
[原创]别喷我啊,(测试反OD程序)

2010-8-5 20:28
6610
附加试试
打开也试试
技术含量很低



开源了,加了VM 我都怕了!

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, tlhelp32, PSAPI, StrUtils;

type
  { Main (and only) form. The three labels are detection indicators: each one
    is written by exactly one check in this unit and is never cleared again. }
  TForm1 = class(TForm)
    Label1: TLabel;   // set by ScanOD when the byte at ntdll!DbgBreakPoint is still INT3 ($CC)
    Label2: TLabel;   // set by ScanOD when AntiLoader reports a parent other than %windir%\EXPLORER.EXE
    Label3: TLabel;   // set by Scan_FindWin when a top-level window title matches its heuristic
    procedure FormCreate(Sender: TObject);  // locks the exe, patches DbgBreakPoint, starts the ScanOD timer
    procedure FormShow(Sender: TObject);    // starts the Scan_FindWin timer
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;
  NOP: Byte;           // the $90 that PatchInt3 writes over the INT3 of DbgBreakPoint
  NTDLL: THandle;      // module handle of NTDLL.DLL, resolved by PatchInt3
  BytesWritten: DWORD; // byte count reported by WriteProcessMemory in PatchInt3
  Address: Pointer;    // address of ntdll!DbgBreakPoint; stays nil if PatchInt3 could not resolve it
  RAddress: Byte;      // byte currently found at Address, re-read by ScanOD on every timer tick

implementation

{$R *.dfm}

const
  // Appended to the Windows directory by AntiLoader to form the expected parent path.
  ParentName = '\EXPLORER.EXE';
  // Indicator captions (Chinese). L1: "OD attach detected"; L2: "OD start detected (AntiLoader)";
  // L3: "OD start detected (ScanOD)". Note that L3 names ScanOD but is written by Scan_FindWin.
  L1: string = '检测OD附加...';
  L2: string = '检测OD启动AntiLoader...';
  L3: string = '检测OD启动ScanOD...';

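procedure SetPrivilege;
{ Enables SeDebugPrivilege in the current process token.
  Not referenced anywhere in this unit; AntiLoader opens the parent process
  without it.
  Fixes vs. the original: the result of OpenProcessToken was ignored, so an
  uninitialised handle reached AdjustTokenPrivileges/CloseHandle on failure;
  the token was opened with TOKEN_ALL_ACCESS although only adjust and query
  rights are needed; and the handle was not closed on an exception. }
var
  TPPrev, TP: TTokenPrivileges;
  TokenHandle: THandle;
  dwRetLen: DWORD;
  lpLuid: TLargeInteger;
begin
  // Least privilege: adjusting needs TOKEN_ADJUST_PRIVILEGES, and TOKEN_QUERY
  // lets AdjustTokenPrivileges hand back the previous state in TPPrev.
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, TokenHandle) then
    Exit;
  try
    if LookupPrivilegeValue(nil, 'SeDebugPrivilege', lpLuid) then
    begin
      TP.PrivilegeCount := 1;
      TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
      TP.Privileges[0].Luid := lpLuid;
      // AdjustTokenPrivileges returns True even when the token does not hold the
      // privilege (GetLastError = ERROR_NOT_ALL_ASSIGNED); this procedure has no
      // result, so callers cannot tell whether the privilege is actually enabled.
      AdjustTokenPrivileges(TokenHandle, False, TP, SizeOf(TPPrev), TPPrev, dwRetLen);
    end;
  finally
    CloseHandle(TokenHandle);
  end;
end;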

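procedure PatchInt3;
{ Replaces the INT3 ($CC) at the start of ntdll!DbgBreakPoint in this process
  with a NOP. A debugger that attaches runs a thread through DbgBreakPoint; with
  the INT3 gone that thread returns without stopping. ScanOD later re-reads the
  same byte through the global Address to notice when the INT3 is back.
  Side effects: sets the globals NTDLL and Address; the patch is never undone.
  Does nothing on non-NT platforms, when NTDLL.DLL or the export cannot be
  resolved, or when the first byte is not $CC.
  Fixes vs. the original: the opcode is read through a typed PByte instead of
  dereferencing the untyped Address, and the NOP and the written byte count are
  locals instead of the globals NOP/BytesWritten. }
const
  OpInt3 = $CC;
var
  NopOpcode: Byte;
  Written: DWORD;
begin
  asm
  db $EB,$10,'VMProtect begin',0
  end;
  if Win32Platform <> VER_PLATFORM_WIN32_NT then Exit;
  NTDLL := GetModuleHandle('NTDLL.DLL');
  if NTDLL = 0 then Exit;
  Address := GetProcAddress(NTDLL, 'DbgBreakPoint');
  if Address = nil then Exit;
  try
    // Patch only when the export really starts with INT3; anything else means an
    // unexpected ntdll build or a byte that was already patched.
    if PByte(Address)^ <> OpInt3 then Exit;
    NopOpcode := $90;
    // WriteProcessMemory is used on the own process because it takes care of the
    // code page's protection; the result is only trusted when exactly one byte
    // was written.
    if WriteProcessMemory(GetCurrentProcess, Address, @NopOpcode, 1, Written) and (Written = 1) then
      FlushInstructionCache(GetCurrentProcess, Address, 1);
  except
    // Best effort: an access violation while probing the byte is ignored,
    // everything else propagates.
    on EAccessViolation do ;
  else
    raise;
  end;
  asm
  db $EB,$0E,'VMProtect end',0
  end;
end;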

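function AntiLoader(): Boolean;
{ Returns True when this process was NOT started by %windir%\EXPLORER.EXE,
  i.e. when the parent process' image path differs from that path, or when
  the parent cannot be opened or queried at all.
  Returns False when the parent is the shell, when the process snapshot cannot
  be taken, or when it cannot be walked.
  Caveat: every non-shell parent (a command prompt, a launcher, another shell,
  or a process whose PID was reused after the real parent exited) yields True,
  so the result is a hint, not proof of a debugger.
  Fixes vs. the original: the parent process handle was never closed (one
  handle leaked per call, and ScanOD calls this every 100 ms); the walk kept
  going over the remaining processes after the own entry was handled; the
  expected path was built with StrCat into a MAX_PATH buffer; and the parent
  is opened with the query rights GetModuleFileNameEx needs instead of
  PROCESS_ALL_ACCESS. }
var
  hSnap, hProcess: THandle;
  WinDir: array[0..MAX_PATH] of Char;
  FileName: array[0..MAX_PATH] of Char;
  Process32: PROCESSENTRY32;
  ExpectedParent: string;
  Found: BOOL;
begin
  asm
  db $EB,$10,'VMProtect begin',0
  end;
  Result := False;
  hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if hSnap = INVALID_HANDLE_VALUE then Exit;
  try
    Process32.dwSize := SizeOf(PROCESSENTRY32);
    Found := Process32First(hSnap, Process32);
    if not Found then Exit;
    // Same contract as before: once the snapshot can be walked, everything but
    // a parent whose path equals the shell path counts as suspicious.
    Result := True;
    while Found do
    begin
      if Process32.th32ProcessID = GetCurrentProcessId() then
      begin
        hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, Process32.th32ParentProcessID);
        if hProcess <> 0 then
        begin
          try
            if GetModuleFileNameEx(hProcess, 0, FileName, MAX_PATH) <> 0 then
            begin
              GetWindowsDirectory(WinDir, MAX_PATH);
              ExpectedParent := string(WinDir) + ParentName;
              Result := UpperCase(string(FileName)) <> UpperCase(ExpectedParent);
            end;
          finally
            CloseHandle(hProcess);
          end;
        end;
        Break; // the own entry has been handled; the rest of the list is irrelevant
      end;
      Found := Process32Next(hSnap, Process32);
    end;
  finally
    CloseHandle(hSnap);
  end;
  asm
  db $EB,$0E,'VMProtect end',0
  end;
end;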

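procedure ScanOD(Wnd: HWND; Msg: UINT; TimerId: UINT; Tick: DWORD); stdcall;
{ Timer callback installed by TForm1.FormCreate (every 100 ms).
  Re-reads the first byte of ntdll!DbgBreakPoint through the global Address
  (set by PatchInt3) and sets Label1 when it is INT3 again; sets Label2 when
  AntiLoader reports a non-shell parent. Captions are only ever set, never
  cleared. The parameters are the TIMERPROC arguments and are unused.
  Fixes vs. the original: the procedure is passed to SetTimer as a TIMERPROC
  but was declared parameterless with the register convention, so the stack
  was not balanced after each call; it now carries the stdcall TIMERPROC
  signature (the @ScanOD argument to SetTimer is unchanged, and the unit's
  interface section does not export it). The byte read moved from inline asm
  to a PByte dereference and is skipped while Address is nil, which used to
  read through a nil pointer from inside the timer callback when PatchInt3
  had bailed out early. }
begin
  asm
  db $EB,$10,'VMProtect begin',0
  end;
  if Address <> nil then
  begin
    RAddress := PByte(Address)^;
    if RAddress = $CC then Form1.Label1.Caption := L1;
  end;
  if AntiLoader then Form1.Label2.Caption := L2;
  asm
  db $EB,$0E,'VMProtect end',0
  end;
end;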

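procedure Scan_FindWin(Wnd: HWND; Msg: UINT; TimerId: UINT; Tick: DWORD); stdcall;
{ Timer callback installed by TForm1.FormShow (every 100 ms).
  Walks the top-level windows in Z order, starting from the first sibling of
  Form1's window, and sets Label3 when some window title (uppercased) contains
  the application title or the exe file name AND one of .EXE/.COM/.BAT/.SCR
  AND the separator ' - '. This is a heuristic for a debugger that shows the
  debuggee's name in its title bar; any other window whose title happens to
  match (a file manager or editor showing the exe, for instance) triggers it
  as well, and the caption is never cleared. The parameters are the TIMERPROC
  arguments and are unused.
  Fixes vs. the original: carries the stdcall TIMERPROC signature SetTimer
  expects (the previous parameterless register declaration left the stack
  unbalanced after each call); the application title and exe name are
  uppercased once instead of once per window. }
var
  Title: array[0..255] of Char;
  h: HWND;
  AppTitle, ExeName, WinTitle: string;
begin
  asm
  db $EB,$10,'VMProtect begin',0
  end;
  AppTitle := UpperCase(Application.Title);
  ExeName := UpperCase(ExtractFileName(Application.ExeName));
  h := GetWindow(Form1.Handle, GW_HWNDFIRST);
  while h <> 0 do
  begin
    if GetWindowText(h, Title, 255) > 0 then
    begin
      WinTitle := UpperCase(StrPas(Title));
      if ((Pos(ExeName, WinTitle) > 0) or (Pos(AppTitle, WinTitle) > 0))
        and ((Pos('.EXE', WinTitle) > 0) or (Pos('.COM', WinTitle) > 0)
          or (Pos('.BAT', WinTitle) > 0) or (Pos('.SCR', WinTitle) > 0))
        and (Pos(' - ', WinTitle) > 0) then
        Form1.Label3.Caption := L3;
    end;
    h := GetWindow(h, GW_HWNDNEXT);
  end;
  asm
  db $EB,$0E,'VMProtect end',0
  end;
end;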

procedure OccupyFile(lpFileName: string);
{ Opens lpFileName read-only with share mode 0 (no sharing) and keeps the
  handle open for the rest of the process' life, so other processes cannot
  open the running executable meanwhile. The handle is deliberately never
  closed, and a failed open (INVALID_HANDLE_VALUE) is silently ignored. }
var
  Keeper: THandle;
begin
  Keeper := CreateFileA(PChar(lpFileName), GENERIC_READ, 0, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  // Keeper is intentionally leaked: closing it would release the lock.
end;

procedure TForm1.FormCreate(Sender: TObject);
{ Startup sequence: lock the running exe (OccupyFile), patch
  ntdll!DbgBreakPoint (PatchInt3), then start the 100 ms ScanOD timer.
  The timer is created without a window (hWnd = 0), so its real id is the
  SetTimer return value rather than the 1 passed here; it is never killed.
  SetTimer invokes the callback as a stdcall TIMERPROC (hWnd, uMsg, idEvent,
  dwTime); ScanOD must match that signature. }
var
  ExePath: string;
begin
  asm
  db $EB,$10,'VMProtect begin',0
  end;
  ExePath := Application.ExeName;
  OccupyFile(ExePath);
  PatchInt3;
  SetTimer(0, 1, 100, @ScanOD);
  asm
  db $EB,$0E,'VMProtect end',0
  end;
end;

procedure TForm1.FormShow(Sender: TObject);
{ Starts the 100 ms window-title scan (Scan_FindWin) as timer 2 on the form's
  window. Showing the form again re-issues SetTimer with the same window and
  id, which replaces the existing timer instead of adding a second one.
  SetTimer invokes the callback as a stdcall TIMERPROC (hWnd, uMsg, idEvent,
  dwTime); Scan_FindWin must match that signature. }
const
  WindowScanTimer = 2;
  ScanIntervalMs = 100;
begin
  asm
  db $EB,$10,'VMProtect begin',0
  end;
  SetTimer(Form1.Handle, WindowScanTimer, ScanIntervalMs, @Scan_FindWin);
  asm
  db $EB,$0E,'VMProtect end',0
  end;
end;

end.


上传的附件:
最新回复 (6)
2
可以放出源代码么  附件是怎么做到了 停止输出调试事件么
2010-8-16 08:39
3
打错了 附加是怎么做到的 是停止输出调试事件么
2010-8-16 08:39
4
anti anti attach
上传的附件:
2010-8-16 20:25
5
如果DbgBreakPoint的首字节为0xCC,则No1有反应;
如果父进程的文件全名不等于%Windir%/explorer.exe,则No2有反应;
如果找到OD窗口的某些信息,则No3有反应。

具体什么信息似乎是窗口文本中有没有‘ - ’...
2010-8-16 21:11
6
呵呵全部猜中了楼上的
2010-8-17 04:52
7
开源开源
2010-8-20 03:13