提交 96a9f964 编写于 作者: K khz_df

【各种反调试技术原理与实例 VC版】https://github.com/wanttobeno/AntiDebuggers...

【各种反调试技术原理与实例 VC版】https://github.com/wanttobeno/AntiDebuggers https://bbs.pediy.com/thread-114767.htm
上级 98e52679
# Prerequisites
*.d
# Compiled Object files
*.slo
*.lo
*.o
*.obj
# Precompiled Headers
*.gch
*.pch
# Compiled Dynamic libraries
*.so
*.dylib
*.dll
# Fortran module files
*.mod
*.smod
# Compiled Static libraries
*.lai
*.la
*.a
*.lib
# Executables
*.exe
*.out
*.app
#过滤数据库文件、sln解决方案文件、配置文件
*.suo
*.user
*.sdf
*.mdb
*.ldb
*.config
*.pdb
*.ilk
*.ipdb
*.iobj
*.aps
*.opensdf
*.exp
#过滤文件夹Debug,Release,obj
.vs/
.bak/
ipch/
Debug/
Debug_cef/
Release/
obj/
AutoLogin_VS2012/bin/bin.rar
Heart/Tangram/SHARE
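Review bot: The last two entries, `AutoLogin_VS2012/bin/bin.rar` and `Heart/Tangram/SHARE`, name paths that do not exist anywhere in this commit, which suggests the file was copied over from another project. They are harmless but misleading to the next reader, so either delete them or keep only the patterns this MFC project actually produces (`Debug/`, `Release/`, `.vs/`, `*.pdb`, `*.exe` and friends). Note also that `*.config` is ignored globally; if a real configuration file is ever added to the repository it will be silently dropped, so consider narrowing that line to the specific generated file it was meant for.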
// About.cpp : implementation file
//
#include "stdafx.h"
#include "DetectOD.h"
#include "About.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CAbout dialog
CAbout::CAbout(CWnd* pParent /*=NULL*/)
: CDialog(CAbout::IDD, pParent)
{
//{{AFX_DATA_INIT(CAbout)
// NOTE: the ClassWizard will add member initialization here
//}}AFX_DATA_INIT
}
void CAbout::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CAbout)
// NOTE: the ClassWizard will add DDX and DDV calls here
//}}AFX_DATA_MAP
}
BEGIN_MESSAGE_MAP(CAbout, CDialog)
//{{AFX_MSG_MAP(CAbout)
// NOTE: the ClassWizard will add message map macros here
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CAbout message handlers
#if !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
#define AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
// About.h : header file
//
/////////////////////////////////////////////////////////////////////////////
// CAbout dialog
class CAbout : public CDialog
{
// Construction
public:
CAbout(CWnd* pParent = NULL); // standard constructor
// Dialog Data
//{{AFX_DATA(CAbout)
enum { IDD = IDD_DETECTOD_DIALOG };
// NOTE: the ClassWizard will add data members here
//}}AFX_DATA
// Overrides
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CAbout)
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
//}}AFX_VIRTUAL
// Implementation
protected:
// Generated message map functions
//{{AFX_MSG(CAbout)
// NOTE: the ClassWizard will add member functions here
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_ABOUT_H__E6A0B5AD_AEAB_4C62_B057_2E9C36D008CF__INCLUDED_)
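Review bot: `enum { IDD = IDD_DETECTOD_DIALOG };` on CAbout ties the about box to the main-window dialog template rather than to an about template, so a `CAbout::DoModal()` would bring up the main dialog with none of its button handlers. The resource script in this same commit defines `IDD_ABOUTBOX` for that purpose, and DetectODDlg.cpp already declares its own `CAboutDlg` bound to it, so About.h/About.cpp look like a stale duplicate; they are also absent from the ClCompile/ClInclude items in DetectOD.vcxproj, which means they are never built. Either drop the two files, or change the line to `enum { IDD = IDD_ABOUTBOX };`, add them to the project and remove the duplicate CAboutDlg.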
// DetectOD.cpp : Defines the class behaviors for the application.
//
#include "stdafx.h"
#include "DetectOD.h"
#include "DetectODDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp
BEGIN_MESSAGE_MAP(CDetectODApp, CWinApp)
//{{AFX_MSG_MAP(CDetectODApp)
// NOTE - the ClassWizard will add and remove mapping macros here.
// DO NOT EDIT what you see in these blocks of generated code!
//}}AFX_MSG
ON_COMMAND(ID_HELP, CWinApp::OnHelp)
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp construction
CDetectODApp::CDetectODApp()
{
// TODO: add construction code here,
// Place all significant initialization in InitInstance
}
/////////////////////////////////////////////////////////////////////////////
// The one and only CDetectODApp object
CDetectODApp theApp;
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp initialization
BOOL CDetectODApp::InitInstance()
{
AfxEnableControlContainer();
// Standard initialization
// If you are not using these features and wish to reduce the size
// of your final executable, you should remove from the following
// the specific initialization routines you do not need.
#ifdef _AFXDLL
Enable3dControls(); // Call this when using MFC in a shared DLL
#else
Enable3dControlsStatic(); // Call this when linking to MFC statically
#endif
CDetectODDlg dlg;
m_pMainWnd = &dlg;
int nResponse = dlg.DoModal();
if (nResponse == IDOK)
{
// TODO: Place code here to handle when the dialog is
// dismissed with OK
}
else if (nResponse == IDCANCEL)
{
// TODO: Place code here to handle when the dialog is
// dismissed with Cancel
}
// Since the dialog has been closed, return FALSE so that we exit the
// application, rather than start the application's message pump.
return FALSE;
}
// DetectOD.h : main header file for the DETECTOD application
//
#if !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
#define AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
#ifndef __AFXWIN_H__
#error include 'stdafx.h' before including this file for PCH
#endif
#include "resource.h" // main symbols
/////////////////////////////////////////////////////////////////////////////
// CDetectODApp:
// See DetectOD.cpp for the implementation of this class
//
class CDetectODApp : public CWinApp
{
public:
CDetectODApp();
// Overrides
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CDetectODApp)
public:
virtual BOOL InitInstance();
//}}AFX_VIRTUAL
// Implementation
//{{AFX_MSG(CDetectODApp)
// NOTE - the ClassWizard will add and remove member functions here.
// DO NOT EDIT what you see in these blocks of generated code !
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
/////////////////////////////////////////////////////////////////////////////
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_DETECTOD_H__D2C4A318_F732_4AD0_B210_EF118C7FAC21__INCLUDED_)
//Microsoft Developer Studio generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "afxres.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// Chinese (中国) resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)
#ifdef _WIN32
LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED
#pragma code_page(936)
#endif //_WIN32
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE DISCARDABLE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE DISCARDABLE
BEGIN
"#include ""afxres.h""\r\n"
"\0"
END
3 TEXTINCLUDE DISCARDABLE
BEGIN
"#define _AFX_NO_SPLITTER_RESOURCES\r\n"
"#define _AFX_NO_OLE_RESOURCES\r\n"
"#define _AFX_NO_TRACKER_RESOURCES\r\n"
"#define _AFX_NO_PROPERTY_RESOURCES\r\n"
"\r\n"
"#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)\r\n"
"#ifdef _WIN32\r\n"
"LANGUAGE 4, 2\r\n"
"#pragma code_page(936)\r\n"
"#endif //_WIN32\r\n"
"#include ""res\\DetectOD.rc2"" // non-Microsoft Visual C++ edited resources\r\n"
"#include ""l.chs\\afxres.rc"" // Standard components\r\n"
"#endif\r\n"
"\0"
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Icon
//
// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDR_MAINFRAME ICON DISCARDABLE "res\\DetectOD.ico"
IDI_DOG ICON DISCARDABLE "res\\dog.ico"
IDI_ICON2 ICON DISCARDABLE "res\\home.ico"
/////////////////////////////////////////////////////////////////////////////
//
// Dialog
//
IDD_ABOUTBOX DIALOG DISCARDABLE 0, 0, 235, 55
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "关于 反调试实例"
FONT 9, "宋体"
BEGIN
ICON IDI_ICON2,IDC_MYICON,11,16,20,20,SS_NOTIFY
LTEXT "官方网站:写意互联网",IDC_COMEON,56,31,88,8,SS_NOTIFY |
NOT WS_GROUP
DEFPUSHBUTTON "确定",IDOK,178,7,50,14,WS_GROUP
CTEXT "http://ucooper.com",IDC_MYPAGE,40,17,106,8,SS_NOTIFY
END
IDD_DETECTOD_DIALOG DIALOGEX 0, 0, 443, 200
STYLE DS_MODALFRAME | WS_MINIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION |
WS_SYSMENU
EXSTYLE WS_EX_APPWINDOW
CAPTION "反调试实例 写意互联网 ucooper.com"
FONT 9, "宋体"
BEGIN
DEFPUSHBUTTON "关 闭(&C)",IDOK,375,18,61,18
PUSHBUTTON "窗口类名",IDC_WNDCLS,13,6,46,18
PUSHBUTTON "IsDebuggerPresent",IDC_ISDEBUGGERPRESENT,13,31,97,18
PUSHBUTTON "EnumWindow",IDC_ENUMWINDOW,63,6,47,18
PUSHBUTTON "枚举进程",IDC_EnumProcess,13,55,96,18
PUSHBUTTON "父进程Explorer",IDC_Explorer,13,79,96,18
PUSHBUTTON "GetTickCount",IDC_GetTickCount,13,103,96,18
PUSHBUTTON "GetStartupInfo",IDC_GetStartupInfo,13,127,96,18
PUSHBUTTON "PebFlags",IDC_PEBFLAGS,13,151,97,18
PUSHBUTTON "CheckRemoteDebuggerPresent",
IDC_CHECKREMOTEDEBUGGERPRESENT,7,175,109,18
PUSHBUTTON "ZwQueryInformationProcess",
IDC_ZwQueryInformationProcess,127,6,109,18
PUSHBUTTON "SetUnhandledExceptionFilter",
IDC_SetUnhandledExceptionFilter,127,175,109,18
PUSHBUTTON "SeDebugPrivilege",IDC_SeDebugPrivilege,127,31,109,18
PUSHBUTTON "NTQueryObject",IDC_NTQueryObject,127,55,109,18
PUSHBUTTON "断点检测",IDC_DectectBreakpoints,127,79,109,18
PUSHBUTTON "函数断点检测",IDC_DectectFuncBreakpoints,127,103,109,18
PUSHBUTTON "BlockInput",IDC_BlockInput,127,151,109,18
PUSHBUTTON "CheckSum",IDC_CHECKSUM,127,127,109,18
PUSHBUTTON "EnableWindow",IDC_EnableWindow,253,6,109,18
PUSHBUTTON "ZwSetInformationThread",IDC_ZwSetInformationThread,253,
31,109,18
PUSHBUTTON "OutputDebugString",IDC_OutputDebugString,253,55,109,18
PUSHBUTTON "GetEntryPoint",IDC_GetEntryPoint,253,152,109,18
PUSHBUTTON "单步异常",IDC_TrapFlag,253,80,109,18
PUSHBUTTON "保护页Guard Pages",IDC_GuardPages,253,103,109,18
PUSHBUTTON "HardwareBreakpoint",IDC_HARDWAREBREAKPOINT,253,127,109,
18
PUSHBUTTON "关 于(&A)",IDC_ABOUT,375,47,61,18
CTEXT "支持我,请访问我的个人站点 www.ucooper.com",IDC_MYPAGE2,
257,183,183,10,SS_NOTIFY
END
#ifndef _MAC
/////////////////////////////////////////////////////////////////////////////
//
// Version
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 1,0,0,1
PRODUCTVERSION 1,0,0,1
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x4L
FILETYPE 0x1L
FILESUBTYPE 0x0L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "080404B0"
BEGIN
VALUE "CompanyName", "\0"
VALUE "FileDescription", "DetectOD Microsoft 基础类应用程序\0"
VALUE "FileVersion", "1, 0, 0, 1\0"
VALUE "InternalName", "DetectOD\0"
VALUE "LegalCopyright", "版权所有 (C) 2010\0"
VALUE "LegalTrademarks", "\0"
VALUE "OriginalFilename", "DetectOD.EXE\0"
VALUE "ProductName", "DetectOD 应用程序\0"
VALUE "ProductVersion", "1, 0, 0, 1\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x804, 1200
END
END
#endif // !_MAC
/////////////////////////////////////////////////////////////////////////////
//
// DESIGNINFO
//
#ifdef APSTUDIO_INVOKED
GUIDELINES DESIGNINFO DISCARDABLE
BEGIN
IDD_ABOUTBOX, DIALOG
BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 228
TOPMARGIN, 7
BOTTOMMARGIN, 48
END
IDD_DETECTOD_DIALOG, DIALOG
BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 436
TOPMARGIN, 6
BOTTOMMARGIN, 193
END
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// String Table
//
STRINGTABLE DISCARDABLE
BEGIN
IDS_ABOUTBOX "关于 DetectOD(&A)..."
END
#endif // Chinese (中国) resources
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)
#ifdef _WIN32
LANGUAGE 4, 2
#pragma code_page(936)
#endif //_WIN32
#include "res\DetectOD.rc2" // non-Microsoft Visual C++ edited resources
#include "l.chs\afxres.rc" // Standard components
#endif
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2012
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DetectOD", "DetectOD.vcxproj", "{0CD6F28B-6A93-42AB-A435-46223134EB03}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{0CD6F28B-6A93-42AB-A435-46223134EB03}.Debug|Win32.ActiveCfg = Debug|Win32
{0CD6F28B-6A93-42AB-A435-46223134EB03}.Debug|Win32.Build.0 = Debug|Win32
{0CD6F28B-6A93-42AB-A435-46223134EB03}.Release|Win32.ActiveCfg = Release|Win32
{0CD6F28B-6A93-42AB-A435-46223134EB03}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<SccProjectName />
<SccLocalPath />
<Keyword>MFCProj</Keyword>
<ProjectGuid>{0CD6F28B-6A93-42AB-A435-46223134EB03}</ProjectGuid>
<WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v141</PlatformToolset>
<UseOfMfc>Dynamic</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v141</PlatformToolset>
<UseOfMfc>Dynamic</UseOfMfc>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.Cpp.UpgradeFromVC60.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="$(VCTargetsPath)Microsoft.Cpp.UpgradeFromVC60.props" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<OutDir>.\Debug\</OutDir>
<IntDir>.\Debug\</IntDir>
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<OutDir>.\Release\</OutDir>
<IntDir>.\Release\</IntDir>
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
<InlineFunctionExpansion>Default</InlineFunctionExpansion>
<FunctionLevelLinking>true</FunctionLevelLinking>
<Optimization>Disabled</Optimization>
<SuppressStartupBanner>true</SuppressStartupBanner>
<WarningLevel>TurnOffAllWarnings</WarningLevel>
<TreatWarningAsError>true</TreatWarningAsError>
<MinimalRebuild>true</MinimalRebuild>
<DebugInformationFormat>EditAndContinue</DebugInformationFormat>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AssemblerListingLocation>.\Debug\</AssemblerListingLocation>
<BrowseInformation>true</BrowseInformation>
<PrecompiledHeaderOutputFile>.\Debug\DetectOD.pch</PrecompiledHeaderOutputFile>
<PrecompiledHeader>Use</PrecompiledHeader>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<ObjectFileName>.\Debug\</ObjectFileName>
<ProgramDataBaseFileName>.\Debug\</ProgramDataBaseFileName>
<BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
</ClCompile>
<Midl>
<SuppressStartupBanner>true</SuppressStartupBanner>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<TypeLibraryName>.\Debug\DetectOD.tlb</TypeLibraryName>
<MkTypLibCompatible>true</MkTypLibCompatible>
<TargetEnvironment>Win32</TargetEnvironment>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Bscmake>
<SuppressStartupBanner>true</SuppressStartupBanner>
<OutputFile>.\Debug\DetectOD.bsc</OutputFile>
</Bscmake>
<Link>
<SuppressStartupBanner>true</SuppressStartupBanner>
<GenerateDebugInformation>true</GenerateDebugInformation>
<SubSystem>Windows</SubSystem>
<OutputFile>.\Debug\DetectOD.exe</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<InlineFunctionExpansion>Default</InlineFunctionExpansion>
<FunctionLevelLinking>false</FunctionLevelLinking>
<Optimization>Disabled</Optimization>
<SuppressStartupBanner>true</SuppressStartupBanner>
<WarningLevel>Level3</WarningLevel>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<AssemblerListingLocation>.\Release\</AssemblerListingLocation>
<PrecompiledHeaderOutputFile>.\Release\DetectOD.pch</PrecompiledHeaderOutputFile>
<PrecompiledHeader>Use</PrecompiledHeader>
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
<ObjectFileName>.\Release\</ObjectFileName>
<ProgramDataBaseFileName>.\Release\</ProgramDataBaseFileName>
</ClCompile>
<Midl>
<SuppressStartupBanner>true</SuppressStartupBanner>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<TypeLibraryName>.\Release\DetectOD.tlb</TypeLibraryName>
<MkTypLibCompatible>true</MkTypLibCompatible>
<TargetEnvironment>Win32</TargetEnvironment>
</Midl>
<ResourceCompile>
<Culture>0x0804</Culture>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
<Bscmake>
<SuppressStartupBanner>true</SuppressStartupBanner>
<OutputFile>.\Release\DetectOD.bsc</OutputFile>
</Bscmake>
<Link>
<SuppressStartupBanner>true</SuppressStartupBanner>
<SubSystem>Windows</SubSystem>
<OutputFile>.\Release\DetectOD.exe</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="DetectOD.cpp" />
<ClCompile Include="DetectODDlg.cpp" />
<ClCompile Include="StdAfx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">stdafx.h</PrecompiledHeaderFile>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">stdafx.h</PrecompiledHeaderFile>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="DetectOD.rc" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="DetectOD.h" />
<ClInclude Include="DetectODDlg.h" />
<ClInclude Include="Resource.h" />
<ClInclude Include="StdAfx.h" />
</ItemGroup>
<ItemGroup>
<Image Include="res\DetectOD.ico" />
<Image Include="res\dog.ico" />
<Image Include="res\home.ico" />
<Image Include="res\User.ico" />
</ItemGroup>
<ItemGroup>
<CustomBuild Include="res\DetectOD.rc2" />
</ItemGroup>
<ItemGroup>
<Text Include="ReadMe.txt" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
\ No newline at end of file
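Review bot: The Debug ClCompile group sets `<WarningLevel>TurnOffAllWarnings</WarningLevel>` directly above `<TreatWarningAsError>true</TreatWarningAsError>`, which is self-defeating — with every warning suppressed the error flag never fires — while the Release group uses Level3 with no error flag, so the two configurations enforce different rules. I would use `<WarningLevel>Level3</WarningLevel>` in Debug and carry `<TreatWarningAsError>true</TreatWarningAsError>` into Release as well, so that the unchecked Win32 return values in the dialog code at least surface as warnings. Release also carries `<Optimization>Disabled</Optimization>`; if that is deliberate so the optimiser does not reorder or fold the timing and breakpoint checks, say so in an XML comment, otherwise it is a leftover from the VC6 upgrade. Since both PropertySheets groups import Microsoft.Cpp.UpgradeFromVC60.props and nothing in the file sets Link hardening explicitly, it is worth confirming the effective `DataExecutionPrevention` and `RandomizedBaseAddress` values for the built executable rather than assuming the v141 defaults apply.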
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{482dc496-684c-4bef-b2aa-7fe4a3c1f3b9}</UniqueIdentifier>
<Extensions>cpp;c;cxx;rc;def;r;odl;idl;hpj;bat</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{8240ba4f-278d-4fef-b682-382d3baf9fd9}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{235672e2-eb7d-4e1d-bddc-f8475e3f06a2}</UniqueIdentifier>
<Extensions>ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="DetectOD.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="DetectODDlg.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="StdAfx.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="DetectOD.rc">
<Filter>Source Files</Filter>
</ResourceCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="DetectOD.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="DetectODDlg.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="Resource.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="StdAfx.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<Image Include="res\DetectOD.ico">
<Filter>Resource Files</Filter>
</Image>
<Image Include="res\dog.ico">
<Filter>Resource Files</Filter>
</Image>
<Image Include="res\home.ico">
<Filter>Resource Files</Filter>
</Image>
<Image Include="res\User.ico">
<Filter>Resource Files</Filter>
</Image>
</ItemGroup>
<ItemGroup>
<Text Include="ReadMe.txt" />
</ItemGroup>
<ItemGroup>
<CustomBuild Include="res\DetectOD.rc2">
<Filter>Resource Files</Filter>
</CustomBuild>
</ItemGroup>
</Project>
\ No newline at end of file
// DetectODDlg.cpp : implementation file
//
#include "stdafx.h"
#include "DetectOD.h"
#include "DetectODDlg.h"
#include "Shlwapi.h"
#include "tlhelp32.h"
#include "Windows.h"
// #include "Winable.h"
#include <winnt.h>
#include "eh.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
typedef LONG NTSTATUS;
static DWORD NewEip;
/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About
class CAboutDlg : public CDialog
{
public:
CAboutDlg();
// Dialog Data
//{{AFX_DATA(CAboutDlg)
enum { IDD = IDD_ABOUTBOX };
//}}AFX_DATA
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CAboutDlg)
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
//}}AFX_VIRTUAL
// Implementation
protected:
//{{AFX_MSG(CAboutDlg)
afx_msg void OnMypage();
afx_msg void OnMouseMove(UINT nFlags, CPoint point);
virtual BOOL OnInitDialog();
afx_msg void OnComeon();
afx_msg void OnMyicon();
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
//{{AFX_DATA_INIT(CAboutDlg)
//}}AFX_DATA_INIT
}
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CAboutDlg)
//}}AFX_DATA_MAP
}
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
//{{AFX_MSG_MAP(CAboutDlg)
ON_BN_CLICKED(IDC_MYPAGE, OnMypage)
ON_WM_MOUSEMOVE()
ON_BN_CLICKED(IDC_COMEON, OnComeon)
ON_BN_CLICKED(IDC_MYICON, OnMyicon)
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CDetectODDlg dialog
CDetectODDlg::CDetectODDlg(CWnd* pParent /*=NULL*/)
: CDialog(CDetectODDlg::IDD, pParent)
{
//{{AFX_DATA_INIT(CDetectODDlg)
// NOTE: the ClassWizard will add member initialization here
//}}AFX_DATA_INIT
// Note that LoadIcon does not require a subsequent DestroyIcon in Win32
m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}
void CDetectODDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CDetectODDlg)
// NOTE: the ClassWizard will add DDX and DDV calls here
//}}AFX_DATA_MAP
}
BEGIN_MESSAGE_MAP(CDetectODDlg, CDialog)
//{{AFX_MSG_MAP(CDetectODDlg)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_BN_CLICKED(IDC_WNDCLS, OnWndcls)
ON_BN_CLICKED(IDC_ISDEBUGGERPRESENT, OnIsdebuggerpresent)
ON_BN_CLICKED(IDC_ENUMWINDOW, OnEnumwindow)
ON_BN_CLICKED(IDC_EnumProcess, OnEnumProcess)
ON_BN_CLICKED(IDC_Explorer, OnExplorer)
ON_BN_CLICKED(IDC_GetTickCount, OnGetTickCount)
ON_BN_CLICKED(IDC_GetStartupInfo, OnGetStartupInfo)
ON_BN_CLICKED(IDC_PEBFLAGS, OnPebflags)
ON_BN_CLICKED(IDC_CHECKREMOTEDEBUGGERPRESENT, OnCheckremotedebuggerpresent)
ON_BN_CLICKED(IDC_SetUnhandledExceptionFilter, OnSetUnhandledExceptionFilter)
ON_BN_CLICKED(IDC_ZwQueryInformationProcess, OnZwQueryInformationProcess)
ON_BN_CLICKED(IDC_SeDebugPrivilege, OnSeDebugPrivilege)
ON_BN_CLICKED(IDC_NTQueryObject, OnNTQueryObject)
ON_BN_CLICKED(IDC_DectectBreakpoints, OnDectectBreakpoints)
ON_BN_CLICKED(IDC_DectectFuncBreakpoints, OnDectectFuncBreakpoints)
ON_BN_CLICKED(IDC_BlockInput, OnBlockInput)
ON_BN_CLICKED(IDC_CHECKSUM, OnChecksum)
ON_BN_CLICKED(IDC_EnableWindow, OnEnableWindow)
ON_BN_CLICKED(IDC_ZwSetInformationThread, OnZwSetInformationThread)
ON_BN_CLICKED(IDC_OutputDebugString, OnOutputDebugString)
ON_BN_CLICKED(IDC_GetEntryPoint, OnGetEntryPoint)
ON_BN_CLICKED(IDC_TrapFlag, OnTrapFlag)
ON_BN_CLICKED(IDC_GuardPages, OnGuardPages)
ON_BN_CLICKED(IDC_HARDWAREBREAKPOINT, OnHardwarebreakpoint)
ON_BN_CLICKED(IDC_ABOUT, OnAbout)
ON_BN_CLICKED(IDC_MYPAGE2, OnMypage2)
//}}AFX_MSG_MAP
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CDetectODDlg message handlers
BOOL CDetectODDlg::OnInitDialog()
{
CDialog::OnInitDialog();
// Add "About..." menu item to system menu.
// IDM_ABOUTBOX must be in the system command range.
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000);
CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
CString strAboutMenu;
strAboutMenu.LoadString(IDS_ABOUTBOX);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
}
// Set the icon for this dialog. The framework does this automatically
// when the application's main window is not a dialog
// SetIcon(m_hIcon, TRUE); // Set big icon
// SetIcon(m_hIcon, FALSE); // Set small icon
// TODO: Add extra initialization here
SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG))));
return TRUE; // return TRUE unless you set the focus to a control
}
void CDetectODDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialog::OnSysCommand(nID, lParam);
}
}
// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view model,
// this is automatically done for you by the framework.
void CDetectODDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // device context for painting
SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);
// Center icon in client rectangle
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) / 2;
int y = (rect.Height() - cyIcon + 1) / 2;
// Draw the icon
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialog::OnPaint();
}
}
// The system calls this to obtain the cursor to display while the user drags
// the minimized window.
HCURSOR CDetectODDlg::OnQueryDragIcon()
{
return (HCURSOR) m_hIcon;
}
void CDetectODDlg::OnWndcls()
{
// TODO: Add your control notification handler code here
HWND hWnd;
if(hWnd=::FindWindow("OllyDbg",NULL))
{
MessageBox("发现OD");
}else{
MessageBox("没发现OD");
}
}
void CDetectODDlg::OnIsdebuggerpresent()
{
// TODO: Add your control notification handler code here
if(IsDebuggerPresent())
{
MessageBox("发现OD");
}
else
{
MessageBox("没有OD");
}
}
/***************************************************/
BOOL CALLBACK EnumWindowsProc(
HWND hwnd, // handle to parent window
LPARAM lParam // application-defined value
)
{
char ch[100];
CString str="Ollydbg";
if(IsWindowVisible(hwnd))
{
::GetWindowText(hwnd,ch,100);
//AfxMessageBox(ch);
if(::StrStrI(ch,str))
{
AfxMessageBox("发现OD");
return FALSE;
}
}
return TRUE;
}
void CDetectODDlg::OnEnumwindow()
{
// TODO: Add your control notification handler code here
EnumWindows(EnumWindowsProc,NULL);
AfxMessageBox("枚举窗口结束,未提示发现OD,则没有OD");
}
/***************************************************/
void CDetectODDlg::OnEnumProcess()
{
// TODO: Add your control notification handler code here
HANDLE hwnd;
PROCESSENTRY32 tp32; //结构体
CString str="OLLYDBG.EXE";
BOOL bFindOD=FALSE;
hwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
if(INVALID_HANDLE_VALUE!=hwnd)
{
Process32First(hwnd,&tp32);
do{
if(0==lstrcmpi(str,tp32.szExeFile))
{
AfxMessageBox("发现OD");
bFindOD=TRUE;
break;
}
}while(Process32Next(hwnd,&tp32));
if(!bFindOD)
AfxMessageBox("没有OD");
}
CloseHandle(hwnd);
}
void CDetectODDlg::OnExplorer()
{
// TODO: Add your control notification handler code here
HANDLE hwnd;
PROCESSENTRY32 tp32; //结构体
CString str="Explorer.EXE";
DWORD ExplorerID;
DWORD SelfID;
DWORD SelfParentID;
SelfID=GetCurrentProcessId();
::GetWindowThreadProcessId(::FindWindow("Progman",NULL),&ExplorerID);
hwnd=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
if(INVALID_HANDLE_VALUE!=hwnd)
{
Process32First(hwnd,&tp32);
do{
if(0==lstrcmp(str,tp32.szExeFile))
{
// ExplorerID=tp32.th32ProcessID;
// AfxMessageBox("aaa");
}
if(SelfID==tp32.th32ProcessID)
{
SelfParentID=tp32.th32ParentProcessID;
}
}while(Process32Next(hwnd,&tp32));
str.Format("本进程:%d 父进程:%d Explorer进程: %d ",SelfID,SelfParentID,ExplorerID);
MessageBox(str);
if(ExplorerID==SelfParentID)
{
AfxMessageBox("没有OD");
}
else
{
AfxMessageBox("发现OD");
}
}
CloseHandle(hwnd);
}
void CDetectODDlg::OnGetTickCount()
{
// TODO: Add your control notification handler code here
DWORD dTime1;
DWORD dTime2;
dTime1=GetTickCount();
GetCurrentProcessId();
GetCurrentProcessId();
GetCurrentProcessId();
GetCurrentProcessId();
dTime2=GetTickCount();
if(dTime2-dTime1>100)
{
AfxMessageBox("发现OD");
}
else{
AfxMessageBox("没有OD");
}
}
void CDetectODDlg::OnGetStartupInfo()
{
// TODO: Add your control notification handler code here
STARTUPINFO info={0};
GetStartupInfo(&info);
if(info.dwX!=0 || info.dwY!=0 || info.dwXCountChars!=0 || info.dwYCountChars!=0
|| info.dwFillAttribute!=0 || info.dwXSize!=0 || info.dwYSize!=0)
{
AfxMessageBox("发现OD");
}
else{
AfxMessageBox("没有OD");
}
}
//**********************************************
// typedef ULONG NTSTATUS;
typedef ULONG PPEB;
typedef ULONG KAFFINITY;
typedef ULONG KPRIORITY;
typedef struct _PROCESS_BASIC_INFORMATION { // Information Class 0
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
KAFFINITY AffinityMask;
KPRIORITY BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation, // 0 Y N
ProcessQuotaLimits, // 1 Y Y
ProcessIoCounters, // 2 Y N
ProcessVmCounters, // 3 Y N
ProcessTimes, // 4 Y N
ProcessBasePriority, // 5 N Y
ProcessRaisePriority, // 6 N Y
ProcessDebugPort, // 7 Y Y
ProcessExceptionPort, // 8 N Y
ProcessAccessToken, // 9 N Y
ProcessLdtInformation, // 10 Y Y
ProcessLdtSize, // 11 N Y
ProcessDefaultHardErrorMode, // 12 Y Y
ProcessIoPortHandlers, // 13 N Y
ProcessPooledUsageAndLimits, // 14 Y N
ProcessWorkingSetWatch, // 15 Y Y
ProcessUserModeIOPL, // 16 N Y
ProcessEnableAlignmentFaultFixup, // 17 N Y
ProcessPriorityClass, // 18 N Y
ProcessWx86Information, // 19 Y N
ProcessHandleCount, // 20 Y N
ProcessAffinityMask, // 21 N Y
ProcessPriorityBoost, // 22 Y Y
ProcessDeviceMap,// 23 Y Y
ProcessSessionInformation, // 24 Y Y
ProcessForegroundInformation, // 25 N Y
ProcessWow64Information // 26 Y N
} PROCESSINFOCLASS;
typedef NTSTATUS (_stdcall *ZwQueryInformationProcess)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
); //定义函数指针
void CDetectODDlg::OnPebflags()
{
// TODO: Add your control notification handler code here
//定义函数指针变量
ZwQueryInformationProcess MyZwQueryInformationProcess;
HANDLE hProcess = NULL;
PROCESS_BASIC_INFORMATION pbi = {0};
ULONG peb = 0;
ULONG cnt = 0;
ULONG PebBase = 0;
ULONG AddrBase;
BOOL bFoundOD=FALSE;
WORD flag;
DWORD dwFlag;
DWORD bytesrw;
DWORD ProcessId=GetCurrentProcessId();
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId);
if (hProcess != NULL) {
//函数指针变量赋值
MyZwQueryInformationProcess=(ZwQueryInformationProcess)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwQueryInformationProcess");
//函数指针变量调用
if (MyZwQueryInformationProcess(
hProcess,
ProcessBasicInformation,
&pbi,
sizeof(PROCESS_BASIC_INFORMATION),
&cnt) == 0)
{
PebBase = (ULONG)pbi.PebBaseAddress;
AddrBase=PebBase;
if (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x68),&flag,2,&bytesrw) && bytesrw==2)
{ //PEB.NtGlobalFlag
if(0x70==flag){
bFoundOD=TRUE;
}
}
if (ReadProcessMemory(hProcess,(LPCVOID)(PebBase+0x18),&dwFlag,4,&bytesrw) && bytesrw==4)
{
AddrBase=dwFlag;
}
if (ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x0c),&flag,2,&bytesrw) && bytesrw==2)
{//PEB.ProcessHeap.Flags
if(2!=flag){
bFoundOD=TRUE;
}
}
if (ReadProcessMemory(hProcess,(LPCVOID)(AddrBase+0x10),&flag,2,&bytesrw) && bytesrw==2)
{//PEB.ProcessHeap.ForceFlags
if(0!=flag){
bFoundOD=TRUE;
}
}
if(bFoundOD==FALSE)
{
AfxMessageBox("没有OD");
}
else
{
AfxMessageBox("发现OD");
}
}
CloseHandle(hProcess);
}
}
//*******************************************************************
typedef BOOL (WINAPI *CHECK_REMOTE_DEBUGGER_PRESENT)(HANDLE, PBOOL);
void CDetectODDlg::OnCheckremotedebuggerpresent()
{
// TODO: Add your control notification handler code here
HANDLE hProcess;
HINSTANCE hModule;
BOOL bDebuggerPresent = FALSE;
CHECK_REMOTE_DEBUGGER_PRESENT CheckRemoteDebuggerPresent;
hModule = GetModuleHandleA("Kernel32");
CheckRemoteDebuggerPresent =
(CHECK_REMOTE_DEBUGGER_PRESENT)GetProcAddress(hModule, "CheckRemoteDebuggerPresent");
hProcess = GetCurrentProcess();
CheckRemoteDebuggerPresent(hProcess,&bDebuggerPresent);
if(bDebuggerPresent==TRUE)
{
AfxMessageBox("发现OD");
}
else
{
AfxMessageBox("没有OD");
}
}
//********************************************************
typedef NTSTATUS (_stdcall *ZW_QUERY_INFORMATION_PROCESS)(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass, //该参数也需要上面声明的数据结构
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
); //定义函数指针
void CDetectODDlg::OnZwQueryInformationProcess()
{
// TODO: Add your control notification handler code here
HANDLE hProcess;
HINSTANCE hModule;
DWORD dwResult;
ZW_QUERY_INFORMATION_PROCESS MyFunc;
hModule = GetModuleHandle("ntdll.dll");
MyFunc=(ZW_QUERY_INFORMATION_PROCESS)GetProcAddress(hModule,"ZwQueryInformationProcess");
hProcess = GetCurrentProcess();
MyFunc(
hProcess,
ProcessDebugPort,
&dwResult,
4,
NULL);
if(dwResult!=0)
{
AfxMessageBox("发现OD");
}
else
{
AfxMessageBox("没有OD");
}
}
//********************************************************
static DWORD lpOldHandler;
typedef LPTOP_LEVEL_EXCEPTION_FILTER (_stdcall *pSetUnhandledExceptionFilter)(
LPTOP_LEVEL_EXCEPTION_FILTER lpTopLevelExceptionFilter
);
pSetUnhandledExceptionFilter lpSetUnhandledExceptionFilter;
LONG WINAPI TopUnhandledExceptionFilter(
struct _EXCEPTION_POINTERS *ExceptionInfo
)
{
_asm pushad
AfxMessageBox("回调函数");
lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler);
ExceptionInfo->ContextRecord->Eip=NewEip;//转移到安全位置
_asm popad
return EXCEPTION_CONTINUE_EXECUTION;
}
void CDetectODDlg::OnSetUnhandledExceptionFilter()
{
bool isDebugged=0;
// TODO: Add your control notification handler code here
lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")),
"SetUnhandledExceptionFilter");
lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter);
_asm{ //获取这个安全地址
call me //方式一,需要NewEip加上一个偏移值
me:
pop NewEip //方式一结束
mov NewEip,offset safe //方式二,更简单
int 3 //触发异常
}
AfxMessageBox("检测到OD");
isDebugged=1;
_asm{
safe:
}
if(1==isDebugged){
}else{
AfxMessageBox("没有OD");
}
}
//********************************************************
void CDetectODDlg::OnSeDebugPrivilege()
{
// TODO: Add your control notification handler code here
HANDLE hProcessSnap;
HANDLE hProcess;
PROCESSENTRY32 tp32; //结构体
CString str="csrss.exe";
hProcessSnap=::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
if(INVALID_HANDLE_VALUE!=hProcessSnap)
{
Process32First(hProcessSnap,&tp32);
do{
if(0==lstrcmpi(str,tp32.szExeFile))
{
hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,NULL,tp32.th32ProcessID);
if(NULL!=hProcess)
{
AfxMessageBox("发现OD");
}
else
{
AfxMessageBox("没有OD");
}
CloseHandle(hProcess);
}
}while(Process32Next(hProcessSnap,&tp32));
}
CloseHandle(hProcessSnap);
}
//***************************************************************
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((UINT32)0xC0000004L)
#endif
typedef enum _POOL_TYPE {
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS
} POOL_TYPE;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef enum _OBJECT_INFORMATION_CLASS
{
ObjectBasicInformation, // Result is OBJECT_BASIC_INFORMATION structure
ObjectNameInformation, // Result is OBJECT_NAME_INFORMATION structure
ObjectTypeInformation, // Result is OBJECT_TYPE_INFORMATION structure
ObjectAllTypesInformation, // Result is OBJECT_ALL_INFORMATION structure
ObjectDataInformation // Result is OBJECT_DATA_INFORMATION structure
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
typedef struct _OBJECT_TYPE_INFORMATION {
UNICODE_STRING TypeName;
ULONG TotalNumberOfHandles;
ULONG TotalNumberOfObjects;
WCHAR Unused1[8];
ULONG HighWaterNumberOfHandles;
ULONG HighWaterNumberOfObjects;
WCHAR Unused2[8];
ACCESS_MASK InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ACCESS_MASK ValidAttributes;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
USHORT MaintainTypeList;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
typedef struct _OBJECT_ALL_INFORMATION {
ULONG NumberOfObjectsTypes;
OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
} OBJECT_ALL_INFORMATION, *POBJECT_ALL_INFORMATION;
typedef struct _OBJECT_ALL_TYPES_INFORMATION {
ULONG NumberOfTypes;
OBJECT_TYPE_INFORMATION TypeInformation[1];
} OBJECT_ALL_TYPES_INFORMATION, *POBJECT_ALL_TYPES_INFORMATION;
typedef UINT32 (__stdcall *ZwQueryObject_t) (
IN HANDLE ObjectHandle,
IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
OUT PVOID ObjectInformation,
IN ULONG Length,
OUT PULONG ResultLength );
void CDetectODDlg::OnNTQueryObject()
{
// TODO: Add your control notification handler code here
// 调试器必须正在调试才能检测到,仅打开OD是检测不到的
HMODULE hNtDLL;
DWORD dwSize;
UINT i;
UCHAR KeyType=0;
OBJECT_ALL_TYPES_INFORMATION *Types;
OBJECT_TYPE_INFORMATION *t;
ZwQueryObject_t ZwQueryObject;
hNtDLL = GetModuleHandle("ntdll.dll");
if(hNtDLL){
ZwQueryObject = (ZwQueryObject_t)GetProcAddress(hNtDLL, "ZwQueryObject");
UINT32 iResult = ZwQueryObject(NULL, ObjectAllTypesInformation, NULL, NULL, &dwSize);
if(iResult==STATUS_INFO_LENGTH_MISMATCH)
{
Types = (OBJECT_ALL_TYPES_INFORMATION*)VirtualAlloc(NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);
if (Types == NULL) return;
if (iResult=ZwQueryObject(NULL,ObjectAllTypesInformation, Types, dwSize, &dwSize)) return;
for (t=Types->TypeInformation,i=0;i<Types->NumberOfTypes;i++)
{
if ( !_wcsicmp(t->TypeName.Buffer,L"DebugObject")) //比较两个是否相等,这个L很特殊,本地的意思
{
if(t->TotalNumberOfHandles > 0 || t->TotalNumberOfObjects > 0)
{
AfxMessageBox("发现OD");
VirtualFree (Types,0,MEM_RELEASE);
return;
}
break; // Found Anyways
}
t=(OBJECT_TYPE_INFORMATION *)((char *)t->TypeName.Buffer+((t->TypeName.MaximumLength+3)&~3));
}
}
AfxMessageBox("没有OD!");
VirtualFree (Types,0,MEM_RELEASE);
}
}
/*********************************************************/
BOOL DetectBreakpoints()
{
BOOL bFoundOD;
bFoundOD=FALSE;
__asm
{
jmp CodeEnd
CodeStart: mov eax,ecx ;被保护的程序段
nop
push eax
push ecx
pop ecx
pop eax
CodeEnd:
cld ;检测代码开始
mov edi,offset CodeStart
mov edx,offset CodeStart
mov ecx,offset CodeEnd
sub ecx,edx
mov al,0CCH
repne scasb
jnz ODNotFound
mov bFoundOD,1
ODNotFound:
}
return bFoundOD;
}
void CDetectODDlg::OnDectectBreakpoints()
{
// TODO: Add your control notification handler code here
if(DetectBreakpoints())
{
AfxMessageBox("发现OD");
}
else
{
AfxMessageBox("没有OD");
}
}
/*********************************************************/
BOOL DetectFuncBreakpoints()
{
BOOL bFoundOD;
bFoundOD=FALSE;
DWORD dwAddr;
dwAddr=(DWORD)::GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA");
__asm
{
cld ;检测代码开始
mov edi,dwAddr
mov ecx,100 ;100bytes
mov al,0CCH
repne scasb
jnz ODNotFound
mov bFoundOD,1
ODNotFound:
}
return bFoundOD;
}
void CDetectODDlg::OnDectectFuncBreakpoints()
{
// TODO: Add your control notification handler code here
if(DetectFuncBreakpoints())
{
AfxMessageBox("发现OD");
}
else
{
AfxMessageBox("没有OD");
}
}
void CDetectODDlg::OnBlockInput()
{ // #include "Winable.h"
// TODO: Add your control notification handler code here
DWORD dwNoUse;
DWORD dwNoUse2;
::BlockInput(TRUE);
dwNoUse=2;
dwNoUse2=3;
dwNoUse=dwNoUse2;
::BlockInput(FALSE);
}
/*********************************************************/
BOOL CheckSum()
{
BOOL bFoundOD;
bFoundOD=FALSE;
DWORD CHECK_SUM=5555; //正确校验值
DWORD dwAddr;
dwAddr=(DWORD)CheckSum;
__asm
{
;检测代码开始
mov esi,dwAddr
mov ecx,100
xor eax,eax
checksum_loop:
movzx ebx,byte ptr [esi]
add eax,ebx
rol eax,1
inc esi
loop checksum_loop
cmp eax,CHECK_SUM
jz ODNotFound
mov bFoundOD,1
ODNotFound:
}
return bFoundOD;
}
void CDetectODDlg::OnChecksum()
{
// TODO: Add your control notification handler code here
if(CheckSum())
{
AfxMessageBox("发现OD");
}
else
{
AfxMessageBox("没有OD");
}
}
/*********************************************************/
void CDetectODDlg::OnEnableWindow()
{
// TODO: Add your control notification handler code here
CWnd *wnd;
wnd=GetForegroundWindow();
wnd->EnableWindow(FALSE);
DWORD dwNoUse;
DWORD dwNoUse2;
dwNoUse=2;
dwNoUse2=3;
dwNoUse=dwNoUse2;
wnd->EnableWindow(TRUE);
}
/*********************************************************/
typedef enum _THREADINFOCLASS {
ThreadBasicInformation, // 0 Y N
ThreadTimes, // 1 Y N
ThreadPriority, // 2 N Y
ThreadBasePriority, // 3 N Y
ThreadAffinityMask, // 4 N Y
ThreadImpersonationToken, // 5 N Y
ThreadDescriptorTableEntry, // 6 Y N
ThreadEnableAlignmentFaultFixup, // 7 N Y
ThreadEventPair, // 8 N Y
ThreadQuerySetWin32StartAddress, // 9 Y Y
ThreadZeroTlsCell, // 10 N Y
ThreadPerformanceCount, // 11 Y N
ThreadAmILastThread, // 12 Y N
ThreadIdealProcessor, // 13 N Y
ThreadPriorityBoost, // 14 Y Y
ThreadSetTlsArrayAddress, // 15 N Y
ThreadIsIoPending, // 16 Y N
ThreadHideFromDebugger // 17 N Y
} THREAD_INFO_CLASS;
typedef NTSTATUS (NTAPI *ZwSetInformationThread)(
IN HANDLE ThreadHandle,
IN THREAD_INFO_CLASS ThreadInformaitonClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);
void CDetectODDlg::OnZwSetInformationThread()
{
// TODO: Add your control notification handler code here
CString str="利用我定位";
HANDLE hwnd;
HMODULE hModule;
hwnd=GetCurrentThread();
hModule=LoadLibrary("ntdll.dll");
ZwSetInformationThread myFunc;
myFunc=(ZwSetInformationThread)GetProcAddress(hModule,"ZwSetInformationThread");
myFunc(hwnd,ThreadHideFromDebugger,NULL,NULL);
}
/*********************************************************/
void CDetectODDlg::OnOutputDebugString()
{
// TODO: Add your control notification handler code here
::OutputDebugString("%s%s%s");
}
/*********************************************************/
void CDetectODDlg::OnGetEntryPoint()
{
// TODO: Add your control notification handler code here
IMAGE_DOS_HEADER *dos_head=(IMAGE_DOS_HEADER *)GetModuleHandle(NULL);
PIMAGE_NT_HEADERS32 nt_head=(PIMAGE_NT_HEADERS32)((DWORD)dos_head+(DWORD)dos_head->e_lfanew);
DWORD EP=(nt_head->OptionalHeader.AddressOfEntryPoint);
CString str;
str.Format("%x",EP);
AfxMessageBox(str);
BYTE*OEP=(BYTE*)(nt_head->OptionalHeader.AddressOfEntryPoint+(DWORD)dos_head);
for(unsigned long index=0;index<20;index++){
if(OEP[index]==0xcc){
ExitProcess(0);
}
}
}
/**************************************************************/
void terminateFunc()
{
AfxMessageBox("set_terminate指定的函数\n");
exit(0);
}
void CDetectODDlg::OnButton1()
{
// TODO: Add your control notification handler code here
set_terminate(terminateFunc);
try{
div(10,0);
}catch(int){
AfxMessageBox("仅捕获整型异常");
}catch(...){
terminate(); //所有其它异常
}
AfxMessageBox("啊哈");
}
//********************************************************
void CDetectODDlg::OnTrapFlag()
{
try{
_asm{
pushfd //触发单步异常
or dword ptr [esp],100h ;TF=1
popfd
}
AfxMessageBox("检测到OD");
}catch(...){
AfxMessageBox("没有OD");
}
}
//********************************************************
static bool isDebugged=1;
LONG WINAPI TopUnhandledExceptionFilter2(
struct _EXCEPTION_POINTERS *ExceptionInfo
)
{
_asm pushad
AfxMessageBox("回调函数");
lpSetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER )lpOldHandler);
ExceptionInfo->ContextRecord->Eip=NewEip;
isDebugged=0;
_asm popad
return EXCEPTION_CONTINUE_EXECUTION;
}
void CDetectODDlg::OnGuardPages()
{
// TODO: Add your control notification handler code here
ULONG dwOldType;
DWORD dwPageSize;
LPVOID lpvBase; // 获取内存的基地址
SYSTEM_INFO sSysInfo; // 系统信息
GetSystemInfo(&sSysInfo); // 获取系统信息
dwPageSize=sSysInfo.dwPageSize; //系统内存页大小
lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")),
"SetUnhandledExceptionFilter");
lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilter2);
// 分配内存
lpvBase = VirtualAlloc(NULL,dwPageSize,MEM_COMMIT,PAGE_READWRITE);
if (lpvBase==NULL) AfxMessageBox("内存分配失败");
_asm{
mov NewEip,offset safe //方式二,更简单
mov eax,lpvBase
push eax
mov byte ptr [eax],0C3H //写一个 RETN 到保留内存,以便下面的调用
}
if(0==::VirtualProtect(lpvBase,dwPageSize,PAGE_EXECUTE_READ | PAGE_GUARD,&dwOldType)){
AfxMessageBox("执行失败");
}
_asm{
pop ecx
call ecx //调用时压栈
safe:
pop ecx //堆栈平衡,弹出调用时的压栈
}
if(1==isDebugged){
AfxMessageBox("发现OD");
}else{
AfxMessageBox("没有OD");
}
VirtualFree(lpvBase,dwPageSize,MEM_DECOMMIT);
}
//********************************************************
static bool isDebuggedHBP=0;
LONG WINAPI TopUnhandledExceptionFilterHBP(
struct _EXCEPTION_POINTERS *ExceptionInfo
)
{
_asm pushad
AfxMessageBox("回调函数被调用");
ExceptionInfo->ContextRecord->Eip=NewEip;
if(0!=ExceptionInfo->ContextRecord->Dr0||0!=ExceptionInfo->ContextRecord->Dr1||
0!=ExceptionInfo->ContextRecord->Dr2||0!=ExceptionInfo->ContextRecord->Dr3)
isDebuggedHBP=1; //检测有无硬件断点
ExceptionInfo->ContextRecord->Dr0=0; //禁用硬件断点,置0
ExceptionInfo->ContextRecord->Dr1=0;
ExceptionInfo->ContextRecord->Dr2=0;
ExceptionInfo->ContextRecord->Dr3=0;
ExceptionInfo->ContextRecord->Dr6=0;
ExceptionInfo->ContextRecord->Dr7=0;
ExceptionInfo->ContextRecord->Eip=NewEip; //转移到安全位置
_asm popad
return EXCEPTION_CONTINUE_EXECUTION;
}
void CDetectODDlg::OnHardwarebreakpoint()
{
// TODO: Add your control notification handler code here
lpSetUnhandledExceptionFilter = (pSetUnhandledExceptionFilter)GetProcAddress(LoadLibrary(("kernel32.dll")),
"SetUnhandledExceptionFilter");
lpOldHandler=(DWORD)lpSetUnhandledExceptionFilter(TopUnhandledExceptionFilterHBP);
_asm{
mov NewEip,offset safe //方式二,更简单
int 3
mov isDebuggedHBP,1 //调试时可能也不会触发异常去检测硬件断点
safe:
}
if(1==isDebuggedHBP){
AfxMessageBox("发现OD");
}else{
AfxMessageBox("没有OD");
}
}
//********************************************************
void CDetectODDlg::OnCancel()
{
// TODO: Add extra cleanup here
CDialog::OnCancel();
}
void CAboutDlg::OnMypage()
{
// TODO: Add your control notification handler code here
::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
}
void CDetectODDlg::OnAbout()
{
// TODO: Add your control notification handler code here
CAboutDlg dlg;
dlg.DoModal();
}
void CAboutDlg::OnMouseMove(UINT nFlags, CPoint point)
{
// TODO: Add your message handler code here and/or call default
CRect rect(60,20,100,100);
if(rect.PtInRect(point)){
SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(NULL,IDC_HELP)));
}else{
SetClassLong(m_hWnd,GCL_HCURSOR,(LONG)(LoadCursor(AfxGetApp()->m_hInstance,IDC_ARROW)));
}
CDialog::OnMouseMove(nFlags, point);
}
BOOL CAboutDlg::OnInitDialog()
{
CDialog::OnInitDialog();
// TODO: Add extra initialization here
SetClassLong(m_hWnd,GCL_HICON,(LONG)(LoadIcon(AfxGetApp()->m_hInstance,MAKEINTRESOURCE(IDI_DOG))));
return TRUE; // return TRUE unless you set the focus to a control
// EXCEPTION: OCX Property Pages should return FALSE
}
void CDetectODDlg::OnOK()
{
// TODO: Add extra validation here
CDialog::OnOK();
}
void CAboutDlg::OnComeon()
{
// TODO: Add your control notification handler code here
::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
}
void CAboutDlg::OnMyicon()
{
// TODO: Add your control notification handler code here
::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
}
void CDetectODDlg::OnMypage2()
{
// TODO: Add your control notification handler code here
::ShellExecute(NULL,"open","http://ucooper.com",NULL,NULL,SW_SHOWNORMAL);
}
// DetectODDlg.h : header file
//
#if !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
#define AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
/////////////////////////////////////////////////////////////////////////////
// CDetectODDlg dialog
class CDetectODDlg : public CDialog
{
// Construction
public:
CDetectODDlg(CWnd* pParent = NULL); // standard constructor
// Dialog Data
//{{AFX_DATA(CDetectODDlg)
enum { IDD = IDD_DETECTOD_DIALOG };
// NOTE: the ClassWizard will add data members here
//}}AFX_DATA
// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CDetectODDlg)
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
//}}AFX_VIRTUAL
// Implementation
protected:
HICON m_hIcon;
// Generated message map functions
//{{AFX_MSG(CDetectODDlg)
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
afx_msg void OnWndcls();
afx_msg void OnTest();
afx_msg void OnIsdebuggerpresent();
afx_msg void OnEnumwindow();
afx_msg void OnEnumProcess();
afx_msg void OnExplorer();
afx_msg void OnGetTickCount();
afx_msg void OnGetStartupInfo();
afx_msg void OnPebflags();
afx_msg void OnCheckremotedebuggerpresent();
afx_msg void OnZwqueryinfomationprocess();
afx_msg void OnSetUnhandledExceptionFilter();
afx_msg void OnZwQueryInformationProcess();
afx_msg void OnSeDebugPrivilege();
afx_msg void OnNTQueryObject();
afx_msg void OnDectectBreakpoints();
afx_msg void OnDectectFuncBreakpoints();
afx_msg void OnBlockInput();
afx_msg void OnChecksum();
afx_msg void OnEnableWindow();
afx_msg void OnZwSetInformationThread();
afx_msg void OnOutputDebugString();
afx_msg void OnGetEntryPoint();
afx_msg void OnButton1();
afx_msg void OnButton2();
afx_msg void OnTrapFlag();
afx_msg void OnGuardPages();
afx_msg void OnHardwarebreakpoint();
virtual void OnCancel();
afx_msg void OnAbout();
virtual void OnOK();
afx_msg void OnMypage2();
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_DETECTODDLG_H__878B65B9_998E_4718_93F3_D147DB13A90D__INCLUDED_)
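Review bot: The header declares both `afx_msg void OnZwqueryinfomationprocess();` (the line between `OnCheckremotedebuggerpresent` and `OnSetUnhandledExceptionFilter`) and `afx_msg void OnZwQueryInformationProcess();` two lines later, and only the latter has a definition in the accompanying DetectODDlg.cpp (`void CDetectODDlg::OnZwQueryInformationProcess()`). The first declaration looks like a leftover from a renamed handler; if it is ever wired into the message map it will fail to link, so it should be deleted or its definition added. I cannot see the message map from here, so whether it is currently referenced is inferred.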
========================================================================
MICROSOFT FOUNDATION CLASS LIBRARY : DetectOD
========================================================================
AppWizard has created this DetectOD application for you. This application
not only demonstrates the basics of using the Microsoft Foundation classes
but is also a starting point for writing your application.
This file contains a summary of what you will find in each of the files that
make up your DetectOD application.
DetectOD.dsp
This file (the project file) contains information at the project level and
is used to build a single project or subproject. Other users can share the
project (.dsp) file, but they should export the makefiles locally.
DetectOD.h
This is the main header file for the application. It includes other
project specific headers (including Resource.h) and declares the
CDetectODApp application class.
DetectOD.cpp
This is the main application source file that contains the application
class CDetectODApp.
DetectOD.rc
This is a listing of all of the Microsoft Windows resources that the
program uses. It includes the icons, bitmaps, and cursors that are stored
in the RES subdirectory. This file can be directly edited in Microsoft
Visual C++.
DetectOD.clw
This file contains information used by ClassWizard to edit existing
classes or add new classes. ClassWizard also uses this file to store
information needed to create and edit message maps and dialog data
maps and to create prototype member functions.
res\DetectOD.ico
This is an icon file, which is used as the application's icon. This
icon is included by the main resource file DetectOD.rc.
res\DetectOD.rc2
This file contains resources that are not edited by Microsoft
Visual C++. You should place all resources not editable by
the resource editor in this file.
/////////////////////////////////////////////////////////////////////////////
AppWizard creates one dialog class:
DetectODDlg.h, DetectODDlg.cpp - the dialog
These files contain your CDetectODDlg class. This class defines
the behavior of your application's main dialog. The dialog's
template is in DetectOD.rc, which can be edited in Microsoft
Visual C++.
/////////////////////////////////////////////////////////////////////////////
Other standard files:
StdAfx.h, StdAfx.cpp
These files are used to build a precompiled header (PCH) file
named DetectOD.pch and a precompiled types file named StdAfx.obj.
Resource.h
This is the standard header file, which defines new resource IDs.
Microsoft Visual C++ reads and updates this file.
/////////////////////////////////////////////////////////////////////////////
Other notes:
AppWizard uses "TODO:" to indicate parts of the source code you
should add to or customize.
If your application uses MFC in a shared DLL, and your application is
in a language other than the operating system's current language, you
will need to copy the corresponding localized resources MFC42XXX.DLL
from the Microsoft Visual C++ CD-ROM onto the system or system32 directory,
and rename it to be MFCLOC.DLL. ("XXX" stands for the language abbreviation.
For example, MFC42DEU.DLL contains resources translated to German.) If you
don't do this, some of the UI elements of your application will remain in the
language of the operating system.
/////////////////////////////////////////////////////////////////////////////
// stdafx.cpp : source file that includes just the standard includes
// DetectOD.pch will be the pre-compiled header
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// stdafx.h : include file for standard system include files,
// or project specific include files that are used frequently, but
// are changed infrequently
//
#if !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
#define AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_
#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
#define VC_EXTRALEAN // Exclude rarely-used stuff from Windows headers
#include <afxwin.h> // MFC core and standard components
#include <afxext.h> // MFC extensions
#include <afxdisp.h> // MFC Automation classes
#include <afxdtctl.h> // MFC support for Internet Explorer 4 Common Controls
#ifndef _AFX_NO_AFXCMN_SUPPORT
#include <afxcmn.h> // MFC support for Windows Common Controls
#endif // _AFX_NO_AFXCMN_SUPPORT
//{{AFX_INSERT_LOCATION}}
// Microsoft Visual C++ will insert additional declarations immediately before the previous line.
#endif // !defined(AFX_STDAFX_H__1D6A253C_B6C7_47CB_B730_6447CAF4FA7B__INCLUDED_)
//
// DETECTOD.RC2 - resources Microsoft Visual C++ does not edit directly
//
#ifdef APSTUDIO_INVOKED
#error this file is not editable by Microsoft Visual C++
#endif //APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
// Add manually edited resources here...
/////////////////////////////////////////////////////////////////////////////
//{{NO_DEPENDENCIES}}
// Microsoft Developer Studio generated include file.
// Used by DetectOD.rc
//
#define IDC_ABOUT 3
#define IDM_ABOUTBOX 0x0010
#define IDD_ABOUTBOX 100
#define IDS_ABOUTBOX 101
#define IDD_DETECTOD_DIALOG 102
#define IDR_MAINFRAME 128
#define IDI_DOG 129
#define IDI_ICON2 133
#define IDC_WNDCLS 1000
#define IDC_ISDEBUGGERPRESENT 1002
#define IDC_ENUMWINDOW 1003
#define IDC_EnumProcess 1004
#define IDC_Explorer 1005
#define IDC_GetTickCount 1006
#define IDC_GetStartupInfo 1007
#define IDC_PEBFLAGS 1008
#define IDC_CHECKREMOTEDEBUGGERPRESENT 1009
#define IDC_ZwQueryInformationProcess 1010
#define IDC_SetUnhandledExceptionFilter 1014
#define IDC_MYPAGE 1014
#define IDC_SeDebugPrivilege 1015
#define IDC_COMEON 1015
#define IDC_MYICON 1016
#define IDC_MYPAGE2 1016
#define IDC_NTQueryObject 1017
#define IDC_DectectBreakpoints 1018
#define IDC_DectectFuncBreakpoints 1019
#define IDC_BlockInput 1020
#define IDC_CHECKSUM 1021
#define IDC_EnableWindow 1022
#define IDC_ZwSetInformationThread 1023
#define IDC_OutputDebugString 1024
#define IDC_GetEntryPoint 1025
#define IDC_TrapFlag 1026
#define IDC_GuardPages 1027
#define IDC_HARDWAREBREAKPOINT 1028
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 134
#define _APS_NEXT_COMMAND_VALUE 32771
#define _APS_NEXT_CONTROL_VALUE 1017
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
// tlssup.cļ룺
#include <windows.h>
#include <winnt.h>
int _tls_index=0;
#pragma data_seg(".tls")
int _tls_start=0;
#pragma data_seg(".tls$ZZZ")
int _tls_end=0;
#pragma data_seg(".CRT$XLA")
int __xl_a=0;
#pragma data_seg(".CRT$XLZ")
int __xl_z=0;
#pragma data_seg(".rdata$T")
extern PIMAGE_TLS_CALLBACK my_tls_callbacktbl[];
IMAGE_TLS_DIRECTORY32 _tls_used={(DWORD)&_tls_start,(DWORD)&_tls_end,(DWORD)&_tls_index,(DWORD)my_tls_callbacktbl,0,0};
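Review bot: `my_tls_callbacktbl` is declared `extern` on the line before `_tls_used` but never defined in this file, so the TLS directory only links if another translation unit supplies the callback table, and nothing here says which one; the `(DWORD)&_tls_start` casts in the `_tls_used` initializer also truncate pointers in a 64-bit build, which matches the hard-coded `IMAGE_TLS_DIRECTORY32` type but is undocumented. A header comment such as `/* 32-bit only: my_tls_callbacktbl must be defined in the TU that installs the TLS callback, and the linker must be told to retain _tls_used (e.g. /INCLUDE) since nothing references it */` would capture both constraints. The CRT's own tlssup.c declares this directory `const`, which fits its placement in `.rdata$T`; the mutable definition here is presumably an oversight. The first-line comment `// tlssup.cļ룺` is mis-encoded and should be rewritten in a readable encoding.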