Старые трюки обнаружения RCE-инструментов

автор | 21 Декабрь, 2008

Фрагмент кода программы NEOx'a Detector:

// DetectorDlg.cpp : implementation file
//

#include "stdafx.h"
#include "Detector.h"
#include "DetectorDlg.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

//***********************[ Soft-ICE ]***********************
// Device names probed by CDetectorDlg::OpenDevice(), which opens them as
// "\\.\<name>" (or "\\.\Global\<name>" on newer NT). A successful open is
// taken to mean the corresponding tool's driver is loaded.
#define  SOFT_ICE9X    "SICE"     //SoftICE for Win9x
#define  SOFT_ICENT    "NTICE"    //SoftICE for WinNT
//**********************************************************

//**********[ File monitor & Registry monitor ]*************
#define  FILE_MONITOR  "FILEMON"     //File monitor
#define  REG_MONITOR   "REGVXD"      //Registry monitor
//**********************************************************

//*********************[ Antivirus ]************************
#define  AVP_MONITOR  "AVP95"     //AVP monitor
//#define  AVP_MONITOR  "AVP_IO"     //AVP monitor (alternative name, disabled)

#define  SPIDER_GUARD  "SPIDER" //Dr.Web SpIDer Guard for Win9x
//**********************************************************

/////////////////////////////////////////////////////////////////////////////
// CDetectorDlg dialog

// Constructs the main dialog. pParent is forwarded to CDialog; the only
// member initialised here is m_hIcon, used later by OnInitDialog/OnPaint.
// The AFX_DATA_INIT markers are maintained by ClassWizard — do not edit them.
CDetectorDlg::CDetectorDlg (CWnd* pParent /*=NULL*/)
    : CDialog (CDetectorDlg::IDD, pParent)
{
    //{{AFX_DATA_INIT (CDetectorDlg)
        // NOTE: the ClassWizard will add member initialization here
    //}}AFX_DATA_INIT
    // Note that LoadIcon does not require a subsequent DestroyIcon in Win32
    m_hIcon = AfxGetApp () ->LoadIcon (IDR_MAINFRAME);
}

// Dialog data exchange hook. No controls are bound to members in this
// dialog, so it only delegates to CDialog; the AFX_DATA_MAP block is
// reserved for ClassWizard-generated DDX/DDV calls.
void CDetectorDlg::DoDataExchange (CDataExchange* pDX)
{
    CDialog::DoDataExchange (pDX);
    //{{AFX_DATA_MAP (CDetectorDlg)
        // NOTE: the ClassWizard will add DDX and DDV calls here
    //}}AFX_DATA_MAP
}

// Message map: WM_PAINT -> OnPaint, WM_QUERYDRAGICON -> OnQueryDragIcon,
// WM_TIMER -> OnTimer (the periodic detection pass), and the ID_EXIT
// button -> OnExit.
BEGIN_MESSAGE_MAP (CDetectorDlg, CDialog)
    //{{AFX_MSG_MAP (CDetectorDlg)
    ON_WM_PAINT ()
    ON_WM_QUERYDRAGICON ()
    ON_WM_TIMER ()
    ON_BN_CLICKED (ID_EXIT, OnExit)
    //}}AFX_MSG_MAP
END_MESSAGE_MAP ()

/////////////////////////////////////////////////////////////////////////////
// CDetectorDlg message handlers

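// One-time dialog setup: fix the window size via the system menu, set the
// icons, keep the dialog topmost and start the 1-second detection timer.
// Returns TRUE so the framework assigns the default focus.
BOOL CDetectorDlg::OnInitDialog ()
{
    CDialog::OnInitDialog ();

    // Remove size/restore/maximize from the system menu so the dialog keeps
    // a fixed size. GetSystemMenu() may return NULL, so guard the pointer
    // instead of dereferencing it unconditionally.
    CMenu* pSysMenu = GetSystemMenu (FALSE);
    if (pSysMenu != NULL)
    {
        pSysMenu->DeleteMenu (SC_SIZE, MF_BYCOMMAND);
        pSysMenu->DeleteMenu (SC_RESTORE, MF_BYCOMMAND);
        pSysMenu->DeleteMenu (SC_MAXIMIZE, MF_BYCOMMAND);
    }

    // Set the icon for this dialog.  The framework does this automatically
    //  when the application's main window is not a dialog
    SetIcon (m_hIcon, TRUE);            // Set big icon
    SetIcon (m_hIcon, FALSE);           // Set small icon

    // Keep the dialog above other windows. Only the Z-order changes:
    // SWP_NOMOVE | SWP_NOSIZE leave position and size untouched.
    ::SetWindowPos (GetSafeHwnd (), HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE);

    // Re-probe the monitored devices every 1000 ms (see OnTimer). CWnd::SetTimer
    // documents nIDEvent as a nonzero identifier, so use 1 rather than 0.
    SetTimer (1, 1000, NULL);

    return TRUE;  // return TRUE  unless you set the focus to a control
}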

// If you add a minimize button to your dialog, you will need the code below
//  to draw the icon.  For MFC applications using the document/view model,
//  this is automatically done for you by the framework.

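// Paints the dialog. When minimized, draws m_hIcon centred in the client
// area; otherwise defers to CDialog. The centring arithmetic uses plain
// ASCII minus signs — the listing had them replaced by em dashes, which
// does not compile.
void CDetectorDlg::OnPaint ()
{
    if (IsIconic ())
    {
        CPaintDC dc (this); // device context for painting

        SendMessage (WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc (), 0);

        // Center icon in client rectangle
        int cxIcon = GetSystemMetrics (SM_CXICON);
        int cyIcon = GetSystemMetrics (SM_CYICON);
        CRect rect;
        GetClientRect (&rect);
        int x = (rect.Width () - cxIcon + 1) / 2;
        int y = (rect.Height () - cyIcon + 1) / 2;

        // Draw the icon
        dc.DrawIcon (x, y, m_hIcon);
    }
    else
    {
        CDialog::OnPaint ();
    }
}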

// The system calls this to obtain the cursor to display while the user drags
//  the minimized window.
// Returns the dialog icon as the cursor shown while the minimized window is
// dragged. HCURSOR is a typedef of HICON in <winuser.h>, so the conversion
// is a plain static_cast rather than a reinterpretation.
HCURSOR CDetectorDlg::OnQueryDragIcon ()
{
    const HCURSOR dragCursor = static_cast<HCURSOR> (m_hIcon);
    return dragCursor;
}

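// Periodic detection pass (driven by the timer started in OnInitDialog).
// For each known tool the device name is probed with OpenDevice() and the
// matching static control is set to "is active" / "is not active".
// nIDEvent is only forwarded to CDialog::OnTimer.
void CDetectorDlg::OnTimer (UINT nIDEvent)
{
    // Soft-ICE registers a different device name on Win9x ("SICE") than on
    // WinNT ("NTICE"). GetVersion() has its high bit set on Win9x; the literal
    // must be 0x80000000 (the listing had a multiplication sign, which does
    // not compile).
    const char* softIceName = (GetVersion () >= 0x80000000) ? SOFT_ICE9X : SOFT_ICENT;

    // One entry per tool: device name to open and the control that shows the
    // result. Order matches the original per-tool checks.
    const struct { const char* name; UINT ctrlId; } probes[] = {
        { FILE_MONITOR, IDC_FM },       // File monitor
        { REG_MONITOR,  IDC_RM },       // Registry monitor
        { softIceName,  IDC_SI },       // Soft-ICE
        { AVP_MONITOR,  IDC_AVPMON },   // AVP monitor
        { SPIDER_GUARD, IDC_SPIDER }    // Dr. Web SpIDer Guard for Win9x
    };

    for (size_t i = 0; i < sizeof (probes) / sizeof (probes[0]); ++i)
    {
        SetDlgItemText (probes[i].ctrlId,
                        OpenDevice (probes[i].name) ? "is active" : "is not active");
    }

    CDialog::OnTimer (nIDEvent);
}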

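// Probes for a kernel device by name. Name is the bare device name (e.g.
// "SICE"); it is prefixed with "\\.\" or, on NT 5+ (Windows 2000 and later),
// "\\.\Global\". Returns TRUE if CreateFile succeeds (the handle is closed
// immediately), FALSE otherwise.
BOOL CDetectorDlg::OpenDevice (CString Name)
{
    // Low byte of GetVersion() is the major version. The mask must be
    // parenthesised: '>=' binds tighter than '&', so the original
    // "GetVersion () & 0xFF >= 5" evaluated as "GetVersion () & 1".
    const DWORD majorVersion = GetVersion () & 0xFF;

    // Build the path with CString::Format instead of wsprintf into a fixed
    // 64-char buffer; the CString is converted explicitly for the %s argument
    // rather than being passed as a class object through varargs.
    CString completeDeviceName;
    if (majorVersion >= 5) {
        completeDeviceName.Format (TEXT ("\\\\.\\Global\\%s"), static_cast<LPCTSTR> (Name));
    } else {
        completeDeviceName.Format (TEXT ("\\\\.\\%s"), static_cast<LPCTSTR> (Name));
    }

    // This is a probe only: OPEN_EXISTING never creates an object, whereas
    // OPEN_ALWAYS would create one if the name resolved to a creatable path.
    HANDLE hDevice = CreateFile (completeDeviceName,
                                 GENERIC_READ,
                                 FILE_SHARE_READ,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);

    if (hDevice == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    CloseHandle (hDevice);
    return TRUE;
}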

// Handler for the ID_EXIT button. Terminates the whole process immediately;
// control never returns to the dialog, so no EndDialog()/DoModal() unwinding
// happens here. EXIT_SUCCESS is the same status (0) the original passed.
void CDetectorDlg::OnExit ()
{
    exit (EXIT_SUCCESS);
}

Автор: NEOx
