VB反编译研究[转]

1.检测程序是否被各类debug程式所加载研究!

VB code

' Win32 imports used by Opencsrss below: ToolHelp snapshot enumeration plus process-handle calls.
' CreateToolhelp32Snapshot returns a snapshot handle; note that its failure value is INVALID_HANDLE_VALUE (-1), not 0.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
' Process32First/Next walk the snapshot and fill the caller's PROCESSENTRY32 (dwSize must be set before the first call).
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' Declared but never called in this listing.
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
' Used by Opencsrss to probe whether a handle to csrss.exe can be obtained.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
     
Const MAX_PATH As Integer = 260       ' not referenced in this listing (szExeFile is sized 1024 below)
Const TH32CS_SNAPPROCESS As Long = 2& ' CreateToolhelp32Snapshot flag: include the process list in the snapshot
' VB mirror of the Win32 PROCESSENTRY32 (ANSI) record filled by Process32First/Next.
' Nine Longs plus a 1024-byte fixed string = 1060 bytes, the literal Opencsrss stores in dwSize.
Private Type PROCESSENTRY32
    dwSize As Long              ' size of this record in bytes; must be set before Process32First
    cntUsage As Long
    th32ProcessID As Long       ' process id; Opencsrss reads it for the csrss.exe entry
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long ' parent process id; not read in this listing
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * 1024  ' NUL-terminated image file name (the Win32 struct sizes this to MAX_PATH)
End Type
Private Sub Command1_Click()
    ' Runs the csrss.exe open-handle heuristic on demand and reports the verdict to the user.
    Dim debuggerSeen As Boolean
    debuggerSeen = Opencsrss()
    If Not debuggerSeen Then
        MsgBox "没有发现调试", , "恭喜"
    Else
        MsgBox "发现调试器,请关闭", , "警告"
    End If
End Sub

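Private Function Opencsrss() As Boolean
    ' Returns True when this process can open csrss.exe with PROCESS_TERMINATE access,
    ' False otherwise (csrss.exe not found, any API failure, or any runtime error).
    '
    ' Rationale kept from the original: an ordinary user process is refused such a handle to the
    ' Windows subsystem process, so success is taken as a sign of inherited debug privileges.
    ' NOTE(review): any caller that already holds SeDebugPrivilege (an elevated administrator
    ' session, for instance) also succeeds, so a True here is a heuristic, not proof of a debugger.
    '
    ' Fixes over the original: handles INVALID_HANDLE_VALUE from CreateToolhelp32Snapshot,
    ' derives dwSize from the Type instead of a literal, guards the NUL search so Left$ never
    ' receives -1, closes the probed handle (it was leaked), and drops the unused locals.
    Const PROCESS_TERMINATE As Long = &H1       ' the access mask the original passed as 1&
    Const INVALID_HANDLE_VALUE As Long = -1     ' CreateToolhelp32Snapshot's failure value (not 0)

    Dim Process As PROCESSENTRY32
    Dim hSnapShot As Long
    Dim hCsrss As Long
    Dim nameEnd As Integer
    Dim mName As String
    Dim csrssPid As Long

    On Error GoTo maple
    Opencsrss = False

    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If hSnapShot = 0 Or hSnapShot = INVALID_HANDLE_VALUE Then Exit Function

    Process.dwSize = Len(Process)   ' 1060 bytes for this Type; replaces the hard-coded literal
    If Process32First(hSnapShot, Process) <> 0 Then
        Do
            ' szExeFile is NUL-terminated; when no NUL is present use the whole buffer instead of failing
            nameEnd = InStr(1, Process.szExeFile, Chr$(0))
            If nameEnd > 0 Then
                mName = LCase$(Left$(Process.szExeFile, nameEnd - 1))
            Else
                mName = LCase$(Process.szExeFile)
            End If
            If mName = "csrss.exe" Then csrssPid = Process.th32ProcessID
        Loop Until Process32Next(hSnapShot, Process) < 1
    End If
    CloseHandle hSnapShot
    hSnapShot = 0   ' so the error handler does not close it a second time

    If csrssPid <> 0 Then
        ' bInheritHandle = 0: the handle is only probed and closed, nothing needs to inherit it
        hCsrss = OpenProcess(PROCESS_TERMINATE, 0&, csrssPid)
        If hCsrss <> 0 Then
            Opencsrss = True
            CloseHandle hCsrss   ' the original never released this handle
        End If
    End If
    Exit Function

maple:
    ' Any runtime error still counts as "no debugger", as in the original, but release the
    ' snapshot if the error happened while it was still open.
    Opencsrss = False
    If hSnapShot <> 0 And hSnapShot <> INVALID_HANDLE_VALUE Then CloseHandle hSnapShot
End Function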

代码很简单,大家看着玩! 
2.timer反调试

VB code

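Private Sub Command1_Click()
    ' Timing check: reads Timer before and after a code region (empty in this demo; the real
    ' registration logic would sit between the two reads) and reports when too much wall-clock
    ' time passed, which is what single-stepping under a debugger produces.
    '
    ' Fixes over the original: it demanded an exact difference of 0, which fails whenever the two
    ' reads straddle a Timer tick (Timer has finite resolution) and reports a debugger on a normal
    ' run; a small tolerance is used instead. Timer restarts at midnight, so a negative difference
    ' is wrapped before comparing.
    Const MAX_ELAPSED_SECONDS As Double = 1#   ' tolerance; tune to the guarded region's real cost
    Const SECONDS_PER_DAY As Double = 86400#

    Dim ctime As Double
    Dim dtime As Double
    Dim elapsed As Double

    ctime = Timer
    '-- guarded region goes here --
    dtime = Timer

    elapsed = dtime - ctime
    If elapsed < 0 Then elapsed = elapsed + SECONDS_PER_DAY   ' midnight wrap-around

    If elapsed <= MAX_ELAPSED_SECONDS Then
        MsgBox elapsed, , "正常运行,经历时间:"
        ' In a real product these prompts should be hidden entirely.
    Else
        MsgBox elapsed, , "发现调试器,经历时间:"
    End If
End Sub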

为什么用 Timer？很简单：当别人单步调试时，两次读取 Timer 之间会经过可观的时间，莫非他是千只眼，一眼千行？？ :)
3.对于运行环境进行检测

VB code

' Win32 import: fills a STARTUPINFO with the values the creator of this process passed to CreateProcess.
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)

' VB mirror of the Win32 STARTUPINFOA record; GetStartupInfo fills it with what CreateProcess was given.
Private Type STARTUPINFO '(createprocess)
    cb As Long              ' size of this record in bytes
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long             ' window position / size / console geometry fields; only meaningful when
    dwY As Long             ' the matching STARTF_* bit is set in dwFlags (StartAnti tests them regardless)
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long         ' STARTF_* bits saying which of the fields above were supplied
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Sub Command1_Click()
    ' Button handler: re-runs the STARTUPINFO heuristic on demand and shows the result.
    Dim verdict As String
    Dim caption As String
    If StartAnti() Then
        verdict = "发现调试器,请关闭"
        caption = "警告"
    Else
        verdict = "没有发现调试器"
        caption = "通过"
    End If
    MsgBox verdict, , caption
End Sub

Private Sub Form_Load()
    ' Same STARTUPINFO heuristic, run once when the form loads.
    Dim flagged As Boolean
    flagged = StartAnti()
    If Not flagged Then
        MsgBox "没有发现调试器", , "通过"
    Else
        MsgBox "发现调试器,请关闭", , "警告"
    End If
End Sub

Private Function StartAnti() As Boolean
    ' Returns True when any window-placement field of this process's STARTUPINFO is non-zero.
    ' A plain launch leaves them all zero, so a non-zero value is treated as a sign that
    ' something other than the shell (e.g. a debugger) created the process.
    ' NOTE(review): these fields are also filled legitimately when the creator sets
    ' STARTF_USEPOSITION / STARTF_USESIZE / STARTF_USECOUNTCHARS / STARTF_USEFILLATTRIBUTE
    ' (a shortcut with a fixed window position, for instance), so expect false positives;
    ' checking the corresponding dwFlags bits would narrow the heuristic.
    Dim si As STARTUPINFO
    Dim suspicious As Boolean

    GetStartupInfo si
    suspicious = (si.dwX <> 0)
    suspicious = suspicious Or (si.dwY <> 0)
    suspicious = suspicious Or (si.dwXSize <> 0) Or (si.dwYSize <> 0)
    suspicious = suspicious Or (si.dwXCountChars <> 0) Or (si.dwYCountChars <> 0)
    suspicious = suspicious Or (si.dwFillAttribute <> 0)
    StartAnti = suspicious
End Function

4.检查我们的程序是否在正常的父进程中运行

VB code

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Const MAX_PATH As Integer = 260       ' not referenced in this listing (szExeFile is sized 1024 below)
Const TH32CS_SNAPPROCESS As Long = 2& ' CreateToolhelp32Snapshot flag: include the process list in the snapshot
' VB mirror of the Win32 PROCESSENTRY32 (ANSI) record filled by Process32First/Next.
' Nine Longs plus a 1024-byte fixed string = 1060 bytes, the literal Fujincheng stores in dwSize.
Private Type PROCESSENTRY32
    dwSize As Long              ' size of this record in bytes; must be set before Process32First
    cntUsage As Long
    th32ProcessID As Long       ' process id of the enumerated process
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long ' parent process id; Fujincheng reads it for this process's own entry
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * 1024  ' NUL-terminated image file name (the Win32 struct sizes this to MAX_PATH)
End Type

Private Sub Form_Load()
    ' Run the parent-process check as soon as the form loads.
    Call Fujincheng
End Sub

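Private Sub Fujincheng()
    ' Checks who started this process: when the parent is not explorer.exe the original's
    ' reaction is kept (message box, then terminate the parent).
    '
    ' Fixes over the original:
    '  * identifies this process by GetCurrentProcessId instead of matching App.EXEName & ".exe",
    '    which picked up any other process that happened to carry the same image name;
    '  * compares the parent's image NAME instead of its pid against "the" explorer pid, so
    '    several explorer.exe instances (multiple sessions, separate-process folder windows) no
    '    longer raise a false alarm;
    '  * guards the NUL search so a name without a terminator cannot raise "Invalid procedure call";
    '  * handles INVALID_HANDLE_VALUE from CreateToolhelp32Snapshot and closes every handle it opens;
    '  * drops the unused locals (flag, XNN).
    ' NOTE(review): a non-explorer parent is also what cmd.exe, an installer, Task Scheduler or a
    ' third-party shell produce, so terminating the parent is a drastic response to a weak signal;
    ' the message box is kept, but consider dropping the TerminateProcess call in real code.
    Const PROCESS_TERMINATE As Long = &H1       ' the access mask the original passed as 1&
    Const INVALID_HANDLE_VALUE As Long = -1     ' CreateToolhelp32Snapshot's failure value (not 0)

    Dim Process As PROCESSENTRY32
    Dim hSnapShot As Long
    Dim hParent As Long
    Dim nameEnd As Integer
    Dim mName As String
    Dim myPid As Long
    Dim parentPid As Long
    Dim parentName As String
    Dim imageNames As Collection    ' key = CStr(pid), item = lower-case image name

    Set imageNames = New Collection
    myPid = GetCurrentProcessId()

    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If hSnapShot = 0 Or hSnapShot = INVALID_HANDLE_VALUE Then Exit Sub   ' cannot decide: stay quiet

    Process.dwSize = Len(Process)   ' 1060 bytes for this Type; replaces the hard-coded literal
    If Process32First(hSnapShot, Process) <> 0 Then
        Do
            nameEnd = InStr(1, Process.szExeFile, Chr$(0))
            If nameEnd > 0 Then
                mName = LCase$(Left$(Process.szExeFile, nameEnd - 1))
            Else
                mName = LCase$(Process.szExeFile)
            End If
            ' pids are unique within one snapshot, so the key cannot collide
            imageNames.Add mName, CStr(Process.th32ProcessID)
            If Process.th32ProcessID = myPid Then parentPid = Process.th32ParentProcessID
        Loop Until Process32Next(hSnapShot, Process) < 1
    End If
    CloseHandle hSnapShot

    ' Item() raises error 5 when the parent has already exited (it is then absent from the snapshot);
    ' an empty parentName falls through to the alarm branch, as the original's pid mismatch did.
    On Error Resume Next
    parentName = imageNames.Item(CStr(parentPid))
    On Error GoTo 0

    If parentName <> "explorer.exe" Then
        MsgBox "发现父进程调试", , "警告"
        hParent = OpenProcess(PROCESS_TERMINATE, 0&, parentPid)
        If hParent <> 0 Then
            TerminateProcess hParent, 0
            CloseHandle hParent
        End If
    End If
End Sub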


正常的父进程可是 Windows 的主进程哦：explorer.exe，别搞错了 :)

反编译工具(VB Decompiler Pro)：是一款针对使用 Visual Basic 5.0/6.0 开发的程序的反编译器。VB 5.0/6.0 程序可以被编译成伪代码（p-code）或 native code 模式。由于伪代码由高级指令组成，因此很有可能反编译成源代码（当然，变量名、函数名等是无法恢复的）。VB Decompiler Pro 可以恢复众多伪代码指令，但要反编译成源代码仍有很多工作需要完成，反编译器将帮助您更轻松地分析程序算法并部分恢复源代码。如果一个程序被编译成 native code，从机器码恢复源代码几乎是不可能的，但即便在这种情形下 VB Decompiler 仍可以帮助你分析程序。VB Decompiler 包含一个强大的反汇编器，支持包括 MMX 和 SSE 在内的 Pentium Pro 指令集；它还包含一个代码分析器，用于搜索汇编代码中的所有 API 调用和字符串引用，并将结果转换为相应的注释。假如一个程序被编译成 .NET 程序集，反编译器将恢复托管代码的所有数据表和模块，并使用 IL 反汇编器反汇编所有的方法、函数及事件。反编译并不需要 .NET Framework，且支持所有 32 位 Windows 操作系统。VB Decompiler 也会反编译文件中的所有图形界面窗体及控件；出于技术需要，反编译器可能显示所有控件的编译地址。对于加壳的 VB 程序，需要先脱壳后才能正常反编译。总而言之，VB Decompiler 是一款出色的程序分析工具，尤其是当您不慎丢失源代码并需要部分恢复原工程的时候。