksum
// *matches* the constant — the opposite sense from the other probes — confirm which value the
// constant encodes (clean code vs. patched code).
if (checksum != 0x46ea24)
{
return FALSE;
}
else
{
return TRUE;
}
}
BOOL CheckDebug20()
{
// Probe 20: rdtsc timing. Two back-to-back timestamp reads should differ by only a handful of
// cycles; a gap of 0xff or more is taken to mean the thread was stopped in between (e.g. by
// single-stepping). Only the low 32 bits (eax) of each timestamp are kept, so the subtraction
// wraps correctly as long as fewer than 2^32 cycles elapsed. 32-bit only: x86 inline asm.
// NOTE(review): pre-emption, SMIs and virtualised rdtsc can also exceed the threshold — expect
// occasional false positives.
DWORD time1, time2;
__asm
{
rdtsc
mov time1, eax
rdtsc
mov time2, eax
}
if (time2 - time1 < 0xff)
{
return FALSE;
}
else
{
return TRUE;
}
}
BOOL CheckDebug21()
{
// Probe 21: GetTickCount timing. The three movs are filler that should take no measurable time;
// if more than 0x1A (26) ms elapsed around them the thread is assumed to have been paused.
// 32-bit only: x86 inline asm.
// NOTE(review): GetTickCount has a documented granularity of roughly 10-16 ms, so an unlucky
// tick boundary plus a pre-emption can exceed the threshold without any debugger.
DWORD time1 = GetTickCount();
__asm
{
mov ecx, 10
mov edx, 6
mov ecx, 10
}
DWORD time2 = GetTickCount();
if (time2 - time1 > 0x1A)
{
return TRUE;
}
else
{
return FALSE;
}
}
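BOOL CheckDebug22()
{
    // Probe 22: parent-process check. A process started from the shell normally has
    // explorer.exe as its parent; a process started by a debugger has the debugger as parent.
    // Returns TRUE when the parent is found in the process list and is not explorer.exe, FALSE
    // when it is explorer.exe, is not found, or any step fails.
    // Fixes: the original returned -1 from a BOOL function, never closed the process handle,
    // ignored the NtQueryInformationProcess status and a NULL GetProcAddress result, and fell off
    // the end without a return when the parent was not listed (undefined behaviour).
    const HMODULE hNtdll = GetModuleHandleA("ntdll");
    if (hNtdll == NULL)
    {
        return FALSE;
    }
    const PNTQUERYINFORMATIONPROCESS NtQueryInformationProcess =
        (PNTQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL)
    {
        return FALSE;
    }

    const HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId());
    if (hProcess == NULL)
    {
        return FALSE;
    }
    PROCESS_BASIC_INFORMATION pbi;
    ZeroMemory(&pbi, sizeof(pbi));
    // 0 is ProcessBasicInformation in PROCESSINFOCLASS. The original passed the
    // SystemBasicInformation enumerator from Tencent2016Globle.h, which only worked because
    // both happen to be 0.
    const UINT kProcessBasicInformation = 0;
    const LONG status = NtQueryInformationProcess(hProcess, kProcessBasicInformation, (PVOID)&pbi, sizeof(pbi), NULL);
    CloseHandle(hProcess);
    if (status < 0) // NTSTATUS: negative values are failures
    {
        return FALSE;
    }

    PROCESSENTRY32 pe32;
    ZeroMemory(&pe32, sizeof(pe32));
    pe32.dwSize = sizeof(pe32); // required by Process32First/Next
    const HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    BOOL parentIsNotExplorer = FALSE;
    for (BOOL bMore = Process32First(hProcessSnap, &pe32); bMore; bMore = Process32Next(hProcessSnap, &pe32))
    {
        if (pe32.th32ProcessID == pbi.InheritedFromUniqueProcessId)
        {
            parentIsNotExplorer = (_stricmp(pe32.szExeFile, "explorer.exe") != 0) ? TRUE : FALSE;
            break;
        }
    }
    CloseHandle(hProcessSnap);
    return parentIsNotExplorer;
}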
BOOL CheckDebug23()
{
    // Probe 23: STARTUPINFO placement fields. The technique assumes a process launched from the
    // shell carries zeroed window-placement fields and treats any non-zero value as a sign the
    // process was started by something else, such as a debugger.
    // NOTE(review): any launcher that fills these fields (console hosts, scripts using
    // STARTF_* flags) trips the check as well — expect false positives.
    STARTUPINFO si;
    GetStartupInfo(&si);
    const bool placementSet =
        si.dwX != 0 || si.dwY != 0 || si.dwFillAttribute != 0 ||
        si.dwXSize != 0 || si.dwYSize != 0 || si.dwXCountChars != 0 || si.dwYCountChars != 0;
    return placementSet ? TRUE : FALSE;
}
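BOOL CheckDebug24()
{
    // Probe 24: opening csrss.exe with PROCESS_QUERY_INFORMATION ordinarily fails for an
    // unprivileged process; success is reported as TRUE. NOTE(review): the technique presumably
    // relies on a debugger having enabled SeDebugPrivilege that the debuggee then inherits —
    // confirm; an elevated run also succeeds, so expect false positives there.
    // Fixes: ID was read uninitialised when csrss.exe was not in the snapshot; the handle from
    // OpenProcess was never closed; bInheritHandle was passed NULL (a pointer constant) where a
    // BOOL is expected; the unused local ret is dropped.
    PROCESSENTRY32 pe32;
    ZeroMemory(&pe32, sizeof(pe32));
    pe32.dwSize = sizeof(pe32); // required by Process32First/Next
    const HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }
    DWORD csrssId = 0;
    for (BOOL bMore = Process32First(hProcessSnap, &pe32); bMore; bMore = Process32Next(hProcessSnap, &pe32))
    {
        if (_stricmp(pe32.szExeFile, "csrss.exe") == 0)
        {
            csrssId = pe32.th32ProcessID;
            break;
        }
    }
    CloseHandle(hProcessSnap);
    if (csrssId == 0)
    {
        return FALSE; // not found: nothing to probe
    }

    const HANDLE hCsrss = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, csrssId);
    if (hCsrss == NULL)
    {
        return FALSE;
    }
    CloseHandle(hCsrss);
    return TRUE;
}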
BOOL CheckDebug25()
{
    // Probe 25: single-byte int 3. With no debugger the breakpoint exception reaches our own
    // handler (FALSE); a debugger that consumes the breakpoint lets execution fall through (TRUE).
    BOOL consumedByDebugger = TRUE;
    __try
    {
        __asm int 3
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        consumedByDebugger = FALSE;
    }
    return consumedByDebugger;
}
BOOL CheckDebug26()
{
    // Probe 26: the two-byte encoding of int 3 (CD 03) emitted as raw bytes, same logic as
    // CheckDebug25 — our handler runs without a debugger (FALSE), a debugger that consumes the
    // breakpoint lets execution fall through (TRUE).
    BOOL consumedByDebugger = TRUE;
    __try
    {
        __asm
        {
            __emit 0xCD
            __emit 0x03
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        consumedByDebugger = FALSE;
    }
    return consumedByDebugger;
}
BOOL CheckDebug27()
{
    // Probe 27: int 2Dh (the kernel debug-service interrupt). Without a debugger the resulting
    // exception reaches our handler (FALSE); when a debugger consumes it execution falls through (TRUE).
    BOOL consumedByDebugger = TRUE;
    __try
    {
        __asm int 0x2d
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        consumedByDebugger = FALSE;
    }
    return consumedByDebugger;
}
BOOL CheckDebug28()
{
    // Probe 28: opcode 0xF1 (ICEBP / int1, a single-step trap) emitted raw. Same logic as
    // CheckDebug25: our handler runs without a debugger (FALSE), a debugger that consumes the
    // trap lets execution fall through (TRUE).
    BOOL consumedByDebugger = TRUE;
    __try
    {
        __asm __emit 0xF1
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        consumedByDebugger = FALSE;
    }
    return consumedByDebugger;
}
BOOL CheckDebug29()
{
    // Probe 29: trap flag. Sets TF (bit 8 of EFLAGS) via pushfd/or/popfd so the following nop
    // raises a single-step exception. Without a debugger that exception reaches our handler
    // (FALSE); a debugger that consumes it lets execution fall through (TRUE).
    BOOL consumedByDebugger = TRUE;
    __try
    {
        __asm
        {
            pushfd
            or word ptr[esp], 0x100
            popfd
            nop
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        consumedByDebugger = FALSE;
    }
    return consumedByDebugger;
}
BOOL CheckDebug30()
{
    // Probe 30: raises DBG_RIPEXCEPTION through TestExceptionCode (Tencent2016DAPI.cpp), which
    // reports TRUE when the exception never comes back to the process's own handler.
    const DWORD code = DBG_RIPEXCEPTION;
    return TestExceptionCode(code) ? TRUE : FALSE;
}
================================================
FILE: Tencent2016D.h
================================================
#pragma once
#include <windows.h>
// Exported anti-debugging probes implemented in Tencent2016D.cpp. Each returns TRUE when the
// probe concludes a debugger is present and FALSE otherwise (CheckDebug19 is the exception:
// it returns TRUE when its code checksum matches a build-specific constant). The whole set is
// x86-only — several probes use 32-bit inline asm and fs:[30h] PEB access.
extern "C" BOOL _declspec(dllexport) CheckDebug1();   // IsDebuggerPresent()
extern "C" BOOL _declspec(dllexport) CheckDebug2();   // CheckRemoteDebuggerPresent()
extern "C" BOOL _declspec(dllexport) CheckDebug3();   // NtQueryInformationProcess, class 7 (ProcessDebugPort)
extern "C" BOOL _declspec(dllexport) CheckDebug4();   // OutputDebugString last-error trick
extern "C" BOOL _declspec(dllexport) CheckDebug5();   // DeleteFiber last-error trick
extern "C" BOOL _declspec(dllexport) CheckDebug6();   // CloseHandle on an invalid handle
extern "C" BOOL _declspec(dllexport) CheckDebug7();   // CloseWindow on an invalid HWND
extern "C" BOOL _declspec(dllexport) CheckDebug8();   // PEB.BeingDebugged via fs:[30h]
extern "C" BOOL _declspec(dllexport) CheckDebug9();   // process-heap flag word (XP / Vista+ offsets)
extern "C" BOOL _declspec(dllexport) CheckDebug10();  // process-heap flag word, expects 2
extern "C" BOOL _declspec(dllexport) CheckDebug11();  // PEB.NtGlobalFlag & 0x70
extern "C" BOOL _declspec(dllexport) CheckDebug12();  // AeDebug\Debugger registry value
extern "C" BOOL _declspec(dllexport) CheckDebug13();  // FindWindowA by debugger window class
extern "C" BOOL _declspec(dllexport) CheckDebug14();  // EnumWindows title scan (EnumWndProc)
extern "C" BOOL _declspec(dllexport) CheckDebug15();  // foreground-window title scan
extern "C" BOOL _declspec(dllexport) CheckDebug16();  // process-list image-name scan
extern "C" BOOL _declspec(dllexport) CheckDebug17();  // 0xCC scan of the first PE section
extern "C" BOOL _declspec(dllexport) CheckDebug18();  // hardware breakpoints (Dr0-Dr3)
extern "C" BOOL _declspec(dllexport) CheckDebug19();  // checksum of the first PE section
extern "C" BOOL _declspec(dllexport) CheckDebug20();  // rdtsc delta
extern "C" BOOL _declspec(dllexport) CheckDebug21();  // GetTickCount delta
extern "C" BOOL _declspec(dllexport) CheckDebug22();  // parent process is not explorer.exe
extern "C" BOOL _declspec(dllexport) CheckDebug23();  // STARTUPINFO placement fields non-zero
extern "C" BOOL _declspec(dllexport) CheckDebug24();  // OpenProcess on csrss.exe succeeds
extern "C" BOOL _declspec(dllexport) CheckDebug25();  // int 3 not delivered to own handler
extern "C" BOOL _declspec(dllexport) CheckDebug26();  // CD 03 (two-byte int 3) not delivered
extern "C" BOOL _declspec(dllexport) CheckDebug27();  // int 2Dh not delivered
extern "C" BOOL _declspec(dllexport) CheckDebug28();  // 0xF1 (ICEBP) not delivered
extern "C" BOOL _declspec(dllexport) CheckDebug29();  // trap-flag single step not delivered
extern "C" BOOL _declspec(dllexport) CheckDebug30();  // DBG_RIPEXCEPTION not delivered (TestExceptionCode)
================================================
FILE: Tencent2016DAPI.cpp
================================================
#include "stdafx.h"
#include <iostream>
#include <windows.h>
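BOOL CALLBACK EnumWndProc(HWND hwnd, LPARAM lParam)
{
    // EnumWindows callback used by CheckDebug14. lParam points at the caller's BOOL result,
    // which is set to TRUE when this window's title contains a known debugger name. Always
    // returns TRUE so the enumeration continues over every top-level window.
    // Fix: the title buffer was uninitialised, so when GetWindowTextA copied nothing (untitled
    // window or failure) strstr scanned stack garbage.
    BOOL* const found = (BOOL*)lParam;
    if (found == NULL)
    {
        return FALSE; // nowhere to report to: stop enumerating
    }
    char cur_window[1024];
    ZeroMemory(cur_window, sizeof(cur_window));
    if (GetWindowTextA(hwnd, cur_window, sizeof(cur_window)) == 0)
    {
        return TRUE;
    }
    static const char* const kMarkers[] = { "WinDbg", "x64_dbg", "OllyICE", "OllyDBG", "Immunity" };
    const size_t count = sizeof(kMarkers) / sizeof(kMarkers[0]);
    for (size_t i = 0; i < count; ++i)
    {
        if (strstr(cur_window, kMarkers[i]) != NULL)
        {
            *found = TRUE;
            break;
        }
    }
    return TRUE;
}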
BOOL CALLBACK TestExceptionCode(DWORD dwCode)
{
    // Raises the exception code dwCode and reports whether it came back to this handler (FALSE)
    // or was consumed before reaching it (TRUE). Used by CheckDebug30 with DBG_RIPEXCEPTION.
    BOOL consumed = TRUE;
    __try
    {
        RaiseException(dwCode, 0, 0, NULL);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        consumed = FALSE;
    }
    return consumed;
}
================================================
FILE: Tencent2016DAPI.h
================================================
#pragma once
#include <windows.h>
// Raises dwCode via RaiseException; TRUE when the exception did not return to the
// process's own handler, FALSE when it did. Used by CheckDebug30.
extern BOOL CALLBACK TestExceptionCode(DWORD dwCode);
// EnumWindows callback for CheckDebug14: lParam is a BOOL* set to TRUE when a window title
// contains a known debugger name; always returns TRUE to keep enumerating.
extern BOOL CALLBACK EnumWndProc(HWND hwnd, LPARAM lParam);
================================================
FILE: Tencent2016Globle.h
================================================
#pragma once
#include <windows.h>
// Signature of ntdll!NtQueryInformationProcess as resolved by CheckDebug3. The real return
// type is NTSTATUS; it is declared DWORD here, so callers treat any non-zero value as failure.
typedef DWORD (WINAPI *NtQueryInformationProcessPtr)(
HANDLE processHandle,
DWORD processInformationClass,
PVOID processInformation,
ULONG processInformationLength,
PULONG returnLength);
// Minimal system-information class list. NOTE(review): CheckDebug22 passes
// SystemBasicInformation (value 0) as a *process* information class; that only works because
// ProcessBasicInformation is also 0. This name collides with the enumeration in <winternl.h>
// should that header ever be included.
typedef enum enumSYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
}SYSTEM_INFORMATION_CLASS;
// Layout of PROCESS_BASIC_INFORMATION for a 32-bit process (pointer-sized fields declared as
// DWORD/ULONG); CheckDebug22 reads InheritedFromUniqueProcessId, the parent PID.
// Also collides with the definition in <winternl.h>.
typedef struct tagPROCESS_BASIC_INFORMATION
{
DWORD ExitStatus;
DWORD PebBaseAddress;
DWORD AffinityMask;
DWORD BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
}PROCESS_BASIC_INFORMATION;
// Second alias of the same ntdll entry point, used by CheckDebug22 (LONG return, i.e. NTSTATUS).
typedef LONG (WINAPI *PNTQUERYINFORMATIONPROCESS)(HANDLE,UINT,PVOID,ULONG,PULONG);
================================================
FILE: stdafx.cpp
================================================
// stdafx.cpp : source file that includes just the standard includes
// Tencent2016D.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file
================================================
FILE: stdafx.h
================================================
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#pragma once
#include "targetver.h"
#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
// Windows Header Files:
#include <windows.h>
// TODO: reference additional headers your program requires here
================================================
FILE: targetver.h
================================================
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#include <SDKDDKVer.h>
================================================
FILE: 反调试技术实例VC版/DetectOD/About.cpp
================================================
// About.cpp : implementation file
//
#include "stdafx.h"
#include "DetectOD.h"
#include "About.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CAbout dialog
// Constructs the dialog on the CAbout::IDD template; pParent may be NULL.
// No members to initialise (the ClassWizard block below is empty).
CAbout::CAbout(CWnd* pParent /*=NULL*/)
: CDialog(CAbout::IDD, pParent)
{
//{{AFX_DATA_INIT(CAbout)
// NOTE: the ClassWizard will add member initialization here
//}}AFX_DATA_INIT
}
// DDX/DDV hook; this dialog has no bound controls, so it only forwards to CDialog.
void CAbout::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CAbout)
// NOTE: the ClassWizard will add DDX and DDV calls here
//}}AFX_DATA_MAP
}
// Empty message map: CAbout handles no commands of its own beyond CDialog's defaults.
BEGIN_MESSAGE_MAP(CAbout, CDialog)
//{{AFX_MSG_MAP(CAbout)
// NOTE: the ClassWizard will add message map macros here
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CAbout message handlers
================================================
FILE: 反调试技术实例VC版/DetectOD/About.h
================================================
#if !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
#define AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
// About.h : header file
//
/////////////////////////////////////////////////////////////////////////////
// CAbout dialog
// "About" dialog of the DetectOD sample.
// NOTE(review): IDD is bound to IDD_DETECTOD_DIALOG (the 27-control main dialog template,
// per DetectOD.clw), while the IDD_ABOUTBOX template is bound to CAboutDlg in DetectODDlg.cpp
// — confirm this class is meant to use the main template.
class CAbout : public CDialog
{
// Construction
public:
CAbout(CWnd* pParent = NULL); // standard constructor; pParent may be NULL
// Dialog Data
//{{AFX_DATA(CAbout)
enum { IDD = IDD_DETECTOD_DIALOG }; // dialog template used by the constructor
// NOTE: the ClassWizard will add data members here
//}}AFX_DATA
// Overrides
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CAbout)
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support (no bound controls)
//}}AFX_VIRTUAL
// Implementation
protected:
// Generated message map functions
//{{AFX_MSG(CAbout)
// NOTE: the ClassWizard will add member functions here
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectOD.clw
================================================
; CLW file contains information for the MFC ClassWizard
[General Info]
Version=1
LastClass=CAboutDlg
LastTemplate=CDialog
NewFileInclude1=#include "stdafx.h"
NewFileInclude2=#include "DetectOD.h"
ClassCount=4
Class1=CDetectODApp
Class2=CDetectODDlg
Class3=CAboutDlg
ResourceCount=3
Resource1=IDR_MAINFRAME
Resource2=IDD_ABOUTBOX
Class4=CAbout
Resource3=IDD_DETECTOD_DIALOG
[CLS:CDetectODApp]
Type=0
HeaderFile=DetectOD.h
ImplementationFile=DetectOD.cpp
Filter=N
[CLS:CDetectODDlg]
Type=0
HeaderFile=DetectODDlg.h
ImplementationFile=DetectODDlg.cpp
Filter=D
BaseClass=CDialog
VirtualFilter=dWC
LastObject=CDetectODDlg
[CLS:CAboutDlg]
Type=0
HeaderFile=DetectODDlg.h
ImplementationFile=DetectODDlg.cpp
Filter=D
BaseClass=CDialog
VirtualFilter=dWC
LastObject=CAboutDlg
[DLG:IDD_ABOUTBOX]
Type=1
Class=CAboutDlg
ControlCount=4
Control1=IDC_MYICON,static,1342177539
Control2=IDC_COMEON,static,1342177536
Control3=IDOK,button,1342373889
Control4=IDC_MYPAGE,static,1342308609
[DLG:IDD_DETECTOD_DIALOG]
Type=1
Class=CAbout
ControlCount=27
Control1=IDOK,button,1342242817
Control2=IDC_WNDCLS,button,1342242816
Control3=IDC_ISDEBUGGERPRESENT,button,1342242816
Control4=IDC_ENUMWINDOW,button,1342242816
Control5=IDC_EnumProcess,button,1342242816
Control6=IDC_Explorer,button,1342242816
Control7=IDC_GetTickCount,button,1342242816
Control8=IDC_GetStartupInfo,button,1342242816
Control9=IDC_PEBFLAGS,button,1342242816
Control10=IDC_CHECKREMOTEDEBUGGERPRESENT,button,1342242816
Control11=IDC_ZwQueryInformationProcess,button,1342242816
Control12=IDC_SetUnhandledExceptionFilter,button,1342242816
Control13=IDC_SeDebugPrivilege,button,1342242816
Control14=IDC_NTQueryObject,button,1342242816
Control15=IDC_DectectBreakpoints,button,1342242816
Control16=IDC_DectectFuncBreakpoints,button,1342242816
Control17=IDC_BlockInput,button,1342242816
Control18=IDC_CHECKSUM,button,1342242816
Control19=IDC_EnableWindow,button,1342242816
Control20=IDC_ZwSetInformationThread,button,1342242816
Control21=IDC_OutputDebugString,button,1342242816
Control22=IDC_GetEntryPoint,button,1342242816
Control23=IDC_TrapFlag,button,1342242816
Control24=IDC_GuardPages,button,1342242816
Control25=IDC_HARDWAREBREAKPOINT,button,1342242816
Control26=IDC_ABOUT,button,1342242816
Control27=IDC_MYPAGE2,static,1342308609
[CLS:CAbout]
Type=0
HeaderFile=About.h
ImplementationFile=About.cpp
BaseClass=CDialog
Filter=D
LastObject=CAbout
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectOD.cpp
================================================
// DetectOD.cpp : Defines the class behaviors for the application.
//
#include "stdafx.h"
#include "DetectOD.h"
#include "DetectODDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp
// Application-level message map: only ID_HELP is routed (to CWinApp::OnHelp);
// everything else is handled by the dialog.
BEGIN_MESSAGE_MAP(CDetectODApp, CWinApp)
//{{AFX_MSG_MAP(CDetectODApp)
// NOTE - the ClassWizard will add and remove mapping macros here.
// DO NOT EDIT what you see in these blocks of generated code!
//}}AFX_MSG
ON_COMMAND(ID_HELP, CWinApp::OnHelp)
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp construction
// Intentionally empty: all start-up work happens in InitInstance().
CDetectODApp::CDetectODApp()
{
// TODO: add construction code here,
// Place all significant initialization in InitInstance
}
/////////////////////////////////////////////////////////////////////////////
// The one and only CDetectODApp object
// The single MFC application object; its InitInstance() runs the main dialog.
CDetectODApp theApp;
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp initialization
BOOL CDetectODApp::InitInstance()
{
    // Runs the main dialog modally and then returns FALSE so MFC exits instead of entering a
    // message pump. The 3D-control call depends on whether MFC is linked as a shared DLL.
    AfxEnableControlContainer();
#ifdef _AFXDLL
    Enable3dControls();
#else
    Enable3dControlsStatic();
#endif
    CDetectODDlg dlg;
    m_pMainWnd = &dlg;
    dlg.DoModal(); // IDOK and IDCANCEL are treated alike: nothing to do after the dialog closes
    return FALSE;
}
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectOD.dsp
================================================
# Microsoft Developer Studio Project File - Name="DetectOD" - Package Owner=<4>
# Microsoft Developer Studio Generated Build File, Format Version 6.00
# ** DO NOT EDIT **
# TARGTYPE "Win32 (x86) Application" 0x0101
CFG=DetectOD - Win32 Debug
!MESSAGE This is not a valid makefile. To build this project using NMAKE,
!MESSAGE use the Export Makefile command and run
!MESSAGE
!MESSAGE NMAKE /f "DetectOD.mak".
!MESSAGE
!MESSAGE You can specify a configuration when running NMAKE
!MESSAGE by defining the macro CFG on the command line. For example:
!MESSAGE
!MESSAGE NMAKE /f "DetectOD.mak" CFG="DetectOD - Win32 Debug"
!MESSAGE
!MESSAGE Possible choices for configuration are:
!MESSAGE
!MESSAGE "DetectOD - Win32 Release" (based on "Win32 (x86) Application")
!MESSAGE "DetectOD - Win32 Debug" (based on "Win32 (x86) Application")
!MESSAGE
# Begin Project
# PROP AllowPerConfigDependencies 0
# PROP Scc_ProjName ""
# PROP Scc_LocalPath ""
CPP=cl.exe
MTL=midl.exe
RSC=rc.exe
!IF "$(CFG)" == "DetectOD - Win32 Release"
# PROP BASE Use_MFC 6
# PROP BASE Use_Debug_Libraries 0
# PROP BASE Output_Dir "Release"
# PROP BASE Intermediate_Dir "Release"
# PROP BASE Target_Dir ""
# PROP Use_MFC 6
# PROP Use_Debug_Libraries 0
# PROP Output_Dir "Release"
# PROP Intermediate_Dir "Release"
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MD /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_AFXDLL" /Yu"stdafx.h" /FD /c
# ADD CPP /nologo /MD /W3 /GX /Od /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_AFXDLL" /D "_MBCS" /Yu"stdafx.h" /FD /c
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x804 /d "NDEBUG" /d "_AFXDLL"
# ADD RSC /l 0x804 /d "NDEBUG" /d "_AFXDLL"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 /nologo /subsystem:windows /machine:I386
# ADD LINK32 /nologo /subsystem:windows /machine:I386
!ELSEIF "$(CFG)" == "DetectOD - Win32 Debug"
# PROP BASE Use_MFC 6
# PROP BASE Use_Debug_Libraries 1
# PROP BASE Output_Dir "Debug"
# PROP BASE Intermediate_Dir "Debug"
# PROP BASE Target_Dir ""
# PROP Use_MFC 6
# PROP Use_Debug_Libraries 1
# PROP Output_Dir "Debug"
# PROP Intermediate_Dir "Debug"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_AFXDLL" /Yu"stdafx.h" /FD /GZ /c
# ADD CPP /nologo /MDd /w /W0 /WX /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_AFXDLL" /D "_MBCS" /FR /Yu"stdafx.h" /FD /GZ /c
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x804 /d "_DEBUG" /d "_AFXDLL"
# ADD RSC /l 0x804 /d "_DEBUG" /d "_AFXDLL"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept
# ADD LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept
!ENDIF
# Begin Target
# Name "DetectOD - Win32 Release"
# Name "DetectOD - Win32 Debug"
# Begin Group "Source Files"
# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
# Begin Source File
SOURCE=.\DetectOD.cpp
# End Source File
# Begin Source File
SOURCE=.\DetectOD.rc
# End Source File
# Begin Source File
SOURCE=.\DetectODDlg.cpp
# End Source File
# Begin Source File
SOURCE=.\StdAfx.cpp
# ADD CPP /Yc"stdafx.h"
# End Source File
# End Group
# Begin Group "Header Files"
# PROP Default_Filter "h;hpp;hxx;hm;inl"
# Begin Source File
SOURCE=.\DetectOD.h
# End Source File
# Begin Source File
SOURCE=.\DetectODDlg.h
# End Source File
# Begin Source File
SOURCE=.\Resource.h
# End Source File
# Begin Source File
SOURCE=.\StdAfx.h
# End Source File
# End Group
# Begin Group "Resource Files"
# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
# Begin Source File
SOURCE=.\res\DetectOD.ico
# End Source File
# Begin Source File
SOURCE=.\res\DetectOD.rc2
# End Source File
# Begin Source File
SOURCE=.\res\dog.ico
# End Source File
# Begin Source File
SOURCE=.\res\home.ico
# End Source File
# Begin Source File
SOURCE=.\res\User.ico
# End Source File
# End Group
# Begin Source File
SOURCE=.\ReadMe.txt
# End Source File
# End Target
# End Project
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectOD.dsw
================================================
Microsoft Developer Studio Workspace File, Format Version 6.00
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
###############################################################################
Project: "DetectOD"=.\DetectOD.dsp - Package Owner=<4>
Package=<5>
{{{
}}}
Package=<4>
{{{
}}}
###############################################################################
Global:
Package=<5>
{{{
}}}
Package=<3>
{{{
}}}
###############################################################################
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectOD.h
================================================
// DetectOD.h : main header file for the DETECTOD application
//
#if !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
#define AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
#ifndef __AFXWIN_H__
#error include 'stdafx.h' before including this file for PCH
#endif
#include "resource.h" // main symbols
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp:
// See DetectOD.cpp for the implementation of this class
//
// MFC application object for the DetectOD sample; the single instance is theApp in DetectOD.cpp.
class CDetectODApp : public CWinApp
{
public:
CDetectODApp(); // empty; see InitInstance()
// Overrides
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CDetectODApp)
public:
virtual BOOL InitInstance(); // shows CDetectODDlg modally, then returns FALSE to exit
//}}AFX_VIRTUAL
// Implementation
//{{AFX_MSG(CDetectODApp)
// NOTE - the ClassWizard will add and remove member functions here.
// DO NOT EDIT what you see in these blocks of generated code !
//}}AFX_MSG
DECLARE_MESSAGE_MAP() // only ID_HELP is mapped (DetectOD.cpp)
};
/////////////////////////////////////////////////////////////////////////////
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectOD.rc
================================================
//Microsoft Developer Studio generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "afxres.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// Chinese (P.R.C.) resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)
#ifdef _WIN32
LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED
#pragma code_page(936)
#endif //_WIN32
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE DISCARDABLE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE DISCARDABLE
BEGIN
"#include ""afxres.h""\r\n"
"\0"
END
3 TEXTINCLUDE DISCARDABLE
BEGIN
"#define _AFX_NO_SPLITTER_RESOURCES\r\n"
"#define _AFX_NO_OLE_RESOURCES\r\n"
"#define _AFX_NO_TRACKER_RESOURCES\r\n"
"#define _AFX_NO_PROPERTY_RESOURCES\r\n"
"\r\n"
"#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\n"
"#ifdef _WIN32\r\n"
"LANGUAGE 4, 2\r\n"
"#pragma code_page(936)\r\n"
"#endif //_WIN32\r\n"
"#include ""res\\DetectOD.rc2"" // non-Microsoft Visual C++ edited resources\r\n"
"#include ""l.chs\\afxres.rc"" // Standard components\r\n"
"#endif\r\n"
"\0"
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Icon
//
// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDR_MAINFRAME ICON DISCARDABLE "res\\DetectOD.ico"
IDI_DOG ICON DISCARDABLE "res\\dog.ico"
IDI_ICON2 ICON DISCARDABLE "res\\home.ico"
/////////////////////////////////////////////////////////////////////////////
//
// Dialog
//
IDD_ABOUTBOX DIALOG DISCARDABLE 0, 0, 235, 55
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION " ʵ"
FONT 9, ""
BEGIN
ICON IDI_ICON2,IDC_MYICON,11,16,20,20,SS_NOTIFY
LTEXT "ٷվд⻥",IDC_COMEON,56,31,88,8,SS_NOTIFY |
NOT WS_GROUP
DEFPUSHBUTTON "ȷ",IDOK,178,7,50,14,WS_GROUP
CTEXT "http://ucooper.com",IDC_MYPAGE,40,17,106,8,SS_NOTIFY
END
IDD_DETECTOD_DIALOG DIALOGEX 0, 0, 443, 200
STYLE DS_MODALFRAME | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION |
WS_SYSMENU
EXSTYLE WS_EX_APPWINDOW
CAPTION "ʵ д⻥ ucooper.com"
FONT 9, ""
BEGIN
DEFPUSHBUTTON " (&C)",IDOK,375,18,61,18
PUSHBUTTON "",IDC_WNDCLS,13,6,46,18
PUSHBUTTON "IsDebuggerPresent",IDC_ISDEBUGGERPRESENT,13,31,97,18
PUSHBUTTON "EnumWindow",IDC_ENUMWINDOW,63,6,47,18
PUSHBUTTON "öٽ",IDC_EnumProcess,13,55,96,18
PUSHBUTTON "Explorer",IDC_Explorer,13,79,96,18
PUSHBUTTON "GetTickCount",IDC_GetTickCount,13,103,96,18
PUSHBUTTON "GetStartupInfo",IDC_GetStartupInfo,13,127,96,18
PUSHBUTTON "PebFlags",IDC_PEBFLAGS,13,151,97,18
PUSHBUTTON "CheckRemoteDebuggerPresent",
IDC_CHECKREMOTEDEBUGGERPRESENT,7,175,109,18
PUSHBUTTON "ZwQueryInformationProcess",
IDC_ZwQueryInformationProcess,127,6,109,18
PUSHBUTTON "SetUnhandledExceptionFilter",
IDC_SetUnhandledExceptionFilter,127,175,109,18
PUSHBUTTON "SeDebugPrivilege",IDC_SeDebugPrivilege,127,31,109,18
PUSHBUTTON "NTQueryObject",IDC_NTQueryObject,127,55,109,18
PUSHBUTTON "ϵ",IDC_DectectBreakpoints,127,79,109,18
PUSHBUTTON "ϵ",IDC_DectectFuncBreakpoints,127,103,109,18
PUSHBUTTON "BlockInput",IDC_BlockInput,127,151,109,18
PUSHBUTTON "CheckSum",IDC_CHECKSUM,127,127,109,18
PUSHBUTTON "EnableWindow",IDC_EnableWindow,253,6,109,18
PUSHBUTTON "ZwSetInformationThread",IDC_ZwSetInformationThread,253,
31,109,18
PUSHBUTTON "OutputDebugString",IDC_OutputDebugString,253,55,109,18
PUSHBUTTON "GetEntryPoint",IDC_GetEntryPoint,253,152,109,18
PUSHBUTTON "쳣",IDC_TrapFlag,253,80,109,18
PUSHBUTTON "ҳGuard Pages",IDC_GuardPages,253,103,109,18
PUSHBUTTON "HardwareBreakpoint",IDC_HARDWAREBREAKPOINT,253,127,109,
18
PUSHBUTTON " (&A)",IDC_ABOUT,375,47,61,18
CTEXT "֧ңҵĸվ www.ucooper.com",IDC_MYPAGE2,
257,183,183,10,SS_NOTIFY
END
#ifndef _MAC
/////////////////////////////////////////////////////////////////////////////
//
// Version
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 1,0,0,1
PRODUCTVERSION 1,0,0,1
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x4L
FILETYPE 0x1L
FILESUBTYPE 0x0L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "080404B0"
BEGIN
VALUE "CompanyName", "\0"
VALUE "FileDescription", "DetectOD Microsoft Ӧó\0"
VALUE "FileVersion", "1, 0, 0, 1\0"
VALUE "InternalName", "DetectOD\0"
VALUE "LegalCopyright", "Ȩ (C) 2010\0"
VALUE "LegalTrademarks", "\0"
VALUE "OriginalFilename", "DetectOD.EXE\0"
VALUE "ProductName", "DetectOD Ӧó\0"
VALUE "ProductVersion", "1, 0, 0, 1\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x804, 1200
END
END
#endif // !_MAC
/////////////////////////////////////////////////////////////////////////////
//
// DESIGNINFO
//
#ifdef APSTUDIO_INVOKED
GUIDELINES DESIGNINFO DISCARDABLE
BEGIN
IDD_ABOUTBOX, DIALOG
BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 228
TOPMARGIN, 7
BOTTOMMARGIN, 48
END
IDD_DETECTOD_DIALOG, DIALOG
BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 436
TOPMARGIN, 6
BOTTOMMARGIN, 193
END
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// String Table
//
STRINGTABLE DISCARDABLE
BEGIN
IDS_ABOUTBOX " DetectOD(&A)..."
END
#endif // Chinese (й) resources
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)
#ifdef _WIN32
LANGUAGE 4, 2
#pragma code_page(936)
#endif //_WIN32
#include "res\DetectOD.rc2" // non-Microsoft Visual C++ edited resources
#include "l.chs\afxres.rc" // Standard components
#endif
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectODDlg.cpp
================================================
// DetectODDlg.cpp : implementation file
//
#include "stdafx.h"
#include "DetectOD.h"
#include "DetectODDlg.h"
#include "Shlwapi.h"
#include "tlhelp32.h"
#include "Windows.h"
#include "Winable.h"
#include "eh.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
// Resume address shared by the exception-filter based checks below: each
// filter overwrites ContextRecord->Eip with this value so execution continues
// at a "safe" label instead of re-executing the faulting instruction. It is
// only meaningful between being set and the fault it was set for.
static DWORD NewEip;
/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About
// About box. Besides the usual dialog plumbing it has three click handlers
// (page link, "come on" text, icon) that all open the author's homepage via
// ShellExecute, a mouse-move handler that swaps the class cursor over a
// hot-spot, and an OnInitDialog that replaces the class icon.
class CAboutDlg : public CDialog
{
public:
    CAboutDlg();
    // Dialog Data
    //{{AFX_DATA(CAboutDlg)
    enum { IDD = IDD_ABOUTBOX };
    //}}AFX_DATA
    // ClassWizard generated virtual function overrides
    //{{AFX_VIRTUAL(CAboutDlg)
protected:
    virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
    //}}AFX_VIRTUAL
    // Implementation
protected:
    //{{AFX_MSG(CAboutDlg)
    afx_msg void OnMypage();                               // link control: open homepage
    afx_msg void OnMouseMove(UINT nFlags, CPoint point);   // hot-spot cursor swap
    virtual BOOL OnInitDialog();                           // sets the class icon
    afx_msg void OnComeon();                               // text control: open homepage
    afx_msg void OnMyicon();                               // icon control: open homepage
    //}}AFX_MSG
    DECLARE_MESSAGE_MAP()
};
// Construct the About dialog bound to its resource template (IDD_ABOUTBOX).
// No members need initialising beyond what CDialog does.
CAboutDlg::CAboutDlg()
    : CDialog(CAboutDlg::IDD)
{
    //{{AFX_DATA_INIT(CAboutDlg)
    //}}AFX_DATA_INIT
}
// DDX/DDV hook. The About box has no data-bound controls, so this only
// forwards to the base class.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
    //{{AFX_DATA_MAP(CAboutDlg)
    //}}AFX_DATA_MAP
    CDialog::DoDataExchange(pDX);
}
// Message map for the About box: three "link" controls plus mouse tracking.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
    //{{AFX_MSG_MAP(CAboutDlg)
    ON_BN_CLICKED(IDC_MYPAGE, OnMypage)   // URL text
    ON_WM_MOUSEMOVE()                     // cursor hot-spot
    ON_BN_CLICKED(IDC_COMEON, OnComeon)   // caption text
    ON_BN_CLICKED(IDC_MYICON, OnMyicon)   // icon
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CDetectODDlg dialog
// Construct the main dialog and cache the application icon handle used when
// painting the minimised window (OnPaint / OnQueryDragIcon).
CDetectODDlg::CDetectODDlg(CWnd* pParent /*=NULL*/)
    : CDialog(CDetectODDlg::IDD, pParent)
{
    //{{AFX_DATA_INIT(CDetectODDlg)
    //}}AFX_DATA_INIT
    // LoadIcon handles from the application's own resources need no DestroyIcon.
    CWinApp* app = AfxGetApp();
    m_hIcon = app->LoadIcon(IDR_MAINFRAME);
}
// DDX/DDV hook. The main dialog has no data-bound controls; only the base
// class implementation runs.
void CDetectODDlg::DoDataExchange(CDataExchange* pDX)
{
    //{{AFX_DATA_MAP(CDetectODDlg)
    //}}AFX_DATA_MAP
    CDialog::DoDataExchange(pDX);
}
// Message map for the main dialog: one button per anti-debugging technique.
// Note: OnButton1 (divide-by-zero / set_terminate test) is defined further
// down but is not mapped here, so it is never reached from the UI.
BEGIN_MESSAGE_MAP(CDetectODDlg, CDialog)
    //{{AFX_MSG_MAP(CDetectODDlg)
    ON_WM_SYSCOMMAND()
    ON_WM_PAINT()
    ON_WM_QUERYDRAGICON()
    ON_BN_CLICKED(IDC_WNDCLS, OnWndcls)                                     // window class name
    ON_BN_CLICKED(IDC_ISDEBUGGERPRESENT, OnIsdebuggerpresent)               // IsDebuggerPresent()
    ON_BN_CLICKED(IDC_ENUMWINDOW, OnEnumwindow)                             // window title scan
    ON_BN_CLICKED(IDC_EnumProcess, OnEnumProcess)                           // process name scan
    ON_BN_CLICKED(IDC_Explorer, OnExplorer)                                 // parent-process check
    ON_BN_CLICKED(IDC_GetTickCount, OnGetTickCount)                         // timing check
    ON_BN_CLICKED(IDC_GetStartupInfo, OnGetStartupInfo)                     // STARTUPINFO fields
    ON_BN_CLICKED(IDC_PEBFLAGS, OnPebflags)                                 // PEB / heap flags
    ON_BN_CLICKED(IDC_CHECKREMOTEDEBUGGERPRESENT, OnCheckremotedebuggerpresent)
    ON_BN_CLICKED(IDC_SetUnhandledExceptionFilter, OnSetUnhandledExceptionFilter) // INT3 + filter
    ON_BN_CLICKED(IDC_ZwQueryInformationProcess, OnZwQueryInformationProcess)     // ProcessDebugPort
    ON_BN_CLICKED(IDC_SeDebugPrivilege, OnSeDebugPrivilege)                 // open csrss.exe
    ON_BN_CLICKED(IDC_NTQueryObject, OnNTQueryObject)                       // DebugObject type counts
    ON_BN_CLICKED(IDC_DectectBreakpoints, OnDectectBreakpoints)             // 0xCC in own stub
    ON_BN_CLICKED(IDC_DectectFuncBreakpoints, OnDectectFuncBreakpoints)     // 0xCC in MessageBoxA
    ON_BN_CLICKED(IDC_BlockInput, OnBlockInput)                             // BlockInput()
    ON_BN_CLICKED(IDC_CHECKSUM, OnChecksum)                                 // code checksum
    ON_BN_CLICKED(IDC_EnableWindow, OnEnableWindow)                         // disable foreground window
    ON_BN_CLICKED(IDC_ZwSetInformationThread, OnZwSetInformationThread)     // ThreadHideFromDebugger
    ON_BN_CLICKED(IDC_OutputDebugString, OnOutputDebugString)               // "%s%s%s" payload
    ON_BN_CLICKED(IDC_GetEntryPoint, OnGetEntryPoint)                       // 0xCC at entry point
    ON_BN_CLICKED(IDC_TrapFlag, OnTrapFlag)                                 // EFLAGS.TF single-step
    ON_BN_CLICKED(IDC_GuardPages, OnGuardPages)                             // PAGE_GUARD page call
    ON_BN_CLICKED(IDC_HARDWAREBREAKPOINT, OnHardwarebreakpoint)             // DR0-DR3 via INT3
    ON_BN_CLICKED(IDC_ABOUT, OnAbout)
    ON_BN_CLICKED(IDC_MYPAGE2, OnMypage2)
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CDetectODDlg message handlers
// One-time dialog setup: append an "About..." entry to the system menu and
// install IDI_DOG as the window-class icon.
BOOL CDetectODDlg::OnInitDialog()
{
    CDialog::OnInitDialog();

    // IDM_ABOUTBOX must be usable as a system-command id: low four bits clear
    // and below the SC_* range.
    ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
    ASSERT(IDM_ABOUTBOX < 0xF000);

    CMenu* sysMenu = GetSystemMenu(FALSE);
    if (sysMenu != NULL)
    {
        CString aboutText;
        aboutText.LoadString(IDS_ABOUTBOX);
        if (!aboutText.IsEmpty())
        {
            sysMenu->AppendMenu(MF_SEPARATOR);
            sysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, aboutText);
        }
    }

    // The class icon is replaced instead of calling SetIcon(); every window
    // of this dialog class therefore shows the IDI_DOG icon.
    HICON dogIcon = LoadIcon(AfxGetApp()->m_hInstance, MAKEINTRESOURCE(IDI_DOG));
    SetClassLong(m_hWnd, GCL_HICON, (LONG)dogIcon);

    return TRUE;  // focus was not moved to a specific control
}
// System-menu dispatch: our appended "About..." item shows the About box;
// anything else is default dialog behaviour. The low four bits of nID are
// masked off before the comparison.
void CDetectODDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
    const BOOL isAboutItem = ((nID & 0xFFF0) == IDM_ABOUTBOX);
    if (!isAboutItem)
    {
        CDialog::OnSysCommand(nID, lParam);
        return;
    }
    CAboutDlg about;
    about.DoModal();
}
// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view model,
// this is automatically done for you by the framework.
// When minimised, paint the application icon centred in the client area
// ourselves (dialog-based apps do not get this from the framework);
// otherwise defer to the default dialog painting.
void CDetectODDlg::OnPaint()
{
    if (!IsIconic())
    {
        CDialog::OnPaint();
        return;
    }

    CPaintDC dc(this);
    SendMessage(WM_ICONERASEBKGND, (WPARAM)dc.GetSafeHdc(), 0);

    const int iconWidth = GetSystemMetrics(SM_CXICON);
    const int iconHeight = GetSystemMetrics(SM_CYICON);
    CRect client;
    GetClientRect(&client);

    // Centre, rounding up on odd differences.
    const int left = (client.Width() - iconWidth + 1) / 2;
    const int top = (client.Height() - iconHeight + 1) / 2;
    dc.DrawIcon(left, top, m_hIcon);
}
// The system calls this to obtain the cursor to display while the user drags
// the minimized window.
// Cursor shown while the user drags the minimised window: reuse the
// application icon.
HCURSOR CDetectODDlg::OnQueryDragIcon()
{
    HCURSOR dragCursor = (HCURSOR)m_hIcon;
    return dragCursor;
}
// Window-class check: look for any top-level window registered with the
// class name "OllyDbg". Only that exact class name is tested, so a debugger
// build that registers a different class is not noticed.
void CDetectODDlg::OnWndcls()
{
    HWND debuggerWindow = ::FindWindow("OllyDbg", NULL);
    if (debuggerWindow == NULL)
    {
        MessageBox("ûOD");
        return;
    }
    MessageBox("OD");
}
// The simplest check: IsDebuggerPresent() reports the PEB BeingDebugged flag
// of this process. It is also the easiest one for a debugger plug-in to hide.
void CDetectODDlg::OnIsdebuggerpresent()
{
    const BOOL attached = ::IsDebuggerPresent();
    MessageBox(attached ? "OD" : "ûOD");
}
/***************************************************/
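// EnumWindows callback for OnEnumwindow: reports and stops the enumeration
// (returns FALSE) at the first visible window whose title contains
// "Ollydbg" (case-insensitive). lParam is unused.
// The title buffer is zero-initialised and only used when GetWindowText
// reports a non-zero length, so a window with no text (or an invalid handle,
// for which GetWindowText returns 0) is skipped instead of being matched
// against whatever was on the stack. A retitled debugger window is not caught.
BOOL CALLBACK EnumWindowsProc(
    HWND hwnd,     // handle to the window being enumerated
    LPARAM lParam  // application-defined value (unused)
)
{
    char title[100] = {0};
    if (IsWindowVisible(hwnd))
    {
        const int length = ::GetWindowText(hwnd, title, sizeof(title));
        if (length > 0 && ::StrStrI(title, "Ollydbg") != NULL)
        {
            AfxMessageBox("OD");
            return FALSE;  // stop enumerating
        }
    }
    return TRUE;
}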
// Window-title scan: walk all top-level windows with EnumWindowsProc, which
// reports and aborts on a match. The trailing message is shown either way,
// so on a hit the user sees two boxes (the callback's and this one).
void CDetectODDlg::OnEnumwindow()
{
    ::EnumWindows(EnumWindowsProc, 0);
    AfxMessageBox("öٴڽδʾODûOD");
}
/***************************************************/
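// Process-name scan: walk a Toolhelp snapshot looking for an image named
// OLLYDBG.EXE (case-insensitive). Trivially defeated by renaming the
// debugger's executable.
// PROCESSENTRY32.dwSize is set before Process32First (the call fails with an
// invalid-parameter error otherwise, after which the loop would compare
// uninitialised entries), its result is checked, and the snapshot handle is
// only closed when it was actually opened.
void CDetectODDlg::OnEnumProcess()
{
    HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return;  // nothing to close, nothing to report

    BOOL found = FALSE;
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(entry);  // required by Process32First
    if (::Process32First(snapshot, &entry))
    {
        do
        {
            if (0 == lstrcmpi("OLLYDBG.EXE", entry.szExeFile))
            {
                AfxMessageBox("OD");
                found = TRUE;
                break;
            }
        } while (::Process32Next(snapshot, &entry));
    }
    if (!found)
        AfxMessageBox("ûOD");

    ::CloseHandle(snapshot);
}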
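// Parent-process check. A program started from the desktop shell has
// Explorer as its parent; one started by a debugger has the debugger as its
// parent. Explorer's PID is taken from the owner of the "Progman" desktop
// window, our parent PID from our own Toolhelp entry, and the two are shown
// and compared. Anything else that launches the program (a console, an IDE,
// a scheduler) also fails the comparison, so a mismatch is a hint, not proof.
// Both PIDs start at 0 so a failed lookup is visible in the report rather
// than an uninitialised value; PROCESSENTRY32.dwSize is set (Process32First
// fails without it); the snapshot is only closed when it was opened.
void CDetectODDlg::OnExplorer()
{
    const DWORD selfPid = ::GetCurrentProcessId();
    DWORD parentPid = 0;    // stays 0 if our own entry is not found
    DWORD explorerPid = 0;  // stays 0 if there is no Progman window

    HWND progman = ::FindWindow("Progman", NULL);
    if (progman != NULL)
        ::GetWindowThreadProcessId(progman, &explorerPid);

    HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return;

    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(entry);  // required by Process32First
    if (::Process32First(snapshot, &entry))
    {
        do
        {
            if (entry.th32ProcessID == selfPid)
            {
                parentPid = entry.th32ParentProcessID;
                break;  // only our own entry is needed
            }
        } while (::Process32Next(snapshot, &entry));
    }
    ::CloseHandle(snapshot);

    CString report;
    report.Format("̣%d ̣%d Explorer: %d ", selfPid, parentPid, explorerPid);
    MessageBox(report);

    if (explorerPid == parentPid)
    {
        AfxMessageBox("ûOD");
    }
    else
    {
        AfxMessageBox("OD");
    }
}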
// Timing check: a few trivial calls should take nowhere near 100 ms of
// wall-clock time. Single-stepping or pausing in the debugger between the
// two GetTickCount reads exceeds the budget; a debugger that just lets the
// code run is not detected. GetTickCount's coarse resolution is why the
// threshold is generous.
void CDetectODDlg::OnGetTickCount()
{
    const DWORD start = ::GetTickCount();
    for (int i = 0; i < 4; ++i)
        ::GetCurrentProcessId();  // filler work between the two timestamps
    const DWORD end = ::GetTickCount();

    const BOOL tooSlow = (end - start) > 100;
    if (tooSlow)
        AfxMessageBox("OD");
    else
        AfxMessageBox("ûOD");
}
// STARTUPINFO check. The window-placement fields (position, size, console
// character counts, fill attribute) are handed down from whoever created the
// process; the check treats any non-zero value as the mark of a process
// created by a debugger. Other launchers can populate these fields too, so a
// hit here is not proof of a debugger.
void CDetectODDlg::OnGetStartupInfo()
{
    STARTUPINFO startup;
    ZeroMemory(&startup, sizeof(startup));
    ::GetStartupInfo(&startup);

    const BOOL placementSet =
        startup.dwX != 0 || startup.dwY != 0 ||
        startup.dwXSize != 0 || startup.dwYSize != 0 ||
        startup.dwXCountChars != 0 || startup.dwYCountChars != 0 ||
        startup.dwFillAttribute != 0;

    if (placementSet)
        AfxMessageBox("OD");
    else
        AfxMessageBox("ûOD");
}
//**********************************************
// Local copies of native-API declarations used by the PEB and debug-port
// checks. Everything here is a 32-bit layout: pointers (PPEB) and affinity
// masks are declared as ULONG, so these structures are not valid for a
// 64-bit build.
typedef ULONG NTSTATUS;
typedef ULONG PPEB;
typedef ULONG KAFFINITY;
typedef ULONG KPRIORITY;
// Result of ProcessBasicInformation (class 0); PebBaseAddress is what
// OnPebflags dereferences.
typedef struct _PROCESS_BASIC_INFORMATION { // Information Class 0
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;
    KAFFINITY AffinityMask;
    KPRIORITY BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
// Information classes for ZwQueryInformationProcess (Y/N = query/set
// supported). Only ProcessBasicInformation (0) and ProcessDebugPort (7) are
// used in this file.
typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation, // 0 Y N
    ProcessQuotaLimits, // 1 Y Y
    ProcessIoCounters, // 2 Y N
    ProcessVmCounters, // 3 Y N
    ProcessTimes, // 4 Y N
    ProcessBasePriority, // 5 N Y
    ProcessRaisePriority, // 6 N Y
    ProcessDebugPort, // 7 Y Y
    ProcessExceptionPort, // 8 N Y
    ProcessAccessToken, // 9 N Y
    ProcessLdtInformation, // 10 Y Y
    ProcessLdtSize, // 11 N Y
    ProcessDefaultHardErrorMode, // 12 Y Y
    ProcessIoPortHandlers, // 13 N Y
    ProcessPooledUsageAndLimits, // 14 Y N
    ProcessWorkingSetWatch, // 15 Y Y
    ProcessUserModeIOPL, // 16 N Y
    ProcessEnableAlignmentFaultFixup, // 17 N Y
    ProcessPriorityClass, // 18 N Y
    ProcessWx86Information, // 19 Y N
    ProcessHandleCount, // 20 Y N
    ProcessAffinityMask, // 21 N Y
    ProcessPriorityBoost, // 22 Y Y
    ProcessDeviceMap,// 23 Y Y
    ProcessSessionInformation, // 24 Y Y
    ProcessForegroundInformation, // 25 N Y
    ProcessWow64Information // 26 Y N
} PROCESSINFOCLASS;
// Function-pointer type for ntdll!ZwQueryInformationProcess, resolved with
// GetProcAddress at run time (it is not in the import libraries).
typedef NTSTATUS (_stdcall *ZwQueryInformationProcess)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength
); // function-pointer typedef
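// PEB-flag check. Reads three debugger-sensitive fields out of this
// process's own PEB via ReadProcessMemory:
//   PEB+0x68          NtGlobalFlag  - FLG_HEAP_ENABLE_TAIL_CHECK |
//                                     FLG_HEAP_ENABLE_FREE_CHECK |
//                                     FLG_HEAP_VALIDATE_PARAMETERS (0x70)
//                                     are set when a debugger created us
//   PEB+0x18          ProcessHeap   - pointer to the default heap
//   ProcessHeap+0x0c  Flags         - expected 2 (HEAP_GROWABLE) undebugged
//   ProcessHeap+0x10  ForceFlags    - expected 0 undebugged
// All offsets are hard-coded for one 32-bit PEB/HEAP layout.
// NOTE(review): the heap Flags/ForceFlags offsets are known to move between
// Windows versions; on a layout that differs, unrelated bytes are read and a
// debugger is reported that is not there. Confirm for the target OS.
// NtGlobalFlag is tested with a mask (not equality) so additional gflags
// bits cannot hide the three debugger bits; the ntdll export is NULL-checked
// before being called; ntdll is looked up with GetModuleHandle since it is
// always mapped (no extra LoadLibrary reference).
void CDetectODDlg::OnPebflags()
{
    const WORD kDebugHeapFlags = 0x70;

    HANDLE hProcess = ::OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                    FALSE, ::GetCurrentProcessId());
    if (hProcess == NULL)
        return;

    HMODULE ntdll = ::GetModuleHandle("ntdll.dll");
    ZwQueryInformationProcess queryProcess = ntdll == NULL ? NULL :
        (ZwQueryInformationProcess)::GetProcAddress(ntdll, "ZwQueryInformationProcess");

    if (queryProcess != NULL)
    {
        PROCESS_BASIC_INFORMATION pbi = {0};
        ULONG returned = 0;
        if (queryProcess(hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &returned) == 0)
        {
            BOOL found = FALSE;
            const ULONG pebBase = (ULONG)pbi.PebBaseAddress;
            ULONG heapBase = pebBase;  // replaced by PEB.ProcessHeap if readable
            WORD flag = 0;
            DWORD heapPointer = 0;
            DWORD bytes = 0;

            // PEB.NtGlobalFlag (low 16 bits are enough for the 0x70 mask)
            if (::ReadProcessMemory(hProcess, (LPCVOID)(pebBase + 0x68), &flag, 2, &bytes) && bytes == 2)
            {
                if ((flag & kDebugHeapFlags) == kDebugHeapFlags)
                    found = TRUE;
            }
            // PEB.ProcessHeap
            if (::ReadProcessMemory(hProcess, (LPCVOID)(pebBase + 0x18), &heapPointer, 4, &bytes) && bytes == 4)
            {
                heapBase = heapPointer;
            }
            // ProcessHeap.Flags
            if (::ReadProcessMemory(hProcess, (LPCVOID)(heapBase + 0x0c), &flag, 2, &bytes) && bytes == 2)
            {
                if (flag != 2)
                    found = TRUE;
            }
            // ProcessHeap.ForceFlags
            if (::ReadProcessMemory(hProcess, (LPCVOID)(heapBase + 0x10), &flag, 2, &bytes) && bytes == 2)
            {
                if (flag != 0)
                    found = TRUE;
            }

            if (found)
                AfxMessageBox("OD");
            else
                AfxMessageBox("ûOD");
        }
    }
    ::CloseHandle(hProcess);
}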
//*******************************************************************
// kernel32!CheckRemoteDebuggerPresent, resolved at run time because not
// every kernel32 exports it (OnCheckremotedebuggerpresent).
typedef BOOL (WINAPI *CHECK_REMOTE_DEBUGGER_PRESENT)(HANDLE, PBOOL);
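// CheckRemoteDebuggerPresent on our own process handle. The API is resolved
// at run time and NULL-checked: older kernel32 builds do not export it, and
// calling through a NULL pointer would crash. When it is unavailable (or
// returns FALSE) nothing can be concluded, and the flag stays FALSE.
void CDetectODDlg::OnCheckremotedebuggerpresent()
{
    BOOL debuggerPresent = FALSE;

    HMODULE kernel32 = ::GetModuleHandleA("Kernel32");
    CHECK_REMOTE_DEBUGGER_PRESENT checkRemote = kernel32 == NULL ? NULL :
        (CHECK_REMOTE_DEBUGGER_PRESENT)::GetProcAddress(kernel32, "CheckRemoteDebuggerPresent");

    if (checkRemote != NULL)
    {
        // On failure debuggerPresent is left untouched (FALSE).
        checkRemote(::GetCurrentProcess(), &debuggerPresent);
    }

    if (debuggerPresent)
        AfxMessageBox("OD");
    else
        AfxMessageBox("ûOD");
}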
//********************************************************
// Second function-pointer type for ntdll!ZwQueryInformationProcess (same
// signature as ZwQueryInformationProcess above); used by the
// ProcessDebugPort query in OnZwQueryInformationProcess.
typedef NTSTATUS (_stdcall *ZW_QUERY_INFORMATION_PROCESS)(
    HANDLE ProcessHandle,
    PROCESSINFOCLASS ProcessInformationClass, // selects which structure is returned
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength
); // function-pointer typedef
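// ProcessDebugPort query: the kernel returns a non-zero value when a
// debugger is attached to the process. The result variable is
// zero-initialised and the NTSTATUS is checked, so a failed query (or a
// missing export) can never be misread as a debug port.
void CDetectODDlg::OnZwQueryInformationProcess()
{
    DWORD debugPort = 0;

    HMODULE ntdll = ::GetModuleHandle("ntdll.dll");
    ZW_QUERY_INFORMATION_PROCESS queryProcess = ntdll == NULL ? NULL :
        (ZW_QUERY_INFORMATION_PROCESS)::GetProcAddress(ntdll, "ZwQueryInformationProcess");

    if (queryProcess != NULL)
    {
        const NTSTATUS status = queryProcess(::GetCurrentProcess(), ProcessDebugPort,
                                             &debugPort, sizeof(debugPort), NULL);
        if (status != 0)
            debugPort = 0;  // query failed: no evidence either way
    }

    if (debugPort != 0)
        AfxMessageBox("OD");
    else
        AfxMessageBox("ûOD");
}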
//********************************************************
// State shared by the SetUnhandledExceptionFilter-based checks.
static DWORD lpOldHandler;  // previous top-level filter, to be restored after each check
// kernel32!SetUnhandledExceptionFilter, resolved at run time by the handlers
// that use it.
typedef LPTOP_LEVEL_EXCEPTION_FILTER (_stdcall *pSetUnhandledExceptionFilter)(
    LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter
);
pSetUnhandledExceptionFilter lpSetUnhandledExceptionFilter;  // set by each handler before use
// Top-level filter for OnSetUnhandledExceptionFilter. It only runs when no
// debugger swallowed the INT3: it restores the previous filter, redirects
// the faulting context to NewEip (the "safe" label) and resumes. The
// pushad/popad pair preserves registers around the C++ calls; the filter
// relies on the compiler keeping locals EBP-relative while ESP is shifted.
LONG WINAPI TopUnhandledExceptionFilter(
    struct _EXCEPTION_POINTERS *ExceptionInfo
)
{
    _asm pushad
    AfxMessageBox("ص");
    lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler);
    ExceptionInfo->ContextRecord->Eip=NewEip; // resume at the safe label
    _asm popad
    return EXCEPTION_CONTINUE_EXECUTION;
}
// INT3 + top-level filter check. Install TopUnhandledExceptionFilter, store
// the address of the `safe` label in NewEip, then execute INT3:
//  - with no debugger the breakpoint exception reaches the filter, which
//    resumes at `safe`, so isDebugged stays 0 -> "no debugger";
//  - a debugger receives the exception first and normally swallows it, so
//    execution falls through to the "debugger" message and isDebugged=1.
// The local isDebugged shadows the file-level static of the same name used
// by OnGuardPages. The GetProcAddress result is used without a NULL check.
void CDetectODDlg::OnSetUnhandledExceptionFilter()
{
    bool isDebugged=0;
    lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")),
        "SetUnhandledExceptionFilter");
    lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter);
    _asm{ // compute the resume address
        call me                 // approach 1: push EIP so it can be read back (needs an offset to reach safe)
        me:
        pop NewEip              // approach 1: NewEip = address of `me`
        mov NewEip,offset safe  // approach 2 (the one in effect): address of the label directly
        int 3                   // breakpoint: swallowed by a debugger, otherwise -> filter
    }
    AfxMessageBox("OD");
    isDebugged=1;
    _asm{
        safe:
    }
    if(1==isDebugged){
    }else{
        AfxMessageBox("ûOD");
    }
}
//********************************************************
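// SeDebugPrivilege check: try to open csrss.exe with PROCESS_QUERY_INFORMATION.
// Success is taken to mean this process inherited an enabled SeDebugPrivilege
// from the debugger that created it. One message box is shown per csrss.exe
// instance found.
// NOTE(review): an elevated/administrative token may also succeed here, so
// treat a hit as a hint rather than proof.
// PROCESSENTRY32.dwSize is set (Process32First fails without it), the
// csrss handle is only closed when OpenProcess succeeded, and the snapshot
// handle is only closed when it was opened.
void CDetectODDlg::OnSeDebugPrivilege()
{
    HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return;

    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(entry);  // required by Process32First
    if (::Process32First(snapshot, &entry))
    {
        do
        {
            if (0 != lstrcmpi("csrss.exe", entry.szExeFile))
                continue;  // jumps to the while() test

            HANDLE csrss = ::OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, entry.th32ProcessID);
            if (csrss != NULL)
            {
                AfxMessageBox("OD");
                ::CloseHandle(csrss);
            }
            else
            {
                AfxMessageBox("ûOD");
            }
        } while (::Process32Next(snapshot, &entry));
    }
    ::CloseHandle(snapshot);
}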
//***************************************************************
// Local copies of the object-manager declarations used by OnNTQueryObject.
// Guarded so a project header that already defines the status code wins.
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((UINT32)0xC0000004L)
#endif
typedef enum _POOL_TYPE {
    NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed,
    DontUseThisType,
    NonPagedPoolCacheAligned,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS
} POOL_TYPE;
// Length/MaximumLength are byte counts; Buffer is not guaranteed to be
// NUL-terminated.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef enum _OBJECT_INFORMATION_CLASS
{
    ObjectBasicInformation, // Result is OBJECT_BASIC_INFORMATION structure
    ObjectNameInformation, // Result is OBJECT_NAME_INFORMATION structure
    ObjectTypeInformation, // Result is OBJECT_TYPE_INFORMATION structure
    ObjectAllTypesInformation, // Result is OBJECT_ALL_INFORMATION structure
    ObjectDataInformation // Result is OBJECT_DATA_INFORMATION structure
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
// One entry of the all-types table. OnNTQueryObject only uses TypeName and
// the two Total* counters, and steps to the next entry via TypeName.Buffer,
// so the remaining fields are never dereferenced here.
typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING TypeName;
    ULONG TotalNumberOfHandles;
    ULONG TotalNumberOfObjects;
    WCHAR Unused1[8];
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    WCHAR Unused2[8];
    ACCESS_MASK InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ACCESS_MASK ValidAttributes;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    USHORT MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
// Declared but not used in this file (OnNTQueryObject uses
// OBJECT_ALL_TYPES_INFORMATION below).
typedef struct _OBJECT_ALL_INFORMATION {
    ULONG NumberOfObjectsTypes;
    OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;
// Header of the variable-length table returned for ObjectAllTypesInformation.
typedef struct _OBJECT_ALL_TYPES_INFORMATION {
    ULONG NumberOfTypes;
    OBJECT_TYPE_INFORMATION TypeInformation[1];
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
// ntdll!ZwQueryObject, resolved at run time. Returns the NTSTATUS as UINT32
// (the NTSTATUS typedef earlier in this file is ULONG; same width here).
typedef UINT32 (__stdcall *ZwQueryObject_t) (
    IN HANDLE ObjectHandle,
    IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
    OUT PVOID ObjectInformation,
    IN ULONG Length,
    OUT PULONG ResultLength );
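// Kernel object-type check. Fetches the table of all object types and looks
// at the "DebugObject" entry: non-zero handle/object counts mean a debugger
// has a debug object open somewhere on the machine. Because the counters are
// system-wide, this says "some debugger is debugging something", not that it
// is attached to this process (and, per the original author's note, a
// debugger that is merely running with nothing attached is not seen at all).
// The buffer pointer starts NULL and is freed on every path after
// allocation, the size out-parameter is initialised, the ntdll export is
// NULL-checked, and the type name is compared by its UNICODE_STRING length
// instead of assuming a NUL terminator.
void CDetectODDlg::OnNTQueryObject()
{
    HMODULE ntdll = ::GetModuleHandle("ntdll.dll");
    if (ntdll == NULL)
        return;
    ZwQueryObject_t queryObject = (ZwQueryObject_t)::GetProcAddress(ntdll, "ZwQueryObject");
    if (queryObject == NULL)
        return;

    // Size probe: expected to fail with STATUS_INFO_LENGTH_MISMATCH and
    // report the required buffer size.
    DWORD needed = 0;
    UINT32 status = queryObject(NULL, ObjectAllTypesInformation, NULL, 0, &needed);
    if (status != STATUS_INFO_LENGTH_MISMATCH || needed == 0)
    {
        AfxMessageBox("ûOD!");
        return;
    }

    OBJECT_ALL_TYPES_INFORMATION* types = (OBJECT_ALL_TYPES_INFORMATION*)
        ::VirtualAlloc(NULL, needed, MEM_COMMIT, PAGE_READWRITE);
    if (types == NULL)
        return;

    status = queryObject(NULL, ObjectAllTypesInformation, types, needed, &needed);
    if (status != 0)
    {
        ::VirtualFree(types, 0, MEM_RELEASE);
        return;  // no result: report nothing
    }

    BOOL found = FALSE;
    // UNICODE_STRING.Length is in bytes and excludes any terminator.
    const USHORT kNameBytes = (USHORT)(sizeof(L"DebugObject") - sizeof(WCHAR));
    OBJECT_TYPE_INFORMATION* type = types->TypeInformation;
    for (UINT i = 0; i < types->NumberOfTypes; ++i)
    {
        if (type->TypeName.Length == kNameBytes &&
            0 == _wcsnicmp(type->TypeName.Buffer, L"DebugObject", kNameBytes / sizeof(WCHAR)))
        {
            found = type->TotalNumberOfHandles > 0 || type->TotalNumberOfObjects > 0;
            break;  // stop at the first match
        }
        // Entries are variable-length: the name buffer follows the structure
        // and the next entry starts at the buffer end rounded up to 4 bytes.
        type = (OBJECT_TYPE_INFORMATION*)((char*)type->TypeName.Buffer +
                                          ((type->TypeName.MaximumLength + 3) & ~3));
    }
    ::VirtualFree(types, 0, MEM_RELEASE);

    if (found)
        AfxMessageBox("OD");
    else
        AfxMessageBox("ûOD!");
}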
/*********************************************************/
// Software-breakpoint scan over a small stub of this function's own code.
// The stub between CodeStart and CodeEnd is jumped over (never executed) and
// then searched for a 0xCC (INT3) byte with REPNE SCASB; ZF set after the
// scan means a byte matched. Only a breakpoint placed inside this stub is
// detected; breakpoints anywhere else in the program are not. The stub's
// expected encoding contains no 0xCC byte, so a hit is a planted INT3.
// Returns TRUE when a 0xCC byte was found.
BOOL DetectBreakpoints()
{
    BOOL bFoundOD;
    bFoundOD=FALSE;
    __asm
    {
        jmp CodeEnd
        CodeStart: mov eax,ecx ;start of the scanned (never executed) stub
        nop
        push eax
        push ecx
        pop ecx
        pop eax
        CodeEnd:
        cld ;scan forward from CodeStart
        mov edi,offset CodeStart
        mov edx,offset CodeStart
        mov ecx,offset CodeEnd
        sub ecx,edx ;ecx = stub length in bytes
        mov al,0CCH ;INT3 opcode
        repne scasb
        jnz ODNotFound ;ZF clear: no 0xCC in the stub
        mov bFoundOD,1
        ODNotFound:
    }
    return bFoundOD;
}
// Button handler: report the result of DetectBreakpoints() (0xCC scan of
// this module's own stub).
void CDetectODDlg::OnDectectBreakpoints()
{
    const BOOL planted = DetectBreakpoints();
    AfxMessageBox(planted ? "OD" : "ûOD");
}
/*********************************************************/
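// API-breakpoint scan: look for a 0xCC (INT3) byte within the first 100
// bytes of user32!MessageBoxA, where a debugger user might have set a
// breakpoint. Returns TRUE when one is found.
// NOTE(review): 0xCC can legitimately occur as an operand byte, and
// MSVC-linked modules pad between functions with INT3 bytes, so a fixed
// 100-byte window can report a breakpoint that was never set; confirm the
// window against the target user32 before relying on it.
// The address is NULL-checked before the scan (a failed lookup would
// otherwise scan from address 0 and fault), and user32 is looked up with
// GetModuleHandle since an MFC process already has it mapped.
BOOL DetectFuncBreakpoints()
{
    BOOL bFoundOD;
    bFoundOD=FALSE;
    DWORD dwAddr = 0;
    HMODULE user32 = ::GetModuleHandle("user32.dll");
    if (user32 != NULL)
        dwAddr = (DWORD)::GetProcAddress(user32, "MessageBoxA");
    if (dwAddr == 0)
        return bFoundOD;  // cannot scan: nothing to report
    __asm
    {
        cld ;scan forward from the function start
        mov edi,dwAddr
        mov ecx,100 ;100 bytes
        mov al,0CCH ;INT3 opcode
        repne scasb
        jnz ODNotFound ;ZF clear: no 0xCC in the window
        mov bFoundOD,1
        ODNotFound:
    }
    return bFoundOD;
}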
// Button handler: report the result of DetectFuncBreakpoints() (0xCC scan
// of the start of MessageBoxA).
void CDetectODDlg::OnDectectFuncBreakpoints()
{
    const BOOL planted = DetectFuncBreakpoints();
    AfxMessageBox(planted ? "OD" : "ûOD");
}
// BlockInput trick (needs Winable.h): block all keyboard and mouse input
// around a trivial piece of work. If a debugger stops inside the window the
// user cannot operate the debugger (or anything else) until the process
// resumes. Nothing is reported; the side effect is the whole "output", and
// it applies to the entire interactive session.
void CDetectODDlg::OnBlockInput()
{
    ::BlockInput(TRUE);
    DWORD filler = 2;
    DWORD other = 3;
    filler = other;  // placeholder work between the two calls
    ::BlockInput(FALSE);
}
/*********************************************************/
// Code-integrity check: sum the first 100 bytes of this very function
// (eax = rol(eax + byte, 1) per byte) and compare against CHECK_SUM. Any
// patched byte or planted INT3 in that window changes the sum. Returns TRUE
// when the sum does NOT match.
// CHECK_SUM (5555) is a placeholder: per the original comment it must be
// replaced with the real value for the built binary, and until then the
// check always reports a modification. NOTE(review): the immediate that
// loads CHECK_SUM is itself likely inside the summed window, so calibrating
// the constant may take more than one iteration.
BOOL CheckSum()
{
    BOOL bFoundOD;
    bFoundOD=FALSE;
    DWORD CHECK_SUM=5555; // correct checksum value must be filled in
    DWORD dwAddr;
    dwAddr=(DWORD)CheckSum;
    __asm
    {
        ;sum the function's own first 100 bytes
        mov esi,dwAddr
        mov ecx,100
        xor eax,eax
        checksum_loop:
        movzx ebx,byte ptr [esi]
        add eax,ebx
        rol eax,1
        inc esi
        loop checksum_loop
        cmp eax,CHECK_SUM
        jz ODNotFound ;sum matches: code unmodified
        mov bFoundOD,1
        ODNotFound:
    }
    return bFoundOD;
}
// Button handler: report the result of CheckSum() (self-checksum of the
// CheckSum function's first 100 bytes).
void CDetectODDlg::OnChecksum()
{
    const BOOL modified = CheckSum();
    AfxMessageBox(modified ? "OD" : "ûOD");
}
/*********************************************************/
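// EnableWindow trick: disable whatever window is in the foreground, do a
// little work, then re-enable it. If a debugger breaks in between, the
// disabled window (assumed to be the debugger's) stays unusable. Nothing is
// reported. When the button is clicked the foreground window is normally
// this dialog itself, so the effect is only visible with a breakpoint here.
// GetForegroundWindow can return NULL (e.g. during activation changes); the
// NULL is checked instead of being dereferenced.
void CDetectODDlg::OnEnableWindow()
{
    CWnd* foreground = GetForegroundWindow();
    if (foreground == NULL)
        return;

    foreground->EnableWindow(FALSE);
    DWORD filler = 2;
    DWORD other = 3;
    filler = other;  // placeholder work between disable and enable
    foreground->EnableWindow(TRUE);
}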
/*********************************************************/
// Thread information classes for ZwSetInformationThread (Y/N = query/set).
// Only ThreadHideFromDebugger (17) is used here, by OnZwSetInformationThread.
typedef enum _THREADINFOCLASS {
    ThreadBasicInformation, // 0 Y N
    ThreadTimes, // 1 Y N
    ThreadPriority, // 2 N Y
    ThreadBasePriority, // 3 N Y
    ThreadAffinityMask, // 4 N Y
    ThreadImpersonationToken, // 5 N Y
    ThreadDescriptorTableEntry, // 6 Y N
    ThreadEnableAlignmentFaultFixup, // 7 N Y
    ThreadEventPair, // 8 N Y
    ThreadQuerySetWin32StartAddress, // 9 Y Y
    ThreadZeroTlsCell, // 10 N Y
    ThreadPerformanceCount, // 11 Y N
    ThreadAmILastThread, // 12 Y N
    ThreadIdealProcessor, // 13 N Y
    ThreadPriorityBoost, // 14 Y Y
    ThreadSetTlsArrayAddress, // 15 N Y
    ThreadIsIoPending, // 16 Y N
    ThreadHideFromDebugger // 17 N Y
} THREAD_INFO_CLASS;
// ntdll!ZwSetInformationThread, resolved at run time.
typedef NTSTATUS (NTAPI *ZwSetInformationThread)(
    IN HANDLE ThreadHandle,
    IN THREAD_INFO_CLASS ThreadInformaitonClass,
    IN PVOID ThreadInformation,
    IN ULONG ThreadInformationLength
);
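// ThreadHideFromDebugger on the calling (UI) thread: the kernel stops
// delivering this thread's debug events to an attached debugger. There is no
// report; the effect is the only output.
// NOTE(review): after this call a breakpoint or exception in this thread is
// no longer seen by the debugger, so a debugger session typically ends in
// the process dying or hanging rather than stopping; the setting cannot be
// reverted for the thread. Use deliberately.
// The ntdll export is NULL-checked before the call; the information buffer
// is NULL with length 0 as this class takes no data; ntdll is looked up with
// GetModuleHandle (it is always mapped) instead of an extra LoadLibrary.
void CDetectODDlg::OnZwSetInformationThread()
{
    HMODULE ntdll = ::GetModuleHandle("ntdll.dll");
    if (ntdll == NULL)
        return;

    ZwSetInformationThread setThreadInfo =
        (ZwSetInformationThread)::GetProcAddress(ntdll, "ZwSetInformationThread");
    if (setThreadInfo == NULL)
        return;

    setThreadInfo(::GetCurrentThread(), ThreadHideFromDebugger, NULL, 0);
}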
/*********************************************************/
// Send a string made only of printf-style conversion specifiers to the
// debugger. With no debugger attached the call is a no-op; the payload is
// aimed at a debugger that formats the received text unsafely (presumably
// the well-known OllyDbg 1.10 format-string bug). Nothing is reported.
void CDetectODDlg::OnOutputDebugString()
{
    static const char kPayload[] = "%s%s%s";
    ::OutputDebugString(kPayload);
}
/*********************************************************/
// Entry-point scan: read AddressOfEntryPoint from our own in-memory PE
// headers, show the RVA, then inspect the first 20 bytes of code at the
// entry point for an INT3 (0xCC). A hit terminates the process silently,
// on the assumption that a software breakpoint there belongs to a debugger.
// A legitimate 0xCC byte in that window would terminate the program too.
void CDetectODDlg::OnGetEntryPoint()
{
    const IMAGE_DOS_HEADER* dosHeader = (const IMAGE_DOS_HEADER*)::GetModuleHandle(NULL);
    const IMAGE_NT_HEADERS32* ntHeaders =
        (const IMAGE_NT_HEADERS32*)((const BYTE*)dosHeader + dosHeader->e_lfanew);
    const DWORD entryRva = ntHeaders->OptionalHeader.AddressOfEntryPoint;

    CString text;
    text.Format("%x", entryRva);
    AfxMessageBox(text);

    const BYTE* entryCode = (const BYTE*)dosHeader + entryRva;
    const unsigned long kScanBytes = 20;
    for (unsigned long i = 0; i < kScanBytes; ++i)
    {
        if (entryCode[i] == 0xcc)
            ::ExitProcess(0);
    }
}
/**************************************************************/
// std::terminate handler installed by OnButton1: announce and end the
// process with exit(0) instead of the default abort().
void terminateFunc()
{
    AfxMessageBox("set_terminateָĺ\n");
    exit(0);
}
// Not wired into the message map (no ON_BN_CLICKED for it), so currently
// dead code. Intent: force an integer divide-by-zero inside a try block.
// The hardware fault is not a C++ exception; whether catch(...) sees it
// depends on the compiler's exception model (MSVC asynchronous /EHa
// semantics) - confirm for the build. With a debugger attached the fault is
// delivered to the debugger first. Nothing throws an int, so the catch(int)
// arm never runs; the catch(...) arm calls terminate(), which runs
// terminateFunc and exit(0)s.
void CDetectODDlg::OnButton1()
{
    set_terminate(terminateFunc);
    try{
        div(10,0); // integer divide by zero: a CPU fault, not a thrown C++ exception
    }catch(int){
        AfxMessageBox("쳣");
    }catch(...){
        terminate(); // -> terminateFunc -> exit(0)
    }
    AfxMessageBox("");
}
//********************************************************
// Single-step (trap-flag) check. Setting EFLAGS.TF makes the CPU raise a
// single-step exception after the next instruction:
//  - a debugger receives it first and normally consumes it, so control
//    falls through to the "debugger" message;
//  - with no debugger it surfaces as a structured exception and lands in
//    catch(...), which here means "no debugger".
// Reaching catch(...) from a hardware exception relies on the compiler
// mapping SEH onto C++ catch (MSVC asynchronous /EHa semantics) - confirm
// for the build; with synchronous exceptions the fault is unhandled instead.
void CDetectODDlg::OnTrapFlag()
{
    try{
        _asm{
            pushfd                  // EFLAGS -> stack
            or dword ptr [esp],100h ;set TF (bit 8)
            popfd                   // single-step fires after this instruction
        }
        AfxMessageBox("OD");
    }catch(...){
        AfxMessageBox("ûOD");
    }
}
//********************************************************
// Result flag for the guard-page check. Starts as 1 ("debugged"); only
// TopUnhandledExceptionFilter2 lowers it to 0, so a caller that reuses it
// must set it back to 1 before each run. Not the same variable as the local
// isDebugged in OnSetUnhandledExceptionFilter.
static bool isDebugged=1;
// Top-level filter for OnGuardPages. It runs only when no debugger swallowed
// the guard-page fault: it restores the previous filter, records "not
// debugged" in isDebugged and resumes at NewEip (the "safe" label). The
// pushad/popad pair preserves registers around the C++ calls.
LONG WINAPI TopUnhandledExceptionFilter2(
    struct _EXCEPTION_POINTERS *ExceptionInfo
)
{
    _asm pushad
    AfxMessageBox("ص");
    lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler);
    ExceptionInfo->ContextRecord->Eip=NewEip; // resume at the safe label
    isDebugged=0; // the fault reached us, so no debugger consumed it
    _asm popad
    return EXCEPTION_CONTINUE_EXECUTION;
}
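// Guard-page check. Allocate one page, write a single RETN into it, mark it
// PAGE_EXECUTE_READ | PAGE_GUARD and call into it:
//  - without a debugger the CPU raises a guard-page fault, the filter
//    installed here (TopUnhandledExceptionFilter2) clears isDebugged and
//    resumes at `safe`;
//  - OllyDbg-style debuggers use guard pages for their own memory
//    breakpoints and swallow the fault, so the RETN runs, the filter never
//    fires and isDebugged stays 1.
// isDebugged is a file-level static that the filter can only lower, so it is
// re-armed here on every run (otherwise one undebugged run would make every
// later run report "no debugger"). The page is released (MEM_RELEASE, which
// also drops the reservation) rather than just decommitted, the previous
// unhandled-exception filter is restored on every path, and an allocation
// failure returns instead of writing through a NULL pointer.
// NOTE(review): on the debugged path the RETN has already consumed the
// return address, so the final `pop ecx` removes one extra dword; the
// function relies on an EBP-based frame to tolerate that.
void CDetectODDlg::OnGuardPages()
{
    ULONG dwOldType;
    SYSTEM_INFO sysInfo;
    ::GetSystemInfo(&sysInfo);
    DWORD dwPageSize = sysInfo.dwPageSize;

    isDebugged = 1;  // re-arm: only the filter lowers it

    lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)
        ::GetProcAddress(::GetModuleHandle("kernel32.dll"), "SetUnhandledExceptionFilter");
    if (lpSetUnhandledExceptionFilter == NULL)
        return;
    lpOldHandler = (DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter2);

    LPVOID lpvBase = ::VirtualAlloc(NULL, dwPageSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpvBase == NULL)
    {
        AfxMessageBox("ڴʧ");
        lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)lpOldHandler);
        return;  // nothing to call into
    }

    _asm{
        mov NewEip,offset safe  // resume address for the filter
        mov eax,lpvBase
        push eax                // keep the page address for the call below
        mov byte ptr [eax],0C3H // a single RETN so the call returns at once
    }
    if (0 == ::VirtualProtect(lpvBase, dwPageSize, PAGE_EXECUTE_READ | PAGE_GUARD, &dwOldType))
    {
        AfxMessageBox("ִʧ");
    }
    _asm{
        pop ecx
        call ecx                // guard-page fault unless a debugger eats it
        safe:
        pop ecx                 // rebalance the stack on the filter-resume path
    }
    lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)lpOldHandler);

    if (1 == isDebugged)
        AfxMessageBox("OD");
    else
        AfxMessageBox("ûOD");

    ::VirtualFree(lpvBase, 0, MEM_RELEASE);
}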
//********************************************************
// Result flag for the hardware-breakpoint check. Raised to 1 either by
// TopUnhandledExceptionFilterHBP (a debug register was set) or by the inline
// asm in OnHardwarebreakpoint (a debugger swallowed the INT3); nothing in
// the filter lowers it, so a caller must clear it before each run.
static bool isDebuggedHBP=0;
// Top-level filter for OnHardwarebreakpoint. Runs only when no debugger
// swallowed the INT3: it flags a hardware breakpoint if any of DR0-DR3 in
// the faulting context is non-zero, clears all debug registers in that
// context (they are written back when execution resumes) and resumes at
// NewEip. Unlike the other two filters it does not restore lpOldHandler;
// the caller is responsible for that. Eip is assigned twice; the second
// assignment is the effective one.
LONG WINAPI TopUnhandledExceptionFilterHBP(
    struct _EXCEPTION_POINTERS *ExceptionInfo
)
{
    _asm pushad
    AfxMessageBox("ص");
    ExceptionInfo->ContextRecord->Eip=NewEip;
    if(0!=ExceptionInfo->ContextRecord->Dr0||0!=ExceptionInfo->ContextRecord->Dr1||
       0!=ExceptionInfo->ContextRecord->Dr2||0!=ExceptionInfo->ContextRecord->Dr3)
        isDebuggedHBP=1; // a hardware breakpoint address is set
    ExceptionInfo->ContextRecord->Dr0=0; // clear the hardware breakpoints
    ExceptionInfo->ContextRecord->Dr1=0;
    ExceptionInfo->ContextRecord->Dr2=0;
    ExceptionInfo->ContextRecord->Dr3=0;
    ExceptionInfo->ContextRecord->Dr6=0;
    ExceptionInfo->ContextRecord->Dr7=0;
    ExceptionInfo->ContextRecord->Eip=NewEip; // resume at the safe label
    _asm popad
    return EXCEPTION_CONTINUE_EXECUTION;
}
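// Hardware-breakpoint check via INT3:
//  - with no debugger the INT3 reaches TopUnhandledExceptionFilterHBP, which
//    sets isDebuggedHBP if any of DR0-DR3 is non-zero, clears the debug
//    registers and resumes at `safe`;
//  - a debugger swallows the INT3, so execution falls through to
//    `mov isDebuggedHBP,1` and the run is reported as debugged whether or
//    not hardware breakpoints were set.
// isDebuggedHBP is a static that nothing lowers, so it is cleared here on
// every run; the previous unhandled-exception filter is restored afterwards
// on both paths (the filter itself does not restore it); the
// SetUnhandledExceptionFilter pointer is NULL-checked before use.
void CDetectODDlg::OnHardwarebreakpoint()
{
    isDebuggedHBP = 0;  // fresh result for this run

    lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)
        ::GetProcAddress(::GetModuleHandle("kernel32.dll"), "SetUnhandledExceptionFilter");
    if (lpSetUnhandledExceptionFilter == NULL)
        return;
    lpOldHandler = (DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilterHBP);

    _asm{
        mov NewEip,offset safe  // resume address for the filter
        int 3                   // swallowed by a debugger, otherwise -> filter
        mov isDebuggedHBP,1     // reached only when a debugger ate the INT3
        safe:
    }
    lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)lpOldHandler);

    if (1 == isDebuggedHBP)
        AfxMessageBox("OD");
    else
        AfxMessageBox("ûOD");
}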
//********************************************************
// Cancel/close: no extra cleanup is needed, defer to CDialog.
void CDetectODDlg::OnCancel()
{
    CDialog::OnCancel();
}
// URL text clicked: open the author's homepage in the default browser.
void CAboutDlg::OnMypage()
{
    static const char kHomepage[] = "http://ucooper.com";
    ::ShellExecute(NULL, "open", kHomepage, NULL, NULL, SW_SHOWNORMAL);
}
// "About" button: show the About box modally.
void CDetectODDlg::OnAbout()
{
    CAboutDlg about;
    about.DoModal();
}
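// Swap the class cursor to the "help" arrow while the pointer is inside the
// hot-spot rectangle and back to the standard arrow elsewhere. Both are
// predefined system cursors, so LoadCursor must be given a NULL module
// handle for each; passing the application instance for IDC_ARROW makes
// LoadCursor look for a resource with that id in the executable, which fails
// and leaves the class with no cursor (the help cursor would then stick
// after the pointer leaves the rectangle). The cursor is only installed when
// it loaded.
void CAboutDlg::OnMouseMove(UINT nFlags, CPoint point)
{
    static const CRect kHotSpot(60, 20, 100, 100);
    LPCTSTR cursorId = kHotSpot.PtInRect(point) ? IDC_HELP : IDC_ARROW;
    HCURSOR cursor = ::LoadCursor(NULL, cursorId);
    if (cursor != NULL)
        SetClassLong(m_hWnd, GCL_HCURSOR, (LONG)cursor);
    CDialog::OnMouseMove(nFlags, point);
}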
// About-box setup: install IDI_DOG as the window-class icon.
BOOL CAboutDlg::OnInitDialog()
{
    CDialog::OnInitDialog();
    HICON dogIcon = LoadIcon(AfxGetApp()->m_hInstance, MAKEINTRESOURCE(IDI_DOG));
    SetClassLong(m_hWnd, GCL_HICON, (LONG)dogIcon);
    return TRUE;  // focus was not moved to a specific control
                  // (OCX property pages would return FALSE)
}
// OK/close: no extra validation is needed, defer to CDialog.
void CDetectODDlg::OnOK()
{
    CDialog::OnOK();
}
// Caption text clicked: open the author's homepage in the default browser.
void CAboutDlg::OnComeon()
{
    static const char kHomepage[] = "http://ucooper.com";
    ::ShellExecute(NULL, "open", kHomepage, NULL, NULL, SW_SHOWNORMAL);
}
// Icon clicked: open the author's homepage in the default browser.
void CAboutDlg::OnMyicon()
{
    static const char kHomepage[] = "http://ucooper.com";
    ::ShellExecute(NULL, "open", kHomepage, NULL, NULL, SW_SHOWNORMAL);
}
// Homepage link on the main dialog: open it in the default browser.
void CDetectODDlg::OnMypage2()
{
    static const char kHomepage[] = "http://ucooper.com";
    ::ShellExecute(NULL, "open", kHomepage, NULL, NULL, SW_SHOWNORMAL);
}
================================================
FILE: 反调试技术实例VC版/DetectOD/DetectODDlg.h
================================================
// DetectODDlg.h : header file
//
#if !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
#define AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
/////////////////////////////////////////////////////////////////////////////
// CDetectODDlg dialog
// Main dialog of the DetectOD demo.  Each afx_msg handler below is wired to
// one button by the message map in DetectODDlg.cpp (not visible here), and
// the handler names mirror the anti-debugging technique that button
// exercises; the implementations also live in DetectODDlg.cpp.
class CDetectODDlg : public CDialog
{
// Construction
public:
CDetectODDlg(CWnd* pParent = NULL); // standard constructor
// Dialog Data
//{{AFX_DATA(CDetectODDlg)
enum { IDD = IDD_DETECTOD_DIALOG }; // dialog template ID, see resource.h
// NOTE: the ClassWizard will add data members here
//}}AFX_DATA
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CDetectODDlg)
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
//}}AFX_VIRTUAL
// Implementation
protected:
HICON m_hIcon; // dialog icon (per the AppWizard template it is loaded in OnInitDialog and returned by OnQueryDragIcon -- confirm in the .cpp)
// Generated message map functions
//
// Reviewer notes on the handler list:
//  - OnZwqueryinfomationprocess and OnZwQueryInformationProcess are two
//    distinct handlers whose names differ only in spelling; which button
//    each serves is only visible in the message map.
//  - "Dectect" in OnDectectBreakpoints / OnDectectFuncBreakpoints is a
//    typo, kept because the names are referenced from the message map.
//  - OnButton1 / OnButton2 are the only handlers whose names do not say
//    which check they perform.
//  - OnCancel / OnOK are virtual overrides rather than afx_msg handlers
//    and take the default CDialog route unless the .cpp says otherwise.
//{{AFX_MSG(CDetectODDlg)
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
afx_msg void OnWndcls();
afx_msg void OnTest();
afx_msg void OnIsdebuggerpresent();
afx_msg void OnEnumwindow();
afx_msg void OnEnumProcess();
afx_msg void OnExplorer();
afx_msg void OnGetTickCount();
afx_msg void OnGetStartupInfo();
afx_msg void OnPebflags();
afx_msg void OnCheckremotedebuggerpresent();
afx_msg void OnZwqueryinfomationprocess();
afx_msg void OnSetUnhandledExceptionFilter();
afx_msg void OnZwQueryInformationProcess();
afx_msg void OnSeDebugPrivilege();
afx_msg void OnNTQueryObject();
afx_msg void OnDectectBreakpoints();
afx_msg void OnDectectFuncBreakpoints();
afx_msg void OnBlockInput();
afx_msg void OnChecksum();
afx_msg void OnEnableWindow();
afx_msg void OnZwSetInformationThread();
afx_msg void OnOutputDebugString();
afx_msg void OnGetEntryPoint();
afx_msg void OnButton1();
afx_msg void OnButton2();
afx_msg void OnTrapFlag();
afx_msg void OnGuardPages();
afx_msg void OnHardwarebreakpoint();
virtual void OnCancel();
afx_msg void OnAbout();
virtual void OnOK();
afx_msg void OnMypage2();
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
================================================
FILE: 反调试技术实例VC版/DetectOD/ReadMe.txt
================================================
========================================================================
MICROSOFT FOUNDATION CLASS LIBRARY : DetectOD
========================================================================
AppWizard has created this DetectOD application for you. This application
not only demonstrates the basics of using the Microsoft Foundation classes
but is also a starting point for writing your application.
This file contains a summary of what you will find in each of the files that
make up your DetectOD application.
DetectOD.dsp
This file (the project file) contains information at the project level and
is used to build a single project or subproject. Other users can share the
project (.dsp) file, but they should export the makefiles locally.
DetectOD.h
This is the main header file for the application. It includes other
project specific headers (including Resource.h) and declares the
CDetectODApp application class.
DetectOD.cpp
This is the main application source file that contains the application
class CDetectODApp.
DetectOD.rc
This is a listing of all of the Microsoft Windows resources that the
program uses. It includes the icons, bitmaps, and cursors that are stored
in the RES subdirectory. This file can be directly edited in Microsoft
Visual C++.
DetectOD.clw
This file contains information used by ClassWizard to edit existing
classes or add new classes. ClassWizard also uses this file to store
information needed to create and edit message maps and dialog data
maps and to create prototype member functions.
res\DetectOD.ico
This is an icon file, which is used as the application's icon. This
icon is included by the main resource file DetectOD.rc.
res\DetectOD.rc2
This file contains resources that are not edited by Microsoft
Visual C++. You should place all resources not editable by
the resource editor in this file.
/////////////////////////////////////////////////////////////////////////////
AppWizard creates one dialog class:
DetectODDlg.h, DetectODDlg.cpp - the dialog
These files contain your CDetectODDlg class. This class defines
the behavior of your application's main dialog. The dialog's
template is in DetectOD.rc, which can be edited in Microsoft
Visual C++.
/////////////////////////////////////////////////////////////////////////////
Other standard files:
StdAfx.h, StdAfx.cpp
These files are used to build a precompiled header (PCH) file
named DetectOD.pch and a precompiled types file named StdAfx.obj.
Resource.h
This is the standard header file, which defines new resource IDs.
Microsoft Visual C++ reads and updates this file.
/////////////////////////////////////////////////////////////////////////////
Other notes:
AppWizard uses "TODO:" to indicate parts of the source code you
should add to or customize.
If your application uses MFC in a shared DLL, and your application is
in a language other than the operating system's current language, you
will need to copy the corresponding localized resources MFC42XXX.DLL
from the Microsoft Visual C++ CD-ROM onto the system or system32 directory,
and rename it to be MFCLOC.DLL. ("XXX" stands for the language abbreviation.
For example, MFC42DEU.DLL contains resources translated to German.) If you
don't do this, some of the UI elements of your application will remain in the
language of the operating system.
/////////////////////////////////////////////////////////////////////////////
================================================
FILE: 反调试技术实例VC版/DetectOD/StdAfx.cpp
================================================
// stdafx.cpp : source file that includes just the standard includes
// DetectOD.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
================================================
FILE: 反调试技术实例VC版/DetectOD/StdAfx.h
================================================
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#if !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
#define AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
#define VC_EXTRALEAN // Exclude rarely-used stuff from Windows headers
#include <afxwin.h> // MFC core and standard components
#include <afxext.h> // MFC extensions
#include <afxdisp.h> // MFC Automation classes
#include <afxdtctl.h> // MFC support for Internet Explorer 4 Common Controls
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h> // MFC support for Windows Common Controls
#endif // _AFX_NO_AFXCMN_SUPPORT
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
================================================
FILE: 反调试技术实例VC版/DetectOD/res/DetectOD.rc2
================================================
//
// DETECTOD.RC2 - resources Microsoft Visual C++ does not edit directly
//
#ifdef APSTUDIO_INVOKED
#error this file is not editable by Microsoft Visual C++
#endif //APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
// Add manually edited resources here...
/////////////////////////////////////////////////////////////////////////////
================================================
FILE: 反调试技术实例VC版/DetectOD/resource.h
================================================
//{{NO_DEPENDENCIES}}
// Microsoft Developer Studio generated include file.
// Used by DetectOD.rc
//
// Dialog / menu / icon IDs.  IDC_ABOUT (3) coincides with the standard
// IDABORT button ID; harmless unless a MessageBox-style result is ever
// compared against it.
#define IDC_ABOUT 3
#define IDM_ABOUTBOX 0x0010
#define IDD_ABOUTBOX 100
#define IDS_ABOUTBOX 101
#define IDD_DETECTOD_DIALOG 102
#define IDR_MAINFRAME 128
#define IDI_DOG 129
#define IDI_ICON2 133
// Control IDs.  Three values (1014, 1015, 1016) are each shared by two
// symbols.  MFC dispatches ON_BN_CLICKED per dialog class, so this is
// harmless while each pair is split between the main dialog and the About
// box (which the handler names suggest); it would silently mis-route a
// click if both symbols ever ended up on the same dialog template.
#define IDC_WNDCLS 1000
#define IDC_ISDEBUGGERPRESENT 1002
#define IDC_ENUMWINDOW 1003
#define IDC_EnumProcess 1004
#define IDC_Explorer 1005
#define IDC_GetTickCount 1006
#define IDC_GetStartupInfo 1007
#define IDC_PEBFLAGS 1008
#define IDC_CHECKREMOTEDEBUGGERPRESENT 1009
#define IDC_ZwQueryInformationProcess 1010
#define IDC_SetUnhandledExceptionFilter 1014 // shares 1014 with IDC_MYPAGE
#define IDC_MYPAGE 1014
#define IDC_SeDebugPrivilege 1015 // shares 1015 with IDC_COMEON
#define IDC_COMEON 1015
#define IDC_MYICON 1016 // shares 1016 with IDC_MYPAGE2
#define IDC_MYPAGE2 1016
#define IDC_NTQueryObject 1017
#define IDC_DectectBreakpoints 1018
#define IDC_DectectFuncBreakpoints 1019
#define IDC_BlockInput 1020
#define IDC_CHECKSUM 1021
#define IDC_EnableWindow 1022
#define IDC_ZwSetInformationThread 1023
#define IDC_OutputDebugString 1024
#define IDC_GetEntryPoint 1025
#define IDC_TrapFlag 1026
#define IDC_GuardPages 1027
#define IDC_HARDWAREBREAKPOINT 1028
// Next default values for new objects
//
// NOTE(review): _APS_NEXT_CONTROL_VALUE is 1017, which is already
// IDC_NTQueryObject and well below the highest control ID in use (1028).
// The resource editor presumably allocates new control IDs from this
// counter, so the next control added in the editor would reuse an existing
// ID.  Bumping it past 1028 is the fix; it is left untouched here because
// this file is tool-generated.
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 134
#define _APS_NEXT_COMMAND_VALUE 32771
#define _APS_NEXT_CONTROL_VALUE 1017
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
================================================
FILE: 反调试技术实例VC版/DetectOD/tlssup.c
================================================
// tlssup.c: a hand-rolled stand-in for the CRT's tlssup.c.  It defines the
// symbols the MSVC linker looks for when it emits the PE TLS directory
// (_tls_index, the .tls / .tls$ZZZ bounds, the .CRT$XL* bounds and
// _tls_used), pointing the directory's callback field at my_tls_callbacktbl.
//
// Why this matters for the anti-debugging demo: the loader runs TLS
// callbacks before the image's entry point, i.e. before a debugger's default
// "break at entry point" stop.  From the defender's side the table is not
// hidden: it is reachable through the image's TLS data directory, which is
// where an analyst or a loader-side check looks for it.
#include <windows.h>
#include <winnt.h>
// Slot index the loader assigns to this module's TLS block.
int _tls_index=0;
// Markers bracketing the module's TLS template (.tls$ZZZ sorts last).
#pragma data_seg(".tls")
int _tls_start=0;
#pragma data_seg(".tls$ZZZ")
int _tls_end=0;
// Markers bracketing the .CRT$XL* callback-pointer range.  The directory
// below does not reference them; it uses my_tls_callbacktbl directly.
#pragma data_seg(".CRT$XLA")
int __xl_a=0;
#pragma data_seg(".CRT$XLZ")
int __xl_z=0;
// Callback table defined in another translation unit (not visible here);
// the PE format expects it to be NULL-terminated -- confirm at its definition.
#pragma data_seg(".rdata$T")
extern PIMAGE_TLS_CALLBACK my_tls_callbacktbl[];
// The TLS directory: StartAddressOfRawData, EndAddressOfRawData,
// AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill, Characteristics.
// IMAGE_TLS_DIRECTORY32 plus the (DWORD) casts of addresses make this
// strictly 32-bit; a Win64 build would need the 64-bit directory type.
IMAGE_TLS_DIRECTORY32 _tls_used={(DWORD)&_tls_start,(DWORD)&_tls_end,(DWORD)&_tls_index,(DWORD)my_tls_callbacktbl,0,0};