Старые трюки обнаружения RCE-инструментов
Фрагмент кода программы NEOx'a Detector:
// DetectorDlg.cpp : implementation file
//
#include "stdafx.h"
#include "Detector.h"
#include "DetectorDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
// Device (symbolic-link) names that OpenDevice() below tries to open as
// "\\.\NAME" (or "\\.\Global\NAME" on NT 5+). Opening succeeds only when the
// corresponding driver/VxD is loaded, so each name is a presence probe for
// one tool. The names date from the Win9x/NT 4 era.
//***********************[ Soft-ICE ]***********************
#define SOFT_ICE9X "SICE" //SoftICE for Win9x
#define SOFT_ICENT "NTICE" //SoftICE for WinNT
//**********************************************************
//**********[ File monitor & Registry monitor ]*************
#define FILE_MONITOR "FILEMON" //File monitor
#define REG_MONITOR "REGVXD" //Registry monitor
//**********************************************************
//*********************[ Antivirus ]************************
#define AVP_MONITOR "AVP95" //AVP monitor
//#define AVP_MONITOR "AVP_IO" //AVP monitor (alternative name, left disabled)
#define SPIDER_GUARD "SPIDER" //Dr.Web SpIDer Guard for Win9x
//**********************************************************
/////////////////////////////////////////////////////////////////////////////
// CDetectorDlg dialog
// Dialog constructor: forwards the template id to CDialog and loads the
// application icon once. LoadIcon returns a shared handle, so no
// DestroyIcon is needed in Win32.
CDetectorDlg::CDetectorDlg (CWnd* pParent /*=NULL*/)
    : CDialog (CDetectorDlg::IDD, pParent),
      m_hIcon (AfxGetApp () ->LoadIcon (IDR_MAINFRAME))
{
//{{AFX_DATA_INIT (CDetectorDlg)
// NOTE: the ClassWizard will add member initialization here
//}}AFX_DATA_INIT
}
// DDX/DDV hook. This dialog maps no controls to members, so only the
// base-class exchange runs; the AFX_DATA_MAP region is maintained by
// ClassWizard and must be left in place.
void CDetectorDlg::DoDataExchange (CDataExchange* pDX)
{
CDialog::DoDataExchange (pDX);
//{{AFX_DATA_MAP (CDetectorDlg)
// NOTE: the ClassWizard will add DDX and DDV calls here
//}}AFX_DATA_MAP
}
// Message map: WM_PAINT -> OnPaint, WM_QUERYDRAGICON -> OnQueryDragIcon,
// WM_TIMER -> OnTimer (the 1-second poll), and the ID_EXIT button -> OnExit.
// The AFX_MSG_MAP region is owned by ClassWizard.
BEGIN_MESSAGE_MAP (CDetectorDlg, CDialog)
//{{AFX_MSG_MAP (CDetectorDlg)
ON_WM_PAINT ()
ON_WM_QUERYDRAGICON ()
ON_WM_TIMER ()
ON_BN_CLICKED (ID_EXIT, OnExit)
//}}AFX_MSG_MAP
END_MESSAGE_MAP ()
/////////////////////////////////////////////////////////////////////////////
// CDetectorDlg message handlers
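// One-time dialog setup: trims the system menu, installs the icon, pins the
// window above all others and starts the 1-second timer that drives OnTimer.
// Returns TRUE so the framework assigns the default focus.
BOOL CDetectorDlg::OnInitDialog ()
{
    CDialog::OnInitDialog ();

    // GetSystemMenu can return NULL; the original dereferenced it blindly.
    CMenu* pSysMenu = GetSystemMenu (FALSE);
    if (pSysMenu != NULL)
    {
        // Fixed-size window: size/restore/maximize are meaningless here.
        pSysMenu->DeleteMenu (SC_SIZE, MF_BYCOMMAND);
        pSysMenu->DeleteMenu (SC_RESTORE, MF_BYCOMMAND);
        pSysMenu->DeleteMenu (SC_MAXIMIZE, MF_BYCOMMAND);
    }

    // Set the icon for this dialog. The framework does this automatically
    // when the application's main window is not a dialog.
    SetIcon (m_hIcon, TRUE);  // big icon
    SetIcon (m_hIcon, FALSE); // small icon

    // Always-on-top. The original wrote `(true) ? HWND_TOPMOST : HWND_NOTOPMOST`,
    // which is just HWND_TOPMOST. Position/size arguments are ignored because
    // of SWP_NOMOVE | SWP_NOSIZE; only the Z-order changes.
    ::SetWindowPos (GetSafeHwnd (), HWND_TOPMOST, 0, 0, 0, 0,
                    SWP_NOMOVE | SWP_NOSIZE);

    // Poll once per second. CWnd::SetTimer documents the id as nonzero (the
    // original passed 0); OnTimer does not inspect the id, so 1 is equivalent.
    // The timer is destroyed together with the window.
    const UINT kPollTimerId = 1;
    SetTimer (kPollTimerId, 1000, NULL);

    return TRUE; // return TRUE unless you set the focus to a control
}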
// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view model,
// this is automatically done for you by the framework.
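// Paints the dialog. While minimized (IsIconic) the icon is drawn by hand,
// centred in the client rectangle (the MFC template does this for dialogs
// with a minimize button); otherwise default dialog painting runs.
// The two subtractions were garbled into em dashes in the listing and are
// restored here; nothing else changes.
void CDetectorDlg::OnPaint ()
{
    if (!IsIconic ())
    {
        CDialog::OnPaint ();
        return;
    }

    CPaintDC dc (this); // device context for painting
    SendMessage (WM_ICONERASEBKGND, reinterpret_cast<WPARAM> (dc.GetSafeHdc ()), 0);

    // Center the icon in the client rectangle.
    const int cxIcon = GetSystemMetrics (SM_CXICON);
    const int cyIcon = GetSystemMetrics (SM_CYICON);
    CRect rect;
    GetClientRect (&rect);
    const int x = (rect.Width () - cxIcon + 1) / 2;
    const int y = (rect.Height () - cyIcon + 1) / 2;

    dc.DrawIcon (x, y, m_hIcon);
}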
// The system calls this to obtain the cursor to display while the user drags
// the minimized window.
// Cursor shown while the minimized window is dragged: the dialog icon itself.
HCURSOR CDetectorDlg::OnQueryDragIcon ()
{
    return static_cast<HCURSOR> (m_hIcon);
}
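// Label for a probe result. The two literals are the user-visible strings of
// the original and must stay byte-identical.
static LPCTSTR ActivityText (BOOL active)
{
    return active ? TEXT ("is active") : TEXT ("is not active");
}

// Once-a-second poll (timer started in OnInitDialog). Each line tries to open
// one tool's device name through OpenDevice and writes "is active" /
// "is not active" into the matching static control. The probed names are the
// Win9x/NT-era driver names of SoftICE, FileMon, RegMon, AVP and SpIDer Guard;
// only presence is tested, no request is sent to any device.
// The repeated if/else pairs of the original are folded into ActivityText.
void CDetectorDlg::OnTimer (UINT nIDEvent)
{
    // File monitor and Registry monitor.
    SetDlgItemText (IDC_FM, ActivityText (OpenDevice (FILE_MONITOR)));
    SetDlgItemText (IDC_RM, ActivityText (OpenDevice (REG_MONITOR)));

    // Soft-ICE uses different device names on Win9x and WinNT. GetVersion()
    // sets the high bit on Win9x/Win32s platforms. (The original had the
    // literal garbled as 0×80000000 in the listing.)
    const bool isWin9x = (GetVersion () >= 0x80000000);
    SetDlgItemText (IDC_SI,
                    ActivityText (OpenDevice (isWin9x ? SOFT_ICE9X : SOFT_ICENT)));

    // Antivirus monitors.
    SetDlgItemText (IDC_AVPMON, ActivityText (OpenDevice (AVP_MONITOR)));
    SetDlgItemText (IDC_SPIDER, ActivityText (OpenDevice (SPIDER_GUARD)));

    CDialog::OnTimer (nIDEvent);
}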
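// Probes for a loaded driver by trying to open its device name.
//   Name    - the driver's symbolic-link name (e.g. "SICE"). It is embedded in
//             "\\.\Global\NAME" on Windows 2000 and later (major version >= 5)
//             and in "\\.\NAME" on older systems, which have no Global\ prefix.
//   Returns TRUE when CreateFile succeeds (the handle is closed immediately),
//   FALSE otherwise. Only presence is tested; no I/O is issued on the handle.
BOOL CDetectorDlg::OpenDevice (CString Name)
{
    // The original tested `GetVersion () & 0xFF >= 5`, which parses as
    // `GetVersion () & (0xFF >= 5)` == `GetVersion () & 1`, i.e. it checked
    // whether the major version is odd instead of comparing it with 5.
    const DWORD majorVersion = GetVersion () & 0xFF;
    const bool useGlobalPrefix = (majorVersion >= 5);

    // CString::Format sizes its own buffer. The original wrote into a fixed
    // TCHAR[64] with wsprintf (no length bound) and pushed a CString object
    // through the varargs, which relied on MFC's object layout.
    CString completeDeviceName;
    completeDeviceName.Format (useGlobalPrefix ? TEXT ("\\\\.\\Global\\%s")
                                               : TEXT ("\\\\.\\%s"),
                               (LPCTSTR) Name);

    // OPEN_EXISTING: the question is only whether the device exists.
    // OPEN_ALWAYS (original) asks the system to create the object if absent.
    HANDLE hDevice = CreateFile (completeDeviceName,
                                 GENERIC_READ,
                                 FILE_SHARE_READ,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    CloseHandle (hDevice);
    return TRUE;
}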
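// Exit button handler. The original called exit(0), which kills the process
// without running the dialog destructor or CWinApp::ExitInstance. Ending the
// modal dialog returns control to DoModal's caller, which then shuts the
// application down through the normal MFC path.
void CDetectorDlg::OnExit ()
{
    EndDialog (IDCANCEL);
}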
Автор: NEOx