反虚拟机程序测试一
本帖最后由 tk86935367 于 2012-5-8 17:54 编辑
PS:这个是自己写的一个反虚拟机的测试,不知道发在这里合不合适,如果不合适,版主帮忙移动下。这是一个最简单的反虚拟机测试,通过检测是否存在虚拟机增强工具(VirtualBox Guest Additions / VMware Tools)的进程来判断程序是否运行在虚拟机中。注意:这种检测只能发现装了增强工具的虚拟机,没装工具或把工具进程改名就检测不到;而且每个判断最后都落在一条可以改掉的条件跳转上,下文的补丁正是这样绕过的。首先写一个函数,判断是否包含某进程:
//是否包含某进程
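// IsContainsProcess: report whether a process whose image name equals
// strProName is currently running, by walking a Toolhelp process snapshot.
//
// Parameters:
//   strProName - image file name to look for, e.g. "VBoxTray.exe". Compared
//                ignoring case: CString::operator== is case-sensitive while
//                Windows image names are not (this post itself spells the
//                names both as "VBoxTray.exe" and "vboxtray.exe").
// Returns:
//   TRUE if a matching process was found; FALSE if none was found OR the
//   snapshot could not be created. A predicate must not terminate its caller,
//   so the original exit(1) on snapshot failure is gone - callers that want a
//   failed snapshot to count as suspicious have to decide that themselves.
//
// Security note: this is a weak VM indicator. It only sees guest-addition
// processes (VBoxTray/VBoxService, vmtoolsd, ...), so a VM without tools, or
// with the tools process renamed, passes; and every caller reduces the result
// to one test/jnz pair, which is exactly what the byte patch later in this
// post flips. Use it as one signal among several, never as the only gate.
BOOL IsContainsProcess(CString strProName)
{
    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   // must be filled in before Process32First

    BOOL bFound = FALSE;
    BOOL bMore = ::Process32First(hSnapshot, &pe32);
    while (bMore)
    {
        if (strProName.CompareNoCase(pe32.szExeFile) == 0)
        {
            bFound = TRUE;
            break;
        }
        bMore = ::Process32Next(hSnapshot, &pe32);
    }

    // Close on every path: the original returned TRUE before CloseHandle and
    // leaked the snapshot handle on each hit.
    ::CloseHandle(hSnapshot);
    return bFound;
}
然后,就可以在程序初始化的时候进行判断,是否包含了几个进程
// Names installed by the VirtualBox Guest Additions / VMware Tools. Seven
// sequential checks compile to seven separate test/jnz sites (see the
// disassembly below); folding them into a table + loop would leave a single
// site to patch, which is neither better nor worse - the real weakness is
// the check itself, not the number of branches.
if (
    IsContainsProcess("VBoxTray.exe") ||
    IsContainsProcess("VBoxService.exe") ||
    IsContainsProcess("VMwareUser.exe") ||
    IsContainsProcess("VMwareTray.exe") ||
    IsContainsProcess("VMUpgradeHelper.exe") ||
    IsContainsProcess("vmtoolsd.exe") ||
    IsContainsProcess("vmacthlp.exe")
)
{
    AfxMessageBox("请不要在虚拟机中运行该程序");
    exit(0);
}
下面,我们对这个程序进行反反调试程序下载地址:http://files.cnblogs.com/tk091/AntiVirtualTest.zip首先我们用OD载入,查找字符串。找到“请不要在虚拟机中运行该程序”,点击跟随,到达反汇编区域。
00401496 > \6A 00 push 0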
00401498 .6A 00 push 0 ;two zero arguments, then the text, then call 00410D33 below - presumably AfxMessageBox(text, 0, 0)
0040149A .68 A0804100 push 004180A0 ;请不要在虚拟机中运行该程序
0040149F .E8 8FF80000 call 00410D33
找到该跳转的来源:在 OD 中选中 00401496 这一行查看“跳转来自”,会发现共有七处 jnz 00401496,每个进程名检查一处;第一处在 004013C9:
004013C9 . /0F85 C7000000 jnz 00401496
; Each nine-instruction group below checks one process name: reserve a stack slot, build a CString temporary from the literal, call the check with ecx=esi, then test eax / jnz 00401496 (the "do not run in a VM" message box). The vboxtray group sits just above this excerpt; seven jnz sites in total target 00401496.
004013CF . |51 push ecx ;reserve the stack slot the by-value CString argument is built in (presumed)
004013D0 . |8BCC mov ecx, esp ;ecx = that slot, i.e. "this" for the constructor call
004013D2 . |896424 14 mov dword ptr , esp ;operand lost in the paste; bytes 896424 14 = mov [esp+14], esp
004013D6 . |68 10814100 push 00418110 ;vboxservice.exe
004013DB . |E8 48E30000 call 0040F728 ;presumably CString(LPCTSTR): the literal just pushed becomes the argument object
004013E0 . |8BCE mov ecx, esi ;ecx = esi looks like a this pointer, so in this build IsContainsProcess is presumably a member function
004013E2 . |E8 29FEFFFF call 00401210 ;the process check itself - all seven groups call the same routine
004013E7 . |85C0 test eax, eax ;BOOL result; these are the two bytes the patch later in the post replaces
004013E9 . |0F85 A7000000 jnz 00401496 ;found -> message box + exit(0)
004013EF . |51 push ecx
004013F0 . |8BCC mov ecx, esp
004013F2 . |896424 14 mov dword ptr , esp
004013F6 . |68 00814100 push 00418100 ;vmwareuser.exe
004013FB . |E8 28E30000 call 0040F728
00401400 . |8BCE mov ecx, esi
00401402 . |E8 09FEFFFF call 00401210
00401407 . |85C0 test eax, eax
00401409 . |0F85 87000000 jnz 00401496
0040140F . |51 push ecx
00401410 . |8BCC mov ecx, esp
00401412 . |896424 14 mov dword ptr , esp
00401416 . |68 F0804100 push 004180F0 ;vmwaretray.exe
0040141B . |E8 08E30000 call 0040F728
00401420 . |8BCE mov ecx, esi
00401422 . |E8 E9FDFFFF call 00401210
00401427 . |85C0 test eax, eax
00401429 . |75 6B jnz short 00401496
0040142B . |51 push ecx
0040142C . |8BCC mov ecx, esp
0040142E . |896424 14 mov dword ptr , esp
00401432 . |68 DC804100 push 004180DC ;vmupgradehelper.exe
00401437 . |E8 ECE20000 call 0040F728
0040143C . |8BCE mov ecx, esi
0040143E . |E8 CDFDFFFF call 00401210
00401443 . |85C0 test eax, eax
00401445 . |75 4F jnz short 00401496
00401447 . |51 push ecx
00401448 . |8BCC mov ecx, esp
0040144A . |896424 14 mov dword ptr , esp
0040144E . |68 CC804100 push 004180CC ;vmtoolsd.exe
00401453 . |E8 D0E20000 call 0040F728
00401458 . |8BCE mov ecx, esi
0040145A . |E8 B1FDFFFF call 00401210
0040145F . |85C0 test eax, eax
00401461 . |75 33 jnz short 00401496
00401463 . |51 push ecx
00401464 . |8BCC mov ecx, esp
00401466 . |896424 14 mov dword ptr , esp
0040146A . |68 BC804100 push 004180BC ;vmacthlp.exe
0040146F . |E8 B4E20000 call 0040F728
00401474 . |8BCE mov ecx, esi
00401476 . |E8 95FDFFFF call 00401210
0040147B . |85C0 test eax, eax
0040147D . |75 17 jnz short 00401496 ;last of the seven checks; falling through means no tools process was found
0040147F . |8B4C24 14 mov ecx, dword ptr ;operand lost in the paste; bytes 8B4C24 14 = mov ecx, [esp+14]
00401483 . |5F pop edi
00401484 . |5E pop esi
00401485 . |B8 01000000 mov eax, 1 ;return TRUE from the enclosing init function (presumably OnInitDialog/InitInstance)
0040148A . |64:890D 00000> mov dword ptr fs:, ecx ;bytes truncated by OD; presumably mov fs:[0], ecx - restore the previous exception frame (MFC EH epilogue, presumed)
00401491 . |5B pop ebx
00401492 . |83C4 14 add esp, 14
00401495 . |C3 retn
00401496 > \6A 00 push 0
可以看出,判断的跳转很多(七处 jnz 00401496),而且每处都紧跟在 test eax,eax 之后。把这七处 test eax,eax(机器码 85C0)都改为 xor eax,eax(33C0):两者同为两字节,后面的代码不用移动;xor 之后 ZF 恒为 1,jnz 永远不会跳到 00401496,然后保存文件即可。注意这样只是把检查结果清零,IsContainsProcess 本身仍然会执行。
004013AF .51 push ecx
; Same code after the patch: every 85C0 (test eax,eax) became 33C0 (xor eax,eax). Same length, so nothing moved; xor clears eax and sets ZF=1, so each jnz 00401496 that follows is never taken and execution reaches the normal return at 00401495. The checks themselves still run; only their result is discarded.
004013B0 .8BCC mov ecx, esp
004013B2 .896424 14 mov dword ptr , esp
004013B6 .68 20814100 push 00418120 ;vboxtray.exe
004013BB .E8 68E30000 call 0040F728 ;presumably the CString(LPCTSTR) constructor for the argument, not the check itself - the check is the call 00401210 two lines down (the original annotation put it here)
004013C0 .8BCE mov ecx, esi
004013C2 .E8 49FEFFFF call 00401210 ;IsContainsProcess(...) (presumed; same callee for all seven names)
004013C7 33C0 xor eax, eax ;patched: was 85C0 test eax,eax - eax=0, ZF=1
004013C9 0F85 C7000000 jnz 00401496 ;never taken after the patch
004013CF .51 push ecx
004013D0 .8BCC mov ecx, esp
004013D2 .896424 14 mov dword ptr , esp
004013D6 .68 10814100 push 00418110 ;vboxservice.exe
004013DB .E8 48E30000 call 0040F728
004013E0 .8BCE mov ecx, esi
004013E2 .E8 29FEFFFF call 00401210
004013E7 33C0 xor eax, eax ;patched
004013E9 0F85 A7000000 jnz 00401496
004013EF .51 push ecx
004013F0 .8BCC mov ecx, esp
004013F2 .896424 14 mov dword ptr , esp
004013F6 .68 00814100 push 00418100 ;vmwareuser.exe
004013FB .E8 28E30000 call 0040F728
00401400 .8BCE mov ecx, esi
00401402 .E8 09FEFFFF call 00401210
00401407 33C0 xor eax, eax ;patched
00401409 0F85 87000000 jnz 00401496
0040140F .51 push ecx
00401410 .8BCC mov ecx, esp
00401412 .896424 14 mov dword ptr , esp
00401416 .68 F0804100 push 004180F0 ;vmwaretray.exe
0040141B .E8 08E30000 call 0040F728
00401420 .8BCE mov ecx, esi
00401422 .E8 E9FDFFFF call 00401210
00401427 33C0 xor eax, eax ;patched
00401429 75 6B jnz short 00401496
0040142B .51 push ecx
0040142C .8BCC mov ecx, esp
0040142E .896424 14 mov dword ptr , esp
00401432 .68 DC804100 push 004180DC ;vmupgradehelper.exe
00401437 .E8 ECE20000 call 0040F728
0040143C .8BCE mov ecx, esi
0040143E .E8 CDFDFFFF call 00401210
00401443 33C0 xor eax, eax ;patched
00401445 75 4F jnz short 00401496
00401447 .51 push ecx
00401448 .8BCC mov ecx, esp
0040144A .896424 14 mov dword ptr , esp
0040144E .68 CC804100 push 004180CC ;vmtoolsd.exe
00401453 .E8 D0E20000 call 0040F728
00401458 .8BCE mov ecx, esi
0040145A .E8 B1FDFFFF call 00401210
0040145F 33C0 xor eax, eax ;patched
00401461 75 33 jnz short 00401496
00401463 .51 push ecx
00401464 .8BCC mov ecx, esp
00401466 .896424 14 mov dword ptr , esp
0040146A .68 BC804100 push 004180BC ;vmacthlp.exe
0040146F .E8 B4E20000 call 0040F728
00401474 .8BCE mov ecx, esi
00401476 .E8 95FDFFFF call 00401210
0040147B 33C0 xor eax, eax ;patched
0040147D 75 17 jnz short 00401496 ;seventh and last site; always falls through now
0040147F .8B4C24 14 mov ecx, dword ptr ;operand lost in the paste; bytes 8B4C24 14 = mov ecx, [esp+14]
00401483 .5F pop edi
00401484 .5E pop esi
00401485 .B8 01000000 mov eax, 1 ;return TRUE from the enclosing init function (presumably OnInitDialog/InitInstance)
0040148A .64:890D 00000>mov dword ptr fs:, ecx ;bytes truncated by OD; presumably mov fs:[0], ecx - restore the previous exception frame (MFC EH epilogue, presumed)
00401491 .5B pop ebx
00401492 .83C4 14 add esp, 14
00401495 .C3 retn
打完补丁(反反虚拟机)后的程序下载:http://files.cnblogs.com/tk091/anti-anti.zip
这个排版看起来太头疼了。
需要看的可以移步:
http://www.cnblogs.com/tk091/archive/2012/04/21/2461158.html
这个教程不错 收藏了 谢谢 挺不錯的 学习了先