Title: C++ Anti-Debug Library: x64-compatible!
#include <windows.h>
#include <intrin.h>

// Process-wide state shared between antiDebug(), WinMain() and the two
// exception handlers below. All of it is written from exception-handler
// context, so keep the set of writers small and obvious.
int DebugBit = 0;          // 1 once suefDebugCheck() has run; CheckRemoteDebuggerPresent() also writes it (as a BOOL)
int countExceptions = 0;   // incremented once per exception that reaches vehCheck(); WinMain() expects exactly 3
int DebugBreakBit = 0;     // set to 1 right before the deliberate breakpoints; vehCheck() resumes execution only then
HANDLE vehPtr;             // token from AddVectoredExceptionHandler(); removed again in WinMain()

// Reads the first machine word of the current process' PEB (pointer taken
// from fs:[0x30] on x86, gs:[0x60] on x64) and returns it cast to a pointer.
// The caller in antiDebug() compares the result with 0x00010000, i.e. it
// expects the PEB's BeingDebugged byte (offset 2) to show up in that word.
// NOTE(review): that comparison only holds while the other bytes of the
// same word are zero; on x64 the read covers 8 bytes, so any non-zero
// neighbour makes the check silently miss — confirm on target OS builds.
// NOTE(review): if neither _M_IX86 nor _M_X64 is defined, BeingDebuggedBit
// is never assigned and the dereference below is undefined behaviour.
DWORD_PTR *GetBeingDebugged( )
{
    DWORD_PTR *BeingDebuggedBit;
    #ifdef _M_IX86
        // 32-bit: TEB offset 0x30 holds the PEB pointer
        BeingDebuggedBit = ( DWORD_PTR * ) __readfsdword( 0x30 );
    #elif _M_X64
        // 64-bit: TEB offset 0x60 holds the PEB pointer
        BeingDebuggedBit = ( DWORD_PTR * ) __readgsqword( 0x60 );
    #endif
    // Dereferences the PEB base, not a field inside it (see note above).
    return( ( DWORD_PTR * ) *BeingDebuggedBit );
}

// Intended to return the PEB NtGlobalFlag value; antiDebug() compares the
// result with 0x70 (the three heap-debugging FLG_* bits a debugger-created
// process usually carries).
// NOTE(review): `( DWORD_PTR * ) ... + 0x68` is pointer arithmetic, so the
// offset is scaled by sizeof( DWORD_PTR ) rather than being 0x68 bytes;
// the value at that address is then dereferenced and offset again the
// same way, and an *address* is returned instead of the flag word. As
// written the == 0x70 comparison in the caller cannot be expected to match.
// NOTE(review): with neither _M_IX86 nor _M_X64 defined, NtGlobalFlags is
// returned uninitialised.
DWORD_PTR *GetNtGlobalFlags( )
{
    DWORD_PTR *NtGlobalFlags;

    #ifdef _M_IX86
        // PEB pointer from the TEB, then an element-scaled offset (see note)
        DWORD_PTR *PEB = ( DWORD_PTR * ) __readfsdword( 0x30 ) + 0x68;
        NtGlobalFlags = ( DWORD_PTR * ) *PEB + 0x68;
    #elif _M_X64
        DWORD_PTR *PEB = ( DWORD_PTR * ) __readgsqword( 0x60 ) + 0xD0;
        NtGlobalFlags = ( DWORD_PTR * ) *PEB + 0xD0;
    #endif
    return( ( DWORD_PTR * ) NtGlobalFlags );
}

// Intended to walk PEB -> ProcessHeap -> heap Flags/ForceFlags; antiDebug()
// compares the result against 0x00800000 (Vista+) and 0x10000000.
// NOTE(review): `&HeapFlags` is the address of the local variable itself,
// not of the PEB that was just stored in it, so the two dereferences read
// this function's own stack frame rather than PEB/heap memory. The value
// returned is therefore unrelated to any heap flag, and the caller's
// comparisons are effectively checking stack contents.
// NOTE(review): HeapFlags is declared `DWORD *` but every assignment casts
// to `DWORD_PTR *`; on x64 the two types differ in width.
DWORD_PTR *GetHeapFlags( )
{
    DWORD *HeapFlags;
    #ifdef _M_IX86
        HeapFlags = ( DWORD_PTR * ) __readfsdword( 0x30 );
        // reads from the stack slot of HeapFlags, not from the PEB (see note)
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x18 );
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x10 );
    #elif _M_X64
        HeapFlags = ( DWORD_PTR * ) __readgsqword( 0x60 );
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x30 );
        HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x20 );
    #endif
    return ( ( DWORD_PTR * ) HeapFlags );
}

// Vectored exception handler registered by antiDebug(). Counts every
// exception it sees in countExceptions, advances the instruction pointer
// past the faulting instruction and resumes execution only once
// DebugBreakBit has been set; before that it declines the exception.
// NOTE(review): the filter installed here is whatever EAX held at the
// fault, reinterpreted as a function pointer. For most faults that is
// register garbage, and any later unhandled exception would jump to it.
// NOTE(review): the x64 CONTEXT has no Eax member (the register is Rax),
// so this line does not compile for the _M_X64 build as written.
// NOTE(review): a fixed +2 / +4 assumes one particular faulting
// instruction length; the int3 from __debugbreak() is 1 byte and the null
// store in antiDebug() is longer, so resuming may land mid-instruction —
// confirm against the generated code.
// NOTE(review): EXCEPTION_EXECUTE_HANDLER is not one of the two documented
// return values for a vectored handler (CONTINUE_EXECUTION / CONTINUE_SEARCH);
// it is presumably treated as "continue search" — confirm intent.
LONG WINAPI vehCheck( PEXCEPTION_POINTERS pExecpPointers )
{
    SetUnhandledExceptionFilter( ( LPTOP_LEVEL_EXCEPTION_FILTER ) pExecpPointers->ContextRecord->Eax );
    #ifdef _M_IX86
        pExecpPointers->ContextRecord->Eip += 2;
    #elif _M_X64
        pExecpPointers->ContextRecord->Rip += 4;
    #endif
    countExceptions++;
    // Only the deliberate breakpoints at the end of antiDebug() are resumed.
    if( DebugBreakBit == 1 )
        return( EXCEPTION_CONTINUE_EXECUTION );
    else
        return( EXCEPTION_EXECUTE_HANDLER );
}

// Terminates the process with exitCode after showing a blocking message box.
// Order matters: input is blocked first so the box cannot be dismissed by
// injected input, then the box is shown, then ExitProcess() ends the process.
// Never returns. The BlockInput() result is not checked, so on a failure
// (e.g. insufficient rights) the box is simply shown unblocked.
void pseudoExit( int exitCode )
{
    BlockInput( TRUE );
    MessageBox( 0, "Please close all active debuggers, and relaunch the application.", "Fatal Error", MB_OK );
    ExitProcess( exitCode );
}

// Returns how many of the hardware breakpoint address registers DR0..DR3
// of the current thread are non-zero. If the thread context cannot be
// read the process is ended via pseudoExit(); the count is then not
// meaningful (pseudoExit() does not return).
unsigned int GetDebugRegisters( )
{
    CONTEXT threadCtx;
    ZeroMemory( &threadCtx, sizeof( threadCtx ) );
    // Ask only for the debug-register part of the context.
    threadCtx.ContextFlags = CONTEXT_DEBUG_REGISTERS;

    if( GetThreadContext( GetCurrentThread( ), &threadCtx ) == 0 )
        pseudoExit( 0x789DABCF );

    // Each comparison contributes 0 or 1 to the total.
    unsigned int armed = 0;
    armed += ( threadCtx.Dr0 != 0 );
    armed += ( threadCtx.Dr1 != 0 );
    armed += ( threadCtx.Dr2 != 0 );
    armed += ( threadCtx.Dr3 != 0 );

    return( armed );
}

// Top-level (unhandled) exception filter installed by antiDebug() just
// before it writes through a null pointer. Reaching this filter means no
// debugger swallowed that fault, so DebugBit is set to 1 as the "filter
// ran" marker; the faulting instruction is skipped and execution resumes.
// NOTE(review): as in vehCheck(), the new filter is taken from the EAX
// register value at the fault, which is not a meaningful function pointer,
// and ContextRecord->Eax does not exist on x64 (Rax) — the _M_X64 build
// will not compile this line.
// NOTE(review): the +2 / +4 skip assumes a particular encoding of the
// null store in antiDebug(); a `mov dword ptr [0], 0` is longer than 2
// bytes on x86 — confirm against the generated code.
LONG WINAPI suefDebugCheck( struct _EXCEPTION_POINTERS *excInfo ) {
    DebugBit = 1;
    SetUnhandledExceptionFilter( ( LPTOP_LEVEL_EXCEPTION_FILTER ) excInfo->ContextRecord->Eax );
    #ifdef _M_IX86
        excInfo->ContextRecord->Eip += 2;
    #elif _M_X64
        excInfo->ContextRecord->Rip += 4;
    #endif
    return( EXCEPTION_CONTINUE_EXECUTION );
}

// Runs the full battery of debugger checks in sequence; every positive
// result ends the process through pseudoExit() with its own exit code.
// Side effects that outlive the call: suefDebugCheck is installed as the
// unhandled-exception filter, vehCheck is registered as a vectored handler
// (token kept in vehPtr for WinMain() to remove), and DebugBit,
// DebugBreakBit and countExceptions are left set for WinMain() to inspect.
// NOTE(review): several checks rely on C++ `try { } catch( ... )` to trap
// hardware faults. That only works when the compiler maps SEH onto C++
// exceptions (MSVC /EHa); with /EHsc the fault is not caught and the
// process dies with the fault instead of the intended exit code.
// NOTE(review): none of the GetProcAddress() results below are null-checked;
// a missing export turns the following call into a jump through NULL.
void __inline antiDebug( void )
{
    // Timestamp for the elapsed-time check near the end of the function.
    DWORD beginTime = GetTickCount( );
    OSVERSIONINFO osvi;
    osvi.dwOSVersionInfoSize = sizeof( OSVERSIONINFO );
    // Return value unchecked; only dwMajorVersion is used, to pick the
    // NT 5.x vs. NT 6+ variants below. (GetVersionEx is deprecated and may
    // report an older version on newer Windows unless the binary is manifested.)
    GetVersionEx( &osvi );

    // Deliberate fault with suefDebugCheck as the last-chance filter: if a
    // debugger is attached it sees the fault first and the filter never
    // runs, so DebugBit stays 0 and the process exits. Note the inverted
    // meaning here: DebugBit == 1 means "no debugger" at this point.
    // NOTE(review): writing through a null pointer is undefined behaviour;
    // an optimising compiler may delete the store or replace it with a
    // trap instruction, which would break the +2/+4 skip in the filter.
    SetUnhandledExceptionFilter( suefDebugCheck );
    DWORD_PTR *forceError = 0x00000000;
    *forceError = 0;
    if( DebugBit == 0 )
        pseudoExit( 0x99673135 );

    // Vectored handler goes first in the chain (first argument = 1); it
    // counts every later exception.
    vehPtr = AddVectoredExceptionHandler( 1, ( PVECTORED_EXCEPTION_HANDLER ) vehCheck );

    // Heap-flag thresholds; see the note on GetHeapFlags() — as written the
    // value compared here does not come from the heap structures.
    if( osvi.dwMajorVersion >= 6 )
    {
        if( GetHeapFlags( ) > ( void * ) 0x00800000 )
            pseudoExit( 0xFFFF0000 );
    }

    if( GetHeapFlags( ) > ( void * ) 0x10000000 )
        pseudoExit( 0xFFFFFFFE );

    // First PEB word with BeingDebugged (byte 2) set — see GetBeingDebugged().
    if( GetBeingDebugged( ) == ( void * ) 0x00010000 )
        pseudoExit( 0x04012AD0 );

    // 0x70 = FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
    // FLG_HEAP_VALIDATE_PARAMETERS — see the note on GetNtGlobalFlags().
    if( GetNtGlobalFlags( ) == ( void * ) 0x00000070 )
        pseudoExit( 0x0F6E1A44 );

    if( IsDebuggerPresent( ) != 0 )
        pseudoExit( 0x21473361  );

    // Writes DebugBit as a BOOL (int), so it also resets the marker set by
    // suefDebugCheck above when no debugger is found. Return value unchecked.
    CheckRemoteDebuggerPresent( GetCurrentProcess( ), ( PBOOL ) &DebugBit );
    if( DebugBit != 0 )
        pseudoExit( 0xC0000005 );

    // x86-only inline assembly. Nothing inspects its effect afterwards, so
    // as written it has no observable result — presumably a placeholder;
    // confirm intent.
    #ifdef _M_IX86
        __asm
        {
            PUSH SS
            POP SS
            MOV EAX, 0
            XOR EDX, EDX
        }
    #endif

    // Windows NT 5.X or earlier features
    // "%s%s" is passed as the message text, not as a format string —
    // OutputDebugString does no formatting, so this is not a format-string
    // hazard; the last-error probe is the actual check on NT 5.x.
    if( osvi.dwMajorVersion < 6 )
    {
        SetLastError( 0xC0000005 );
        OutputDebugString( "%s%s" );
        if( GetLastError( ) == 0xC0000005 )
            pseudoExit( 0x5148234F );
    }
    else
    {
        // On NT 6+ only an exception out of OutputDebugString counts; the
        // DebugBit set here is examined further down (x86 path) and in WinMain().
        try {
            OutputDebugString( "%s%s" );
        }
        catch( ... )
        {
            DebugBit = TRUE;
        }
    }

    // Verifies if SeDebugPrivilege is given
    // Opening csrss with full access is expected to fail for a normal
    // process; success is treated as a sign that the process runs with
    // debug privileges. The HANDLE is compared as an integer (`> 0`) and
    // never closed, but pseudoExit() ends the process on success anyway.
    typedef DWORD_PTR ( NTAPI *CGPID )( );
    CGPID CsrGetProcessId = ( CGPID ) GetProcAddress( GetModuleHandle( "ntdll.dll" ), "CsrGetProcessId" );
    if( OpenProcess( PROCESS_ALL_ACCESS, FALSE, CsrGetProcessId( ) ) > 0 )
        pseudoExit( 0xFF41ECAB );
    // End experimental trick

    // x86 only: emits a prefixed ICEBP (0xF1). Without a debugger it raises
    // an exception that the catch clears DebugBit on; with a debugger the
    // exception is consumed and DebugBit keeps its previous value.
    // NOTE(review): this whole block is compiled out on x64, so the x64
    // build performs neither the trap nor the DebugBit == TRUE check.
    #ifdef _M_IX86
        try {
            __asm {
                __emit 0xF3;
                __emit 0x64;
                __emit 0xF1;
            };
        }
        catch ( ... ) {
            DebugBit = FALSE;
        }
        if( DebugBit == TRUE )
            pseudoExit( 0xAAAAAAAC );
    #endif

    // Any hardware breakpoint address register set on this thread.
    if( GetDebugRegisters( ) > 0 )
        pseudoExit( 0x29342180 );

    // Requires admin access
    // 0x11 is ThreadHideFromDebugger. NOTE(review): the first argument is
    // a *thread* handle, but GetCurrentProcess() (a process pseudo-handle)
    // is passed, so the call is expected to fail with a type mismatch; the
    // NTSTATUS is not checked, so the failure is silent. The "admin" remark
    // is the author's; this information class does not normally need
    // elevation — confirm.
    typedef NTSTATUS ( NTAPI *NSIT )( HANDLE, UINT, PVOID, ULONG );
    NSIT NtSetInformationThread = ( NSIT )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtSetInformationThread" );
    NtSetInformationThread( GetCurrentProcess( ), 0x11, 0, 0 );
    // End required admin access

    // Intended to trip the "invalid handle" exception a debugger raises on
    // CloseHandle of a bad handle. NOTE(review): (HANDLE)-1 is the
    // current-process pseudo-handle, i.e. a *valid* handle, so no exception
    // is expected here and this check presumably never fires — confirm.
    try {
        CloseHandle( ( HANDLE ) -1 );
    }
    catch( ... ) {
        pseudoExit( 0x00000006 );
    }

    // From here on vehCheck() resumes execution after each breakpoint and
    // counts it; WinMain() later expects the total to be exactly 3.
    DebugBreakBit = 1;
    __debugbreak();
    DebugBreak( );

    // Exits if *no* tick elapsed since entry. NOTE(review): this is the
    // opposite of the usual "too slow under a debugger" check, and with the
    // coarse GetTickCount() granularity a fast undebugged run can also hit
    // it — confirm intent.
    if( GetTickCount( ) == beginTime )
        pseudoExit( 0xD000BE05 );

    // 0x7 = ProcessDebugPort, 0x1E = ProcessDebugObjectHandle. Both are
    // queried into a 4-byte int and neither NTSTATUS is checked.
    // NOTE(review): on x64 these classes return pointer-sized values, so a
    // 4-byte buffer is presumably rejected with a length mismatch and
    // returnValue stays 0 — i.e. the checks silently pass on x64. Confirm.
    typedef NTSTATUS ( WINAPI *NQIP )( HANDLE, LONG, PVOID, ULONG, PULONG );
    NQIP NtQueryInformationProcess = ( NQIP )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtQueryInformationProcess" );
    int returnValue = 0;
    NtQueryInformationProcess( GetCurrentProcess( ), 0x7, &returnValue, 4, 0 );
    if( returnValue != 0 )
        pseudoExit( 0xCCCCCCCC );

    NtQueryInformationProcess( GetCurrentProcess( ), 0x1E, &returnValue, 4, 0 );
    if( returnValue != 0 )
        pseudoExit( 0xEFEFEFEF );

}

// Entry point: runs antiDebug(), then validates the state it left behind
// (DebugBit and the vectored-handler exception count) before showing the
// success box. Any mismatch ends the process through pseudoExit().
// NOTE(review): the expected count of 3 matches the x86 path (the ICEBP
// trap plus __debugbreak() and DebugBreak()); on x64 the ICEBP block is
// compiled out, so only 2 exceptions are expected to reach vehCheck() and
// this check would end an undebugged x64 run as well — confirm.
// NOTE(review): RemoveVectoredExceptionHandler() reports failure through
// its return value (0), not by throwing, so the catch clause below is not
// expected to trigger and the result should be checked directly instead.
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
    // Begin anti-debug..
    antiDebug( );

    // DebugBit == 1 here means a catch block in antiDebug() flagged a
    // swallowed exception (see the comments there).
    if( DebugBit == 1 )
        pseudoExit( 0xFFFFFFFF );
    try {
        RemoveVectoredExceptionHandler( vehPtr );
        if( countExceptions != 3 )
            pseudoExit( 0x21522153 );
    }
    catch( ... )
    {
        pseudoExit( 0x55235151 );
    }

    // End anti-debug

    MessageBox( 0, "Debugger not found.", "Success?", MB_OK );

    return( EXIT_SUCCESS );
}