CC斷點檢測

2019-11-14 11:22:53

字體：大中小

來源：轉載

供稿：網友

前言

以前看過CC斷點的檢測原理. 今天做脫殼練習時, 居然看到cm中有一個fnMessageBox函數中進行了CC斷點檢測.

記錄

cm中的實際函數

00FAF476 <fnMessageBoxEx> 55 push ebp00FAF477 8BEC mov ebp, esp00FAF479 51 push ecx00FAF47A 53 push ebx00FAF47B 56 push esi00FAF47C 57 push edi00FAF47D 60 pushad00FAF47E 8B15 7420FE00 mov edx, dWord ptr [FE2074] ; kernel32.7C8092CA00FAF484 83C2 64 add edx, 6400FAF487 FFD2 call edx ; getTickCount, but not used result00FAF489 8B15 3020FE00 mov edx, dword ptr [FE2030] ; USER32.77D5078600FAF48F 83C2 64 add edx, 64 ; MessageBox00FAF492 B9 05000000 mov ecx, 500FAF497 803A CC cmp byte ptr [edx], 0CC00FAF49A 74 10 je short <L_END> ; find CC breakpoint00FAF49C ^ E2 F9 loopd short 00FAF497 ; check cc breakpoint 5 times00FAF49E <L_CALL_ORG_FN> FF75 14 push dword ptr [ebp+14]00FAF4A1 FF75 10 push dword ptr [ebp+10]00FAF4A4 FF75 0C push dword ptr [ebp+C]00FAF4A7 FF75 08 push dword ptr [ebp+8]00FAF4AA FFD2 call edx ; call org MessageBox00FAF4AC <L_END> 8945 FC mov dword ptr [ebp-4], eax ; [ebp - 4] is local value iRc00FAF4AF 61 popad00FAF4B0 8B45 FC mov eax, dword ptr [ebp-4]00FAF4B3 5F pop edi00FAF4B4 5E pop esi00FAF4B5 5B pop ebx00FAF4B6 C9 leave00FAF4B7 C2 1000 retn 10

還原的CC斷點檢測

// CheckCcBp.cpp : Defines the entry point for the console application.//#include "stdafx.h"#include <windows.h>#include <stdlib.h>#include <stdio.h>#include <CONIO.H>int __stdcall MessageBoxA_ByAntiDebug( IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType);typedef int (__stdcall * PFN_MessageBoxA)( IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType);#define API_INDEX_MessageBox 0#define KEY_dwAryOrgApiAddr 0x64DWORD g_dwAryOrgApiAddr[1] = {0};int main(int argc, char* argv[]){ HMODULE hDll = NULL; PFN_MessageBoxA pfnMessageBox = NULL; // 先保存原始api地址, 這里模擬一下, 不要求和cm中相同 hDll = LoadLibraryA("user32.dll"); g_dwAryOrgApiAddr[API_INDEX_MessageBox] = (DWORD)Get