页面异常反dump 及 内存访问异常hook

第七章:应用层保护
加密、加壳、反调试、混淆……
静态保护:去静态特征,去字符串,全局指针等。
动态保护:
在dump模块的方法中,一般会调用ReadProcessMemory来读取,可以修改PE结构中可选头的SizeOfImage字段,或者用抹去PE头的方法来干扰,但对直接指定基址和大小的dump方式就无效。
修改页面访问属性为PAGE_NOACCESS可以反dump。

修改代码方式的HOOK很难绕过代码校验;硬件断点则可能被通过GetThreadContext读取硬件断点设置的检测发现,而且硬件断点只有4个。
内存页面访问异常更具隐蔽性,但代码页会被频繁访问,因而会影响原始程序的性能。

// Test EXE
#include <stdio.h>
#include <Windows.h>
#include <vector>
#include <TlHelp32.h>

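void EnumModule() 
{
	// Lists every module in the current process (index, base address, name)
	// and prints the list as one block. main() calls this before and after
	// LoadLibraryA("WaiGua.dll") so the two listings can be compared.
	char szBuffer[256*100] = "";
	MODULEENTRY32 moudle;
	// One formatted line; sized from szModule so a maximum-length module name
	// cannot overflow it (index, pointer text and the fixed words stay well
	// under the 64 spare bytes).
	char szModuFile[sizeof(moudle.szModule) + 64] = "";

	// Module32First requires dwSize to be set; left uninitialised it may fail.
	moudle.dwSize = sizeof(moudle);
	HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
	if (handle == INVALID_HANDLE_VALUE)
	{
		printf("枚举模块失败!");
		return;
	}

	int i = 1;
	if (Module32First(handle, &moudle))
	{
		do
		{
			// %p rather than %x: modBaseAddr is a pointer, which %x truncates on x64.
			sprintf(szModuFile, "[%d]Address: 0x%p, Name: %s \r\n", i, (void*)moudle.modBaseAddr, moudle.szModule);
			// Stop (rather than overrun szBuffer) once the next line would not fit.
			if (strlen(szBuffer) + strlen(szModuFile) >= sizeof(szBuffer))
			{
				break;
			}
			strcat(szBuffer, szModuFile);
			i++;
		} while (Module32Next(handle, &moudle));
	}
	CloseHandle(handle);

	// Module names come from whatever is loaded in the process, not from this
	// code: print them as data, never as the format string.
	printf("%s", szBuffer);
}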

void main()
{
// `void main` is non-standard but accepted by MSVC, which this listing targets.
#if 1
	// Hook test: the first MessageBox runs before the hook DLL is loaded, the
	// second after it. The second call passes a writable stack copy (buf)
	// instead of a string literal; the hook DLL's ChangeText() overwrites the
	// text argument in place, which would fault on a read-only literal.
	MessageBox(NULL,"the fact infor111","test SEH hook",MB_OK);  
	// Return value unchecked: if the DLL fails to load, the next call runs unhooked.
	::LoadLibraryA("WaiGua.dll");
	char buf[] = "the fact infor111";
	MessageBox(NULL,buf,"test SEH hook",MB_OK); 
#else	// anti-dump test: list the modules before and after loading the DLL
	EnumModule();
	::LoadLibraryA("WaiGua.dll");
	EnumModule();
	printf("second enum end.\n"); 
#endif
	getchar();
}


 

//hook.dll
// VEHHook.cpp : Defines the entry point for the DLL application.
//
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <limits.h>
#include <Winbase.h>

 typedef LONG  (WINAPI *PVECTOREDEXCEPTIONHANDLER)(PEXCEPTION_POINTERS ExceptionInfo);

// AddVectoredExceptionHandler is resolved at run time with GetProcAddress in
// DllMain instead of being linked directly, so its prototype is declared here.
typedef PVOID (WINAPI *ADDVECTOREEXCEPTIONHANDLER)(
    ULONG FirstHandler,
    PVECTOREDEXCEPTIONHANDLER VectoredHandler
);
ADDVECTOREEXCEPTIONHANDLER g_AddVectorExceptionHandler = NULL;

// Address of the hooked function (MessageBoxA) and the address two bytes past
// its entry, which is the jump target of ReturnOriginalFunc. Both initial
// values are placeholders; DllMain overwrites them.
DWORD func_addr = 0x00401000;
DWORD func_addr_offset = func_addr + 0x2;
// Previous protection of the hooked page, as returned by MemPageHook; set in
// DllMain and not read anywhere else in this listing.
DWORD g_dwOldProtect = 0;

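void PrintParameters(PCONTEXT debug_context) 
{
    // Dumps the general-purpose registers of the faulting context and the
    // first three arguments of the intercepted call. It runs from the
    // exception handler at the entry of the hooked function, where [Esp] is
    // the return address and the stdcall arguments follow at Esp+4, Esp+8 and
    // Esp+0xC. x86 only: the 32-bit CONTEXT fields (Eax..Edi, Esp, Eip) are used.
    printf("EAX: %X EBX: %X ECX: %X EDX: %X\n",
        debug_context->Eax, debug_context->Ebx, debug_context->Ecx, debug_context->Edx);

    printf("ESP: %X EBP: %X\n",
        debug_context->Esp, debug_context->Ebp);

    printf("ESI: %X EDI: %X\n",
        debug_context->Esi, debug_context->Edi);

    // The caller may pass NULL for either string; printing NULL through %s is
    // undefined behaviour, so substitute a marker instead.
    const char* text = (const char*)(*(DWORD*)(debug_context->Esp + 0x8));
    const char* caption = (const char*)(*(DWORD*)(debug_context->Esp + 0xC));
    printf("Parameters\n"
        "HWND: %X\n"
        "text: %s\n"
        "caption: %s\n",
        (HWND)(*(DWORD*)(debug_context->Esp + 0x4)),
        text ? text : "(null)",
        caption ? caption : "(null)");
}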

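void ChangeText(PCONTEXT debug_context) {
    // Overwrites, in place, the text argument of the intercepted call so the
    // dialog shows "Be Hooked!". The write goes into the caller's own buffer,
    // so it only works when the caller passed writable memory (the test EXE's
    // main() passes a stack copy); a string literal in a read-only section
    // would fault here.
    char* text = (char*)(*(DWORD*)(debug_context->Esp + 0x8));
    if (text == NULL) {
        return;   // nothing to rewrite; strlen(NULL) would crash the host process
    }
    // The count is the existing length, so the replacement never grows the
    // string: for a shorter buffer _snprintf truncates without writing a NUL
    // and the original terminator is kept.
    size_t length = strlen(text);
    _snprintf(text, length, "Be Hooked!");
}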

void __declspec(naked) ReturnOriginalFunc(void) {
    // Trampoline that ExceptionFilter points Eip at after handling the fault.
    // It executes a 2-byte `mov edi,edi` itself and then jumps to
    // func_addr + 2, i.e. past the first instruction of the hooked function.
    // Assumes the hooked function begins with the 2-byte hot-patch prologue
    // `mov edi,edi` (common for Win32 API entry points — confirm for any other
    // target), that ExceptionFilter has already made the page executable
    // again, and, being naked, that registers and stack are exactly as they
    // were at the fault.
    __asm {
        mov edi,edi
        jmp [func_addr_offset]
    }
}

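LONG WINAPI ExceptionFilter(PEXCEPTION_POINTERS ExceptionInfo) {
    // Vectored exception handler installed by MemPageHook. It handles exactly
    // one event: the access violation raised when execution reaches func_addr
    // after MemPageHook made that page PAGE_NOACCESS. Every other exception is
    // passed on with EXCEPTION_CONTINUE_SEARCH. Returning
    // EXCEPTION_CONTINUE_EXECUTION for an unrelated fault would re-execute the
    // faulting instruction and turn an ordinary crash into an endless fault
    // loop, so only the handled case resumes execution.
    //
    // EXCEPTION_SINGLE_STEP is accepted for compatibility with the original
    // filter; nothing in this listing sets the trap flag, so in practice only
    // STATUS_ACCESS_VIOLATION at func_addr reaches the hook body.
    DWORD code = ExceptionInfo->ExceptionRecord->ExceptionCode;
    if (code != EXCEPTION_SINGLE_STEP && code != STATUS_ACCESS_VIOLATION) {
        return EXCEPTION_CONTINUE_SEARCH;
    }
    if ((DWORD)ExceptionInfo->ExceptionRecord->ExceptionAddress != func_addr) {
        return EXCEPTION_CONTINUE_SEARCH;
    }

    PCONTEXT debug_context = ExceptionInfo->ContextRecord;
    printf("Breakpoint hit!\n");
    PrintParameters(debug_context);
    ChangeText(debug_context);
    // Resume in the trampoline rather than at func_addr itself.
    debug_context->Eip = (DWORD)&ReturnOriginalFunc;

    // Make the page executable again so the trampoline's jump can land.
    // Restore the protection MemPageHook saved instead of widening the page
    // to RWX; fall back to RWX only if nothing was saved. This is one-shot:
    // once the page is restored, later calls no longer fault and the hook
    // fires only once.
    //
    // Defender note: the hook leaves observable state in the process — a
    // registered vectored handler and a user32 code page whose protection no
    // longer matches its image section — which an integrity check that walks
    // the target's pages with VirtualQuery could detect.
    DWORD dwRestore = (g_dwOldProtect != 0) ? g_dwOldProtect : PAGE_EXECUTE_READWRITE;
    DWORD dwOldProtect = 0;
    VirtualProtect((LPVOID)func_addr, 1024, dwRestore, &dwOldProtect);
    return EXCEPTION_CONTINUE_EXECUTION;
}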

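DWORD ChangeDataSectionPageProtectAttr(DWORD dwProtect)
{
	// Anti-dump experiment: changes the protection of the page that holds this
	// function's own code (despite the name, VirtualQuery/VirtualProtect are
	// given this function's address, not a data section). DllMain's #else
	// branch calls it with PAGE_NOACCESS so that a dumper reading the module's
	// pages fails on this one.
	//
	// Returns the page's previous protection, or 0 if VirtualProtect failed
	// or a fault was caught.
	//
	// NOTE(review): the code that runs after VirtualProtect returns — the rest
	// of this function and its __except block — may sit on the very page being
	// made inaccessible; if so the return itself faults and no handler on that
	// page can run. Confirm the intended range before relying on this.
	DWORD dwOldProtect = 0;
	MEMORY_BASIC_INFORMATION mbi = { 0 };
	__try{
		// mbi is informational only (region base/size); the region-wide
		// VirtualProtect below is kept commented out for reference.
		VirtualQuery(ChangeDataSectionPageProtectAttr,&mbi,sizeof(mbi));
		//VirtualProtect( (LPVOID)((PBYTE)mbi.BaseAddress + mbi.RegionSize), 1024,dwProtect,&dwOldProtect);
		// Protection is page-granular: a 4-byte range still changes the whole page.
		if (!VirtualProtect( (LPVOID)ChangeDataSectionPageProtectAttr, 4,dwProtect,&dwOldProtect))
		{
			printf("ChangeDataSectionPageProtectAttr failed.\n"); 
			dwOldProtect = 0;
		}
	}
	// EXCEPTION_EXECUTE_HANDLER runs the block below on a fault.
	// (EXCEPTION_CONTINUE_EXECUTION as a filter value would instead resume at
	// the faulting instruction and never reach the block.)
	__except(EXCEPTION_EXECUTE_HANDLER)
	{
		printf("ChangeDataSectionPageProtectAttr failed.\n"); 
		dwOldProtect = 0;
	}
	return dwOldProtect;
}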

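DWORD MemPageHook(DWORD dwNewFuncAddr)
{
	// Arms the page-fault hook: registers ExceptionFilter as the first
	// vectored handler, then removes all access from the page containing
	// func_addr so that the next execution of the hooked function raises an
	// access violation which ExceptionFilter intercepts.
	//
	// dwNewFuncAddr is accepted for interface compatibility only; the hook is
	// placed at the global func_addr, which DllMain sets before calling here.
	// Returns the page's previous protection, or 0 if the handler could not
	// be registered or the protection change failed (the page is then not armed).
	(void)dwNewFuncAddr;
	if (g_AddVectorExceptionHandler == NULL)
	{
		// GetProcAddress in DllMain failed; calling through NULL would crash the host.
		printf("AddVectoredExceptionHandler unavailable; hook not installed.\n");
		return 0;
	}
	if (g_AddVectorExceptionHandler(1, ExceptionFilter) == NULL)
	{
		printf("AddVectoredExceptionHandler failed; hook not installed.\n");
		return 0;
	}
	DWORD dwOldProtect = 0;
	// Protection is page-granular: the 4-byte range makes the whole page that
	// holds the function's entry inaccessible for the entire process.
	if (!VirtualProtect( (LPVOID)func_addr, 4,PAGE_NOACCESS,&dwOldProtect))
	{
		printf("VirtualProtect(PAGE_NOACCESS) failed; page not armed.\n");
		return 0;
	}
	return dwOldProtect;
}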

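int APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved) 
{
    // Two test modes selected at compile time:
    //   #if 1  — page-fault hook on MessageBoxA (opens a console for the log).
    //   #else  — anti-dump test: makes one of this DLL's own code pages
    //            PAGE_NOACCESS.
    // NOTE(review): everything here runs from DLL_PROCESS_ATTACH, i.e. under
    // the loader lock; AllocConsole/printf/VirtualProtect in DllMain is
    // tolerable for a test harness, not for production code.
    if(reason == DLL_PROCESS_ATTACH) 
    {
#if 1
        DisableThreadLibraryCalls(hModule);
        if(AllocConsole()) 
        {
            // Route stdout to the new console; without it the log is lost.
            if (freopen("CONOUT$", "w", stdout) != NULL)
            {
                SetConsoleTitle("Console");
                SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
                printf("DLL loaded.\n");
            }
        }

        // Resolve the hook target and AddVectoredExceptionHandler at run time.
        // Either lookup can fail (module not loaded, export missing); hooking
        // with func_addr == 0 would hand address 0 to VirtualProtect, so the
        // hook is skipped instead of proceeding with a bad address.
        HMODULE hUser32 = GetModuleHandle("user32.dll");
        HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
        func_addr = hUser32 ? (DWORD)GetProcAddress(hUser32, "MessageBoxA") : 0;
        func_addr_offset = func_addr + 2;
        printf("MessageBoxA Addr: 0x%x\n",func_addr);
        g_AddVectorExceptionHandler = hKernel32
            ? (ADDVECTOREEXCEPTIONHANDLER)GetProcAddress(hKernel32, "AddVectoredExceptionHandler")
            : NULL;
        if (func_addr != 0 && g_AddVectorExceptionHandler != NULL)
        {
            g_dwOldProtect = MemPageHook(func_addr);
        }
        else
        {
            printf("Hook target or AddVectoredExceptionHandler not found; hook skipped.\n");
        }
#else   // anti-dump test
        ChangeDataSectionPageProtectAttr(PAGE_NOACCESS);
#endif
    }
    return TRUE;
}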


 
