processmain.pas

各种反分析软件的手法,包括(反Dede,反单步跟踪,反SoftICE,Ollydbg,反静态分析,以及程序自身的CRC32效验等,对于初学者有很大的帮助.

unit ProcessMain;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, TlHelp32, ComCtrls;

type
  TForm1 = class(TForm)
    StatusBar1: TStatusBar;
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

//*********************************************
//通过查找进程列表实现检测FileMon和RegMon
//*********************************************
//检测FileMon
function AntiFileMon():Boolean;
var
  hSnap:THandle;
  Process32:PROCESSENTRY32;
  LoopFlag:BOOL;
  szFileName:String;
begin
  ////得到所有进程的列表快照
  hSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if hSnap=INVALID_HANDLE_VALUE then
  begin
    Result:=False;
    Exit;
  end;
  Process32.dwSize:=sizeof(PROCESSENTRY32);
  //查找进程
  LoopFlag:=Process32First(hSnap,Process32);
  if LoopFlag=False then
  begin
    CloseHandle(hSnap);
    Result:=False;
    Exit;
  end;
  while Integer(LoopFlag)<>0 do
    begin
      //取进程名
      szFileName:=ExtractFileName(Process32.szExeFile);
      if UpperCase(szFileName)='FILEMON.EXE' then
        begin
          Result:=True;
          break;
        end
      else
        Result:=False;
      LoopFlag:=Process32Next(hSnap,Process32);
    end;
  CloseHandle(hSnap);
end;

//检测RegMon
function AntiRegMon():Boolean;
var
  hSnap:THandle;
  Process32:PROCESSENTRY32;
  LoopFlag:BOOL;
  szFileName:String;
begin
  ////得到所有进程的列表快照
  hSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if hSnap=INVALID_HANDLE_VALUE then
  begin
    Result:=False;
    Exit;
  end;
  Process32.dwSize:=sizeof(PROCESSENTRY32);
  //查找进程
  LoopFlag:=Process32First(hSnap,Process32);
  if LoopFlag=False then
  begin
    CloseHandle(hSnap);
    Result:=False;
    Exit;
  end;
  while Integer(LoopFlag)<>0 do
    begin
      //取进程名
      szFileName:=ExtractFileName(Process32.szExeFile);
      if UpperCase(szFileName)='REGMON.EXE' then
        begin
          Result:=True;
          break;
        end
      else
        Result:=False;
      LoopFlag:=Process32Next(hSnap,Process32);
    end;
  CloseHandle(hSnap);
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  if AntiFileMon then
    MessageBox(Handle,'注意：发现软件被FileMon监视!','提示',MB_OK+MB_ICONINFORMATION);
  if AntiRegMon then
    MessageBox(Handle,'注意：发现软件被RegMon监视!','提示',MB_OK+MB_ICONINFORMATION);
end;

end.