C++ Anti-Debug Library: x64-compatible!
#include <windows.h>
#include <intrin.h>

// Set non-zero when a debugger is suspected: by suefDebugCheck(), by the
// catch blocks in antiDebug(), and directly by CheckRemoteDebuggerPresent().
// Read by antiDebug() and WinMain().
int DebugBit = 0;
// Number of times vehCheck() has run; WinMain() requires exactly 3.
int countExceptions = 0;
// Set to 1 by antiDebug() right before its deliberate __debugbreak()/DebugBreak()
// so that vehCheck() resumes execution instead of handing the exception on.
int DebugBreakBit = 0;
// Handle returned by AddVectoredExceptionHandler() in antiDebug(); removed in WinMain().
HANDLE vehPtr;

// Reads the first pointer-sized word of the current process's PEB (located via
// fs:[0x30] on x86 / gs:[0x60] on x64) and returns that word cast to a pointer.
// antiDebug() compares the result with 0x00010000, i.e. it treats the word as
// the PEB's packed leading bytes (presumably BeingDebugged in byte 2 — confirm
// against the PEB layout of the targeted Windows versions).
// NOTE(review): the read is 4 bytes on x86 and 8 bytes on x64, so the caller's
// equality test also depends on the neighbouring bytes being zero — verify.
// On any other target neither branch assigns BeingDebuggedBit and it is
// dereferenced uninitialized.
DWORD_PTR *GetBeingDebugged( )
{
    DWORD_PTR *BeingDebuggedBit;
    #ifdef _M_IX86
        BeingDebuggedBit = ( DWORD_PTR * ) __readfsdword( 0x30 );
    #elif _M_X64
        BeingDebuggedBit = ( DWORD_PTR * ) __readgsqword( 0x60 );
    #endif
    // Dereference the PEB base pointer itself (offset 0), not a named field.
    return( ( DWORD_PTR * ) *BeingDebuggedBit );
}

// Intended to locate the PEB's NtGlobalFlag field (offset 0x68 on x86,
// 0xD0 on x64); antiDebug() compares the result with 0x70.
// NOTE(review): the `+ 0x68` / `+ 0xD0` is applied to a DWORD_PTR * after the
// cast, so it advances by 0x68 * sizeof(DWORD_PTR) bytes rather than 0x68
// bytes; the value found there is then dereferenced and offset a second time,
// and what is returned is that pointer value, not the flag word. As written
// this almost certainly does not read the intended field — verify before
// relying on the comparison in antiDebug().
DWORD_PTR *GetNtGlobalFlags( )
{
    DWORD_PTR *NtGlobalFlags;

    #ifdef _M_IX86
        DWORD_PTR *PEB = ( DWORD_PTR * ) __readfsdword( 0x30 ) + 0x68;
        NtGlobalFlags = ( DWORD_PTR * ) *PEB + 0x68;
    #elif _M_X64
        DWORD_PTR *PEB = ( DWORD_PTR * ) __readgsqword( 0x60 ) + 0xD0;
        NtGlobalFlags = ( DWORD_PTR * ) *PEB + 0xD0;
    #endif
    // Returns a pointer, not the flags value (see NOTE above).
    return( ( DWORD_PTR * ) NtGlobalFlags );
}

// Intended to walk from the PEB to the process heap and return its flags;
// antiDebug() compares the result against 0x00800000 / 0x10000000.
// NOTE(review): `&HeapFlags` takes the address of this function's own local
// variable, so the `+ 0x18`/`+ 0x10` (x86) and `+ 0x30`/`+ 0x20` (x64) reads
// walk the current stack frame, not the PEB. The PEB pointer loaded on the
// first line is overwritten without ever being dereferenced, so the returned
// value is whatever happened to be on the stack — verify against the intended
// structure walk before treating the caller's comparisons as meaningful.
// HeapFlags is declared DWORD * but every assignment casts to DWORD_PTR *.
DWORD_PTR *GetHeapFlags( )
{
    DWORD *HeapFlags;
    #ifdef _M_IX86
        HeapFlags = ( DWORD_PTR * ) __readfsdword( 0x30 );
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x18 );
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x10 );
    #elif _M_X64
        HeapFlags = ( DWORD_PTR * ) __readgsqword( 0x60 );
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x30 );
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x20 );
    #endif
    return ( ( DWORD_PTR * ) HeapFlags );
}

// Vectored exception handler registered by antiDebug(). For every exception it
// re-installs the unhandled-exception filter from the Eax value of the faulting
// context (presumably the previous filter left in Eax by the preceding
// SetUnhandledExceptionFilter call — confirm), skips the faulting instruction
// (2 bytes on x86, 4 on x64), bumps countExceptions, and resumes execution only
// while DebugBreakBit == 1.
// NOTE(review): `ContextRecord->Eax` is outside the #ifdef, and the x64 CONTEXT
// structure names its registers Rax/Rip, so the _M_X64 build likely fails to
// compile on that line (same in suefDebugCheck) — verify. The fixed Eip/Rip
// increments assume a particular instruction length at the fault site.
// EXCEPTION_EXECUTE_HANDLER is not one of the two documented return values for
// a vectored handler (EXCEPTION_CONTINUE_EXECUTION / EXCEPTION_CONTINUE_SEARCH).
LONG WINAPI vehCheck( PEXCEPTION_POINTERS pExecpPointers )
{
    SetUnhandledExceptionFilter( ( LPTOP_LEVEL_EXCEPTION_FILTER ) pExecpPointers->ContextRecord->Eax );
    #ifdef _M_IX86
        pExecpPointers->ContextRecord->Eip += 2;
    #elif _M_X64
        pExecpPointers->ContextRecord->Rip += 4;
    #endif
    countExceptions++;   // WinMain() expects this to reach exactly 3
    if( DebugBreakBit == 1 )
        return( EXCEPTION_CONTINUE_EXECUTION );
    else
        return( EXCEPTION_EXECUTE_HANDLER );
}

// Fatal-error path shared by every check in this file: blocks user input,
// shows a modal message box and terminates the process with exitCode.
// Never returns.
void pseudoExit( int exitCode )
{
    static const char *const kMessage = "Please close all active debuggers, and relaunch the application.";
    static const char *const kCaption = "Fatal Error";

    BlockInput( TRUE );
    MessageBox( NULL, kMessage, kCaption, MB_OK );
    ExitProcess( exitCode );
}

// Returns how many of the hardware debug registers DR0..DR3 of the current
// thread are non-zero (0..4). A failed GetThreadContext() is treated as fatal
// and terminates via pseudoExit().
unsigned int GetDebugRegisters( )
{
    CONTEXT ctx = { 0 };
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;

    if( !GetThreadContext( GetCurrentThread( ), &ctx ) )
        pseudoExit( 0x789DABCF );

    // Each comparison contributes 0 or 1.
    unsigned int used = 0;
    used += ( ctx.Dr0 != 0 );
    used += ( ctx.Dr1 != 0 );
    used += ( ctx.Dr2 != 0 );
    used += ( ctx.Dr3 != 0 );
    return used;
}

// Top-level unhandled-exception filter that antiDebug() installs immediately
// before it writes through a null pointer. Records that the filter ran
// (DebugBit = 1), re-installs the filter from the Eax value of the faulting
// context (presumably the previous filter left there by
// SetUnhandledExceptionFilter — confirm), skips the faulting instruction
// (2 bytes on x86, 4 on x64) and resumes.
// NOTE(review): `ContextRecord->Eax` is outside the #ifdef; the x64 CONTEXT has
// Rax, not Eax, so the _M_X64 build likely does not compile here — verify.
// The fixed increment assumes a particular instruction length at the fault site.
LONG WINAPI suefDebugCheck( struct _EXCEPTION_POINTERS *excInfo ) {
    DebugBit = 1;
    SetUnhandledExceptionFilter( ( LPTOP_LEVEL_EXCEPTION_FILTER ) excInfo->ContextRecord->Eax );
    #ifdef _M_IX86
        excInfo->ContextRecord->Eip += 2;
    #elif _M_X64
        excInfo->ContextRecord->Rip += 4;
    #endif
    return( EXCEPTION_CONTINUE_EXECUTION );
}

// Runs the sequence of debugger checks below; each positive result calls
// pseudoExit() with a distinct exit code so the code identifies which check
// fired. Side effects that outlive the call: installs suefDebugCheck as the
// unhandled-exception filter, registers vehCheck as a vectored handler (handle
// kept in vehPtr), and updates DebugBit / DebugBreakBit / countExceptions.
// Called once, from WinMain().
// NOTE(review): several checks depend on undocumented structure offsets, on
// the compiler's exception model, and on instruction lengths at fault sites;
// see the per-check notes.
void __inline antiDebug( void )
{
    DWORD beginTime = GetTickCount( );
    OSVERSIONINFO osvi;
    osvi.dwOSVersionInfoSize = sizeof( OSVERSIONINFO );
    GetVersionEx( &osvi );   // return value unchecked; dwMajorVersion is read below

    // Check 1: install the filter, then fault on purpose by writing through a
    // null pointer. If the filter runs it sets DebugBit = 1 and skips the
    // store; if DebugBit is still 0 afterwards, something else consumed the
    // fault.
    // NOTE(review): a store through a null pointer is undefined behaviour —
    // an optimizing compiler may remove or move it — and the fixed Eip/Rip
    // increment in the filter assumes a particular encoding of this store;
    // confirm on each toolchain/optimization level.
    SetUnhandledExceptionFilter( suefDebugCheck );
    DWORD_PTR *forceError = 0x00000000;
    *forceError = 0;
    if( DebugBit == 0 )
        pseudoExit( 0x99673135 );

    vehPtr = AddVectoredExceptionHandler( 1, ( PVECTORED_EXCEPTION_HANDLER ) vehCheck );

    // Checks 2-3: compare the pointer returned by GetHeapFlags() against two
    // thresholds (the lower one only on NT 6+). See the NOTE on GetHeapFlags()
    // about what that function actually reads.
    if( osvi.dwMajorVersion >= 6 )
    {
        if( GetHeapFlags( ) > ( void * ) 0x00800000 )
            pseudoExit( 0xFFFF0000 );
    }

    if( GetHeapFlags( ) > ( void * ) 0x10000000 )
        pseudoExit( 0xFFFFFFFE );

    // Check 4: leading PEB word exactly 0x00010000 — see GetBeingDebugged().
    if( GetBeingDebugged( ) == ( void * ) 0x00010000 )
        pseudoExit( 0x04012AD0 );

    // Check 5: expects NtGlobalFlag == 0x70; GetNtGlobalFlags() returns a
    // pointer rather than the flag word, see its NOTE.
    if( GetNtGlobalFlags( ) == ( void * ) 0x00000070 )
        pseudoExit( 0x0F6E1A44 );

    // Check 6: documented API.
    if( IsDebuggerPresent( ) != 0 )
        pseudoExit( 0x21473361  );

    // Check 7: documented API; its BOOL result is written straight into the
    // global DebugBit.
    CheckRemoteDebuggerPresent( GetCurrentProcess( ), ( PBOOL ) &DebugBit );
    if( DebugBit != 0 )
        pseudoExit( 0xC0000005 );

    // x86 only: PUSH SS / POP SS followed by two register writes. No variable
    // is set from the result, so nothing later in this function depends on it.
    #ifdef _M_IX86
        __asm
        {
            PUSH SS
            POP SS
            MOV EAX, 0
            XOR EDX, EDX
        }
    #endif

    // Windows NT 5.X or earlier features
    // Check 8: on NT 5.x, pre-set the last-error code, call OutputDebugString
    // and exit if the code survived. On NT 6+ the call is wrapped in a C++ try
    // block instead and a caught exception sets DebugBit (acted on later, in
    // WinMain()).
    // NOTE(review): catch(...) is a C++ handler; whether it observes the
    // structured exception this call can raise depends on the compiler's
    // exception model — confirm.
    if( osvi.dwMajorVersion < 6 )
    {
        SetLastError( 0xC0000005 );
        OutputDebugString( "%s%s" );
        if( GetLastError( ) == 0xC0000005 )
            pseudoExit( 0x5148234F );
    }
    else
    {
        try {
            OutputDebugString( "%s%s" );
        }
        catch( ... )
        {
            DebugBit = TRUE;
        }
    }

    // Verifies if SeDebugPrivilege is given
    // Check 9: opening the CSRSS process with full access is taken to mean the
    // process holds SeDebugPrivilege.
    // NOTE(review): the GetProcAddress() result is not NULL-checked (a missing
    // export crashes here), the HANDLE returned by OpenProcess() is never
    // closed, and `HANDLE > 0` is a relational comparison between a pointer and
    // an integer — verify it compiles and means what is intended.
    typedef DWORD_PTR ( NTAPI *CGPID )( );
    CGPID CsrGetProcessId = ( CGPID ) GetProcAddress( GetModuleHandle( "ntdll.dll" ), "CsrGetProcessId" );
    if( OpenProcess( PROCESS_ALL_ACCESS, FALSE, CsrGetProcessId( ) ) > 0 )
        pseudoExit( 0xFF41ECAB );
    // End experimental trick

    // x86 only, check 10: emit the bytes F3 64 F1 and expect an exception; if
    // one is caught DebugBit is cleared, and a DebugBit still TRUE (e.g. from
    // check 8) exits. Same C++-vs-structured-exception caveat as check 8.
    #ifdef _M_IX86
        try {
            __asm {
                __emit 0xF3;
                __emit 0x64;
                __emit 0xF1;
            };
        }
        catch ( ... ) {
            DebugBit = FALSE;
        }
        if( DebugBit == TRUE )
            pseudoExit( 0xAAAAAAAC );
    #endif

    // Check 11: any hardware breakpoint register in use on this thread.
    if( GetDebugRegisters( ) > 0 )
        pseudoExit( 0x29342180 );

    // Requires admin access
    // Sets thread-information class 0x11 on the handle from GetCurrentProcess().
    // NOTE(review): the GetProcAddress() result and the returned NTSTATUS are
    // unchecked, so a failure here is silent.
    typedef NTSTATUS ( NTAPI *NSIT )( HANDLE, UINT, PVOID, ULONG );
    NSIT NtSetInformationThread = ( NSIT )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtSetInformationThread" );
    NtSetInformationThread( GetCurrentProcess( ), 0x11, 0, 0 );
    // End required admin access

    // Check 12: close the pseudo-handle -1; a caught exception exits.
    // Same C++-vs-structured-exception caveat as check 8.
    try {
        CloseHandle( ( HANDLE ) -1 );
    }
    catch( ... ) {
        pseudoExit( 0x00000006 );
    }

    // Check 13: raise two breakpoints with DebugBreakBit set so vehCheck()
    // resumes execution and counts them (WinMain() later requires the count
    // to be exactly 3, together with the fault from check 1). vehCheck()
    // advances Eip/Rip by a fixed amount for each of them.
    DebugBreakBit = 1;
    __debugbreak();
    DebugBreak( );

    // Check 14: coarse timing — the work above is expected to consume at least
    // one GetTickCount() tick. NOTE(review): on a fast machine this can be
    // false without any debugger attached — verify.
    if( GetTickCount( ) == beginTime )
        pseudoExit( 0xD000BE05 );

    // Checks 15-16: NtQueryInformationProcess classes 0x7 and 0x1E, answered
    // into a 4-byte int.
    // NOTE(review): the GetProcAddress() result and both NTSTATUS values are
    // unchecked, so a rejected query leaves returnValue at 0 and the check
    // passes silently; confirm the 4-byte length against what these classes
    // return on each target architecture.
    typedef NTSTATUS ( WINAPI *NQIP )( HANDLE, LONG, PVOID, ULONG, PULONG );
    NQIP NtQueryInformationProcess = ( NQIP )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtQueryInformationProcess" );
    int returnValue = 0;
    NtQueryInformationProcess( GetCurrentProcess( ), 0x7, &returnValue, 4, 0 );
    if( returnValue != 0 )
        pseudoExit( 0xCCCCCCCC );

    NtQueryInformationProcess( GetCurrentProcess( ), 0x1E, &returnValue, 4, 0 );
    if( returnValue != 0 )
        pseudoExit( 0xEFEFEFEF );

}

// Unregisters the vectored handler installed by antiDebug() and requires that
// it ran exactly three times; any deviation, or an exception during the
// unregister, ends the process through pseudoExit().
// NOTE(review): catch(...) is a C++ handler; whether it observes structured
// exceptions raised inside the try block depends on the compiler's exception
// model — confirm.
static void finishAntiDebug( void )
{
    try
    {
        RemoveVectoredExceptionHandler( vehPtr );
        if( countExceptions != 3 )
            pseudoExit( 0x21522153 );
    }
    catch( ... )
    {
        pseudoExit( 0x55235151 );
    }
}

// Program entry: runs the anti-debug sequence, aborts if any check left
// DebugBit set, then reports success. hInstance, hPrevInstance, lpCmdLine and
// nShowCmd are unused.
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
    // Begin anti-debug..
    antiDebug( );
    if( DebugBit == 1 )
        pseudoExit( 0xFFFFFFFF );
    finishAntiDebug( );
    // End anti-debug

    MessageBox( 0, "Debugger not found.", "Success?", MB_OK );
    return EXIT_SUCCESS;
}