GetStartupInfo 反加载篇
来源:互联网 发布:淘宝网中老年运动衣 编辑:程序博客网 时间:2024/06/06 09:34
转:http://bbs.pediy.com/showthread.php?p=1160998#post1160998
1.Windows 加载器创建进程的时候会把StartUpInfo 的结构值设为0,而一般的可执行文件加载器创建进程的时候,则不会把StartUpInfo结构清0,利用OD来启动进程时,该结构不为0,StartUpInfo的结构如下
typedef struct _STARTUPINFO {
DWORD cb;
LPTSTR lpReserved;
LPTSTR lpDesktop;
LPTSTR lpTitle;
DWORD dwX;
DWORD dwY;
DWORD dwXSize;
DWORD dwYSize;
DWORD dwXCountChars;
DWORD dwYCountChars;
DWORD dwFillAttribute;
DWORD dwFlags;
WORD wShowWindow;
WORD cbReserved2;
LPBYTE lpReserved2;
HANDLE hStdInput;
HANDLE hStdOutput;
HANDLE hStdError;
} STARTUPINFO,
*LPSTARTUPINFO;
2. dzip32.dll 利用该方法来检测当前程序是否是被调试程序启动
CODE:009D98EC ; /*
CODE:009D98EC ; * 判断当前程序是否处于调试中
CODE:009D98EC ; * 当处于调试之中,返回值为1
CODE:009D98EC ; * 当为正常情况,返回值为0
CODE:009D98EC ; */
CODE:009D98EC
CODE:009D98EC CheckDebug_DllEntry proc near ; CODE XREF: DllEntryPoint+10D p
CODE:009D98EC
CODE:009D98EC var_34 = dword ptr -34h
CODE:009D98EC var_30 = dword ptr -30h
CODE:009D98EC var_2C = dword ptr -2Ch
CODE:009D98EC var_28 = dword ptr -28h
CODE:009D98EC var_24 = dword ptr -24h
CODE:009D98EC var_20 = dword ptr -20h
CODE:009D98EC var_1C = dword ptr -1Ch
CODE:009D98EC
CODE:009D98EC add esp, -44h
CODE:009D98EF push esp ; lpStartupInfo
CODE:009D98F0 call GetStartupInfoA_0
CODE:009D98F5 cmp [esp+44h+var_34], 0
CODE:009D98FA jnz short loc_9D9926
CODE:009D98FC cmp [esp+44h+var_30], 0
CODE:009D9901 jnz short loc_9D9926
CODE:009D9903 cmp [esp+44h+var_24], 0
CODE:009D9908 jnz short loc_9D9926
CODE:009D990A cmp [esp+44h+var_20], 0
CODE:009D990F jnz short loc_9D9926
CODE:009D9911 cmp [esp+44h+var_1C], 0
CODE:009D9916 jnz short loc_9D9926
CODE:009D9918 cmp [esp+44h+var_2C], 0
CODE:009D991D jnz short loc_9D9926
CODE:009D991F cmp [esp+44h+var_28], 0
CODE:009D9924 jz short loc_9D992A
CODE:009D9926
CODE:009D9926 loc_9D9926: ; CODE XREF: CheckDebug_DllEntry+E j
CODE:009D9926 ; CheckDebug_DllEntry+15 j
CODE:009D9926 ; CheckDebug_DllEntry+1C j
CODE:009D9926 ; CheckDebug_DllEntry+23 j
CODE:009D9926 ; CheckDebug_DllEntry+2A j
CODE:009D9926 ; CheckDebug_DllEntry+31 j
CODE:009D9926 mov al, 1
CODE:009D9928 jmp short loc_9D992C
CODE:009D992A ; ---------------------------------------------------------------------------
CODE:009D992A
CODE:009D992A loc_9D992A: ; CODE XREF: CheckDebug_DllEntry+38 j
CODE:009D992A xor eax, eax
CODE:009D992C
CODE:009D992C loc_9D992C: ; CODE XREF: CheckDebug_DllEntry+3C j
CODE:009D992C add esp, 44h
CODE:009D992F retn
CODE:009D992F CheckDebug_DllEntry endp
经过分析 :检测数据对应结构体中dwX一直到dwFileAttributes.
- GetStartupInfo 反加载篇
- GetStartupInfo
- GetStartupInfo
- GetStartupInfo
- GetStartupInfo 函数
- 阻止反外挂GPK/sys加载思路
- js全选反选+HTML加载
- 使用 GetStartupInfo 检查自己是否被"调试"
- GetStartupInfo检测程序处于被调试状态
- GetStartupInfo检测程序处于被调试状态
- 使用 GetStartupInfo 检查自己是否被"调试"
- 使用 GetStartupInfo 检查自己是否被"调试"
- 使用 GetStartupInfo 检查自己是否被"调试"
- 使用 GetStartupInfo 检查自己是否被"调试"
- 使用 GetStartupInfo 检查自己是否被"调试"
- 反其道为之,as3加载flex的swf
- APK反破解之四:Android代码动态加载技术
- APK反破解之四:Android代码动态加载技术
- EBS 常用表关联
- B. Permutation
- IBM的LPI复习资料之LPI101-Topic103:GNU和Unix命令(1)Linux命令行
- Foxmail 7.0 winsock 错误代码10061
- 第六周项目3:平面坐标点类
- GetStartupInfo 反加载篇
- 基于Hibernate框架的泛型DAO层---SwiftDAO
- Android获取Theme的背景颜色
- STL中的sort
- rails部署
- 三角形类
- CentOS reset root password
- VC6.0向工程中添加文件和打开文件出错“"0x5003eaed"指令引用的"0x00000000"内存”解
- 交叉编译问题
