吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 2572|回复: 3
收起左侧

[C&C++ 转载] 常用的反调试技术总结

  [复制链接]
52lxw 发表于 2019-10-12 00:09
[C++] 纯文本查看 复制代码
//
//

//#include "stdafx.h"
#include <iostream>
#include <Windows.h>
using	namespace std;

enum PROCESSINFOCLASS//

{

	ProcessBasicInformation = 0,

	ProcessQuotaLimits,

	ProcessIoCounters,

	ProcessVmCounters,

	ProcessTimes,

	ProcessBasePriority,

	ProcessRaisePriority,

	ProcessDebugPort = 7,

	ProcessExceptionPort,

	ProcessAccessToken,

	ProcessLdtInformation,

	ProcessLdtSize,

	ProcessDefaultHardErrorMode,

	ProcessIoPortHandlers,

	ProcessPooledUsageAndLimits,

	ProcessWorkingSetWatch,

	ProcessUserModeIOPL,

	ProcessEnableAlignmentFaultFixup,

	ProcessPriorityClass,

	ProcessWx86Information,

	ProcessHandleCount,

	ProcessAffinityMask,

	ProcessPriorityBoost,

	MaxProcessInfoClass,

	ProcessWow64Information = 26,

	ProcessImageFileName = 27,

	ProcessDebugObjectHandle = 30,

	ProcessDebugFlags = 31,

	SystemKernelDebuggerInformation = 35

};

typedef enum _THREADINFOCLASS {
	ThreadBasicInformation,
	ThreadTimes,
	ThreadPriority,
	ThreadBasePriority,
	ThreadAffinityMask,
	ThreadImpersonationToken,
	ThreadDescriptorTableEntry,
	ThreadEnableAlignmentFaultFixup,
	ThreadEventPair_Reusable,
	ThreadQuerySetWin32StartAddress,
	ThreadZeroTlsCell,
	ThreadPerformanceCount,
	ThreadAmILastThread,
	ThreadIdealProcessor,
	ThreadPriorityBoost,
	ThreadSetTlsArrayAddress,
	ThreadIsIoPending,
	ThreadHideFromDebugger,
	ThreadBreakOnTermination,
	MaxThreadInfoClass
} THREADINFOCLASS;

typedef NTSTATUS(WINAPI *NtQueryInformationProcessPtr)(
	HANDLE processHandle,
	PROCESSINFOCLASS processInformationClass,
	PVOID processInformation,
	ULONG processInformationLength,
	PULONG returnLength);

typedef NTSTATUS(*NtSetInformationThreadPtr)(HANDLE threadHandle,
	THREADINFOCLASS threadInformationClass,
	PVOID threadInformation,
	ULONG threadInformationLength);

bool PebNtGlobalFlagsApproach(){ //可用
	int	result;
	__asm{
		mov eax, fs:[30h]
		mov eax, [eax+68h]
		and eax,70
		mov result,eax
	}
	return result!=0;
}

bool HeapFlagsApproach(){ //win7 x64测试没用
	int result;
	__asm{
		mov eax, fs:[30h]
		mov eax, [eax+18h]
		mov eax, [eax+10h]
		mov result,eax
	}
	return result;
}

bool NtQueryInformationProcessApproach(){ //可用
	int DebugPort = 0;
	HMODULE	hNtdll = LoadLibrary(TEXT("Ntdll.dll"));
	NtQueryInformationProcessPtr NtQueryInformationProcess = (NtQueryInformationProcessPtr)GetProcAddress(hNtdll, "NtQueryInformationProcess");
	if (NtQueryInformationProcess(GetCurrentProcess(), (PROCESSINFOCLASS)7, &DebugPort, sizeof(DebugPort), NULL))
		printf("[ERROR NtQueryInformationProcessApproach] NtQueryInformationProcess failed\n");
	else
		return DebugPort == -1;
	return false;
}

void NtSetInformationThreadApproach(){ //可用
	HMODULE	hNtdll = LoadLibrary(TEXT("Ntdll.dll"));
	NtSetInformationThreadPtr NtSetInformationThread = (NtSetInformationThreadPtr)GetProcAddress(hNtdll, "NtSetInformationThread");
	NtSetInformationThread(GetCurrentThread(), (THREADINFOCLASS)0x11, 0, 0);
}

LONG WINAPI MyUnhandledExceptionFilter(struct _EXCEPTION_POINTERS *pei){
	SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)
	pei->ContextRecord->Eax);
	// 修改寄存器eip的值
	pei->ContextRecord->Eip += 2;
	// 告诉操作系统,继续执行进程剩余的指令(指令保存在eip里),而不是关闭进程
	return EXCEPTION_CONTINUE_EXECUTION;
}

bool UnhandledExceptionFilterApproach() //实用
{
	
	SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);
	__asm{
		// 将eax清零
		xor eax, eax
		// 触发一个除零异常
		div eax
	}
	return false;
}

bool	DeleteFiberApproach()//效果不好 win7 x64
{
	char	fib[1024] = { 0 };
	DeleteFiber(fib);
	return GetLastError() != 0x57;
}
int _tmain(int argc, _TCHAR* argv[])
{

	UnhandledExceptionFilterApproach();

	cout << "hello" << endl;
	//system("pause");
	getchar();
	return 0;
}


免费评分

参与人数 3吾爱币 +5 热心值 +2 收起 理由
苏紫方璇 + 3 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
涛之雨 + 1 + 1 谢谢楼主!有安卓的嘛(动态调试)
浮华世界forever + 1 用心讨论,共获提升!

查看全部评分

本帖被以下淘专辑推荐:

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

zhenghui99 发表于 2019-10-12 07:31
小白表示看不懂,但是要支持楼主大人
daymissed 发表于 2019-10-12 08:47
yaoyao7 发表于 2019-10-12 09:17
这么看起来就清晰多了,比那些只有方法论没有干货的好多了,感谢
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则 警告:本版块禁止灌水或回复与主题无关内容,违者重罚!

快速回复 收藏帖子 返回列表 搜索

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-3-29 07:40

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表