/********************************************************************
Copyright (c) Beijing Feitian Technologies
http://www.FTSafe.com
File : AntiDbg.cpp
Created: 2003/11/05
Author: yihai
Purpose: ?
Revision: ?
*********************************************************************/
// AntiDbg.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include "Psapi.h"
// True when CheckSysVer() sees a platform id other than VER_PLATFORM_WIN32_NT
// (i.e. a Win9x/Me system). Read by Anti_CreateFile() and Anti_SkipCode() to
// pick the 9x or NT code path; within this file it is written only by
// CheckSysVer(), which AppInit() calls before any check runs.
bool g_bWin9x = false;
// Reports whether the first byte at MessageBox's entry point is 0xCC (the
// INT 3 opcode), i.e. whether a software breakpoint has been written there.
// Only reads the byte; nothing is modified. The narrow string literals assume
// a non-UNICODE build (LPCTSTR == const char *).
void Anti_CheckCC()
{
    const BYTE *entry = (const BYTE *)MessageBox;
    const bool breakpointPresent = (entry[0] == 0xcc);
    const char *verdict = breakpointPresent ? "[CC] Debugger detected" : "[CC] no Debugger";
    MessageBox(NULL, verdict, NULL, MB_OK);
}
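// If MessageBox's entry point currently starts with 0xCC (INT 3), overwrite
// that single byte with 0x55 through WriteProcessMemory on our own process
// and report success in a message box. 0x55 is a hard-coded guess at the
// original first prologue byte (presumably `push ebp`) of the Windows 2000
// build of the function; if the guess does not match the loaded build, the
// function is corrupted rather than restored. Writing to the DLL's code page
// triggers copy-on-write, so only this process's mapping is affected.
// The OpenProcess result is checked before use (it was previously passed
// straight to WriteProcessMemory/CloseHandle even when NULL).
void Anti_RemoveCC_Win2k()
{
    PBYTE pData = (PBYTE)MessageBox;
    if (pData[0] != 0xcc) {
        return;
    }
    // A real handle to our own process (not the pseudo-handle) with the
    // rights WriteProcessMemory needs; OpenProcess can still fail, so check.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    if (hProcess == NULL) {
        return;
    }
    BYTE restoreByte = 0x55;
    DWORD bytesWritten = 0;
    BOOL ok = WriteProcessMemory(hProcess, pData, &restoreByte, 1, &bytesWritten);
    CloseHandle(hProcess);
    if (ok) {
        MessageBox(0, "Remove a int 3 successfully", 0, 0);
    }
}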
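// If MessageBox's entry point currently starts with 0xCC (INT 3), overwrite
// that single byte with 0x83 through WriteProcessMemory on our own process
// and report success in a message box. 0x83 is a hard-coded guess at the
// original first prologue byte of the Windows XP build — presumably the
// 7-byte `cmp dword ptr [imm32],0` that Anti_MessageBoxWinXP() in this file
// also assumes; if the loaded build differs, the function is corrupted rather
// than restored. Writing to the DLL's code page triggers copy-on-write, so
// only this process's mapping is affected.
// The OpenProcess result is checked before use (it was previously passed
// straight to WriteProcessMemory/CloseHandle even when NULL).
void Anti_RemoveCC_WinXP()
{
    PBYTE pData = (PBYTE)MessageBox;
    if (pData[0] != 0xcc) {
        return;
    }
    // A real handle to our own process (not the pseudo-handle) with the
    // rights WriteProcessMemory needs; OpenProcess can still fail, so check.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    if (hProcess == NULL) {
        return;
    }
    BYTE restoreByte = 0x83;
    DWORD bytesWritten = 0;
    BOOL ok = WriteProcessMemory(hProcess, pData, &restoreByte, 1, &bytesWritten);
    CloseHandle(hProcess);
    if (ok) {
        MessageBox(0, "Remove a int 3 successfully", 0, 0);
    }
}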
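// Looks for a top-level window of class "SpyxxProcessPacket". If one exists,
// asks the user what to do with its owning process: IDYES attaches to it with
// DebugActiveProcess(), IDNO terminates it, anything else leaves it alone.
// NOTE(review): the message text says "OLLYDBG" but the class queried is not
// the commented-out "OLLYDBG" class — confirm which tool this is meant to
// match. Terminating a process found only by window class is destructive if
// the class name collides with an unrelated application.
// Robustness: dwProcessId is initialised and the GetWindowThreadProcessId
// result checked (it was read uninitialised on failure); the OpenProcess
// result is checked and the handle closed (it previously leaked).
void Anti_OllyDbg()
{
    //HWND hWnd = FindWindow("OLLYDBG",NULL);
    HWND hWnd = FindWindow("SpyxxProcessPacket", NULL);
    if (hWnd == NULL) {
        MessageBox(0, "No OLLYDBG", 0, 0);
        return;
    }
    int iChoice = MessageBox(NULL, "OLLYDBG detected\nDeath Loop or Terminate it?", NULL, MB_YESNOCANCEL);
    if (iChoice != IDYES && iChoice != IDNO) {
        return; // IDCANCEL, or MessageBox itself failed: do nothing
    }
    DWORD dwProcessId = 0;
    if (GetWindowThreadProcessId(hWnd, &dwProcessId) == 0 || dwProcessId == 0) {
        return; // window went away or its process id is unavailable
    }
    if (iChoice == IDYES) {
        DebugActiveProcess(dwProcessId);
        return;
    }
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess != NULL) {
        TerminateProcess(hProcess, 0);
        CloseHandle(hProcess);
    }
}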
// Windows 9x variant of a CreateFile call that does not execute the first
// 6 bytes of CreateFile itself: the two instructions those bytes are assumed
// to hold (`push edi; push 0x127`, 1 + 5 bytes) are executed here, then
// control jumps to CreateFile+6 with the stack laid out exactly as a normal
// CALL plus that prologue would have left it. Consequence for anyone
// analysing this binary: an entry-point breakpoint or hook on CreateFile is
// not reached by this call path. The prologue bytes are a hard-coded
// assumption about one kernel32 build — if the real prologue differs, the
// call returns garbage or crashes. Returns whatever CreateFile leaves in EAX
// (a file handle or INVALID_HANDLE_VALUE); hFile keeps its initial value only
// if the asm block is never reached.
// NOTE(review): whether `mov ebx,CreateFile` resolves to the kernel32 entry
// point or to an import stub inside this module depends on how the import is
// linked — confirm against the built executable.
HANDLE WINAPI V_CreateFile9x(
    LPCTSTR lpFileName, // file name
    DWORD dwDesiredAccess, // access mode
    DWORD dwShareMode, // share mode
    LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
    DWORD dwCreationDisposition, // how to create
    DWORD dwFlagsAndAttributes, // file attributes
    HANDLE hTemplateFile // handle to template file
)
{
    HANDLE hFile=INVALID_HANDLE_VALUE;
    __asm
    {
        mov ebx,CreateFile              // address we will jump into (see note above)
        push hTemplateFile              // CreateFile's 7 stdcall arguments, right to left
        push dwFlagsAndAttributes
        push dwCreationDisposition
        push lpSecurityAttributes
        push dwShareMode
        push dwDesiredAccess
        push lpFileName
        lea eax,lbl_ret_addr            // fake the return address a CALL would have pushed
        push eax
        push edi                        // replicate the skipped 6-byte prologue ...
        push 0x127                      // ... (push edi = 1 byte, push imm32 = 5 bytes)
        add ebx,6                       // ... and resume just past it
        jmp ebx
    lbl_ret_addr:
        mov hFile,eax                   // CreateFile's RET lands here; EAX holds its result
    }
    return hFile;
}
// Windows NT variant of a CreateFile call that does not execute the first
// 3 bytes of CreateFile itself: the prologue those bytes are assumed to hold
// (`push ebp; mov ebp,esp`, 1 + 2 bytes) is executed here, then control jumps
// to CreateFile+3 with the stack laid out exactly as a normal CALL plus that
// prologue would have left it. Consequence for anyone analysing this binary:
// an entry-point breakpoint or hook on CreateFile is not reached by this call
// path. The prologue bytes are a hard-coded assumption about one kernel32
// build — if the real prologue differs, the call returns garbage or crashes.
// Returns whatever CreateFile leaves in EAX (a file handle or
// INVALID_HANDLE_VALUE).
// NOTE(review): whether `mov ebx,CreateFile` resolves to the kernel32 entry
// point or to an import stub inside this module depends on how the import is
// linked — confirm against the built executable.
HANDLE WINAPI V_CreateFileNT(
    LPCTSTR lpFileName, // file name
    DWORD dwDesiredAccess, // access mode
    DWORD dwShareMode, // share mode
    LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
    DWORD dwCreationDisposition, // how to create
    DWORD dwFlagsAndAttributes, // file attributes
    HANDLE hTemplateFile // handle to template file
)
{
    HANDLE hFile=INVALID_HANDLE_VALUE;
    __asm
    {
        mov ebx,CreateFile              // address we will jump into (see note above)
        push hTemplateFile              // CreateFile's 7 stdcall arguments, right to left
        push dwFlagsAndAttributes
        push dwCreationDisposition
        push lpSecurityAttributes
        push dwShareMode
        push dwDesiredAccess
        push lpFileName
        lea eax,lbl_ret_addr            // fake the return address a CALL would have pushed
        push eax
        push ebp                        // replicate the skipped 3-byte prologue ...
        mov ebp,esp                     // ... (push ebp = 1 byte, mov ebp,esp = 2 bytes)
        add ebx,3                       // ... and resume just past it
        jmp ebx
    lbl_ret_addr:
        mov hFile,eax                   // CreateFile's RET lands here; EAX holds its result
    }
    return hFile;
}
// Drop-in replacement for CreateFile that forwards to the prologue-skipping
// variant matching the running platform: V_CreateFile9x when g_bWin9x is set
// (by CheckSysVer()), V_CreateFileNT otherwise. Same parameters and return
// value as CreateFile.
HANDLE WINAPI Anti_CreateFile(
    LPCTSTR lpFileName, // file name
    DWORD dwDesiredAccess, // access mode
    DWORD dwShareMode, // share mode
    LPSECURITY_ATTRIBUTES lpSecurityAttributes, // SD
    DWORD dwCreationDisposition, // how to create
    DWORD dwFlagsAndAttributes, // file attributes
    HANDLE hTemplateFile // handle to template file
)
{
    HANDLE (WINAPI *impl)(LPCTSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE) =
        g_bWin9x ? V_CreateFile9x : V_CreateFileNT;
    return impl(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
                dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}
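// Sets g_bWin9x from the platform id reported by GetVersionEx: false for
// VER_PLATFORM_WIN32_NT, true for anything else. Queries with the
// OSVERSIONINFOEX size first and retries with the plain OSVERSIONINFO size if
// that call is rejected; if both calls fail, g_bWin9x is left unchanged.
// The BOOL that previously held the first call's result was never read and
// has been removed.
void CheckSysVer()
{
    OSVERSIONINFOEX osvi;
    ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
    osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    if (!GetVersionEx((OSVERSIONINFO *)&osvi)) {
        // Systems that do not accept the EX layout: retry with the base size.
        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        if (!GetVersionEx((OSVERSIONINFO *)&osvi)) {
            return;
        }
    }
    g_bWin9x = (osvi.dwPlatformId != VER_PLATFORM_WIN32_NT);
}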
// One-time start-up: determines the platform (g_bWin9x) so that the checks
// run from WinMain() pick the right code path. Must run before
// Anti_SkipCode() or Anti_CreateFile().
void AppInit()
{
    CheckSysVer();
}
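// Probes for a SoftICE device by opening "\\.\SICE" (Win9x) or
// "\\.\SIWVIDSTART" (NT) through Anti_CreateFile(), and shows a message when
// the open succeeds. A successful open yields a real handle; it was
// previously leaked and is now closed. The narrow string literals assume a
// non-UNICODE build (LPCTSTR == const char *).
void Anti_SkipCode()
{
    const char *deviceName = g_bWin9x ? "\\\\.\\SICE" : "\\\\.\\SIWVIDSTART";
    const char *report = g_bWin9x ? "SICE started\n" : "SIWVIDSTART started\n";
    HANDLE hDevice = Anti_CreateFile(deviceName, GENERIC_READ, FILE_SHARE_READ, NULL,
                                     OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        return;
    }
    CloseHandle(hDevice);
    MessageBox(0, report, 0, 0);
}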
// Windows XP variant of a MessageBox call that does not execute the first
// 7 bytes of MessageBox itself. The code assumes those bytes are a
// `cmp dword ptr [imm32],0` (7 bytes, address operand at offset 2): it loads
// that operand from MessageBox+2, performs the same compare here, then jumps
// to MessageBox+7. JMP does not modify flags, so the compare's result is
// carried into the callee as if it had executed the instruction itself.
// Consequence for anyone analysing this binary: an entry-point breakpoint or
// hook on MessageBox is not reached by this call path. The prologue
// assumption is hard-coded for one user32 build — if it differs, the call
// returns garbage or crashes. Returns MessageBox's result from EAX; -1 only
// if the asm block is never reached. Currently unused: the call in WinMain()
// is commented out.
// NOTE(review): whether `mov ebx,MessageBox` resolves to the user32 entry
// point or to an import stub inside this module depends on how the import is
// linked — confirm against the built executable.
int WINAPI Anti_MessageBoxWinXP(
    HWND hWnd, // handle to owner window
    LPCTSTR lpText, // text in message box
    LPCTSTR lpCaption, // message box title
    UINT uType // message box style
)
{
    int iRetVal = -1;
    __asm
    {
        mov ebx,MessageBox              // address we will jump into (see note above)
        mov edx,[ebx+2]                 // imm32 operand of the assumed `cmp dword ptr [imm32],0`
        push uType                      // MessageBox's 4 stdcall arguments, right to left
        push lpCaption
        push lpText
        push hWnd
        lea eax,lbl_ret_addr            // fake the return address a CALL would have pushed
        push eax
        add ebx,7                       // resume just past the assumed 7-byte instruction
        cmp [edx],0                     // replicate that instruction; flags survive the jmp
        jmp ebx
    lbl_ret_addr:
        mov iRetVal,eax                 // MessageBox's RET lands here; EAX holds its result
    }
    return iRetVal;
}
// Entry point: initialises the platform flag, then runs each check in turn
// (INT 3 at MessageBox's entry, a "SpyxxProcessPacket" window, a SoftICE
// device). Each check reports via its own message box; nothing is returned
// to the caller beyond a constant 0. The command-line and window parameters
// are unused.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    AppInit();          // sets g_bWin9x; must precede Anti_SkipCode()
    Anti_CheckCC();
    Anti_OllyDbg();
    Anti_SkipCode();
    //Anti_MessageBoxWinXP(0,"skip in WinXP",0,0);
    return 0;
}