虚拟机检测
分别用几种方法来实现的,有兴趣可以看下。感觉再加上病毒变异技术的话,那就可以躲过杀软了……
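; Target: 32-bit Windows, MASM (ML) syntax, stdcall, case-sensitive symbols.
; .386p instead of .386: the descriptor-table reads used below (sgdt, sidt,
; str) are privileged-class instructions to the assembler, and some ML
; versions reject them under the plain .386 directive. The P form is a
; strict superset, so this is harmless where .386 already assembled.
.386p
.model flat,stdcall
option casemap:none
include INVM.inc                ; Win32 includes, window globals (hInstance, hWnd, ...) and resource ids

; Read-only strings. Nothing in this file writes them, so they live in the
; read-only section instead of a writable .data page.
.const
g_vm_0    db 'VMXh',0           ; not referenced in this file; presumably the VMware backdoor magic for the unimplemented signature check
g_vm_1    db 'VX',0             ; not referenced in this file; presumably the backdoor I/O port tag for the same check
g_title   db '这种检测的位置比较多,但是具有不同的针对性,这里就不检测了',0   ; shown by the "signature check" button instead of running a check
g_msg_suc db 'in vm!',0         ; verdict text: a check fired
g_msg_fal db 'out vm!',0        ; verdict text: a check did not fire
g_dbg_0   db '%x',0             ; not referenced in this file; presumably a wsprintf-style debug format

; Writable state.
.data
g_rc      db 0                  ; not referenced in this file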
.code
; Process entry point. Fills the per-process globals the rest of the file
; reads (hInstance, CommandLine; both declared in INVM.inc), initialises the
; common-controls library for the dialog, then hands over to WinMain and
; turns its return value into the process exit code.
start:
    invoke GetCommandLine               ; ANSI command line, kept for WinMain
    mov    CommandLine, eax
    invoke GetModuleHandle, NULL        ; HINSTANCE of this executable
    mov    hInstance, eax
    invoke InitCommonControls
    invoke WinMain, hInstance, NULL, CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess, eax             ; eax = WinMain's result
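;-----------------------------------------------------------------------
; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR CmdLine, int CmdShow)
; Registers the window class the dialog template is built on (class-based
; dialog: cbWndExtra = DLGWINDOWEXTRA, lpfnWndProc = WndProc), creates the
; main dialog from IDD_DIALOG and pumps messages until WM_QUIT.
; Returns: eax = wParam of WM_QUIT (0: WndProc calls PostQuitMessage with
;          NULL), or 1 when the class cannot be registered, the dialog
;          cannot be created, or GetMessage reports an error.
; hPrevInst and CmdLine are unused; CmdShow is not consulted (SW_SHOWNORMAL
; is forced, as before).
; Fixes vs. the original: the return values of RegisterClassEx and
; CreateDialogParam were never checked (ShowWindow ran on whatever hWnd
; held), the GetMessage -1 error return was dispatched as a message, and the
; dialog was created with the global hInstance while the class used hInst.
;-----------------------------------------------------------------------
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG

    mov    wc.cbSize, sizeof WNDCLASSEX
    mov    wc.style, CS_HREDRAW or CS_VREDRAW
    mov    wc.lpfnWndProc, offset WndProc
    mov    wc.cbClsExtra, NULL
    mov    wc.cbWndExtra, DLGWINDOWEXTRA        ; dialog manager needs its per-window bytes
    push   hInst
    pop    wc.hInstance
    mov    wc.hbrBackground, COLOR_BTNFACE+1
    mov    wc.lpszMenuName, IDM_MENU
    mov    wc.lpszClassName, offset ClassName   ; must match the CLASS in the dialog template
    invoke LoadIcon, NULL, IDI_APPLICATION
    mov    wc.hIcon, eax
    mov    wc.hIconSm, eax
    invoke LoadCursor, NULL, IDC_ARROW
    mov    wc.hCursor, eax
    invoke RegisterClassEx, addr wc
    .if ax == 0                                 ; ATOM is 16-bit; 0 = registration failed
        mov eax, 1
        ret
    .endif

    ; Same module handle for the class and the dialog (hInst is what the
    ; caller got from GetModuleHandle).
    invoke CreateDialogParam, hInst, IDD_DIALOG, NULL, addr WndProc, NULL
    .if eax == NULL                             ; bad template or class mismatch
        mov eax, 1
        ret
    .endif
    mov    hWnd, eax                            ; WndProc stores the same handle on WM_INITDIALOG
    invoke ShowWindow, hWnd, SW_SHOWNORMAL
    invoke UpdateWindow, hWnd

    .while TRUE
        invoke GetMessage, addr msg, NULL, 0, 0
        .break .if eax == 0                     ; WM_QUIT: exit code is in msg.wParam
        .if eax == -1                           ; error (e.g. invalid window handle): do not dispatch
            mov eax, 1
            ret
        .endif
        invoke TranslateMessage, addr msg
        invoke DispatchMessage, addr msg
    .endw
    mov    eax, msg.wParam
    ret
WinMain endp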
; Memory image written by SGDT: a 16-bit limit followed by a 32-bit linear
; base. The base is split into two words so the high half (bits 31..16) can
; be read on its own. Same layout as idt_ (SIDT).
gdt_ struct
    limit  dw ?                 ; table size minus one
    baselo dw ?                 ; base address bits 15..0
    basehi dw ?                 ; base address bits 31..16
gdt_ ends
;-----------------------------------------------------------------------
; ldt_gdt: GDT-base heuristic.
; Stores the GDTR with SGDT and returns eax = 1 when the top byte of the
; GDT linear base (bits 31..24) is 0FFh, else eax = 0. Despite the name
; only the GDT is examined.
; NOTE(review): a hardware-virtualised guest sees its own real GDTR, so
; this only tells older binary-translation hypervisors apart; and on a
; CPU/OS with UMIP enabled SGDT faults in user mode - confirm on the target.
; Clobbers: eax, flags.
;-----------------------------------------------------------------------
ldt_gdt proc
    LOCAL gdt:gdt_
    sgdt   gdt                          ; 6 bytes: limit, base
    mov    ax, gdt.basehi               ; ah = base bits 31..24
    .if ah == 0ffh
        mov eax, 1                      ; detected
    .else
        xor eax, eax                    ; not detected
    .endif
    ret
ldt_gdt endp
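;-----------------------------------------------------------------------
; str_test: Task Register heuristic.
; STR stores the 16-bit TR selector. The check fires when that word is
; 4000h (byte 0 = 00h, byte 1 = 40h - the 00h/40h pair the original compare
; named). Returns eax = 1 if it fires, 0 otherwise. STR only writes memory,
; so no other register is modified.
;
; Fixes vs. the original:
;  * the local was declared as one BYTE but STR writes a WORD, so the store
;    spilled one byte past the local into the saved frame pointer;
;  * `mem == 00h && mem == 40h` can never be true, so the check never
;    fired; the two selector bytes are now compared as one word.
; NOTE(review): like the descriptor-table checks this reads guest-visible
; state under hardware-assisted virtualisation, and STR faults in user
; mode when UMIP is enabled - confirm on the target.
;-----------------------------------------------------------------------
STR_VM_SELECTOR equ 4000h

str_test proc
    LOCAL mem:word                      ; room for the full 16-bit selector
    str    mem
    .if mem == STR_VM_SELECTOR
        mov eax, 1                      ; detected
    .else
        xor eax, eax                    ; not detected
    .endif
    ret
str_test endp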
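;-----------------------------------------------------------------------
; time: RDTSC gap heuristic.
; Takes two back-to-back RDTSC readings and treats a gap above
; TIME_THRESHOLD cycles as "instruction trapped by a hypervisor".
; Returns eax = 1 if it fires, 0 otherwise; all other registers are
; preserved (pushad/popad).
;
; Changes vs. the original single-sample version:
;  * the smallest gap out of TIME_SAMPLES pairs is used, so one interrupt
;    or context switch landing between the two reads no longer yields a
;    false "in vm";
;  * the gap is compared unsigned (ja). Subtracting the two low dwords is
;    exact modulo 2^32, but the original's signed jg treated any gap with
;    bit 31 set as negative and missed it.
; The opcode is emitted as bytes because the file is assembled under a
; .386-level directive, which has no RDTSC mnemonic.
; NOTE(review): a hypervisor that does not trap RDTSC passes this test, so
; treat a 0 result as "not proven", not as "not virtualised".
;-----------------------------------------------------------------------
TIME_SAMPLES   equ 16                   ; RDTSC pairs to take
TIME_THRESHOLD equ 0FFh                 ; cycles; same cut-off as the original

time proc
    pushad
    mov    edi, 0FFFFFFFFh              ; edi = smallest gap seen so far
    mov    esi, TIME_SAMPLES            ; esi = samples left
time_sample:
    db     0fh, 31h                     ; RDTSC: edx:eax = time-stamp counter
    mov    ebx, eax                     ; ebx = low dword of the first reading
    db     0fh, 31h                     ; RDTSC again
    sub    eax, ebx                     ; eax = gap (mod 2^32)
    cmp    eax, edi
    jae    time_next                    ; not a new minimum
    mov    edi, eax
time_next:
    dec    esi
    jnz    time_sample
    cmp    edi, TIME_THRESHOLD
    ja     time_detected                ; even the best pair was slow: trapped
    popad
    xor    eax, eax
    ret
time_detected:
    popad
    mov    eax, 1
    ret
time endp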
; Memory image written by SIDT: a 16-bit limit followed by a 32-bit linear
; base, split into two words so the high half (bits 31..16) can be compared
; directly. Same layout as gdt_ (SGDT).
idt_ struct
    limit  dw ?                 ; table size minus one
    baselo dw ?                 ; base address bits 15..0
    basehi dw ?                 ; base address bits 31..16
idt_ ends
;-----------------------------------------------------------------------
; redpill: IDT-base heuristic ("red pill").
; Stores the IDTR with SIDT and returns eax = 1 when the upper 16 bits of
; the IDT linear base are above 0D000h (base above 0D0000000h), else 0.
; The compare is unsigned, as in the original.
; NOTE(review): every CPU has its own IDT, so on a multi-processor host the
; answer can depend on which core the thread runs on; a hardware-virtualised
; guest sees its own real IDTR; and SIDT faults in user mode when UMIP is
; enabled - confirm on the target.
; Clobbers: eax, flags.
;-----------------------------------------------------------------------
redpill proc
    LOCAL idt:idt_
    sidt   idt
    xor    eax, eax                     ; assume not detected
    .if idt.basehi > 0d000h             ; unsigned: basehi is a WORD
        inc eax                         ; detected
    .endif
    ret
redpill endp
; other: placeholder for artifact/signature style checks. Not called
; anywhere in this file; the matching button shows g_title instead.
other proc
;; There are many ways to detect here; it depends on the signatures you
;; have collected -- registry keys, for example....
ret
other endp
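; Control ids of the buttons on IDD_DIALOG (the numeric values are what the
; original compared LOWORD(wParam) against; the template lives in the
; resource file).
BTN_CHECK_GDT   equ 1002
BTN_CHECK_STR   equ 1003
BTN_CHECK_TIME  equ 1004
BTN_CHECK_SIG   equ 1005
BTN_CHECK_IDT   equ 1006

;-----------------------------------------------------------------------
; ReportVmResult(hOwner, verdict)
; Shows "in vm!" when verdict == 1 and "out vm!" otherwise, as a message
; box owned by hOwner. Shared by every check button so the four copies of
; the same if/else in the original collapse into one place.
; Returns: eax = MessageBox result (callers ignore it).
;-----------------------------------------------------------------------
ReportVmResult proc hOwner:HWND, verdict:DWORD
    .if verdict == 1
        invoke MessageBox, hOwner, offset g_msg_suc, NULL, 0
    .else
        invoke MessageBox, hOwner, offset g_msg_fal, NULL, 0
    .endif
    ret
ReportVmResult endp

;-----------------------------------------------------------------------
; WndProc(hWin, uMsg, wParam, lParam)
; Window procedure of the main dialog (class-based dialog: it is both the
; class's lpfnWndProc and the CreateDialogParam callback). Each button runs
; one detection routine and reports its verdict; menu items map to close
; and about. Anything else goes to DefWindowProc.
; Returns: eax = 0 for handled messages, DefWindowProc's result otherwise.
;
; Fix vs. the original: the "not detected" branches were written as a bare
; `.elseif` with no condition; they are `.else` branches (now inside
; ReportVmResult). Message boxes are owned by the dialog instead of NULL.
;-----------------------------------------------------------------------
WndProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    mov    eax, uMsg
    .if eax == WM_INITDIALOG
        push hWin                           ; publish the main window handle
        pop  hWnd
    .elseif eax == WM_COMMAND
        mov  eax, wParam
        and  eax, 0FFFFh                    ; LOWORD(wParam) = control / menu id
        .if eax == IDM_FILE_EXIT
            invoke SendMessage, hWin, WM_CLOSE, 0, 0
        .elseif eax == IDM_HELP_ABOUT
            invoke ShellAbout, hWin, addr AppName, addr AboutMsg, NULL
        .elseif eax == BTN_CHECK_GDT        ; GDT base check
            call   ldt_gdt
            invoke ReportVmResult, hWin, eax
        .elseif eax == BTN_CHECK_STR        ; task register check
            call   str_test
            invoke ReportVmResult, hWin, eax
        .elseif eax == BTN_CHECK_TIME       ; RDTSC gap check
            call   time
            invoke ReportVmResult, hWin, eax
        .elseif eax == BTN_CHECK_SIG        ; signature scan: not implemented, explain why
            invoke MessageBox, hWin, offset g_title, NULL, 0
        .elseif eax == BTN_CHECK_IDT        ; IDT base check (red pill)
            call   redpill
            invoke ReportVmResult, hWin, eax
        .endif
    .elseif eax == WM_CLOSE
        invoke DestroyWindow, hWin
    .elseif eax == WM_DESTROY
        invoke PostQuitMessage, NULL        ; exit code 0 -> WinMain's msg.wParam
    .else
        invoke DefWindowProc, hWin, uMsg, wParam, lParam
        ret
    .endif
    xor    eax, eax
    ret
WndProc endp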
end start
据说有个方法是测试指令时间。
还得手动转换……
不过确实是精品!帮你修正该死的表情符号:
.386
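; Target: 32-bit Windows, MASM (ML) syntax, stdcall, case-sensitive symbols.
; .386p on top of the preceding .386: the descriptor-table reads used below
; (sgdt, sidt, str) are privileged-class instructions to the assembler, and
; some ML versions reject them under the plain .386 directive. A later
; processor directive upgrades the earlier one and the P form is a strict
; superset, so this is harmless where .386 already assembled.
.386p
.model flat,stdcall
option casemap:none
include INVM.inc                ; Win32 includes, window globals (hInstance, hWnd, ...) and resource ids

; Read-only strings. Nothing in this file writes them, so they live in the
; read-only section instead of a writable .data page.
.const
g_vm_0    db 'VMXh',0           ; not referenced in this file; presumably the VMware backdoor magic for the unimplemented signature check
g_vm_1    db 'VX',0             ; not referenced in this file; presumably the backdoor I/O port tag for the same check
g_title   db '这种检测的位置比较多,但是具有不同的针对性,这里就不检测了',0   ; shown by the "signature check" button instead of running a check
g_msg_suc db 'in vm!',0         ; verdict text: a check fired
g_msg_fal db 'out vm!',0        ; verdict text: a check did not fire
g_dbg_0   db '%x',0             ; not referenced in this file; presumably a wsprintf-style debug format

; Writable state.
.data
g_rc      db 0                  ; not referenced in this file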
.code
; Process entry point. Fills the per-process globals the rest of the file
; reads (hInstance, CommandLine; both declared in INVM.inc), initialises the
; common-controls library for the dialog, then hands over to WinMain and
; turns its return value into the process exit code.
start:
    invoke GetCommandLine               ; ANSI command line, kept for WinMain
    mov    CommandLine, eax
    invoke GetModuleHandle, NULL        ; HINSTANCE of this executable
    mov    hInstance, eax
    invoke InitCommonControls
    invoke WinMain, hInstance, NULL, CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess, eax             ; eax = WinMain's result
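;-----------------------------------------------------------------------
; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR CmdLine, int CmdShow)
; Registers the window class the dialog template is built on (class-based
; dialog: cbWndExtra = DLGWINDOWEXTRA, lpfnWndProc = WndProc), creates the
; main dialog from IDD_DIALOG and pumps messages until WM_QUIT.
; Returns: eax = wParam of WM_QUIT (0: WndProc calls PostQuitMessage with
;          NULL), or 1 when the class cannot be registered, the dialog
;          cannot be created, or GetMessage reports an error.
; hPrevInst and CmdLine are unused; CmdShow is not consulted (SW_SHOWNORMAL
; is forced, as before).
; Fixes vs. the original: the return values of RegisterClassEx and
; CreateDialogParam were never checked (ShowWindow ran on whatever hWnd
; held), the GetMessage -1 error return was dispatched as a message, and the
; dialog was created with the global hInstance while the class used hInst.
;-----------------------------------------------------------------------
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG

    mov    wc.cbSize, sizeof WNDCLASSEX
    mov    wc.style, CS_HREDRAW or CS_VREDRAW
    mov    wc.lpfnWndProc, offset WndProc
    mov    wc.cbClsExtra, NULL
    mov    wc.cbWndExtra, DLGWINDOWEXTRA        ; dialog manager needs its per-window bytes
    push   hInst
    pop    wc.hInstance
    mov    wc.hbrBackground, COLOR_BTNFACE+1
    mov    wc.lpszMenuName, IDM_MENU
    mov    wc.lpszClassName, offset ClassName   ; must match the CLASS in the dialog template
    invoke LoadIcon, NULL, IDI_APPLICATION
    mov    wc.hIcon, eax
    mov    wc.hIconSm, eax
    invoke LoadCursor, NULL, IDC_ARROW
    mov    wc.hCursor, eax
    invoke RegisterClassEx, addr wc
    .if ax == 0                                 ; ATOM is 16-bit; 0 = registration failed
        mov eax, 1
        ret
    .endif

    ; Same module handle for the class and the dialog (hInst is what the
    ; caller got from GetModuleHandle).
    invoke CreateDialogParam, hInst, IDD_DIALOG, NULL, addr WndProc, NULL
    .if eax == NULL                             ; bad template or class mismatch
        mov eax, 1
        ret
    .endif
    mov    hWnd, eax                            ; WndProc stores the same handle on WM_INITDIALOG
    invoke ShowWindow, hWnd, SW_SHOWNORMAL
    invoke UpdateWindow, hWnd

    .while TRUE
        invoke GetMessage, addr msg, NULL, 0, 0
        .break .if eax == 0                     ; WM_QUIT: exit code is in msg.wParam
        .if eax == -1                           ; error (e.g. invalid window handle): do not dispatch
            mov eax, 1
            ret
        .endif
        invoke TranslateMessage, addr msg
        invoke DispatchMessage, addr msg
    .endw
    mov    eax, msg.wParam
    ret
WinMain endp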
; Memory image written by SGDT: a 16-bit limit followed by a 32-bit linear
; base. The base is split into two words so the high half (bits 31..16) can
; be read on its own. Same layout as idt_ (SIDT).
gdt_ struct
    limit  dw ?                 ; table size minus one
    baselo dw ?                 ; base address bits 15..0
    basehi dw ?                 ; base address bits 31..16
gdt_ ends
;-----------------------------------------------------------------------
; ldt_gdt: GDT-base heuristic.
; Stores the GDTR with SGDT and returns eax = 1 when the top byte of the
; GDT linear base (bits 31..24) is 0FFh, else eax = 0. Despite the name
; only the GDT is examined.
; NOTE(review): a hardware-virtualised guest sees its own real GDTR, so
; this only tells older binary-translation hypervisors apart; and on a
; CPU/OS with UMIP enabled SGDT faults in user mode - confirm on the target.
; Clobbers: eax, flags.
;-----------------------------------------------------------------------
ldt_gdt proc
    LOCAL gdt:gdt_
    sgdt   gdt                          ; 6 bytes: limit, base
    mov    ax, gdt.basehi               ; ah = base bits 31..24
    .if ah == 0ffh
        mov eax, 1                      ; detected
    .else
        xor eax, eax                    ; not detected
    .endif
    ret
ldt_gdt endp
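;-----------------------------------------------------------------------
; str_test: Task Register heuristic.
; STR stores the 16-bit TR selector. The check fires when that word is
; 4000h (byte 0 = 00h, byte 1 = 40h - the 00h/40h pair the original compare
; named). Returns eax = 1 if it fires, 0 otherwise. STR only writes memory,
; so no other register is modified.
;
; Fixes vs. the original:
;  * the local was declared as one BYTE but STR writes a WORD, so the store
;    spilled one byte past the local into the saved frame pointer;
;  * `mem == 00h && mem == 40h` can never be true, so the check never
;    fired; the two selector bytes are now compared as one word.
; NOTE(review): like the descriptor-table checks this reads guest-visible
; state under hardware-assisted virtualisation, and STR faults in user
; mode when UMIP is enabled - confirm on the target.
;-----------------------------------------------------------------------
STR_VM_SELECTOR equ 4000h

str_test proc
    LOCAL mem:word                      ; room for the full 16-bit selector
    str    mem
    .if mem == STR_VM_SELECTOR
        mov eax, 1                      ; detected
    .else
        xor eax, eax                    ; not detected
    .endif
    ret
str_test endp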
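;-----------------------------------------------------------------------
; time: RDTSC gap heuristic.
; Takes two back-to-back RDTSC readings and treats a gap above
; TIME_THRESHOLD cycles as "instruction trapped by a hypervisor".
; Returns eax = 1 if it fires, 0 otherwise; all other registers are
; preserved (pushad/popad).
;
; Changes vs. the original single-sample version:
;  * the smallest gap out of TIME_SAMPLES pairs is used, so one interrupt
;    or context switch landing between the two reads no longer yields a
;    false "in vm";
;  * the gap is compared unsigned (ja). Subtracting the two low dwords is
;    exact modulo 2^32, but the original's signed jg treated any gap with
;    bit 31 set as negative and missed it.
; The opcode is emitted as bytes because the file is assembled under a
; .386-level directive, which has no RDTSC mnemonic.
; NOTE(review): a hypervisor that does not trap RDTSC passes this test, so
; treat a 0 result as "not proven", not as "not virtualised".
;-----------------------------------------------------------------------
TIME_SAMPLES   equ 16                   ; RDTSC pairs to take
TIME_THRESHOLD equ 0FFh                 ; cycles; same cut-off as the original

time proc
    pushad
    mov    edi, 0FFFFFFFFh              ; edi = smallest gap seen so far
    mov    esi, TIME_SAMPLES            ; esi = samples left
time_sample:
    db     0fh, 31h                     ; RDTSC: edx:eax = time-stamp counter
    mov    ebx, eax                     ; ebx = low dword of the first reading
    db     0fh, 31h                     ; RDTSC again
    sub    eax, ebx                     ; eax = gap (mod 2^32)
    cmp    eax, edi
    jae    time_next                    ; not a new minimum
    mov    edi, eax
time_next:
    dec    esi
    jnz    time_sample
    cmp    edi, TIME_THRESHOLD
    ja     time_detected                ; even the best pair was slow: trapped
    popad
    xor    eax, eax
    ret
time_detected:
    popad
    mov    eax, 1
    ret
time endp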
; Memory image written by SIDT: a 16-bit limit followed by a 32-bit linear
; base, split into two words so the high half (bits 31..16) can be compared
; directly. Same layout as gdt_ (SGDT).
idt_ struct
    limit  dw ?                 ; table size minus one
    baselo dw ?                 ; base address bits 15..0
    basehi dw ?                 ; base address bits 31..16
idt_ ends
;-----------------------------------------------------------------------
; redpill: IDT-base heuristic ("red pill").
; Stores the IDTR with SIDT and returns eax = 1 when the upper 16 bits of
; the IDT linear base are above 0D000h (base above 0D0000000h), else 0.
; The compare is unsigned, as in the original.
; NOTE(review): every CPU has its own IDT, so on a multi-processor host the
; answer can depend on which core the thread runs on; a hardware-virtualised
; guest sees its own real IDTR; and SIDT faults in user mode when UMIP is
; enabled - confirm on the target.
; Clobbers: eax, flags.
;-----------------------------------------------------------------------
redpill proc
    LOCAL idt:idt_
    sidt   idt
    xor    eax, eax                     ; assume not detected
    .if idt.basehi > 0d000h             ; unsigned: basehi is a WORD
        inc eax                         ; detected
    .endif
    ret
redpill endp
; other: placeholder for artifact/signature style checks. Not called
; anywhere in this file; the matching button shows g_title instead.
other proc
;; There are many ways to detect here; it depends on the signatures you
;; have collected -- registry keys, for example....
ret
other endp
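; Control ids of the buttons on IDD_DIALOG (the numeric values are what the
; original compared LOWORD(wParam) against; the template lives in the
; resource file).
BTN_CHECK_GDT   equ 1002
BTN_CHECK_STR   equ 1003
BTN_CHECK_TIME  equ 1004
BTN_CHECK_SIG   equ 1005
BTN_CHECK_IDT   equ 1006

;-----------------------------------------------------------------------
; ReportVmResult(hOwner, verdict)
; Shows "in vm!" when verdict == 1 and "out vm!" otherwise, as a message
; box owned by hOwner. Shared by every check button so the four copies of
; the same if/else in the original collapse into one place.
; Returns: eax = MessageBox result (callers ignore it).
;-----------------------------------------------------------------------
ReportVmResult proc hOwner:HWND, verdict:DWORD
    .if verdict == 1
        invoke MessageBox, hOwner, offset g_msg_suc, NULL, 0
    .else
        invoke MessageBox, hOwner, offset g_msg_fal, NULL, 0
    .endif
    ret
ReportVmResult endp

;-----------------------------------------------------------------------
; WndProc(hWin, uMsg, wParam, lParam)
; Window procedure of the main dialog (class-based dialog: it is both the
; class's lpfnWndProc and the CreateDialogParam callback). Each button runs
; one detection routine and reports its verdict; menu items map to close
; and about. Anything else goes to DefWindowProc.
; Returns: eax = 0 for handled messages, DefWindowProc's result otherwise.
;
; Fix vs. the original: the "not detected" branches were written as a bare
; `.elseif` with no condition; they are `.else` branches (now inside
; ReportVmResult). Message boxes are owned by the dialog instead of NULL.
;-----------------------------------------------------------------------
WndProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    mov    eax, uMsg
    .if eax == WM_INITDIALOG
        push hWin                           ; publish the main window handle
        pop  hWnd
    .elseif eax == WM_COMMAND
        mov  eax, wParam
        and  eax, 0FFFFh                    ; LOWORD(wParam) = control / menu id
        .if eax == IDM_FILE_EXIT
            invoke SendMessage, hWin, WM_CLOSE, 0, 0
        .elseif eax == IDM_HELP_ABOUT
            invoke ShellAbout, hWin, addr AppName, addr AboutMsg, NULL
        .elseif eax == BTN_CHECK_GDT        ; GDT base check
            call   ldt_gdt
            invoke ReportVmResult, hWin, eax
        .elseif eax == BTN_CHECK_STR        ; task register check
            call   str_test
            invoke ReportVmResult, hWin, eax
        .elseif eax == BTN_CHECK_TIME       ; RDTSC gap check
            call   time
            invoke ReportVmResult, hWin, eax
        .elseif eax == BTN_CHECK_SIG        ; signature scan: not implemented, explain why
            invoke MessageBox, hWin, offset g_title, NULL, 0
        .elseif eax == BTN_CHECK_IDT        ; IDT base check (red pill)
            call   redpill
            invoke ReportVmResult, hWin, eax
        .endif
    .elseif eax == WM_CLOSE
        invoke DestroyWindow, hWin
    .elseif eax == WM_DESTROY
        invoke PostQuitMessage, NULL        ; exit code 0 -> WinMain's msg.wParam
    .else
        invoke DefWindowProc, hWin, uMsg, wParam, lParam
        ret
    .endif
    xor    eax, eax
    ret
WndProc endp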
end start
这种宏汇编代码,看着真别扭。
时间差检测……看得眼花缭乱 *_* !
学习……