[持续更新]过SOD检测OD方法
使用异常
CloseHandle
如果给 CloseHandle() 传入一个无效句柄:没有调试器时,它只是失败并返回错误码(ERROR_INVALID_HANDLE);有用户态调试器附加时,内核会改为向进程抛出 EXCEPTION_INVALID_HANDLE (0xC0000008) 异常,
用 __try/__except 捕获该异常即可判断调试器存在。注意两点:伪造的句柄值(如 0x1234)有可能恰好是本进程中一个真实句柄,直接 CloseHandle 会误关自己的句柄;调试器隐藏类工具通常也会处理这一路径,因此该检测可被绕过,返回"无调试器"不能当作定论。
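// Debugger check via CloseHandle().
// Returns true when a debugger appears to be attached, false otherwise.
//
// How it works: NtClose on an invalid handle normally just fails with
// ERROR_INVALID_HANDLE, but when the process has a debug port attached the
// kernel raises EXCEPTION_INVALID_HANDLE (0xC0000008) instead; the __except
// block below catches exactly that exception.
//
// Caveats:
//  - Handle values are small integers, so a fixed bogus value such as 0x1234
//    can collide with a real handle in a process that has opened many
//    objects.  Closing a live handle from an anti-debug probe would corrupt
//    the program's own state, so the probe is skipped (reported as "no
//    debugger") when GetHandleInformation() says the value is in use.
//    NOTE(review): this assumes GetHandleInformation() reports an invalid
//    handle through its return value rather than raising - confirm.
//  - Debugger-hiding tools commonly neutralise this probe; treat a false
//    result as inconclusive, not as proof that no debugger is present.
//  - The filter only swallows EXCEPTION_INVALID_HANDLE (the original caught
//    every exception with __except(1)); anything else keeps propagating.
bool getdebebugbyCloseHandle() // true => a debugger (e.g. OllyDbg) is attached
{
    const HANDLE kBogusHandle = (HANDLE)0x00001234;
    DWORD flags = 0;

    // Do not destroy a real handle that happens to have this value.
    if (GetHandleInformation(kBogusHandle, &flags)) {
        return false;
    }

    __try {
        CloseHandle(kBogusHandle);
        return false;
    }
    __except (GetExceptionCode() == EXCEPTION_INVALID_HANDLE
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH) {
        // Reached only when the kernel raised EXCEPTION_INVALID_HANDLE.
        return true;
    }
}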
//必须先于程序执行 TLS EPO 窗口回调等等void getdebugbyOEP(){IMAGE_DOS_HEADER*dos_head=(IMAGE_DOS_HEADER*)GetModuleHandle(NULL);PIMAGE_NT_HEADERS32 nt_head=(PIMAGE_NT_HEADERS32)((DWORD)dos_head+(DWORD)dos_head->e_lfanew);BYTE*OEP=(BYTE*)(nt_head->OptionalHeader.AddressOfEntryPoint+(DWORD)dos_head);for(unsigned long index=0;index<200;index++){if(OEP[index]==0xcc){ExitProcess(0);}}}
GetWindowLongA 获取窗口样式
OD 主窗口的样式位(GWL_STYLE / GWL_EXSTYLE)出卖了它。注意:下面的样式常量取自特定版本的 OD 主窗口,换版本、换皮肤或打过补丁的构建未必相同;反过来,任何恰好使用相同样式位的窗口也会被误报,所以命中只能算线索。
代码:
// checkod.cpp : 定义控制台应用程序的入口点。//#include <stdio.h>#include <Windows.h>void CALLBACK HandleWinEvent(HWINEVENTHOOK hook, DWORD event, HWND hwnd, LONG idObject, LONG idChild, DWORD dwEventThread, DWORD dwmsEventTime){char name[MAX_PATH];GetWindowTextA(hwnd,name,MAX_PATH);LONG mStyle = GetWindowLongA(hwnd,GWL_STYLE);LONG ExtStyle=GetWindowLongA(hwnd,GWL_EXSTYLE);if(mStyle==0x57c70000&&ExtStyle==0x140){printf("find od 1 %08x %s\r\n",dwEventThread,name);}if (mStyle==0x56CF0000&&ExtStyle==0x140){printf("Find od 2 %08x %s\r\n",dwEventThread,name);}}int main(int argc, char argv[]){CoInitialize(NULL);HWINEVENTHOOK hHook = SetWinEventHook( EVENT_MIN , EVENT_MAX , NULL, HandleWinEvent, 0, 0, WINEVENT_OUTOFCONTEXT | WINEVENT_SKIPOWNPROCESS);if (hHook){printf("set hook ok\r\n");}else{printf("some hack in this os\r\n");exit(-1);}MSG msg;while(GetMessage(&msg,NULL,0,0)){TranslateMessage(&msg);DispatchMessage(&msg);}return 0;}
窗口名的检测
搜集了常见 OD(及各种汉化/修改版)的窗口标题特征。注意:全部是子串匹配,像 "BH"、"破解"、"[...]" 这类特征在很多无关窗口标题里都会出现,命中只能作为线索;中文特征是按源文件代码页编译成字节串的,GetWindowTextA 返回的是 ANSI 代码页文本,两者不一致时永远匹配不上。
#include <stdio.h>#include <windows.h>#include <string.h>BOOL bFind = FALSE;BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam){if (hwnd == INVALID_HANDLE_VALUE){return FALSE;}char szbuf[MAX_PATH] = {0};int ilens = 0;ilens = GetWindowTextA(hwnd, szbuf, sizeof(szbuf)/sizeof(char));if(ilens != 0){PCHAR pstr = NULL;pstr = strstr(szbuf, "LCG");if(pstr == NULL)pstr = strstr(szbuf,"- 主线程");if(pstr == NULL)pstr = strstr(szbuf,"模块 -");if(pstr == NULL)pstr = strstr(szbuf,"main thread");if(pstr == NULL)pstr = strstr(szbuf,",module");if(pstr == NULL)pstr = strstr(szbuf,",- Module;");if(pstr == NULL)pstr = strstr(szbuf,"- Thread");if(pstr == NULL)pstr = strstr(szbuf,"G.P.U");if(pstr == NULL)pstr = strstr(szbuf,"+ 主线程");if(pstr == NULL)pstr = strstr(szbuf,"主线程,");if(pstr == NULL)pstr = strstr(szbuf,",模块");if(pstr == NULL)pstr = strstr(szbuf,"模块 +");if(pstr == NULL)pstr = strstr(szbuf,"PYG");if(pstr == NULL)pstr = strstr(szbuf,"FCK");if(pstr == NULL)pstr = strstr(szbuf,"?块");if(pstr == NULL)pstr = strstr(szbuf,"主线程");if(pstr == NULL)pstr = strstr(szbuf,"BH");if(pstr == NULL)pstr = strstr(szbuf,"吾爱");if(pstr == NULL)pstr = strstr(szbuf,"破解");if(pstr == NULL){pstr = strstr(szbuf,"[");if(pstr != NULL)pstr = strstr(szbuf,"]");if(pstr != NULL)goto END;}END:if(pstr != NULL){bFind = TRUE;printf("Find Od!\r\n");return FALSE;}}return TRUE;}VOID EnumOD(){EnumWindows(EnumWindowsProc, NULL);}int main(int argc, char* argv[]){EnumOD();if (bFind != TRUE){printf("Find nothind!\n");}getchar();return 0;}