;@GOTO TRANSLATE
; The line above makes this file a batch/MASM hybrid. MASM reads it as a
; comment. Run as a batch script, it is intended to jump to the :TRANSLATE
; label after END, where the script assembles this same file (passed as %0)
; and links it into SuperBPM.vxd.
; Syntax: MASM (Intel operand order), 32-bit privileged instruction set.
; Everything assembled here is placed in the VxD's locked code and data
; segments.
.386p
;******************************************************************************
; I N C L U D E S
;******************************************************************************
; WIN40COMPAT and MASM6 are defined before the DDK headers are included;
; presumably VMM.Inc tests them - confirm against the DDK headers.
WIN40COMPAT equ 0 ;!!!!!!!!!!!!!!!!!!!!!!!! YES
MASM6 EQU 0
INCLUDE VMM.Inc
; INCLUDE Debug.Inc
INCLUDE VWIN32.INC
; UNICODE=0
; ARGUMENTS = 0
; INCLUDE W32MAIN.INC
FALSE EQU 0
TRUE EQU 1
; Unhook/Erase/Monitor are not referenced by the code in this listing; the
; code uses the CmdUnhook/CmdErase/CmdMonit equates, which carry the same
; values and are defined after the locked code segment.
Unhook EQU 0
Erase EQU 1
Monitor EQU 2
;******************************************************************************
; P A G E L O C K E D C O D E
;------------------------------------------------------------------------------
; Memory is a scarce resource. Use this only where necessary.
;******************************************************************************
VxD_LOCKED_CODE_SEG
;******************************************************************************
;
; VXD_Control
;
; DESCRIPTION:
;
; This is a call-back routine to handle the messages that are sent
; to VxD's to control system operation. Every VxD needs this function
; regardless if messages are processed or not. The control proc must
; be in the LOCKED code segment.
;
; The Control_Dispatch macro used in this procedure simplifies
; the handling of messages. To handle a particular message, add
; a Control_Dispatch statement with the message name, followed
; by the procedure that should handle the message.
;
; This control proc dispatches two messages:
;   W32_DEVICEIOCONTROL -> VXD_DEVICEIOCONTROL (selects the hook mode)
;   TERMINATE_THREAD    -> VXD_TERMINATE_THREAD (drops the saved
;                          debug-register state for the recorded thread)
; Every other message falls through and returns with carry clear.
;
; NOTE(review): nothing in this file checks which process sends the
; W32_DEVICEIOCONTROL request, so any caller that can open the device can
; change the hook state.
;
; ENTRY:
; EAX = Message number
; EBX = VM Handle
;
; EXIT:
; Carry clear when the message is not dispatched to a handler.
;
;==============================================================================
BeginProc VXD_Control
Control_Dispatch W32_DEVICEIOCONTROL, VXD_DEVICEIOCONTROL
Control_Dispatch TERMINATE_THREAD, VXD_TERMINATE_THREAD
; Messages not dispatched above: report success (carry clear).
CLC
RET
EndProc VXD_Control
;------------------------------------------------------------------------------
; VXD_TERMINATE_THREAD - handler for the TERMINATE_THREAD control message.
;
; Discards the saved debug-register snapshot when the thread in EDI is the
; one recorded in TheThread, so a stale snapshot is never restored later.
;
; ENTRY:  EDI is compared with TheThread (presumably the handle of the
;         terminating thread - confirm against the DDK).
; EXIT:   Carry clear.
;
; ANDit:: is a public entry point inside this procedure. The unhook path of
; VXD_DEVICEIOCONTROL CALLs it to clear Saved and TheThread; entered that
; way it changes no general register and returns with carry clear.
;------------------------------------------------------------------------------
BeginProc VXD_TERMINATE_THREAD
        CMP     TheThread, EDI          ; is this the thread we recorded?
        JNE     TT_Exit                 ; no: leave the snapshot alone
ANDit::
        AND     Saved, FALSE            ; snapshot is no longer valid
        AND     TheThread, 0            ; forget the recorded thread
TT_Exit:
        CLC
        RET
EndProc VXD_TERMINATE_THREAD
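;------------------------------------------------------------------------------
; VXD_DEVICEIOCONTROL - handler for the W32_DEVICEIOCONTROL control message.
;
; Selects the hook mode. The dword at [ESI+12] is read as the control code
; (presumably DIOCParams.dwIoControlCode - confirm against VWIN32.INC), and
; code - 1 is the requested mode: CmdUnhook (0), CmdErase (1), CmdMonit (2).
; A control code of zero or below, an unknown mode, or a request for the
; mode already active is answered with success and changes nothing.
;
; Hooking saves the handler pointer found in slot 15h of the VWIN32 Win32
; service table (offset 38h of the DDB) in OrigSTC and writes the address
; of HookedSTC over it. Unhooking writes OrigSTC back and clears the saved
; debug-register state.
;
; ENTRY:  ESI -> DeviceIoControl parameter block.
; EXIT:   EAX = 0 and carry clear on every path.
; USES:   EAX, ECX, EDX, flags.
;
; NOTE(review): this patches a system service table from ring 0 and does
; not check who sent the request. The table write and the HookedSTC state
; are not synchronised with threads already running inside the hook.
;------------------------------------------------------------------------------
BeginProc VXD_DEVICEIOCONTROL
        MOV     EDX, [ESI+12]           ; EDX = control code
        DEC     EDX                     ; EDX = requested mode (code - 1)
        JS      Quit_IOCTL              ; code was zero or below: nothing to do
        CMP     EDX, CmdMonit
        JA      Quit_IOCTL              ; not a known mode: ignore the request
        CMP     DL, PreserveMode
        JE      Quit_IOCTL              ; already in the requested mode
        MOV     EAX, VWIN32_DEVICE_ID
        VMMCall Get_DDB                 ; ECX = VWIN32 DDB, zero if not found
        OR      ECX, ECX
        JZ      Quit_IOCTL              ; no DDB: do not dereference a null pointer
        MOV     ECX, [ECX+38H]          ; WCALL TABLE
        ADD     ECX, 8+8*15H            ; ECX -> 8-byte slot 15h, past the 8-byte header
        CMP     DWORD PTR [ECX+4], 2    ; second dword of the slot must be 2
        JNE     Failed0                 ; unexpected table layout: do not patch
        OR      EDX, EDX
        JE      UnhookIt
        ; Switching between CmdErase and CmdMonit while the hook is already
        ; installed must not save the slot again: it now holds HookedSTC, so
        ; OrigSTC would point back at the hook and its final JMP OrigSTC would
        ; never leave. Only the mode byte changes in that case.
        CMP     PreserveMode, CmdUnhook
        JNE     Failed
        MOV     EAX, [ECX]
        MOV     OrigSTC, EAX            ; remember the original handler
        MOV     [ECX], OFFSET HookedSTC ; install the hook
        JMP     Failed                  ; despite its name, this label commits DL
UnhookIt:
        MOV     EAX, OrigSTC
        CALL    ANDit                   ; clear Saved and TheThread; EAX is unchanged
        MOV     [ECX], EAX              ; put the original handler back
Failed0:
        MOV     DL, 0                   ; fall back to CmdUnhook
Failed:
        MOV     PreserveMode, DL        ; record the mode now in effect
Quit_IOCTL:
        SUB     EAX, EAX                ; EAX = 0: report success to the caller
        CLC
        RET
EndProc VXD_DEVICEIOCONTROL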
;------------------------------------------------------------------------------
; HookedSTC - replacement handler that VXD_DEVICEIOCONTROL installs in the
; VWIN32 service-table slot. It runs before the original handler and always
; ends by jumping to it through OrigSTC.
;
; CmdErase mode: clears bit 10h of the byte at [ECX] and passes the call on.
; Any other mode (CmdMonit in practice):
;   - byte at [ECX+18h] non-zero and no snapshot held: records the current
;     thread in TheThread, copies DR0-DR3, DR6 and DR7 into SavedDRx and
;     sets Saved.
;   - byte at [ECX+18h] zero, same thread, snapshot held: reloads
;     DR0-DR3, DR6 and DR7 from SavedDRx, clears Saved, then clears
;     bit 10h of the byte at [ECX].
;   - byte at [ECX+18h] zero, same thread, no snapshot: only clears bit 10h.
;
; ECX is loaded from the caller's frame; the source comment calls it CONTEXT.
; Presumably [ECX] is CONTEXT.ContextFlags (10h being the debug-register
; bit) and [ECX+18h] is the low byte of CONTEXT.Dr7 - confirm against the
; i386 CONTEXT layout.
;
; Preserves EFLAGS, EAX, ECX, ESI and EDI for the original handler.
;
; NOTE(review): the pointer in ECX is read and written in ring 0 without a
; null or range check; if the caller of the service controls it, a bad
; pointer faults or is written through here. Saved, TheThread and SavedDRx
; are shared with the other handlers without synchronisation.
;------------------------------------------------------------------------------
HookedSTC PROC
PUSHFD
PUSH EAX
PUSH ECX
PUSH ESI
PUSH EDI
; 5*4 skips the five dwords pushed above; the +4 and +3*4 presumably skip a
; return address and three further dwords of the service frame - confirm.
MOV ECX, [ESP+5*4 +4 +3*4] ;CONTEXT
CMP PreserveMode, CmdErase
JE HackContext
; AND (CONTEXT PTR [ECX]).cx_Dr7, 0
; AND DWORD PTR [ECX+4+5*4], 0
; AND BYTE PTR [ECX+4+5*4], 0
; HackContext:
; AND BYTE PTR [ECX], NOT 10H
; JMP Done
; The anonymous label below is not targeted by any jump in this procedure.
@@:
; The code below uses EDI as the current thread handle after this call.
VMMCall Get_Cur_Thread_Handle
; MOV EAX, [ESP+5*4 +4]
; CMP (CONTEXT PTR [ECX]).cx_Dr7, 0
; CMP DWORD PTR [ECX+4*5+4], 0 !!!!!!!!!
; Only the low byte at offset 18h is tested, not the whole dword.
CMP BYTE PTR [ECX+4*5+4], 0
JE Restore
; Non-zero byte: take a snapshot unless one is already held.
CMP Saved, TRUE
JE Done
MOV TheThread, EDI
; Store DR0-DR3, DR6, DR7 in that order into SavedDRx (six dwords).
; EDI is reused as the store pointer; its saved value is popped at Done.
CLD
MOV EDI, OFFSET SavedDRx
MOV EAX, DR0
STOSD
MOV EAX, DR1
STOSD
MOV EAX, DR2
STOSD
MOV EAX, DR3
STOSD
MOV EAX, DR6
STOSD
MOV EAX, DR7
STOSD
; OR AL, AL
; JE @f
MOV Saved, TRUE
; INC Saved
; @@:
; MOV ActiveDRx, AL
JMP Done
Restore:
; Zero byte: act only for the thread that owns the snapshot.
CMP EDI, TheThread
JNE Done
; (original author's note, translated: "that is the question?????")
; AND BYTE PTR [ECX], NOT 10H
CMP Saved, FALSE
; JNE DoiT ;?????
; CMP ActiveDRx, FALSE
; JE Done
; No snapshot held: skip the reload and only clear bit 10h.
JE HackContext
; DoiT:
; Reload the debug registers in the same order they were stored.
CLD
MOV ESI, OFFSET SavedDRx
LODSD
MOV DR0, EAX
LODSD
MOV DR1, EAX
LODSD
MOV DR2, EAX
LODSD
MOV DR3, EAX
LODSD
MOV DR6, EAX
LODSD
MOV DR7, EAX
MOV Saved, FALSE
;AND TheThread, 0
;DEC Saved
HackContext:
; Clear bit 10h of the first byte of the caller's structure.
AND BYTE PTR [ECX], NOT 10H
Done:
; Restore the registers and flags (including the direction flag changed by
; CLD), then continue in the original handler with the caller's frame intact.
POP EDI
POP ESI
POP ECX
POP EAX
POPFD
JMP OrigSTC
HookedSTC ENDP
VxD_LOCKED_CODE_ENDS
; Mode values kept in PreserveMode. VXD_DEVICEIOCONTROL derives the mode as
; (control code - 1).
CmdUnhook EQU 0
CmdErase EQU 1
CmdMonit EQU 2
; Locked data shared by the control handlers and HookedSTC.
VxD_LOCKED_DATA_SEG
; Original handler pointer taken from the service-table slot; HookedSTC
; jumps through it.
OrigSTC DWORD 0
; Thread handle recorded when the debug-register snapshot was taken.
TheThread DWORD 0
; Snapshot of DR0, DR1, DR2, DR3, DR6, DR7, in that order.
SavedDRx DWORD 6 DUP (?)
; Current mode; CmdUnhook until a hook request succeeds.
PreserveMode BYTE CmdUnhook
; TRUE while SavedDRx holds a snapshot.
Saved BYTE FALSE
; ActiveDRx BYTE FALSE
VxD_LOCKED_DATA_ENDS
; Device SUPERBPM, version 1.0, control procedure VXD_Control, no assigned
; device ID; the remaining arguments are left empty.
Declare_Virtual_Device SUPERBPM, 1, 0, VXD_Control, Undefined_Device_ID ,,,
END
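:TRANSLATE
@ECHO OFF
REM Build section of the batch/MASM hybrid. MASM stops reading at END, so
REM only the command interpreter sees these lines. %0 is this file itself.
REM The DDK include path below is hard-coded; adjust it to the local install.
ML /nologo /c /IC:\98DDK\INC\WIN98 %0
REM Do not link when the assembler failed, so a stale SuperVxD.OBJ left in
REM this directory is never linked into SuperBPM.vxd.
IF ERRORLEVEL 1 GOTO CLEANUP
LINK /VXD /EXETYPE:DYNAMIC SuperVxD.OBJ /DEF:SuperVxD.DEF /OUT:SuperBPM.vxd /ALIGN:0X400
:CLEANUP
REM Remove intermediate files; IF EXIST avoids errors for files never created.
IF EXIST SuperVxD.OBJ DEL SuperVxD.OBJ
IF EXIST SuperBPM.EXP DEL SuperBPM.EXP
IF EXIST SuperBPM.LIB DEL SuperBPM.LIB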