Title: Anti Debug
Eng:

کد:
Description: Basically, this piece of code protects your program from being debugged... it is also an interesting example of how to use threads in VB (without crashing it).


Persian :
با این ماژول و تابع می‌توانید برای حفظ امنیت و آنتی‌دیباگ استفاده کنید.

در سورس زیر نحوه فراخوانی تابع مثال زده شده است.


Please add a Module:

Code :

کد:
Option Explicit

'VirtualAlloc allocation-type flags (flAllocationType). Only MEM_COMMIT is
'used in this module; the others are kept for completeness.
Public Const MEM_DECOMMIT = &H4000
Public Const MEM_RELEASE = &H8000
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_RESET = &H80000
Public Const MEM_TOP_DOWN = &H100000
'VirtualAlloc page-protection flags (flProtect). Only PAGE_EXECUTE_READWRITE
'is used here; it is what makes the copied opcodes executable.
Public Const PAGE_READONLY = &H2
Public Const PAGE_READWRITE = &H4
Public Const PAGE_EXECUTE = &H10
Public Const PAGE_EXECUTE_READ = &H20
Public Const PAGE_EXECUTE_READWRITE = &H40
Public Const PAGE_GUARD = &H100
Public Const PAGE_NOACCESS = &H1
Public Const PAGE_NOCACHE = &H200
'Win32 imports. Every handle, address and size is declared As Long because this
'is 32-bit VB6 code; under 64-bit VBA7 these would need PtrSafe / LongPtr.
Public Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
'LoadLibraryA (ANSI entry point) matches VB's default String marshalling.
Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
'RtlMoveMemory: pDst/pSrc are "As Any" so the caller can pass raw addresses ByVal.
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
'lpStartAddress is declared ByRef here; the caller passes it ByVal so the code
'address itself reaches the OS. The return value is the thread handle; the
'thread id is written back through lpThreadId.
Public Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
'Install a watchdog thread that periodically asks the OS whether this process
'is being debugged and terminates the process if it is.
'
'How it works (everything is visible below):
'  1. Resolve IsDebuggerPresent, GetCurrentProcess, TerminateProcess and Sleep
'     from kernel32 at run time with GetProcAddress.
'  2. Assemble the x86 opcodes from the listing as a hex string, patching the
'     four resolved addresses in (little-endian, via AlignDWORD).
'  3. Decode the string to bytes, VirtualAlloc a PAGE_EXECUTE_READWRITE block,
'     copy the bytes in, and start a thread at that address.
'The thread never returns: after each check it sleeps 0x2710 ms (10 s) and
'jumps back to the start (the "EBD6" short jump).
'
'Returns the id of the new thread (as written by CreateThread through its
'lpThreadId argument), or 0 if kernel32 could not be loaded, the allocation
'failed, or CreateThread left ThreadID untouched.
'
'Review notes:
' - The thread HANDLE returned by CreateThread is discarded and never closed;
'   only the thread id is kept. The VirtualAlloc block is likewise never
'   released. Both live until the process exits.
' - The thread executes only the raw opcodes and touches no VB runtime state;
'   presumably that is what keeps it from crashing the VB6 runtime - TODO
'   confirm. Do not route VB calls through it.
' - The absolute addresses in the listing (7C57F5B1 etc.) are from the author's
'   machine and are comments only; the real ones come from GetProcAddress.
' - Defensive note: VirtualAlloc(PAGE_EXECUTE_READWRITE) followed by a copy and
'   CreateThread on that address is a pattern endpoint monitoring commonly
'   flags as self-injected code, so expect a binary built with this to be
'   flagged, and treat a single IsDebuggerPresent check as a deterrent rather
'   than a guarantee.
Function InstallAntiDebugger() As Long
Dim ThreadID As Long
Dim ThreadEntryPoint As Long
Dim ThreadCode As String
Dim ThreadCodeByte() As Byte
Dim ModuleHandle As Long
Dim ProcIDPAddr As Long
Dim ProcGCPAddr As Long
Dim ProcTPAddr As Long
Dim ProcSPAddr As Long

'This is the assembler code that checks whether your application is being debugged
'----------------------------------------------------------------------------
'00401FBC      BF B1F5577C   MOV EDI,KERNEL32.IsDebuggerPresent
'00401FC1      FFD7          CALL EDI
'00401FC3      83F8 01       CMP EAX,1
'00401FC6      75 0F         JNZ SHORT 00401FD7                      ;not debugged -> skip to the Sleep
'00401FC8      BF 2579597C   MOV EDI,KERNEL32.GetCurrentProcess
'00401FCD      FFD7          CALL EDI
'00401FCF      50            PUSH EAX
'00401FD0      BF 6D6A597C   MOV EDI,KERNEL32.TerminateProcess
'00401FD5      FFD7          CALL EDI
'00401FD7      BF 91A2597C   MOV EDI,KERNEL32.Sleep
'00401FDC      B8 10270000   MOV EAX,2710                           ;Sleep 10 seconds before check the debugger again
'00401FE1      50            PUSH EAX
'00401FE2      FFD7          CALL EDI
'00401FE4    ^ EB D6         JMP SHORT 00401FBC                     ;loop forever
'The two relative jumps (75 0F and EB D6) depend on the exact byte count of
'the sequence below; do not reorder or resize any piece of ThreadCode.

'Get the module handle for kernel32.dll
ModuleHandle = LoadLibrary("Kernel32.dll")
If ModuleHandle = 0 Then
    InstallAntiDebugger = 0
Else
    'Get the function addresses (each one is 0 if the export is missing;
    'nothing below checks for that)
    ProcIDPAddr = GetProcAddress(ModuleHandle, "IsDebuggerPresent")
    ProcGCPAddr = GetProcAddress(ModuleHandle, "GetCurrentProcess")
    ProcTPAddr = GetProcAddress(ModuleHandle, "TerminateProcess")
    ProcSPAddr = GetProcAddress(ModuleHandle, "Sleep")
    
    'Build the assembler code (opcodes) as one hex string; AlignDWORD emits
    'each address as four little-endian bytes, as the MOV EDI,imm32 expects
    ThreadCode = "BF" & AlignDWORD(ProcIDPAddr) & _
                 "FFD7" & _
                 "83F801" & _
                 "750F" & _
                 "BF" & AlignDWORD(ProcGCPAddr) & _
                 "FFD7" & _
                 "50" & _
                 "BF" & AlignDWORD(ProcTPAddr) & _
                 "FFD7" & _
                 "BF" & AlignDWORD(ProcSPAddr) & _
                 "B810270000" & _
                 "50" & _
                 "FFD7" & _
                 "EBD6"
    'Transform the string into a byte array
    ConvHEX2ByteArray ThreadCode, ThreadCodeByte
    
    'Allocate executable virtual memory for the code; the size is whatever
    'array length ConvHEX2ByteArray produced (LBound..UBound inclusive)
    ThreadEntryPoint = VirtualAlloc(0, UBound(ThreadCodeByte) - LBound(ThreadCodeByte) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    If ThreadEntryPoint <> 0 Then
        'Copy the opcodes from our array into the newly allocated virtual memory
        CopyMemory ByVal ThreadEntryPoint, ByVal VarPtr(ThreadCodeByte(LBound(ThreadCodeByte))), ByVal UBound(ThreadCodeByte) - LBound(ThreadCodeByte) + 1
        
        'Start the new thread with the allocated block as its entry point.
        'The returned thread handle is dropped; ThreadID is filled in ByRef.
        CreateThread ByVal 0&, ByVal 0&, ByVal ThreadEntryPoint, ByVal 0&, ByVal 0&, ThreadID
        
        'Return the thread id for later use in the main program (SuspendThread, ResumeThread, etc.).
        'If CreateThread failed, ThreadID is still 0 and the block above is leaked.
        InstallAntiDebugger = ThreadID
    Else
        InstallAntiDebugger = 0
    End If

End If
End Function


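'Decode a string of hex digit pairs (e.g. "BF01FF") into a 1-based Byte array.
'
'pStr  : hex text, exactly two characters per byte, no separators.
'pByte : receives one element per pair; LBound = 1, UBound = Len(pStr) \ 2.
'
'Raises error 5 (Invalid procedure call) if pStr is empty or has an odd
'length, and error 13 (Type mismatch, from CByte) if a pair is not hex, so a
'malformed string never yields a partially filled buffer.
'
'The previous version sized the array to Len(pStr) - twice the byte count -
'leaving the upper half zero-filled, and failed with error 9 on an empty string.
Sub ConvHEX2ByteArray(pStr As String, pByte() As Byte)
Dim n As Long
Dim j As Long

If Len(pStr) = 0 Or (Len(pStr) Mod 2) <> 0 Then
    Err.Raise 5, "ConvHEX2ByteArray", "Hex string must be non-empty with an even number of characters"
End If

n = Len(pStr) \ 2
ReDim pByte(1 To n)
For j = 1 To n
    'Pair j occupies characters 2j-1 and 2j of the string
    pByte(j) = CByte("&H" & Mid(pStr, 2 * j - 1, 2))
Next
End Sub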



'Render a 32-bit value as eight hex digits in little-endian byte order, i.e.
'the byte sequence an x86 imm32 operand uses (&H7C57F5B1 -> "B1F5577C").
'Negative values are rendered as their two's-complement bit pattern.
Function AlignDWORD(pParam As Long) As String
Dim bigEndianHex As String
Dim pos As Integer

'Hex$ of a Long gives at most eight digits (eight for negatives); left-pad so
'every byte position is fixed, then emit the pairs from the last to the first.
bigEndianHex = Right$("00000000" & Hex$(pParam), 8)
For pos = 7 To 1 Step -2
    AlignDWORD = AlignDWORD & Mid$(bigEndianHex, pos, 2)
Next pos
End Function

'Upper eight bits of a 16-bit value, as an unsigned Byte (0..255).
Public Function HiByte(ByVal wParam As Integer) As Byte
Dim wordHex As String

'Hex$ of an Integer is at most four digits (exactly four for negatives), so
'after left-padding to four the first pair is always the high byte.
wordHex = Right$("0000" & Hex$(wParam), 4)
HiByte = CByte("&H" & Left$(wordHex, 2))
End Function

'Upper 16 bits of a 32-bit value, as a signed Integer (bit 31 becomes the sign).
Function HiWord(DWord As Long) As Integer
'Int() floors, so negative inputs round toward -infinity exactly like masking
'off the low word and then dividing; the quotient always fits an Integer.
HiWord = Int(DWord / 65536#)
End Function

'Lower eight bits of a 16-bit value, as an unsigned Byte (0..255).
Public Function LoByte(ByVal wParam As Integer) As Byte
'The last two hex digits are the low byte regardless of sign.
LoByte = CByte("&H" & Right$("00" & Hex$(wParam), 2))
End Function

'Lower 16 bits of a 32-bit value, as a signed Integer: values &H8000..&HFFFF
'come back negative (sign-extended), so they fit the Integer range.
Function LoWord(DWord As Long) As Integer
Dim unsignedLow As Long

'Floor division keeps the remainder in 0..65535 even for negative inputs.
unsignedLow = DWord - Int(DWord / 65536#) * 65536
If unsignedLow > &H7FFF& Then
    unsignedLow = unsignedLow - &H10000
End If
LoWord = unsignedLow
End Function

Form :

کد:
'Install the anti-debug watchdog thread as soon as the form loads and report
'the outcome. To see the effect, compile this example and open the exe in a
'debugger: step through it before the thread is installed, then again after.
Private Sub Form_Load()
Dim ThreadID As Long

ThreadID = InstallAntiDebugger
If ThreadID = 0 Then
    MsgBox "Error!", vbCritical
Else
    MsgBox "Anti Debugger installed in the thread Thanx www.ParsiCoders.Com " & ThreadID, vbInformation
End If
End Sub