diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..5118f1f059ce42c005dc6201110b9ad3e7ef1cf2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,58 @@
+# Prerequisites
+*.d
+
+# Compiled Object files
+*.slo
+*.lo
+*.o
+*.obj
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Compiled Dynamic libraries
+*.so
+*.dylib
+*.dll
+
+# Fortran module files
+*.mod
+*.smod
+
+# Compiled Static libraries
+*.lai
+*.la
+*.a
+*.lib
+
+# Executables
+*.exe
+*.out
+*.app
+
+#¹ýÂËÊý¾Ý¿âÎļþ¡¢sln½â¾ö·½°¸Îļþ¡¢ÅäÖÃÎļþ
+*.suo
+*.user
+*.sdf
+*.mdb
+*.ldb
+*.config
+*.pdb
+*.ilk
+*.ipdb
+*.iobj
+*.aps
+*.opensdf
+*.exp
+
+#¹ýÂËÎļþ¼ÐDebug,Release,obj
+.vs/
+.bak/
+ipch/
+Debug/
+Debug_cef/
+Release/
+obj/
+AutoLogin_VS2012/bin/bin.rar
+Heart/Tangram/SHARE
diff --git a/course/ScyllaHide/DetectOD/About.cpp b/course/ScyllaHide/DetectOD/About.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..32af8a780aa82a874715c69b19fa3d4ab4971ea1
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/About.cpp
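Review bot: The two `#` comment lines in .gitignore (the one before `*.suo` and the one before `.vs/`) are not UTF-8 as committed; they render as mojibake here and appear to be GBK-encoded, so they are unreadable in most editors and diff viewers. Either re-save the file as UTF-8 or replace them with English comments such as `# Database, solution-user and config files` and `# Build output folders` (my reading of the GBK text, to be confirmed by the author). The ignore patterns themselves are unaffected.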
@@ -0,0 +1,43 @@
+// About.cpp : implementation file
+//
+
+#include "stdafx.h"
+#include "DetectOD.h"
+#include "About.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+// CAbout dialog
+
+
+CAbout::CAbout(CWnd* pParent /*=NULL*/)
+ : CDialog(CAbout::IDD, pParent)
+{
+ //{{AFX_DATA_INIT(CAbout)
+ // NOTE: the ClassWizard will add member initialization here
+ //}}AFX_DATA_INIT
+}
+
+
+void CAbout::DoDataExchange(CDataExchange* pDX)
+{
+ CDialog::DoDataExchange(pDX);
+ //{{AFX_DATA_MAP(CAbout)
+ // NOTE: the ClassWizard will add DDX and DDV calls here
+ //}}AFX_DATA_MAP
+}
+
+
+BEGIN_MESSAGE_MAP(CAbout, CDialog)
+ //{{AFX_MSG_MAP(CAbout)
+ // NOTE: the ClassWizard will add message map macros here
+ //}}AFX_MSG_MAP
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CAbout message handlers
diff --git a/course/ScyllaHide/DetectOD/About.h b/course/ScyllaHide/DetectOD/About.h
new file mode 100644
index 0000000000000000000000000000000000000000..c56ed32cf3961aa931ee188eabb5d7089a2ec4a5
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/About.h
@@ -0,0 +1,46 @@
+#if !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
+#define AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+// About.h : header file
+//
+
+/////////////////////////////////////////////////////////////////////////////
+// CAbout dialog
+
+class CAbout : public CDialog
+{
+// Construction
+public:
+ CAbout(CWnd* pParent = NULL); // standard constructor
+
+// Dialog Data
+ //{{AFX_DATA(CAbout)
+ enum { IDD = IDD_DETECTOD_DIALOG };
+ // NOTE: the ClassWizard will add data members here
+ //}}AFX_DATA
+
+
+// Overrides
+ // ClassWizard generated virtual function overrides
+ //{{AFX_VIRTUAL(CAbout)
+ protected:
+ virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
+ //}}AFX_VIRTUAL
+
+// Implementation
+protected:
+
+ // Generated message map functions
+ //{{AFX_MSG(CAbout)
+ // NOTE: the ClassWizard will add member functions here
+ //}}AFX_MSG
+ DECLARE_MESSAGE_MAP()
+};
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/DetectOD.cpp b/course/ScyllaHide/DetectOD/DetectOD.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..01e2ac2c0a9efe36155c4005b40a10945e340f6a
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectOD.cpp
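Review bot: `CAbout` in About.h declares `enum { IDD = IDD_DETECTOD_DIALOG };`, which binds this about-box class to the main window's dialog template instead of `IDD_ABOUTBOX`, the template the resource script defines for the about box. DetectODDlg.cpp already defines its own `CAboutDlg` bound to `IDD_ABOUTBOX`, so `CAbout` and About.cpp look unused; if they are meant to stay, the line should read `enum { IDD = IDD_ABOUTBOX };`, otherwise both files could be removed from the project (the .vcxproj in this commit is too garbled here to confirm whether About.cpp is compiled). While touching it, the single-argument constructor `CAbout(CWnd* pParent = NULL)` would be better declared `explicit`.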
@@ -0,0 +1,74 @@
+// DetectOD.cpp : Defines the class behaviors for the application.
+//
+
+#include "stdafx.h"
+#include "DetectOD.h"
+#include "DetectODDlg.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#undef THIS_FILE
+static char THIS_FILE[] = __FILE__;
+#endif
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp
+
+BEGIN_MESSAGE_MAP(CDetectODApp, CWinApp)
+ //{{AFX_MSG_MAP(CDetectODApp)
+ // NOTE - the ClassWizard will add and remove mapping macros here.
+ // DO NOT EDIT what you see in these blocks of generated code!
+ //}}AFX_MSG
+ ON_COMMAND(ID_HELP, CWinApp::OnHelp)
+END_MESSAGE_MAP()
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp construction
+
+CDetectODApp::CDetectODApp()
+{
+ // TODO: add construction code here,
+ // Place all significant initialization in InitInstance
+}
+
+/////////////////////////////////////////////////////////////////////////////
+// The one and only CDetectODApp object
+
+CDetectODApp theApp;
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp initialization
+
+BOOL CDetectODApp::InitInstance()
+{
+ AfxEnableControlContainer();
+
+ // Standard initialization
+ // If you are not using these features and wish to reduce the size
+ // of your final executable, you should remove from the following
+ // the specific initialization routines you do not need.
+
+#ifdef _AFXDLL
+ Enable3dControls(); // Call this when using MFC in a shared DLL
+#else
+ Enable3dControlsStatic(); // Call this when linking to MFC statically
+#endif
+
+ CDetectODDlg dlg;
+ m_pMainWnd = &dlg;
+ int nResponse = dlg.DoModal();
+ if (nResponse == IDOK)
+ {
+ // TODO: Place code here to handle when the dialog is
+ // dismissed with OK
+ }
+ else if (nResponse == IDCANCEL)
+ {
+ // TODO: Place code here to handle when the dialog is
+ // dismissed with Cancel
+ }
+
+ // Since the dialog has been closed, return FALSE so that we exit the
+ // application, rather than start the application's message pump.
+ return FALSE;
+}
diff --git a/course/ScyllaHide/DetectOD/DetectOD.h b/course/ScyllaHide/DetectOD/DetectOD.h
new file mode 100644
index 0000000000000000000000000000000000000000..eb49f3a3c974b0e64d50e29db0eba68a14660f89
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectOD.h
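Review bot: `InitInstance` still calls `Enable3dControls()` / `Enable3dControlsStatic()` inside the `#ifdef _AFXDLL` block; these CWinApp members have been documented as obsolete for many MFC versions, and with the v141 toolset the .vcxproj selects they are expected to raise a deprecation warning in the Release build (Level3), while the Debug build hides it because all warnings are turned off there. The whole `#ifdef _AFXDLL` block can be deleted without changing behaviour. The `if (nResponse == IDOK)` / `else if (nResponse == IDCANCEL)` branches contain only wizard TODO comments, so `dlg.DoModal();` followed by the existing `return FALSE;` expresses the same logic; if the branches are kept, give each a real comment stating that the result is intentionally ignored.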
@@ -0,0 +1,49 @@
+// DetectOD.h : main header file for the DETECTOD application
+//
+
+#if !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
+#define AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+
+#ifndef __AFXWIN_H__
+ #error include 'stdafx.h' before including this file for PCH
+#endif
+
+#include "resource.h" // main symbols
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODApp:
+// See DetectOD.cpp for the implementation of this class
+//
+
+class CDetectODApp : public CWinApp
+{
+public:
+ CDetectODApp();
+
+// Overrides
+ // ClassWizard generated virtual function overrides
+ //{{AFX_VIRTUAL(CDetectODApp)
+ public:
+ virtual BOOL InitInstance();
+ //}}AFX_VIRTUAL
+
+// Implementation
+
+ //{{AFX_MSG(CDetectODApp)
+ // NOTE - the ClassWizard will add and remove member functions here.
+ // DO NOT EDIT what you see in these blocks of generated code !
+ //}}AFX_MSG
+ DECLARE_MESSAGE_MAP()
+};
+
+
+/////////////////////////////////////////////////////////////////////////////
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/DetectOD.rc b/course/ScyllaHide/DetectOD/DetectOD.rc
new file mode 100644
index 0000000000000000000000000000000000000000..bb27b1cfd39f46d7d4912bef6722dc6b5bc53251
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectOD.rc
@@ -0,0 +1,239 @@ +//Microsoft Developer Studio generated resource script. +// +#include "resource.h" + +#define APSTUDIO_READONLY_SYMBOLS +///////////////////////////////////////////////////////////////////////////// +// +// Generated from the TEXTINCLUDE 2 resource. +// +#include "afxres.h" + +///////////////////////////////////////////////////////////////////////////// +#undef APSTUDIO_READONLY_SYMBOLS + +///////////////////////////////////////////////////////////////////////////// +// Chinese (Öйú) resources + +#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS) +#ifdef _WIN32 +LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED +#pragma code_page(936) +#endif //_WIN32 + +#ifdef APSTUDIO_INVOKED +///////////////////////////////////////////////////////////////////////////// +// +// TEXTINCLUDE +// + +1 TEXTINCLUDE DISCARDABLE +BEGIN + "resource.h\0" +END + +2 TEXTINCLUDE DISCARDABLE +BEGIN + "#include ""afxres.h""\r\n" + "\0" +END + +3 TEXTINCLUDE DISCARDABLE +BEGIN + "#define _AFX_NO_SPLITTER_RESOURCES\r\n" + "#define _AFX_NO_OLE_RESOURCES\r\n" + "#define _AFX_NO_TRACKER_RESOURCES\r\n" + "#define _AFX_NO_PROPERTY_RESOURCES\r\n" + "\r\n" + "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\n" + "#ifdef _WIN32\r\n" + "LANGUAGE 4, 2\r\n" + "#pragma code_page(936)\r\n" + "#endif //_WIN32\r\n" + "#include ""res\\DetectOD.rc2"" // non-Microsoft Visual C++ edited resources\r\n" + "#include ""l.chs\\afxres.rc"" // Standard components\r\n" + "#endif\r\n" + "\0" +END + +#endif // APSTUDIO_INVOKED + + +///////////////////////////////////////////////////////////////////////////// +// +// Icon +// + +// Icon with lowest ID value placed first to ensure application icon +// remains consistent on all systems. 
+IDR_MAINFRAME ICON DISCARDABLE "res\\DetectOD.ico" +IDI_DOG ICON DISCARDABLE "res\\dog.ico" +IDI_ICON2 ICON DISCARDABLE "res\\home.ico" + +///////////////////////////////////////////////////////////////////////////// +// +// Dialog +// + +IDD_ABOUTBOX DIALOG DISCARDABLE 0, 0, 235, 55 +STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU +CAPTION "¹ØÓÚ ·´µ÷ÊÔʵÀý" +FONT 9, "ËÎÌå" +BEGIN + ICON IDI_ICON2,IDC_MYICON,11,16,20,20,SS_NOTIFY + LTEXT "¹Ù·½ÍøÕ¾£ºÐ´Ò⻥ÁªÍø",IDC_COMEON,56,31,88,8,SS_NOTIFY | + NOT WS_GROUP + DEFPUSHBUTTON "È·¶¨",IDOK,178,7,50,14,WS_GROUP + CTEXT "http://ucooper.com",IDC_MYPAGE,40,17,106,8,SS_NOTIFY +END + +IDD_DETECTOD_DIALOG DIALOGEX 0, 0, 443, 200 +STYLE DS_MODALFRAME | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION | + WS_SYSMENU +EXSTYLE WS_EX_APPWINDOW +CAPTION "·´µ÷ÊÔʵÀý дÒ⻥ÁªÍø ucooper.com" +FONT 9, "ËÎÌå" +BEGIN + DEFPUSHBUTTON "¹Ø ±Õ(&C)",IDOK,375,18,61,18 + PUSHBUTTON "´°¿ÚÀàÃû",IDC_WNDCLS,13,6,46,18 + PUSHBUTTON "IsDebuggerPresent",IDC_ISDEBUGGERPRESENT,13,31,97,18 + PUSHBUTTON "EnumWindow",IDC_ENUMWINDOW,63,6,47,18 + PUSHBUTTON "ö¾Ù½ø³Ì",IDC_EnumProcess,13,55,96,18 + PUSHBUTTON "¸¸½ø³ÌExplorer",IDC_Explorer,13,79,96,18 + PUSHBUTTON "GetTickCount",IDC_GetTickCount,13,103,96,18 + PUSHBUTTON "GetStartupInfo",IDC_GetStartupInfo,13,127,96,18 + PUSHBUTTON "PebFlags",IDC_PEBFLAGS,13,151,97,18 + PUSHBUTTON "CheckRemoteDebuggerPresent", + IDC_CHECKREMOTEDEBUGGERPRESENT,7,175,109,18 + PUSHBUTTON "ZwQueryInformationProcess", + IDC_ZwQueryInformationProcess,127,6,109,18 + PUSHBUTTON "SetUnhandledExceptionFilter", + IDC_SetUnhandledExceptionFilter,127,175,109,18 + PUSHBUTTON "SeDebugPrivilege",IDC_SeDebugPrivilege,127,31,109,18 + PUSHBUTTON "NTQueryObject",IDC_NTQueryObject,127,55,109,18 + PUSHBUTTON "¶Ïµã¼ì²â",IDC_DectectBreakpoints,127,79,109,18 + PUSHBUTTON "º¯Êý¶Ïµã¼ì²â",IDC_DectectFuncBreakpoints,127,103,109,18 + PUSHBUTTON "BlockInput",IDC_BlockInput,127,151,109,18 + PUSHBUTTON "CheckSum",IDC_CHECKSUM,127,127,109,18 + PUSHBUTTON 
"EnableWindow",IDC_EnableWindow,253,6,109,18 + PUSHBUTTON "ZwSetInformationThread",IDC_ZwSetInformationThread,253, + 31,109,18 + PUSHBUTTON "OutputDebugString",IDC_OutputDebugString,253,55,109,18 + PUSHBUTTON "GetEntryPoint",IDC_GetEntryPoint,253,152,109,18 + PUSHBUTTON "µ¥²½Òì³£",IDC_TrapFlag,253,80,109,18 + PUSHBUTTON "±£»¤Ò³Guard Pages",IDC_GuardPages,253,103,109,18 + PUSHBUTTON "HardwareBreakpoint",IDC_HARDWAREBREAKPOINT,253,127,109, + 18 + PUSHBUTTON "¹Ø ÓÚ(&A)",IDC_ABOUT,375,47,61,18 + CTEXT "Ö§³ÖÎÒ£¬Çë·ÃÎÊÎҵĸöÈËÕ¾µã www.ucooper.com",IDC_MYPAGE2, + 257,183,183,10,SS_NOTIFY +END + + +#ifndef _MAC +///////////////////////////////////////////////////////////////////////////// +// +// Version +// + +VS_VERSION_INFO VERSIONINFO + FILEVERSION 1,0,0,1 + PRODUCTVERSION 1,0,0,1 + FILEFLAGSMASK 0x3fL +#ifdef _DEBUG + FILEFLAGS 0x1L +#else + FILEFLAGS 0x0L +#endif + FILEOS 0x4L + FILETYPE 0x1L + FILESUBTYPE 0x0L +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "080404B0" + BEGIN + VALUE "CompanyName", "\0" + VALUE "FileDescription", "DetectOD Microsoft »ù´¡ÀàÓ¦ÓóÌÐò\0" + VALUE "FileVersion", "1, 0, 0, 1\0" + VALUE "InternalName", "DetectOD\0" + VALUE "LegalCopyright", "°æÈ¨ËùÓÐ (C) 2010\0" + VALUE "LegalTrademarks", "\0" + VALUE "OriginalFilename", "DetectOD.EXE\0" + VALUE "ProductName", "DetectOD Ó¦ÓóÌÐò\0" + VALUE "ProductVersion", "1, 0, 0, 1\0" + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x804, 1200 + END +END + +#endif // !_MAC + + +///////////////////////////////////////////////////////////////////////////// +// +// DESIGNINFO +// + +#ifdef APSTUDIO_INVOKED +GUIDELINES DESIGNINFO DISCARDABLE +BEGIN + IDD_ABOUTBOX, DIALOG + BEGIN + LEFTMARGIN, 7 + RIGHTMARGIN, 228 + TOPMARGIN, 7 + BOTTOMMARGIN, 48 + END + + IDD_DETECTOD_DIALOG, DIALOG + BEGIN + LEFTMARGIN, 7 + RIGHTMARGIN, 436 + TOPMARGIN, 6 + BOTTOMMARGIN, 193 + END +END +#endif // APSTUDIO_INVOKED + + +///////////////////////////////////////////////////////////////////////////// +// +// String 
Table +// + +STRINGTABLE DISCARDABLE +BEGIN + IDS_ABOUTBOX "¹ØÓÚ DetectOD(&A)..." +END + +#endif // Chinese (Öйú) resources +///////////////////////////////////////////////////////////////////////////// + + + +#ifndef APSTUDIO_INVOKED +///////////////////////////////////////////////////////////////////////////// +// +// Generated from the TEXTINCLUDE 3 resource. +// +#define _AFX_NO_SPLITTER_RESOURCES +#define _AFX_NO_OLE_RESOURCES +#define _AFX_NO_TRACKER_RESOURCES +#define _AFX_NO_PROPERTY_RESOURCES + +#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS) +#ifdef _WIN32 +LANGUAGE 4, 2 +#pragma code_page(936) +#endif //_WIN32 +#include "res\DetectOD.rc2" // non-Microsoft Visual C++ edited resources +#include "l.chs\afxres.rc" // Standard components +#endif + +///////////////////////////////////////////////////////////////////////////// +#endif // not APSTUDIO_INVOKED + diff --git a/course/ScyllaHide/DetectOD/DetectOD.sln b/course/ScyllaHide/DetectOD/DetectOD.sln new file mode 100644 index 0000000000000000000000000000000000000000..d07097798feb27b941910458b31bb995eb4df3d0 --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectOD.sln 
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2012
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DetectOD", "DetectOD.vcxproj", "{0CD6F28B-6A93-42AB-A435-46223134EB03}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Win32 = Debug|Win32
+ Release|Win32 = Release|Win32
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {0CD6F28B-6A93-42AB-A435-46223134EB03}.Debug|Win32.ActiveCfg = Debug|Win32
+ {0CD6F28B-6A93-42AB-A435-46223134EB03}.Debug|Win32.Build.0 = Debug|Win32
+ {0CD6F28B-6A93-42AB-A435-46223134EB03}.Release|Win32.ActiveCfg = Release|Win32
+ {0CD6F28B-6A93-42AB-A435-46223134EB03}.Release|Win32.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+EndGlobal
diff --git a/course/ScyllaHide/DetectOD/DetectOD.vcxproj b/course/ScyllaHide/DetectOD/DetectOD.vcxproj
new file mode 100644
index 0000000000000000000000000000000000000000..376f127ffe6fccad568f9041cc4c6b6e7f86af2c
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectOD.vcxproj
@@ -0,0 +1,169 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + + + + MFCProj + {0CD6F28B-6A93-42AB-A435-46223134EB03} + 10.0.17763.0 + + + + Application + v141 + Dynamic + MultiByte + + + Application + v141 + Dynamic + MultiByte + + + + + + + + + + + + + + + .\Debug\ + .\Debug\ + true + + + .\Release\ + .\Release\ + false + + + + MultiThreadedDebugDLL + Default + true + Disabled + true + TurnOffAllWarnings + true + true + EditAndContinue + WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions) + .\Debug\ + true + .\Debug\DetectOD.pch + Use + stdafx.h + .\Debug\ + .\Debug\ + EnableFastChecks + + + true + _DEBUG;%(PreprocessorDefinitions) + .\Debug\DetectOD.tlb + true + Win32 + + + 0x0804 + _DEBUG;%(PreprocessorDefinitions) + + + true + .\Debug\DetectOD.bsc + + + true + true + Windows + .\Debug\DetectOD.exe + + + + + MultiThreadedDLL + Default + false + Disabled + true + Level3 + WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions) + .\Release\ + .\Release\DetectOD.pch + Use + stdafx.h + .\Release\ + .\Release\ + + + true + NDEBUG;%(PreprocessorDefinitions) + .\Release\DetectOD.tlb + true + Win32 + + + 0x0804 + NDEBUG;%(PreprocessorDefinitions) + + + true + .\Release\DetectOD.bsc + + + true + Windows + .\Release\DetectOD.exe + + + + + + + Create + stdafx.h + Create + stdafx.h + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/course/ScyllaHide/DetectOD/DetectOD.vcxproj.filters b/course/ScyllaHide/DetectOD/DetectOD.vcxproj.filters new file mode 100644 index 0000000000000000000000000000000000000000..00a660bcc759667bee19b89495719f24c6b15537 --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectOD.vcxproj.filters 
@@ -0,0 +1,69 @@ + + + + + {482dc496-684c-4bef-b2aa-7fe4a3c1f3b9} + cpp;c;cxx;rc;def;r;odl;idl;hpj;bat + + + {8240ba4f-278d-4fef-b682-382d3baf9fd9} + h;hpp;hxx;hm;inl + + + {235672e2-eb7d-4e1d-bddc-f8475e3f06a2} + ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe + + + + + Source Files + + + Source Files + + + Source Files + + + + + Source Files + + + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + + + Resource Files + + + Resource Files + + + Resource Files + + + Resource Files + + + + + + + + Resource Files + + + \ No newline at end of file diff --git a/course/ScyllaHide/DetectOD/DetectODDlg.cpp b/course/ScyllaHide/DetectOD/DetectODDlg.cpp new file mode 100644 index 0000000000000000000000000000000000000000..00f637ac2bcd3c0b792a2a976e66777947a53930 --- /dev/null +++ b/course/ScyllaHide/DetectOD/DetectODDlg.cpp 
@@ -0,0 +1,1138 @@ +// DetectODDlg.cpp : implementation file +// + +#include "stdafx.h" +#include "DetectOD.h" +#include "DetectODDlg.h" +#include "Shlwapi.h" +#include "tlhelp32.h" +#include "Windows.h" +// #include "Winable.h" +#include +#include "eh.h" +#ifdef _DEBUG +#define new DEBUG_NEW +#undef THIS_FILE +static char THIS_FILE[] = __FILE__; +#endif +typedef LONG NTSTATUS; + +static DWORD NewEip; +///////////////////////////////////////////////////////////////////////////// +// CAboutDlg dialog used for App About + +class CAboutDlg : public CDialog +{ +public: + CAboutDlg(); + +// Dialog Data + //{{AFX_DATA(CAboutDlg) + enum { IDD = IDD_ABOUTBOX }; + //}}AFX_DATA + + // ClassWizard generated virtual function overrides + //{{AFX_VIRTUAL(CAboutDlg) + protected: + virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support + //}}AFX_VIRTUAL + +// Implementation +protected: + //{{AFX_MSG(CAboutDlg) + afx_msg void OnMypage(); + afx_msg void OnMouseMove(UINT nFlags, CPoint point); + virtual BOOL OnInitDialog(); + afx_msg void OnComeon(); + afx_msg void OnMyicon(); + //}}AFX_MSG + DECLARE_MESSAGE_MAP() +}; + +CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD) +{ + //{{AFX_DATA_INIT(CAboutDlg) + //}}AFX_DATA_INIT +} + +void CAboutDlg::DoDataExchange(CDataExchange* pDX) +{ + CDialog::DoDataExchange(pDX); + //{{AFX_DATA_MAP(CAboutDlg) + //}}AFX_DATA_MAP +} + +BEGIN_MESSAGE_MAP(CAboutDlg, CDialog) + //{{AFX_MSG_MAP(CAboutDlg) + ON_BN_CLICKED(IDC_MYPAGE, OnMypage) + ON_WM_MOUSEMOVE() + ON_BN_CLICKED(IDC_COMEON, OnComeon) + ON_BN_CLICKED(IDC_MYICON, OnMyicon) + //}}AFX_MSG_MAP +END_MESSAGE_MAP() + +///////////////////////////////////////////////////////////////////////////// +// CDetectODDlg dialog + +CDetectODDlg::CDetectODDlg(CWnd* pParent /*=NULL*/) + : CDialog(CDetectODDlg::IDD, pParent) +{ + //{{AFX_DATA_INIT(CDetectODDlg) + // NOTE: the ClassWizard will add member initialization here + //}}AFX_DATA_INIT + // Note that LoadIcon does not require a subsequent 
DestroyIcon in Win32 + m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME); +} + +void CDetectODDlg::DoDataExchange(CDataExchange* pDX) +{ + CDialog::DoDataExchange(pDX); + //{{AFX_DATA_MAP(CDetectODDlg) + // NOTE: the ClassWizard will add DDX and DDV calls here + //}}AFX_DATA_MAP +} + +BEGIN_MESSAGE_MAP(CDetectODDlg, CDialog) + //{{AFX_MSG_MAP(CDetectODDlg) + ON_WM_SYSCOMMAND() + ON_WM_PAINT() + ON_WM_QUERYDRAGICON() + ON_BN_CLICKED(IDC_WNDCLS, OnWndcls) + ON_BN_CLICKED(IDC_ISDEBUGGERPRESENT, OnIsdebuggerpresent) + ON_BN_CLICKED(IDC_ENUMWINDOW, OnEnumwindow) + ON_BN_CLICKED(IDC_EnumProcess, OnEnumProcess) + ON_BN_CLICKED(IDC_Explorer, OnExplorer) + ON_BN_CLICKED(IDC_GetTickCount, OnGetTickCount) + ON_BN_CLICKED(IDC_GetStartupInfo, OnGetStartupInfo) + ON_BN_CLICKED(IDC_PEBFLAGS, OnPebflags) + ON_BN_CLICKED(IDC_CHECKREMOTEDEBUGGERPRESENT, OnCheckremotedebuggerpresent) + ON_BN_CLICKED(IDC_SetUnhandledExceptionFilter, OnSetUnhandledExceptionFilter) + ON_BN_CLICKED(IDC_ZwQueryInformationProcess, OnZwQueryInformationProcess) + ON_BN_CLICKED(IDC_SeDebugPrivilege, OnSeDebugPrivilege) + ON_BN_CLICKED(IDC_NTQueryObject, OnNTQueryObject) + ON_BN_CLICKED(IDC_DectectBreakpoints, OnDectectBreakpoints) + ON_BN_CLICKED(IDC_DectectFuncBreakpoints, OnDectectFuncBreakpoints) + ON_BN_CLICKED(IDC_BlockInput, OnBlockInput) + ON_BN_CLICKED(IDC_CHECKSUM, OnChecksum) + ON_BN_CLICKED(IDC_EnableWindow, OnEnableWindow) + ON_BN_CLICKED(IDC_ZwSetInformationThread, OnZwSetInformationThread) + ON_BN_CLICKED(IDC_OutputDebugString, OnOutputDebugString) + ON_BN_CLICKED(IDC_GetEntryPoint, OnGetEntryPoint) + ON_BN_CLICKED(IDC_TrapFlag, OnTrapFlag) + ON_BN_CLICKED(IDC_GuardPages, OnGuardPages) + ON_BN_CLICKED(IDC_HARDWAREBREAKPOINT, OnHardwarebreakpoint) + ON_BN_CLICKED(IDC_ABOUT, OnAbout) + ON_BN_CLICKED(IDC_MYPAGE2, OnMypage2) + //}}AFX_MSG_MAP +END_MESSAGE_MAP() + +///////////////////////////////////////////////////////////////////////////// +// CDetectODDlg message handlers + +BOOL 
CDetectODDlg::OnInitDialog() +{ + CDialog::OnInitDialog(); + + // Add "About..." menu item to system menu. + + // IDM_ABOUTBOX must be in the system command range. + ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX); + ASSERT(IDM_ABOUTBOX < 0xF000); + + CMenu* pSysMenu = GetSystemMenu(FALSE); + if (pSysMenu != NULL) + { + CString strAboutMenu; + strAboutMenu.LoadString(IDS_ABOUTBOX); + if (!strAboutMenu.IsEmpty()) + { + pSysMenu->AppendMenu(MF_SEPARATOR); + pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu); + } + } + + // Set the icon for this dialog. The framework does this automatically + // when the application's main window is not a dialog +// SetIcon(m_hIcon, TRUE); // Set big icon +// SetIcon(m_hIcon, FALSE); // Set small icon + + // TODO: Add extra initialization here + SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG)))); + return TRUE; // return TRUE unless you set the focus to a control +} + +void CDetectODDlg::OnSysCommand(UINT nID, LPARAM lParam) +{ + if ((nID & 0xFFF0) == IDM_ABOUTBOX) + { + CAboutDlg dlgAbout; + dlgAbout.DoModal(); + } + else + { + CDialog::OnSysCommand(nID, lParam); + } +} + +// If you add a minimize button to your dialog, you will need the code below +// to draw the icon. For MFC applications using the document/view model, +// this is automatically done for you by the framework. 
+ +void CDetectODDlg::OnPaint() +{ + if (IsIconic()) + { + CPaintDC dc(this); // device context for painting + + SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0); + + // Center icon in client rectangle + int cxIcon = GetSystemMetrics(SM_CXICON); + int cyIcon = GetSystemMetrics(SM_CYICON); + CRect rect; + GetClientRect(&rect); + int x = (rect.Width() - cxIcon + 1) / 2; + int y = (rect.Height() - cyIcon + 1) / 2; + + // Draw the icon + dc.DrawIcon(x, y, m_hIcon); + } + else + { + CDialog::OnPaint(); + } +} + +// The system calls this to obtain the cursor to display while the user drags +// the minimized window. +HCURSOR CDetectODDlg::OnQueryDragIcon() +{ + return (HCURSOR) m_hIcon; +} + +void CDetectODDlg::OnWndcls() +{ + // TODO: Add your control notification handler code here + HWND hWnd; + if(hWnd=::FindWindow("OllyDbg",NULL)) + { + MessageBox("·¢ÏÖOD"); + }else{ + MessageBox("û·¢ÏÖOD"); + } + +} +void CDetectODDlg::OnIsdebuggerpresent() +{ + // TODO: Add your control notification handler code here + if(IsDebuggerPresent()) + { + MessageBox("·¢ÏÖOD"); + } + else + { + MessageBox("ûÓÐOD"); + } +} +/***************************************************/ +BOOL CALLBACK EnumWindowsProc( + HWND hwnd, // handle to parent window + LPARAM lParam // application-defined value + ) +{ + char ch[100]; + CString str="Ollydbg"; + if(IsWindowVisible(hwnd)) + { + ::GetWindowText(hwnd,ch,100); + //AfxMessageBox(ch); + if(::StrStrI(ch,str)) + { + AfxMessageBox("·¢ÏÖOD"); + return FALSE; + } + } + return TRUE; +} + +void CDetectODDlg::OnEnumwindow() +{ + // TODO: Add your control notification handler code here + EnumWindows(EnumWindowsProc,NULL); + AfxMessageBox("ö¾Ù´°¿Ú½áÊø£¬Î´Ìáʾ·¢ÏÖOD£¬ÔòûÓÐOD"); +} + +/***************************************************/ +void CDetectODDlg::OnEnumProcess() +{ + // TODO: Add your control notification handler code here + + HANDLE hwnd; + PROCESSENTRY32 tp32; //½á¹¹Ìå + CString str="OLLYDBG.EXE"; + BOOL bFindOD=FALSE; + 
hwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); + if(INVALID_HANDLE_VALUE!=hwnd) + { + Process32First(hwnd,&tp32); + do{ + if(0==lstrcmpi(str,tp32.szExeFile)) + { + AfxMessageBox("·¢ÏÖOD"); + bFindOD=TRUE; + break; + } + }while(Process32Next(hwnd,&tp32)); + if(!bFindOD) + AfxMessageBox("ûÓÐOD"); + } + CloseHandle(hwnd); +} + +void CDetectODDlg::OnExplorer() +{ + // TODO: Add your control notification handler code here + HANDLE hwnd; + PROCESSENTRY32 tp32; //½á¹¹Ìå + CString str="Explorer.EXE"; + + DWORD ExplorerID; + DWORD SelfID; + DWORD SelfParentID; + SelfID=GetCurrentProcessId(); + ::GetWindowThreadProcessId(::FindWindow("Progman",NULL),&ExplorerID); + hwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL); + if(INVALID_HANDLE_VALUE!=hwnd) + { + Process32First(hwnd,&tp32); + do{ + if(0==lstrcmp(str,tp32.szExeFile)) + { + // ExplorerID=tp32.th32ProcessID; + // AfxMessageBox("aaa"); + } + if(SelfID==tp32.th32ProcessID) + { + SelfParentID=tp32.th32ParentProcessID; + } + }while(Process32Next(hwnd,&tp32)); + + str.Format("±¾½ø³Ì£º%d ¸¸½ø³Ì£º%d Explorer½ø³Ì: %d ",SelfID,SelfParentID,ExplorerID); + MessageBox(str); + if(ExplorerID==SelfParentID) + { + AfxMessageBox("ûÓÐOD"); + } + else + { + AfxMessageBox("·¢ÏÖOD"); + } + } + CloseHandle(hwnd); +} + +void CDetectODDlg::OnGetTickCount() +{ + // TODO: Add your control notification handler code here + DWORD dTime1; + DWORD dTime2; + dTime1=GetTickCount(); + GetCurrentProcessId(); + GetCurrentProcessId(); + GetCurrentProcessId(); + GetCurrentProcessId(); + dTime2=GetTickCount(); + if(dTime2-dTime1>100) + { + AfxMessageBox("·¢ÏÖOD"); + } + else{ + AfxMessageBox("ûÓÐOD"); + } +} + +void CDetectODDlg::OnGetStartupInfo() +{ + // TODO: Add your control notification handler code here + STARTUPINFO info={0}; + GetStartupInfo(&info); + if(info.dwX!=0 || info.dwY!=0 || info.dwXCountChars!=0 || info.dwYCountChars!=0 + || info.dwFillAttribute!=0 || info.dwXSize!=0 || info.dwYSize!=0) + { + AfxMessageBox("·¢ÏÖOD"); + } + 
else{ + AfxMessageBox("ûÓÐOD"); + } + +} + +//********************************************** +// typedef ULONG NTSTATUS; +typedef ULONG PPEB; +typedef ULONG KAFFINITY; +typedef ULONG KPRIORITY; + +typedef struct _PROCESS_BASIC_INFORMATION { // Information Class 0 +NTSTATUS ExitStatus; +PPEB PebBaseAddress; +KAFFINITY AffinityMask; +KPRIORITY BasePriority; +ULONG UniqueProcessId; +ULONG InheritedFromUniqueProcessId; +} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; + +typedef enum _PROCESSINFOCLASS { +ProcessBasicInformation, // 0 Y N +ProcessQuotaLimits, // 1 Y Y +ProcessIoCounters, // 2 Y N +ProcessVmCounters, // 3 Y N +ProcessTimes, // 4 Y N +ProcessBasePriority, // 5 N Y +ProcessRaisePriority, // 6 N Y +ProcessDebugPort, // 7 Y Y +ProcessExceptionPort, // 8 N Y +ProcessAccessToken, // 9 N Y +ProcessLdtInformation, // 10 Y Y +ProcessLdtSize, // 11 N Y +ProcessDefaultHardErrorMode, // 12 Y Y +ProcessIoPortHandlers, // 13 N Y +ProcessPooledUsageAndLimits, // 14 Y N +ProcessWorkingSetWatch, // 15 Y Y +ProcessUserModeIOPL, // 16 N Y +ProcessEnableAlignmentFaultFixup, // 17 N Y +ProcessPriorityClass, // 18 N Y +ProcessWx86Information, // 19 Y N +ProcessHandleCount, // 20 Y N +ProcessAffinityMask, // 21 N Y +ProcessPriorityBoost, // 22 Y Y +ProcessDeviceMap,// 23 Y Y +ProcessSessionInformation, // 24 Y Y +ProcessForegroundInformation, // 25 N Y +ProcessWow64Information // 26 Y N +} PROCESSINFOCLASS; + + +typedef NTSTATUS (_stdcall *ZwQueryInformationProcess)( +HANDLE ProcessHandle, +PROCESSINFOCLASS ProcessInformationClass, +PVOID ProcessInformation, +ULONG ProcessInformationLength, +PULONG ReturnLength +); //¶¨Ò庯ÊýÖ¸Õë + +void CDetectODDlg::OnPebflags() +{ + // TODO: Add your control notification handler code here + + //¶¨Ò庯ÊýÖ¸Õë±äÁ¿ + ZwQueryInformationProcess MyZwQueryInformationProcess; + + HANDLE hProcess = NULL; + PROCESS_BASIC_INFORMATION pbi = {0}; + ULONG peb = 0; + ULONG cnt = 0; + ULONG PebBase = 0; + ULONG AddrBase; + BOOL bFoundOD=FALSE; + WORD 
flag; + DWORD dwFlag; + DWORD bytesrw; + DWORD ProcessId=GetCurrentProcessId(); + hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId); + if (hProcess != NULL) { + //º¯ÊýÖ¸Õë±äÁ¿¸³Öµ + MyZwQueryInformationProcess=(ZwQueryInformationProcess)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwQueryInformationProcess"); + //º¯ÊýÖ¸Õë±äÁ¿µ÷Óà + if (MyZwQueryInformationProcess( + hProcess, + ProcessBasicInformation, + &pbi, + sizeof(PROCESS_BASIC_INFORMATION), + &cnt) == 0) + { + PebBase = (ULONG)pbi.PebBaseAddress; + AddrBase=PebBase; + if (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x68),&flag,2,&bytesrw) && bytesrw==2) + { //PEB.NtGlobalFlag + if(0x70==flag){ + bFoundOD=TRUE; + } + } + if (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x18),&dwFlag,4,&bytesrw) && bytesrw==4) + { + AddrBase=dwFlag; + } + if (ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x0c),&flag,2,&bytesrw) && bytesrw==2) + {//PEB.ProcessHeap.Flags + if(2!=flag){ + bFoundOD=TRUE; + } + } + if (ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x10),&flag,2,&bytesrw) && bytesrw==2) + {//PEB.ProcessHeap.ForceFlags + if(0!=flag){ + bFoundOD=TRUE; + } + } + if(bFoundOD==FALSE) + { + AfxMessageBox("ûÓÐOD"); + } + else + { + AfxMessageBox("·¢ÏÖOD"); + } + } + CloseHandle(hProcess); + } +} + +//******************************************************************* +typedef BOOL (WINAPI *CHECK_REMOTE_DEBUGGER_PRESENT)(HANDLE, PBOOL); + +void CDetectODDlg::OnCheckremotedebuggerpresent() +{ + // TODO: Add your control notification handler code here + HANDLE hProcess; + HINSTANCE hModule; + BOOL bDebuggerPresent = FALSE; + CHECK_REMOTE_DEBUGGER_PRESENT CheckRemoteDebuggerPresent; + hModule = GetModuleHandleA("Kernel32"); + CheckRemoteDebuggerPresent = + (CHECK_REMOTE_DEBUGGER_PRESENT)GetProcAddress(hModule, "CheckRemoteDebuggerPresent"); + hProcess = GetCurrentProcess(); + CheckRemoteDebuggerPresent(hProcess,&bDebuggerPresent); + if(bDebuggerPresent==TRUE) + { + AfxMessageBox("·¢ÏÖOD"); + } + 
else + { + AfxMessageBox("ûÓÐOD"); + } +} +//******************************************************** +typedef NTSTATUS (_stdcall *ZW_QUERY_INFORMATION_PROCESS)( +HANDLE ProcessHandle, +PROCESSINFOCLASS ProcessInformationClass, //¸Ã²ÎÊýÒ²ÐèÒªÉÏÃæÉùÃ÷µÄÊý¾Ý½á¹¹ +PVOID ProcessInformation, +ULONG ProcessInformationLength, +PULONG ReturnLength +); //¶¨Ò庯ÊýÖ¸Õë + +void CDetectODDlg::OnZwQueryInformationProcess() +{ + // TODO: Add your control notification handler code here + HANDLE hProcess; + HINSTANCE hModule; + DWORD dwResult; + ZW_QUERY_INFORMATION_PROCESS MyFunc; + hModule = GetModuleHandle("ntdll.dll"); + MyFunc=(ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hModule,"ZwQueryInformationProcess"); + hProcess = GetCurrentProcess(); + MyFunc( + hProcess, + ProcessDebugPort, + &dwResult, + 4, + NULL); + if(dwResult!=0) + { + AfxMessageBox("·¢ÏÖOD"); + } + else + { + AfxMessageBox("ûÓÐOD"); + } +} +//******************************************************** +static DWORD lpOldHandler; +typedef LPTOP_LEVEL_EXCEPTION_FILTER (_stdcall *pSetUnhandledExceptionFilter)( + LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter + ); +pSetUnhandledExceptionFilter lpSetUnhandledExceptionFilter; + +LONG WINAPI TopUnhandledExceptionFilter( + struct _EXCEPTION_POINTERS *ExceptionInfo +) +{ + _asm pushad + AfxMessageBox("»Øµ÷º¯Êý"); + lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler); + ExceptionInfo->ContextRecord->Eip=NewEip;//×ªÒÆµ½°²È«Î»Öà + _asm popad + return EXCEPTION_CONTINUE_EXECUTION; +} + +void CDetectODDlg::OnSetUnhandledExceptionFilter() +{ + bool isDebugged=0; + // TODO: Add your control notification handler code here + lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")), + "SetUnhandledExceptionFilter"); + lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter); + _asm{ //»ñÈ¡Õâ¸ö°²È«µØÖ· + call me //·½Ê½Ò»£¬ÐèÒªNewEip¼ÓÉÏÒ»¸öÆ«ÒÆÖµ +me: + pop NewEip //·½Ê½Ò»½áÊø + mov 
NewEip,offset safe //·½Ê½¶þ£¬¸ü¼òµ¥
+ int 3 //´¥·¢Òì³£
+ }
+ AfxMessageBox("¼ì²âµ½OD");
+ isDebugged=1;
+ _asm{
+safe:
+ }
+ if(1==isDebugged){
+
+ }else{
+ AfxMessageBox("ûÓÐOD");
+ }
+}
+//********************************************************
+void CDetectODDlg::OnSeDebugPrivilege()
+{
+ // TODO: Add your control notification handler code here
+ HANDLE hProcessSnap;
+ HANDLE hProcess;
+ PROCESSENTRY32 tp32; //½á¹¹Ìå
+ CString str="csrss.exe";
+ hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
+ if(INVALID_HANDLE_VALUE!=hProcessSnap)
+ {
+ Process32First(hProcessSnap,&tp32);
+ do{
+ if(0==lstrcmpi(str,tp32.szExeFile))
+ {
+ hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,NULL,tp32.th32ProcessID);
+ if(NULL!=hProcess)
+ {
+ AfxMessageBox("·¢ÏÖOD");
+ }
+ else
+ {
+ AfxMessageBox("ûÓÐOD");
+ }
+ CloseHandle(hProcess);
+ }
+ }while(Process32Next(hProcessSnap,&tp32));
+ }
+ CloseHandle(hProcessSnap);
+}
+
+//***************************************************************
+#ifndef STATUS_INFO_LENGTH_MISMATCH
+#define STATUS_INFO_LENGTH_MISMATCH ((UINT32)0xC0000004L)
+#endif
+
+typedef enum _POOL_TYPE {
+ NonPagedPool,
+ PagedPool,
+ NonPagedPoolMustSucceed,
+ DontUseThisType,
+ NonPagedPoolCacheAligned,
+ PagedPoolCacheAligned,
+ NonPagedPoolCacheAlignedMustS
+} POOL_TYPE;
+
+typedef struct _UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PWSTR Buffer;
+} UNICODE_STRING;
+typedef UNICODE_STRING *PUNICODE_STRING;
+typedef const UNICODE_STRING *PCUNICODE_STRING;
+
+typedef enum _OBJECT_INFORMATION_CLASS
+{
+ ObjectBasicInformation, // Result is OBJECT_BASIC_INFORMATION structure
+ ObjectNameInformation, // Result is OBJECT_NAME_INFORMATION structure
+ ObjectTypeInformation, // Result is OBJECT_TYPE_INFORMATION structure
+ ObjectAllTypesInformation, // Result is OBJECT_ALL_INFORMATION structure
+ ObjectDataInformation // Result is OBJECT_DATA_INFORMATION structure
+
+} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
+
+typedef struct 
_OBJECT_TYPE_INFORMATION {
+ UNICODE_STRING TypeName;
+ ULONG TotalNumberOfHandles;
+ ULONG TotalNumberOfObjects;
+ WCHAR Unused1[8];
+ ULONG HighWaterNumberOfHandles;
+ ULONG HighWaterNumberOfObjects;
+ WCHAR Unused2[8];
+ ACCESS_MASK InvalidAttributes;
+ GENERIC_MAPPING GenericMapping;
+ ACCESS_MASK ValidAttributes;
+ BOOLEAN SecurityRequired;
+ BOOLEAN MaintainHandleCount;
+ USHORT MaintainTypeList;
+ POOL_TYPE PoolType;
+ ULONG DefaultPagedPoolCharge;
+ ULONG DefaultNonPagedPoolCharge;
+} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
+
+typedef struct _OBJECT_ALL_INFORMATION {
+ ULONG NumberOfObjectsTypes;
+ OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
+} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;
+
+typedef struct _OBJECT_ALL_TYPES_INFORMATION {
+ ULONG NumberOfTypes;
+ OBJECT_TYPE_INFORMATION TypeInformation[1];
+} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
+
+typedef UINT32 (__stdcall *ZwQueryObject_t) (
+ IN HANDLE ObjectHandle,
+ IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
+ OUT PVOID ObjectInformation,
+ IN ULONG Length,
+ OUT PULONG ResultLength );
+
+void CDetectODDlg::OnNTQueryObject()
+{
+ // TODO: Add your control notification handler code here
+ // µ÷ÊÔÆ÷±ØÐëÕýÔÚµ÷ÊÔ²ÅÄܼì²âµ½£¬½ö´ò¿ªODÊǼì²â²»µ½µÄ
+ HMODULE hNtDLL;
+ DWORD dwSize;
+ UINT i;
+ UCHAR KeyType=0;
+ OBJECT_ALL_TYPES_INFORMATION *Types;
+ OBJECT_TYPE_INFORMATION *t;
+ ZwQueryObject_t ZwQueryObject;
+
+ hNtDLL = GetModuleHandle("ntdll.dll");
+ if(hNtDLL){
+ ZwQueryObject = (ZwQueryObject_t)GetProcAddress(hNtDLL, "ZwQueryObject");
+ UINT32 iResult = ZwQueryObject(NULL, ObjectAllTypesInformation, NULL, NULL, &dwSize);
+ if(iResult==STATUS_INFO_LENGTH_MISMATCH)
+ {
+ Types = (OBJECT_ALL_TYPES_INFORMATION*)VirtualAlloc(NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);
+ if (Types == NULL) return;
+ if (iResult=ZwQueryObject(NULL,ObjectAllTypesInformation, Types, dwSize, &dwSize)) return;
+ for (t=Types->TypeInformation,i=0;iNumberOfTypes;i++)
+ {
+ if ( 
!_wcsicmp(t->TypeName.Buffer,L"DebugObject")) //±È½ÏÁ½¸öÊÇ·ñÏàµÈ£¬Õâ¸öLºÜÌØÊ⣬±¾µØµÄÒâ˼
+ {
+ if(t->TotalNumberOfHandles > 0 || t->TotalNumberOfObjects > 0)
+ {
+ AfxMessageBox("·¢ÏÖOD");
+ VirtualFree (Types,0,MEM_RELEASE);
+ return;
+ }
+ break; // Found Anyways
+ }
+ t=(OBJECT_TYPE_INFORMATION *)((char *)t->TypeName.Buffer+((t->TypeName.MaximumLength+3)&~3));
+ }
+ }
+ AfxMessageBox("ûÓÐOD!");
+ VirtualFree (Types,0,MEM_RELEASE);
+ }
+}
+/*********************************************************/
+BOOL DetectBreakpoints()
+{
+ BOOL bFoundOD;
+ bFoundOD=FALSE;
+ __asm
+ {
+ jmp CodeEnd
+ CodeStart: mov eax,ecx ;±»±£»¤µÄ³ÌÐò¶Î
+ nop
+ push eax
+ push ecx
+ pop ecx
+ pop eax
+ CodeEnd:
+ cld ;¼ì²â´úÂ뿪ʼ
+ mov edi,offset CodeStart
+ mov edx,offset CodeStart
+ mov ecx,offset CodeEnd
+ sub ecx,edx
+
+ mov al,0CCH
+ repne scasb
+ jnz ODNotFound
+ mov bFoundOD,1
+ ODNotFound:
+ }
+ return bFoundOD;
+}
+void CDetectODDlg::OnDectectBreakpoints()
+{
+ // TODO: Add your control notification handler code here
+ if(DetectBreakpoints())
+ {
+ AfxMessageBox("·¢ÏÖOD");
+ }
+ else
+ {
+ AfxMessageBox("ûÓÐOD");
+ }
+}
+/*********************************************************/
+BOOL DetectFuncBreakpoints()
+{
+ BOOL bFoundOD;
+ bFoundOD=FALSE;
+ DWORD dwAddr;
+ dwAddr=(DWORD)::GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA");
+ __asm
+ {
+ cld ;¼ì²â´úÂ뿪ʼ
+ mov edi,dwAddr
+ mov ecx,100 ;100bytes
+ mov al,0CCH
+ repne scasb
+ jnz ODNotFound
+ mov bFoundOD,1
+ ODNotFound:
+ }
+ return bFoundOD;
+}
+void CDetectODDlg::OnDectectFuncBreakpoints()
+{
+ // TODO: Add your control notification handler code here
+ if(DetectFuncBreakpoints())
+ {
+ AfxMessageBox("·¢ÏÖOD");
+ }
+ else
+ {
+ AfxMessageBox("ûÓÐOD");
+ }
+}
+
+void CDetectODDlg::OnBlockInput()
+{ // #include "Winable.h"
+ // TODO: Add your control notification handler code here
+ DWORD dwNoUse;
+ DWORD dwNoUse2;
+ ::BlockInput(TRUE);
+ dwNoUse=2;
+ dwNoUse2=3;
+ dwNoUse=dwNoUse2;
+ ::BlockInput(FALSE);
+}
+/*********************************************************/
+BOOL CheckSum()
+{
+ BOOL bFoundOD;
+ bFoundOD=FALSE;
+ DWORD CHECK_SUM=5555; //ÕýȷУÑéÖµ
+ DWORD dwAddr;
+ dwAddr=(DWORD)CheckSum;
+ __asm
+ {
+ ;¼ì²â´úÂ뿪ʼ
+ mov esi,dwAddr
+ mov ecx,100
+ xor eax,eax
+ checksum_loop:
+ movzx ebx,byte ptr [esi]
+ add eax,ebx
+ rol eax,1
+ inc esi
+ loop checksum_loop
+
+ cmp eax,CHECK_SUM
+ jz ODNotFound
+ mov bFoundOD,1
+ ODNotFound:
+ }
+ return bFoundOD;
+}
+void CDetectODDlg::OnChecksum()
+{
+ // TODO: Add your control notification handler code here
+ if(CheckSum())
+ {
+ AfxMessageBox("·¢ÏÖOD");
+ }
+ else
+ {
+ AfxMessageBox("ûÓÐOD");
+ }
+}
+/*********************************************************/
+
+void CDetectODDlg::OnEnableWindow()
+{
+ // TODO: Add your control notification handler code here
+ CWnd *wnd;
+ wnd=GetForegroundWindow();
+ wnd->EnableWindow(FALSE);
+ DWORD dwNoUse;
+ DWORD dwNoUse2;
+ dwNoUse=2;
+ dwNoUse2=3;
+ dwNoUse=dwNoUse2;
+ wnd->EnableWindow(TRUE);
+}
+/*********************************************************/
+typedef enum _THREADINFOCLASS {
+ThreadBasicInformation, // 0 Y N
+ThreadTimes, // 1 Y N
+ThreadPriority, // 2 N Y
+ThreadBasePriority, // 3 N Y
+ThreadAffinityMask, // 4 N Y
+ThreadImpersonationToken, // 5 N Y
+ThreadDescriptorTableEntry, // 6 Y N
+ThreadEnableAlignmentFaultFixup, // 7 N Y
+ThreadEventPair, // 8 N Y
+ThreadQuerySetWin32StartAddress, // 9 Y Y
+ThreadZeroTlsCell, // 10 N Y
+ThreadPerformanceCount, // 11 Y N
+ThreadAmILastThread, // 12 Y N
+ThreadIdealProcessor, // 13 N Y
+ThreadPriorityBoost, // 14 Y Y
+ThreadSetTlsArrayAddress, // 15 N Y
+ThreadIsIoPending, // 16 Y N
+ThreadHideFromDebugger // 17 N Y
+} THREAD_INFO_CLASS;
+
+typedef NTSTATUS (NTAPI *ZwSetInformationThread)(
+IN HANDLE ThreadHandle,
+IN THREAD_INFO_CLASS ThreadInformaitonClass,
+IN PVOID ThreadInformation,
+IN ULONG ThreadInformationLength
+);
+
+void CDetectODDlg::OnZwSetInformationThread()
+{
+ // TODO: Add your control notification handler code 
here
+ CString str="ÀûÓÃÎÒ¶¨Î»";
+ HANDLE hwnd;
+ HMODULE hModule;
+ hwnd=GetCurrentThread();
+ hModule=LoadLibrary("ntdll.dll");
+ ZwSetInformationThread myFunc;
+ myFunc=(ZwSetInformationThread)GetProcAddress(hModule,"ZwSetInformationThread");
+ myFunc(hwnd,ThreadHideFromDebugger,NULL,NULL);
+}
+/*********************************************************/
+void CDetectODDlg::OnOutputDebugString()
+{
+ // TODO: Add your control notification handler code here
+ ::OutputDebugString("%s%s%s");
+}
+/*********************************************************/
+void CDetectODDlg::OnGetEntryPoint()
+{
+ // TODO: Add your control notification handler code here
+ IMAGE_DOS_HEADER *dos_head=(IMAGE_DOS_HEADER *)GetModuleHandle(NULL);
+ PIMAGE_NT_HEADERS32 nt_head=(PIMAGE_NT_HEADERS32)((DWORD)dos_head+(DWORD)dos_head->e_lfanew);
+ DWORD EP=(nt_head->OptionalHeader.AddressOfEntryPoint);
+ CString str;
+ str.Format("%x",EP);
+ AfxMessageBox(str);
+
+ BYTE*OEP=(BYTE*)(nt_head->OptionalHeader.AddressOfEntryPoint+(DWORD)dos_head);
+ for(unsigned long index=0;index<20;index++){
+ if(OEP[index]==0xcc){
+ ExitProcess(0);
+ }
+ }
+
+}
+/**************************************************************/
+void terminateFunc()
+{
+ AfxMessageBox("set_terminateÖ¸¶¨µÄº¯Êý\n");
+ exit(0);
+}
+void CDetectODDlg::OnButton1()
+{
+ // TODO: Add your control notification handler code here
+
+ set_terminate(terminateFunc);
+ try{
+ div(10,0);
+ }catch(int){
+ AfxMessageBox("½ö²¶»ñÕûÐÍÒì³£");
+ }catch(...){
+ terminate(); //ËùÓÐÆäËüÒì³£
+ }
+ AfxMessageBox("°¡¹þ");
+}
+//********************************************************
+
+void CDetectODDlg::OnTrapFlag()
+{
+ try{
+ _asm{
+ pushfd //´¥·¢µ¥²½Òì³£
+ or dword ptr [esp],100h ;TF=1
+ popfd
+ }
+ AfxMessageBox("¼ì²âµ½OD");
+ }catch(...){
+ AfxMessageBox("ûÓÐOD");
+ }
+}
+//********************************************************
+static bool isDebugged=1;
+LONG WINAPI TopUnhandledExceptionFilter2(
+ struct _EXCEPTION_POINTERS *ExceptionInfo
+)
+{
+ 
_asm pushad
+ AfxMessageBox("»Øµ÷º¯Êý");
+ lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler);
+ ExceptionInfo->ContextRecord->Eip=NewEip;
+ isDebugged=0;
+ _asm popad
+ return EXCEPTION_CONTINUE_EXECUTION;
+}
+
+void CDetectODDlg::OnGuardPages()
+{
+ // TODO: Add your control notification handler code here
+
+ ULONG dwOldType;
+ DWORD dwPageSize;
+ LPVOID lpvBase; // »ñÈ¡ÄÚ´æµÄ»ùµØÖ·
+ SYSTEM_INFO sSysInfo; // ϵͳÐÅÏ¢
+ GetSystemInfo(&sSysInfo); // »ñȡϵͳÐÅÏ¢
+ dwPageSize=sSysInfo.dwPageSize; //ϵͳÄÚ´æÒ³´óС
+
+ lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")),
+ "SetUnhandledExceptionFilter");
+ lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter2);
+
+ // ·ÖÅäÄÚ´æ
+ lpvBase = VirtualAlloc(NULL,dwPageSize,MEM_COMMIT,PAGE_READWRITE);
+ if (lpvBase==NULL) AfxMessageBox("ÄÚ´æ·ÖÅäʧ°Ü");
+ _asm{
+ mov NewEip,offset safe //·½Ê½¶þ£¬¸ü¼òµ¥
+ mov eax,lpvBase
+ push eax
+ mov byte ptr [eax],0C3H //дһ¸ö RETN µ½±£ÁôÄڴ棬ÒÔ±ãÏÂÃæµÄµ÷Óà
+ }
+ if(0==::VirtualProtect(lpvBase,dwPageSize,PAGE_EXECUTE_READ | PAGE_GUARD,&dwOldType)){
+ AfxMessageBox("Ö´ÐÐʧ°Ü");
+ }
+ _asm{
+ pop ecx
+ call ecx //µ÷ÓÃʱѹջ
+safe:
+ pop ecx //¶Ñջƽºâ£¬µ¯³öµ÷ÓÃʱµÄѹջ
+ }
+ if(1==isDebugged){
+ AfxMessageBox("·¢ÏÖOD");
+ }else{
+ AfxMessageBox("ûÓÐOD");
+ }
+ VirtualFree(lpvBase,dwPageSize,MEM_DECOMMIT);
+}
+//********************************************************
+static bool isDebuggedHBP=0;
+LONG WINAPI TopUnhandledExceptionFilterHBP(
+ struct _EXCEPTION_POINTERS *ExceptionInfo
+)
+{
+ _asm pushad
+ AfxMessageBox("»Øµ÷º¯Êý±»µ÷ÓÃ");
+ ExceptionInfo->ContextRecord->Eip=NewEip;
+ if(0!=ExceptionInfo->ContextRecord->Dr0||0!=ExceptionInfo->ContextRecord->Dr1||
+ 0!=ExceptionInfo->ContextRecord->Dr2||0!=ExceptionInfo->ContextRecord->Dr3)
+ isDebuggedHBP=1; //¼ì²âÓÐÎÞÓ²¼þ¶Ïµã
+ ExceptionInfo->ContextRecord->Dr0=0; //½ûÓÃÓ²¼þ¶Ïµã£¬ÖÃ0
+ ExceptionInfo->ContextRecord->Dr1=0;
+ 
ExceptionInfo->ContextRecord->Dr2=0;
+ ExceptionInfo->ContextRecord->Dr3=0;
+ ExceptionInfo->ContextRecord->Dr6=0;
+ ExceptionInfo->ContextRecord->Dr7=0;
+ ExceptionInfo->ContextRecord->Eip=NewEip; //×ªÒÆµ½°²È«Î»Öà
+ _asm popad
+ return EXCEPTION_CONTINUE_EXECUTION;
+}
+
+void CDetectODDlg::OnHardwarebreakpoint()
+{
+ // TODO: Add your control notification handler code here
+
+ lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")),
+ "SetUnhandledExceptionFilter");
+ lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilterHBP);
+
+ _asm{
+ mov NewEip,offset safe //·½Ê½¶þ£¬¸ü¼òµ¥
+ int 3
+ mov isDebuggedHBP,1 //µ÷ÊÔʱ¿ÉÄÜÒ²²»»á´¥·¢Ò쳣ȥ¼ì²âÓ²¼þ¶Ïµã
+safe:
+ }
+ if(1==isDebuggedHBP){
+ AfxMessageBox("·¢ÏÖOD");
+ }else{
+ AfxMessageBox("ûÓÐOD");
+ }
+}
+//********************************************************
+
+void CDetectODDlg::OnCancel()
+{
+ // TODO: Add extra cleanup here
+ CDialog::OnCancel();
+}
+
+void CAboutDlg::OnMypage()
+{
+ // TODO: Add your control notification handler code here
+ ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
+}
+
+void CDetectODDlg::OnAbout()
+{
+ // TODO: Add your control notification handler code here
+ CAboutDlg dlg;
+ dlg.DoModal();
+}
+
+void CAboutDlg::OnMouseMove(UINT nFlags, CPoint point)
+{
+ // TODO: Add your message handler code here and/or call default
+ CRect rect(60,20,100,100);
+ if(rect.PtInRect(point)){
+ SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(NULL,IDC_HELP)));
+ }else{
+ SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(AfxGetApp()->m_hInstance,IDC_ARROW)));
+ }
+ CDialog::OnMouseMove(nFlags, point);
+}
+
+BOOL CAboutDlg::OnInitDialog()
+{
+ CDialog::OnInitDialog();
+
+ // TODO: Add extra initialization here
+ SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG))));
+ return TRUE; // return TRUE unless you set the focus to a control
+ // EXCEPTION: OCX Property 
Pages should return FALSE
+}
+
+void CDetectODDlg::OnOK()
+{
+ // TODO: Add extra validation here
+
+ CDialog::OnOK();
+}
+
+void CAboutDlg::OnComeon()
+{
+ // TODO: Add your control notification handler code here
+ ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
+}
+
+void CAboutDlg::OnMyicon()
+{
+ // TODO: Add your control notification handler code here
+ ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
+}
+
+void CDetectODDlg::OnMypage2()
+{
+ // TODO: Add your control notification handler code here
+ ::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
+}
diff --git a/course/ScyllaHide/DetectOD/DetectODDlg.h b/course/ScyllaHide/DetectOD/DetectODDlg.h
new file mode 100644
index 0000000000000000000000000000000000000000..47dc580c61439867498db7f94ef28c0657eeae63
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/DetectODDlg.h
@@ -0,0 +1,82 @@
+// DetectODDlg.h : header file
+//
+
+#if !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
+#define AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+
+/////////////////////////////////////////////////////////////////////////////
+// CDetectODDlg dialog
+
+class CDetectODDlg : public CDialog
+{
+// Construction
+public:
+ CDetectODDlg(CWnd* pParent = NULL); // standard constructor
+
+// Dialog Data
+ //{{AFX_DATA(CDetectODDlg)
+ enum { IDD = IDD_DETECTOD_DIALOG };
+ // NOTE: the ClassWizard will add data members here
+ //}}AFX_DATA
+
+ // ClassWizard generated virtual function overrides
+ //{{AFX_VIRTUAL(CDetectODDlg)
+ protected:
+ virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
+ //}}AFX_VIRTUAL
+
+// Implementation
+protected:
+ HICON m_hIcon;
+
+ // Generated message map functions
+ //{{AFX_MSG(CDetectODDlg)
+ virtual BOOL OnInitDialog();
+ afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
+ afx_msg void OnPaint();
+ afx_msg HCURSOR OnQueryDragIcon();
+ afx_msg void OnWndcls();
+ afx_msg void OnTest();
+ afx_msg void OnIsdebuggerpresent();
+ afx_msg void OnEnumwindow();
+ afx_msg void OnEnumProcess();
+ afx_msg void OnExplorer();
+ afx_msg void OnGetTickCount();
+ afx_msg void OnGetStartupInfo();
+ afx_msg void OnPebflags();
+ afx_msg void OnCheckremotedebuggerpresent();
+ afx_msg void OnZwqueryinfomationprocess();
+ afx_msg void OnSetUnhandledExceptionFilter();
+ afx_msg void OnZwQueryInformationProcess();
+ afx_msg void OnSeDebugPrivilege();
+ afx_msg void OnNTQueryObject();
+ afx_msg void OnDectectBreakpoints();
+ afx_msg void OnDectectFuncBreakpoints();
+ afx_msg void OnBlockInput();
+ afx_msg void OnChecksum();
+ afx_msg void OnEnableWindow();
+ afx_msg void OnZwSetInformationThread();
+ afx_msg void OnOutputDebugString();
+ afx_msg void OnGetEntryPoint();
+ afx_msg void OnButton1();
+ afx_msg void 
OnButton2();
+ afx_msg void OnTrapFlag();
+ afx_msg void OnGuardPages();
+ afx_msg void OnHardwarebreakpoint();
+ virtual void OnCancel();
+ afx_msg void OnAbout();
+ virtual void OnOK();
+ afx_msg void OnMypage2();
+ //}}AFX_MSG
+ DECLARE_MESSAGE_MAP()
+
+};
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/ReadMe.txt b/course/ScyllaHide/DetectOD/ReadMe.txt
new file mode 100644
index 0000000000000000000000000000000000000000..6952c36b1d0e24930a672694e3a524f6039d77dd
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/ReadMe.txt
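Review bot: The message map block declares both `afx_msg void OnZwqueryinfomationprocess();` and `afx_msg void OnZwQueryInformationProcess();`, two handlers that differ only in case and a spelling slip, and only the second has a definition in the part of DetectODDlg.cpp visible in this diff; resource.h in the same commit defines a single `IDC_ZwQueryInformationProcess`, so the first looks like a stale ClassWizard entry and should be removed, or renamed if it really drives a different check. `OnTest()`, `OnButton1()` and `OnButton2()` are control-default names; renaming them after the technique each exercises (for example the `OnButton1` body in the .cpp installs a `set_terminate` handler) would make the header self-describing. Since this is a teaching project, a one-line comment above each group of handlers naming the technique, e.g. `// PEB-based checks: NtGlobalFlag, ProcessHeap.Flags/ForceFlags`, would also help readers map the dialog buttons to the detections.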
@@ -0,0 +1,88 @@
+========================================================================
+ MICROSOFT FOUNDATION CLASS LIBRARY : DetectOD
+========================================================================
+
+
+AppWizard has created this DetectOD application for you. This application
+not only demonstrates the basics of using the Microsoft Foundation classes
+but is also a starting point for writing your application.
+
+This file contains a summary of what you will find in each of the files that
+make up your DetectOD application.
+
+DetectOD.dsp
+ This file (the project file) contains information at the project level and
+ is used to build a single project or subproject. Other users can share the
+ project (.dsp) file, but they should export the makefiles locally.
+
+DetectOD.h
+ This is the main header file for the application. It includes other
+ project specific headers (including Resource.h) and declares the
+ CDetectODApp application class.
+
+DetectOD.cpp
+ This is the main application source file that contains the application
+ class CDetectODApp.
+
+DetectOD.rc
+ This is a listing of all of the Microsoft Windows resources that the
+ program uses. It includes the icons, bitmaps, and cursors that are stored
+ in the RES subdirectory. This file can be directly edited in Microsoft
+ Visual C++.
+
+DetectOD.clw
+ This file contains information used by ClassWizard to edit existing
+ classes or add new classes. ClassWizard also uses this file to store
+ information needed to create and edit message maps and dialog data
+ maps and to create prototype member functions.
+
+res\DetectOD.ico
+ This is an icon file, which is used as the application's icon. This
+ icon is included by the main resource file DetectOD.rc.
+
+res\DetectOD.rc2
+ This file contains resources that are not edited by Microsoft
+ Visual C++. You should place all resources not editable by
+ the resource editor in this file. 
+
+
+
+
+/////////////////////////////////////////////////////////////////////////////
+
+AppWizard creates one dialog class:
+
+DetectODDlg.h, DetectODDlg.cpp - the dialog
+ These files contain your CDetectODDlg class. This class defines
+ the behavior of your application's main dialog. The dialog's
+ template is in DetectOD.rc, which can be edited in Microsoft
+ Visual C++.
+
+
+/////////////////////////////////////////////////////////////////////////////
+Other standard files:
+
+StdAfx.h, StdAfx.cpp
+ These files are used to build a precompiled header (PCH) file
+ named DetectOD.pch and a precompiled types file named StdAfx.obj.
+
+Resource.h
+ This is the standard header file, which defines new resource IDs.
+ Microsoft Visual C++ reads and updates this file.
+
+/////////////////////////////////////////////////////////////////////////////
+Other notes:
+
+AppWizard uses "TODO:" to indicate parts of the source code you
+should add to or customize.
+
+If your application uses MFC in a shared DLL, and your application is
+in a language other than the operating system's current language, you
+will need to copy the corresponding localized resources MFC42XXX.DLL
+from the Microsoft Visual C++ CD-ROM onto the system or system32 directory,
+and rename it to be MFCLOC.DLL. ("XXX" stands for the language abbreviation.
+For example, MFC42DEU.DLL contains resources translated to German.) If you
+don't do this, some of the UI elements of your application will remain in the
+language of the operating system.
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/course/ScyllaHide/DetectOD/StdAfx.cpp b/course/ScyllaHide/DetectOD/StdAfx.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..93092245c471cf8f8dad37b44df8fdac668c3577
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/StdAfx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// DetectOD.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+
+
diff --git a/course/ScyllaHide/DetectOD/StdAfx.h b/course/ScyllaHide/DetectOD/StdAfx.h
new file mode 100644
index 0000000000000000000000000000000000000000..fe8af2fd3e25cc2b69ab8dae66abe0f7c2516089
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/StdAfx.h
@@ -0,0 +1,27 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#if !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
+#define AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_
+
+#if _MSC_VER > 1000
+#pragma once
+#endif // _MSC_VER > 1000
+
+#define VC_EXTRALEAN // Exclude rarely-used stuff from Windows headers
+
+#include // MFC core and standard components
+#include // MFC extensions
+#include // MFC Automation classes
+#include // MFC support for Internet Explorer 4 Common Controls
+#ifndef _AFX_NO_AFXCMN_SUPPORT
+#include // MFC support for Windows Common Controls
+#endif // _AFX_NO_AFXCMN_SUPPORT
+
+
+//{{AFX_INSERT_LOCATION}}
+// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
+
+#endif // !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
diff --git a/course/ScyllaHide/DetectOD/res/DetectOD.ico b/course/ScyllaHide/DetectOD/res/DetectOD.ico
new file mode 100644
index 0000000000000000000000000000000000000000..7eef0bcbe6580a6f464d688906172c2d9de44262
Binary files /dev/null and b/course/ScyllaHide/DetectOD/res/DetectOD.ico differ
diff --git a/course/ScyllaHide/DetectOD/res/DetectOD.rc2 b/course/ScyllaHide/DetectOD/res/DetectOD.rc2
new file mode 100644
index 0000000000000000000000000000000000000000..3b0edfb9302e3c1c2134deda08da86bbabe86c66
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/res/DetectOD.rc2
@@ -0,0 +1,13 @@
+//
+// DETECTOD.RC2 - resources Microsoft Visual C++ does not edit directly
+//
+
+#ifdef APSTUDIO_INVOKED
+ #error this file is not editable by Microsoft Visual C++
+#endif //APSTUDIO_INVOKED
+
+
+/////////////////////////////////////////////////////////////////////////////
+// Add manually edited resources here...
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/course/ScyllaHide/DetectOD/res/User.ico b/course/ScyllaHide/DetectOD/res/User.ico
new file mode 100644
index 0000000000000000000000000000000000000000..c4ca15e61fc9ea159480f5badc63c6dd61fc5570
Binary files /dev/null and b/course/ScyllaHide/DetectOD/res/User.ico differ
diff --git a/course/ScyllaHide/DetectOD/res/dog.ico b/course/ScyllaHide/DetectOD/res/dog.ico
new file mode 100644
index 0000000000000000000000000000000000000000..4b41db2a9e4d321495c8489d5734d2caf626b0ae
Binary files /dev/null and b/course/ScyllaHide/DetectOD/res/dog.ico differ
diff --git a/course/ScyllaHide/DetectOD/res/home.ico b/course/ScyllaHide/DetectOD/res/home.ico
new file mode 100644
index 0000000000000000000000000000000000000000..f43128b9d1fe8bf5941e20a42c97f672e3817846
Binary files /dev/null and b/course/ScyllaHide/DetectOD/res/home.ico differ
diff --git a/course/ScyllaHide/DetectOD/resource.h b/course/ScyllaHide/DetectOD/resource.h
new file mode 100644
index 0000000000000000000000000000000000000000..739809c8c07cdf760e6648ba4ef9e32409a3aea2
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/resource.h
@@ -0,0 +1,51 @@
+//{{NO_DEPENDENCIES}}
+// Microsoft Developer Studio generated include file.
+// Used by DetectOD.rc
+//
+#define IDC_ABOUT 3
+#define IDM_ABOUTBOX 0x0010
+#define IDD_ABOUTBOX 100
+#define IDS_ABOUTBOX 101
+#define IDD_DETECTOD_DIALOG 102
+#define IDR_MAINFRAME 128
+#define IDI_DOG 129
+#define IDI_ICON2 133
+#define IDC_WNDCLS 1000
+#define IDC_ISDEBUGGERPRESENT 1002
+#define IDC_ENUMWINDOW 1003
+#define IDC_EnumProcess 1004
+#define IDC_Explorer 1005
+#define IDC_GetTickCount 1006
+#define IDC_GetStartupInfo 1007
+#define IDC_PEBFLAGS 1008
+#define IDC_CHECKREMOTEDEBUGGERPRESENT 1009
+#define IDC_ZwQueryInformationProcess 1010
+#define IDC_SetUnhandledExceptionFilter 1014
+#define IDC_MYPAGE 1014
+#define IDC_SeDebugPrivilege 1015
+#define IDC_COMEON 1015
+#define IDC_MYICON 1016
+#define IDC_MYPAGE2 1016
+#define IDC_NTQueryObject 1017
+#define IDC_DectectBreakpoints 1018
+#define IDC_DectectFuncBreakpoints 1019
+#define IDC_BlockInput 1020
+#define IDC_CHECKSUM 1021
+#define IDC_EnableWindow 1022
+#define IDC_ZwSetInformationThread 1023
+#define IDC_OutputDebugString 1024
+#define IDC_GetEntryPoint 1025
+#define IDC_TrapFlag 1026
+#define IDC_GuardPages 1027
+#define IDC_HARDWAREBREAKPOINT 1028
+
+// Next default values for new objects
+//
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+#define _APS_NEXT_RESOURCE_VALUE 134
+#define _APS_NEXT_COMMAND_VALUE 32771
+#define _APS_NEXT_CONTROL_VALUE 1017
+#define _APS_NEXT_SYMED_VALUE 101
+#endif
+#endif
diff --git a/course/ScyllaHide/DetectOD/tlssup.c b/course/ScyllaHide/DetectOD/tlssup.c
new file mode 100644
index 0000000000000000000000000000000000000000..b5733144a3202a5e9cc2ddb6b8e323d836e48e89
--- /dev/null
+++ b/course/ScyllaHide/DetectOD/tlssup.c
@@ -0,0 +1,21 @@
+// tlssup.cÎļþ´úÂ룺
+#include
+#include
+
+int _tls_index=0;
+
+#pragma data_seg(".tls")
+int _tls_start=0;
+#pragma data_seg(".tls$ZZZ")
+int _tls_end=0;
+#pragma data_seg(".CRT$XLA")
+int __xl_a=0;
+#pragma data_seg(".CRT$XLZ")
+int __xl_z=0;
+
+#pragma data_seg(".rdata$T")
+
+extern PIMAGE_TLS_CALLBACK my_tls_callbacktbl[];
+
+IMAGE_TLS_DIRECTORY32 _tls_used={(DWORD)&_tls_start,(DWORD)&_tls_end,(DWORD)&_tls_index,(DWORD)my_tls_callbacktbl,0,0};
+
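Review bot: `my_tls_callbacktbl` is only declared `extern` on the line before `_tls_used`, and nothing in this file or elsewhere in the diff defines it, so the build links only if another translation unit supplies a NULL-terminated `PIMAGE_TLS_CALLBACK` array; the file should say so rather than leave the reader to discover it at link time. The `(DWORD)` casts of the four addresses together with the `IMAGE_TLS_DIRECTORY32` type also tie this file to 32-bit builds, and since `_tls_used` is referenced by nothing here, whether the linker keeps the TLS directory presumably depends on it being forced in (on MSVC x86 typically `#pragma comment(linker, "/INCLUDE:__tls_used")`), which is not visible in this commit. I would add a header comment after the first line: `/* Hand-built TLS directory: the callbacks in my_tls_callbacktbl (defined elsewhere, NULL-terminated) run at image load, before the entry point. x86-only because of the DWORD casts / IMAGE_TLS_DIRECTORY32; an x64 build needs the 64-bit directory type. */`. The two `#include` lines show no header name in this rendering, presumably lost angle brackets; worth confirming the checked-in file names them.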