program Project1;
uses Windows, jwaNative, NcxNtTeb;
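{ Returns the part of FullName after its last backslash.
  FullName - a path using '\' as separator (no '/' handling, as before).
  Returns  - the final path component; the whole string when it contains no
             backslash; '' for an empty string or a string ending in '\'.
  Fixes: the original scanned with `for i := n downto 1 do ... break`, whose
  control variable is undefined after a loop that ends without a break (no
  backslash, or empty input), and it skipped a backslash in position 1 so
  '\file' came back unchanged. }
function ExtractFileName(FullName: String): String;
var
  idx, n: integer;
begin
  Result := FullName;
  n := Length(FullName);
  // Walk backwards to the last '\'; a while loop leaves idx well-defined
  // (0 when nothing was found) instead of relying on a for-loop counter.
  idx := n;
  while (idx >= 1) and (FullName[idx] <> '\') do
    Dec(idx);
  if idx >= 1 then
    Result := Copy(FullName, idx + 1, n - idx);
end;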
{ NT_SUCCESS equivalent: an NTSTATUS counts as success when its sign bit is
  clear (success/informational severities); warnings and errors are negative
  when viewed as a signed 32-bit value. }
function NtSuccess (Stat: LongInt): Boolean;
begin
  Result := not (Stat < 0);
end;
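{ Returns the file name of the memory section that contains Address in the
  process ph, as reported by NtQueryVirtualMemory with MemorySectionName,
  or '' when the query fails.
  ph      - process handle; THandle(-1) is used by the caller for the
            current process.
  Address - address inside the mapped section (DWord, so 32-bit only, like
            the rest of this program).
  Fixes: the 512-byte buffer is released via try/finally; when the path does
  not fit the query is retried once with the size the kernel reported; and
  the name is copied using the UNICODE_STRING Length field instead of reading
  Buffer as a NUL-terminated string (a UNICODE_STRING need not be NUL
  terminated, so the old read could run past the data). }
Function GetModuleFileNameByAddres(ph:THandle; Address : DWord):String;
var
  mSize, back: dword;
  mPtr: pointer;
  St: LongInt;
  sn: PMEMORY_SECTION_NAME;
  ws: WideString;
begin
  Result := '';
  back := 0;
  mSize := 512;
  mPtr := AllocMem(mSize);
  try
    St := NtQueryVirtualMemory(ph, Pointer(Address), MemorySectionName, mPtr, mSize, @back);
    // On a too-small buffer the call fails and `back` should hold the
    // required size (NOTE(review): confirm against the jwaNative header);
    // grow once and retry rather than silently returning ''.
    if (not NtSuccess(St)) and (back > mSize) then
    begin
      FreeMem(mPtr, mSize);
      mPtr := nil;
      mSize := back;
      mPtr := AllocMem(mSize);
      St := NtQueryVirtualMemory(ph, Pointer(Address), MemorySectionName, mPtr, mSize, @back);
    end;
    if NtSuccess(St) then
    begin
      sn := PMEMORY_SECTION_NAME(mPtr);
      // Length is in bytes; copy exactly that many characters.
      SetString(ws, sn^.SectionFileName.Buffer, sn^.SectionFileName.Length div SizeOf(WideChar));
      Result := ws;
    end;
  finally
    // Release the buffer on every path, including an exception from the query.
    if mPtr <> nil then
      FreeMem(mPtr, mSize);
  end;
end;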
{ Returns the current process's PEB pointer by reading the TEB field at
  fs:[30h] (TEB.ProcessEnvironmentBlock on 32-bit Windows). x86 only: this
  program is 32-bit throughout (DWord addresses, the *32 PEB/LDR types used
  in CheckEmulator), and this routine is not valid for an x64 build.
  NOTE(review): `large` and `retn` are disassembler-style spellings; Delphi
  BASM normally writes `mov eax, fs:[$30]` and `ret` — confirm this assembles
  with the compiler being used. }
function GetPEB(): Pointer;
asm
mov eax, large fs:30h   // eax carries the Pointer result
retn
end;
{ Compares two sources of the main module's file name and returns True when
  they agree:
    name1 - the kernel's section name for the image at the first loader
            entry's DllBase (NtQueryVirtualMemory / MemorySectionName);
    name2 - FullDllName from that same PEB loader entry.
  Only the final path component is compared, since the section name and
  FullDllName are not expected to use the same path form.
  The name is inverted relative to the result: True means the names match
  and the program treats that as a normal environment; False (including the
  case where the section query fails and name1 is '') is what the entry
  point reacts to.
  Review notes: no nil checks on pb, Ldr or Flink, so an unset Ldr or an
  empty module list dereferences nil; the comparison is case-sensitive;
  it assumes the first in-load-order entry is the main executable
  (presumably the loader's order, but not verified here). The only system
  call made is the MemorySectionName query on the process's own image base. }
Function CheckEmulator:Boolean;
var
pb: PPeb32;
ldrdata: PPebLdrData32;
ldrEntry: PLdrDataTableEntry32;
name1, name2: String;
begin
//get peb (32-bit only, see GetPEB)
pb := GetPEB;
//get ldr
ldrdata := pb^.Ldr;
//get first ldr entry: Flink points at the entry's InLoadOrderLinks, so the
//cast is only valid if NcxNtTeb declares that as the first field — verify
ldrEntry := ldrdata^.InLoadOrderModuleList.Flink;
//get section filename for the image base; '' if the query fails
name1 := ExtractFileName(GetModuleFileNameByAddres(thandle(-1), DWORD(ldrEntry^.DllBase)));
//get PEB Image filename (reads Buffer as a NUL-terminated wide string;
//assumes the loader's FullDllName is terminated — not guaranteed by the type)
name2 := ExtractFileName(PWideChar(ldrEntry.FullDllName.Buffer));
//Compare (case-sensitive)
result := name1=name2;
end;
{ Entry point: show an empty message box (no text, no caption) only when the
  loader-name consistency check reports a mismatch. }
begin
if CheckEmulator = False then
  MessageBox(0, nil, nil, MB_OK);
end.