反调试是软件保护壳的最基本的功能之一。
反调试方法也是多种多样。通过调用标准的API接口,计算指令时间差。查看当调试器加载后的
内存的一些标志,还有就是判断当前运行环境是否合乎逻辑等方法。这里收集了一些反调试的方法,其中的命名规则使用了壳狼的反调试程序的方式,希望不要和我收取版权的费用。^_^,其中借鉴了不少壳狼的函数。增加了一些,也删除了一些。大部分的参考资料来自<<脱壳的艺术>>,<<Anti-UnPacker Tricks>>与<<加密与解密第三版>>。
这里要说明的一点是。每个函数编写都是自己建立堆栈了,看的不习惯的多看下就习惯了 呵呵。
原因也很简单,MASM不允许在函数内定义函数了。
这些函数还有一个要讲的是:因为这些函数最后要在以后的章节中用到,
为了能允许用户自定义反调试的功能、免去重定位的麻烦,所以
利用栈传递了API集合地址和外部函数集合的地址。
朋友们还是先看代码了。。。
利用IsDebuggerPresent确定是否存在,IsDebuggerPresent是WIN提供的一个标准调试API
用于确定是否存在调试器。这个方法很简单:返回TRUE为存在,FALSE则为不存在。
;; ------------------------------------------------------------------
;; FD_IsDebuggerPresent
;; Thin stdcall wrapper around IsDebuggerPresent, reached through the
;; caller-supplied API table (the table address is passed on the stack,
;; see the introduction, so no relocation is needed).
;; In:   [esp+4] = pointer to WIN32APIBASE
;; Out:  eax = value returned by IsDebuggerPresent (nonzero = debugger)
;; Clobbers: eax, flags, plus whatever the called API clobbers
;; Stack: no frame; retn 04h pops the single argument
;; ------------------------------------------------------------------
FD_IsDebuggerPresent:
FD_IsDebugger_Arg_Win32Api equ 04h                ; argument sits just above the return address
mov eax, dword ptr [esp+FD_IsDebugger_Arg_Win32Api] ; eax = API table
assume eax : ptr WIN32APIBASE
call dword ptr [eax].xIsDebuggerPresent            ; result is passed through unchanged
Exit_FD_IsDebuggerPresent:
assume eax : nothing
retn 04h
End_FD_IsDebuggerPresent:
;; ------------------------------------------------------------------
;; FD_PEB_BeingDebuggedFlag
;; Reads PEB.BeingDebugged directly instead of calling the API
;; (fs:[30h] is TEB.ProcessEnvironmentBlock on 32-bit Windows).
;; In:   none
;; Out:  eax = 1 if the byte at PEB+2 is nonzero, else 0
;; Clobbers: eax, flags
;; Stack: none; retn 0
;; NOTE(review): the exit label is named Exit_PEB_BeingDebuggedFlag
;; (no FD_ prefix) unlike every other function here.
;; ------------------------------------------------------------------
FD_PEB_BeingDebuggedFlag:
assume fs : nothing
mov eax, fs:[30h] ; eax = TEB.ProcessEnvironmentBlock
inc eax
inc eax                                           ; eax = PEB+2 (two incs rather than [eax+2])
mov eax, dword ptr [eax]                          ; loads four bytes starting at PEB+2
and eax, 000000FFh ; al = PEB.BeingDebugged       ; keep only the first byte
test eax, eax
jnz FD_PEB_BeingDebuggedFlag_Found
Exit_PEB_BeingDebuggedFlag:
retn 0
FD_PEB_BeingDebuggedFlag_Found:
mov eax, 1
jmp Exit_PEB_BeingDebuggedFlag
End_FD_PEB_BeingDebuggedFlag:
;; ------------------------------------------------------------------
;; FD_PEB_NtGlobalFlags
;; Checks the heap-debugging bits of PEB.NtGlobalFlag (offset 68h in
;; the 32-bit PEB). Mask 70h = FLG_HEAP_ENABLE_TAIL_CHECK (10h) |
;; FLG_HEAP_ENABLE_FREE_CHECK (20h) | FLG_HEAP_VALIDATE_PARAMETERS (40h),
;; which the loader sets when the process is created under a debugger.
;; In:   none
;; Out:  eax = 1 if any of those bits is set, else 0
;; Clobbers: eax, flags
;; Caveat: the same bits can be enabled without a debugger (gflags /
;; Image File Execution Options), so this can report a false positive.
;; ------------------------------------------------------------------
FD_PEB_NtGlobalFlags:
assume fs : nothing
mov eax, fs:[30h]                                 ; eax = PEB
mov eax, dword ptr [eax+68h]                      ; eax = PEB.NtGlobalFlag
and eax, 070h                                     ; keep the three heap-check bits
test eax, eax
jnz FD_PEB_NtGlobalFlags_Found
Exit_FD_PEB_NtGlobalFlags:
retn 0
FD_PEB_NtGlobalFlags_Found:
mov eax, 1
jmp Exit_FD_PEB_NtGlobalFlags
End_FD_PEB_NtGlobalFlags:
;; ------------------------------------------------------------------
;; FD_Heap_ForceFlags
;; Reads a dword at offset 10h of the default process heap header
;; (PEB.ProcessHeap, PEB offset 18h) and reports nonzero as "found".
;; In:   none
;; Out:  eax = 1 if [ProcessHeap+10h] != 0, else 0
;; Clobbers: eax, flags
;; NOTE(review): on the pre-Vista 32-bit _HEAP layout, +0Ch is Flags and
;; +10h is ForceFlags, so the test-for-zero below matches ForceFlags
;; (normally 0) and the original trailing comment ".Flags" looks swapped
;; with the one in FD_Heap_HeapFlags. Vista and later move both fields
;; (reported at 40h/44h for 32-bit) — confirm the offsets for the target OS.
;; ------------------------------------------------------------------
FD_Heap_ForceFlags:
assume fs : nothing
mov eax, fs:[30h]                                 ; eax = PEB
mov eax, dword ptr [eax+18h] ; PEB.ProcessHeap
mov eax, dword ptr [eax+10h] ; PEB.ProcessHeap.Flags   (see NOTE above: likely ForceFlags)
test eax, eax                                     ; any nonzero value -> found
jnz Found_FD_Heap_ForceFlags
Exit_FD_Heap_ForceFlag:
retn 0
Found_FD_Heap_ForceFlags:
mov eax, 1
jmp Exit_FD_Heap_ForceFlag
End_FD_Heap_ForceFlags:
;; ------------------------------------------------------------------
;; FD_Heap_HeapFlags
;; Reads a dword at offset 0Ch of the default process heap header and
;; reports "found" unless it equals 2.
;; In:   none
;; Out:  eax = 1 if [ProcessHeap+0Ch] != 2, else 0
;; Clobbers: eax, flags
;; NOTE(review): on the pre-Vista 32-bit _HEAP layout +0Ch is Flags,
;; whose undebugged value is HEAP_GROWABLE (2); the original trailing
;; comment ".ForceFlags" looks swapped with FD_Heap_ForceFlags. The
;; offset is OS-version dependent — confirm before relying on it.
;; ------------------------------------------------------------------
FD_Heap_HeapFlags:
assume fs : nothing
mov eax, fs:[30h]                                 ; eax = PEB
mov eax, dword ptr [eax+18h] ; PEB.ProcessHeap
mov eax, dword ptr [eax+0ch] ; PEB.ProcessHeap.ForceFlags   (see NOTE above: likely Flags)
cmp eax, 2                                        ; 2 is the expected undebugged value
jnz Found_FD_Heap_HeapFlags
Exit_FD_Heap_HeapFlags:
retn 0
Found_FD_Heap_HeapFlags:
mov eax, 1
jmp Exit_FD_Heap_HeapFlags
End_FD_Heap_HeapFlags:
;; ------------------------------------------------------------------
;; FD_CheckRemoteDebuggerPresent
;; Intended: CheckRemoteDebuggerPresent(GetCurrentProcess(), &flag) with
;; the BOOL slot reserved on the stack by the first `push esp`.
;; In:   [esp+4] = pointer to WIN32APIBASE
;; Out:  intended eax = the BOOL written by the API (see NOTE)
;; NOTE(review): as written this cannot work. (1) eax holds the API
;; table, but GetCurrentProcess overwrites eax with the pseudo handle
;; before `[eax].xCheckRemoteDebuggerPresent` is dereferenced, so the
;; second call goes through a bogus table pointer. (2) `pop esp` loads
;; the BOOL result into esp instead of eax; the slot was meant to be
;; popped into eax (`pop eax`). Keeping the table in a saved register
;; (as the other functions do with ebx) would address (1).
;; ------------------------------------------------------------------
FD_CheckRemoteDebuggerPresent:
FD_CheckRemoteDebuggerPresent_Arg_Win32Api equ 04h
mov eax, dword ptr [esp+FD_CheckRemoteDebuggerPresent_Arg_Win32Api] ; eax = API table
assume eax : ptr WIN32APIBASE
push esp                                          ; reserve one dword as the pbDebuggerPresent slot
push esp                                          ; pbDebuggerPresent = address of that slot
call dword ptr [eax].xGetCurrentProcess           ; eax is now the process handle, not the table
push eax                                          ; hProcess
call dword ptr [eax].xCheckRemoteDebuggerPresent  ; BUG: eax no longer points at WIN32APIBASE
pop esp                                           ; BUG: pops the result slot into esp
assume eax : nothing
retn 04h
End_FD_CheckRemoteDebuggerPresent:
;; ------------------------------------------------------------------
;; FD_NtQueryInfoProc_DbgPort
;; ZwQueryInformationProcess(ProcessDebugPort) on the current process;
;; a nonzero DebugPort is reported as "debugger present".
;; In:   [ebp+8] = pointer to WIN32APIBASE (offset 8: [ebp]=saved ebp,
;;       [ebp+4]=return address)
;; Out:  eax = 1 if the call returned 0 and DebugPort != 0, else 0
;;       (a nonzero status is treated as "not found")
;; Clobbers: eax, flags; ebx/ebp saved and restored; ecx/edx are left
;;       to the called APIs
;; Stack: one PROCESS_DEBUG_PORT_INFO local below ebp; retn 04h
;; ------------------------------------------------------------------
FD_NtQueryInfoProc_DbgPort:
FD_NtQueryInfoProc_DbgPort_Arg_Win32Api equ 08h
FD_NtQueryInfoProc_DbgPort_StackSize equ sizeof PROCESS_DEBUG_PORT_INFO
FD_NtQueryInfoProc_DbgPort_ProcessInfo equ -(FD_NtQueryInfoProc_DbgPort_StackSize) ; local buffer directly below ebp
push ebp
mov ebp, esp
sub esp, FD_NtQueryInfoProc_DbgPort_StackSize
push ebx                                          ; ebx keeps the API table across calls
mov ebx, dword ptr [ebp+FD_NtQueryInfoProc_DbgPort_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
;; arguments pushed right-to-left for
;; (ProcessHandle, Class, ProcessInformation, Length, ReturnLength)
push NULL                                         ; ReturnLength
push sizeof PROCESS_DEBUG_PORT_INFO               ; ProcessInformationLength
lea eax, [ebp+FD_NtQueryInfoProc_DbgPort_ProcessInfo]
push eax                                          ; ProcessInformation = &local
push ProcessDebugPort                             ; ProcessInformationClass
call dword ptr [ebx].xGetCurrentProcess
push eax                                          ; ProcessHandle
call dword ptr [ebx].xZwQueryInformationProcess
test eax, eax                                     ; NTSTATUS != 0 -> treat as failure
jnz FD_NtQueryInfoProc_DbgPort_Tmp1
lea eax, [ebp+FD_NtQueryInfoProc_DbgPort_ProcessInfo]
assume eax : ptr PROCESS_DEBUG_PORT_INFO
mov eax, dword ptr [eax].DebugPort
test eax, eax                                     ; DebugPort != 0 -> found
jnz Found_FD_NtQueryInfoProc_DbgPort
FD_NtQueryInfoProc_DbgPort_Tmp1:
xor eax, eax                                      ; not found (or query failed)
Exit_FD_NtQueryInfoProc_DbgPort:
assume eax : nothing
assume ebx : nothing
pop ebx
mov esp, ebp
pop ebp
retn 04h
Found_FD_NtQueryInfoProc_DbgPort:
mov eax, 1
jmp Exit_FD_NtQueryInfoProc_DbgPort
End_FD_NtQueryInfoProc_DbgPort:
;; ------------------------------------------------------------------
;; FD_NtQueryInfoProc_DbgObjHandle
;; ZwQueryInformationProcess with the debug-object-handle class; a
;; successful status plus a nonzero ObjectHandle is "found".
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 if status == 0 and ObjectHandle != 0, else 0
;; Clobbers: eax, flags; ebx/ebp saved and restored
;; Stack: one PROCESS_DEBUG_OBJECTHANDLE_INFO local; retn 04h
;; NOTE(review): the class is written as SystemNotImplemented8, which is
;; a SYSTEM_INFORMATION_CLASS member, presumably chosen because its
;; numeric value (30 = 1Eh) equals ProcessDebugObjectHandle — confirm
;; against the include file; a proper PROCESSINFOCLASS name would be
;; clearer. Same pattern in FD_NtQueryInfoProc_DbgFlags.
;; ------------------------------------------------------------------
FD_NtQueryInfoProc_DbgObjHandle:
FD_NtQueryInfoProc_DbgObjHandle_Arg_Win32Api equ 08h
FD_NtQueryInfoProc_DbgObjHandle_StackSize equ sizeof PROCESS_DEBUG_OBJECTHANDLE_INFO
FD_NtQueryInfoProc_DbgObjHandle_ProcessInfo equ -(FD_NtQueryInfoProc_DbgObjHandle_StackSize)
push ebp
mov ebp, esp
sub esp, FD_NtQueryInfoProc_DbgObjHandle_StackSize
push ebx                                          ; ebx keeps the API table across calls
mov ebx, dword ptr [ebp+FD_NtQueryInfoProc_DbgObjHandle_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
push NULL                                         ; ReturnLength
push sizeof PROCESS_DEBUG_OBJECTHANDLE_INFO       ; ProcessInformationLength
lea eax, [ebp+FD_NtQueryInfoProc_DbgObjHandle_ProcessInfo]
push eax                                          ; ProcessInformation = &local
push SystemNotImplemented8                        ; class value standing in for ProcessDebugObjectHandle (see NOTE)
call dword ptr [ebx].xGetCurrentProcess
push eax                                          ; ProcessHandle
call dword ptr [ebx].xZwQueryInformationProcess
test eax, eax                                     ; nonzero status (no debug object) -> not found
jnz FD_NtQueryInfoProc_DbgObjHandle_Tmp1
lea eax, [ebp+FD_NtQueryInfoProc_DbgObjHandle_ProcessInfo]
assume eax : ptr PROCESS_DEBUG_OBJECTHANDLE_INFO
mov eax, dword ptr [eax].ObjectHandle
test eax, eax                                     ; handle != 0 -> found
jnz Found_FD_NtQueryInfoProc_DbgObjHandle
FD_NtQueryInfoProc_DbgObjHandle_Tmp1:
xor eax, eax
Exit_FD_NtQueryInfoProc_DbgObjHandle:
assume eax : nothing
assume ebx : nothing
pop ebx
mov esp, ebp
pop ebp
retn 04h
Found_FD_NtQueryInfoProc_DbgObjHandle:
mov eax, 1
jmp Exit_FD_NtQueryInfoProc_DbgObjHandle
End_FD_NtQueryInfoProc_DbgObjHandle:
;; ------------------------------------------------------------------
;; FD_NtQueryInfoProc_DbgFlags
;; ZwQueryInformationProcess with the debug-flags class. Note the
;; inverted sense: a DebugFlags value of ZERO is reported as "found"
;; (the `jz` below), a nonzero value as "not found".
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 if status == 0 and DebugFlags == 0, else 0
;; Clobbers: eax, flags; ebx/ebp saved and restored
;; Stack: one PROCESS_DEBUG_FLAGS_INFO local; retn 04h
;; NOTE(review): SystemNotImplemented9 is used as the class, presumably
;; for its numeric value (31 = 1Fh, ProcessDebugFlags) — confirm.
;; ------------------------------------------------------------------
FD_NtQueryInfoProc_DbgFlags:
FD_NtQueryInfoProc_DbgFlags_Arg_Win32Api equ 08h
FD_NtQueryInfoProc_DbgFlags_StackSize equ sizeof PROCESS_DEBUG_FLAGS_INFO
FD_NtQueryInfoProc_DbgFlags_ProcessInfo equ -(FD_NtQueryInfoProc_DbgFlags_StackSize)
push ebp
mov ebp, esp
sub esp, FD_NtQueryInfoProc_DbgFlags_StackSize
push ebx                                          ; ebx keeps the API table across calls
mov ebx, dword ptr [ebp+FD_NtQueryInfoProc_DbgFlags_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
push NULL                                         ; ReturnLength
push sizeof PROCESS_DEBUG_FLAGS_INFO              ; ProcessInformationLength
lea eax, [ebp+FD_NtQueryInfoProc_DbgFlags_ProcessInfo]
push eax                                          ; ProcessInformation = &local
push SystemNotImplemented9                        ; class value standing in for ProcessDebugFlags (see NOTE)
call dword ptr [ebx].xGetCurrentProcess
push eax                                          ; ProcessHandle
call dword ptr [ebx].xZwQueryInformationProcess
test eax, eax                                     ; nonzero status -> not found
jnz FD_NtQueryInfoProc_DbgFlags_Tmp1
lea eax, [ebp+FD_NtQueryInfoProc_DbgFlags_ProcessInfo]
assume eax : ptr PROCESS_DEBUG_FLAGS_INFO
mov eax, dword ptr [eax].DebugFlags
test eax, eax
jz Found_FD_NtQueryInfoProc_DbgFlags              ; DebugFlags == 0 -> found (inverted sense)
FD_NtQueryInfoProc_DbgFlags_Tmp1:
xor eax, eax
Exit_FD_NtQueryInfoProc_DbgFlags:
assume eax : nothing
assume ebx : nothing
pop ebx
mov esp, ebp
pop ebp
retn 04h
Found_FD_NtQueryInfoProc_DbgFlags:
mov eax, 1
jmp Exit_FD_NtQueryInfoProc_DbgFlags
End_FD_NtQueryInfoProc_DbgFlags:
;; ------------------------------------------------------------------
;; FD_NtQueryInfoProc_SysKrlDbgInfo
;; Intended: ZwQuerySystemInformation(SystemKernelDebuggerInformation)
;; to detect a kernel debugger.
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 if status == 0 and the first dword of the buffer is 0,
;;       else 0
;; Clobbers: eax, flags; ebx/ebp saved and restored
;; NOTE(review): ZwQuerySystemInformation takes four parameters
;; (SystemInformationClass, SystemInformation, Length, ReturnLength),
;; but five values are pushed below — the GetCurrentProcess handle ends
;; up on top, so every parameter is shifted one slot and the handle is
;; passed as the class. The epilogue's `mov esp, ebp` hides the stack
;; imbalance, but the call cannot return the intended record. The local
;; also reuses PROCESS_DEBUG_FLAGS_INFO as a stand-in, and `jz Found`
;; fires only when the whole dword is zero — confirm both against the
;; real SYSTEM_KERNEL_DEBUGGER_INFORMATION layout (two BOOLEAN fields).
;; ------------------------------------------------------------------
FD_NtQueryInfoProc_SysKrlDbgInfo:
FD_NtQueryInfoProc_SysKrlDbgInfo_Arg_Win32Api equ 08h
FD_NtQueryInfoProc_SysKrlDbgInfo_StackSize equ sizeof PROCESS_DEBUG_FLAGS_INFO   ; stand-in buffer type (see NOTE)
FD_NtQueryInfoProc_SysKrlDbgInfo_Info equ -(sizeof PROCESS_DEBUG_FLAGS_INFO)
push ebp
mov ebp, esp
sub esp, FD_NtQueryInfoProc_SysKrlDbgInfo_StackSize
push ebx                                          ; ebx keeps the API table across calls
mov ebx, dword ptr [ebp+FD_NtQueryInfoProc_SysKrlDbgInfo_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
push NULL                                         ; intended ReturnLength
push sizeof PROCESS_DEBUG_FLAGS_INFO              ; intended Length
lea eax, [ebp+FD_NtQueryInfoProc_SysKrlDbgInfo_Info]
push eax                                          ; intended SystemInformation
push SystemKernelDebuggerInformation              ; intended class
call dword ptr [ebx].xGetCurrentProcess
push eax                                          ; BUG: fifth value; becomes the class argument
call dword ptr [ebx].xZwQuerySystemInformation
test eax, eax                                     ; nonzero status -> not found
jnz FD_NtQueryInfoProc_SysKrlDbgInfo_Tmp1
lea eax, [ebp+FD_NtQueryInfoProc_SysKrlDbgInfo_Info]
assume eax : ptr PROCESS_DEBUG_FLAGS_INFO
mov eax, dword ptr [eax].DebugFlags               ; first dword of the buffer
test eax, eax
jz Found_FD_NtQueryInfoProc_SysKrlDbgInfo         ; zero -> found (see NOTE)
FD_NtQueryInfoProc_SysKrlDbgInfo_Tmp1:
xor eax, eax
Exit_FD_NtQueryInfoProc_SysKrlDbgInfo:
assume eax : nothing
assume ebx : nothing
pop ebx
mov esp, ebp                                      ; also discards the extra pushed dword
pop ebp
retn 04h
Found_FD_NtQueryInfoProc_SysKrlDbgInfo:
mov eax, 1
jmp Exit_FD_NtQueryInfoProc_SysKrlDbgInfo
End_FD_NtQueryInfoProc_SysKrlDbgInfo:
;; ------------------------------------------------------------------
;; FD_Heap_Magic
;; Allocates 100h bytes from the process heap and counts how many of
;; the 64 dwords carry a debug-heap fill pattern (ABABABABh, BAADF00Dh,
;; FEEEFEEEh); 10h or more hits is reported as "found".
;; In:   [esp+4] = pointer to WIN32APIBASE
;; Out:  eax = 1 if count >= 10h, else 0
;; Clobbers: eax, flags, DF (cleared by cld); ebx/ecx/edx/esi/edi are
;;       saved and restored
;; Stack: no frame; retn 04h
;; NOTE(review): the lodsd loop advances esi by 100h bytes, so the
;; `push esi` handed to HeapFree below is mem+100h rather than the block
;; HeapAlloc returned; HeapAlloc's result is also never checked for NULL
;; before the loop reads through it. HEAP_NO_SERIALIZE on the shared
;; process heap is unsafe if other threads use that heap concurrently.
;; ------------------------------------------------------------------
FD_Heap_Magic:
FD_Heap_Magic_Arg_Win32Api equ 04h
mov eax, dword ptr [esp+FD_Heap_Magic_Arg_Win32Api] ; read the argument before pushing anything
push ebx
push ecx
push edx
push esi
push edi
mov ebx, eax                                      ; ebx = API table
assume ebx : ptr WIN32APIBASE
push 100h                                         ; HeapAlloc dwBytes
push NULL                                         ; HeapAlloc dwFlags
call dword ptr [ebx].xGetProcessHeap
mov edi, eax ; HeapHandle
push eax                                          ; HeapAlloc hHeap
call dword ptr [ebx].xHeapAlloc
mov esi, eax ; HeapMem                            ; not NULL-checked
xor ecx, ecx                                      ; ecx = number of pattern hits
mov edx, 100h                                     ; edx = bytes remaining
cld
FD_Heap_Magic_Loop:
lodsd                                             ; eax = next dword, esi += 4
cmp eax, 0ABABABABh
jnz FD_Heap_Magic_Tmp1
inc ecx
FD_Heap_Magic_Tmp1:
cmp eax, 0BAADF00Dh
jnz FD_Heap_Magic_Tmp2
inc ecx
FD_Heap_Magic_Tmp2:
cmp eax, 0FEEEFEEEh
jnz FD_Heap_Magic_Tmp3
inc ecx
FD_Heap_Magic_Tmp3:
sub edx, 04h
jnz FD_Heap_Magic_Loop
push ecx                                          ; preserve the hit count across HeapFree
;; free heap
push esi                                          ; BUG: esi now points past the block (see NOTE)
push HEAP_NO_SERIALIZE
push edi
call dword ptr [ebx].xHeapFree
pop ecx
;; judge count
cmp ecx, 10h
jae Found_FD_Heap_Magic                           ; unsigned compare
xor eax, eax
Exit_FD_Heap_Magic:
pop edi
pop esi
pop edx
pop ecx
pop ebx
assume ebx : nothing
retn 04h
Found_FD_Heap_Magic:
mov eax, 1
jmp Exit_FD_Heap_Magic
End_FD_Heap_Magic:
;; ------------------------------------------------------------------
;; FD_SeDebugPrivilege
;; Walks a Toolhelp process snapshot looking for CSRSS.EXE, then tries
;; OpenProcess(PROCESS_QUERY_INFORMATION) on it; a successful open is
;; reported as "found" (the idea being that only a caller holding
;; SeDebugPrivilege, e.g. one inherited from a debugger, can open it).
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 if csrss was found and OpenProcess succeeded, else 0
;; Clobbers: eax, flags, DF (cld); ebx/ecx/edi/ebp saved and restored;
;;       edx is left to the called APIs
;; Stack: hProcessSnap, PID_csrss, FingFlag and a PROCESSENTRY32 local
;; Caveats: a sufficiently privileged caller (e.g. an elevated
;; administrator) may also succeed, so this can report a false positive.
;; NOTE(review): the handle returned by OpenProcess is never closed on
;; the Found path — only the snapshot handle is.
;; ------------------------------------------------------------------
FD_SeDebugPrivilege:
FD_SeDebugPrivilege_Arg_Win32Api equ 08h
FD_SeDebugPrivilege_StackSize equ 10h + sizeof PROCESSENTRY32
FD_SeDebugPrivilege_hProcessSnap equ -04h
FD_SeDebugPrivilege_PID_csrss equ -08h
FD_SeDebugPrivilege_FingFlag equ -0ch
FD_SeDebugPrivilege_pe32 equ -(10h+sizeof PROCESSENTRY32) ; lowest local; equals -StackSize
push ebp
mov ebp, esp
sub esp, FD_SeDebugPrivilege_StackSize
push ebx
push ecx
push edi
;; clear stack
lea edi, [ebp-FD_SeDebugPrivilege_StackSize]      ; start of the locals
mov ecx, FD_SeDebugPrivilege_StackSize
xor eax, eax
cld
rep stosb                                         ; zero all locals (FingFlag starts FALSE)
mov ebx, dword ptr [ebp+FD_SeDebugPrivilege_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
lea edi, [ebp+FD_SeDebugPrivilege_pe32]           ; edi = &pe32 for the rest of the function
assume edi : ptr PROCESSENTRY32
push 0                                            ; th32ProcessID (ignored for SNAPPROCESS)
push TH32CS_SNAPPROCESS
call dword ptr [ebx].xCreateToolhelp32Snapshot
cmp eax, INVALID_HANDLE_VALUE
jz NotFound_FD_SeDebugPrivilege                   ; no snapshot -> nothing to close, report 0
mov dword ptr [ebp+FD_SeDebugPrivilege_hProcessSnap], eax
push sizeof PROCESSENTRY32
pop dword ptr [edi].dwSize                        ; pe32.dwSize must be set before Process32First
push edi
push dword ptr [ebp+FD_SeDebugPrivilege_hProcessSnap]
call dword ptr [ebx].xProcess32First
test eax, eax
jnz FD_SeDebugPrivilege_Loop
push dword ptr [ebp+FD_SeDebugPrivilege_hProcessSnap]
call dword ptr [ebx].xCloseHandle
jmp NotFound_FD_SeDebugPrivilege
FD_SeDebugPrivilege_Loop:
call FD_SeDebugPrivilege_Str                      ; pushes the address of the inline string below
db 'CSRSS.EXE',0
FD_SeDebugPrivilege_Str:
lea eax, [edi].szExeFile
push eax
call dword ptr [ebx].xlstrcmpiA                   ; lstrcmpiA(szExeFile, "CSRSS.EXE"), case-insensitive
test eax, eax
jnz FD_SeDebugPrivilege_Tmp2                      ; no match -> keep walking
push dword ptr [edi].th32ProcessID
pop dword ptr [ebp+FD_SeDebugPrivilege_PID_csrss]
push TRUE
pop dword ptr [ebp+FD_SeDebugPrivilege_FingFlag]  ; remember that csrss was found
FD_SeDebugPrivilege_Tmp2:
mov eax, dword ptr [ebp+FD_SeDebugPrivilege_FingFlag]
test eax, eax
jnz FD_SeDebugPrivilege_Tmp3                      ; found: stop enumerating
push edi
push dword ptr [ebp+FD_SeDebugPrivilege_hProcessSnap]
call dword ptr [ebx].xProcess32Next
test eax, eax
jnz FD_SeDebugPrivilege_Loop
FD_SeDebugPrivilege_Tmp3:
mov eax, dword ptr [ebp+FD_SeDebugPrivilege_FingFlag]
test eax, eax
jz FD_SeDebugPrivilege_Tmp4                       ; csrss not seen -> not found
push dword ptr [ebp+FD_SeDebugPrivilege_PID_csrss] ; dwProcessId
push FALSE                                        ; bInheritHandle
push PROCESS_QUERY_INFORMATION                    ; dwDesiredAccess
call dword ptr [ebx].xOpenProcess
test eax, eax
jz FD_SeDebugPrivilege_Tmp4                       ; open failed -> not found
push dword ptr [ebp+FD_SeDebugPrivilege_hProcessSnap]
call dword ptr [ebx].xCloseHandle                 ; the OpenProcess handle itself is not closed (see NOTE)
jmp Found_FD_SeDebugPrivilege
FD_SeDebugPrivilege_Tmp4:
push dword ptr [ebp+FD_SeDebugPrivilege_hProcessSnap]
call dword ptr [ebx].xCloseHandle
jmp NotFound_FD_SeDebugPrivilege
Exit_FD_SeDebugPrivilege:
pop edi
pop ecx
pop ebx
assume ebx : nothing
assume edi : nothing
mov esp, ebp
pop ebp
retn 04h
NotFound_FD_SeDebugPrivilege:
xor eax, eax
jmp Exit_FD_SeDebugPrivilege
Found_FD_SeDebugPrivilege:
mov eax, 1
jmp Exit_FD_SeDebugPrivilege
End_FD_SeDebugPrivilege:
;; ------------------------------------------------------------------
;; FD_Parent_Process
;; Checks who launched this process. Pass 1 walks a process snapshot to
;; record the PID of the first EXPLORER.EXE and the parent PID of the
;; current process. If they differ the function reports "found". If
;; they match, pass 2 takes a module snapshot of that explorer and
;; compares its szExePath against "<windir>\EXPLORER.EXE"; a mismatch
;; is "found".
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 ("found") / 0; see the branches at Tmp2 and Tmp6
;; Clobbers: eax, flags, DF (cld); ebx/ecx/edi/esi/ebp saved and
;;       restored; edx is left to the called APIs
;; Caveat: by construction any non-explorer parent (cmd.exe, a
;; launcher, a service) is reported as "found", so this is a heuristic
;; with obvious false positives.
;; NOTE(review), defects visible in this block:
;;  - after the first lstrcmpiA call, `jnz` is taken on whatever flags
;;    the API left behind; the other lstrcmpiA sites here `test eax, eax`
;;    first.
;;  - Loop1 calls Process32Next before examining the entry filled in by
;;    Process32First, so the first snapshot entry is never compared.
;;  - at Tmp5 hSnapshot is overwritten by the module snapshot without
;;    closing the process snapshot (handle leak).
;;  - neither CreateToolhelp32Snapshot result is checked against
;;    INVALID_HANDLE_VALUE.
;;  - the me32.th32ProcessID == PIDExplorer test in Loop2 is always true
;;    for a snapshot taken of that PID.
;;  - hParnet is defined but never used; esi is saved but never used.
;;  - pe32/me32/lpszSystemInfo use the type names without `sizeof`
;;    (StackSize above uses `sizeof`); MASM evaluates a type name in an
;;    expression as its size, so these should agree — confirm when
;;    assembling.
;; ------------------------------------------------------------------
FD_Parent_Process:
FD_Parent_Process_Arg_Win32Api equ 08h
FD_Parent_Process_StackSize equ MAX_PATH + sizeof PROCESSENTRY32 + sizeof MODULEENTRY32 + 20h
FD_Parent_Process_hParnet equ -04h                ; unused
FD_Parent_Process_PIDExplorer equ -08h
FD_Parent_Process_PIDParent equ -0ch
FD_Parent_Process_PIDChild equ -10h               ; PID of this process
FD_Parent_Process_hSnapshot equ -14h
FD_Parent_Process_pe32 equ -(20h + PROCESSENTRY32)
FD_Parent_Process_me32 equ -(20h + PROCESSENTRY32 + MODULEENTRY32)
FD_Parent_Process_lpszSystemInfo equ -(20h + PROCESSENTRY32 + MODULEENTRY32 + MAX_PATH) ; lowest local; equals -StackSize
push ebp
mov ebp, esp
sub esp, FD_Parent_Process_StackSize
push ebx
push ecx
push edi
push esi
;; clear the stack
lea edi, [ebp-FD_Parent_Process_StackSize]
xor eax, eax
mov ecx, FD_Parent_Process_StackSize
cld
rep stosb                                         ; all PIDs start at 0
mov ebx, dword ptr [ebp+FD_Parent_Process_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
lea eax, [ebp+FD_Parent_Process_pe32]
assume eax : ptr PROCESSENTRY32
push sizeof PROCESSENTRY32
pop dword ptr [eax].dwSize                        ; required before Process32First
call dword ptr [ebx].xGetCurrentProcessId
mov dword ptr [ebp+FD_Parent_Process_PIDChild], eax
push 0
push TH32CS_SNAPPROCESS
call dword ptr [ebx].xCreateToolhelp32Snapshot
mov dword ptr [ebp+FD_Parent_Process_hSnapshot], eax ; not checked for INVALID_HANDLE_VALUE
lea eax, [ebp+FD_Parent_Process_pe32]
push eax
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xProcess32First
test eax, eax
jz FD_Parent_Process_Tmp1
FD_Parent_Process_Loop1:
lea eax, [ebp+FD_Parent_Process_pe32]
push eax
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xProcess32Next               ; advances before the Process32First entry is examined
test eax, eax
jz FD_Parent_Process_Tmp2                         ; end of snapshot -> evaluate
call FD_Parent_Process_Str1                       ; pushes the address of the inline string
db "EXPLORER.EXE",0
FD_Parent_Process_Str1:
lea eax, [ebp+FD_Parent_Process_pe32]
lea eax, [eax].szExeFile
push eax
call dword ptr [ebx].xlstrcmpiA                   ; lstrcmpiA(szExeFile, "EXPLORER.EXE")
jnz FD_Parent_Process_Tmp3                        ; BUG: no `test eax, eax` before this branch
mov eax, dword ptr [ebp+FD_Parent_Process_PIDExplorer]
test eax, eax
jnz FD_Parent_Process_Tmp3                        ; keep only the first explorer seen
lea eax, [ebp+FD_Parent_Process_pe32]
assume eax : ptr PROCESSENTRY32
push dword ptr [eax].th32ProcessID
pop dword ptr [ebp+FD_Parent_Process_PIDExplorer]
FD_Parent_Process_Tmp3:
lea eax, [ebp+FD_Parent_Process_pe32]
mov eax, dword ptr [eax].th32ProcessID
sub eax, dword ptr [ebp+FD_Parent_Process_PIDChild] ; is this entry our own process?
jnz FD_Parent_Process_Tmp4
lea eax, [ebp+FD_Parent_Process_pe32]
push dword ptr [eax].th32ParentProcessID
pop dword ptr [ebp+FD_Parent_Process_PIDParent]   ; record our parent PID
FD_Parent_Process_Tmp4:
jmp FD_Parent_Process_Loop1
FD_Parent_Process_Tmp1:
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xCloseHandle
jmp NotFound_FD_Parent_Process
FD_Parent_Process_Tmp2:
mov eax, dword ptr [ebp+FD_Parent_Process_PIDExplorer]
sub eax, dword ptr [ebp+FD_Parent_Process_PIDParent]
jz FD_Parent_Process_Tmp5                         ; parent is explorer -> verify its path
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xCloseHandle
jmp Found_FD_Parent_Process                       ; any other parent -> "found"
FD_Parent_Process_Tmp5:
lea eax, [ebp+FD_Parent_Process_me32]
assume eax : ptr MODULEENTRY32
push sizeof MODULEENTRY32
pop dword ptr [eax].dwSize
push dword ptr [ebp+FD_Parent_Process_PIDExplorer]
push TH32CS_SNAPMODULE
call dword ptr [ebx].xCreateToolhelp32Snapshot
mov dword ptr [ebp+FD_Parent_Process_hSnapshot], eax ; BUG: previous snapshot handle overwritten, never closed
lea eax, [ebp+FD_Parent_Process_me32]
push eax
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xModule32First
test eax, eax
jz FD_Parent_Process_Tmp6
FD_Parent_Process_Loop2:
lea eax, [ebp+FD_Parent_Process_me32]
mov eax, dword ptr [eax].th32ProcessID
sub eax, dword ptr [ebp+FD_Parent_Process_PIDExplorer] ; always equal for this snapshot
jnz FD_Parent_Process_Tmp7
;; build "<windir>\EXPLORER.EXE" in lpszSystemInfo
push MAX_PATH
lea eax, [ebp+FD_Parent_Process_lpszSystemInfo]
push eax
call dword ptr [ebx].xGetWindowsDirectoryA
call FD_Parent_Process_Str2
db '\',0
FD_Parent_Process_Str2:
lea eax, [ebp+FD_Parent_Process_lpszSystemInfo]
push eax
call dword ptr [ebx].xlstrcatA                    ; lstrcatA(buf, "\")
call FD_Parent_Process_Str3
db "EXPLORER.EXE",0
FD_Parent_Process_Str3:
lea eax, [ebp+FD_Parent_Process_lpszSystemInfo]
push eax
call dword ptr [ebx].xlstrcatA                    ; lstrcatA(buf, "EXPLORER.EXE")
lea eax, [ebp+FD_Parent_Process_lpszSystemInfo]
push eax
lea eax, [ebp+FD_Parent_Process_me32]
lea eax, [eax].szExePath
push eax
call dword ptr [ebx].xlstrcmpiA                   ; lstrcmpiA(me32.szExePath, buf)
test eax, eax
jz FD_Parent_Process_Tmp6                         ; path matches -> not found
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xCloseHandle
jmp Found_FD_Parent_Process                       ; explorer runs from elsewhere -> "found"
FD_Parent_Process_Tmp7:
lea eax, [ebp+FD_Parent_Process_me32]
push eax
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xModule32Next
test eax, eax
jnz FD_Parent_Process_Loop2
FD_Parent_Process_Tmp6:
push dword ptr [ebp+FD_Parent_Process_hSnapshot]
call dword ptr [ebx].xCloseHandle
jmp NotFound_FD_Parent_Process
Exit_FD_Parent_Process:
pop esi
pop edi
pop ecx
pop ebx
assume eax : nothing
assume ebx : nothing
mov esp, ebp
pop ebp
retn 04h
NotFound_FD_Parent_Process:
xor eax, eax
jmp Exit_FD_Parent_Process
Found_FD_Parent_Process:
mov eax, 1
jmp Exit_FD_Parent_Process
End_FD_Parent_Process:
;; ------------------------------------------------------------------
;; FD_DebugObject_NtQueryObject
;; Queries the system-wide object-type list (NtQueryObject with
;; ObjectAllTypeInformation and a NULL handle), walks the entries, and
;; reports "found" when the "DebugObject" type has a nonzero object
;; count. Layout assumed by the walk: a leading dword count, then per
;; type a UNICODE_STRING (Length:MaximumLength dword, Buffer pointer)
;; immediately followed by the dword the code treats as
;; TotalNumberOfObjects; the name text lives at Buffer and the next
;; entry follows it after dword alignment.
;; In:   [esp+4] = pointer to WIN32APIBASE
;; Out:  eax = 1 / 0
;; Clobbers: eax, flags, DF (cld); ebx/ecx/edx/esi/edi/ebp saved and
;;       restored
;; Stack: a temporary frame of the size NtQueryObject reported, carved
;;       out with `sub esp, ecx`
;; NOTE(review): neither NtQueryObject status is checked; if the second
;; call fails the loop walks uninitialised stack memory. The size-sized
;; `sub esp, ecx` is also done without touching intermediate pages, so a
;; result larger than a page may skip the stack guard page — confirm.
;; Caveat: the count is system-wide, so any debugger attached to any
;; process on the machine will satisfy this check.
;; ------------------------------------------------------------------
FD_DebugObject_NtQueryObject:
FD_DebugObject_NtQueryObject_Arg_Win32Api equ 04h
mov eax, dword ptr [esp+FD_DebugObject_NtQueryObject_Arg_Win32Api]
push ebx
push ecx
push edx
push edi
push esi
mov ebx, eax                                      ; ebx = API table
assume ebx : ptr WIN32APIBASE
push edx ; alloc the stack                        ; one dword slot for ReturnLength
push esp ; ReturnLength                           ; -> that slot
push 0                                            ; ObjectInformationLength = 0
push 0                                            ; ObjectInformation = NULL
push ObjectAllTypeInformation
push 0                                            ; Handle = NULL
call dword ptr [ebx].xNtQueryObject               ; first call only to learn the required size (status ignored)
pop ecx                                           ; ecx = required length
;; make a tmp stack
push ebp
mov ebp, esp
sub esp, ecx                                      ; buffer of ecx bytes on the stack
mov esi, esp                                      ; esi = buffer
;; ObjectInformationLength
push 0                                            ; ReturnLength = NULL
push ecx                                          ; ObjectInformationLength
push esi                                          ; ObjectInformation
push ObjectAllTypeInformation
push 0                                            ; Handle = NULL
call dword ptr [ebx].xNtQueryObject               ; status ignored (see NOTE)
cld
;; NumberOfObjectsTypes
lodsd
xchg ecx, eax ; ecx = NumberOfObjectsTypes         ; loop counter for `loop` below
FD_DebugObject_NtQueryObject_Loop:
;; load string lengths
lodsd                                             ; eax = Length | MaximumLength<<16
movzx edx, ax                                     ; edx = Length in bytes
;; pointer to TypeName
lodsd                                             ; eax = Buffer
xchg esi, eax                                     ; esi = name text; eax = address of the following dword
;; sizeof(L"DebugObject")
;; avoids superstrings
;; like "DebugObjective"
cmp edx, 16h                                      ; 11 WCHARs = 22 bytes
jnz FD_DebugObject_NtQueryObject_Tmp2
xchg ecx, edx                                     ; ecx = 16h (compare count), edx = saved type counter
FD_DebugObject_NtQueryObject_Tmp1:
call FD_DebugObject_NtQueryObject_UnicodeStr1     ; pushes the address of the inline UTF-16 literal
dw 'D','e','b','u','g'
dw 'O','b','j','e','c','t'
FD_DebugObject_NtQueryObject_UnicodeStr1:
pop edi                                           ; edi = L"DebugObject"
repe cmpsb                                        ; byte compare; esi advances by 16h - ecx(remaining)
xchg ecx, edx                                     ; restore the type counter; edx = bytes not compared
jnz FD_DebugObject_NtQueryObject_Tmp2             ; name differs
;; TotalNumberOfObjects
cmp dword ptr [eax], edx                          ; edx is 0 here: TotalNumberOfObjects != 0 -> found
jnz Found_FD_DebugObject_NtQueryObject
;; point to trailing null
FD_DebugObject_NtQueryObject_Tmp2:
add esi, edx                                      ; esi = end of the name text on every path
;; round down to dword
and esi, -4
;; skip trailing null
;; and any alignment bytes
lodsd
loop FD_DebugObject_NtQueryObject_Loop
xor eax, eax                                      ; exhausted the list -> not found
Exit_FD_DebugObject_NtQueryObject:
;; clear the tmp stack
mov esp, ebp
pop ebp
pop esi
pop edi
pop edx
pop ecx
pop ebx
assume ebx : nothing
retn 04h
Found_FD_DebugObject_NtQueryObject:
mov eax, 1
jmp Exit_FD_DebugObject_NtQueryObject
End_FD_DebugObject_NtQueryObject:
;; ------------------------------------------------------------------
;; FD_Find_Debugger_Window
;; Calls FindWindowA(lpClassName = <inline string>, lpWindowName = NULL)
;; for each string in the list below; the first nonzero HWND is "found".
;; Each string is embedded right after a `call`, so the call pushes its
;; address (the "return address") as the lpClassName argument.
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 if any FindWindowA returned nonzero, else 0
;; Clobbers: eax, flags; ebx/ebp saved and restored; ecx/edx are left
;;       to the called API
;; NOTE(review): the argument constant is spelled Arg_WinApi32 here but
;; Arg_Win32Api everywhere else. Several of the later strings ("PEiD
;; v0.94", the two Sysinternals strings, the ImpREC string) look like
;; window titles rather than class names, yet they are passed in the
;; lpClassName position — confirm which parameter each was meant for.
;; ------------------------------------------------------------------
FD_Find_Debugger_Window:
FD_Find_Debugger_Window_Arg_WinApi32 equ 08h
push ebp
mov ebp, esp
push ebx                                          ; ebx keeps the API table across calls
mov ebx, dword ptr [ebp+FD_Find_Debugger_Window_Arg_WinApi32]
assume ebx : ptr WIN32APIBASE
push NULL                                         ; lpWindowName
call FD_Find_Debugger_Window_Str1                 ; pushes &"1212121" as lpClassName
db "1212121",0
FD_Find_Debugger_Window_Str1:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str2
db "icu_dbg",0
FD_Find_Debugger_Window_Str2:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str3
db "pe--diy",0
FD_Find_Debugger_Window_Str3:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str5                 ; (no Str4 label exists; numbering skips it)
db "ollydbg",0
FD_Find_Debugger_Window_Str5:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str6
db "odbydyk",0
FD_Find_Debugger_Window_Str6:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str7
db "WinDbgFrameClass",0
FD_Find_Debugger_Window_Str7:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str8
db "TDeDeMainForm",0
FD_Find_Debugger_Window_Str8:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str9
db "TIdaWindow",0
FD_Find_Debugger_Window_Str9:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_StrA
db "TESTDBG",0
FD_Find_Debugger_Window_StrA:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_StrB
db "kk1",0
FD_Find_Debugger_Window_StrB:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_StrC
db "Eew75",0
FD_Find_Debugger_Window_StrC:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_StrD
db "Shadow",0
FD_Find_Debugger_Window_StrD:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
;; the remaining strings look like window titles, not class names (see NOTE)
push NULL
call FD_Find_Debugger_Window_StrE
db "PEiD v0.94",0
FD_Find_Debugger_Window_StrE:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_StrF
db "Registry Monitor - Sysinternals: www.sysinternals.com",0
FD_Find_Debugger_Window_StrF:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str10
db "File Monitor - Sysinternals: www.sysinternals.com",0
FD_Find_Debugger_Window_Str10:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
push NULL
call FD_Find_Debugger_Window_Str11
db "Import REConstructor v1.6 FINAL (C) 2001-2003 MackT/uCF",0
FD_Find_Debugger_Window_Str11:
call dword ptr [ebx].xFindWindowA
test eax, eax
jnz Found_FD_Find_Debugger_Window
jmp NotFound_Found_FD_Find_Debugger_Window
Exit_FD_Find_Debugger_Window:
pop ebx
assume ebx : nothing
mov esp, ebp
pop ebp
retn 04h
NotFound_Found_FD_Find_Debugger_Window:
xor eax, eax
jmp Exit_FD_Find_Debugger_Window
Found_FD_Find_Debugger_Window:
mov eax, 1
jmp Exit_FD_Find_Debugger_Window
End_FD_Find_Debugger_Window:
;; ------------------------------------------------------------------
;; FD_Find_Debugger_Process
;; Walks a Toolhelp process snapshot and compares each szExeFile
;; (case-insensitively) against a fixed list of tool names; any match
;; is "found". The snapshot handle is closed on every exit path.
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 / 0
;; Stack: hSnapshot, hParnet (unused) and a PROCESSENTRY32 local
;; NOTE(review), defects visible in this block:
;;  - registers are pushed as edi, esi, edx, ecx, ebx but popped as
;;    edi, esi, edx, ecx, ebx in the SAME order, so on return edi holds
;;    the caller's ebx, ebx the caller's edi, esi the caller's ecx and
;;    ecx the caller's esi; the callee-saved ebx/esi/edi are corrupted.
;;    The pops must be in reverse push order (compare FD_Heap_Magic).
;;  - `FD_Find_Debugger_Process_pe32 equ -(10+sizeof PROCESSENTRY32)`
;;    uses decimal 10 while StackSize uses 10h, so pe32 does not start
;;    at the bottom of the cleared area and is only 2-byte aligned.
;;  - CreateToolhelp32Snapshot is not checked for INVALID_HANDLE_VALUE.
;; ------------------------------------------------------------------
FD_Find_Debugger_Process:
FD_Find_Debugger_Process_Arg_Win32Api equ 08h
FD_Find_Debugger_Process_StackSize equ 10h + sizeof PROCESSENTRY32
FD_Find_Debugger_Process_hSnapshot equ -04h
FD_Find_Debugger_Process_hParnet equ -08h        ; unused
FD_Find_Debugger_Process_pe32 equ -(10+sizeof PROCESSENTRY32) ; decimal 10, not 10h (see NOTE)
push ebp
mov ebp, esp
sub esp, FD_Find_Debugger_Process_StackSize
push edi                                          ; push order: edi, esi, edx, ecx, ebx
push esi
push edx
push ecx
push ebx
;; clear the stack
lea edi, [ebp-FD_Find_Debugger_Process_StackSize]
mov ecx, FD_Find_Debugger_Process_StackSize
xor eax, eax
cld
rep stosb
mov ebx, dword ptr [ebp+FD_Find_Debugger_Process_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
lea esi, [ebp+FD_Find_Debugger_Process_pe32]      ; esi = &pe32
assume esi : ptr PROCESSENTRY32
push sizeof PROCESSENTRY32
pop dword ptr [esi].dwSize                        ; required before Process32First
push 0
push TH32CS_SNAPPROCESS
call dword ptr [ebx].xCreateToolhelp32Snapshot
mov dword ptr [ebp+FD_Find_Debugger_Process_hSnapshot], eax ; not checked for INVALID_HANDLE_VALUE
lea eax, [ebp+FD_Find_Debugger_Process_pe32]
push eax
push dword ptr [ebp+FD_Find_Debugger_Process_hSnapshot]
call dword ptr [ebx].xProcess32First
test eax, eax
jz NotFound_FD_Find_Debugger_Process
FD_Find_Debugger_Process_Loop:
lea eax, [esi].szExeFile
mov edi, eax                                      ; edi = current entry's szExeFile
call FD_Find_Debugger_Process_Str1                ; each call pushes the inline name as lpString2
db "OLLYICE.EXE",0
FD_Find_Debugger_Process_Str1:
push edi                                          ; lpString1
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process                 ; 0 = equal
call FD_Find_Debugger_Process_Str2
db "IDAG.EXE",0
FD_Find_Debugger_Process_Str2:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
call FD_Find_Debugger_Process_Str3
db "OLLYDBG.EXE",0
FD_Find_Debugger_Process_Str3:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
call FD_Find_Debugger_Process_Str4
db "PEID.EXE",0
FD_Find_Debugger_Process_Str4:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
call FD_Find_Debugger_Process_Str5
db "SOFTICE.EXE",0
FD_Find_Debugger_Process_Str5:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
call FD_Find_Debugger_Process_Str6
db "LORDPE.EXE",0
FD_Find_Debugger_Process_Str6:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
call FD_Find_Debugger_Process_Str7
db "IMPORTREC.EXE",0
FD_Find_Debugger_Process_Str7:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
call FD_Find_Debugger_Process_Str8
db "W32DSM89.EXE",0
FD_Find_Debugger_Process_Str8:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
call FD_Find_Debugger_Process_Str9
db "WINDBG.EXE",0
FD_Find_Debugger_Process_Str9:
push edi
call dword ptr [ebx].xlstrcmpiA
test eax, eax
jz Found_FD_Find_Debugger_Process
lea eax, [ebp+FD_Find_Debugger_Process_pe32]
push eax
push dword ptr [ebp+FD_Find_Debugger_Process_hSnapshot]
call dword ptr [ebx].xProcess32Next
test eax, eax
jnz FD_Find_Debugger_Process_Loop
jmp NotFound_FD_Find_Debugger_Process
Exit_FD_Find_Debugger_Process:
;; close the Shotsnap handle
push dword ptr [ebp+FD_Find_Debugger_Process_hSnapshot]
call dword ptr [ebx].xCloseHandle
pop edi                                           ; BUG: pops in push order, not reverse (see NOTE)
pop esi
pop edx
pop ecx
pop ebx
assume ebx : nothing
assume esi : nothing
mov esp, ebp
pop ebp
retn 04h
NotFound_FD_Find_Debugger_Process:
xor eax, eax
jmp Exit_FD_Find_Debugger_Process
Found_FD_Find_Debugger_Process:
mov eax, 1
jmp Exit_FD_Find_Debugger_Process
End_FD_Find_Debugger_Process:
;; ------------------------------------------------------------------
;; FD_Find_Device_Driver
;; Tries CreateFileA on a list of "\\.\<name>" device names that are
;; created by kernel-mode debugging/monitoring tools; a handle that is
;; not INVALID_HANDLE_VALUE is "found" and is closed before returning.
;; CreateFileA's seven arguments are pushed right-to-left (hTemplate,
;; attributes, disposition, security, share, access) and the file name
;; is supplied by the call-over-inline-string trick.
;; In:   [ebp+8] = pointer to WIN32APIBASE
;; Out:  eax = 1 / 0
;; Clobbers: eax, flags; ebx/ecx/edx/esi/edi/ebp saved and restored
;; NOTE(review): the SIWDEBUG probe uses `test al, 032h` on the
;; GetLastError value, i.e. a bit mask on the low byte rather than an
;; equality test against one error code — any code with bits 1, 4 and 5
;; clear counts as "found"; confirm the intended error code. If that
;; CreateFileA succeeds but the last-error bits are set, the handle is
;; not closed. The comment above the FILEM probe says RegMON; FILEM is
;; the FileMon device (REGVXD is RegMon).
;; ------------------------------------------------------------------
FD_Find_Device_Driver:
FD_Find_Device_Driver_Arg_Win32Api equ 08h
push ebp
mov ebp, esp
push ebx
push ecx
push edx
push esi
push edi
mov ebx, dword ptr [ebp+FD_Find_Device_Driver_Arg_Win32Api]
assume ebx : ptr WIN32APIBASE
;; check softice on unknow system
push NULL                                         ; hTemplateFile
push FILE_ATTRIBUTE_NORMAL                        ; dwFlagsAndAttributes
push OPEN_EXISTING                                ; dwCreationDisposition
push NULL                                         ; lpSecurityAttributes
push FILE_SHARE_READ + FILE_SHARE_WRITE           ; dwShareMode
push GENERIC_READ + GENERIC_WRITE                 ; dwDesiredAccess
call FD_Find_Device_Driver_Str1                   ; pushes &"\\.\SIWVID" as lpFileName
db "\\.\SIWVID",0
FD_Find_Device_Driver_Str1:
call dword ptr [ebx].xCreateFileA
cmp eax, INVALID_HANDLE_VALUE
jnz Found_FD_Find_Device_Driver                   ; device opened -> found (handle closed there)
;; check softice 4.05 on win2k
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
call FD_Find_Device_Driver_Str2
db "\\.\NTICE",0
FD_Find_Device_Driver_Str2:
call dword ptr [ebx].xCreateFileA
cmp eax, INVALID_HANDLE_VALUE
jnz Found_FD_Find_Device_Driver
;; check softice on win9x
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
call FD_Find_Device_Driver_Str3
db "\\.\SICE",0
FD_Find_Device_Driver_Str3:
call dword ptr [ebx].xCreateFileA
cmp eax, INVALID_HANDLE_VALUE
jnz Found_FD_Find_Device_Driver
;; check softice on win9x
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
call FD_Find_Device_Driver_Str4
db "\\.\SIWDEBUG",0
FD_Find_Device_Driver_Str4:
call dword ptr [ebx].xCreateFileA
push eax                                          ; keep the handle/INVALID_HANDLE_VALUE across GetLastError
call dword ptr [ebx].xGetLastError
test al, 032h                                     ; bit mask on the low byte of the error code (see NOTE)
pop eax
jz Found_FD_Find_Device_Driver                    ; eax may be INVALID_HANDLE_VALUE on this path
;; check regmon on win9x
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
call FD_Find_Device_Driver_Str5
db "\\.\REGVXD",0
FD_Find_Device_Driver_Str5:
call dword ptr [ebx].xCreateFileA
cmp eax, INVALID_HANDLE_VALUE
jnz Found_FD_Find_Device_Driver
;; check RegMON                                   ; (FILEM is the FileMon device, see NOTE)
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
call FD_Find_Device_Driver_Str6
db "\\.\FILEM",0
FD_Find_Device_Driver_Str6:
call dword ptr [ebx].xCreateFileA
cmp eax, INVALID_HANDLE_VALUE
jnz Found_FD_Find_Device_Driver
;; check TRW
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
call FD_Find_Device_Driver_Str7
db "\\.\TRW",0
FD_Find_Device_Driver_Str7:
call dword ptr [ebx].xCreateFileA
cmp eax, INVALID_HANDLE_VALUE
jnz Found_FD_Find_Device_Driver
;; check softice extender
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ + FILE_SHARE_WRITE
push GENERIC_READ + GENERIC_WRITE
call FD_Find_Device_Driver_Str8
db "\\.\ICEEXT",0
FD_Find_Device_Driver_Str8:
call dword ptr [ebx].xCreateFileA
cmp eax, INVALID_HANDLE_VALUE
jnz Found_FD_Find_Device_Driver
jmp NotFound_FD_Find_Device_Driver
Exit_FD_Find_Device_Driver:
pop edi
pop esi
pop edx
pop ecx
pop ebx
assume ebx : nothing
mov esp, ebp
pop ebp
retn 04h
NotFound_FD_Find_Device_Driver:
xor eax, eax
jmp Exit_FD_Find_Device_Driver
Found_FD_Find_Device_Driver:
push eax                                          ; close the handle we just opened
assume ebx : ptr WIN32APIBASE
call dword ptr [ebx].xCloseHandle
assume ebx : nothing
mov eax, 1
jmp Exit_FD_Find_Device_Driver
End_FD_Find_Device_Driver:
;; ------------------------------------------------------------------
;; FD_Exception_Int3
;; Registers a temporary SEH frame whose handler is the local label
;; FD_Exception_Int3_Exception, clears eax and executes `int 3`. With no
;; debugger the exception reaches the handler, which sets the saved
;; Eax to FFFFFFFFh, advances the saved Eip past the breakpoint and
;; resumes; eax is therefore nonzero afterwards. If eax is still zero
;; the breakpoint was consumed before the handler ran, which the code
;; reports as "found".
;; In:   none
;; Out:  eax = 1 if eax was still 0 after `int 3`, else 0
;; Clobbers: eax, flags; fs:[0] is restored before returning
;; Stack: two dwords (handler, previous fs:[0]) pushed and popped
;; NOTE(review): the handler address is computed at run time from the
;; current EIP (position independent). If the image is linked with
;; SafeSEH the handler must also be in the image's handler table or the
;; dispatcher will refuse it. `inc regEip` assumes the 1-byte CCh
;; encoding of `int 3`; confirm the assembler does not emit CD 03.
;; ------------------------------------------------------------------
FD_Exception_Int3:
call Get_FD_Exception_Int3_Eip
Get_FD_Exception_Int3_Eip:
pop eax                                           ; eax = address of this label
add eax, offset FD_Exception_Int3_Exception - offset Get_FD_Exception_Int3_Eip ; eax = handler address
;; setup exception
assume fs : nothing
push eax                                          ; EXCEPTION_REGISTRATION.Handler
push dword ptr fs : [0]                           ; EXCEPTION_REGISTRATION.Next
mov dword ptr fs : [0], esp                       ; install the frame
;; reset eax
xor eax, eax                                      ; eax == 0 means "handler never ran"
int 03h
;; unsetup exception
pop dword ptr fs : [0]                            ; restore previous frame
add esp, 04h                                      ; discard the handler pointer
;; check the flag
test eax, eax
jz Found_FD_Exception_Int3                        ; still 0 -> breakpoint consumed elsewhere
jmp NotFound_FD_Exception_Int3
;; SEH handler: called as (ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext)
FD_Exception_Int3_Exception:
mov eax, dword ptr [esp+0ch]
;; eax = ContextRecord
assume eax : ptr CONTEXT
mov dword ptr [eax].regEax, 0FFFFFFFFh            ; resumed code sees eax = -1
inc dword ptr [eax].regEip                        ; skip the 1-byte int 3
xor eax, eax                                      ; return 0 = ExceptionContinueExecution
assume eax : nothing
retn                                              ; back to the exception dispatcher
Exit_FD_Exception_Int3:
retn 0h
NotFound_FD_Exception_Int3:
xor eax, eax
jmp Exit_FD_Exception_Int3
Found_FD_Exception_Int3:
mov eax, 1
jmp Exit_FD_Exception_Int3
End_FD_Exception_Int3: