An old trick, used heavily in ASProtect, mainly to hide the OEP (original entry point). On its own it cannot defeat 冲击波 or icedump's /tracex, but both of those run only under Win9x.
If you single-step the program below in SoftICE, you lose the trail when execution reaches the REPZ MOVSD instruction (inside the body of the inlined memcpy): the write raises an access violation, SEH hands it to Filter( ) and then to the __except block, and execution resumes in OEP( ) instead of at the next instruction (petite appears to do the same). Besides __try { } __except, you can also use __try { } __finally; nesting the two forms inside each other several levels deep makes the control flow harder to follow.
```cpp
#include <windows.h>
#include <string.h>   // memcpy
#include <iostream>   // the original used the pre-standard <iostream.h>, which modern MSVC no longer ships
using namespace std;

#define BUFFER_SIZE 4096

void *MemAddr = NULL;
void AccessViolation( );
int OEP( );
int Filter( );

int main( )
{
    __try {
        //........
        AccessViolation( );
        //You can insert some garbage code here
    }
    __except(Filter( )) {
        //You can insert some garbage code here
        return OEP( );
    }
    return 0;
}

void AccessViolation( )
{
    // Only BUFFER_SIZE bytes are committed; the copy writes BUFFER_SIZE + 5 bytes,
    // so the write at offset 4096 lands in uncommitted memory and raises an
    // access violation. SEH passes it to Filter( ) and then to the __except block.
    MemAddr = VirtualAlloc(NULL, BUFFER_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    memcpy(MemAddr, (void *)main, BUFFER_SIZE + 5);
    cout << "Here is some garbage, which will never be executed." << endl;
    //You can insert some garbage code here
}

int OEP( )
{
    cout << "This is the Original Entry Point." << endl;
    return 0;
}

int Filter( )
{
    //You can insert some garbage code here
    if (MemAddr) {
        // MEM_RELEASE must be used on its own with dwSize == 0; the original combined it
        // with MEM_DECOMMIT and a size, a combination VirtualFree rejects.
        VirtualFree(MemAddr, 0, MEM_RELEASE);
    }
    //You can insert some garbage code here
    return EXCEPTION_EXECUTE_HANDLER;
}
```
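As an added example (not code from the original post), the nested form the text suggests: a __try { } __finally block inside the __try { } __except, so the unwind runs the __finally before the handler body reaches the real entry point. Because __try/__except is MSVC-specific, the block also carries a fallback for other compilers that does the same thing with a guard page, SIGSEGV and siglongjmp, which is the portable equivalent of letting a deliberate fault carry execution to the hidden entry. The names run_hidden_oep, fault_path_taken, original_entry_point and the 42 return value are chosen for this example. Note the limitation an analyst relies on: a debugger that breaks on the first-chance exception, or a breakpoint placed on the handler, recovers the trail immediately.

```c
/* Added example: OEP hiding via a deliberate page fault.
 * MSVC: nested __try/__finally inside __try/__except, as the text suggests.
 * Other compilers: same idea with a guard page, SIGSEGV and siglongjmp.
 * Names (run_hidden_oep, fault_path_taken, original_entry_point) and the
 * return value 42 are chosen for this example. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>

#ifdef _MSC_VER
#include <windows.h>
#else
#include <setjmp.h>
#include <sys/mman.h>
#include <unistd.h>
#endif

#define BUFFER_SIZE 4096

/* Set on the path that only runs because the fault happened. */
static volatile sig_atomic_t g_fault_path = 0;

/* The real entry point; reached only through the exception handler. */
static int original_entry_point(void) {
    puts("This is the Original Entry Point.");
    return 42;
}

int fault_path_taken(void) { return (int)g_fault_path; }

#ifdef _MSC_VER
static void *g_mem = NULL;

/* Filter expression: release the buffer, then ask SEH to run the __except body. */
static int filter(void) {
    if (g_mem) { VirtualFree(g_mem, 0, MEM_RELEASE); g_mem = NULL; }
    return EXCEPTION_EXECUTE_HANDLER;
}

int run_hidden_oep(void) {
    __try {
        __try {
            /* 4096 bytes committed; the copy writes 4101, so the write at
             * offset 4096 hits uncommitted memory and faults. A NULL g_mem
             * (VirtualAlloc failure) faults as well and still reaches the handler. */
            g_mem = VirtualAlloc(NULL, BUFFER_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
            memcpy(g_mem, (const void *)run_hidden_oep, BUFFER_SIZE + 5);
            return -1;            /* never reached */
        } __finally {
            /* Runs during the unwind to the __except below, before the handler body. */
            g_fault_path = 1;
        }
    } __except (filter()) {
        return original_entry_point();
    }
    return -1;
}
#else
static sigjmp_buf g_resume;

static void on_segv(int sig) {
    (void)sig;
    g_fault_path = 1;
    siglongjmp(g_resume, 1);      /* also restores the signal mask saved by sigsetjmp */
}

int run_hidden_oep(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    struct sigaction sa, old;
    /* Two pages: the first writable, the second left PROT_NONE as a guard page. */
    unsigned char *mem = mmap(NULL, 2 * page, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -2;
    if (mprotect(mem, page, PROT_READ | PROT_WRITE) != 0) { munmap(mem, 2 * page); return -2; }

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(g_resume, 1) == 0) {
        /* Overrun by 5 bytes into the guard page -> SIGSEGV -> on_segv -> siglongjmp. */
        memset(mem, 0x90, page + 5);
        sigaction(SIGSEGV, &old, NULL);
        munmap(mem, 2 * page);
        return -1;                /* never reached */
    }
    /* Landed here from the handler: the "hidden" entry point. */
    sigaction(SIGSEGV, &old, NULL);
    munmap(mem, 2 * page);
    return original_entry_point();
}
#endif

int main(void) {
    int rc = run_hidden_oep();
    printf("run_hidden_oep() = %d, fault path taken = %d\n", rc, fault_path_taken());
    return rc == 42 ? 0 : 1;
}
```

Stepping through either variant in a debugger shows the same effect the text describes: the instruction that performs the overrunning store is the last one the tracer sees in program order, and the next user-mode instruction it lands on belongs to the handler.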