Using SEH to alter program flow for anti-tracing purposes (about 1,000 characters)
Tags: SEH, anti-tracing techniques
Monday, 23 June 2008, 14:30

An old trick, used heavily in ASProtect, mainly to hide the OEP. By itself it cannot, of course, defeat 冲击波 or icedump's /tracex, but both of those run only under Win9x. If you trace the program below with SoftICE, you lose the thread when execution reaches the REPZ MOVSD instruction (in the body of the inlined memcpy); petite seems to behave the same way. Besides __try{ }__except, you can also use __try{ }__finally; combining the two into multiple levels of nesting raises the complexity.

#include <windows.h>
#include <iostream>
#include <cstring>
using namespace std;

#define BUFFER_SIZE 4096

void *MemAddr = NULL;

void AccessViolation( );
int OEP( );
int Filter( );

int main( )
{
    __try
    {
        //........
        AccessViolation( );
        //You can insert some garbage code here
    }
    __except(Filter( ))
    {
        //You can insert some garbage code here
        return OEP( );
    }
    return 0;
}

void AccessViolation( )
{
    MemAddr = VirtualAlloc(NULL, BUFFER_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    // Deliberately copies far more than BUFFER_SIZE bytes into a BUFFER_SIZE-byte
    // region (the operator was lost in extraction; multiplication is assumed here),
    // so the inlined memcpy (REPZ MOVSD) raises an access violation that hands
    // control to the __except filter.
    memcpy(MemAddr, (void *)main, BUFFER_SIZE * 5);
    cout << "Here is some garbage, which will never be executed." << endl;
    //You can insert some garbage code here
}

int OEP( )
{
    cout << "This is the Original Entry Point." << endl;
    return 0;
}

int Filter( )
{
    //You can insert some garbage code here
    if (MemAddr)
    {
        // MEM_RELEASE requires dwSize == 0 and cannot be combined with MEM_DECOMMIT
        VirtualFree(MemAddr, 0, MEM_RELEASE);
    }
    //You can insert some garbage code here
    return EXCEPTION_EXECUTE_HANDLER;
}