/********************************************************************
Copyright (c) Beijing Feitian Technologies
http://www.FTSafe.com
File : CheckNT.cpp
Created: 2003/11/05
Author: yihai
Purpose: ?
Revision: ?
*********************************************************************/
// CheckNT.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <conio.h>
#include <Windows.h>
// Function-pointer types for the two kernel32 debugger-query exports.  They are
// resolved with GetProcAddress in chk_UserDbg, which tolerates either export
// being absent (the pointers are NULL-checked before use).
typedef BOOL (WINAPI *TPFN_IsDebuggerPresent)();
typedef BOOL (WINAPI *TPFN_CheckRemoteDebuggerPresent)(HANDLE hProcess,PBOOL pbDebuggerPresent);
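/*
 * chk_UserDbg - user-mode debugger check through the kernel32 exports.
 *
 * Resolves IsDebuggerPresent and CheckRemoteDebuggerPresent at run time
 * (either may be missing from the loaded kernel32) and reports TRUE if
 * either says a debugger is attached to this process.  Prints
 * " Remote Debugger" when the second query fires.
 *
 * Fixes vs. the original: the module handle from LoadLibrary was never
 * checked; the process was re-opened with PROCESS_ALL_ACCESS (far more
 * than a status query needs) and that handle was passed on even when
 * OpenProcess had failed.  GetCurrentProcess() already yields a handle
 * with full access to ourselves and cannot fail, so it is used instead.
 *
 * Returns TRUE if a debugger was detected, FALSE otherwise (including
 * when neither export can be resolved).
 */
BOOL chk_UserDbg()
{
    BOOL bRet = FALSE;
    HMODULE hMod = LoadLibrary("KERNEL32.DLL");
    if (hMod == NULL)
        return FALSE;

    // Local names are prefixed so they do not shadow the Windows.h prototypes.
    TPFN_IsDebuggerPresent pfnIsDebuggerPresent =
        (TPFN_IsDebuggerPresent)GetProcAddress(hMod, "IsDebuggerPresent");
    if (pfnIsDebuggerPresent)
        bRet = pfnIsDebuggerPresent();

    TPFN_CheckRemoteDebuggerPresent pfnCheckRemote =
        (TPFN_CheckRemoteDebuggerPresent)GetProcAddress(hMod, "CheckRemoteDebuggerPresent");
    if (pfnCheckRemote)
    {
        BOOL bDbg = FALSE;
        // The pseudo-handle needs no OpenProcess/CloseHandle pair; a failed
        // call leaves bDbg FALSE, which reads as "not detected".
        if (pfnCheckRemote(GetCurrentProcess(), &bDbg) && bDbg)
        {
            bRet = TRUE;
            printf(" Remote Debugger\n");
        }
    }

    FreeLibrary(hMod);
    return bRet;
}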
/*
 * chk_I3SEH - breakpoint-swallowing check.
 *
 * Executes a software breakpoint (int 3) inside an SEH frame.  With no
 * debugger attached the breakpoint raises an exception that lands in the
 * __except block; an attached debugger typically consumes the breakpoint
 * itself, so execution continues with the statement after the int 3.
 *
 * Returns TRUE if the breakpoint was swallowed (debugger present), FALSE
 * if the exception reached this function's own handler.
 */
BOOL chk_I3SEH()
{
    BOOL bSwallowed = FALSE;
    __try
    {
        __asm int 3
        bSwallowed = TRUE;   // only reached when the breakpoint did not raise to us
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bSwallowed = FALSE;
    }
    return bSwallowed;
}
// Leading bytes of the Process Environment Block.  Only the first three
// fields are modelled -- enough to reach BeingDebugged (byte offset 2),
// which is all chk_TEB reads.
typedef struct tagTiny_PEB
{
BYTE InheritedAddressSpace;
BYTE ReadImageFileExecOptions;
BYTE BeingDebugged;
}*PTINY_PEB;
/*
 * chk_TEB - read PEB.BeingDebugged directly instead of via the API.
 *
 * Fetches the PEB pointer from fs:[0x30] with inline assembly and tests the
 * BeingDebugged byte (see tagTiny_PEB).  x86-only: the inline asm and the
 * fs-relative offset do not apply to x64 builds.
 *
 * Returns true if BeingDebugged is non-zero.
 */
bool chk_TEB()
{
    PTINY_PEB pPeb = NULL;
    __asm mov eax, fs:[0x30]
    __asm mov pPeb, eax
    return pPeb->BeingDebugged != 0;
}
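/*
 * DeviceIsOpenable - try to open a "\\.\name" device object for read and
 * report whether the open succeeded.  The handle is closed again at once;
 * the original code leaked one handle per successful probe.
 */
static bool DeviceIsOpenable(LPCTSTR lpDevicePath)
{
    HANDLE h = CreateFile(lpDevicePath, GENERIC_READ, FILE_SHARE_READ, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_ARCHIVE, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return false;
    CloseHandle(h);
    return true;
}

/*
 * chk_MeltNTICE - probe for the SoftICE device objects.
 *
 * Attempts to open each of the three device names; each one that opens is
 * reported on stdout with the same one-line label the original printed.
 *
 * Returns true if at least one of the devices could be opened.
 */
bool chk_MeltNTICE()
{
    static const struct { LPCTSTR path; const char *label; } probes[] = {
        { "\\\\.\\NTICE",       " NTICE\n" },
        { "\\\\.\\SIWSYM",      " SIWSYM\n" },
        { "\\\\.\\SIWVIDSTART", " SIWVIDSTART\n" },
    };
    bool bRet = false;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
    {
        if (DeviceIsOpenable(probes[i].path))
        {
            printf("%s", probes[i].label);
            bRet = true;
        }
    }
    return bRet;
}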
/*
 * chk_IceBackDoor - int 3 with the si/di register signature in place.
 *
 * Same shape as chk_I3SEH: the breakpoint is issued inside an SEH frame,
 * this time with si and di preloaded.  If the exception reaches the
 * __except block nothing intercepted it; if execution falls through to the
 * statement after the asm block, something consumed the breakpoint.
 *
 * Returns TRUE if the breakpoint was swallowed, FALSE otherwise.
 */
BOOL chk_IceBackDoor()
{
    BOOL bSwallowed = FALSE;
    __try
    {
        __asm
        {
            mov si, 0x4647
            mov di, 0x4a4d
            int 3
        }
        bSwallowed = TRUE;   // only reached when no exception was raised to us
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bSwallowed = FALSE;
    }
    return bSwallowed;
}
/*
 * chk_UEF - look for a breakpoint planted on UnhandledExceptionFilter.
 *
 * Reads the first byte of kernel32!UnhandledExceptionFilter and compares it
 * with 0xcc, the x86 int 3 opcode.
 *
 * Returns true if that byte is 0xcc.
 */
bool chk_UEF()
{
    const BYTE *pEntry = (const BYTE *)UnhandledExceptionFilter;
    return *pEntry == 0xcc;
}
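/*
 * chk_SCMan - ask the Service Control Manager whether service lpSrvName is
 * currently running.
 *
 * Fixes vs. the original: schService was passed to CloseServiceHandle
 * uninitialised whenever OpenSCManager failed (undefined behaviour), and
 * both handles were requested with *_ALL_ACCESS, which is denied to
 * non-administrators and so silently turned the check into "not running".
 * SC_MANAGER_CONNECT and SERVICE_QUERY_STATUS are all this query needs.
 *
 * lpSrvName: service name as known to the SCM (not a display name).
 * Returns true only if the service exists and reports SERVICE_RUNNING;
 * false on any failure to connect, open or query.
 */
bool chk_SCMan(LPCTSTR lpSrvName)
{
    bool bRet = false;
    SC_HANDLE schSCManager = OpenSCManager(
        NULL,               // machine (NULL == local)
        NULL,               // database (NULL == default)
        SC_MANAGER_CONNECT  // least privilege needed to open a service
    );
    if (schSCManager == NULL)
        return false;

    SC_HANDLE schService = OpenService(schSCManager, lpSrvName, SERVICE_QUERY_STATUS);
    if (schService != NULL)
    {
        SERVICE_STATUS ss;
        if (QueryServiceStatus(schService, &ss) && ss.dwCurrentState == SERVICE_RUNNING)
            bRet = true;
        CloseServiceHandle(schService);
    }
    CloseServiceHandle(schSCManager);
    return bRet;
}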
// Prototype of the ntdll NtQuerySystemInformation / ZwQuerySystemInformation
// export; it is resolved by name at run time in chk_QuerySysInfo.  The return
// value is an NTSTATUS (negative on failure).
typedef LONG (WINAPI *TPFN_NtQuerySystemInformation)(
IN int SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
// SystemInformationClass value for the loaded-kernel-module list.
#define QSI_SYSTEM_MODULE_INFORMATION 11
// One entry of the kernel module list.  The driver file name lives inside
// abName at byte offset wNameOffset (the leading part holds the path).
typedef struct _SYSTEM_MODULE
{
DWORD dReserved01;
DWORD d04;
PVOID pAddress;
DWORD dSize; // bytes
DWORD dFlags;
WORD wId; // zero based
WORD wRank; // 0 if not assigned
WORD w18;
WORD wNameOffset;
BYTE abName [256];
}
SYSTEM_MODULE,
* PSYSTEM_MODULE,
**PPSYSTEM_MODULE;
// - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
// Variable-length result buffer: dCount entries follow the count field.
// aSM[1] is the classic pre-C99 trailing-array idiom; the real buffer is
// sized as 4 + dCount * sizeof(SYSTEM_MODULE) by the caller.
typedef struct _SYSTEM_MODULE_INFORMATION
{
DWORD dCount;
SYSTEM_MODULE aSM [1];
}
SYSTEM_MODULE_INFORMATION,
* PSYSTEM_MODULE_INFORMATION,
**PPSYSTEM_MODULE_INFORMATION;
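/*
 * chk_QuerySysInfo - scan the kernel module list for SoftICE drivers.
 *
 * Resolves the query export named by lpProcName ("NtQuerySystemInformation"
 * or "ZwQuerySystemInformation") from ntdll, fetches the
 * SystemModuleInformation list and prints a label for each of NTICE.SYS,
 * KIKME.SYS and IceExt.SYS found.
 *
 * Fixes vs. the original: both query results were ignored, so a failed
 * second call left the loop walking an uninitialised buffer; the buffer
 * was sized purely from dCount of a possibly-failed sizing call (the
 * ReturnLength the kernel reports is now preferred); the loop bound came
 * from the allocation size rather than the entry count, and wNameOffset
 * was used as an index into abName without a bounds check.
 *
 * lpProcName: export name to resolve from ntdll.
 * Returns true if at least one of the three drivers is listed.
 */
bool chk_QuerySysInfo(LPCTSTR lpProcName)
{
    bool bRet = false;
    HMODULE hNtDll = LoadLibrary("NtDll.dll");
    if (hNtDll == NULL)
        return false;

    TPFN_NtQuerySystemInformation pfnQuery =
        (TPFN_NtQuerySystemInformation)GetProcAddress(hNtDll, lpProcName);
    if (pfnQuery)
    {
        // Sizing call.  A one-entry buffer is expected to be too small; the
        // required size comes back in dwRetLen.  If that is not filled in,
        // fall back to the count-based estimate the original relied on.
        DWORD dwRetLen = 0;
        SYSTEM_MODULE_INFORMATION sysModInfo;
        memset(&sysModInfo, 0, sizeof sysModInfo);
        pfnQuery(QSI_SYSTEM_MODULE_INFORMATION, &sysModInfo, sizeof sysModInfo, &dwRetLen);

        DWORD dwSystInfoLen = dwRetLen;
        if (dwSystInfoLen < sizeof sysModInfo)
            dwSystInfoLen = sizeof(DWORD) + sysModInfo.dCount * sizeof(SYSTEM_MODULE);

        if (dwSystInfoLen >= sizeof(DWORD))
        {
            PBYTE pSystemInformation = new BYTE[dwSystInfoLen];
            memset(pSystemInformation, 0, dwSystInfoLen);
            dwRetLen = 0;
            LONG status = pfnQuery(QSI_SYSTEM_MODULE_INFORMATION, pSystemInformation,
                                   dwSystInfoLen, &dwRetLen);
            if (status >= 0)   // NTSTATUS: success codes are non-negative
            {
                PSYSTEM_MODULE_INFORMATION pModInfo = (PSYSTEM_MODULE_INFORMATION)pSystemInformation;
                // Walk only entries that both the kernel reports and our
                // buffer actually holds.
                DWORD capacity = (dwSystInfoLen - sizeof(DWORD)) / sizeof(SYSTEM_MODULE);
                DWORD count = pModInfo->dCount < capacity ? pModInfo->dCount : capacity;
                for (DWORD i = 0; i < count; i++)
                {
                    const SYSTEM_MODULE &mod = pModInfo->aSM[i];
                    if (mod.wNameOffset >= sizeof mod.abName)
                        continue;   // malformed entry: never index past abName
                    // abName carries no termination guarantee; bound the compare
                    // to what is left of the array after the offset.
                    const char *name = (const char *)mod.abName + mod.wNameOffset;
                    size_t maxLen = sizeof mod.abName - mod.wNameOffset;
                    if (_strnicmp(name, "NTICE.SYS", maxLen) == 0)
                    {
                        printf(" NTICE\n");
                        bRet = true;
                    }
                    else if (_strnicmp(name, "KIKME.SYS", maxLen) == 0)
                    {
                        printf(" NTICE+IceExt\n");
                        bRet = true;
                    }
                    else if (_strnicmp(name, "IceExt.SYS", maxLen) == 0)
                    {
                        printf(" IceExt\n");
                        bRet = true;
                    }
                }
            }
            delete[] pSystemInformation;
        }
    }
    FreeLibrary(hNtDll);
    return bRet;
}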
/*
 * CrashSoftICE - issue int 3 with ax/si/di preloaded and swallow whatever
 * exception results.
 *
 * Uses the same si/di values as chk_IceBackDoor plus ax = 0x0902 (presumably
 * a function selector for that interface -- not documented here, confirm
 * against the SoftICE interface description).  As the name says, the intent
 * is to bring the kernel debugger down, which takes the host with it; main
 * therefore only calls this after an explicit y/n confirmation.  Returns
 * nothing and reports nothing.
 */
void CrashSoftICE()
{
__try
{
__asm
{
mov ax,0x0902
mov si,0x4647
mov di,0x4a4d
int 3
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
// Nothing to do: with no debugger present the breakpoint simply raises here.
}
}
/*
 * report - print the outcome line of one check: hit text when detected,
 * miss text otherwise.  The texts are printed verbatim.
 */
static void report(bool detected, const char *hit, const char *miss)
{
    printf("%s", detected ? hit : miss);
}

/*
 * main - run every check in turn, printing a "[Section]" header before each
 * and a one-line verdict after it.  Checks that find something may print
 * extra detail lines of their own between header and verdict.  Finally
 * offers to run CrashSoftICE, which is destructive to the host, and only
 * does so after a 'y'/'Y' keypress.  Command-line arguments are ignored.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    printf("[UserDbg]\n");
    report(chk_UserDbg() != FALSE, " UserDebugger detected.\n", " no UserDebugger.\n");

    printf("[chk_TEB]\n");
    report(chk_TEB(), " Debugger detected.\n", " no Debugger.\n");

    printf("[I3SEH]\n");
    report(chk_I3SEH() != FALSE, " Debugger dectected.\n", " no Debugger.\n");

    printf("[MeltNTICE]\n");
    report(chk_MeltNTICE(), " NTICE dectected.\n", " no NTICE.\n");

    printf("[IceBackDoor]\n");
    report(chk_IceBackDoor() != FALSE, " NTICE dectected.\n", " no NTICE.\n");

    printf("[UnhandledExceptionFilter]\n");
    report(chk_UEF(), " NTICE dectected.\n", " no NTICE.\n");

    printf("[SCMan]\n");
    report(chk_SCMan("NTICE"), " NTICE dectected.\n", " no NTICE.\n");

    printf("[SCMan]\n");
    report(chk_SCMan("IceExt"), " IceExt dectected.\n", " no IceExt.\n");

    printf("[SCMan]\n");
    report(chk_SCMan("SIWVID"), " SIWVID dectected.\n", " no SIWVID.\n");

    printf("[NtQuerySystemInformation]\n");
    report(chk_QuerySysInfo("NtQuerySystemInformation"), " NTICE dectected.\n", " no NTICE.\n");

    printf("[ZwQuerySystemInformation]\n");
    report(chk_QuerySysInfo("ZwQuerySystemInformation"), " NTICE dectected.\n", " no NTICE.\n");

    // Destructive step: requires an explicit confirmation keypress.
    printf("SoftICE will be crashed,do you want to continue(y/n)?.\n");
    int ch = getche();
    if (ch == 'y' || ch == 'Y')
        CrashSoftICE();
    return 0;
}