[Help] An anti-debugging code snippet I can't make sense of
Posted on: 2012-10-14 19:32
00504F55 |. FF15 08F25100 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
00504F5B |. A3 F8715700 MOV DWORD PTR DS:[5771F8],EAX
00504F60 |. 6A 01 PUSH 1
00504F62 |. E8 D7030000 CALL <JMP.&MSVCR80._crt_debugger_hook>
00504F67 |. 59 POP ECX
00504F68 |. 6A 00 PUSH 0 ; /pTopLevelFilter = NULL
00504F6A |. FF15 3CF25100 CALL DWORD PTR DS:[<&KERNEL32.SetUnhandl>; \SetUnhandledExceptionFilter
00504F70 |. 68 54245400 PUSH 8021x.00542454 ; /╭w
00504F75 |. FF15 0CF25100 CALL DWORD PTR DS:[<&KERNEL32.UnhandledE>; \UnhandledExceptionFilter
00504F7B |. 833D F8715700>CMP DWORD PTR DS:[5771F8],0
00504F82 |. 75 08 JNZ SHORT 8021x.00504F8C
00504F84 |. 6A 01 PUSH 1
00504F86 |. E8 B3030000 CALL <JMP.&MSVCR80._crt_debugger_hook>
00504F8B |. 59 POP ECX
00504F8C |> 68 090400C0 PUSH C0000409 ; /ExitCode = C0000409 (-1073740791.)
00504F91 |. FF15 A4F35100 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; |[GetCurrentProcess
00504F97 |. 50 PUSH EAX ; |hProcess
00504F98 |. FF15 C0F25100 CALL DWORD PTR DS:[<&KERNEL32.TerminateP>; \TerminateProcess
00504F9E |. C9 LEAVE
00504F9F \. C3 RETN
First time posting code, I don't know how to paste it properly... sorry...
While working on the anti (protection), analyzing the code, I found this anti-debugging code, but no matter how I analyze it, this code always exits the program.. I don't understand it,, it has already been established that IsDebuggerPresent appears in this one place only, the driver protection has already been broken, and patching this code does nothing.... It must be either an scr or an MD5 check.... Could the experts please look at the code above and analyze what this code does (it looks to me like it exits the program either way..)
Thanks~~
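Added example (Python, not from the post or from any reply): a small static reader for the listing above. It parses the OllyDbg lines, replays the PUSHes on a model stack to pair each CALL with its arguments, checks that every path through the block reaches TerminateProcess, and compares the call sequence with the one in the VC8 CRT's __report_gsfailure (gs_report.c), the /GS stack-cookie failure handler, whose shape this block has: _crt_debugger_hook(1) where 1 is _CRT_DEBUGGER_GSFAILURE, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter(&record), and TerminateProcess with 0xC0000409, which is STATUS_STACK_BUFFER_OVERRUN. The only debugger-dependent difference is whether the hook is called a second time; both paths terminate the process, so the block is the reporter for a cookie mismatch detected earlier, not a place where the program decides anything. Assumptions: the mnemonic set and the import-arity table cover only what appears in this listing, and the sample input is a copy of the listing from the post with one garbled trailing comment dropped.

```python
import re

# Copy of the OllyDbg listing from the post, used as the sample input
# (the garbled comment after PUSH 8021x.00542454 was dropped).
LISTING = r"""
00504F55 |. FF15 08F25100 CALL DWORD PTR DS:[<&KERNEL32.IsDebugger>; [IsDebuggerPresent
00504F5B |. A3 F8715700 MOV DWORD PTR DS:[5771F8],EAX
00504F60 |. 6A 01 PUSH 1
00504F62 |. E8 D7030000 CALL <JMP.&MSVCR80._crt_debugger_hook>
00504F67 |. 59 POP ECX
00504F68 |. 6A 00 PUSH 0 ; /pTopLevelFilter = NULL
00504F6A |. FF15 3CF25100 CALL DWORD PTR DS:[<&KERNEL32.SetUnhandl>; \SetUnhandledExceptionFilter
00504F70 |. 68 54245400 PUSH 8021x.00542454
00504F75 |. FF15 0CF25100 CALL DWORD PTR DS:[<&KERNEL32.UnhandledE>; \UnhandledExceptionFilter
00504F7B |. 833D F8715700>CMP DWORD PTR DS:[5771F8],0
00504F82 |. 75 08 JNZ SHORT 8021x.00504F8C
00504F84 |. 6A 01 PUSH 1
00504F86 |. E8 B3030000 CALL <JMP.&MSVCR80._crt_debugger_hook>
00504F8B |. 59 POP ECX
00504F8C |> 68 090400C0 PUSH C0000409 ; /ExitCode = C0000409 (-1073740791.)
00504F91 |. FF15 A4F35100 CALL DWORD PTR DS:[<&KERNEL32.GetCurrent>; |[GetCurrentProcess
00504F97 |. 50 PUSH EAX ; |hProcess
00504F98 |. FF15 C0F25100 CALL DWORD PTR DS:[<&KERNEL32.TerminateP>; \TerminateProcess
00504F9E |. C9 LEAVE
00504F9F \. C3 RETN
"""

MNEMONICS = {"CALL", "MOV", "PUSH", "POP", "CMP", "JNZ", "JMP", "LEAVE", "RETN"}
# Full import names (OllyDbg truncated them) and the number of stack arguments
# each call consumes; _crt_debugger_hook is cdecl, cleaned up by the POP ECX.
API_ARITY = {"IsDebuggerPresent": 0, "_crt_debugger_hook": 1,
             "SetUnhandledExceptionFilter": 1, "UnhandledExceptionFilter": 1,
             "GetCurrentProcess": 0, "TerminateProcess": 2}
# Call order of __report_gsfailure in the VC8 CRT; 1 == _CRT_DEBUGGER_GSFAILURE.
GS_FAILURE_CALLS = ["IsDebuggerPresent", "_crt_debugger_hook",
                    "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
                    "_crt_debugger_hook", "GetCurrentProcess", "TerminateProcess"]
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # exit code pushed before TerminateProcess


def parse_listing(text):
    """Return [(address, mnemonic, operand string)] from OllyDbg-style lines."""
    insns = []
    for raw in text.splitlines():
        body = raw.split(";", 1)[0]
        # OllyDbg glues a '>' onto a truncated byte column: "...5700>CMP".
        body = re.sub(r"(?<=[0-9A-F])>(?=[A-Z])", " ", body)
        tokens = body.split()
        if not tokens or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
            continue
        idx = next((i for i, t in enumerate(tokens) if i and t in MNEMONICS), None)
        if idx is not None:
            insns.append((int(tokens[0], 16), tokens[idx], " ".join(tokens[idx + 1:])))
    return insns


def canonical(short):
    """Map a truncated import name such as 'SetUnhandl' to its full name."""
    return next((full for full in API_ARITY if full.startswith(short)), short)


def reconstruct_calls(insns):
    """Pair each CALL with its arguments by replaying PUSHes on a model stack."""
    stack, calls = [], []
    for addr, mnem, ops in insns:
        if mnem == "PUSH":
            stack.append(ops)
        elif mnem == "CALL":
            m = re.search(r"<(?:&|JMP\.&)\w+\.(\w+)>", ops)
            name = canonical(m.group(1)) if m else ops
            # A zero-argument call leaves earlier pushes in place: this is how the
            # ExitCode pushed before GetCurrentProcess() reaches TerminateProcess().
            cut = max(len(stack) - API_ARITY.get(name, len(stack)), 0)
            args = stack[cut:][::-1]  # last pushed = first argument
            del stack[cut:]
            calls.append((addr, name, args))
    return calls


def all_paths_terminate(insns):
    """True if no control-flow path can leave the block before TerminateProcess."""
    calls = reconstruct_calls(insns)
    term = next((a for a, n, _ in calls if n == "TerminateProcess"), None)
    if term is None:
        return False
    start = insns[0][0]
    for addr, mnem, ops in insns:
        if addr >= term:
            break
        if mnem in ("RETN", "JMP"):  # early return or unconditional jump away
            return False
        if mnem.startswith("J"):     # conditional jump: target must stay inside
            m = re.search(r"([0-9A-F]{8})\s*$", ops)
            if not m or not start <= int(m.group(1), 16) <= term:
                return False
    return True


def classify(text):
    """Name the block if it is the CRT /GS failure reporter, else 'unknown'."""
    insns = parse_listing(text)
    calls = reconstruct_calls(insns)
    names = [n for _, n, _ in calls]
    exit_code = next((int(a[1], 16) for _, n, a in calls
                      if n == "TerminateProcess" and len(a) == 2), None)
    if (names == GS_FAILURE_CALLS and exit_code == STATUS_STACK_BUFFER_OVERRUN
            and all_paths_terminate(insns)):
        return "crt_gs_failure_report"
    return "unknown"
```

classify(LISTING) returns "crt_gs_failure_report"; change the JNZ target to an address past the TerminateProcess call and it returns "unknown", which is the test that separates a crash reporter from a real decision point. For triage this means the process is exiting because a /GS-protected function found its stack cookie corrupted somewhere before this block was reached; the cause of the exit lies upstream, not in the IsDebuggerPresent call here.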