Repository: wanttobeno/AntiDebuggers Branch: master Commit: 40c9d00a78fe Files: 26 Total size: 75.0 KB Directory structure: gitextract_ibjy7f_q/ ├── README.md ├── Round2_3_PC_Tecent 2016 题目说明.docx ├── Tencent2016D.cpp ├── Tencent2016D.h ├── Tencent2016DAPI.cpp ├── Tencent2016DAPI.h ├── Tencent2016Globle.h ├── stdafx.cpp ├── stdafx.h ├── targetver.h └── 反调试技术实例VC版/ └── DetectOD/ ├── About.cpp ├── About.h ├── DetectOD.clw ├── DetectOD.cpp ├── DetectOD.dsp ├── DetectOD.dsw ├── DetectOD.h ├── DetectOD.rc ├── DetectODDlg.cpp ├── DetectODDlg.h ├── ReadMe.txt ├── StdAfx.cpp ├── StdAfx.h ├── res/ │ └── DetectOD.rc2 ├── resource.h └── tlssup.c ================================================ FILE CONTENTS ================================================ ================================================ FILE: README.md ================================================ ### 反调试技术总结 反调试就是检测有没有被调试器调试,比如OllyDbg,IDA,WinDbg等。 参考资料:[houjingyi ](https://bbs.pediy.com/thread-225735.htm) 代码: [GitHub](https://github.com/houjingyi233/test-debug) [Tencent2016D.cpp](./Tencent2016D.cpp) 中实现了30种检测调试器的方法,非常的精彩给力 -- 30 Ways to anti-debugging on PC.For more information:http://blog.csdn.net/qq_32400847/article/details/52798050 ##### 截图 ![snatshot.png](snatshot.png) ##### 虚拟机检测 [AntiVirtualMachine](https://github.com/wanttobeno/AntiVirtualMachine) ##### 保护自己的程序不被破解 [DllProtect](https://github.com/wanttobeno/DllProtect) ##### 各种反调试技术原理与实例 VC版 帖子:[各种反调试技术原理与实例 VC版](https://bbs.pediy.com/thread-114767.htm) [各种反调试技术原理与实例VC版.pdf](./反调试技术实例VC版/各种反调试技术原理与实例VC版.pdf) ![Snatshot.png](./反调试技术实例VC版/282401_i4gdy3hacnzffml.jpg) ```c++ void CDetectODDlg::OnExplorer() { // TODO: Add your control notification handler code here HANDLE hwnd; PROCESSENTRY32 tp32; //结构体 CString str="Explorer.EXE"; DWORD ExplorerID; DWORD SelfID; DWORD SelfParentID; SelfID=GetCurrentProcessId(); ::GetWindowThreadProcessId(::FindWindow("Progman",NULL),&ExplorerID); hwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); 
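if(INVALID_HANDLE_VALUE!=hwnd)
{
    Process32First(hwnd,&tp32);
    do{
        if(0==lstrcmp(str,tp32.szExeFile))
        {
            // ExplorerID=tp32.th32ProcessID;
            // AfxMessageBox("aaa");
        }
        if(SelfID==tp32.th32ProcessID)
        {
            SelfParentID=tp32.th32ParentProcessID;
        }
    }while(Process32Next(hwnd,&tp32));
    str.Format("本进程:%d 父进程:%d Explorer进程: %d ",SelfID,SelfParentID,ExplorerID);
    MessageBox(str);
    if(ExplorerID==SelfParentID)
    {
        AfxMessageBox("没有OD");
    }
    else
    {
        AfxMessageBox("发现OD");
    }
}
CloseHandle(hwnd);
}
```

================================================
FILE: Tencent2016D.cpp
================================================
// Tencent2016D.cpp : DLL entry point and the 30 debugger-detection checks
// written for the Tencent 2016 CTF (round 2/3, PC track).
//
// Build assumptions that the compiler does not enforce:
//   * x86 only: MSVC inline __asm, FS:[30h] PEB access and the 32-bit
//     PROCESS_BASIC_INFORMATION layout in Tencent2016Globle.h.
//   * MBCS (non-UNICODE) build: every string API used is the ANSI variant.
//
// Each CheckDebugN() returns TRUE when it believes a debugger is present and
// FALSE otherwise. None of them is conclusive on its own; the known sources of
// false positives are noted on each function so callers can weigh them.

#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>
#include "Tencent2016D.h"
#include "Tencent2016DAPI.h"
#include "Tencent2016Globle.h"

using namespace std;

// The DLL keeps no state; every exported check is self-contained.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// 1. PEB->BeingDebugged via the documented wrapper.
BOOL CheckDebug1()
{
    return IsDebuggerPresent();
}

// 2. Kernel-side debug-port query via the documented wrapper.
BOOL CheckDebug2()
{
    BOOL present = FALSE;
    // On failure CheckRemoteDebuggerPresent leaves the out-parameter untouched;
    // the original returned an uninitialised BOOL in that case.
    if (!CheckRemoteDebuggerPresent(GetCurrentProcess(), &present)) {
        return FALSE;
    }
    return present;
}

// 3. NtQueryInformationProcess(ProcessDebugPort): non-zero while a user-mode
//    debugger is attached. ntdll is always mapped, so GetModuleHandle replaces
//    the original LoadLibrary (which leaked one module reference per call).
BOOL CheckDebug3()
{
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL) {
        return FALSE;
    }
    NtQueryInformationProcessPtr pNtQueryInformationProcess =
        (NtQueryInformationProcessPtr)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (pNtQueryInformationProcess == NULL) {
        return FALSE;
    }
    const DWORD kProcessDebugPort = 7;  // PROCESSINFOCLASS value
    DWORD_PTR debugPort = 0;            // the kernel writes a pointer-sized value
    if (pNtQueryInformationProcess(GetCurrentProcess(), kProcessDebugPort,
                                   &debugPort, sizeof(debugPort), NULL) != 0) {
        MessageBox(NULL, "[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess failed", "error", MB_OK);
        return FALSE;
    }
    return debugPort != 0;
}

// 4. OutputDebugString last-error trick: with no debugger attached the call
//    fails and overwrites the last error; with one attached it succeeds and the
//    sentinel survives.
//    NOTE(review): widely reported as unreliable on Vista and later, where the
//    last-error behaviour changed -- confirm on the target OS before trusting it.
BOOL CheckDebug4()
{
    const DWORD errorValue = 12345;
    SetLastError(errorValue);
    OutputDebugString("Test for debugger!");
    return GetLastError() == errorValue;
}

// 5. DeleteFiber on an address that is not a fiber is expected to fail with
//    ERROR_INVALID_PARAMETER (0x57); a different outcome is taken as a debugger.
//    NOTE(review): this is outside DeleteFiber's documented contract; the check
//    depends entirely on the parameter validation failing.
BOOL CheckDebug5()
{
    char fib[1024] = { 0 };
    // Clear any stale error first so the verdict reflects only this call.
    SetLastError(0);
    DeleteFiber(fib);
    return GetLastError() != ERROR_INVALID_PARAMETER;
}

// 6. CloseHandle on a bogus handle. Without a debugger it simply fails with
//    ERROR_INVALID_HANDLE; with one attached ntdll raises STATUS_INVALID_HANDLE
//    instead. The original had no handler, so that exception would have gone to
//    the host's unhandled-exception path.
BOOL CheckDebug6()
{
    __try {
        BOOL ok = CloseHandle((HANDLE)0x1234);
        if (ok != 0 || GetLastError() != ERROR_INVALID_HANDLE) {
            return TRUE;
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return TRUE;  // exception is only raised while being debugged
    }
    return FALSE;
}

// 7. Same idea as #6 for a window handle; anything other than the expected
//    ERROR_INVALID_WINDOW_HANDLE failure is reported.
BOOL CheckDebug7()
{
    BOOL ok = CloseWindow((HWND)0x1234);
    if (ok != 0 || GetLastError() != ERROR_INVALID_WINDOW_HANDLE) {
        return TRUE;
    }
    return FALSE;
}

// 8. PEB->BeingDebugged read directly (PEB at FS:[30h], flag at offset 2).
BOOL CheckDebug8()
{
    char result = 0;
    __asm {
        mov eax, fs:[30h]
        mov al, BYTE PTR[eax + 2]
        mov result, al
    }
    return result != 0;
}

// 9. ProcessHeap->ForceFlags: zero for a normally started process. The offset
//    moved between XP/2003 (0x10) and Vista+ (0x44) for the 32-bit heap layout.
//    NOTE(review): GetVersion is subject to manifest-based version lying on
//    newer Windows; the XP branch is chosen only when the major version is 5.
BOOL CheckDebug9()
{
    int result = 0;
    DWORD dwVersion = GetVersion();
    DWORD dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
    if (dwWindowsMajorVersion == 5) {
        __asm {
            mov eax, fs:[30h]
            mov eax, [eax + 18h]
            mov eax, [eax + 10h]
            mov result, eax
        }
    } else {
        __asm {
            mov eax, fs:[30h]
            mov eax, [eax + 18h]
            mov eax, [eax + 44h]
            mov result, eax
        }
    }
    return result != 0;
}

// 10. ProcessHeap->Flags: HEAP_GROWABLE (2) alone for a normal process; a
//     debugger-created heap carries extra validation bits. Offsets 0x0C (XP)
//     and 0x40 (Vista+) for the 32-bit heap layout.
BOOL CheckDebug10()
{
    int result = 0;
    DWORD dwVersion = GetVersion();
    DWORD dwWindowsMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
    if (dwWindowsMajorVersion == 5) {
        __asm {
            mov eax, fs:[30h]
            mov eax, [eax + 18h]
            mov eax, [eax + 0ch]
            mov result, eax
        }
    } else {
        __asm {
            mov eax, fs:[30h]
            mov eax, [eax + 18h]
            mov eax, [eax + 40h]
            mov result, eax
        }
    }
    return result != 2;
}

// 11. PEB->NtGlobalFlag (offset 0x68): the three heap-debugging bits (0x70)
//     are set when the process was created by a debugger.
BOOL CheckDebug11()
{
    int result = 0;
    __asm {
        mov eax, fs:[30h]
        mov eax, [eax + 68h]
        and eax, 0x70
        mov result, eax
    }
    return result != 0;
}

// Reads HKLM\...\AeDebug\Debugger from the registry view selected by viewFlag
// (0 = the process's default view, KEY_WOW64_64KEY = native 64-bit view) and
// reports whether it names one of the known debuggers.
static BOOL AeDebugDebuggerMatches(REGSAM viewFlag)
{
    static const char kAeDebugPath[] = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
    HKEY hkey = NULL;
    // Read-only open: the original used RegCreateKeyA, which creates the key
    // when it is missing and needs write access to HKLM.
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, kAeDebugPath, 0, KEY_QUERY_VALUE | viewFlag, &hkey) != ERROR_SUCCESS) {
        return FALSE;
    }
    char value[256] = { 0 };
    DWORD type = 0;
    DWORD len = sizeof(value) - 1;  // always leave room for a terminator
    LONG ret = RegQueryValueExA(hkey, "Debugger", NULL, &type, (LPBYTE)value, &len);
    RegCloseKey(hkey);              // the original never closed the key
    // The original ran strstr over the buffer even when the query failed.
    if (ret != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        return FALSE;
    }
    value[sizeof(value) - 1] = '\0';
    return strstr(value, "OllyIce") != NULL || strstr(value, "OllyDBG") != NULL
        || strstr(value, "WinDbg") != NULL || strstr(value, "x64dbg") != NULL
        || strstr(value, "Immunity") != NULL;
}

// 12. Registered JIT (post-mortem) debugger in AeDebug. A 32-bit process is
//     redirected to the Wow6432Node view automatically; on a 64-bit OS the
//     native view is consulted as well, since that is where a 64-bit debugger
//     registers itself. The original's 64-bit path misspelt "Windows NT" and,
//     combined with RegCreateKeyA, created a bogus key when run elevated.
BOOL CheckDebug12()
{
    BOOL is_wow64 = FALSE;
    IsWow64Process(GetCurrentProcess(), &is_wow64);
    if (AeDebugDebuggerMatches(0)) {
        return TRUE;
    }
    return is_wow64 ? AeDebugDebuggerMatches(KEY_WOW64_64KEY) : FALSE;
}

// 13. Top-level window classes used by OllyDbg and WinDbg.
//     NOTE(review): "QWidget" is the generic Qt window class, so any Qt
//     application on the desktop -- not just x64dbg -- trips this check.
BOOL CheckDebug13()
{
    if (FindWindowA("OLLYDBG", NULL) != NULL
        || FindWindowA("WinDbgFrameClass", NULL) != NULL
        || FindWindowA("QWidget", NULL) != NULL) {
        return TRUE;
    }
    return FALSE;
}

// 14. Scans every top-level window title for debugger names (EnumWndProc lives
//     in Tencent2016DAPI.cpp and sets *ret on a match).
BOOL CheckDebug14()
{
    BOOL ret = FALSE;
    EnumWindows(EnumWndProc, (LPARAM)&ret);
    return ret;
}

// 15. Same title match as #14, but only for the foreground window.
BOOL CheckDebug15()
{
    char fore_window[1024] = { 0 };
    // GetForegroundWindow can return NULL and GetWindowTextA then fails without
    // writing anything; the original ran strstr over uninitialised stack.
    if (GetWindowTextA(GetForegroundWindow(), fore_window, sizeof(fore_window) - 1) == 0) {
        return FALSE;
    }
    return strstr(fore_window, "WinDbg") != NULL
        || strstr(fore_window, "x64_dbg") != NULL
        || strstr(fore_window, "OllyICE") != NULL
        || strstr(fore_window, "OllyDBG") != NULL
        || strstr(fore_window, "Immunity") != NULL;
}

// 16. Process-name scan for well-known debugger executables. A running
//     debugger does not have to be attached to us, so this is a weak signal.
BOOL CheckDebug16()
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    BOOL found = FALSE;
    for (BOOL more = Process32First(hProcessSnap, &pe32); more && !found;
         more = Process32Next(hProcessSnap, &pe32)) {
        found = stricmp(pe32.szExeFile, "OllyDBG.EXE") == 0
             || stricmp(pe32.szExeFile, "OllyICE.exe") == 0
             || stricmp(pe32.szExeFile, "x64_dbg.exe") == 0
             || stricmp(pe32.szExeFile, "windbg.exe") == 0
             || stricmp(pe32.szExeFile, "ImmunityDebugger.exe") == 0;
    }
    CloseHandle(hProcessSnap);  // the original returned TRUE without closing it
    return found;
}

// Locates the first section (normally .text) of the process's main executable.
// GetModuleHandle(NULL) is the host EXE, not this DLL, so checks 17 and 19 scan
// the caller's code. Returns FALSE when the headers do not look like a PE image.
static BOOL FirstSectionOfHostImage(DWORD* pAddr, DWORD* pSize)
{
    DWORD dwBaseImage = (DWORD)GetModuleHandle(NULL);
    if (dwBaseImage == 0) {
        return FALSE;
    }
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)dwBaseImage;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return FALSE;
    }
    PIMAGE_NT_HEADERS32 pNtHeaders = (PIMAGE_NT_HEADERS32)(dwBaseImage + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE || pNtHeaders->FileHeader.NumberOfSections == 0) {
        return FALSE;
    }
    // Same arithmetic as the original (Signature + FILE_HEADER + SizeOfOptionalHeader).
    PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
    *pAddr = dwBaseImage + pSectionHeader->VirtualAddress;
    // Kept from the original: SizeOfRawData is the on-disk size and may run
    // past Misc.VirtualSize into alignment padding.
    *pSize = pSectionHeader->SizeOfRawData;
    return TRUE;
}

// 17. Looks for a software breakpoint (0xCC) anywhere in the host's first
//     section.
//     NOTE(review): MSVC commonly pads between functions with 0xCC (int 3), so
//     an undebugged image can trip this -- confirm against the target build.
BOOL CheckDebug17()
{
    DWORD dwAddr = 0;
    DWORD dwCodeSize = 0;
    if (!FirstSectionOfHostImage(&dwAddr, &dwCodeSize) || dwCodeSize == 0) {
        return FALSE;  // with ecx == 0 repne scasb runs zero times and ZF is stale
    }
    BOOL Found = FALSE;
    __asm {
        cld
        mov edi, dwAddr
        mov ecx, dwCodeSize
        mov al, 0CCH
        repne scasb
        jnz NotFound
        mov Found, 1
        NotFound:
    }
    return Found;
}

// 18. Hardware breakpoints: any non-zero DR0..DR3 in the current thread.
BOOL CheckDebug18()
{
    CONTEXT context;
    ZeroMemory(&context, sizeof(context));
    context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    // The original ignored the return value and read whatever was on the stack.
    if (!GetThreadContext(GetCurrentThread(), &context)) {
        return FALSE;
    }
    return context.Dr0 != 0 || context.Dr1 != 0 || context.Dr2 != 0 || context.Dr3 != 0;
}

// 19. Rotating-add checksum of the host's first section compared with a
//     hard-coded constant.
//     NOTE(review): 0x46ea24 is specific to one build of the CTF binary and
//     the function returns TRUE when the checksum EQUALS it, i.e. the constant
//     is presumably the value observed under the debugger. Recompute it (and
//     confirm the polarity) before using this anywhere else.
BOOL CheckDebug19()
{
    DWORD dwAddr = 0;
    DWORD dwCodeSize = 0;
    if (!FirstSectionOfHostImage(&dwAddr, &dwCodeSize) || dwCodeSize == 0) {
        return FALSE;  // `loop` with ecx == 0 would iterate 2^32 times
    }
    DWORD checksum = 0;
    __asm {
        cld
        mov esi, dwAddr
        mov ecx, dwCodeSize
        xor eax, eax
        checksum_loop :
        movzx ebx, byte ptr[esi]
        add eax, ebx
        rol eax, 1
        inc esi
        loop checksum_loop
        mov checksum, eax
    }
    if (checksum != 0x46ea24) {
        return FALSE;
    }
    return TRUE;
}

// 20. Two back-to-back RDTSC reads; a gap of 0xff cycles or more is taken as
//     single-stepping. Only the low 32 bits are compared (unsigned wrap is fine).
//     NOTE(review): a context switch or a VM exit between the two reads
//     produces the same gap.
BOOL CheckDebug20()
{
    DWORD time1, time2;
    __asm {
        rdtsc
        mov time1, eax
        rdtsc
        mov time2, eax
    }
    if (time2 - time1 < 0xff) {
        return FALSE;
    }
    return TRUE;
}

// 21. Wall-clock version of #20 around a no-op asm block; more than 0x1A ms
//     between the two GetTickCount calls is taken as single-stepping.
//     NOTE(review): GetTickCount's documented resolution is 10-16 ms, so one
//     tick boundary plus a pre-emption can exceed the threshold on its own.
BOOL CheckDebug21()
{
    DWORD time1 = GetTickCount();
    __asm {
        mov ecx, 10
        mov edx, 6
        mov ecx, 10
    }
    DWORD time2 = GetTickCount();
    if (time2 - time1 > 0x1A) {
        return TRUE;
    }
    return FALSE;
}

// 22. Parent-process check: a process launched from a debugger has the debugger,
//     not explorer.exe, as its parent. Anything started from a console, the
//     task scheduler, a service or an installer fails this too (weak signal).
BOOL CheckDebug22()
{
    HMODULE hNtdll = GetModuleHandleA("ntdll");
    if (hNtdll == NULL) {
        return FALSE;
    }
    PNTQUERYINFORMATIONPROCESS pNtQueryInformationProcess =
        (PNTQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (pNtQueryInformationProcess == NULL) {
        return FALSE;
    }
    // The original passed SystemBasicInformation (a SYSTEM_INFORMATION_CLASS);
    // it only worked because both enumerations start at 0.
    const UINT kProcessBasicInformation = 0;
    PROCESS_BASIC_INFORMATION pbi;
    ZeroMemory(&pbi, sizeof(pbi));
    // The pseudo-handle has full access to the calling process, so there is no
    // OpenProcess handle to leak (the original never closed its own).
    LONG status = pNtQueryInformationProcess(GetCurrentProcess(), kProcessBasicInformation,
                                             &pbi, sizeof(pbi), NULL);
    if (status != 0) {
        return FALSE;
    }
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    // Parent already gone (not in the snapshot): treated as "no debugger". The
    // original fell off the end of the function in that case.
    BOOL result = FALSE;
    for (BOOL more = Process32First(hProcessSnap, &pe32); more;
         more = Process32Next(hProcessSnap, &pe32)) {
        if (pe32.th32ProcessID == pbi.InheritedFromUniqueProcessId) {
            result = stricmp(pe32.szExeFile, "explorer.exe") != 0;
            break;
        }
    }
    CloseHandle(hProcessSnap);
    return result;
}

// 23. Debuggers usually fill in the window-placement fields of STARTUPINFO when
//     they create the debuggee; a shell launch leaves them zero.
//     NOTE(review): shortcuts or any CreateProcess caller using
//     STARTF_USEPOSITION/USESIZE produce the same result.
BOOL CheckDebug23()
{
    STARTUPINFO si;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    GetStartupInfo(&si);
    if (si.dwX != 0 || si.dwY != 0 || si.dwFillAttribute != 0
        || si.dwXSize != 0 || si.dwYSize != 0
        || si.dwXCountChars != 0 || si.dwYCountChars != 0) {
        return TRUE;
    }
    return FALSE;
}

// 24. Opening csrss.exe needs SeDebugPrivilege enabled in our token, which a
//     debuggee inherits from a debugger that enabled it. Any process already
//     running with that privilege enabled (e.g. as SYSTEM) also passes.
BOOL CheckDebug24()
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    // The original left this uninitialised when csrss.exe was not found and
    // used a case-sensitive compare, unlike every other name match here.
    DWORD csrssId = 0;
    for (BOOL more = Process32First(hProcessSnap, &pe32); more;
         more = Process32Next(hProcessSnap, &pe32)) {
        if (stricmp(pe32.szExeFile, "csrss.exe") == 0) {
            csrssId = pe32.th32ProcessID;  // first instance wins, as before
            break;
        }
    }
    CloseHandle(hProcessSnap);
    if (csrssId == 0) {
        return FALSE;
    }
    HANDLE hCsrss = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, csrssId);
    if (hCsrss == NULL) {
        return FALSE;
    }
    CloseHandle(hCsrss);  // the original leaked this handle
    return TRUE;
}

// 25-29: software-exception traps. Each raises an exception the process
// handles itself; a debugger that swallows it (first chance) keeps the
// __except block from running, which is reported as TRUE.

// 25. INT 3 (0xCC).
BOOL CheckDebug25()
{
    __try {
        __asm int 3
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }
    return TRUE;
}

// 26. Two-byte INT 3 encoding (CD 03), which some debuggers treat differently.
BOOL CheckDebug26()
{
    __try {
        __asm {
            __emit 0xCD
            __emit 0x03
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }
    return TRUE;
}

// 27. INT 2D (kernel debug service).
BOOL CheckDebug27()
{
    __try {
        __asm int 0x2d
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }
    return TRUE;
}

// 28. ICEBP (0xF1), which raises a single-step exception.
BOOL CheckDebug28()
{
    __try {
        __asm __emit 0xF1
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }
    return TRUE;
}

// 29. Sets the trap flag in EFLAGS so the following instruction single-steps.
BOOL CheckDebug29()
{
    __try {
        __asm {
            pushfd
            or word ptr[esp], 0x100
            popfd
            nop
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }
    return TRUE;
}

// 30. DBG_RIPEXCEPTION is consumed by debuggers; see TestExceptionCode.
BOOL CheckDebug30()
{
    return TestExceptionCode(DBG_RIPEXCEPTION);
}

================================================
FILE: Tencent2016D.h
================================================
#pragma once
#include <windows.h>

// Undecorated exports. Each check returns TRUE when it believes a debugger is
// present; see Tencent2016D.cpp for what each one tests and its caveats.
extern "C" BOOL _declspec(dllexport) CheckDebug1();
extern "C" BOOL _declspec(dllexport) CheckDebug2();
extern "C" BOOL _declspec(dllexport) CheckDebug3();
extern "C" BOOL _declspec(dllexport) CheckDebug4();
extern "C" BOOL _declspec(dllexport) CheckDebug5();
extern "C" BOOL _declspec(dllexport) CheckDebug6();
extern "C" BOOL _declspec(dllexport) CheckDebug7();
extern "C" BOOL _declspec(dllexport) CheckDebug8();
extern "C" BOOL _declspec(dllexport) CheckDebug9();
extern "C" BOOL _declspec(dllexport) CheckDebug10();
extern "C" BOOL _declspec(dllexport) CheckDebug11();
extern "C" BOOL _declspec(dllexport) CheckDebug12();
extern "C" BOOL _declspec(dllexport) CheckDebug13();
extern "C" BOOL _declspec(dllexport) CheckDebug14();
extern "C" BOOL _declspec(dllexport) CheckDebug15();
extern "C" BOOL _declspec(dllexport) CheckDebug16();
extern "C" BOOL _declspec(dllexport) CheckDebug17();
extern "C" BOOL _declspec(dllexport) CheckDebug18();
extern "C" BOOL _declspec(dllexport) CheckDebug19();
extern "C" BOOL _declspec(dllexport) CheckDebug20();
extern "C" BOOL _declspec(dllexport) CheckDebug21();
extern "C" BOOL _declspec(dllexport) CheckDebug22();
extern "C" BOOL _declspec(dllexport) CheckDebug23();
extern "C" BOOL _declspec(dllexport) CheckDebug24();
extern "C" BOOL _declspec(dllexport) CheckDebug25();
extern "C" BOOL _declspec(dllexport) CheckDebug26();
extern "C" BOOL _declspec(dllexport) CheckDebug27();
extern "C" BOOL _declspec(dllexport) CheckDebug28();
extern "C" BOOL _declspec(dllexport) CheckDebug29();
extern "C" BOOL _declspec(dllexport) CheckDebug30();

================================================
FILE: Tencent2016DAPI.cpp
================================================
#include "stdafx.h"
#include <windows.h>
#include <string.h>

BOOL CALLBACK EnumWndProc(HWND hwnd,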
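LPARAM lParam)
{
    // EnumWindows callback for CheckDebug14: lParam points at the caller's
    // BOOL, which is set when a top-level window title names a debugger.
    char cur_window[1024] = { 0 };
    // GetWindowTextA returns 0 and writes nothing when the window has no title
    // or its text cannot be read; the original then ran strstr over
    // uninitialised stack memory.
    if (GetWindowTextA(hwnd, cur_window, sizeof(cur_window) - 1) == 0) {
        return TRUE;  // keep enumerating
    }
    if (strstr(cur_window, "WinDbg") != NULL
        || strstr(cur_window, "x64_dbg") != NULL
        || strstr(cur_window, "OllyICE") != NULL
        || strstr(cur_window, "OllyDBG") != NULL
        || strstr(cur_window, "Immunity") != NULL) {
        *((BOOL*)lParam) = TRUE;
        return FALSE;  // match found: no need to visit the remaining windows
    }
    return TRUE;
}

// Raises dwCode and reports whether the process saw it. A debugger that
// consumes the exception on first chance (as debuggers do for
// DBG_RIPEXCEPTION) keeps the __except block from running -> TRUE.
BOOL CALLBACK TestExceptionCode(DWORD dwCode)
{
    __try {
        RaiseException(dwCode, 0, 0, NULL);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return FALSE;
    }
    return TRUE;
}

================================================
FILE: Tencent2016DAPI.h
================================================
#pragma once
#include <windows.h>

extern BOOL CALLBACK TestExceptionCode(DWORD dwCode);
extern BOOL CALLBACK EnumWndProc(HWND hwnd, LPARAM lParam);

================================================
FILE: Tencent2016Globle.h
================================================
#pragma once
#include <windows.h>

// Hand-rolled ntdll definitions. winternl.h is deliberately not included: its
// PROCESS_BASIC_INFORMATION would clash with the one declared below.

// NtQueryInformationProcess actually returns NTSTATUS (a LONG). Callers only
// test for non-zero, so the DWORD return type is harmless.
typedef DWORD (WINAPI *NtQueryInformationProcessPtr)(
    HANDLE processHandle,
    DWORD processInformationClass,
    PVOID processInformation,
    ULONG processInformationLength,
    PULONG returnLength);

// SYSTEM_INFORMATION_CLASS values for NtQuerySystemInformation. These are NOT
// PROCESSINFOCLASS values: ProcessBasicInformation also happens to be 0, which
// is the only reason code that passed SystemBasicInformation to
// NtQueryInformationProcess ever worked.
typedef enum enumSYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
} SYSTEM_INFORMATION_CLASS;

// 32-bit layout only: PebBaseAddress and AffinityMask are pointer-sized in the
// real structure. The DLL is x86-only (inline __asm throughout), so this
// matches, but the struct must not be reused in a 64-bit build.
typedef struct tagPROCESS_BASIC_INFORMATION {
    DWORD ExitStatus;
    DWORD PebBaseAddress;
    DWORD AffinityMask;
    DWORD BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;

typedef LONG (WINAPI *PNTQUERYINFORMATIONPROCESS)(HANDLE, UINT, PVOID, ULONG, PULONG);

================================================
FILE: stdafx.cpp
================================================
// stdafx.cpp : source file that includes just the standard includes.
// Tencent2016D.pch will be the pre-compiled header;
// stdafx.obj will contain the pre-compiled type information.

#include "stdafx.h"

// TODO: reference any additional headers you need in STDAFX.H
// and not in this file.

================================================
FILE: stdafx.h
================================================
// stdafx.h : include file for standard system include files, or project
// specific include files that are used frequently but changed infrequently.

#pragma once

#include "targetver.h"

#define WIN32_LEAN_AND_MEAN  // Exclude rarely-used material from Windows headers
// Windows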
ͷļ: #include // TODO: ڴ˴óҪͷļ ================================================ FILE: targetver.h ================================================ #pragma once // SDKDDKVer.h õ߰汾 Windows ƽ̨ // ҪΪǰ Windows ƽ̨Ӧó WinSDKVer.h // WIN32_WINNT ΪҪֵ֧ƽ̨Ȼٰ SDKDDKVer.h #include ================================================ FILE: 反调试技术实例VC版/DetectOD/About.cpp ================================================ // About.cpp : implementation file // #include "stdafx.h" #include "DetectOD.h" #include "About.h" #ifdef _DEBUG #define new DEBUG_NEW #undef THIS_FILE static char THIS_FILE[] = __FILE__; #endif ///////////////////////////////////////////////////////////////////////////// // CAbout dialog CAbout::CAbout(CWnd* pParent /*=NULL*/) : CDialog(CAbout::IDD, pParent) { //{{AFX_DATA_INIT(CAbout) // NOTE: the ClassWizard will add member initialization here //}}AFX_DATA_INIT } void CAbout::DoDataExchange(CDataExchange* pDX) { CDialog::DoDataExchange(pDX); //{{AFX_DATA_MAP(CAbout) // NOTE: the ClassWizard will add DDX and DDV calls here //}}AFX_DATA_MAP } BEGIN_MESSAGE_MAP(CAbout, CDialog) //{{AFX_MSG_MAP(CAbout) // NOTE: the ClassWizard will add message map macros here //}}AFX_MSG_MAP END_MESSAGE_MAP() ///////////////////////////////////////////////////////////////////////////// // CAbout message handlers ================================================ FILE: 反调试技术实例VC版/DetectOD/About.h ================================================ #if !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_) #define AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_ #if _MSC_VER > 1000 #pragma once #endif // _MSC_VER > 1000 // About.h : header file // ///////////////////////////////////////////////////////////////////////////// // CAbout dialog class CAbout : public CDialog { // Construction public: CAbout(CWnd* pParent = NULL); // standard constructor // Dialog Data //{{AFX_DATA(CAbout) enum { IDD = IDD_DETECTOD_DIALOG }; // NOTE: the ClassWizard will add data members here 
//}}AFX_DATA // Overrides // ClassWizard generated virtual function overrides //{{AFX_VIRTUAL(CAbout) protected: virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support //}}AFX_VIRTUAL // Implementation protected: // Generated message map functions //{{AFX_MSG(CAbout) // NOTE: the ClassWizard will add member functions here //}}AFX_MSG DECLARE_MESSAGE_MAP() }; //{{AFX_INSERT_LOCATION}} // Microsoft Visual C++ will insert additional declarations immediately before the previous line. #endif // !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_) ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectOD.clw ================================================ ; CLW file contains information for the MFC ClassWizard [General Info] Version=1 LastClass=CAboutDlg LastTemplate=CDialog NewFileInclude1=#include "stdafx.h" NewFileInclude2=#include "DetectOD.h" ClassCount=4 Class1=CDetectODApp Class2=CDetectODDlg Class3=CAboutDlg ResourceCount=3 Resource1=IDR_MAINFRAME Resource2=IDD_ABOUTBOX Class4=CAbout Resource3=IDD_DETECTOD_DIALOG [CLS:CDetectODApp] Type=0 HeaderFile=DetectOD.h ImplementationFile=DetectOD.cpp Filter=N [CLS:CDetectODDlg] Type=0 HeaderFile=DetectODDlg.h ImplementationFile=DetectODDlg.cpp Filter=D BaseClass=CDialog VirtualFilter=dWC LastObject=CDetectODDlg [CLS:CAboutDlg] Type=0 HeaderFile=DetectODDlg.h ImplementationFile=DetectODDlg.cpp Filter=D BaseClass=CDialog VirtualFilter=dWC LastObject=CAboutDlg [DLG:IDD_ABOUTBOX] Type=1 Class=CAboutDlg ControlCount=4 Control1=IDC_MYICON,static,1342177539 Control2=IDC_COMEON,static,1342177536 Control3=IDOK,button,1342373889 Control4=IDC_MYPAGE,static,1342308609 [DLG:IDD_DETECTOD_DIALOG] Type=1 Class=CAbout ControlCount=27 Control1=IDOK,button,1342242817 Control2=IDC_WNDCLS,button,1342242816 Control3=IDC_ISDEBUGGERPRESENT,button,1342242816 Control4=IDC_ENUMWINDOW,button,1342242816 Control5=IDC_EnumProcess,button,1342242816 Control6=IDC_Explorer,button,1342242816 
Control7=IDC_GetTickCount,button,1342242816 Control8=IDC_GetStartupInfo,button,1342242816 Control9=IDC_PEBFLAGS,button,1342242816 Control10=IDC_CHECKREMOTEDEBUGGERPRESENT,button,1342242816 Control11=IDC_ZwQueryInformationProcess,button,1342242816 Control12=IDC_SetUnhandledExceptionFilter,button,1342242816 Control13=IDC_SeDebugPrivilege,button,1342242816 Control14=IDC_NTQueryObject,button,1342242816 Control15=IDC_DectectBreakpoints,button,1342242816 Control16=IDC_DectectFuncBreakpoints,button,1342242816 Control17=IDC_BlockInput,button,1342242816 Control18=IDC_CHECKSUM,button,1342242816 Control19=IDC_EnableWindow,button,1342242816 Control20=IDC_ZwSetInformationThread,button,1342242816 Control21=IDC_OutputDebugString,button,1342242816 Control22=IDC_GetEntryPoint,button,1342242816 Control23=IDC_TrapFlag,button,1342242816 Control24=IDC_GuardPages,button,1342242816 Control25=IDC_HARDWAREBREAKPOINT,button,1342242816 Control26=IDC_ABOUT,button,1342242816 Control27=IDC_MYPAGE2,static,1342308609 [CLS:CAbout] Type=0 HeaderFile=About.h ImplementationFile=About.cpp BaseClass=CDialog Filter=D LastObject=CAbout ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectOD.cpp ================================================ // DetectOD.cpp : Defines the class behaviors for the application. // #include "stdafx.h" #include "DetectOD.h" #include "DetectODDlg.h" #ifdef _DEBUG #define new DEBUG_NEW #undef THIS_FILE static char THIS_FILE[] = __FILE__; #endif ///////////////////////////////////////////////////////////////////////////// // CDetectODApp BEGIN_MESSAGE_MAP(CDetectODApp, CWinApp) //{{AFX_MSG_MAP(CDetectODApp) // NOTE - the ClassWizard will add and remove mapping macros here. // DO NOT EDIT what you see in these blocks of generated code! 
//}}AFX_MSG ON_COMMAND(ID_HELP, CWinApp::OnHelp) END_MESSAGE_MAP() ///////////////////////////////////////////////////////////////////////////// // CDetectODApp construction CDetectODApp::CDetectODApp() { // TODO: add construction code here, // Place all significant initialization in InitInstance } ///////////////////////////////////////////////////////////////////////////// // The one and only CDetectODApp object CDetectODApp theApp; ///////////////////////////////////////////////////////////////////////////// // CDetectODApp initialization BOOL CDetectODApp::InitInstance() { AfxEnableControlContainer(); // Standard initialization // If you are not using these features and wish to reduce the size // of your final executable, you should remove from the following // the specific initialization routines you do not need. #ifdef _AFXDLL Enable3dControls(); // Call this when using MFC in a shared DLL #else Enable3dControlsStatic(); // Call this when linking to MFC statically #endif CDetectODDlg dlg; m_pMainWnd = &dlg; int nResponse = dlg.DoModal(); if (nResponse == IDOK) { // TODO: Place code here to handle when the dialog is // dismissed with OK } else if (nResponse == IDCANCEL) { // TODO: Place code here to handle when the dialog is // dismissed with Cancel } // Since the dialog has been closed, return FALSE so that we exit the // application, rather than start the application's message pump. return FALSE; } ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectOD.dsp ================================================ # Microsoft Developer Studio Project File - Name="DetectOD" - Package Owner=<4> # Microsoft Developer Studio Generated Build File, Format Version 6.00 # ** DO NOT EDIT ** # TARGTYPE "Win32 (x86) Application" 0x0101 CFG=DetectOD - Win32 Debug !MESSAGE This is not a valid makefile. To build this project using NMAKE, !MESSAGE use the Export Makefile command and run !MESSAGE !MESSAGE NMAKE /f "DetectOD.mak". 
!MESSAGE !MESSAGE You can specify a configuration when running NMAKE !MESSAGE by defining the macro CFG on the command line. For example: !MESSAGE !MESSAGE NMAKE /f "DetectOD.mak" CFG="DetectOD - Win32 Debug" !MESSAGE !MESSAGE Possible choices for configuration are: !MESSAGE !MESSAGE "DetectOD - Win32 Release" (based on "Win32 (x86) Application") !MESSAGE "DetectOD - Win32 Debug" (based on "Win32 (x86) Application") !MESSAGE # Begin Project # PROP AllowPerConfigDependencies 0 # PROP Scc_ProjName "" # PROP Scc_LocalPath "" CPP=cl.exe MTL=midl.exe RSC=rc.exe !IF "$(CFG)" == "DetectOD - Win32 Release" # PROP BASE Use_MFC 6 # PROP BASE Use_Debug_Libraries 0 # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" # PROP Use_MFC 6 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Target_Dir "" # ADD BASE CPP /nologo /MD /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_AFXDLL" /Yu"stdafx.h" /FD /c # ADD CPP /nologo /MD /W3 /GX /Od /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_AFXDLL" /D "_MBCS" /Yu"stdafx.h" /FD /c # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x804 /d "NDEBUG" /d "_AFXDLL" # ADD RSC /l 0x804 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 /nologo /subsystem:windows /machine:I386 # ADD LINK32 /nologo /subsystem:windows /machine:I386 !ELSEIF "$(CFG)" == "DetectOD - Win32 Debug" # PROP BASE Use_MFC 6 # PROP BASE Use_Debug_Libraries 1 # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" # PROP Use_MFC 6 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_AFXDLL" /Yu"stdafx.h" /FD /GZ /c # ADD CPP /nologo /MDd 
/w /W0 /WX /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_AFXDLL" /D "_MBCS" /FR /Yu"stdafx.h" /FD /GZ /c # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x804 /d "_DEBUG" /d "_AFXDLL" # ADD RSC /l 0x804 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept # ADD LINK32 /nologo /subsystem:windows /debug /machine:I386 /pdbtype:sept !ENDIF # Begin Target # Name "DetectOD - Win32 Release" # Name "DetectOD - Win32 Debug" # Begin Group "Source Files" # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" # Begin Source File SOURCE=.\DetectOD.cpp # End Source File # Begin Source File SOURCE=.\DetectOD.rc # End Source File # Begin Source File SOURCE=.\DetectODDlg.cpp # End Source File # Begin Source File SOURCE=.\StdAfx.cpp # ADD CPP /Yc"stdafx.h" # End Source File # End Group # Begin Group "Header Files" # PROP Default_Filter "h;hpp;hxx;hm;inl" # Begin Source File SOURCE=.\DetectOD.h # End Source File # Begin Source File SOURCE=.\DetectODDlg.h # End Source File # Begin Source File SOURCE=.\Resource.h # End Source File # Begin Source File SOURCE=.\StdAfx.h # End Source File # End Group # Begin Group "Resource Files" # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" # Begin Source File SOURCE=.\res\DetectOD.ico # End Source File # Begin Source File SOURCE=.\res\DetectOD.rc2 # End Source File # Begin Source File SOURCE=.\res\dog.ico # End Source File # Begin Source File SOURCE=.\res\home.ico # End Source File # Begin Source File SOURCE=.\res\User.ico # End Source File # End Group # Begin Source File SOURCE=.\ReadMe.txt # End Source File # End Target # End Project ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectOD.dsw ================================================ Microsoft Developer Studio Workspace 
File, Format Version 6.00 # : ܱ༭ɾùļ ############################################################################### Project: "DetectOD"=.\DetectOD.dsp - Package Owner=<4> Package=<5> {{{ }}} Package=<4> {{{ }}} ############################################################################### Global: Package=<5> {{{ }}} Package=<3> {{{ }}} ############################################################################### ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectOD.h ================================================ // DetectOD.h : main header file for the DETECTOD application // #if !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_) #define AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_ #if _MSC_VER > 1000 #pragma once #endif // _MSC_VER > 1000 #ifndef __AFXWIN_H__ #error include 'stdafx.h' before including this file for PCH #endif #include "resource.h" // main symbols ///////////////////////////////////////////////////////////////////////////// // CDetectODApp: // See DetectOD.cpp for the implementation of this class // class CDetectODApp : public CWinApp { public: CDetectODApp(); // Overrides // ClassWizard generated virtual function overrides //{{AFX_VIRTUAL(CDetectODApp) public: virtual BOOL InitInstance(); //}}AFX_VIRTUAL // Implementation //{{AFX_MSG(CDetectODApp) // NOTE - the ClassWizard will add and remove member functions here. // DO NOT EDIT what you see in these blocks of generated code ! //}}AFX_MSG DECLARE_MESSAGE_MAP() }; ///////////////////////////////////////////////////////////////////////////// //{{AFX_INSERT_LOCATION}} // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 
#endif // !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_) ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectOD.rc ================================================ //Microsoft Developer Studio generated resource script. // #include "resource.h" #define APSTUDIO_READONLY_SYMBOLS ///////////////////////////////////////////////////////////////////////////// // // Generated from the TEXTINCLUDE 2 resource. // #include "afxres.h" ///////////////////////////////////////////////////////////////////////////// #undef APSTUDIO_READONLY_SYMBOLS ///////////////////////////////////////////////////////////////////////////// // Chinese (й) resources #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS) #ifdef _WIN32 LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED #pragma code_page(936) #endif //_WIN32 #ifdef APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // TEXTINCLUDE // 1 TEXTINCLUDE DISCARDABLE BEGIN "resource.h\0" END 2 TEXTINCLUDE DISCARDABLE BEGIN "#include ""afxres.h""\r\n" "\0" END 3 TEXTINCLUDE DISCARDABLE BEGIN "#define _AFX_NO_SPLITTER_RESOURCES\r\n" "#define _AFX_NO_OLE_RESOURCES\r\n" "#define _AFX_NO_TRACKER_RESOURCES\r\n" "#define _AFX_NO_PROPERTY_RESOURCES\r\n" "\r\n" "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\n" "#ifdef _WIN32\r\n" "LANGUAGE 4, 2\r\n" "#pragma code_page(936)\r\n" "#endif //_WIN32\r\n" "#include ""res\\DetectOD.rc2"" // non-Microsoft Visual C++ edited resources\r\n" "#include ""l.chs\\afxres.rc"" // Standard components\r\n" "#endif\r\n" "\0" END #endif // APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // Icon // // Icon with lowest ID value placed first to ensure application icon // remains consistent on all systems. 
IDR_MAINFRAME ICON DISCARDABLE "res\\DetectOD.ico" IDI_DOG ICON DISCARDABLE "res\\dog.ico" IDI_ICON2 ICON DISCARDABLE "res\\home.ico" ///////////////////////////////////////////////////////////////////////////// // // Dialog // IDD_ABOUTBOX DIALOG DISCARDABLE 0, 0, 235, 55 STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION " ʵ" FONT 9, "" BEGIN ICON IDI_ICON2,IDC_MYICON,11,16,20,20,SS_NOTIFY LTEXT "ٷվд⻥",IDC_COMEON,56,31,88,8,SS_NOTIFY | NOT WS_GROUP DEFPUSHBUTTON "ȷ",IDOK,178,7,50,14,WS_GROUP CTEXT "http://ucooper.com",IDC_MYPAGE,40,17,106,8,SS_NOTIFY END IDD_DETECTOD_DIALOG DIALOGEX 0, 0, 443, 200 STYLE DS_MODALFRAME | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU EXSTYLE WS_EX_APPWINDOW CAPTION "ʵ д⻥ ucooper.com" FONT 9, "" BEGIN DEFPUSHBUTTON " (&C)",IDOK,375,18,61,18 PUSHBUTTON "",IDC_WNDCLS,13,6,46,18 PUSHBUTTON "IsDebuggerPresent",IDC_ISDEBUGGERPRESENT,13,31,97,18 PUSHBUTTON "EnumWindow",IDC_ENUMWINDOW,63,6,47,18 PUSHBUTTON "öٽ",IDC_EnumProcess,13,55,96,18 PUSHBUTTON "Explorer",IDC_Explorer,13,79,96,18 PUSHBUTTON "GetTickCount",IDC_GetTickCount,13,103,96,18 PUSHBUTTON "GetStartupInfo",IDC_GetStartupInfo,13,127,96,18 PUSHBUTTON "PebFlags",IDC_PEBFLAGS,13,151,97,18 PUSHBUTTON "CheckRemoteDebuggerPresent", IDC_CHECKREMOTEDEBUGGERPRESENT,7,175,109,18 PUSHBUTTON "ZwQueryInformationProcess", IDC_ZwQueryInformationProcess,127,6,109,18 PUSHBUTTON "SetUnhandledExceptionFilter", IDC_SetUnhandledExceptionFilter,127,175,109,18 PUSHBUTTON "SeDebugPrivilege",IDC_SeDebugPrivilege,127,31,109,18 PUSHBUTTON "NTQueryObject",IDC_NTQueryObject,127,55,109,18 PUSHBUTTON "ϵ",IDC_DectectBreakpoints,127,79,109,18 PUSHBUTTON "ϵ",IDC_DectectFuncBreakpoints,127,103,109,18 PUSHBUTTON "BlockInput",IDC_BlockInput,127,151,109,18 PUSHBUTTON "CheckSum",IDC_CHECKSUM,127,127,109,18 PUSHBUTTON "EnableWindow",IDC_EnableWindow,253,6,109,18 PUSHBUTTON "ZwSetInformationThread",IDC_ZwSetInformationThread,253, 31,109,18 PUSHBUTTON 
"OutputDebugString",IDC_OutputDebugString,253,55,109,18 PUSHBUTTON "GetEntryPoint",IDC_GetEntryPoint,253,152,109,18 PUSHBUTTON "쳣",IDC_TrapFlag,253,80,109,18 PUSHBUTTON "ҳGuard Pages",IDC_GuardPages,253,103,109,18 PUSHBUTTON "HardwareBreakpoint",IDC_HARDWAREBREAKPOINT,253,127,109, 18 PUSHBUTTON " (&A)",IDC_ABOUT,375,47,61,18 CTEXT "֧ңҵĸվ www.ucooper.com",IDC_MYPAGE2, 257,183,183,10,SS_NOTIFY END #ifndef _MAC ///////////////////////////////////////////////////////////////////////////// // // Version // VS_VERSION_INFO VERSIONINFO FILEVERSION 1,0,0,1 PRODUCTVERSION 1,0,0,1 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L #else FILEFLAGS 0x0L #endif FILEOS 0x4L FILETYPE 0x1L FILESUBTYPE 0x0L BEGIN BLOCK "StringFileInfo" BEGIN BLOCK "080404B0" BEGIN VALUE "CompanyName", "\0" VALUE "FileDescription", "DetectOD Microsoft Ӧó\0" VALUE "FileVersion", "1, 0, 0, 1\0" VALUE "InternalName", "DetectOD\0" VALUE "LegalCopyright", "Ȩ (C) 2010\0" VALUE "LegalTrademarks", "\0" VALUE "OriginalFilename", "DetectOD.EXE\0" VALUE "ProductName", "DetectOD Ӧó\0" VALUE "ProductVersion", "1, 0, 0, 1\0" END END BLOCK "VarFileInfo" BEGIN VALUE "Translation", 0x804, 1200 END END #endif // !_MAC ///////////////////////////////////////////////////////////////////////////// // // DESIGNINFO // #ifdef APSTUDIO_INVOKED GUIDELINES DESIGNINFO DISCARDABLE BEGIN IDD_ABOUTBOX, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 228 TOPMARGIN, 7 BOTTOMMARGIN, 48 END IDD_DETECTOD_DIALOG, DIALOG BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 436 TOPMARGIN, 6 BOTTOMMARGIN, 193 END END #endif // APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // String Table // STRINGTABLE DISCARDABLE BEGIN IDS_ABOUTBOX " DetectOD(&A)..." END #endif // Chinese (й) resources ///////////////////////////////////////////////////////////////////////////// #ifndef APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // // Generated from the TEXTINCLUDE 3 resource. 
// #define _AFX_NO_SPLITTER_RESOURCES #define _AFX_NO_OLE_RESOURCES #define _AFX_NO_TRACKER_RESOURCES #define _AFX_NO_PROPERTY_RESOURCES #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS) #ifdef _WIN32 LANGUAGE 4, 2 #pragma code_page(936) #endif //_WIN32 #include "res\DetectOD.rc2" // non-Microsoft Visual C++ edited resources #include "l.chs\afxres.rc" // Standard components #endif ///////////////////////////////////////////////////////////////////////////// #endif // not APSTUDIO_INVOKED ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectODDlg.cpp ================================================ // DetectODDlg.cpp : implementation file // #include "stdafx.h" #include "DetectOD.h" #include "DetectODDlg.h" #include "Shlwapi.h" #include "tlhelp32.h" #include "Windows.h" #include "Winable.h" #include "eh.h" #ifdef _DEBUG #define new DEBUG_NEW #undef THIS_FILE static char THIS_FILE[] = __FILE__; #endif static DWORD NewEip; ///////////////////////////////////////////////////////////////////////////// // CAboutDlg dialog used for App About class CAboutDlg : public CDialog { public: CAboutDlg(); // Dialog Data //{{AFX_DATA(CAboutDlg) enum { IDD = IDD_ABOUTBOX }; //}}AFX_DATA // ClassWizard generated virtual function overrides //{{AFX_VIRTUAL(CAboutDlg) protected: virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support //}}AFX_VIRTUAL // Implementation protected: //{{AFX_MSG(CAboutDlg) afx_msg void OnMypage(); afx_msg void OnMouseMove(UINT nFlags, CPoint point); virtual BOOL OnInitDialog(); afx_msg void OnComeon(); afx_msg void OnMyicon(); //}}AFX_MSG DECLARE_MESSAGE_MAP() }; CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD) { //{{AFX_DATA_INIT(CAboutDlg) //}}AFX_DATA_INIT } void CAboutDlg::DoDataExchange(CDataExchange* pDX) { CDialog::DoDataExchange(pDX); //{{AFX_DATA_MAP(CAboutDlg) //}}AFX_DATA_MAP } BEGIN_MESSAGE_MAP(CAboutDlg, CDialog) //{{AFX_MSG_MAP(CAboutDlg) ON_BN_CLICKED(IDC_MYPAGE, OnMypage) ON_WM_MOUSEMOVE() 
ON_BN_CLICKED(IDC_COMEON, OnComeon) ON_BN_CLICKED(IDC_MYICON, OnMyicon) //}}AFX_MSG_MAP END_MESSAGE_MAP() ///////////////////////////////////////////////////////////////////////////// // CDetectODDlg dialog CDetectODDlg::CDetectODDlg(CWnd* pParent /*=NULL*/) : CDialog(CDetectODDlg::IDD, pParent) { //{{AFX_DATA_INIT(CDetectODDlg) // NOTE: the ClassWizard will add member initialization here //}}AFX_DATA_INIT // Note that LoadIcon does not require a subsequent DestroyIcon in Win32 m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME); } void CDetectODDlg::DoDataExchange(CDataExchange* pDX) { CDialog::DoDataExchange(pDX); //{{AFX_DATA_MAP(CDetectODDlg) // NOTE: the ClassWizard will add DDX and DDV calls here //}}AFX_DATA_MAP } BEGIN_MESSAGE_MAP(CDetectODDlg, CDialog) //{{AFX_MSG_MAP(CDetectODDlg) ON_WM_SYSCOMMAND() ON_WM_PAINT() ON_WM_QUERYDRAGICON() ON_BN_CLICKED(IDC_WNDCLS, OnWndcls) ON_BN_CLICKED(IDC_ISDEBUGGERPRESENT, OnIsdebuggerpresent) ON_BN_CLICKED(IDC_ENUMWINDOW, OnEnumwindow) ON_BN_CLICKED(IDC_EnumProcess, OnEnumProcess) ON_BN_CLICKED(IDC_Explorer, OnExplorer) ON_BN_CLICKED(IDC_GetTickCount, OnGetTickCount) ON_BN_CLICKED(IDC_GetStartupInfo, OnGetStartupInfo) ON_BN_CLICKED(IDC_PEBFLAGS, OnPebflags) ON_BN_CLICKED(IDC_CHECKREMOTEDEBUGGERPRESENT, OnCheckremotedebuggerpresent) ON_BN_CLICKED(IDC_SetUnhandledExceptionFilter, OnSetUnhandledExceptionFilter) ON_BN_CLICKED(IDC_ZwQueryInformationProcess, OnZwQueryInformationProcess) ON_BN_CLICKED(IDC_SeDebugPrivilege, OnSeDebugPrivilege) ON_BN_CLICKED(IDC_NTQueryObject, OnNTQueryObject) ON_BN_CLICKED(IDC_DectectBreakpoints, OnDectectBreakpoints) ON_BN_CLICKED(IDC_DectectFuncBreakpoints, OnDectectFuncBreakpoints) ON_BN_CLICKED(IDC_BlockInput, OnBlockInput) ON_BN_CLICKED(IDC_CHECKSUM, OnChecksum) ON_BN_CLICKED(IDC_EnableWindow, OnEnableWindow) ON_BN_CLICKED(IDC_ZwSetInformationThread, OnZwSetInformationThread) ON_BN_CLICKED(IDC_OutputDebugString, OnOutputDebugString) ON_BN_CLICKED(IDC_GetEntryPoint, OnGetEntryPoint) 
ON_BN_CLICKED(IDC_TrapFlag, OnTrapFlag) ON_BN_CLICKED(IDC_GuardPages, OnGuardPages) ON_BN_CLICKED(IDC_HARDWAREBREAKPOINT, OnHardwarebreakpoint) ON_BN_CLICKED(IDC_ABOUT, OnAbout) ON_BN_CLICKED(IDC_MYPAGE2, OnMypage2) //}}AFX_MSG_MAP END_MESSAGE_MAP() ///////////////////////////////////////////////////////////////////////////// // CDetectODDlg message handlers BOOL CDetectODDlg::OnInitDialog() { CDialog::OnInitDialog(); // Add "About..." menu item to system menu. // IDM_ABOUTBOX must be in the system command range. ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX); ASSERT(IDM_ABOUTBOX < 0xF000); CMenu* pSysMenu = GetSystemMenu(FALSE); if (pSysMenu != NULL) { CString strAboutMenu; strAboutMenu.LoadString(IDS_ABOUTBOX); if (!strAboutMenu.IsEmpty()) { pSysMenu->AppendMenu(MF_SEPARATOR); pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu); } } // Set the icon for this dialog. The framework does this automatically // when the application's main window is not a dialog // SetIcon(m_hIcon, TRUE); // Set big icon // SetIcon(m_hIcon, FALSE); // Set small icon // TODO: Add extra initialization here SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG)))); return TRUE; // return TRUE unless you set the focus to a control } void CDetectODDlg::OnSysCommand(UINT nID, LPARAM lParam) { if ((nID & 0xFFF0) == IDM_ABOUTBOX) { CAboutDlg dlgAbout; dlgAbout.DoModal(); } else { CDialog::OnSysCommand(nID, lParam); } } // If you add a minimize button to your dialog, you will need the code below // to draw the icon. For MFC applications using the document/view model, // this is automatically done for you by the framework. 
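void CDetectODDlg::OnPaint()
{
	// AppWizard boilerplate: draw the application icon while the dialog is
	// minimized, otherwise let CDialog paint as usual.
	if (IsIconic())
	{
		CPaintDC dc(this); // device context for painting

		SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);

		// Center icon in client rectangle
		int cxIcon = GetSystemMetrics(SM_CXICON);
		int cyIcon = GetSystemMetrics(SM_CYICON);
		CRect rect;
		GetClientRect(&rect);
		int x = (rect.Width() - cxIcon + 1) / 2;
		int y = (rect.Height() - cyIcon + 1) / 2;

		// Draw the icon
		dc.DrawIcon(x, y, m_hIcon);
	}
	else
	{
		CDialog::OnPaint();
	}
}

// The system calls this to obtain the cursor to display while the user drags
// the minimized window.
HCURSOR CDetectODDlg::OnQueryDragIcon()
{
	return (HCURSOR) m_hIcon;
}

// Window-class check: look for a top-level window whose class name is
// "OllyDbg". Defeated by any debugger that renames its window class, and by
// every debugger that is not OllyDbg.
void CDetectODDlg::OnWndcls()
{
	HWND hWnd = ::FindWindow("OllyDbg", NULL);
	if (hWnd != NULL)
	{
		MessageBox("OD");
	}
	else
	{
		MessageBox("ûOD");
	}
}

// IsDebuggerPresent() reports PEB.BeingDebugged; it is the first flag an
// anti-anti-debug plugin clears, so treat a negative result as weak evidence.
void CDetectODDlg::OnIsdebuggerpresent()
{
	if (IsDebuggerPresent())
	{
		MessageBox("OD");
	}
	else
	{
		MessageBox("ûOD");
	}
}

/***************************************************/
// EnumWindows callback: report the first visible window whose title contains
// "Ollydbg" (case-insensitive substring match) and stop the enumeration.
BOOL CALLBACK EnumWindowsProc(
	HWND hwnd,		// handle to parent window
	LPARAM lParam	// application-defined value
)
{
	char ch[100] = { 0 };	// zeroed so a failed GetWindowText yields an empty string, not stack garbage
	CString str = "Ollydbg";
	if (IsWindowVisible(hwnd))
	{
		::GetWindowText(hwnd, ch, sizeof(ch));
		if (::StrStrI(ch, str))
		{
			AfxMessageBox("OD");
			return FALSE;	// stop enumerating
		}
	}
	return TRUE;
}

// Window-title check. The callback already reports a hit; the trailing
// message box is shown unconditionally (original behaviour).
void CDetectODDlg::OnEnumwindow()
{
	EnumWindows(EnumWindowsProc, NULL);
	AfxMessageBox("öٴڽδʾODûOD");
}

/***************************************************/
// Process-list check: look for an image named OLLYDBG.EXE.
// Bug fixed: PROCESSENTRY32.dwSize was never set, so Process32First failed
// with ERROR_INVALID_PARAMETER and the loop compared an uninitialised entry.
// The snapshot handle is now only closed when it was actually opened.
void CDetectODDlg::OnEnumProcess()
{
	PROCESSENTRY32 tp32;	// Toolhelp process entry
	CString str = "OLLYDBG.EXE";
	BOOL bFindOD = FALSE;

	HANDLE hSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	if (INVALID_HANDLE_VALUE != hSnap)
	{
		tp32.dwSize = sizeof(tp32);	// required by Process32First/Process32Next
		if (Process32First(hSnap, &tp32))
		{
			do
			{
				if (0 == lstrcmpi(str, tp32.szExeFile))
				{
					AfxMessageBox("OD");
					bFindOD = TRUE;
					break;
				}
			} while (Process32Next(hSnap, &tp32));
		}
		if (!bFindOD)
			AfxMessageBox("ûOD");
		CloseHandle(hSnap);
	}
}

// Parent-process check: a process started by a debugger has the debugger as
// its parent, whereas one started from the shell has explorer.exe (located
// here as the owner of the "Progman" desktop window). Heuristic only: a
// process launched from cmd.exe, an IDE, a service, or a different shell
// also reports "found", and a debugger that attaches later is not seen.
// Bugs fixed: dwSize was never set; ExplorerID and SelfParentID were read
// uninitialised when Progman did not exist or our own PID was not found.
void CDetectODDlg::OnExplorer()
{
	PROCESSENTRY32 tp32;	// Toolhelp process entry
	CString str;
	DWORD ExplorerID = 0;
	DWORD SelfParentID = 0;
	DWORD SelfID = GetCurrentProcessId();

	// With no Progman window FindWindow returns NULL and
	// GetWindowThreadProcessId leaves ExplorerID untouched (0).
	::GetWindowThreadProcessId(::FindWindow("Progman", NULL), &ExplorerID);

	HANDLE hSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	if (INVALID_HANDLE_VALUE != hSnap)
	{
		tp32.dwSize = sizeof(tp32);
		if (Process32First(hSnap, &tp32))
		{
			do
			{
				if (SelfID == tp32.th32ProcessID)
				{
					SelfParentID = tp32.th32ParentProcessID;
					break;
				}
			} while (Process32Next(hSnap, &tp32));
		}
		CloseHandle(hSnap);

		str.Format("̣%d ̣%d Explorer: %d ", SelfID, SelfParentID, ExplorerID);
		MessageBox(str);

		// An unknown Explorer PID (0) must not match an unknown parent (0):
		// fail towards "debugger present" rather than silently passing.
		if (ExplorerID != 0 && ExplorerID == SelfParentID)
		{
			AfxMessageBox("ûOD");
		}
		else
		{
			AfxMessageBox("OD");
		}
	}
}

// Timing check: four trivial calls take far less than 100 ms unless someone
// is single-stepping through them. GetTickCount has roughly 10-16 ms
// resolution, so this only catches manual stepping, not breakpoints elsewhere,
// and the threshold itself is trivial to patch.
void CDetectODDlg::OnGetTickCount()
{
	DWORD dTime1 = GetTickCount();
	GetCurrentProcessId();
	GetCurrentProcessId();
	GetCurrentProcessId();
	GetCurrentProcessId();
	DWORD dTime2 = GetTickCount();

	// Unsigned subtraction stays correct across the 49.7-day wraparound.
	if (dTime2 - dTime1 > 100)
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

// STARTUPINFO check: the position/size/console fields are filled in by the
// parent that created us. Launched from Explorer they are all zero; the
// original author relies on a debugger leaving non-zero values. This is a
// property of the parent, not of being debugged, so other launchers can
// produce false positives.
void CDetectODDlg::OnGetStartupInfo()
{
	STARTUPINFO info = { 0 };
	GetStartupInfo(&info);

	BOOL bNonZero = info.dwX != 0 || info.dwY != 0 ||
		info.dwXCountChars != 0 || info.dwYCountChars != 0 ||
		info.dwFillAttribute != 0 ||
		info.dwXSize != 0 || info.dwYSize != 0;
	if (bNonZero)
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

//**********************************************
// Minimal native-API declarations (not in the VC6 SDK headers).
// NOTE: PPEB is declared as ULONG, so every PEB address computed from
// PROCESS_BASIC_INFORMATION below is 32-bit only.
typedef ULONG NTSTATUS;
typedef ULONG PPEB;
typedef ULONG KAFFINITY;
typedef ULONG KPRIORITY;

typedef struct _PROCESS_BASIC_INFORMATION { // Information Class 0
	NTSTATUS ExitStatus;
	PPEB PebBaseAddress;
	KAFFINITY AffinityMask;
	KPRIORITY BasePriority;
	ULONG UniqueProcessId;
	ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION,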
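*PPROCESS_BASIC_INFORMATION;

// Process information classes for ZwQueryInformationProcess. The two columns
// in the comments are carried over from the original listing. Only
// ProcessBasicInformation (0) and ProcessDebugPort (7) are used in this file.
typedef enum _PROCESSINFOCLASS {
	ProcessBasicInformation,			// 0 Y N
	ProcessQuotaLimits,					// 1 Y Y
	ProcessIoCounters,					// 2 Y N
	ProcessVmCounters,					// 3 Y N
	ProcessTimes,						// 4 Y N
	ProcessBasePriority,				// 5 N Y
	ProcessRaisePriority,				// 6 N Y
	ProcessDebugPort,					// 7 Y Y
	ProcessExceptionPort,				// 8 N Y
	ProcessAccessToken,					// 9 N Y
	ProcessLdtInformation,				// 10 Y Y
	ProcessLdtSize,						// 11 N Y
	ProcessDefaultHardErrorMode,		// 12 Y Y
	ProcessIoPortHandlers,				// 13 N Y
	ProcessPooledUsageAndLimits,		// 14 Y N
	ProcessWorkingSetWatch,				// 15 Y Y
	ProcessUserModeIOPL,				// 16 N Y
	ProcessEnableAlignmentFaultFixup,	// 17 N Y
	ProcessPriorityClass,				// 18 N Y
	ProcessWx86Information,				// 19 Y N
	ProcessHandleCount,					// 20 Y N
	ProcessAffinityMask,				// 21 N Y
	ProcessPriorityBoost,				// 22 Y Y
	ProcessDeviceMap,					// 23 Y Y
	ProcessSessionInformation,			// 24 Y Y
	ProcessForegroundInformation,		// 25 N Y
	ProcessWow64Information				// 26 Y N
} PROCESSINFOCLASS;

// Function-pointer type for ntdll!ZwQueryInformationProcess, resolved at run time.
typedef NTSTATUS (_stdcall *ZwQueryInformationProcess)(
	HANDLE ProcessHandle,
	PROCESSINFOCLASS ProcessInformationClass,
	PVOID ProcessInformation,
	ULONG ProcessInformationLength,
	PULONG ReturnLength
);

// PEB / heap flag check. Reads, through ReadProcessMemory on our own process:
//   PEB+0x68  NtGlobalFlag  -- a process created by a debugger gets
//             FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
//             FLG_HEAP_VALIDATE_PARAMETERS (0x70) set
//   PEB+0x18  ProcessHeap   -> HEAP.Flags (+0x0c) and HEAP.ForceFlags (+0x10)
// These offsets are the 32-bit XP/2003 layouts. On Vista and later the HEAP
// structure changed and Flags/ForceFlags live at different offsets, so the
// two heap reads compare the wrong fields there -- verify against the target
// OS before relying on them.
// Fixes: GetProcAddress result checked before the call; NtGlobalFlag tested
// with a mask so unrelated gflags bits do not hide the debugger bits; no
// LoadLibrary reference leaked (ntdll is always mapped).
void CDetectODDlg::OnPebflags()
{
	HANDLE hProcess = NULL;
	PROCESS_BASIC_INFORMATION pbi = { 0 };
	ULONG cnt = 0;
	ULONG PebBase = 0;
	ULONG AddrBase = 0;
	BOOL bFoundOD = FALSE;
	WORD flag = 0;
	DWORD dwFlag = 0;
	DWORD bytesrw = 0;
	DWORD ProcessId = GetCurrentProcessId();

	hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId);
	if (hProcess == NULL)
		return;

	ZwQueryInformationProcess MyZwQueryInformationProcess =
		(ZwQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQueryInformationProcess");

	if (MyZwQueryInformationProcess != NULL &&
		MyZwQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi,
									sizeof(PROCESS_BASIC_INFORMATION), &cnt) == 0)
	{
		PebBase = (ULONG)pbi.PebBaseAddress;
		AddrBase = PebBase;

		// PEB.NtGlobalFlag (low WORD only)
		if (ReadProcessMemory(hProcess, (LPCVOID)(PebBase + 0x68), &flag, 2, &bytesrw) && bytesrw == 2)
		{
			if ((flag & 0x70) == 0x70)
				bFoundOD = TRUE;
		}
		// PEB.ProcessHeap; if this read fails the heap reads below fall back
		// to PEB-relative offsets (original behaviour).
		if (ReadProcessMemory(hProcess, (LPCVOID)(PebBase + 0x18), &dwFlag, 4, &bytesrw) && bytesrw == 4)
		{
			AddrBase = dwFlag;
		}
		// HEAP.Flags: HEAP_GROWABLE (2) alone is the undebugged value
		if (ReadProcessMemory(hProcess, (LPCVOID)(AddrBase + 0x0c), &flag, 2, &bytesrw) && bytesrw == 2)
		{
			if (2 != flag)
				bFoundOD = TRUE;
		}
		// HEAP.ForceFlags: zero unless heap debugging was forced on
		if (ReadProcessMemory(hProcess, (LPCVOID)(AddrBase + 0x10), &flag, 2, &bytesrw) && bytesrw == 2)
		{
			if (0 != flag)
				bFoundOD = TRUE;
		}

		if (bFoundOD == FALSE)
		{
			AfxMessageBox("ûOD");
		}
		else
		{
			AfxMessageBox("OD");
		}
	}
	CloseHandle(hProcess);
}

//*******************************************************************
typedef BOOL (WINAPI *CHECK_REMOTE_DEBUGGER_PRESENT)(HANDLE, PBOOL);

// CheckRemoteDebuggerPresent() asks the kernel for the debug port rather
// than reading the PEB, so clearing BeingDebugged does not fool it. It is
// resolved dynamically because the export does not exist on Windows 2000
// and earlier; the null check keeps that case from calling through NULL
// (the original called the pointer unconditionally).
void CDetectODDlg::OnCheckremotedebuggerpresent()
{
	BOOL bDebuggerPresent = FALSE;
	CHECK_REMOTE_DEBUGGER_PRESENT CheckRemoteDebuggerPresent = NULL;

	HMODULE hModule = GetModuleHandleA("Kernel32");
	if (hModule != NULL)
		CheckRemoteDebuggerPresent =
			(CHECK_REMOTE_DEBUGGER_PRESENT)GetProcAddress(hModule, "CheckRemoteDebuggerPresent");

	if (CheckRemoteDebuggerPresent != NULL)
		CheckRemoteDebuggerPresent(GetCurrentProcess(), &bDebuggerPresent);

	if (bDebuggerPresent == TRUE)
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

//********************************************************
typedef NTSTATUS (_stdcall *ZW_QUERY_INFORMATION_PROCESS)(
	HANDLE ProcessHandle,
	PROCESSINFOCLASS ProcessInformationClass,	// selects the structure returned
	PVOID ProcessInformation,
	ULONG ProcessInformationLength,
	PULONG ReturnLength
);

// ZwQueryInformationProcess(ProcessDebugPort): non-zero means a debug port is
// attached to this process. The value is a HANDLE, so the 4-byte buffer is
// only correct on x86.
// Fixes: dwResult is pre-zeroed and the call is skipped when the export
// cannot be resolved, so a failed query reports "not debugged" instead of
// whatever happened to be on the stack (the original left dwResult
// uninitialised and called through an unchecked pointer).
void CDetectODDlg::OnZwQueryInformationProcess()
{
	HANDLE hProcess = GetCurrentProcess();
	DWORD dwResult = 0;
	ZW_QUERY_INFORMATION_PROCESS MyFunc = NULL;

	HMODULE hModule = GetModuleHandle("ntdll.dll");
	if (hModule != NULL)
		MyFunc = (ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hModule, "ZwQueryInformationProcess");

	if (MyFunc != NULL)
		MyFunc(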
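hProcess, ProcessDebugPort, &dwResult, 4, NULL);

	if (dwResult != 0)
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

//********************************************************
// State shared by the exception-based checks (top-level filter, guard page,
// hardware breakpoints). NewEip is the file-static declared near the top of
// this file; the filters resume execution there.
static DWORD lpOldHandler;	// previous top-level filter, restored by the handler

typedef LPTOP_LEVEL_EXCEPTION_FILTER (_stdcall *pSetUnhandledExceptionFilter)(
	LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter
);
pSetUnhandledExceptionFilter lpSetUnhandledExceptionFilter;

// Top-level filter used by OnSetUnhandledExceptionFilter. It only runs when
// the INT 3 raised there is NOT handled by a debugger: it restores the
// previous filter and resumes at NewEip (the "safe" label), skipping the
// "debugger detected" path. pushad/popad bracket the C++ calls so the
// caller's registers are untouched (original behaviour).
LONG WINAPI TopUnhandledExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo)
{
	_asm pushad
	AfxMessageBox("ص");
	lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)lpOldHandler);
	ExceptionInfo->ContextRecord->Eip = NewEip;	// resume at the safe location
	_asm popad
	return EXCEPTION_CONTINUE_EXECUTION;
}

// SetUnhandledExceptionFilter check: install our own top-level filter and
// execute INT 3. With no debugger the exception reaches the filter, which
// moves EIP to "safe" and the "not debugged" message is shown. With a
// debugger attached, the debugger consumes the breakpoint exception first,
// execution falls through to the next instruction and the "debugged" message
// is shown. The inline assembly records two ways to obtain the resume
// address: call/pop of a label (needs an offset added) and
// "mov NewEip, offset safe", which is the one that takes effect.
// Fix: the SetUnhandledExceptionFilter pointer is checked before use.
void CDetectODDlg::OnSetUnhandledExceptionFilter()
{
	bool isDebugged = 0;

	lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(
		LoadLibrary(("kernel32.dll")), "SetUnhandledExceptionFilter");
	if (lpSetUnhandledExceptionFilter == NULL)
		return;
	lpOldHandler = (DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter);

	_asm
	{
		// way 1: absolute address of a label via call/pop (would need an offset added)
		call me
me:
		pop NewEip
		// way 2: the address of the safe label directly -- this is the value used
		mov NewEip, offset safe
		int 3					// raise the breakpoint exception
	}
	// Reached only if something swallowed the INT 3 (i.e. a debugger).
	AfxMessageBox("⵽OD");
	isDebugged = 1;
	_asm
	{
safe:
	}
	if (1 == isDebugged)
	{
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

//********************************************************
// SeDebugPrivilege check: try to open csrss.exe with PROCESS_QUERY_INFORMATION.
// That succeeds only if SeDebugPrivilege is enabled in our token; a debugger
// such as OllyDbg enables it, and the enabled state is inherited by the
// processes it creates. Any parent that enabled the privilege (not only a
// debugger) produces a hit, and a debugger attaching later is not detected.
// Fixes: dwSize was never set; only the first csrss.exe is tested (there is
// one per session, the original popped a message per instance); the process
// handle is only closed when OpenProcess succeeded; bInheritHandle is FALSE
// rather than NULL.
void CDetectODDlg::OnSeDebugPrivilege()
{
	PROCESSENTRY32 tp32;	// Toolhelp process entry
	CString str = "csrss.exe";
	BOOL bFoundOD = FALSE;

	HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	if (INVALID_HANDLE_VALUE == hProcessSnap)
		return;

	tp32.dwSize = sizeof(tp32);
	if (Process32First(hProcessSnap, &tp32))
	{
		do
		{
			if (0 == lstrcmpi(str, tp32.szExeFile))
			{
				HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, tp32.th32ProcessID);
				if (NULL != hProcess)
				{
					bFoundOD = TRUE;
					CloseHandle(hProcess);
				}
				break;	// one csrss.exe is enough
			}
		} while (Process32Next(hProcessSnap, &tp32));
	}
	CloseHandle(hProcessSnap);

	if (bFoundOD)
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

//***************************************************************
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((UINT32)0xC0000004L)
#endif

// Native object-manager declarations used by OnNTQueryObject (absent from
// the VC6 SDK headers; they may collide with winternl.h on newer SDKs).
typedef enum _POOL_TYPE {
	NonPagedPool,
	PagedPool,
	NonPagedPoolMustSucceed,
	DontUseThisType,
	NonPagedPoolCacheAligned,
	PagedPoolCacheAligned,
	NonPagedPoolCacheAlignedMustS
} POOL_TYPE;

typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

typedef enum _OBJECT_INFORMATION_CLASS {
	ObjectBasicInformation,		// Result is OBJECT_BASIC_INFORMATION structure
	ObjectNameInformation,		// Result is OBJECT_NAME_INFORMATION structure
	ObjectTypeInformation,		// Result is OBJECT_TYPE_INFORMATION structure
	ObjectAllTypesInformation,	// Result is OBJECT_ALL_INFORMATION structure
	ObjectDataInformation		// Result is OBJECT_DATA_INFORMATION structure
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;

typedef struct _OBJECT_TYPE_INFORMATION {
	UNICODE_STRING TypeName;
	ULONG TotalNumberOfHandles;
	ULONG TotalNumberOfObjects;
	WCHAR Unused1[8];
	ULONG HighWaterNumberOfHandles;
	ULONG HighWaterNumberOfObjects;
	WCHAR Unused2[8];
	ACCESS_MASK InvalidAttributes;
	GENERIC_MAPPING GenericMapping;
	ACCESS_MASK ValidAttributes;
	BOOLEAN SecurityRequired;
	BOOLEAN MaintainHandleCount;
	USHORT MaintainTypeList;
	POOL_TYPE PoolType;
	ULONG DefaultPagedPoolCharge;
	ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

typedef struct _OBJECT_ALL_INFORMATION {
	ULONG NumberOfObjectsTypes;
	OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;

typedef struct _OBJECT_ALL_TYPES_INFORMATION {
	ULONG NumberOfTypes;
	OBJECT_TYPE_INFORMATION TypeInformation[1];	// variable-length entries follow
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;

typedef UINT32 (__stdcall *ZwQueryObject_t)(
	IN HANDLE ObjectHandle,
	IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
	OUT PVOID ObjectInformation,
	IN ULONG Length,
	OUT PULONG ResultLength
);

void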
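CDetectODDlg::OnNTQueryObject()
{
	// DebugObject check: enumerate every object type known to the object
	// manager and inspect the "DebugObject" type. A non-zero handle or object
	// count means a debugger is attached to SOME process on the machine, not
	// necessarily this one. The original author notes it did not detect
	// OllyDbg on his system.
	// Fixes: the loop condition had been mangled to "iNumberOfTypes" and is
	// restored to i < Types->NumberOfTypes; ZwQueryObject is checked before
	// use; the buffer is only freed when it was allocated (the original freed
	// an uninitialised pointer when the first query did not return
	// STATUS_INFO_LENGTH_MISMATCH) and is no longer leaked when the second
	// query fails; a NULL type-name buffer is skipped instead of dereferenced.
	HMODULE hNtDLL;
	DWORD dwSize = 0;
	UINT i;
	OBJECT_ALL_TYPES_INFORMATION *Types = NULL;
	OBJECT_TYPE_INFORMATION *t;
	ZwQueryObject_t ZwQueryObject;
	BOOL bFoundOD = FALSE;

	hNtDLL = GetModuleHandle("ntdll.dll");
	if (hNtDLL == NULL)
		return;
	ZwQueryObject = (ZwQueryObject_t)GetProcAddress(hNtDLL, "ZwQueryObject");
	if (ZwQueryObject == NULL)
		return;

	// First call with no buffer: expect STATUS_INFO_LENGTH_MISMATCH plus the size needed.
	UINT32 iResult = ZwQueryObject(NULL, ObjectAllTypesInformation, NULL, NULL, &dwSize);
	if (iResult == STATUS_INFO_LENGTH_MISMATCH && dwSize != 0)
	{
		Types = (OBJECT_ALL_TYPES_INFORMATION *)VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
		if (Types == NULL)
			return;

		iResult = ZwQueryObject(NULL, ObjectAllTypesInformation, Types, dwSize, &dwSize);
		if (iResult != 0)
		{
			VirtualFree(Types, 0, MEM_RELEASE);
			return;
		}

		// Entries are variable length: each OBJECT_TYPE_INFORMATION is followed
		// by its name buffer, and the next entry starts at that buffer rounded
		// up to a 4-byte boundary. The walk is not bounds-checked against
		// dwSize (original behaviour).
		for (t = Types->TypeInformation, i = 0; i < Types->NumberOfTypes; i++)
		{
			if (t->TypeName.Buffer != NULL && !_wcsicmp(t->TypeName.Buffer, L"DebugObject"))
			{
				if (t->TotalNumberOfHandles > 0 || t->TotalNumberOfObjects > 0)
					bFoundOD = TRUE;
				break;	// the type was found either way
			}
			t = (OBJECT_TYPE_INFORMATION *)((char *)t->TypeName.Buffer + ((t->TypeName.MaximumLength + 3) & ~3));
		}
		VirtualFree(Types, 0, MEM_RELEASE);
	}

	if (bFoundOD)
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD!");
	}
}

/*********************************************************/
// Software-breakpoint scan of our own code: the bytes between CodeStart and
// CodeEnd are searched for 0xCC (INT 3). A debugger that placed a breakpoint
// inside that range has patched one in. Only the marked range is covered;
// hardware breakpoints and breakpoints elsewhere are not seen.
BOOL DetectBreakpoints()
{
	BOOL bFoundOD = FALSE;
	__asm
	{
		jmp CodeEnd
CodeStart:
		mov eax, ecx			; filler instructions that make up the scanned range
		nop
		push eax
		push ecx
		pop ecx
		pop eax
CodeEnd:
		cld						; scan forward
		mov edi, offset CodeStart
		mov edx, offset CodeStart
		mov ecx, offset CodeEnd
		sub ecx, edx			; ecx = number of bytes in the range
		mov al, 0CCH			; INT 3 opcode
		repne scasb
		jnz ODNotFound			; ZF clear: no 0xCC found
		mov bFoundOD, 1
ODNotFound:
	}
	return bFoundOD;
}

void CDetectODDlg::OnDectectBreakpoints()
{
	if (DetectBreakpoints())
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

/*********************************************************/
// API-breakpoint scan: search the first 100 bytes of user32!MessageBoxA for
// 0xCC, which catches a breakpoint set on the API entry. Expect false
// positives: 0xCC is common padding between functions and can appear inside
// other instruction encodings within a 100-byte window.
// Fix: a failed GetProcAddress no longer scans from address 0.
BOOL DetectFuncBreakpoints()
{
	BOOL bFoundOD = FALSE;
	DWORD dwAddr = (DWORD)::GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");
	if (dwAddr == 0)
		return FALSE;

	__asm
	{
		cld						; scan forward
		mov edi, dwAddr
		mov ecx, 100			; 100 bytes
		mov al, 0CCH			; INT 3 opcode
		repne scasb
		jnz ODNotFound
		mov bFoundOD, 1
ODNotFound:
	}
	return bFoundOD;
}

void CDetectODDlg::OnDectectFuncBreakpoints()
{
	if (DetectFuncBreakpoints())
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

// BlockInput(TRUE) stops keyboard and mouse input reaching any window,
// including a debugger's, until BlockInput(FALSE). If execution is stopped
// between the two calls the user cannot operate the debugger. Dangerous if
// the second call is never reached; the dummy assignments only separate
// the two calls.
void CDetectODDlg::OnBlockInput()
{
	// #include "Winable.h"
	DWORD dwNoUse;
	DWORD dwNoUse2;
	::BlockInput(TRUE);
	dwNoUse = 2;
	dwNoUse2 = 3;
	dwNoUse = dwNoUse2;
	::BlockInput(FALSE);
}

/*********************************************************/
// Code-integrity check: hash the first 100 bytes at the address of
// CheckSum() with an add/rotate and compare against CHECK_SUM. A software
// breakpoint or patch inside the range changes the hash.
// CHECK_SUM = 5555 is a placeholder: the real value must be measured from
// the final linked binary and pasted in, otherwise this check always
// reports "debugger found". With incremental linking the address taken may
// be that of a jump thunk rather than the function body -- verify.
BOOL CheckSum()
{
	BOOL bFoundOD = FALSE;
	DWORD CHECK_SUM = 5555;		// TODO: replace with the value computed from the shipped build
	DWORD dwAddr = (DWORD)CheckSum;
	__asm
	{
		mov esi, dwAddr			; start of the hashed range
		mov ecx, 100			; bytes to hash
		xor eax, eax
checksum_loop:
		movzx ebx, byte ptr [esi]
		add eax, ebx
		rol eax, 1
		inc esi
		loop checksum_loop
		cmp eax, CHECK_SUM
		jz ODNotFound			; hash matches: code untouched
		mov bFoundOD, 1
ODNotFound:
	}
	return bFoundOD;
}

void CDetectODDlg::OnChecksum()
{
	if (CheckSum())
	{
		AfxMessageBox("OD");
	}
	else
	{
		AfxMessageBox("ûOD");
	}
}

/*********************************************************/
// Disable the foreground window briefly and re-enable it. If a debugger
// stops execution in between, whichever window was in the foreground stays
// disabled. Fix: GetForegroundWindow() can return NULL (no foreground
// window); the original dereferenced it unconditionally.
void CDetectODDlg::OnEnableWindow()
{
	CWnd *wnd = GetForegroundWindow();
	if (wnd == NULL)
		return;

	wnd->EnableWindow(FALSE);
	DWORD dwNoUse;
	DWORD dwNoUse2;
	dwNoUse = 2;
	dwNoUse2 = 3;
	dwNoUse = dwNoUse2;
	wnd->EnableWindow(TRUE);
}

/*********************************************************/
// Thread information classes for ZwSetInformationThread; the columns in the
// comments are carried over from the original listing. Only
// ThreadHideFromDebugger (17) is used in this file.
typedef enum _THREADINFOCLASS {
	ThreadBasicInformation,				// 0 Y N
	ThreadTimes,						// 1 Y N
	ThreadPriority,						// 2 N Y
	ThreadBasePriority,					// 3 N Y
	ThreadAffinityMask,					// 4 N Y
	ThreadImpersonationToken,			// 5 N Y
	ThreadDescriptorTableEntry,			// 6 Y N
	ThreadEnableAlignmentFaultFixup,	// 7 N Y
	ThreadEventPair,					// 8 N Y
	ThreadQuerySetWin32StartAddress,	// 9 Y Y
	ThreadZeroTlsCell,					// 10 N Y
	ThreadPerformanceCount,				// 11 Y N
	ThreadAmILastThread,				// 12 Y N
	ThreadIdealProcessor,				// 13 N Y
	ThreadPriorityBoost,				// 14 Y Y
	ThreadSetTlsArrayAddress,			// 15 N Y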
ThreadIsIoPending, // 16 Y N ThreadHideFromDebugger // 17 N Y } THREAD_INFO_CLASS; typedef NTSTATUS (NTAPI *ZwSetInformationThread)( IN HANDLE ThreadHandle, IN THREAD_INFO_CLASS ThreadInformaitonClass, IN PVOID ThreadInformation, IN ULONG ThreadInformationLength ); void CDetectODDlg::OnZwSetInformationThread() { // TODO: Add your control notification handler code here CString str="Ҷλ"; HANDLE hwnd; HMODULE hModule; hwnd=GetCurrentThread(); hModule=LoadLibrary("ntdll.dll"); ZwSetInformationThread myFunc; myFunc=(ZwSetInformationThread)GetProcAddress(hModule,"ZwSetInformationThread"); myFunc(hwnd,ThreadHideFromDebugger,NULL,NULL); } /*********************************************************/ void CDetectODDlg::OnOutputDebugString() { // TODO: Add your control notification handler code here ::OutputDebugString("%s%s%s"); } /*********************************************************/ void CDetectODDlg::OnGetEntryPoint() { // TODO: Add your control notification handler code here IMAGE_DOS_HEADER *dos_head=(IMAGE_DOS_HEADER *)GetModuleHandle(NULL); PIMAGE_NT_HEADERS32 nt_head=(PIMAGE_NT_HEADERS32)((DWORD)dos_head+(DWORD)dos_head->e_lfanew); DWORD EP=(nt_head->OptionalHeader.AddressOfEntryPoint); CString str; str.Format("%x",EP); AfxMessageBox(str); BYTE*OEP=(BYTE*)(nt_head->OptionalHeader.AddressOfEntryPoint+(DWORD)dos_head); for(unsigned long index=0;index<20;index++){ if(OEP[index]==0xcc){ ExitProcess(0); } } } /**************************************************************/ void terminateFunc() { AfxMessageBox("set_terminateָĺ\n"); exit(0); } void CDetectODDlg::OnButton1() { // TODO: Add your control notification handler code here set_terminate(terminateFunc); try{ div(10,0); }catch(int){ AfxMessageBox("쳣"); }catch(...){ terminate(); //쳣 } AfxMessageBox(""); } //******************************************************** void CDetectODDlg::OnTrapFlag() { try{ _asm{ pushfd //쳣 or dword ptr [esp],100h ;TF=1 popfd } AfxMessageBox("⵽OD"); }catch(...){ AfxMessageBox("ûOD"); } 
} //******************************************************** static bool isDebugged=1; LONG WINAPI TopUnhandledExceptionFilter2( struct _EXCEPTION_POINTERS *ExceptionInfo ) { _asm pushad AfxMessageBox("ص"); lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler); ExceptionInfo->ContextRecord->Eip=NewEip; isDebugged=0; _asm popad return EXCEPTION_CONTINUE_EXECUTION; } void CDetectODDlg::OnGuardPages() { // TODO: Add your control notification handler code here ULONG dwOldType; DWORD dwPageSize; LPVOID lpvBase; // ȡڴĻַ SYSTEM_INFO sSysInfo; // ϵͳϢ GetSystemInfo(&sSysInfo); // ȡϵͳϢ dwPageSize=sSysInfo.dwPageSize; //ϵͳڴҳС lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")), "SetUnhandledExceptionFilter"); lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter2); // ڴ lpvBase = VirtualAlloc(NULL,dwPageSize,MEM_COMMIT,PAGE_READWRITE); if (lpvBase==NULL) AfxMessageBox("ڴʧ"); _asm{ mov NewEip,offset safe //ʽ mov eax,lpvBase push eax mov byte ptr [eax],0C3H //дһ RETN ڴ棬Աĵ } if(0==::VirtualProtect(lpvBase,dwPageSize,PAGE_EXECUTE_READ | PAGE_GUARD,&dwOldType)){ AfxMessageBox("ִʧ"); } _asm{ pop ecx call ecx //ʱѹջ safe: pop ecx //ջƽ⣬ʱѹջ } if(1==isDebugged){ AfxMessageBox("OD"); }else{ AfxMessageBox("ûOD"); } VirtualFree(lpvBase,dwPageSize,MEM_DECOMMIT); } //******************************************************** static bool isDebuggedHBP=0; LONG WINAPI TopUnhandledExceptionFilterHBP( struct _EXCEPTION_POINTERS *ExceptionInfo ) { _asm pushad AfxMessageBox("ص"); ExceptionInfo->ContextRecord->Eip=NewEip; if(0!=ExceptionInfo->ContextRecord->Dr0||0!=ExceptionInfo->ContextRecord->Dr1|| 0!=ExceptionInfo->ContextRecord->Dr2||0!=ExceptionInfo->ContextRecord->Dr3) isDebuggedHBP=1; //Ӳϵ ExceptionInfo->ContextRecord->Dr0=0; //Ӳϵ㣬0 ExceptionInfo->ContextRecord->Dr1=0; ExceptionInfo->ContextRecord->Dr2=0; ExceptionInfo->ContextRecord->Dr3=0; ExceptionInfo->ContextRecord->Dr6=0; 
ExceptionInfo->ContextRecord->Dr7=0; ExceptionInfo->ContextRecord->Eip=NewEip; //תƵȫλ _asm popad return EXCEPTION_CONTINUE_EXECUTION; } void CDetectODDlg::OnHardwarebreakpoint() { // TODO: Add your control notification handler code here lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")), "SetUnhandledExceptionFilter"); lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilterHBP); _asm{ mov NewEip,offset safe //ʽ int 3 mov isDebuggedHBP,1 //ʱҲᴥ쳣ȥӲϵ safe: } if(1==isDebuggedHBP){ AfxMessageBox("OD"); }else{ AfxMessageBox("ûOD"); } } //******************************************************** void CDetectODDlg::OnCancel() { // TODO: Add extra cleanup here CDialog::OnCancel(); } void CAboutDlg::OnMypage() { // TODO: Add your control notification handler code here ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); } void CDetectODDlg::OnAbout() { // TODO: Add your control notification handler code here CAboutDlg dlg; dlg.DoModal(); } void CAboutDlg::OnMouseMove(UINT nFlags, CPoint point) { // TODO: Add your message handler code here and/or call default CRect rect(60,20,100,100); if(rect.PtInRect(point)){ SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(NULL,IDC_HELP))); }else{ SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(AfxGetApp()->m_hInstance,IDC_ARROW))); } CDialog::OnMouseMove(nFlags, point); } BOOL CAboutDlg::OnInitDialog() { CDialog::OnInitDialog(); // TODO: Add extra initialization here SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG)))); return TRUE; // return TRUE unless you set the focus to a control // EXCEPTION: OCX Property Pages should return FALSE } void CDetectODDlg::OnOK() { // TODO: Add extra validation here CDialog::OnOK(); } void CAboutDlg::OnComeon() { // TODO: Add your control notification handler code here ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); } void 
CAboutDlg::OnMyicon() { // TODO: Add your control notification handler code here ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); } void CDetectODDlg::OnMypage2() { // TODO: Add your control notification handler code here ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL); } ================================================ FILE: 反调试技术实例VC版/DetectOD/DetectODDlg.h ================================================ // DetectODDlg.h : header file // #if !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_) #define AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_ #if _MSC_VER > 1000 #pragma once #endif // _MSC_VER > 1000 ///////////////////////////////////////////////////////////////////////////// // CDetectODDlg dialog class CDetectODDlg : public CDialog { // Construction public: CDetectODDlg(CWnd* pParent = NULL); // standard constructor // Dialog Data //{{AFX_DATA(CDetectODDlg) enum { IDD = IDD_DETECTOD_DIALOG }; // NOTE: the ClassWizard will add data members here //}}AFX_DATA // ClassWizard generated virtual function overrides //{{AFX_VIRTUAL(CDetectODDlg) protected: virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support //}}AFX_VIRTUAL // Implementation protected: HICON m_hIcon; // Generated message map functions //{{AFX_MSG(CDetectODDlg) virtual BOOL OnInitDialog(); afx_msg void OnSysCommand(UINT nID, LPARAM lParam); afx_msg void OnPaint(); afx_msg HCURSOR OnQueryDragIcon(); afx_msg void OnWndcls(); afx_msg void OnTest(); afx_msg void OnIsdebuggerpresent(); afx_msg void OnEnumwindow(); afx_msg void OnEnumProcess(); afx_msg void OnExplorer(); afx_msg void OnGetTickCount(); afx_msg void OnGetStartupInfo(); afx_msg void OnPebflags(); afx_msg void OnCheckremotedebuggerpresent(); afx_msg void OnZwqueryinfomationprocess(); afx_msg void OnSetUnhandledExceptionFilter(); afx_msg void OnZwQueryInformationProcess(); afx_msg void OnSeDebugPrivilege(); afx_msg void 
OnNTQueryObject(); afx_msg void OnDectectBreakpoints(); afx_msg void OnDectectFuncBreakpoints(); afx_msg void OnBlockInput(); afx_msg void OnChecksum(); afx_msg void OnEnableWindow(); afx_msg void OnZwSetInformationThread(); afx_msg void OnOutputDebugString(); afx_msg void OnGetEntryPoint(); afx_msg void OnButton1(); afx_msg void OnButton2(); afx_msg void OnTrapFlag(); afx_msg void OnGuardPages(); afx_msg void OnHardwarebreakpoint(); virtual void OnCancel(); afx_msg void OnAbout(); virtual void OnOK(); afx_msg void OnMypage2(); //}}AFX_MSG DECLARE_MESSAGE_MAP() }; //{{AFX_INSERT_LOCATION}} // Microsoft Visual C++ will insert additional declarations immediately before the previous line. #endif // !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_) ================================================ FILE: 反调试技术实例VC版/DetectOD/ReadMe.txt ================================================ ======================================================================== MICROSOFT FOUNDATION CLASS LIBRARY : DetectOD ======================================================================== AppWizard has created this DetectOD application for you. This application not only demonstrates the basics of using the Microsoft Foundation classes but is also a starting point for writing your application. This file contains a summary of what you will find in each of the files that make up your DetectOD application. DetectOD.dsp This file (the project file) contains information at the project level and is used to build a single project or subproject. Other users can share the project (.dsp) file, but they should export the makefiles locally. DetectOD.h This is the main header file for the application. It includes other project specific headers (including Resource.h) and declares the CDetectODApp application class. DetectOD.cpp This is the main application source file that contains the application class CDetectODApp. 
DetectOD.rc This is a listing of all of the Microsoft Windows resources that the program uses. It includes the icons, bitmaps, and cursors that are stored in the RES subdirectory. This file can be directly edited in Microsoft Visual C++. DetectOD.clw This file contains information used by ClassWizard to edit existing classes or add new classes. ClassWizard also uses this file to store information needed to create and edit message maps and dialog data maps and to create prototype member functions. res\DetectOD.ico This is an icon file, which is used as the application's icon. This icon is included by the main resource file DetectOD.rc. res\DetectOD.rc2 This file contains resources that are not edited by Microsoft Visual C++. You should place all resources not editable by the resource editor in this file. ///////////////////////////////////////////////////////////////////////////// AppWizard creates one dialog class: DetectODDlg.h, DetectODDlg.cpp - the dialog These files contain your CDetectODDlg class. This class defines the behavior of your application's main dialog. The dialog's template is in DetectOD.rc, which can be edited in Microsoft Visual C++. ///////////////////////////////////////////////////////////////////////////// Other standard files: StdAfx.h, StdAfx.cpp These files are used to build a precompiled header (PCH) file named DetectOD.pch and a precompiled types file named StdAfx.obj. Resource.h This is the standard header file, which defines new resource IDs. Microsoft Visual C++ reads and updates this file. ///////////////////////////////////////////////////////////////////////////// Other notes: AppWizard uses "TODO:" to indicate parts of the source code you should add to or customize. 
If your application uses MFC in a shared DLL, and your application is in a language other than the operating system's current language, you will need to copy the corresponding localized resources MFC42XXX.DLL from the Microsoft Visual C++ CD-ROM onto the system or system32 directory, and rename it to be MFCLOC.DLL. ("XXX" stands for the language abbreviation. For example, MFC42DEU.DLL contains resources translated to German.) If you don't do this, some of the UI elements of your application will remain in the language of the operating system. ///////////////////////////////////////////////////////////////////////////// ================================================ FILE: 反调试技术实例VC版/DetectOD/StdAfx.cpp ================================================ // stdafx.cpp : source file that includes just the standard includes // DetectOD.pch will be the pre-compiled header // stdafx.obj will contain the pre-compiled type information #include "stdafx.h" ================================================ FILE: 反调试技术实例VC版/DetectOD/StdAfx.h ================================================ // stdafx.h : include file for standard system include files, // or project specific include files that are used frequently, but // are changed infrequently // #if !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_) #define AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_ #if _MSC_VER > 1000 #pragma once #endif // _MSC_VER > 1000 #define VC_EXTRALEAN // Exclude rarely-used stuff from Windows headers #include // MFC core and standard components #include // MFC extensions #include // MFC Automation classes #include // MFC support for Internet Explorer 4 Common Controls #ifndef _AFX_NO_AFXCMN_SUPPORT #include // MFC support for Windows Common Controls #endif // _AFX_NO_AFXCMN_SUPPORT //{{AFX_INSERT_LOCATION}} // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 
#endif // !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_) ================================================ FILE: 反调试技术实例VC版/DetectOD/res/DetectOD.rc2 ================================================ // // DETECTOD.RC2 - resources Microsoft Visual C++ does not edit directly // #ifdef APSTUDIO_INVOKED #error this file is not editable by Microsoft Visual C++ #endif //APSTUDIO_INVOKED ///////////////////////////////////////////////////////////////////////////// // Add manually edited resources here... ///////////////////////////////////////////////////////////////////////////// ================================================ FILE: 反调试技术实例VC版/DetectOD/resource.h ================================================ //{{NO_DEPENDENCIES}} // Microsoft Developer Studio generated include file. // Used by DetectOD.rc // #define IDC_ABOUT 3 #define IDM_ABOUTBOX 0x0010 #define IDD_ABOUTBOX 100 #define IDS_ABOUTBOX 101 #define IDD_DETECTOD_DIALOG 102 #define IDR_MAINFRAME 128 #define IDI_DOG 129 #define IDI_ICON2 133 #define IDC_WNDCLS 1000 #define IDC_ISDEBUGGERPRESENT 1002 #define IDC_ENUMWINDOW 1003 #define IDC_EnumProcess 1004 #define IDC_Explorer 1005 #define IDC_GetTickCount 1006 #define IDC_GetStartupInfo 1007 #define IDC_PEBFLAGS 1008 #define IDC_CHECKREMOTEDEBUGGERPRESENT 1009 #define IDC_ZwQueryInformationProcess 1010 #define IDC_SetUnhandledExceptionFilter 1014 #define IDC_MYPAGE 1014 #define IDC_SeDebugPrivilege 1015 #define IDC_COMEON 1015 #define IDC_MYICON 1016 #define IDC_MYPAGE2 1016 #define IDC_NTQueryObject 1017 #define IDC_DectectBreakpoints 1018 #define IDC_DectectFuncBreakpoints 1019 #define IDC_BlockInput 1020 #define IDC_CHECKSUM 1021 #define IDC_EnableWindow 1022 #define IDC_ZwSetInformationThread 1023 #define IDC_OutputDebugString 1024 #define IDC_GetEntryPoint 1025 #define IDC_TrapFlag 1026 #define IDC_GuardPages 1027 #define IDC_HARDWAREBREAKPOINT 1028 // Next default values for new objects // #ifdef APSTUDIO_INVOKED #ifndef 
APSTUDIO_READONLY_SYMBOLS
/* Tail of the generated resource.h: AppStudio's "next free ID" counters.
 * Maintained by the resource editor; not meant to be hand-edited. */
#define _APS_NEXT_RESOURCE_VALUE 134
#define _APS_NEXT_COMMAND_VALUE 32771
#define _APS_NEXT_CONTROL_VALUE 1017
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
================================================ FILE: 反调试技术实例VC版/DetectOD/tlssup.c ================================================
// tlssup.c
// (The original one-line header comment was mis-encoded in this copy; it
//  appears to read "tlssup.c file code:".)
//
// Purpose: hand-rolled TLS directory for the DetectOD sample. Defining
// `_tls_used` in `.rdata$T` is what makes the linker emit a PE TLS directory
// (IMAGE_DIRECTORY_ENTRY_TLS) for this image, with `AddressOfCallBacks`
// pointing at `my_tls_callbacktbl`. The loader runs those callbacks before the
// image entry point, which is why this project uses them for its checks and
// why, when triaging a binary, the TLS directory's callback table is worth
// inspecting alongside the entry point.
//
// NOTE(review): both header names were lost in extraction; presumably at least
// one of them is <windows.h> (needed for DWORD / IMAGE_TLS_DIRECTORY32 /
// PIMAGE_TLS_CALLBACK) — confirm against the original file.
#include
#include

// TLS slot index; the loader writes the module's index here at load time.
int _tls_index=0;

// `.tls` / `.tls$ZZZ` bracket the raw TLS data area. With only these two
// markers the image carries no actual thread-local data; the section exists
// so the directory has valid start/end addresses.
#pragma data_seg(".tls")
int _tls_start=0;
#pragma data_seg(".tls$ZZZ")
int _tls_end=0;

// `.CRT$XLA` / `.CRT$XLZ` are the bracket symbols the MSVC CRT uses around
// its own TLS callback pointer table. They are declared here but NOT
// referenced by `_tls_used` below, which points at `my_tls_callbacktbl`
// instead — presumably kept for parity with the CRT's tlssup.c; verify they
// are still needed.
#pragma data_seg(".CRT$XLA")
int __xl_a=0;
#pragma data_seg(".CRT$XLZ")
int __xl_z=0;

// `.rdata$T` is where the linker expects the TLS directory image
// (`_tls_used`); the PE header's TLS data directory is pointed at it.
#pragma data_seg(".rdata$T")

// Null-terminated table of PIMAGE_TLS_CALLBACK entries; defined in another
// translation unit of this project (not visible here).
extern PIMAGE_TLS_CALLBACK my_tls_callbacktbl[];

// Field order follows IMAGE_TLS_DIRECTORY32:
//   StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
//   AddressOfCallBacks, SizeOfZeroFill, Characteristics.
// The `(DWORD)` casts truncate pointers, so this is correct only for a
// 32-bit build; a 64-bit build would need IMAGE_TLS_DIRECTORY64 with
// 64-bit address fields.
IMAGE_TLS_DIRECTORY32 _tls_used={(DWORD)&_tls_start,(DWORD)&_tls_end,(DWORD)&_tls_index,(DWORD)my_tls_callbacktbl,0,0};
