页面异常反dump 及 内存访问异常hook
第七章:應用層保護
加密,加殼,反調試,混淆。。。
靜態保護:去靜態特征,去字符串,全局指針等。
動態保護:
在dump模塊的方法中,一般會調用ReadProcessMemory來讀取,可以修改PE結構中可選頭中的SizeOfImage,還有抹去PE頭的方法干擾,但對指定基址和大小就無效。
修改頁面訪問屬性為PAGE_NOACCESS可以反dump.
修改代碼方式的HOOK很難繞過代碼檢驗;硬件斷點觸發的異常可能被GetThreadContext函數獲取硬件斷點的設置檢測出來,而且硬件斷點只有4個。
內存頁面訪問異常更具隱藏性,但存在因代碼頁頻繁訪問而影響原始程序性能問題。
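// Test EXE
#include <stdio.h>
#include <Windows.h>
#include <vector>
#include <TlHelp32.h>

/*
 * Lists every module in the current process via a ToolHelp snapshot and
 * prints one "[i]Address: ..., Name: ..." line per module.
 *
 * Used by the anti-dump test in main(): it is called before and after the
 * hook DLL is loaded so the two module lists can be compared. From a
 * defender's side the extra module is exactly what this listing exposes.
 */
void EnumModule()
{
    /* The whole listing is assembled here and printed once at the end. */
    char szBuffer[256 * 100] = "";
    size_t used = 0;

    HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
    if (handle == INVALID_HANDLE_VALUE) {
        printf("枚舉模塊失敗!");
        return;
    }

    /* Module32First fails unless dwSize holds the structure size; the
     * previous code left the structure uninitialized. */
    MODULEENTRY32 entry;
    ZeroMemory(&entry, sizeof(entry));
    entry.dwSize = sizeof(entry);

    int i = 1;
    if (Module32First(handle, &entry)) {
        do {
            size_t remaining = sizeof(szBuffer) - used;
            /* Format straight into the output buffer, bounded, so a long
             * module name or a large module count cannot overrun it
             * (the old sprintf/strcat pair was unbounded). */
            int n = _snprintf(szBuffer + used, remaining,
                              "[%d]Address: 0x%p, Name: %s \r\n",
                              i, (void *)entry.modBaseAddr, entry.szModule);
            if (n < 0 || (size_t)n >= remaining) {
                /* Truncated: drop the partial entry and stop. */
                szBuffer[used] = '\0';
                break;
            }
            used += (size_t)n;
            i++;
        } while (Module32Next(handle, &entry));
    }
    CloseHandle(handle);

    /* Module names are text taken from the process, never pass them as
     * the format string itself. */
    printf("%s", szBuffer);
}

/*
 * Entry point.
 *
 * #if 1 branch: exercises the page-protection hook. MessageBoxA is called
 * once before the DLL is loaded (unhooked) and once after (hooked).
 * #else branch: exercises the anti-dump demo by printing the module list
 * before and after the DLL is loaded.
 *
 * MessageBoxA is named explicitly because that is the export the DLL
 * resolves and hooks.
 */
int main(void)
{
#if 1
    MessageBoxA(NULL, "the fact infor111", "test SEH hook", MB_OK);
    HMODULE hDll = ::LoadLibraryA("WaiGua.dll");
    if (hDll == NULL) {
        printf("LoadLibraryA failed: %lu\n", GetLastError());
    }
    /* The DLL's ChangeText() overwrites the text argument in place, so
     * this call passes a writable array rather than a string literal,
     * which may live in a read-only page. */
    char buf[] = "the fact infor111";
    MessageBoxA(NULL, buf, "test SEH hook", MB_OK);
#else // anti-dump test
    EnumModule();
    if (::LoadLibraryA("WaiGua.dll") == NULL) {
        printf("LoadLibraryA failed: %lu\n", GetLastError());
    }
    EnumModule();
    printf("second enum end.\n");
#endif
    getchar();
    return 0;
}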
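//hook.dll
// VEHHook.cpp : Defines the entry point for the DLL application.
//
// Hooks MessageBoxA without touching its code bytes: the page holding it is
// made PAGE_NOACCESS and the resulting access violation is consumed by a
// vectored exception handler. Observable from a defender's side: an extra
// module in the process, a vectored handler registered from a non-system
// module, and a user32 code page whose protection is PAGE_NOACCESS.
// 32-bit x86 / MSVC only (naked function with inline asm, ESP-relative
// argument reads).
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <limits.h>
#include <Winbase.h>

/* The vectored-handler APIs are resolved at run time from kernel32 so the
 * DLL still loads where the import library lacks them. */
typedef LONG (WINAPI *PVECTOREDEXCEPTIONHANDLER)(PEXCEPTION_POINTERS ExceptionInfo);
typedef PVOID (WINAPI *ADDVECTOREEXCEPTIONHANDLER)(ULONG FirstHandler, PVECTOREDEXCEPTIONHANDLER VectoredHandler);
typedef ULONG (WINAPI *REMOVEVECTOREDEXCEPTIONHANDLER)(PVOID Handle);

ADDVECTOREEXCEPTIONHANDLER g_AddVectorExceptionHandler = NULL;
REMOVEVECTOREDEXCEPTIONHANDLER g_RemoveVectorExceptionHandler = NULL;
/* Handle returned by AddVectoredExceptionHandler; needed to unregister the
 * handler before the DLL's code is unmapped. */
PVOID g_hVehHandle = NULL;

/* Address of the hooked function (MessageBoxA, filled in by DllMain); the
 * initial value is only a placeholder. */
DWORD func_addr = 0x00401000;
/* func_addr + 2: the trampoline re-executes the first two bytes itself and
 * then jumps here. */
DWORD func_addr_offset = func_addr + 0x2;
/* Protection of func_addr's page before it was set to PAGE_NOACCESS
 * (0 if the hook was never installed). */
DWORD g_dwOldProtect = 0;
/* Page size used for the "is this fault on our page" test; refreshed from
 * GetSystemInfo in MemPageHook. */
DWORD g_dwPageSize = 0x1000;

/* Returns a printable string for a possibly-NULL char pointer read from
 * the hooked call's stack. */
static const char *SafeStr(const char *s)
{
    return s ? s : "(null)";
}

/* Page-aligned base of an address. */
static DWORD PageBase(DWORD addr)
{
    return addr & ~(g_dwPageSize - 1);
}

/*
 * Dumps the registers and the MessageBoxA arguments of the interrupted
 * call. On entry to a 32-bit stdcall function ESP points at the return
 * address, so the arguments are at ESP+4 (hWnd), ESP+8 (lpText) and
 * ESP+0xC (lpCaption).
 */
void PrintParameters(PCONTEXT debug_context)
{
    printf("EAX: %X EBX: %X ECX: %X EDX: %X\n", debug_context->Eax, debug_context->Ebx, debug_context->Ecx, debug_context->Edx);
    printf("ESP: %X EBP: %X\n", debug_context->Esp, debug_context->Ebp);
    printf("ESI: %X EDI: %X\n", debug_context->Esi, debug_context->Edi);

    HWND hwnd = (HWND)(*(DWORD *)(debug_context->Esp + 0x4));
    const char *text = (const char *)(*(DWORD *)(debug_context->Esp + 0x8));
    const char *caption = (const char *)(*(DWORD *)(debug_context->Esp + 0xC));
    /* %s with a NULL pointer is undefined, and lpCaption may be NULL. */
    printf("Parameters\n"
           "HWND: %X\n"
           "text: %s\n"
           "caption: %s\n",
           hwnd, SafeStr(text), SafeStr(caption));
}

/*
 * Overwrites the lpText argument of the interrupted MessageBoxA call with
 * "Be Hooked!" in place, never writing past the string's current length.
 * The write is guarded with SEH because lpText may point into a read-only
 * page (a string literal); in that case the text is left unchanged.
 */
void ChangeText(PCONTEXT debug_context)
{
    char *text = (char *)(*(DWORD *)(debug_context->Esp + 0x8));
    if (text == NULL) {
        return;
    }
    __try {
        size_t length = strlen(text);
        /* _snprintf writes at most `length` bytes, so the caller's original
         * terminator at text[length] survives when the message is longer. */
        _snprintf(text, length, "Be Hooked!");
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        printf("ChangeText: lpText is not writable, left unchanged.\n");
    }
}

/*
 * Trampoline the handler redirects EIP to. It re-executes the two bytes at
 * func_addr that the hook covers and jumps to func_addr+2 through the
 * global, so the original function runs with its stack untouched.
 * Assumes the target begins with the 2-byte `mov edi,edi` hot-patch
 * prologue -- verify against the user32 build in use.
 */
void __declspec(naked) ReturnOriginalFunc(void)
{
    __asm {
        mov edi, edi
        jmp [func_addr_offset]
    }
}

/*
 * Vectored exception handler. The hooked page is PAGE_NOACCESS, so the
 * first instruction fetch at func_addr raises an access violation that
 * lands here.
 *
 * Exceptions that are not ours (other codes, or a fault on another page)
 * get EXCEPTION_CONTINUE_SEARCH. The previous code returned
 * EXCEPTION_CONTINUE_EXECUTION for every such exception, which re-ran the
 * faulting instruction forever and hid every genuine crash.
 *
 * A fault on the hooked page restores the saved protection (not
 * PAGE_EXECUTE_READWRITE, so the code page is not made writable); the hook
 * therefore fires once. A fault exactly at func_addr additionally logs and
 * patches the call and resumes at ReturnOriginalFunc.
 *
 * NOTE(review): printf from inside an exception handler can deadlock if the
 * faulting thread holds a CRT lock; acceptable for a demo only.
 */
LONG WINAPI ExceptionFilter(PEXCEPTION_POINTERS ExceptionInfo)
{
    DWORD code = ExceptionInfo->ExceptionRecord->ExceptionCode;
    if (code != EXCEPTION_SINGLE_STEP && code != STATUS_ACCESS_VIOLATION) {
        return EXCEPTION_CONTINUE_SEARCH;
    }

    DWORD address = (DWORD)ExceptionInfo->ExceptionRecord->ExceptionAddress;
    if (PageBase(address) != PageBase(func_addr)) {
        /* Not caused by our page protection: let the next handler see it. */
        return EXCEPTION_CONTINUE_SEARCH;
    }

    /* Restore access before resuming; func_addr+2 (the trampoline's
     * target) is on this same page and would fault again otherwise. */
    DWORD dwOldProtect = 0;
    DWORD restore = g_dwOldProtect ? g_dwOldProtect : PAGE_EXECUTE_READ;
    if (!VirtualProtect((LPVOID)func_addr, 1024, restore, &dwOldProtect)) {
        printf("VirtualProtect(restore) failed: %lu\n", GetLastError());
    }

    if (address == func_addr) {
        PCONTEXT debug_context = ExceptionInfo->ContextRecord;
        printf("Breakpoint hit!\n");
        PrintParameters(debug_context);
        ChangeText(debug_context);
        debug_context->Eip = (DWORD)&ReturnOriginalFunc;
    }
    return EXCEPTION_CONTINUE_EXECUTION;
}

/*
 * Anti-dump demo: sets the protection of the 4 bytes (i.e. the page) at
 * this function's own address to dwProtect and returns the previous
 * protection (0 on failure).
 *
 * NOTE(review): despite the name this targets the page holding this very
 * function, not a data section; the commented-out call targeted the region
 * following the one VirtualQuery reports. Confirm which is intended --
 * making the page of the currently running code PAGE_NOACCESS faults on
 * the next instruction fetch.
 */
DWORD ChangeDataSectionPageProtectAttr(DWORD dwProtect)
{
    DWORD dwOldProtect = 0;
    MEMORY_BASIC_INFORMATION mbi = { 0 };
    __try {
        if (VirtualQuery((LPCVOID)ChangeDataSectionPageProtectAttr, &mbi, sizeof(mbi)) == 0) {
            printf("VirtualQuery failed: %lu\n", GetLastError());
        }
        //VirtualProtect( (LPVOID)((PBYTE)mbi.BaseAddress + mbi.RegionSize), 1024,dwProtect,&dwOldProtect);
        if (!VirtualProtect((LPVOID)ChangeDataSectionPageProtectAttr, 4, dwProtect, &dwOldProtect)) {
            printf("VirtualProtect failed: %lu\n", GetLastError());
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* The old filter expression was EXCEPTION_CONTINUE_EXECUTION, which
         * re-executes the faulting instruction and never reaches this block. */
        printf("ChangeDataSectionPageProtectAttr failed.\n");
    }
    return dwOldProtect;
}

/*
 * Installs the hook: registers ExceptionFilter as the first vectored
 * handler and makes the page containing dwNewFuncAddr PAGE_NOACCESS so the
 * next call into it raises the access violation ExceptionFilter consumes.
 * ExceptionFilter matches on the global func_addr, so callers pass that
 * value (DllMain does). Returns the previous page protection, 0 on failure;
 * the caller stores it in g_dwOldProtect for the restore.
 */
DWORD MemPageHook(DWORD dwNewFuncAddr)
{
    if (g_AddVectorExceptionHandler == NULL || dwNewFuncAddr == 0) {
        printf("MemPageHook: handler API or target address unavailable.\n");
        return 0;
    }

    SYSTEM_INFO si;
    GetSystemInfo(&si);
    g_dwPageSize = si.dwPageSize;

    g_hVehHandle = g_AddVectorExceptionHandler(1, ExceptionFilter);
    if (g_hVehHandle == NULL) {
        printf("AddVectoredExceptionHandler failed.\n");
        return 0;
    }

    DWORD dwOldProtect = 0;
    /* 4 bytes is enough: protection changes apply to the whole page. */
    if (!VirtualProtect((LPVOID)dwNewFuncAddr, 4, PAGE_NOACCESS, &dwOldProtect)) {
        printf("VirtualProtect(PAGE_NOACCESS) failed: %lu\n", GetLastError());
        return 0;
    }
    return dwOldProtect;
}

/*
 * On process attach: opens a console for the log output, resolves
 * MessageBoxA and the vectored-handler APIs, and installs the page hook
 * (or, in the #else build, runs the anti-dump demo). On process detach via
 * FreeLibrary: restores the page protection and unregisters the handler,
 * so no handler pointing into unmapped code is left behind.
 */
int APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID reserved)
{
    if (reason == DLL_PROCESS_ATTACH) {
#if 1
        DisableThreadLibraryCalls(hModule);
        if (AllocConsole()) {
            /* Best effort: if the redirect fails the log lines are lost but
             * the hook still works. */
            FILE *con = freopen("CONOUT$", "w", stdout);
            SetConsoleTitleA("Console");
            SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
            if (con != NULL) {
                printf("DLL loaded.\n");
            }
        }

        HMODULE hUser32 = GetModuleHandleA("user32.dll");
        HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
        if (hUser32 == NULL || hKernel32 == NULL) {
            printf("user32/kernel32 not loaded in this process, hook not installed.\n");
            return TRUE;
        }
        func_addr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
        func_addr_offset = func_addr + 2;
        printf("MessageBoxA Addr: 0x%x\n", func_addr);

        g_AddVectorExceptionHandler = (ADDVECTOREEXCEPTIONHANDLER)GetProcAddress(hKernel32, "AddVectoredExceptionHandler");
        g_RemoveVectorExceptionHandler = (REMOVEVECTOREDEXCEPTIONHANDLER)GetProcAddress(hKernel32, "RemoveVectoredExceptionHandler");
        /* Runs under the loader lock; only kernel32 calls are made here. */
        g_dwOldProtect = MemPageHook(func_addr);
#else // anti-dump test
        ChangeDataSectionPageProtectAttr(PAGE_NOACCESS);
#endif
    } else if (reason == DLL_PROCESS_DETACH && reserved == NULL) {
        /* reserved == NULL means FreeLibrary rather than process exit. */
        if (g_dwOldProtect != 0) {
            DWORD dwTmp = 0;
            VirtualProtect((LPVOID)func_addr, 4, g_dwOldProtect, &dwTmp);
            g_dwOldProtect = 0;
        }
        if (g_hVehHandle != NULL && g_RemoveVectorExceptionHandler != NULL) {
            g_RemoveVectorExceptionHandler(g_hVehHandle);
            g_hVehHandle = NULL;
        }
    }
    return TRUE;
}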