工程说明

By lizhirui https://www.52pojie.cn/thread-808473-1-1.html

DllProtect

加密程序。加密dll文件。加密原理：dll内容使用AES和OR加密，增加CRC校验，写入到shell程序的尾部，生成文件XXXX_Encrypted.exe

加密程序会将以下结构体写入到加壳程序。

typedef struct DATA_INFO
{
	DWORD FileSize;
	DWORD FileOriginSize;
	char *FileAESPassword;
	char *FileXORPassword;
	char *DLLVirtualName;
	bool VerifyMachineCode;
	uint64 MachineCode;
	char XORDataVerifyCode;
	DWORD CRC32DataVerifyCode;
}DATA_INFO;

加密程序

Shell

脱壳程序。执行XXXX_Encrypted.exe，将dll解密出来,包括了虚拟机检测，调试检测,内存加载dll。

Shell程序无法单独调试。

虚拟机检测

inline bool IsInsideVMWare()
{
	bool rc = true;

	__try
	{
		__asm
		{
			push   edx
				push   ecx
				push   ebx

				mov    eax, 'VMXh'
				mov    ebx, 0  // 将ebx设置为非幻数’VMXH’的其它值
				mov    ecx, 10 // 指定功能号，用于获取VMWare版本，当它为0x14时用于获取VMware内存大小
				mov    edx, 'VX' // 端口号
				in     eax, dx // 从端口dx读取VMware版本到eax
				//若上面指定功能号为0x14时，可通过判断eax中的值是否大于0，若是则说明处于虚拟机中
				cmp    ebx, 'VMXh' // 判断ebx中是否包含VMware版本’VMXh’，若是则在虚拟机中
				setz[rc] // 设置返回值

				pop    ebx
				pop    ecx
				pop    edx
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)  //如果未处于VMware中，则触发此异常
	{
		rc = false;
	}

	return rc;
}

inline bool IsVirtualPC_LDTCheck()
{
	unsigned short ldt_addr = 0;
	unsigned char ldtr[2];

	_asm sldt ldtr
	ldt_addr = *((unsigned short *)&ldtr);
	return ldt_addr != 0x00000000;
}

inline bool IsVirtualPC_GDTCheck()
{
	unsigned int gdt_addr = 0;
	unsigned char gdtr[6];

	_asm sgdt gdtr
	gdt_addr = *((unsigned int *)&gdtr[2]);
	return (gdt_addr >> 24) == 0xff;
}

inline bool IsVirtualPC_TSSCheck()
{
	unsigned char mem[4] = { 0 };

	__asm str mem;
	return (mem[0] == 0x00) && (mem[1] == 0x40);
}

inline bool DetectVM()
{
	HKEY hKey;

	char szBuffer[64];

	unsigned long hSize = sizeof(szBuffer)-1;

	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "HARDWARE\\DESCRIPTION\\System\\BIOS\\", 0, KEY_READ, &hKey) == ERROR_SUCCESS)
	{

		RegQueryValueEx(hKey, "SystemManufacturer", NULL, NULL, (unsigned char *)szBuffer, &hSize);

		if (strstr(szBuffer, "VMWARE"))
		{
			RegCloseKey(hKey);
			return true;
		}

		RegCloseKey(hKey);
	}

	return false;
}

调试检查

inline void BeginCheckTimingDebug()
{
#ifdef DEBUGCHECK
	__asm
	{
		PUSHAD
			CPUID
			RDTSC
			MOV tEAX,EAX
			MOV tEDX,EDX
			POPAD
	}

#endif
}

inline void EndCheckTimingDebug(DWORD TimeDelta)
{
#ifdef DEBUGCHECK
	__asm
	{
		PUSHAD
			CPUID
			MOV ECX,tEAX
			MOV EBX,tEDX
			RDTSC
			CMP EDX,EBX
			JA Debugger_Found
			SUB EAX,ECX
			CMP EAX,TimeDelta
			JA Debugger_Found
			JMP safe

		Debugger_Found:

		POPAD
			MOV ESP,MainESP
			JMP ExitAddress

		safe:
		POPAD
	}
#endif
}

inline void CheckDebug()
{

#ifdef DEBUGCHECK
	int debuged;
	DWORD DebugPort;
	DWORD ReturnLen;

	//虚拟机检测
	(IsInsideVMWare() || IsVirtualPC_LDTCheck() || IsVirtualPC_GDTCheck() || IsVirtualPC_TSSCheck() || DetectVM()) ? ShellExit() : 0;

	__asm
	{
		PUSHAD

			;check PEB.BeingDebugged directly

			MOV EAX,DWORD PTR FS:[0x30]
			MOVZX EAX,BYTE PTR [EAX+2]
			TEST EAX,EAX
			JNZ Debugger_Found
			JMP safe

		Debugger_Found:

		POPAD
			MOV ESP,MainESP
			MOV EBP,MainEBP
			JMP ExitAddress

		safe:

		;(PEB.ProcessHeap)
			MOV EBX,DWORD PTR FS:[030H]

			;Check if PEB.NtGlobalFlag != 0
			CMP DWORD PTR [EBX+068H],0
			JNE Debugger_Found
			;query for the PID of CSRSS.EXE
			CALL [CsrGetProcessId]

			;try to open the CSRSS.EXE process
			PUSH EAX
			PUSH FALSE
			PUSH PROCESS_QUERY_INFORMATION
			CALL [OpenProcess]

			;if OpenProcess() was successful
			;process is probably being debugged
			TEST EAX,EAX
			JNZ Debugger_Found

		EXIT:
		POPAD
	}

	(CheckRemoteDebuggerPresent(GetCurrentProcess(),&debuged) == FALSE) ? ShellExit() : 0;	
	(debuged == TRUE) ? ShellExit() : 0;
	NtQueryInformationProcess(GetCurrentProcess(),ProcessDebugPort,&DebugPort,4,&ReturnLen);
	(DebugPort != 0) ? ShellExit() : 0;

#endif
}

应用

将应用程序的核心算法写在dll里面，每次主程序启动的时候需要重新解密和解压dll。增加破解难度。