//Anti-Monitor
Function ABC39: Boolean; // True when a top-level window with ProcDump32's caption exists
var
  hWnd: THandle;
begin
  { FindWindow(nil, caption) matches on the exact window title only; a non-zero
    handle means such a window is currently present on the calling desktop.
    Caption matching is a weak signal: it sees only this desktop and breaks as
    soon as the tool's title text changes. }
  hWnd := FindWindow(nil, 'ProcDump32 (C) 1998, 1999, 2000 G-RoM, Lorian & Stone');
  Result := hWnd <> 0;
end;
Function ABC40: Boolean; // True when a top-level window with Sysinternals RegMon's caption exists
var
  hWnd: THandle;
begin
  { Same approach as ABC39: exact-caption lookup via FindWindow. The result is
    only as reliable as the title string, and only covers the current desktop. }
  hWnd := FindWindow(nil, 'Registry Monitor - Sysinternals: www.sysinternals.com');
  Result := hWnd <> 0;
end;
Function ABC41: Boolean; stdcall; // True when a top-level window with Sysinternals FileMon's caption exists
var
  hWnd: THandle;
begin
  { Declared stdcall, unlike ABC39/ABC40; the calling convention is kept as-is
    because external callers may depend on it. Detection itself is an exact
    window-caption lookup, with the same limitations as the sibling checks. }
  hWnd := FindWindow(nil, 'File Monitor - Sysinternals: www.sysinternals.com');
  Result := hWnd <> 0;
end;
////////////////////////////////////////////////////////////////////////////////
//Anti-loader
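Function ABC42(): Boolean; // True when the PEB BeingDebugged byte is non-zero (32-bit Windows only)
var
  YInt, NInt: Integer;
begin
  { Both flags must start at 0. The original left them uninitialised and its
    "@No" path fell straight through into "@Yes", so the not-debugged case set
    both flags to 1 and the debugged case left NInt holding stack garbage;
    Result was therefore unreliable in both cases. }
  YInt := 0;
  NInt := 0;
  asm
    mov eax, fs:[30h]              // fs:[30h] -> PEB (valid for 32-bit code only)
    movzx eax, byte ptr [eax+2h]   // PEB+2 = BeingDebugged
    or al, al
    jz @No
    mov YInt, 1                    // flag set: debugger attached
    jmp @Done                      // do not fall into the @No branch
  @No:
    mov NInt, 1                    // flag clear: no debugger attached
  @Done:
  end;
  { Exactly one flag is set now, so Result is assigned on every path. }
  Result := (YInt = 1) and (NInt = 0);
end;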
Windows 98 下:
Function IsSoftIce95Loaded: boolean; // True when the '\\.\SICE' device (SoftICE, Win9x) can be opened
var
  hDevice: THandle;
begin
  { Probe by opening the driver's device object; a valid handle means the
    driver is loaded. The handle is closed immediately, it is only a probe. }
  hDevice := CreateFileA('\\.\SICE', GENERIC_READ or GENERIC_WRITE,
                         FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL, 0);
  result := hDevice <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(hDevice);
end;
Function IsSoftIceNTLoaded: boolean; // True when the '\\.\NTICE' device (SoftICE, NT line) can be opened
var
  hDevice: THandle;
begin
  { Same device-open probe as IsSoftIce95Loaded, against the NT driver name. }
  hDevice := CreateFileA('\\.\NTICE', GENERIC_READ or GENERIC_WRITE,
                         FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL, 0);
  result := hDevice <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(hDevice);   // probe only; never keep the handle
end;
Function IsTRWLoaded: boolean; // True when the '\\.\TRWDEBUG' device (TRW) can be opened
var
  hDevice: THandle;
begin
  { Device-open probe: success means the TRW driver is loaded. }
  hDevice := CreateFileA('\\.\TRWDEBUG', GENERIC_READ or GENERIC_WRITE,
                         FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL, 0);
  result := hDevice <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(hDevice);   // probe only; never keep the handle
end;
Function IsTRW2000Loaded: boolean; // True when the '\\.\TRW2000' device (TRW2000) can be opened
var
  hDevice: THandle;
begin
  { Device-open probe: success means the TRW2000 driver is loaded. }
  hDevice := CreateFileA('\\.\TRW2000', GENERIC_READ or GENERIC_WRITE,
                         FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL, 0);
  result := hDevice <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(hDevice);   // probe only; never keep the handle
end;
Function IsRegMONLoaded: boolean; // True when the '\\.\REGVXD' device (RegMon VxD, Windows 98) can be opened
var
  hDevice: THandle;
begin
  { Windows 9x variant of the RegMon check: probe the VxD device object.
    IsNTRegMONLoaded covers the 2000/XP case via a window-caption lookup. }
  hDevice := CreateFileA('\\.\REGVXD', GENERIC_READ or GENERIC_WRITE,
                         FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL, 0);
  result := hDevice <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(hDevice);   // probe only; never keep the handle
end;
Function IsNTRegMONLoaded: boolean; // True when a top-level window with RegMon's caption exists (Windows 2000/XP)
var
  hWnd: THandle;
begin
  { Exact window-caption lookup. This duplicates ABC40 line for line; the two
    should be kept in sync if the caption string is ever updated. }
  hWnd := FindWindow(nil, 'Registry Monitor - Sysinternals: www.sysinternals.com');
  result := hWnd <> 0;
end;
Function IsFileMONLoaded: boolean; // True when the '\\.\FILEVXD' device (FileMon VxD, Windows 98) can be opened
var
  hDevice: THandle;
begin
  { Windows 9x variant of the FileMon check: probe the VxD device object.
    ABC41 covers the caption-based check used on the NT line. }
  hDevice := CreateFileA('\\.\FILEVXD', GENERIC_READ or GENERIC_WRITE,
                         FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL, 0);
  result := hDevice <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(hDevice);   // probe only; never keep the handle
end;
Function IsBW2000Loaded: boolean; // True when the '\\.\bw2k' device (BW2000) can be opened
var
  hDevice: THandle;
begin
  { Device-open probe, same shape as the SoftICE/TRW checks above. The original
    author's note says this one may come in handy when applying a packer. }
  hDevice := CreateFileA('\\.\bw2k', GENERIC_READ or GENERIC_WRITE,
                         FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
                         FILE_ATTRIBUTE_NORMAL, 0);
  result := hDevice <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(hDevice);   // probe only; never keep the handle
end;
上面的各个函数都通过返回值 True 或 False 来表示是否检测到相应的工具。
最后修改:2009 年 08 月 16 日
© 允许规范转载