[
  {
    "path": "README.md",
    "content": "### 反调试技术总结\r\n反调试就是检测有没有被调试器调试，比如OllyDbg，IDA，WinDbg等。\r\n\r\n参考资料：[houjingyi ](https://bbs.pediy.com/thread-225735.htm)\r\n 代码： [GitHub](https://github.com/houjingyi233/test-debug)\r\n\r\n\r\n[Tencent2016D.cpp](./Tencent2016D.cpp) 中实现了30种检测调试器的方法，非常的精彩给力\r\n\r\n--\r\n30 Ways to anti-debugging on PC.For more information:http://blog.csdn.net/qq_32400847/article/details/52798050\r\n\r\n\r\n\r\n##### 截图\r\n\r\n![snatshot.png](snatshot.png)\r\n\r\n\r\n##### 虚拟机检测\r\n\r\n[AntiVirtualMachine](https://github.com/wanttobeno/AntiVirtualMachine)\r\n\r\n##### 保护自己的程序不被破解\r\n\r\n[DllProtect](https://github.com/wanttobeno/DllProtect)\r\n\r\n\r\n#####  各种反调试技术原理与实例 VC版\r\n\r\n帖子：[各种反调试技术原理与实例 VC版](https://bbs.pediy.com/thread-114767.htm)\r\n\r\n[各种反调试技术原理与实例VC版.pdf](./反调试技术实例VC版/各种反调试技术原理与实例VC版.pdf)\r\n\r\n![Snatshot.png](./反调试技术实例VC版/282401_i4gdy3hacnzffml.jpg)\r\n\r\n\r\n```c++\r\nvoid CDetectODDlg::OnExplorer() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tHANDLE hwnd;\r\n\tPROCESSENTRY32 tp32;  //结构体\r\n\tCString str=\"Explorer.EXE\";\r\n\r\n\tDWORD ExplorerID;\r\n\tDWORD SelfID;\r\n\tDWORD SelfParentID;\r\n\tSelfID=GetCurrentProcessId();\r\n\t::GetWindowThreadProcessId(::FindWindow(\"Progman\",NULL),&ExplorerID);\r\n\thwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);\r\n\tif(INVALID_HANDLE_VALUE!=hwnd) \r\n\t{\r\n\t\tProcess32First(hwnd,&tp32);\r\n\t\tdo{\r\n\t\t\tif(0==lstrcmp(str,tp32.szExeFile))\r\n\t\t\t{\r\n\t\t\t//\tExplorerID=tp32.th32ProcessID;\r\n\t\t\t//\tAfxMessageBox(\"aaa\");\r\n\t\t\t}\r\n\t\t\tif(SelfID==tp32.th32ProcessID)\r\n\t\t\t{\r\n\t\t\t\tSelfParentID=tp32.th32ParentProcessID;\r\n\t\t\t}\r\n\t\t}while(Process32Next(hwnd,&tp32));\r\n\r\n\t\tstr.Format(\"本进程：%d 父进程：%d Explorer进程: %d 
\",SelfID,SelfParentID,ExplorerID);\r\n\t\tMessageBox(str);\r\n\t\tif(ExplorerID==SelfParentID)\r\n\t\t{\r\n\t\t\tAfxMessageBox(\"没有OD\");\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tAfxMessageBox(\"发现OD\");\r\n\t\t}\r\n\t}\r\n\tCloseHandle(hwnd);\r\n}\r\n\r\n```\r\n\r\n"
  },
  {
    "path": "Tencent2016D.cpp",
    "content": "// Tencent2016D.cpp :  DLL Ӧóĵ\n//\n\n#include \"stdafx.h\"\n#include <iostream>\n#include <windows.h>\n#include <Tlhelp32.h>\n#include <process.h>\n#include \"Tencent2016D.h\"\n#include \"Tencent2016DAPI.h\"\n#include \"Tencent2016Globle.h\"\n\nusing namespace std;\n\nBOOL APIENTRY DllMain( HMODULE hModule,\n                       DWORD  ul_reason_for_call,\n                       LPVOID lpReserved\n\t\t\t\t\t )\n{\n\tswitch (ul_reason_for_call)\n\t{\n\tcase DLL_PROCESS_ATTACH:\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\tcase DLL_PROCESS_DETACH:\n\t\tbreak;\n\t}\n\treturn TRUE;\n}\n\nBOOL CheckDebug1()\n{\n\treturn IsDebuggerPresent();\n}\n\nBOOL CheckDebug2()\n{\n\tBOOL ret;\n\tCheckRemoteDebuggerPresent(GetCurrentProcess(), &ret);\n\treturn ret;\n}\n\nBOOL CheckDebug3()\n{\n\tint debugPort = 0;\n\tHMODULE hModule = LoadLibrary(\"Ntdll.dll\");\n\tNtQueryInformationProcessPtr NtQueryInformationProcess = (NtQueryInformationProcessPtr)GetProcAddress(hModule, \"NtQueryInformationProcess\");\n\tif (NtQueryInformationProcess(GetCurrentProcess(), 7, &debugPort, sizeof(debugPort), NULL))\n\t{\n\t\tMessageBox(NULL, \"[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess failed\", \"error\", MB_OK);\n\t\treturn FALSE;\n\t}\n\telse\n\t{\n\t\treturn debugPort != 0;\n\t}\n}\n\nBOOL CheckDebug4()\n{\n\tDWORD errorValue = 12345;\n\tSetLastError(errorValue);\n\tOutputDebugString(\"Test for debugger!\");\n\tif (GetLastError() == errorValue)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug5()\n{\n\tchar fib[1024] = { 0 };\n\tDeleteFiber(fib);\n\treturn (GetLastError() != 0x57);\n}\n\nBOOL CheckDebug6()\n{\n\tDWORD ret = CloseHandle((HANDLE)0x1234);\n\tif (ret != 0 || GetLastError() != ERROR_INVALID_HANDLE)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug7()\n{\n\tDWORD ret = CloseWindow((HWND)0x1234);\n\tif (ret != 0 || GetLastError() != 
ERROR_INVALID_WINDOW_HANDLE)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug8()\n{\n\tchar result = 0;\n\t__asm\n\t{\n\t\tmov eax, fs:[30h]\n\t\tmov al, BYTE PTR[eax + 2]\n\t\tmov result, al\n\t}\n\treturn result != 0;\n}\n\nBOOL CheckDebug9()\n{\n\tint result = 0;\n\tDWORD dwVersion = GetVersion();\n\tDWORD dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));\n\tif (dwWindowsMajorVersion == 5)\n\t{\n\t\t__asm\n\t\t{\n\t\t\tmov eax, fs:[30h]\n\t\t\tmov eax, [eax + 18h]\n\t\t\tmov eax, [eax + 10h]\n\t\t\tmov result, eax\n\t\t}\n\t}\n\telse\n\t{\n\t\t__asm\n\t\t{\n\t\t\tmov eax, fs:[30h]\n\t\t\tmov eax, [eax + 18h]\n\t\t\tmov eax, [eax + 44h]\n\t\t\tmov result, eax\n\t\t}\n\t}\n\treturn result != 0;\n}\n\nBOOL CheckDebug10()\n{\n\tint result = 0;\n\tDWORD dwVersion = GetVersion();\n\tDWORD dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));\n\tif (dwWindowsMajorVersion == 5)\n\t{\n\t\t__asm\n\t\t{\n\t\t\tmov eax, fs:[30h]\n\t\t\tmov eax, [eax + 18h]\n\t\t\tmov eax, [eax + 0ch]\n\t\t\tmov result, eax\n\t\t}\n\t}\n\telse\n\t{\n\t\t__asm\n\t\t{\n\t\t\tmov eax, fs:[30h]\n\t\t\tmov eax, [eax + 18h]\n\t\t\tmov eax, [eax + 40h]\n\t\t\tmov result, eax\n\t\t}\n\t}\n\treturn result != 2;\n}\n\nBOOL CheckDebug11()\n{\n\tint result = 0;\n\t__asm\n\t{\n\t\tmov eax, fs:[30h]\n\t\tmov eax, [eax + 68h]\n\t\tand eax, 0x70\n\t\tmov result, eax\n\t}\n\treturn result != 0;\n}\n\nBOOL CheckDebug12()\n{\n\tBOOL is_64;\n\tHKEY hkey = NULL;\n\tchar key[] = \"Debugger\";\n\tIsWow64Process(GetCurrentProcess(), &is_64);\n\tchar reg_dir_32bit[] = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\";\n\tchar reg_dir_64bit[] = \"SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\WindowsNT\\\\CurrentVersion\\\\AeDebug\";\n\tDWORD ret = 0;\n\tif (is_64)\n\t{\n\t\tret = RegCreateKeyA(HKEY_LOCAL_MACHINE, reg_dir_64bit, &hkey);\n\t}\n\telse\n\t{\n\t\tret = RegCreateKeyA(HKEY_LOCAL_MACHINE, reg_dir_32bit, &hkey);\n\t}\n\tif (ret != 
ERROR_SUCCESS)\n\t{\n\t\treturn FALSE;\n\t}\n\tDWORD type;\n\tchar tmp[256];\n\tDWORD len = 256;\n\tret = RegQueryValueExA(hkey, key, NULL, &type, (LPBYTE)tmp, &len);\n\tif (strstr(tmp, \"OllyIce\") != NULL || strstr(tmp, \"OllyDBG\") != NULL || strstr(tmp, \"WinDbg\") != NULL || strstr(tmp, \"x64dbg\") != NULL || strstr(tmp, \"Immunity\") != NULL)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug13()\n{\n\tif (FindWindowA(\"OLLYDBG\", NULL) != NULL || FindWindowA(\"WinDbgFrameClass\", NULL) != NULL || FindWindowA(\"QWidget\", NULL) != NULL)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug14()\n{\n\tBOOL ret = FALSE;\n\tEnumWindows(EnumWndProc, (LPARAM)&ret);\n\treturn ret;\n}\n\nBOOL CheckDebug15()\n{\n\tchar fore_window[1024];\n\tGetWindowTextA(GetForegroundWindow(), fore_window, 1023);\n\tif (strstr(fore_window, \"WinDbg\") != NULL || strstr(fore_window, \"x64_dbg\") != NULL || strstr(fore_window, \"OllyICE\") != NULL || strstr(fore_window, \"OllyDBG\") != NULL || strstr(fore_window, \"Immunity\") != NULL)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug16()\n{\n\tDWORD ID;\n\tDWORD ret = 0;\n\tPROCESSENTRY32 pe32;\n\tpe32.dwSize = sizeof(pe32);\n\tHANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n\tif (hProcessSnap == INVALID_HANDLE_VALUE)\n\t{\n\t\treturn FALSE;\n\t}\n\tBOOL bMore = Process32First(hProcessSnap, &pe32);\n\twhile (bMore)\n\t{\n\t\tif (stricmp(pe32.szExeFile, \"OllyDBG.EXE\") == 0 || stricmp(pe32.szExeFile, \"OllyICE.exe\") == 0 || stricmp(pe32.szExeFile, \"x64_dbg.exe\") == 0 || stricmp(pe32.szExeFile, \"windbg.exe\") == 0 || stricmp(pe32.szExeFile, \"ImmunityDebugger.exe\") == 0)\n\t\t{\n\t\t\treturn TRUE;\n\t\t}\n\t\tbMore = Process32Next(hProcessSnap, &pe32);\n\t}\n\tCloseHandle(hProcessSnap);\n\treturn FALSE;\n}\n\nBOOL CheckDebug17()\n{\n\tPIMAGE_DOS_HEADER pDosHeader;\n\tPIMAGE_NT_HEADERS32 
pNtHeaders;\n\tPIMAGE_SECTION_HEADER pSectionHeader;\n\tDWORD dwBaseImage = (DWORD)GetModuleHandle(NULL); \n\tpDosHeader = (PIMAGE_DOS_HEADER)dwBaseImage;\n\tpNtHeaders = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader + pDosHeader->e_lfanew);\n\tpSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders + sizeof(pNtHeaders->Signature) + sizeof(IMAGE_FILE_HEADER) +\n\t\t(WORD)pNtHeaders->FileHeader.SizeOfOptionalHeader);\n\tDWORD dwAddr = pSectionHeader->VirtualAddress + dwBaseImage; \n\tDWORD dwCodeSize = pSectionHeader->SizeOfRawData;   \n\tBOOL Found = FALSE;\n\t__asm\n\t{\n\t\tcld\n\t\tmov     edi, dwAddr\n\t\tmov     ecx, dwCodeSize\n\t\tmov     al, 0CCH\n\t\trepne   scasb\n\t\tjnz     NotFound\n\t\tmov Found, 1\n\t\tNotFound:\n\t}\n\treturn Found;\n}\n\nBOOL CheckDebug18()\n{\n\tCONTEXT context;\n\tHANDLE hThread = GetCurrentThread();\n\tcontext.ContextFlags = CONTEXT_DEBUG_REGISTERS;\n\tGetThreadContext(hThread, &context);\n\tif (context.Dr0 != 0 || context.Dr1 != 0 || context.Dr2 != 0 || context.Dr3 != 0)\n\t{\n\t\treturn TRUE;\n\t}\n\treturn FALSE;\n}\n\nBOOL CheckDebug19()\n{\n\tPIMAGE_DOS_HEADER pDosHeader;\n\tPIMAGE_NT_HEADERS32 pNtHeaders;\n\tPIMAGE_SECTION_HEADER pSectionHeader;\n\tDWORD dwBaseImage = (DWORD)GetModuleHandle(NULL); \n\tpDosHeader = (PIMAGE_DOS_HEADER)dwBaseImage;\n\tpNtHeaders = (PIMAGE_NT_HEADERS32)((DWORD)pDosHeader + pDosHeader->e_lfanew);\n\tpSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pNtHeaders + sizeof(pNtHeaders->Signature) + sizeof(IMAGE_FILE_HEADER) +\n\t\t(WORD)pNtHeaders->FileHeader.SizeOfOptionalHeader);\n\tDWORD dwAddr = pSectionHeader->VirtualAddress + dwBaseImage; \n\tDWORD dwCodeSize = pSectionHeader->SizeOfRawData;    \n\tDWORD checksum = 0;\n\t__asm\n\t{\n\t\tcld\n\t\tmov     esi, dwAddr\n\t\tmov     ecx, dwCodeSize\n\t\txor eax, eax\n\tchecksum_loop :\n\t\tmovzx    ebx, byte ptr[esi]\n\t\tadd        eax, ebx\n\t\trol eax, 1\n\t\tinc esi\n\t\tloop       checksum_loop\n\t\tmov checksum, eax\n\t}\n\tif (checksum != 
0x46ea24)\n\t{\n\t\treturn FALSE;\n\t}\n\telse\n\t{\n\t\treturn TRUE;\n\t}\n}\n\nBOOL CheckDebug20()\n{\n\tDWORD time1, time2;\n\t__asm\n\t{\n\t\trdtsc\n\t\tmov time1, eax\n\t\trdtsc\n\t\tmov time2, eax\n\t}\n\tif (time2 - time1 < 0xff)\n\t{\n\t\treturn FALSE;\n\t}\n\telse\n\t{\n\t\treturn TRUE;\n\t}\n}\n\nBOOL CheckDebug21()\n{\n\tDWORD time1 = GetTickCount();\n\t__asm\n\t{\n\t\tmov     ecx, 10\n\t\tmov     edx, 6\n\t\tmov     ecx, 10\n\t}\n\tDWORD time2 = GetTickCount();\n\tif (time2 - time1 > 0x1A)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug22()\n{\n\tLONG                      status;\n\tDWORD                     dwParentPID = 0;\n\tHANDLE                    hProcess;\n\tPROCESS_BASIC_INFORMATION pbi;\n\tint pid = getpid();\n\thProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);\n\tif (!hProcess)\n\t{\n\t\treturn -1;\n\t}\n\tPNTQUERYINFORMATIONPROCESS  NtQueryInformationProcess = (PNTQUERYINFORMATIONPROCESS)GetProcAddress(GetModuleHandleA(\"ntdll\"), \"NtQueryInformationProcess\");\n\tstatus = NtQueryInformationProcess(hProcess, SystemBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL);\n\tPROCESSENTRY32 pe32;\n\tpe32.dwSize = sizeof(pe32);\n\tHANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n\tif (hProcessSnap == INVALID_HANDLE_VALUE)\n\t{\n\t\treturn FALSE;\n\t}\n\tBOOL bMore = Process32First(hProcessSnap, &pe32);\n\twhile (bMore)\n\t{\n\t\tif (pbi.InheritedFromUniqueProcessId == pe32.th32ProcessID)\n\t\t{\n\t\t\tif (stricmp(pe32.szExeFile, \"explorer.exe\") == 0)\n\t\t\t{\n\t\t\t\tCloseHandle(hProcessSnap);\n\t\t\t\treturn FALSE;\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\tCloseHandle(hProcessSnap);\n\t\t\t\treturn TRUE;\n\t\t\t}\n\t\t}\n\t\tbMore = Process32Next(hProcessSnap, &pe32);\n\t}\n\tCloseHandle(hProcessSnap);\n}\n\nBOOL CheckDebug23()\n{\n\tSTARTUPINFO si;\n\tGetStartupInfo(&si);\n\tif (si.dwX != 0 || si.dwY != 0 || si.dwFillAttribute != 0 || si.dwXSize != 0 || 
si.dwYSize != 0 || si.dwXCountChars != 0 || si.dwYCountChars != 0)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug24()\n{\n\tDWORD ID;\n\tDWORD ret = 0;\n\tPROCESSENTRY32 pe32;\n\tpe32.dwSize = sizeof(pe32);\n\tHANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);\n\tif (hProcessSnap == INVALID_HANDLE_VALUE)\n\t{\n\t\treturn FALSE;\n\t}\n\tBOOL bMore = Process32First(hProcessSnap, &pe32);\n\twhile (bMore)\n\t{\n\t\tif (strcmp(pe32.szExeFile, \"csrss.exe\") == 0)\n\t\t{\n\t\t\tID = pe32.th32ProcessID;\n\t\t\tbreak;\n\t\t}\n\t\tbMore = Process32Next(hProcessSnap, &pe32);\n\t}\n\tCloseHandle(hProcessSnap);\n\tif (OpenProcess(PROCESS_QUERY_INFORMATION, NULL, ID) != NULL)\n\t{\n\t\treturn TRUE;\n\t}\n\telse\n\t{\n\t\treturn FALSE;\n\t}\n}\n\nBOOL CheckDebug25()\n{\n\t__try\n\t{\n\t\t__asm int 3\n\t}\n\t__except (1)\n\t{\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}\n\nBOOL CheckDebug26()\n{\n\t__try\n\t{\n\t\t__asm\n\t\t{\n\t\t\t__emit 0xCD\n\t\t\t__emit 0x03\n\t\t}\n\t}\n\t__except (1)\n\t{\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}\n\nBOOL CheckDebug27()\n{\n\t__try\n\t{\n\t\t__asm int 0x2d\n\t}\n\t__except (1)\n\t{\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}\n\nBOOL CheckDebug28()\n{\n\t__try\n\t{\n\t\t__asm __emit 0xF1\n\t}\n\t__except (1)\n\t{\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}\n\nBOOL CheckDebug29()\n{\n\t__try\n\t{\n\t\t__asm\n\t\t{\n\t\t\tpushfd\n\t\t\tor word ptr[esp], 0x100\n\t\t\tpopfd\n\t\t\tnop\n\t\t}\n\t}\n\t__except (1)\n\t{\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}\n\nBOOL CheckDebug30()\n{\n\treturn TestExceptionCode(DBG_RIPEXCEPTION);\n}"
  },
  {
    "path": "Tencent2016D.h",
    "content": "#pragma once\n\n#include <windows.h>\n\nextern \"C\" BOOL _declspec(dllexport) CheckDebug1();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug2();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug3();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug4();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug5();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug6();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug7();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug8();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug9();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug10();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug11();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug12();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug13();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug14();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug15();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug16();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug17();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug18();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug19();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug20();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug21();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug22();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug23();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug24();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug25();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug26();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug27();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug28();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug29();\nextern \"C\" BOOL _declspec(dllexport) CheckDebug30();"
  },
  {
    "path": "Tencent2016DAPI.cpp",
    "content": "#include \"stdafx.h\"\n#include <iostream>\n#include <windows.h>\n\nBOOL CALLBACK EnumWndProc(HWND hwnd, LPARAM lParam)  \n{  \n\tchar cur_window[1024];\n    GetWindowTextA(hwnd, cur_window, 1023);\n\tif (strstr(cur_window, \"WinDbg\")!=NULL || strstr(cur_window, \"x64_dbg\")!=NULL || strstr(cur_window, \"OllyICE\")!=NULL || strstr(cur_window, \"OllyDBG\")!=NULL || strstr(cur_window, \"Immunity\")!=NULL)\n\t{\n\t\t*((BOOL*)lParam) = TRUE;\n\t}\n\treturn TRUE;\n} \n\nBOOL CALLBACK TestExceptionCode(DWORD dwCode)\n{\n\t__try\n\t{\n\t\tRaiseException(dwCode, 0, 0, 0);\n\t}\n\t__except (1)\n\t{\n\t\treturn FALSE;\n\t}\n\treturn TRUE;\n}"
  },
  {
    "path": "Tencent2016DAPI.h",
    "content": "#pragma once\n\n#include <windows.h>\n\nextern BOOL CALLBACK TestExceptionCode(DWORD dwCode);\nextern BOOL CALLBACK EnumWndProc(HWND hwnd, LPARAM lParam);"
  },
  {
    "path": "Tencent2016Globle.h",
    "content": "#pragma once\n\n#include <windows.h>\n\ntypedef DWORD (WINAPI *NtQueryInformationProcessPtr)(\n       HANDLE processHandle,\n       DWORD processInformationClass,\n       PVOID processInformation,\n       ULONG processInformationLength,\n       PULONG returnLength);\n\ntypedef enum enumSYSTEM_INFORMATION_CLASS  \n{  \n    SystemBasicInformation,  \n    SystemProcessorInformation,  \n    SystemPerformanceInformation,  \n    SystemTimeOfDayInformation,  \n}SYSTEM_INFORMATION_CLASS;  \n   \ntypedef struct tagPROCESS_BASIC_INFORMATION  \n{  \n    DWORD ExitStatus;  \n    DWORD PebBaseAddress;  \n    DWORD AffinityMask;  \n    DWORD BasePriority;  \n    ULONG UniqueProcessId;  \n    ULONG InheritedFromUniqueProcessId;  \n}PROCESS_BASIC_INFORMATION;  \n  \ntypedef LONG (WINAPI *PNTQUERYINFORMATIONPROCESS)(HANDLE,UINT,PVOID,ULONG,PULONG);"
  },
  {
    "path": "stdafx.cpp",
    "content": "// stdafx.cpp : 只包括标准包含文件的源文件\n// Tencent2016D.pch 将作为预编译头\n// stdafx.obj 将包含预编译类型信息\n\n#include \"stdafx.h\"\n\n// TODO: 在 STDAFX.H 中\n// 引用任何所需的附加头文件，而不是在此文件中引用\n"
  },
  {
    "path": "stdafx.h",
    "content": "// stdafx.h : 标准系统包含文件的包含文件，\n// 或是经常使用但不常更改的\n// 特定于项目的包含文件\n//\n\n#pragma once\n\n#include \"targetver.h\"\n\n#define WIN32_LEAN_AND_MEAN             //  从 Windows 头文件中排除极少使用的信息\n// Windows 头文件:\n#include <windows.h>\n\n\n\n// TODO: 在此处引用程序需要的其他头文件\n"
  },
  {
    "path": "targetver.h",
    "content": "#pragma once\n\n// 包括 SDKDDKVer.h 将定义可用的最高版本的 Windows 平台。\n\n// 如果要为以前的 Windows 平台生成应用程序，请包括 WinSDKVer.h，并将\n// WIN32_WINNT 宏设置为要支持的平台，然后再包括 SDKDDKVer.h。\n\n#include <SDKDDKVer.h>\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/About.cpp",
    "content": "// About.cpp : implementation file\r\n//\r\n\r\n#include \"stdafx.h\"\r\n#include \"DetectOD.h\"\r\n#include \"About.h\"\r\n\r\n#ifdef _DEBUG\r\n#define new DEBUG_NEW\r\n#undef THIS_FILE\r\nstatic char THIS_FILE[] = __FILE__;\r\n#endif\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CAbout dialog\r\n\r\n\r\nCAbout::CAbout(CWnd* pParent /*=NULL*/)\r\n\t: CDialog(CAbout::IDD, pParent)\r\n{\r\n\t//{{AFX_DATA_INIT(CAbout)\r\n\t\t// NOTE: the ClassWizard will add member initialization here\r\n\t//}}AFX_DATA_INIT\r\n}\r\n\r\n\r\nvoid CAbout::DoDataExchange(CDataExchange* pDX)\r\n{\r\n\tCDialog::DoDataExchange(pDX);\r\n\t//{{AFX_DATA_MAP(CAbout)\r\n\t\t// NOTE: the ClassWizard will add DDX and DDV calls here\r\n\t//}}AFX_DATA_MAP\r\n}\r\n\r\n\r\nBEGIN_MESSAGE_MAP(CAbout, CDialog)\r\n\t//{{AFX_MSG_MAP(CAbout)\r\n\t\t// NOTE: the ClassWizard will add message map macros here\r\n\t//}}AFX_MSG_MAP\r\nEND_MESSAGE_MAP()\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CAbout message handlers\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/About.h",
    "content": "#if !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)\r\n#define AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_\r\n\r\n#if _MSC_VER > 1000\r\n#pragma once\r\n#endif // _MSC_VER > 1000\r\n// About.h : header file\r\n//\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CAbout dialog\r\n\r\nclass CAbout : public CDialog\r\n{\r\n// Construction\r\npublic:\r\n\tCAbout(CWnd* pParent = NULL);   // standard constructor\r\n\r\n// Dialog Data\r\n\t//{{AFX_DATA(CAbout)\r\n\tenum { IDD = IDD_DETECTOD_DIALOG };\r\n\t\t// NOTE: the ClassWizard will add data members here\r\n\t//}}AFX_DATA\r\n\r\n\r\n// Overrides\r\n\t// ClassWizard generated virtual function overrides\r\n\t//{{AFX_VIRTUAL(CAbout)\r\n\tprotected:\r\n\tvirtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support\r\n\t//}}AFX_VIRTUAL\r\n\r\n// Implementation\r\nprotected:\r\n\r\n\t// Generated message map functions\r\n\t//{{AFX_MSG(CAbout)\r\n\t\t// NOTE: the ClassWizard will add member functions here\r\n\t//}}AFX_MSG\r\n\tDECLARE_MESSAGE_MAP()\r\n};\r\n\r\n//{{AFX_INSERT_LOCATION}}\r\n// Microsoft Visual C++ will insert additional declarations immediately before the previous line.\r\n\r\n#endif // !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectOD.clw",
    "content": "; CLW file contains information for the MFC ClassWizard\r\n\r\n[General Info]\r\nVersion=1\r\nLastClass=CAboutDlg\r\nLastTemplate=CDialog\r\nNewFileInclude1=#include \"stdafx.h\"\r\nNewFileInclude2=#include \"DetectOD.h\"\r\n\r\nClassCount=4\r\nClass1=CDetectODApp\r\nClass2=CDetectODDlg\r\nClass3=CAboutDlg\r\n\r\nResourceCount=3\r\nResource1=IDR_MAINFRAME\r\nResource2=IDD_ABOUTBOX\r\nClass4=CAbout\r\nResource3=IDD_DETECTOD_DIALOG\r\n\r\n[CLS:CDetectODApp]\r\nType=0\r\nHeaderFile=DetectOD.h\r\nImplementationFile=DetectOD.cpp\r\nFilter=N\r\n\r\n[CLS:CDetectODDlg]\r\nType=0\r\nHeaderFile=DetectODDlg.h\r\nImplementationFile=DetectODDlg.cpp\r\nFilter=D\r\nBaseClass=CDialog\r\nVirtualFilter=dWC\r\nLastObject=CDetectODDlg\r\n\r\n[CLS:CAboutDlg]\r\nType=0\r\nHeaderFile=DetectODDlg.h\r\nImplementationFile=DetectODDlg.cpp\r\nFilter=D\r\nBaseClass=CDialog\r\nVirtualFilter=dWC\r\nLastObject=CAboutDlg\r\n\r\n[DLG:IDD_ABOUTBOX]\r\nType=1\r\nClass=CAboutDlg\r\nControlCount=4\r\nControl1=IDC_MYICON,static,1342177539\r\nControl2=IDC_COMEON,static,1342177536\r\nControl3=IDOK,button,1342373889\r\nControl4=IDC_MYPAGE,static,1342308609\r\n\r\n[DLG:IDD_DETECTOD_DIALOG]\r\nType=1\r\nClass=CAbout\r\nControlCount=27\r\nControl1=IDOK,button,1342242817\r\nControl2=IDC_WNDCLS,button,1342242816\r\nControl3=IDC_ISDEBUGGERPRESENT,button,1342242816\r\nControl4=IDC_ENUMWINDOW,button,1342242816\r\nControl5=IDC_EnumProcess,button,1342242816\r\nControl6=IDC_Explorer,button,1342242816\r\nControl7=IDC_GetTickCount,button,1342242816\r\nControl8=IDC_GetStartupInfo,button,1342242816\r\nControl9=IDC_PEBFLAGS,button,1342242816\r\nControl10=IDC_CHECKREMOTEDEBUGGERPRESENT,button,1342242816\r\nControl11=IDC_ZwQueryInformationProcess,button,1342242816\r\nControl12=IDC_SetUnhandledExceptionFilter,button,1342242816\r\nControl13=IDC_SeDebugPrivilege,button,1342242816\r\nControl14=IDC_NTQueryObject,button,1342242816\r\nControl15=IDC_DectectBreakpoints,button,1342242816\r\nControl16=IDC_DectectFuncBre
akpoints,button,1342242816\r\nControl17=IDC_BlockInput,button,1342242816\r\nControl18=IDC_CHECKSUM,button,1342242816\r\nControl19=IDC_EnableWindow,button,1342242816\r\nControl20=IDC_ZwSetInformationThread,button,1342242816\r\nControl21=IDC_OutputDebugString,button,1342242816\r\nControl22=IDC_GetEntryPoint,button,1342242816\r\nControl23=IDC_TrapFlag,button,1342242816\r\nControl24=IDC_GuardPages,button,1342242816\r\nControl25=IDC_HARDWAREBREAKPOINT,button,1342242816\r\nControl26=IDC_ABOUT,button,1342242816\r\nControl27=IDC_MYPAGE2,static,1342308609\r\n\r\n[CLS:CAbout]\r\nType=0\r\nHeaderFile=About.h\r\nImplementationFile=About.cpp\r\nBaseClass=CDialog\r\nFilter=D\r\nLastObject=CAbout\r\n\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectOD.cpp",
    "content": "// DetectOD.cpp : Defines the class behaviors for the application.\r\n//\r\n\r\n#include \"stdafx.h\"\r\n#include \"DetectOD.h\"\r\n#include \"DetectODDlg.h\"\r\n\r\n#ifdef _DEBUG\r\n#define new DEBUG_NEW\r\n#undef THIS_FILE\r\nstatic char THIS_FILE[] = __FILE__;\r\n#endif\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CDetectODApp\r\n\r\nBEGIN_MESSAGE_MAP(CDetectODApp, CWinApp)\r\n\t//{{AFX_MSG_MAP(CDetectODApp)\r\n\t\t// NOTE - the ClassWizard will add and remove mapping macros here.\r\n\t\t//    DO NOT EDIT what you see in these blocks of generated code!\r\n\t//}}AFX_MSG\r\n\tON_COMMAND(ID_HELP, CWinApp::OnHelp)\r\nEND_MESSAGE_MAP()\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CDetectODApp construction\r\n\r\nCDetectODApp::CDetectODApp()\r\n{\r\n\t// TODO: add construction code here,\r\n\t// Place all significant initialization in InitInstance\r\n}\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// The one and only CDetectODApp object\r\n\r\nCDetectODApp theApp;\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CDetectODApp initialization\r\n\r\nBOOL CDetectODApp::InitInstance()\r\n{\r\n\tAfxEnableControlContainer();\r\n\r\n\t// Standard initialization\r\n\t// If you are not using these features and wish to reduce the size\r\n\t//  of your final executable, you should remove from the following\r\n\t//  the specific initialization routines you do not need.\r\n\r\n#ifdef _AFXDLL\r\n\tEnable3dControls();\t\t\t// Call this when using MFC in a shared DLL\r\n#else\r\n\tEnable3dControlsStatic();\t// Call this when linking to MFC statically\r\n#endif\r\n\r\n\tCDetectODDlg dlg;\r\n\tm_pMainWnd = &dlg;\r\n\tint nResponse = dlg.DoModal();\r\n\tif (nResponse == IDOK)\r\n\t{\r\n\t\t// TODO: Place code here to handle when the dialog is\r\n\t\t//  dismissed with OK\r\n\t}\r\n\telse if 
(nResponse == IDCANCEL)\r\n\t{\r\n\t\t// TODO: Place code here to handle when the dialog is\r\n\t\t//  dismissed with Cancel\r\n\t}\r\n\r\n\t// Since the dialog has been closed, return FALSE so that we exit the\r\n\t//  application, rather than start the application's message pump.\r\n\treturn FALSE;\r\n}\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectOD.dsp",
    "content": "# Microsoft Developer Studio Project File - Name=\"DetectOD\" - Package Owner=<4>\r\n# Microsoft Developer Studio Generated Build File, Format Version 6.00\r\n# ** DO NOT EDIT **\r\n\r\n# TARGTYPE \"Win32 (x86) Application\" 0x0101\r\n\r\nCFG=DetectOD - Win32 Debug\r\n!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r\n!MESSAGE use the Export Makefile command and run\r\n!MESSAGE \r\n!MESSAGE NMAKE /f \"DetectOD.mak\".\r\n!MESSAGE \r\n!MESSAGE You can specify a configuration when running NMAKE\r\n!MESSAGE by defining the macro CFG on the command line. For example:\r\n!MESSAGE \r\n!MESSAGE NMAKE /f \"DetectOD.mak\" CFG=\"DetectOD - Win32 Debug\"\r\n!MESSAGE \r\n!MESSAGE Possible choices for configuration are:\r\n!MESSAGE \r\n!MESSAGE \"DetectOD - Win32 Release\" (based on \"Win32 (x86) Application\")\r\n!MESSAGE \"DetectOD - Win32 Debug\" (based on \"Win32 (x86) Application\")\r\n!MESSAGE \r\n\r\n# Begin Project\r\n# PROP AllowPerConfigDependencies 0\r\n# PROP Scc_ProjName \"\"\r\n# PROP Scc_LocalPath \"\"\r\nCPP=cl.exe\r\nMTL=midl.exe\r\nRSC=rc.exe\r\n\r\n!IF  \"$(CFG)\" == \"DetectOD - Win32 Release\"\r\n\r\n# PROP BASE Use_MFC 6\r\n# PROP BASE Use_Debug_Libraries 0\r\n# PROP BASE Output_Dir \"Release\"\r\n# PROP BASE Intermediate_Dir \"Release\"\r\n# PROP BASE Target_Dir \"\"\r\n# PROP Use_MFC 6\r\n# PROP Use_Debug_Libraries 0\r\n# PROP Output_Dir \"Release\"\r\n# PROP Intermediate_Dir \"Release\"\r\n# PROP Target_Dir \"\"\r\n# ADD BASE CPP /nologo /MD /W3 /GX /O2 /D \"WIN32\" /D \"NDEBUG\" /D \"_WINDOWS\" /D \"_AFXDLL\" /Yu\"stdafx.h\" /FD /c\r\n# ADD CPP /nologo /MD /W3 /GX /Od /D \"WIN32\" /D \"NDEBUG\" /D \"_WINDOWS\" /D \"_AFXDLL\" /D \"_MBCS\" /Yu\"stdafx.h\" /FD /c\r\n# ADD BASE MTL /nologo /D \"NDEBUG\" /mktyplib203 /win32\r\n# ADD MTL /nologo /D \"NDEBUG\" /mktyplib203 /win32\r\n# ADD BASE RSC /l 0x804 /d \"NDEBUG\" /d \"_AFXDLL\"\r\n# ADD RSC /l 0x804 /d \"NDEBUG\" /d \"_AFXDLL\"\r\nBSC32=bscmake.exe\r\n# ADD BASE 
BSC32 /nologo\r\n# ADD BSC32 /nologo\r\nLINK32=link.exe\r\n# ADD BASE LINK32 /nologo /subsystem:windows /machine:I386\r\n# ADD LINK32 /nologo /subsystem:windows /machine:I386\r\n\r\n!ELSEIF  \"$(CFG)\" == \"DetectOD - Win32 Debug\"\r\n\r\n# PROP BASE Use_MFC 6\r\n# PROP BASE Use_Debug_Libraries 1\r\n# PROP BASE Output_Dir \"Debug\"\r\n# PROP BASE Intermediate_Dir \"Debug\"\r\n# PROP BASE Target_Dir \"\"\r\n# PROP Use_MFC 6\r\n# PROP Use_Debug_Libraries 1\r\n# PROP Output_Dir \"Debug\"\r\n# PROP Intermediate_Dir \"Debug\"\r\n# PROP Ignore_Export_Lib 0\r\n# PROP Target_Dir \"\"\r\n# ADD BASE CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /D \"WIN32\" /D \"_DEBUG\" /D \"_WINDOWS\" /D \"_AFXDLL\" /Yu\"stdafx.h\" /FD /GZ /c\r\n# ADD CPP /nologo /MDd /w /W0 /WX /Gm /GX /ZI /Od /D \"WIN32\" /D \"_DEBUG\" /D \"_WINDOWS\" /D \"_AFXDLL\" /D \"_MBCS\" /FR /Yu\"stdafx.h\" /FD /GZ /c\r\n# ADD BASE MTL /nologo /D \"_DEBUG\" /mktyplib203 /win32\r\n# ADD MTL /nologo /D \"_DEBUG\" /mktyplib203 /win32\r\n# ADD BASE RSC /l 0x804 /d \"_DEBUG\" /d \"_AFXDLL\"\r\n# ADD RSC /l 0x804 /d \"_DEBUG\" /d \"_AFXDLL\"\r\nBSC32=bscmake.exe\r\n# ADD BASE BSC32 /nologo\r\n# ADD BSC32 /nologo\r\nLINK32=link.exe\r\n# ADD BASE LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept\r\n# ADD LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept\r\n\r\n!ENDIF \r\n\r\n# Begin Target\r\n\r\n# Name \"DetectOD - Win32 Release\"\r\n# Name \"DetectOD - Win32 Debug\"\r\n# Begin Group \"Source Files\"\r\n\r\n# PROP Default_Filter \"cpp;c;cxx;rc;def;r;odl;idl;hpj;bat\"\r\n# Begin Source File\r\n\r\nSOURCE=.\\DetectOD.cpp\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\DetectOD.rc\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\DetectODDlg.cpp\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\StdAfx.cpp\r\n# ADD CPP /Yc\"stdafx.h\"\r\n# End Source File\r\n# End Group\r\n# Begin Group \"Header Files\"\r\n\r\n# PROP Default_Filter \"h;hpp;hxx;hm;inl\"\r\n# 
Begin Source File\r\n\r\nSOURCE=.\\DetectOD.h\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\DetectODDlg.h\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\Resource.h\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\StdAfx.h\r\n# End Source File\r\n# End Group\r\n# Begin Group \"Resource Files\"\r\n\r\n# PROP Default_Filter \"ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe\"\r\n# Begin Source File\r\n\r\nSOURCE=.\\res\\DetectOD.ico\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\res\\DetectOD.rc2\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\res\\dog.ico\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\res\\home.ico\r\n# End Source File\r\n# Begin Source File\r\n\r\nSOURCE=.\\res\\User.ico\r\n# End Source File\r\n# End Group\r\n# Begin Source File\r\n\r\nSOURCE=.\\ReadMe.txt\r\n# End Source File\r\n# End Target\r\n# End Project\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectOD.dsw",
    "content": "Microsoft Developer Studio Workspace File, Format Version 6.00\r\n# 警告: 不能编辑或删除该工作区文件！\r\n\r\n###############################################################################\r\n\r\nProject: \"DetectOD\"=.\\DetectOD.dsp - Package Owner=<4>\r\n\r\nPackage=<5>\r\n{{{\r\n}}}\r\n\r\nPackage=<4>\r\n{{{\r\n}}}\r\n\r\n###############################################################################\r\n\r\nGlobal:\r\n\r\nPackage=<5>\r\n{{{\r\n}}}\r\n\r\nPackage=<3>\r\n{{{\r\n}}}\r\n\r\n###############################################################################\r\n\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectOD.h",
    "content": "// DetectOD.h : main header file for the DETECTOD application\r\n//\r\n\r\n#if !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)\r\n#define AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_\r\n\r\n#if _MSC_VER > 1000\r\n#pragma once\r\n#endif // _MSC_VER > 1000\r\n\r\n#ifndef __AFXWIN_H__\r\n\t#error include 'stdafx.h' before including this file for PCH\r\n#endif\r\n\r\n#include \"resource.h\"\t\t// main symbols\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CDetectODApp:\r\n// See DetectOD.cpp for the implementation of this class\r\n//\r\n\r\nclass CDetectODApp : public CWinApp\r\n{\r\npublic:\r\n\tCDetectODApp();\r\n\r\n// Overrides\r\n\t// ClassWizard generated virtual function overrides\r\n\t//{{AFX_VIRTUAL(CDetectODApp)\r\n\tpublic:\r\n\tvirtual BOOL InitInstance();\r\n\t//}}AFX_VIRTUAL\r\n\r\n// Implementation\r\n\r\n\t//{{AFX_MSG(CDetectODApp)\r\n\t\t// NOTE - the ClassWizard will add and remove member functions here.\r\n\t\t//    DO NOT EDIT what you see in these blocks of generated code !\r\n\t//}}AFX_MSG\r\n\tDECLARE_MESSAGE_MAP()\r\n};\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n\r\n//{{AFX_INSERT_LOCATION}}\r\n// Microsoft Visual C++ will insert additional declarations immediately before the previous line.\r\n\r\n#endif // !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectOD.rc",
    "content": "//Microsoft Developer Studio generated resource script.\r\n//\r\n#include \"resource.h\"\r\n\r\n#define APSTUDIO_READONLY_SYMBOLS\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 2 resource.\r\n//\r\n#include \"afxres.h\"\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#undef APSTUDIO_READONLY_SYMBOLS\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// Chinese (й) resources\r\n\r\n#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\n#ifdef _WIN32\r\nLANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED\r\n#pragma code_page(936)\r\n#endif //_WIN32\r\n\r\n#ifdef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// TEXTINCLUDE\r\n//\r\n\r\n1 TEXTINCLUDE DISCARDABLE \r\nBEGIN\r\n    \"resource.h\\0\"\r\nEND\r\n\r\n2 TEXTINCLUDE DISCARDABLE \r\nBEGIN\r\n    \"#include \"\"afxres.h\"\"\\r\\n\"\r\n    \"\\0\"\r\nEND\r\n\r\n3 TEXTINCLUDE DISCARDABLE \r\nBEGIN\r\n    \"#define _AFX_NO_SPLITTER_RESOURCES\\r\\n\"\r\n    \"#define _AFX_NO_OLE_RESOURCES\\r\\n\"\r\n    \"#define _AFX_NO_TRACKER_RESOURCES\\r\\n\"\r\n    \"#define _AFX_NO_PROPERTY_RESOURCES\\r\\n\"\r\n    \"\\r\\n\"\r\n    \"#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\\r\\n\"\r\n    \"#ifdef _WIN32\\r\\n\"\r\n    \"LANGUAGE 4, 2\\r\\n\"\r\n    \"#pragma code_page(936)\\r\\n\"\r\n    \"#endif //_WIN32\\r\\n\"\r\n    \"#include \"\"res\\\\DetectOD.rc2\"\"  // non-Microsoft Visual C++ edited resources\\r\\n\"\r\n    \"#include \"\"l.chs\\\\afxres.rc\"\"          // Standard components\\r\\n\"\r\n    \"#endif\\r\\n\"\r\n    \"\\0\"\r\nEND\r\n\r\n#endif    // APSTUDIO_INVOKED\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Icon\r\n//\r\n\r\n// Icon with lowest ID value placed first to ensure application icon\r\n// remains 
consistent on all systems.\r\nIDR_MAINFRAME           ICON    DISCARDABLE     \"res\\\\DetectOD.ico\"\r\nIDI_DOG                 ICON    DISCARDABLE     \"res\\\\dog.ico\"\r\nIDI_ICON2               ICON    DISCARDABLE     \"res\\\\home.ico\"\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Dialog\r\n//\r\n\r\nIDD_ABOUTBOX DIALOG DISCARDABLE  0, 0, 235, 55\r\nSTYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU\r\nCAPTION \" ʵ\"\r\nFONT 9, \"\"\r\nBEGIN\r\n    ICON            IDI_ICON2,IDC_MYICON,11,16,20,20,SS_NOTIFY\r\n    LTEXT           \"ٷվд⻥\",IDC_COMEON,56,31,88,8,SS_NOTIFY | \r\n                    NOT WS_GROUP\r\n    DEFPUSHBUTTON   \"ȷ\",IDOK,178,7,50,14,WS_GROUP\r\n    CTEXT           \"http://ucooper.com\",IDC_MYPAGE,40,17,106,8,SS_NOTIFY\r\nEND\r\n\r\nIDD_DETECTOD_DIALOG DIALOGEX 0, 0, 443, 200\r\nSTYLE DS_MODALFRAME | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION | \r\n    WS_SYSMENU\r\nEXSTYLE WS_EX_APPWINDOW\r\nCAPTION \"ʵ д⻥ ucooper.com\"\r\nFONT 9, \"\"\r\nBEGIN\r\n    DEFPUSHBUTTON   \" (&C)\",IDOK,375,18,61,18\r\n    PUSHBUTTON      \"\",IDC_WNDCLS,13,6,46,18\r\n    PUSHBUTTON      \"IsDebuggerPresent\",IDC_ISDEBUGGERPRESENT,13,31,97,18\r\n    PUSHBUTTON      \"EnumWindow\",IDC_ENUMWINDOW,63,6,47,18\r\n    PUSHBUTTON      \"öٽ\",IDC_EnumProcess,13,55,96,18\r\n    PUSHBUTTON      \"Explorer\",IDC_Explorer,13,79,96,18\r\n    PUSHBUTTON      \"GetTickCount\",IDC_GetTickCount,13,103,96,18\r\n    PUSHBUTTON      \"GetStartupInfo\",IDC_GetStartupInfo,13,127,96,18\r\n    PUSHBUTTON      \"PebFlags\",IDC_PEBFLAGS,13,151,97,18\r\n    PUSHBUTTON      \"CheckRemoteDebuggerPresent\",\r\n                    IDC_CHECKREMOTEDEBUGGERPRESENT,7,175,109,18\r\n    PUSHBUTTON      \"ZwQueryInformationProcess\",\r\n                    IDC_ZwQueryInformationProcess,127,6,109,18\r\n    PUSHBUTTON      \"SetUnhandledExceptionFilter\",\r\n                    IDC_SetUnhandledExceptionFilter,127,175,109,18\r\n    
PUSHBUTTON      \"SeDebugPrivilege\",IDC_SeDebugPrivilege,127,31,109,18\r\n    PUSHBUTTON      \"NTQueryObject\",IDC_NTQueryObject,127,55,109,18\r\n    PUSHBUTTON      \"ϵ\",IDC_DectectBreakpoints,127,79,109,18\r\n    PUSHBUTTON      \"ϵ\",IDC_DectectFuncBreakpoints,127,103,109,18\r\n    PUSHBUTTON      \"BlockInput\",IDC_BlockInput,127,151,109,18\r\n    PUSHBUTTON      \"CheckSum\",IDC_CHECKSUM,127,127,109,18\r\n    PUSHBUTTON      \"EnableWindow\",IDC_EnableWindow,253,6,109,18\r\n    PUSHBUTTON      \"ZwSetInformationThread\",IDC_ZwSetInformationThread,253,\r\n                    31,109,18\r\n    PUSHBUTTON      \"OutputDebugString\",IDC_OutputDebugString,253,55,109,18\r\n    PUSHBUTTON      \"GetEntryPoint\",IDC_GetEntryPoint,253,152,109,18\r\n    PUSHBUTTON      \"쳣\",IDC_TrapFlag,253,80,109,18\r\n    PUSHBUTTON      \"ҳGuard Pages\",IDC_GuardPages,253,103,109,18\r\n    PUSHBUTTON      \"HardwareBreakpoint\",IDC_HARDWAREBREAKPOINT,253,127,109,\r\n                    18\r\n    PUSHBUTTON      \" (&A)\",IDC_ABOUT,375,47,61,18\r\n    CTEXT           \"֧ңҵĸվ www.ucooper.com\",IDC_MYPAGE2,\r\n                    257,183,183,10,SS_NOTIFY\r\nEND\r\n\r\n\r\n#ifndef _MAC\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Version\r\n//\r\n\r\nVS_VERSION_INFO VERSIONINFO\r\n FILEVERSION 1,0,0,1\r\n PRODUCTVERSION 1,0,0,1\r\n FILEFLAGSMASK 0x3fL\r\n#ifdef _DEBUG\r\n FILEFLAGS 0x1L\r\n#else\r\n FILEFLAGS 0x0L\r\n#endif\r\n FILEOS 0x4L\r\n FILETYPE 0x1L\r\n FILESUBTYPE 0x0L\r\nBEGIN\r\n    BLOCK \"StringFileInfo\"\r\n    BEGIN\r\n        BLOCK \"080404B0\"\r\n        BEGIN\r\n            VALUE \"CompanyName\", \"\\0\"\r\n            VALUE \"FileDescription\", \"DetectOD Microsoft Ӧó\\0\"\r\n            VALUE \"FileVersion\", \"1, 0, 0, 1\\0\"\r\n            VALUE \"InternalName\", \"DetectOD\\0\"\r\n            VALUE \"LegalCopyright\", \"Ȩ (C) 2010\\0\"\r\n            VALUE \"LegalTrademarks\", \"\\0\"\r\n            VALUE 
\"OriginalFilename\", \"DetectOD.EXE\\0\"\r\n            VALUE \"ProductName\", \"DetectOD Ӧó\\0\"\r\n            VALUE \"ProductVersion\", \"1, 0, 0, 1\\0\"\r\n        END\r\n    END\r\n    BLOCK \"VarFileInfo\"\r\n    BEGIN\r\n        VALUE \"Translation\", 0x804, 1200\r\n    END\r\nEND\r\n\r\n#endif    // !_MAC\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// DESIGNINFO\r\n//\r\n\r\n#ifdef APSTUDIO_INVOKED\r\nGUIDELINES DESIGNINFO DISCARDABLE \r\nBEGIN\r\n    IDD_ABOUTBOX, DIALOG\r\n    BEGIN\r\n        LEFTMARGIN, 7\r\n        RIGHTMARGIN, 228\r\n        TOPMARGIN, 7\r\n        BOTTOMMARGIN, 48\r\n    END\r\n\r\n    IDD_DETECTOD_DIALOG, DIALOG\r\n    BEGIN\r\n        LEFTMARGIN, 7\r\n        RIGHTMARGIN, 436\r\n        TOPMARGIN, 6\r\n        BOTTOMMARGIN, 193\r\n    END\r\nEND\r\n#endif    // APSTUDIO_INVOKED\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// String Table\r\n//\r\n\r\nSTRINGTABLE DISCARDABLE \r\nBEGIN\r\n    IDS_ABOUTBOX            \" DetectOD(&A)...\"\r\nEND\r\n\r\n#endif    // Chinese (й) resources\r\n/////////////////////////////////////////////////////////////////////////////\r\n\r\n\r\n\r\n#ifndef APSTUDIO_INVOKED\r\n/////////////////////////////////////////////////////////////////////////////\r\n//\r\n// Generated from the TEXTINCLUDE 3 resource.\r\n//\r\n#define _AFX_NO_SPLITTER_RESOURCES\r\n#define _AFX_NO_OLE_RESOURCES\r\n#define _AFX_NO_TRACKER_RESOURCES\r\n#define _AFX_NO_PROPERTY_RESOURCES\r\n\r\n#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\n#ifdef _WIN32\r\nLANGUAGE 4, 2\r\n#pragma code_page(936)\r\n#endif //_WIN32\r\n#include \"res\\DetectOD.rc2\"  // non-Microsoft Visual C++ edited resources\r\n#include \"l.chs\\afxres.rc\"          // Standard components\r\n#endif\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n#endif    // not APSTUDIO_INVOKED\r\n\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectODDlg.cpp",
    "content": "// DetectODDlg.cpp : implementation file\r\n//\r\n\r\n#include \"stdafx.h\"\r\n#include \"DetectOD.h\"\r\n#include \"DetectODDlg.h\"\r\n#include \"Shlwapi.h\"\r\n#include \"tlhelp32.h\"\r\n#include \"Windows.h\"\r\n#include \"Winable.h\"\r\n#include \"eh.h\"\r\n#ifdef _DEBUG\r\n#define new DEBUG_NEW\r\n#undef THIS_FILE\r\nstatic char THIS_FILE[] = __FILE__;\r\n#endif\r\nstatic DWORD NewEip;\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CAboutDlg dialog used for App About\r\n\r\nclass CAboutDlg : public CDialog\r\n{\r\npublic:\r\n\tCAboutDlg();\r\n\r\n// Dialog Data\r\n\t//{{AFX_DATA(CAboutDlg)\r\n\tenum { IDD = IDD_ABOUTBOX };\r\n\t//}}AFX_DATA\r\n\r\n\t// ClassWizard generated virtual function overrides\r\n\t//{{AFX_VIRTUAL(CAboutDlg)\r\n\tprotected:\r\n\tvirtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support\r\n\t//}}AFX_VIRTUAL\r\n\r\n// Implementation\r\nprotected:\r\n\t//{{AFX_MSG(CAboutDlg)\r\n\tafx_msg void OnMypage();\r\n\tafx_msg void OnMouseMove(UINT nFlags, CPoint point);\r\n\tvirtual BOOL OnInitDialog();\r\n\tafx_msg void OnComeon();\r\n\tafx_msg void OnMyicon();\r\n\t//}}AFX_MSG\r\n\tDECLARE_MESSAGE_MAP()\r\n};\r\n\r\nCAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)\r\n{\r\n\t//{{AFX_DATA_INIT(CAboutDlg)\r\n\t//}}AFX_DATA_INIT\r\n}\r\n\r\nvoid CAboutDlg::DoDataExchange(CDataExchange* pDX)\r\n{\r\n\tCDialog::DoDataExchange(pDX);\r\n\t//{{AFX_DATA_MAP(CAboutDlg)\r\n\t//}}AFX_DATA_MAP\r\n}\r\n\r\nBEGIN_MESSAGE_MAP(CAboutDlg, CDialog)\r\n\t//{{AFX_MSG_MAP(CAboutDlg)\r\n\tON_BN_CLICKED(IDC_MYPAGE, OnMypage)\r\n\tON_WM_MOUSEMOVE()\r\n\tON_BN_CLICKED(IDC_COMEON, OnComeon)\r\n\tON_BN_CLICKED(IDC_MYICON, OnMyicon)\r\n\t//}}AFX_MSG_MAP\r\nEND_MESSAGE_MAP()\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CDetectODDlg dialog\r\n\r\nCDetectODDlg::CDetectODDlg(CWnd* pParent /*=NULL*/)\r\n\t: CDialog(CDetectODDlg::IDD, 
pParent)\r\n{\r\n\t//{{AFX_DATA_INIT(CDetectODDlg)\r\n\t\t// NOTE: the ClassWizard will add member initialization here\r\n\t//}}AFX_DATA_INIT\r\n\t// Note that LoadIcon does not require a subsequent DestroyIcon in Win32\r\n\tm_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);\r\n}\r\n\r\nvoid CDetectODDlg::DoDataExchange(CDataExchange* pDX)\r\n{\r\n\tCDialog::DoDataExchange(pDX);\r\n\t//{{AFX_DATA_MAP(CDetectODDlg)\r\n\t\t// NOTE: the ClassWizard will add DDX and DDV calls here\r\n\t//}}AFX_DATA_MAP\r\n}\r\n\r\nBEGIN_MESSAGE_MAP(CDetectODDlg, CDialog)\r\n\t//{{AFX_MSG_MAP(CDetectODDlg)\r\n\tON_WM_SYSCOMMAND()\r\n\tON_WM_PAINT()\r\n\tON_WM_QUERYDRAGICON()\r\n\tON_BN_CLICKED(IDC_WNDCLS, OnWndcls)\r\n\tON_BN_CLICKED(IDC_ISDEBUGGERPRESENT, OnIsdebuggerpresent)\r\n\tON_BN_CLICKED(IDC_ENUMWINDOW, OnEnumwindow)\r\n\tON_BN_CLICKED(IDC_EnumProcess, OnEnumProcess)\r\n\tON_BN_CLICKED(IDC_Explorer, OnExplorer)\r\n\tON_BN_CLICKED(IDC_GetTickCount, OnGetTickCount)\r\n\tON_BN_CLICKED(IDC_GetStartupInfo, OnGetStartupInfo)\r\n\tON_BN_CLICKED(IDC_PEBFLAGS, OnPebflags)\r\n\tON_BN_CLICKED(IDC_CHECKREMOTEDEBUGGERPRESENT, OnCheckremotedebuggerpresent)\r\n\tON_BN_CLICKED(IDC_SetUnhandledExceptionFilter, OnSetUnhandledExceptionFilter)\r\n\tON_BN_CLICKED(IDC_ZwQueryInformationProcess, OnZwQueryInformationProcess)\r\n\tON_BN_CLICKED(IDC_SeDebugPrivilege, OnSeDebugPrivilege)\r\n\tON_BN_CLICKED(IDC_NTQueryObject, OnNTQueryObject)\r\n\tON_BN_CLICKED(IDC_DectectBreakpoints, OnDectectBreakpoints)\r\n\tON_BN_CLICKED(IDC_DectectFuncBreakpoints, OnDectectFuncBreakpoints)\r\n\tON_BN_CLICKED(IDC_BlockInput, OnBlockInput)\r\n\tON_BN_CLICKED(IDC_CHECKSUM, OnChecksum)\r\n\tON_BN_CLICKED(IDC_EnableWindow, OnEnableWindow)\r\n\tON_BN_CLICKED(IDC_ZwSetInformationThread, OnZwSetInformationThread)\r\n\tON_BN_CLICKED(IDC_OutputDebugString, OnOutputDebugString)\r\n\tON_BN_CLICKED(IDC_GetEntryPoint, OnGetEntryPoint)\r\n\tON_BN_CLICKED(IDC_TrapFlag, OnTrapFlag)\r\n\tON_BN_CLICKED(IDC_GuardPages, 
OnGuardPages)\r\n\tON_BN_CLICKED(IDC_HARDWAREBREAKPOINT, OnHardwarebreakpoint)\r\n\tON_BN_CLICKED(IDC_ABOUT, OnAbout)\r\n\tON_BN_CLICKED(IDC_MYPAGE2, OnMypage2)\r\n\t//}}AFX_MSG_MAP\r\nEND_MESSAGE_MAP()\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CDetectODDlg message handlers\r\n\r\nBOOL CDetectODDlg::OnInitDialog()\r\n{\r\n\tCDialog::OnInitDialog();\r\n\r\n\t// Add \"About...\" menu item to system menu.\r\n\r\n\t// IDM_ABOUTBOX must be in the system command range.\r\n\tASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);\r\n\tASSERT(IDM_ABOUTBOX < 0xF000);\r\n\r\n\tCMenu* pSysMenu = GetSystemMenu(FALSE);\r\n\tif (pSysMenu != NULL)\r\n\t{\r\n\t\tCString strAboutMenu;\r\n\t\tstrAboutMenu.LoadString(IDS_ABOUTBOX);\r\n\t\tif (!strAboutMenu.IsEmpty())\r\n\t\t{\r\n\t\t\tpSysMenu->AppendMenu(MF_SEPARATOR);\r\n\t\t\tpSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);\r\n\t\t}\r\n\t}\r\n\r\n\t// Set the icon for this dialog.  The framework does this automatically\r\n\t//  when the application's main window is not a dialog\r\n//\tSetIcon(m_hIcon, TRUE);\t\t\t// Set big icon\r\n//\tSetIcon(m_hIcon, FALSE);\t\t// Set small icon\r\n\r\n\t// TODO: Add extra initialization here\r\n\tSetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG))));\r\n\treturn TRUE;  // return TRUE  unless you set the focus to a control\r\n}\r\n\r\nvoid CDetectODDlg::OnSysCommand(UINT nID, LPARAM lParam)\r\n{\r\n\tif ((nID & 0xFFF0) == IDM_ABOUTBOX)\r\n\t{\r\n\t\tCAboutDlg dlgAbout;\r\n\t\tdlgAbout.DoModal();\r\n\t}\r\n\telse\r\n\t{\r\n\t\tCDialog::OnSysCommand(nID, lParam);\r\n\t}\r\n}\r\n\r\n// If you add a minimize button to your dialog, you will need the code below\r\n//  to draw the icon.  
For MFC applications using the document/view model,\r\n//  this is automatically done for you by the framework.\r\n\r\nvoid CDetectODDlg::OnPaint() \r\n{\r\n\tif (IsIconic())\r\n\t{\r\n\t\tCPaintDC dc(this); // device context for painting\r\n\r\n\t\tSendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);\r\n\r\n\t\t// Center icon in client rectangle\r\n\t\tint cxIcon = GetSystemMetrics(SM_CXICON);\r\n\t\tint cyIcon = GetSystemMetrics(SM_CYICON);\r\n\t\tCRect rect;\r\n\t\tGetClientRect(&rect);\r\n\t\tint x = (rect.Width() - cxIcon + 1) / 2;\r\n\t\tint y = (rect.Height() - cyIcon + 1) / 2;\r\n\r\n\t\t// Draw the icon\r\n\t\tdc.DrawIcon(x, y, m_hIcon);\r\n\t}\r\n\telse\r\n\t{\r\n\t\tCDialog::OnPaint();\r\n\t}\r\n}\r\n\r\n// The system calls this to obtain the cursor to display while the user drags\r\n//  the minimized window.\r\nHCURSOR CDetectODDlg::OnQueryDragIcon()\r\n{\r\n\treturn (HCURSOR) m_hIcon;\r\n}\r\n\r\nvoid CDetectODDlg::OnWndcls() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tHWND hWnd;\r\n\tif(hWnd=::FindWindow(\"OllyDbg\",NULL))\r\n\t{\r\n\t\tMessageBox(\"OD\");\r\n\t}else{\r\n\t\tMessageBox(\"ûOD\");\r\n\t}\t\r\n\r\n}\r\nvoid CDetectODDlg::OnIsdebuggerpresent() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tif(IsDebuggerPresent())\r\n\t{\r\n\t\tMessageBox(\"OD\");\r\n\t}\t\r\n\telse\r\n\t{\r\n\t\tMessageBox(\"ûOD\");\r\n\t}\r\n}\r\n/***************************************************/\r\nBOOL CALLBACK EnumWindowsProc(\r\n  HWND hwnd,      // handle to parent window\r\n  LPARAM lParam   // application-defined value\r\n  )\r\n{\r\n\tchar ch[100];\r\n\tCString str=\"Ollydbg\";\r\n\tif(IsWindowVisible(hwnd))\r\n\t{\r\n\t\t::GetWindowText(hwnd,ch,100);\r\n\t\t//AfxMessageBox(ch);\r\n\t\tif(::StrStrI(ch,str))\r\n\t\t{\r\n\t\t\tAfxMessageBox(\"OD\");\r\n\t\t\treturn FALSE;\r\n\t\t}\r\n\t}\t\r\n\treturn TRUE;\r\n}\r\n\r\nvoid CDetectODDlg::OnEnumwindow() \r\n{\r\n\t// TODO: Add your control 
notification handler code here\r\n\tEnumWindows(EnumWindowsProc,NULL);\r\n\tAfxMessageBox(\"öٴڽδʾODûOD\");\r\n}\r\n\r\n/***************************************************/\r\nvoid CDetectODDlg::OnEnumProcess() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t\r\n\tHANDLE hwnd;\r\n\tPROCESSENTRY32 tp32;  //ṹ\r\n\tCString str=\"OLLYDBG.EXE\";\r\n\tBOOL bFindOD=FALSE;\r\n\thwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);\r\n\tif(INVALID_HANDLE_VALUE!=hwnd) \r\n\t{\r\n\t\tProcess32First(hwnd,&tp32);\r\n\t\tdo{\r\n\t\t\tif(0==lstrcmpi(str,tp32.szExeFile))\r\n\t\t\t{\r\n\t\t\t\tAfxMessageBox(\"OD\");\r\n\t\t\t\tbFindOD=TRUE;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}while(Process32Next(hwnd,&tp32));\r\n\t\tif(!bFindOD)\r\n\t\t\tAfxMessageBox(\"ûOD\");\r\n\t}\r\n\tCloseHandle(hwnd);\r\n}\r\n\r\nvoid CDetectODDlg::OnExplorer() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tHANDLE hwnd;\r\n\tPROCESSENTRY32 tp32;  //ṹ\r\n\tCString str=\"Explorer.EXE\";\r\n\r\n\tDWORD ExplorerID;\r\n\tDWORD SelfID;\r\n\tDWORD SelfParentID;\r\n\tSelfID=GetCurrentProcessId();\r\n\t::GetWindowThreadProcessId(::FindWindow(\"Progman\",NULL),&ExplorerID);\r\n\thwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);\r\n\tif(INVALID_HANDLE_VALUE!=hwnd) \r\n\t{\r\n\t\tProcess32First(hwnd,&tp32);\r\n\t\tdo{\r\n\t\t\tif(0==lstrcmp(str,tp32.szExeFile))\r\n\t\t\t{\r\n\t\t\t//\tExplorerID=tp32.th32ProcessID;\r\n\t\t\t//\tAfxMessageBox(\"aaa\");\r\n\t\t\t}\r\n\t\t\tif(SelfID==tp32.th32ProcessID)\r\n\t\t\t{\r\n\t\t\t\tSelfParentID=tp32.th32ParentProcessID;\r\n\t\t\t}\r\n\t\t}while(Process32Next(hwnd,&tp32));\r\n\r\n\t\tstr.Format(\"̣%d ̣%d Explorer: %d \",SelfID,SelfParentID,ExplorerID);\r\n\t\tMessageBox(str);\r\n\t\tif(ExplorerID==SelfParentID)\r\n\t\t{\r\n\t\t\tAfxMessageBox(\"ûOD\");\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tAfxMessageBox(\"OD\");\r\n\t\t}\r\n\t}\r\n\tCloseHandle(hwnd);\r\n}\r\n\r\nvoid CDetectODDlg::OnGetTickCount() \r\n{\r\n\t// 
TODO: Add your control notification handler code here\r\n\tDWORD dTime1;\r\n\tDWORD dTime2;\r\n\tdTime1=GetTickCount();\r\n\tGetCurrentProcessId();\r\n\tGetCurrentProcessId();\r\n\tGetCurrentProcessId();\r\n\tGetCurrentProcessId();\r\n\tdTime2=GetTickCount();\r\n\tif(dTime2-dTime1>100)\r\n\t{\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}\r\n\telse{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\r\n}\r\n\r\nvoid CDetectODDlg::OnGetStartupInfo() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tSTARTUPINFO info={0};\r\n\tGetStartupInfo(&info);\r\n\tif(info.dwX!=0 || info.dwY!=0 || info.dwXCountChars!=0 || info.dwYCountChars!=0\r\n\t\t|| info.dwFillAttribute!=0 || info.dwXSize!=0 || info.dwYSize!=0)\r\n\t{\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}\r\n\telse{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\r\n\r\n}\r\n\r\n//**********************************************\r\ntypedef ULONG NTSTATUS;\r\ntypedef ULONG PPEB;\r\ntypedef ULONG KAFFINITY;\r\ntypedef ULONG KPRIORITY;\r\n\r\ntypedef struct _PROCESS_BASIC_INFORMATION { // Information Class 0\r\nNTSTATUS ExitStatus;\r\nPPEB PebBaseAddress;\r\nKAFFINITY AffinityMask;\r\nKPRIORITY BasePriority;\r\nULONG UniqueProcessId;\r\nULONG InheritedFromUniqueProcessId;\r\n} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;\r\n\r\ntypedef enum _PROCESSINFOCLASS {\r\nProcessBasicInformation, // 0 Y N\r\nProcessQuotaLimits, // 1 Y Y\r\nProcessIoCounters, // 2 Y N\r\nProcessVmCounters, // 3 Y N\r\nProcessTimes, // 4 Y N\r\nProcessBasePriority, // 5 N Y\r\nProcessRaisePriority, // 6 N Y\r\nProcessDebugPort, // 7 Y Y\r\nProcessExceptionPort, // 8 N Y\r\nProcessAccessToken, // 9 N Y\r\nProcessLdtInformation, // 10 Y Y\r\nProcessLdtSize, // 11 N Y\r\nProcessDefaultHardErrorMode, // 12 Y Y\r\nProcessIoPortHandlers, // 13 N Y\r\nProcessPooledUsageAndLimits, // 14 Y N\r\nProcessWorkingSetWatch, // 15 Y Y\r\nProcessUserModeIOPL, // 16 N Y\r\nProcessEnableAlignmentFaultFixup, // 17 N Y\r\nProcessPriorityClass, // 18 N 
Y\r\nProcessWx86Information, // 19 Y N\r\nProcessHandleCount, // 20 Y N\r\nProcessAffinityMask, // 21 N Y\r\nProcessPriorityBoost, // 22 Y Y\r\nProcessDeviceMap,// 23 Y Y\r\nProcessSessionInformation, // 24 Y Y\r\nProcessForegroundInformation, // 25 N Y\r\nProcessWow64Information // 26 Y N\r\n} PROCESSINFOCLASS;\r\n\r\ntypedef NTSTATUS (_stdcall *ZwQueryInformationProcess)(\r\nHANDLE ProcessHandle,\r\nPROCESSINFOCLASS ProcessInformationClass,\r\nPVOID ProcessInformation,\r\nULONG ProcessInformationLength,\r\nPULONG ReturnLength\r\n); //庯ָ\r\nvoid CDetectODDlg::OnPebflags() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t\r\n\t//庯ָ\r\n\tZwQueryInformationProcess MyZwQueryInformationProcess;\r\n\r\n\tHANDLE hProcess = NULL;\r\n\tPROCESS_BASIC_INFORMATION pbi = {0};\r\n    ULONG peb = 0;        \r\n    ULONG cnt = 0;\r\n\tULONG PebBase = 0;\r\n\tULONG AddrBase;\r\n\tBOOL bFoundOD=FALSE;\r\n\tWORD flag;\r\n\tDWORD dwFlag;\r\n\tDWORD bytesrw;\t\r\n\tDWORD ProcessId=GetCurrentProcessId();\r\n    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId);\t\r\n    if (hProcess != NULL) {\r\n\t\t//ֵָ\r\n\t\tMyZwQueryInformationProcess=(ZwQueryInformationProcess)GetProcAddress(LoadLibrary(\"ntdll.dll\"),\"ZwQueryInformationProcess\");\r\n        //ָ\r\n\t\tif (MyZwQueryInformationProcess( \r\n                hProcess,\r\n\t\t\t\tProcessBasicInformation,\r\n\t\t\t\t&pbi,\r\n\t\t\t\tsizeof(PROCESS_BASIC_INFORMATION),\r\n\t\t\t\t&cnt) == 0)\r\n\t\t{\r\n            PebBase = (ULONG)pbi.PebBaseAddress;\r\n\t\t\tAddrBase=PebBase;\r\n\t\t\tif (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x68),&flag,2,&bytesrw) && bytesrw==2)\r\n\t\t\t{ //PEB.NtGlobalFlag\t\t\t\t\r\n\t\t\t\tif(0x70==flag){\r\n\t\t\t\t\tbFoundOD=TRUE;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tif (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x18),&dwFlag,4,&bytesrw) && bytesrw==4)\r\n\t\t\t{\r\n\t\t\t\tAddrBase=dwFlag;\r\n\t\t\t}\r\n\t\t\tif 
(ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x0c),&flag,2,&bytesrw) && bytesrw==2)\r\n\t\t\t{//PEB.ProcessHeap.Flags\r\n\t\t\t\tif(2!=flag){\t\t\t\t\t\r\n\t\t\t\t\tbFoundOD=TRUE;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tif (ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x10),&flag,2,&bytesrw) && bytesrw==2)\r\n\t\t\t{//PEB.ProcessHeap.ForceFlags\r\n\t\t\t\tif(0!=flag){\r\n\t\t\t\t\tbFoundOD=TRUE;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tif(bFoundOD==FALSE)\r\n\t\t\t{\r\n\t\t\t\tAfxMessageBox(\"ûOD\");\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\tAfxMessageBox(\"OD\");\r\n\t\t\t}\r\n        }\r\n        CloseHandle(hProcess);\r\n    }\r\n}\r\n\r\n//*******************************************************************\r\ntypedef BOOL (WINAPI *CHECK_REMOTE_DEBUGGER_PRESENT)(HANDLE, PBOOL);\r\n\r\nvoid CDetectODDlg::OnCheckremotedebuggerpresent() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tHANDLE      hProcess;\r\n    HINSTANCE   hModule;    \r\n    BOOL        bDebuggerPresent = FALSE;\r\n    CHECK_REMOTE_DEBUGGER_PRESENT CheckRemoteDebuggerPresent;\r\n    hModule = GetModuleHandleA(\"Kernel32\");\r\n    CheckRemoteDebuggerPresent = \r\n        (CHECK_REMOTE_DEBUGGER_PRESENT)GetProcAddress(hModule, \"CheckRemoteDebuggerPresent\");\r\n    hProcess = GetCurrentProcess();\r\n    CheckRemoteDebuggerPresent(hProcess,&bDebuggerPresent); \r\n\tif(bDebuggerPresent==TRUE)\r\n\t{\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\r\n}\r\n//********************************************************\r\ntypedef NTSTATUS (_stdcall *ZW_QUERY_INFORMATION_PROCESS)(\r\nHANDLE ProcessHandle,\r\nPROCESSINFOCLASS ProcessInformationClass, //òҲҪݽṹ\r\nPVOID ProcessInformation,\r\nULONG ProcessInformationLength,\r\nPULONG ReturnLength\r\n); //庯ָ\r\n\r\nvoid CDetectODDlg::OnZwQueryInformationProcess() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tHANDLE      hProcess;\r\n    HINSTANCE   hModule;\r\n    DWORD      
 dwResult;\r\n    ZW_QUERY_INFORMATION_PROCESS MyFunc;\r\n    hModule = GetModuleHandle(\"ntdll.dll\");\r\n    MyFunc=(ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hModule,\"ZwQueryInformationProcess\");\r\n    hProcess = GetCurrentProcess();\r\n    MyFunc(\r\n\t\thProcess,\r\n\t\tProcessDebugPort,\r\n\t\t&dwResult,\r\n\t\t4,\r\n\t\tNULL);\r\n\tif(dwResult!=0)\r\n\t{\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\r\n}\r\n//********************************************************\r\nstatic DWORD lpOldHandler;\r\ntypedef LPTOP_LEVEL_EXCEPTION_FILTER (_stdcall  *pSetUnhandledExceptionFilter)(\r\n                      LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter \r\n                      );\r\npSetUnhandledExceptionFilter lpSetUnhandledExceptionFilter;\r\n\r\nLONG WINAPI TopUnhandledExceptionFilter(\r\n\tstruct _EXCEPTION_POINTERS *ExceptionInfo\r\n)\r\n{\r\n\t_asm pushad\r\n\tAfxMessageBox(\"ص\");\r\n\tlpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler);\r\n\tExceptionInfo->ContextRecord->Eip=NewEip;//תƵȫλ\r\n\t_asm popad\r\n\treturn EXCEPTION_CONTINUE_EXECUTION;\r\n}\r\n\r\nvoid CDetectODDlg::OnSetUnhandledExceptionFilter() \r\n{\r\n\tbool isDebugged=0;\r\n\t// TODO: Add your control notification handler code here\r\n\tlpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary((\"kernel32.dll\")),\r\n  \"SetUnhandledExceptionFilter\"); \r\n\tlpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter);\r\n\t_asm{  //ȡȫַ\r\n\t\tcall me     //ʽһҪNewEipһƫֵ\r\nme:\r\n\t\tpop NewEip  //ʽһ\r\n\t\tmov NewEip,offset safe //ʽ\r\n\t\tint 3  //쳣\r\n\t}\t\r\n\tAfxMessageBox(\"⵽OD\");\r\n\tisDebugged=1;\r\n\t_asm{\r\nsafe:\t\r\n\t}\r\n\tif(1==isDebugged){\r\n\r\n\t}else{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\t\r\n}\r\n//********************************************************\r\nvoid CDetectODDlg::OnSeDebugPrivilege() \r\n{\r\n\t// TODO: Add your control 
notification handler code here\r\n\tHANDLE hProcessSnap;\r\n\tHANDLE hProcess;\r\n\tPROCESSENTRY32 tp32;  //ṹ\r\n\tCString str=\"csrss.exe\";\r\n\thProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);\r\n\tif(INVALID_HANDLE_VALUE!=hProcessSnap) \r\n\t{\t\t\r\n\t\tProcess32First(hProcessSnap,&tp32);\r\n\t\tdo{\r\n\t\t\tif(0==lstrcmpi(str,tp32.szExeFile))\r\n\t\t\t{\r\n\t\t\t\thProcess=OpenProcess(PROCESS_QUERY_INFORMATION,NULL,tp32.th32ProcessID);\r\n\t\t\t\tif(NULL!=hProcess)\r\n\t\t\t\t{\r\n\t\t\t\t\tAfxMessageBox(\"OD\");\t\t\t\t\t\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\tAfxMessageBox(\"ûOD\");\r\n\t\t\t\t}\r\n\t\t\t\tCloseHandle(hProcess);\r\n\t\t\t}\t\t\r\n\t\t}while(Process32Next(hProcessSnap,&tp32));\t\t\t\r\n\t}\r\n\tCloseHandle(hProcessSnap);\r\n}\r\n\r\n//***************************************************************\r\n#ifndef STATUS_INFO_LENGTH_MISMATCH\r\n#define STATUS_INFO_LENGTH_MISMATCH\t((UINT32)0xC0000004L)\r\n#endif\r\n\r\ntypedef enum _POOL_TYPE {\r\n  NonPagedPool,\r\n  PagedPool,\r\n  NonPagedPoolMustSucceed,\r\n  DontUseThisType,\r\n  NonPagedPoolCacheAligned,\r\n  PagedPoolCacheAligned,\r\n  NonPagedPoolCacheAlignedMustS\r\n} POOL_TYPE;\r\n\r\ntypedef struct _UNICODE_STRING {\r\n    USHORT Length;\r\n    USHORT MaximumLength;\r\n    PWSTR Buffer;\r\n} UNICODE_STRING;\r\ntypedef UNICODE_STRING *PUNICODE_STRING;\r\ntypedef const UNICODE_STRING *PCUNICODE_STRING;\r\n\r\ntypedef enum _OBJECT_INFORMATION_CLASS\r\n{\r\n\tObjectBasicInformation,\t\t\t// Result is OBJECT_BASIC_INFORMATION structure\r\n\tObjectNameInformation,\t\t\t// Result is OBJECT_NAME_INFORMATION structure\r\n\tObjectTypeInformation,\t\t\t// Result is OBJECT_TYPE_INFORMATION structure\r\n\tObjectAllTypesInformation,\t\t\t// Result is OBJECT_ALL_INFORMATION structure\r\n\tObjectDataInformation\t\t\t// Result is OBJECT_DATA_INFORMATION structure\r\n\t\r\n} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;\r\n\r\ntypedef struct 
_OBJECT_TYPE_INFORMATION {\r\n\tUNICODE_STRING TypeName; \r\n\tULONG TotalNumberOfHandles; \r\n\tULONG TotalNumberOfObjects; \r\n\tWCHAR Unused1[8]; \r\n\tULONG HighWaterNumberOfHandles; \r\n\tULONG HighWaterNumberOfObjects; \r\n\tWCHAR Unused2[8]; \r\n\tACCESS_MASK InvalidAttributes; \r\n\tGENERIC_MAPPING GenericMapping; \r\n\tACCESS_MASK ValidAttributes; \r\n\tBOOLEAN SecurityRequired; \r\n\tBOOLEAN MaintainHandleCount; \r\n\tUSHORT MaintainTypeList; \r\n\tPOOL_TYPE PoolType; \r\n\tULONG DefaultPagedPoolCharge; \r\n\tULONG DefaultNonPagedPoolCharge;\r\n} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;\r\n\r\ntypedef struct _OBJECT_ALL_INFORMATION {\r\n\tULONG NumberOfObjectsTypes; \r\n\tOBJECT_TYPE_INFORMATION ObjectTypeInformation[1];\r\n} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;\r\n\r\ntypedef struct _OBJECT_ALL_TYPES_INFORMATION {\r\n    ULONG NumberOfTypes;\r\n    OBJECT_TYPE_INFORMATION TypeInformation[1];\r\n} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;\r\n\r\ntypedef UINT32 (__stdcall  *ZwQueryObject_t) ( \t\t  \r\n\tIN HANDLE ObjectHandle, \r\n\tIN OBJECT_INFORMATION_CLASS ObjectInformationClass, \r\n\tOUT PVOID ObjectInformation, \r\n\tIN ULONG Length, \r\n\tOUT PULONG ResultLength );\r\n\r\nvoid CDetectODDlg::OnNTQueryObject() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t// ڵԲܼ⵽ODǼⲻ\r\n\tHMODULE hNtDLL;\r\n\tDWORD dwSize;\r\n\tUINT i;\r\n\tUCHAR  KeyType=0;\r\n\tOBJECT_ALL_TYPES_INFORMATION *Types;\r\n\tOBJECT_TYPE_INFORMATION\t*t;\r\n\tZwQueryObject_t ZwQueryObject;\r\n\r\n\thNtDLL = GetModuleHandle(\"ntdll.dll\");\r\n\tif(hNtDLL){\r\n\t\tZwQueryObject = (ZwQueryObject_t)GetProcAddress(hNtDLL, \"ZwQueryObject\");\r\n\t\tUINT32 iResult = ZwQueryObject(NULL, ObjectAllTypesInformation, NULL, NULL, &dwSize);\r\n\t\tif(iResult==STATUS_INFO_LENGTH_MISMATCH)\r\n\t\t{\r\n\t\t\tTypes = (OBJECT_ALL_TYPES_INFORMATION*)VirtualAlloc(NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);\r\n\t\t\tif (Types == NULL) 
\treturn;\r\n\t\t    if (iResult=ZwQueryObject(NULL,ObjectAllTypesInformation, Types, dwSize, &dwSize)) return;\t\r\n\t\t\tfor (t=Types->TypeInformation,i=0;i<Types->NumberOfTypes;i++)\r\n\t\t\t{   \r\n\t\t\t\tif ( !_wcsicmp(t->TypeName.Buffer,L\"DebugObject\")) //ȽǷȣL⣬ص˼\r\n\t\t\t\t{   \r\n\t\t\t\t\tif(t->TotalNumberOfHandles > 0 || t->TotalNumberOfObjects > 0)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tAfxMessageBox(\"OD\");\r\n\t\t\t\t\t\tVirtualFree (Types,0,MEM_RELEASE);\r\n\t\t\t\t\t\treturn;\r\n\t\t\t\t\t}\r\n\t\t\t\t\tbreak; // Found Anyways\r\n\t\t\t\t}\r\n\t\t\t\tt=(OBJECT_TYPE_INFORMATION *)((char *)t->TypeName.Buffer+((t->TypeName.MaximumLength+3)&~3));\r\n\t\t\t}\r\n\t\t}\r\n\t\tAfxMessageBox(\"ûOD!\");\r\n\t\tVirtualFree (Types,0,MEM_RELEASE);\r\n\t}\r\n}\r\n/*********************************************************/\r\nBOOL DetectBreakpoints()\r\n{\r\n\tBOOL bFoundOD;\r\n\tbFoundOD=FALSE;\r\n\t__asm\r\n\t{\r\n\t\t\t\tjmp     CodeEnd     \r\n   CodeStart:   mov     eax,ecx  ;ĳ\r\n                nop\r\n                push    eax\r\n                push    ecx\r\n                pop     ecx\r\n                pop     eax\r\n   CodeEnd:     \r\n                cld               ;뿪ʼ\r\n                mov     edi,offset CodeStart\r\n\t\t\t\tmov     edx,offset CodeStart\r\n                mov     ecx,offset CodeEnd\r\n\t\t\t\tsub     ecx,edx\r\n\t\t\t\t\r\n                mov     al,0CCH\r\n                repne   scasb\r\n\t\t\t\tjnz      ODNotFound\r\n\t\t\t\tmov bFoundOD,1\r\n\tODNotFound:\t\t\t\t\r\n\t}\r\n\treturn bFoundOD;\r\n}\t\r\nvoid CDetectODDlg::OnDectectBreakpoints() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tif(DetectBreakpoints())\r\n\t{\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\t\r\n}\r\n/*********************************************************/\r\nBOOL DetectFuncBreakpoints()\r\n{\r\n\tBOOL bFoundOD;\r\n\tbFoundOD=FALSE;\r\n\tDWORD 
dwAddr;\r\n\tdwAddr=(DWORD)::GetProcAddress(LoadLibrary(\"user32.dll\"),\"MessageBoxA\");\r\n\t__asm\r\n\t{\r\n                cld               ;뿪ʼ\r\n                mov     edi,dwAddr\r\n\t\t\t\tmov     ecx,100   ;100bytes\r\n                mov     al,0CCH\r\n                repne   scasb\r\n\t\t\t\tjnz     ODNotFound\r\n\t\t\t\tmov bFoundOD,1\r\n\tODNotFound:\t\t\t\t\r\n\t}\r\n\treturn bFoundOD;\r\n}\r\nvoid CDetectODDlg::OnDectectFuncBreakpoints() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tif(DetectFuncBreakpoints())\r\n\t{\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\t\r\n}\r\n\r\nvoid CDetectODDlg::OnBlockInput() \r\n{   // #include \"Winable.h\"\r\n\t// TODO: Add your control notification handler code here\t\r\n\tDWORD dwNoUse;\r\n\tDWORD dwNoUse2;\r\n\t::BlockInput(TRUE);\r\n    dwNoUse=2;\r\n\tdwNoUse2=3;\r\n\tdwNoUse=dwNoUse2;\r\n\t::BlockInput(FALSE);\t\r\n}\r\n/*********************************************************/\r\nBOOL CheckSum()\r\n{\r\n    BOOL bFoundOD;\r\n\tbFoundOD=FALSE;\r\n\tDWORD CHECK_SUM=5555; //ȷУֵ\r\n\tDWORD dwAddr;\r\n\tdwAddr=(DWORD)CheckSum;\r\n\t__asm\r\n\t{\r\n                              ;뿪ʼ\r\n                mov     esi,dwAddr\r\n\t\t\t\tmov     ecx,100\r\n\t\t\t\txor     eax,eax\r\n checksum_loop:\r\n                movzx \tebx,byte ptr [esi]\r\n                add \teax,ebx\r\n                rol \teax,1\r\n                inc \tesi\r\n                loop \tchecksum_loop\r\n                \r\n                cmp \teax,CHECK_SUM\t\t\r\n\t\t\t\tjz      ODNotFound\r\n\t\t\t\tmov     bFoundOD,1\r\n\tODNotFound:\t\t\t\t\r\n\t}\r\n\treturn bFoundOD;\r\n}\r\nvoid CDetectODDlg::OnChecksum() \r\n{\r\n\t// TODO: Add your control notification handler code 
here\t\r\n\tif(CheckSum())\r\n\t{\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}\r\n\telse\r\n\t{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\t\r\n}\r\n/*********************************************************/\r\n\r\nvoid CDetectODDlg::OnEnableWindow() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tCWnd *wnd;\r\n\twnd=GetForegroundWindow();\r\n\twnd->EnableWindow(FALSE);\r\n\tDWORD dwNoUse;\r\n\tDWORD dwNoUse2;\r\n    dwNoUse=2;\r\n\tdwNoUse2=3;\r\n\tdwNoUse=dwNoUse2;\r\n\twnd->EnableWindow(TRUE);\r\n}\r\n/*********************************************************/\r\ntypedef enum _THREADINFOCLASS {\r\nThreadBasicInformation, // 0 Y N\r\nThreadTimes, // 1 Y N\r\nThreadPriority, // 2 N Y\r\nThreadBasePriority, // 3 N Y\r\nThreadAffinityMask, // 4 N Y\r\nThreadImpersonationToken, // 5 N Y\r\nThreadDescriptorTableEntry, // 6 Y N\r\nThreadEnableAlignmentFaultFixup, // 7 N Y\r\nThreadEventPair, // 8 N Y\r\nThreadQuerySetWin32StartAddress, // 9 Y Y\r\nThreadZeroTlsCell, // 10 N Y\r\nThreadPerformanceCount, // 11 Y N\r\nThreadAmILastThread, // 12 Y N\r\nThreadIdealProcessor, // 13 N Y\r\nThreadPriorityBoost, // 14 Y Y\r\nThreadSetTlsArrayAddress, // 15 N Y\r\nThreadIsIoPending, // 16 Y N\r\nThreadHideFromDebugger // 17 N Y\r\n} THREAD_INFO_CLASS;\r\n\r\ntypedef NTSTATUS (NTAPI *ZwSetInformationThread)(\r\nIN  HANDLE \t\t\t\t\t\tThreadHandle,\r\nIN  THREAD_INFO_CLASS\t\t\tThreadInformaitonClass,\r\nIN  PVOID \t\t\t\t\t\tThreadInformation,\r\nIN  ULONG \t\t\t\t\t\tThreadInformationLength\r\n);\r\n\r\nvoid CDetectODDlg::OnZwSetInformationThread() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tCString str=\"Ҷλ\";\r\n\tHANDLE hwnd;\r\n\tHMODULE hModule;\r\n\thwnd=GetCurrentThread();\r\n\thModule=LoadLibrary(\"ntdll.dll\");\r\n\tZwSetInformationThread 
myFunc;\r\n\tmyFunc=(ZwSetInformationThread)GetProcAddress(hModule,\"ZwSetInformationThread\");\r\n\tmyFunc(hwnd,ThreadHideFromDebugger,NULL,NULL);\t\r\n}\r\n/*********************************************************/\r\nvoid CDetectODDlg::OnOutputDebugString() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t::OutputDebugString(\"%s%s%s\");\r\n}\r\n/*********************************************************/\r\nvoid CDetectODDlg::OnGetEntryPoint() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tIMAGE_DOS_HEADER *dos_head=(IMAGE_DOS_HEADER *)GetModuleHandle(NULL);\r\n\tPIMAGE_NT_HEADERS32 nt_head=(PIMAGE_NT_HEADERS32)((DWORD)dos_head+(DWORD)dos_head->e_lfanew);\r\n\tDWORD EP=(nt_head->OptionalHeader.AddressOfEntryPoint);\t\r\n\tCString str;\r\n\tstr.Format(\"%x\",EP);\r\n\tAfxMessageBox(str);\r\n\r\n\tBYTE*OEP=(BYTE*)(nt_head->OptionalHeader.AddressOfEntryPoint+(DWORD)dos_head);\r\n\tfor(unsigned long index=0;index<20;index++){\r\n\t\tif(OEP[index]==0xcc){\r\n\t\t\tExitProcess(0);\r\n\t\t}\r\n\t}\r\n\r\n}\r\n/**************************************************************/\r\nvoid terminateFunc()\r\n{\r\n\tAfxMessageBox(\"set_terminateָĺ\\n\");\r\n\texit(0);\r\n}\r\nvoid CDetectODDlg::OnButton1() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\r\n\tset_terminate(terminateFunc);\r\n\ttry{\r\n\t\tdiv(10,0);\r\n\t}catch(int){\r\n\t\tAfxMessageBox(\"쳣\");\r\n\t}catch(...){\r\n\t\tterminate(); //쳣\r\n\t}\r\n\tAfxMessageBox(\"\");\t\r\n}\r\n//********************************************************\r\n\r\nvoid CDetectODDlg::OnTrapFlag() \r\n{\r\n\ttry{\r\n\t\t_asm{\t\t\t\t\t\r\n\t\t\tpushfd\t\t\t\t\t //쳣\r\n\t\t\tor      dword ptr [esp],100h   ;TF=1\r\n\t\t\tpopfd\r\n\t\t}\r\n\t\tAfxMessageBox(\"⵽OD\");\r\n\t}catch(...){\r\n\t\tAfxMessageBox(\"ûOD\");\t\r\n\t}\r\n}\r\n//********************************************************\r\nstatic bool isDebugged=1;\r\nLONG WINAPI 
TopUnhandledExceptionFilter2(\r\n\tstruct _EXCEPTION_POINTERS *ExceptionInfo\r\n)\r\n{\r\n\t_asm pushad\r\n\tAfxMessageBox(\"ص\");\r\n\tlpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler);\r\n\tExceptionInfo->ContextRecord->Eip=NewEip;\r\n\tisDebugged=0;\r\n\t_asm popad\r\n\treturn EXCEPTION_CONTINUE_EXECUTION;\r\n}\r\n\r\nvoid CDetectODDlg::OnGuardPages() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t\r\n\tULONG dwOldType;\r\n\tDWORD dwPageSize;\r\n\tLPVOID lpvBase;               // ȡڴĻַ\r\n\tSYSTEM_INFO sSysInfo;         // ϵͳϢ\r\n\tGetSystemInfo(&sSysInfo);     // ȡϵͳϢ\r\n\tdwPageSize=sSysInfo.dwPageSize;\t\t//ϵͳڴҳС\r\n\r\n\tlpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary((\"kernel32.dll\")),\r\n  \"SetUnhandledExceptionFilter\"); \r\n\tlpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter2);\r\n\r\n  // ڴ\r\n\tlpvBase = VirtualAlloc(NULL,dwPageSize,MEM_COMMIT,PAGE_READWRITE);\r\n\tif (lpvBase==NULL)\tAfxMessageBox(\"ڴʧ\");\r\n\t_asm{\r\n\t\tmov   NewEip,offset safe //ʽ\r\n\t\tmov   eax,lpvBase\r\n\t\tpush  eax\r\n\t    mov   byte ptr [eax],0C3H //дһ RETN ڴ棬Աĵ\r\n\t}\r\n\tif(0==::VirtualProtect(lpvBase,dwPageSize,PAGE_EXECUTE_READ | PAGE_GUARD,&dwOldType)){\r\n\t\tAfxMessageBox(\"ִʧ\");\t\r\n\t}\r\n\t_asm{\r\n\t\tpop   ecx\r\n\t\tcall  ecx   //ʱѹջ\r\nsafe:\r\n\t\tpop\t  ecx    //ջƽ⣬ʱѹջ\r\n\t}\t\r\n\tif(1==isDebugged){\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}else{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\r\n\tVirtualFree(lpvBase,dwPageSize,MEM_DECOMMIT);\r\n}\r\n//********************************************************\r\nstatic bool isDebuggedHBP=0;\r\nLONG WINAPI TopUnhandledExceptionFilterHBP(\r\n\tstruct _EXCEPTION_POINTERS *ExceptionInfo\r\n)\r\n{\r\n\t_asm 
pushad\r\n\tAfxMessageBox(\"ص\");\r\n\tExceptionInfo->ContextRecord->Eip=NewEip;\r\n\tif(0!=ExceptionInfo->ContextRecord->Dr0||0!=ExceptionInfo->ContextRecord->Dr1||\r\n\t\t0!=ExceptionInfo->ContextRecord->Dr2||0!=ExceptionInfo->ContextRecord->Dr3)\r\n\t\tisDebuggedHBP=1;  //Ӳϵ\r\n\tExceptionInfo->ContextRecord->Dr0=0; //Ӳϵ㣬0\r\n\tExceptionInfo->ContextRecord->Dr1=0;\r\n\tExceptionInfo->ContextRecord->Dr2=0;\r\n\tExceptionInfo->ContextRecord->Dr3=0;\r\n\tExceptionInfo->ContextRecord->Dr6=0;\r\n\tExceptionInfo->ContextRecord->Dr7=0;\r\n\tExceptionInfo->ContextRecord->Eip=NewEip; //תƵȫλ\r\n\t_asm popad\r\n\treturn EXCEPTION_CONTINUE_EXECUTION;\r\n}\r\n\r\nvoid CDetectODDlg::OnHardwarebreakpoint() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\r\n\tlpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary((\"kernel32.dll\")),\r\n  \"SetUnhandledExceptionFilter\"); \r\n\tlpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilterHBP);\r\n\r\n\t_asm{\r\n\t\tmov   NewEip,offset safe //ʽ\r\n\t\tint   3\r\n\t\tmov   isDebuggedHBP,1 //ʱҲᴥ쳣ȥӲϵ\r\nsafe:\r\n\t}\t\r\n\tif(1==isDebuggedHBP){\r\n\t\tAfxMessageBox(\"OD\");\r\n\t}else{\r\n\t\tAfxMessageBox(\"ûOD\");\r\n\t}\r\n}\r\n//********************************************************\r\n\r\nvoid CDetectODDlg::OnCancel() \r\n{\r\n\t// TODO: Add extra cleanup here\r\n\tCDialog::OnCancel();\r\n}\r\n\r\nvoid CAboutDlg::OnMypage() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t::ShellExecute(NULL,\"open\",\"http://ucooper.com\",NULL,NULL,SW_SHOWNORMAL);\r\n}\r\n\r\nvoid CDetectODDlg::OnAbout() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\tCAboutDlg dlg;\r\n\tdlg.DoModal();\r\n}\r\n\r\nvoid CAboutDlg::OnMouseMove(UINT nFlags, CPoint point) \r\n{\r\n\t// TODO: Add your message handler code here and/or call default\r\n\tCRect 
rect(60,20,100,100);\r\n\tif(rect.PtInRect(point)){\t\t\r\n\t\tSetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(NULL,IDC_HELP)));\r\n\t}else{\r\n\t\tSetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(AfxGetApp()->m_hInstance,IDC_ARROW)));\r\n\t}\r\n\tCDialog::OnMouseMove(nFlags, point);\r\n}\r\n\r\nBOOL CAboutDlg::OnInitDialog() \r\n{\r\n\tCDialog::OnInitDialog();\r\n\t\r\n\t// TODO: Add extra initialization here\r\n\tSetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG))));\r\n\treturn TRUE;  // return TRUE unless you set the focus to a control\r\n\t              // EXCEPTION: OCX Property Pages should return FALSE\r\n}\r\n\r\nvoid CDetectODDlg::OnOK() \r\n{\r\n\t// TODO: Add extra validation here\r\n\t\r\n\tCDialog::OnOK();\r\n}\r\n\r\nvoid CAboutDlg::OnComeon() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t::ShellExecute(NULL,\"open\",\"http://ucooper.com\",NULL,NULL,SW_SHOWNORMAL);\r\n}\r\n\r\nvoid CAboutDlg::OnMyicon() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t::ShellExecute(NULL,\"open\",\"http://ucooper.com\",NULL,NULL,SW_SHOWNORMAL);\r\n}\r\n\r\nvoid CDetectODDlg::OnMypage2() \r\n{\r\n\t// TODO: Add your control notification handler code here\r\n\t::ShellExecute(NULL,\"open\",\"http://ucooper.com\",NULL,NULL,SW_SHOWNORMAL);\r\n}\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/DetectODDlg.h",
    "content": "// DetectODDlg.h : header file\r\n//\r\n\r\n#if !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)\r\n#define AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_\r\n\r\n#if _MSC_VER > 1000\r\n#pragma once\r\n#endif // _MSC_VER > 1000\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// CDetectODDlg dialog\r\n\r\nclass CDetectODDlg : public CDialog\r\n{\r\n// Construction\r\npublic:\r\n\tCDetectODDlg(CWnd* pParent = NULL);\t// standard constructor\r\n\r\n// Dialog Data\r\n\t//{{AFX_DATA(CDetectODDlg)\r\n\tenum { IDD = IDD_DETECTOD_DIALOG };\r\n\t\t// NOTE: the ClassWizard will add data members here\r\n\t//}}AFX_DATA\r\n\r\n\t// ClassWizard generated virtual function overrides\r\n\t//{{AFX_VIRTUAL(CDetectODDlg)\r\n\tprotected:\r\n\tvirtual void DoDataExchange(CDataExchange* pDX);\t// DDX/DDV support\r\n\t//}}AFX_VIRTUAL\r\n\r\n// Implementation\r\nprotected:\r\n\tHICON m_hIcon;\r\n\r\n\t// Generated message map functions\r\n\t//{{AFX_MSG(CDetectODDlg)\r\n\tvirtual BOOL OnInitDialog();\r\n\tafx_msg void OnSysCommand(UINT nID, LPARAM lParam);\r\n\tafx_msg void OnPaint();\r\n\tafx_msg HCURSOR OnQueryDragIcon();\r\n\tafx_msg void OnWndcls();\r\n\tafx_msg void OnTest();\r\n\tafx_msg void OnIsdebuggerpresent();\r\n\tafx_msg void OnEnumwindow();\r\n\tafx_msg void OnEnumProcess();\r\n\tafx_msg void OnExplorer();\r\n\tafx_msg void OnGetTickCount();\r\n\tafx_msg void OnGetStartupInfo();\r\n\tafx_msg void OnPebflags();\r\n\tafx_msg void OnCheckremotedebuggerpresent();\r\n\tafx_msg void OnZwqueryinfomationprocess();\r\n\tafx_msg void OnSetUnhandledExceptionFilter();\r\n\tafx_msg void OnZwQueryInformationProcess();\r\n\tafx_msg void OnSeDebugPrivilege();\r\n\tafx_msg void OnNTQueryObject();\r\n\tafx_msg void OnDectectBreakpoints();\r\n\tafx_msg void OnDectectFuncBreakpoints();\r\n\tafx_msg void OnBlockInput();\r\n\tafx_msg void OnChecksum();\r\n\tafx_msg void 
OnEnableWindow();\r\n\tafx_msg void OnZwSetInformationThread();\r\n\tafx_msg void OnOutputDebugString();\r\n\tafx_msg void OnGetEntryPoint();\r\n\tafx_msg void OnButton1();\r\n\tafx_msg void OnButton2();\r\n\tafx_msg void OnTrapFlag();\r\n\tafx_msg void OnGuardPages();\r\n\tafx_msg void OnHardwarebreakpoint();\r\n\tvirtual void OnCancel();\r\n\tafx_msg void OnAbout();\r\n\tvirtual void OnOK();\r\n\tafx_msg void OnMypage2();\r\n\t//}}AFX_MSG\r\n\tDECLARE_MESSAGE_MAP()\r\n\r\n};\r\n\r\n//{{AFX_INSERT_LOCATION}}\r\n// Microsoft Visual C++ will insert additional declarations immediately before the previous line.\r\n\r\n#endif // !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/ReadMe.txt",
    "content": "========================================================================\r\n       MICROSOFT FOUNDATION CLASS LIBRARY : DetectOD\r\n========================================================================\r\n\r\n\r\nAppWizard has created this DetectOD application for you.  This application\r\nnot only demonstrates the basics of using the Microsoft Foundation classes\r\nbut is also a starting point for writing your application.\r\n\r\nThis file contains a summary of what you will find in each of the files that\r\nmake up your DetectOD application.\r\n\r\nDetectOD.dsp\r\n    This file (the project file) contains information at the project level and\r\n    is used to build a single project or subproject. Other users can share the\r\n    project (.dsp) file, but they should export the makefiles locally.\r\n\r\nDetectOD.h\r\n    This is the main header file for the application.  It includes other\r\n    project specific headers (including Resource.h) and declares the\r\n    CDetectODApp application class.\r\n\r\nDetectOD.cpp\r\n    This is the main application source file that contains the application\r\n    class CDetectODApp.\r\n\r\nDetectOD.rc\r\n    This is a listing of all of the Microsoft Windows resources that the\r\n    program uses.  It includes the icons, bitmaps, and cursors that are stored\r\n    in the RES subdirectory.  This file can be directly edited in Microsoft\r\n\tVisual C++.\r\n\r\nDetectOD.clw\r\n    This file contains information used by ClassWizard to edit existing\r\n    classes or add new classes.  ClassWizard also uses this file to store\r\n    information needed to create and edit message maps and dialog data\r\n    maps and to create prototype member functions.\r\n\r\nres\\DetectOD.ico\r\n    This is an icon file, which is used as the application's icon.  
This\r\n    icon is included by the main resource file DetectOD.rc.\r\n\r\nres\\DetectOD.rc2\r\n    This file contains resources that are not edited by Microsoft \r\n\tVisual C++.  You should place all resources not editable by\r\n\tthe resource editor in this file.\r\n\r\n\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n\r\nAppWizard creates one dialog class:\r\n\r\nDetectODDlg.h, DetectODDlg.cpp - the dialog\r\n    These files contain your CDetectODDlg class.  This class defines\r\n    the behavior of your application's main dialog.  The dialog's\r\n    template is in DetectOD.rc, which can be edited in Microsoft\r\n\tVisual C++.\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\nOther standard files:\r\n\r\nStdAfx.h, StdAfx.cpp\r\n    These files are used to build a precompiled header (PCH) file\r\n    named DetectOD.pch and a precompiled types file named StdAfx.obj.\r\n\r\nResource.h\r\n    This is the standard header file, which defines new resource IDs.\r\n    Microsoft Visual C++ reads and updates this file.\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\nOther notes:\r\n\r\nAppWizard uses \"TODO:\" to indicate parts of the source code you\r\nshould add to or customize.\r\n\r\nIf your application uses MFC in a shared DLL, and your application is \r\nin a language other than the operating system's current language, you\r\nwill need to copy the corresponding localized resources MFC42XXX.DLL\r\nfrom the Microsoft Visual C++ CD-ROM onto the system or system32 directory,\r\nand rename it to be MFCLOC.DLL.  (\"XXX\" stands for the language abbreviation.\r\nFor example, MFC42DEU.DLL contains resources translated to German.)  If you\r\ndon't do this, some of the UI elements of your application will remain in the\r\nlanguage of the operating system.\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/StdAfx.cpp",
    "content": "// stdafx.cpp : source file that includes just the standard includes\r\n//\tDetectOD.pch will be the pre-compiled header\r\n//\tstdafx.obj will contain the pre-compiled type information\r\n\r\n#include \"stdafx.h\"\r\n\r\n\r\n\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/StdAfx.h",
    "content": "// stdafx.h : include file for standard system include files,\r\n//  or project specific include files that are used frequently, but\r\n//      are changed infrequently\r\n//\r\n\r\n#if !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)\r\n#define AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_\r\n\r\n#if _MSC_VER > 1000\r\n#pragma once\r\n#endif // _MSC_VER > 1000\r\n\r\n#define VC_EXTRALEAN\t\t// Exclude rarely-used stuff from Windows headers\r\n\r\n#include <afxwin.h>         // MFC core and standard components\r\n#include <afxext.h>         // MFC extensions\r\n#include <afxdisp.h>        // MFC Automation classes\r\n#include <afxdtctl.h>\t\t// MFC support for Internet Explorer 4 Common Controls\r\n#ifndef _AFX_NO_AFXCMN_SUPPORT\r\n#include <afxcmn.h>\t\t\t// MFC support for Windows Common Controls\r\n#endif // _AFX_NO_AFXCMN_SUPPORT\r\n\r\n\r\n//{{AFX_INSERT_LOCATION}}\r\n// Microsoft Visual C++ will insert additional declarations immediately before the previous line.\r\n\r\n#endif // !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/res/DetectOD.rc2",
    "content": "//\r\n// DETECTOD.RC2 - resources Microsoft Visual C++ does not edit directly\r\n//\r\n\r\n#ifdef APSTUDIO_INVOKED\r\n\t#error this file is not editable by Microsoft Visual C++\r\n#endif //APSTUDIO_INVOKED\r\n\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n// Add manually edited resources here...\r\n\r\n/////////////////////////////////////////////////////////////////////////////\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/resource.h",
    "content": "//{{NO_DEPENDENCIES}}\r\n// Microsoft Developer Studio generated include file.\r\n// Used by DetectOD.rc\r\n//\r\n#define IDC_ABOUT                       3\r\n#define IDM_ABOUTBOX                    0x0010\r\n#define IDD_ABOUTBOX                    100\r\n#define IDS_ABOUTBOX                    101\r\n#define IDD_DETECTOD_DIALOG             102\r\n#define IDR_MAINFRAME                   128\r\n#define IDI_DOG                         129\r\n#define IDI_ICON2                       133\r\n#define IDC_WNDCLS                      1000\r\n#define IDC_ISDEBUGGERPRESENT           1002\r\n#define IDC_ENUMWINDOW                  1003\r\n#define IDC_EnumProcess                 1004\r\n#define IDC_Explorer                    1005\r\n#define IDC_GetTickCount                1006\r\n#define IDC_GetStartupInfo              1007\r\n#define IDC_PEBFLAGS                    1008\r\n#define IDC_CHECKREMOTEDEBUGGERPRESENT  1009\r\n#define IDC_ZwQueryInformationProcess   1010\r\n#define IDC_SetUnhandledExceptionFilter 1014\r\n#define IDC_MYPAGE                      1014\r\n#define IDC_SeDebugPrivilege            1015\r\n#define IDC_COMEON                      1015\r\n#define IDC_MYICON                      1016\r\n#define IDC_MYPAGE2                     1016\r\n#define IDC_NTQueryObject               1017\r\n#define IDC_DectectBreakpoints          1018\r\n#define IDC_DectectFuncBreakpoints      1019\r\n#define IDC_BlockInput                  1020\r\n#define IDC_CHECKSUM                    1021\r\n#define IDC_EnableWindow                1022\r\n#define IDC_ZwSetInformationThread      1023\r\n#define IDC_OutputDebugString           1024\r\n#define IDC_GetEntryPoint               1025\r\n#define IDC_TrapFlag                    1026\r\n#define IDC_GuardPages                  1027\r\n#define IDC_HARDWAREBREAKPOINT          1028\r\n\r\n// Next default values for new objects\r\n// \r\n#ifdef APSTUDIO_INVOKED\r\n#ifndef APSTUDIO_READONLY_SYMBOLS\r\n#define 
_APS_NEXT_RESOURCE_VALUE        134\r\n#define _APS_NEXT_COMMAND_VALUE         32771\r\n#define _APS_NEXT_CONTROL_VALUE         1017\r\n#define _APS_NEXT_SYMED_VALUE           101\r\n#endif\r\n#endif\r\n"
  },
  {
    "path": "反调试技术实例VC版/DetectOD/tlssup.c",
    "content": "// tlssup.c文件代码：\r\n#include <windows.h>\r\n#include <winnt.h>\r\n\r\nint _tls_index=0;\r\n\r\n#pragma data_seg(\".tls\")\r\nint _tls_start=0;\r\n#pragma data_seg(\".tls$ZZZ\")\r\nint _tls_end=0;\r\n#pragma data_seg(\".CRT$XLA\")\r\nint __xl_a=0;\r\n#pragma data_seg(\".CRT$XLZ\")\r\nint __xl_z=0;\r\n\r\n#pragma data_seg(\".rdata$T\")\r\n\r\nextern PIMAGE_TLS_CALLBACK my_tls_callbacktbl[];\r\n\r\nIMAGE_TLS_DIRECTORY32 _tls_used={(DWORD)&_tls_start,(DWORD)&_tls_end,(DWORD)&_tls_index,(DWORD)my_tls_callbacktbl,0,0};\r\n\r\n"
  }
]