Thread: Anti Reverse-Engeneering Library

Bom pessoal, sempre gosto de procurar sobre segurança de softwares e criei algumas funções aqui que podem ajudar você que quer seu programa longe de RIPs...Alpha release é que como são muitas funções, eu não tenho tempo de testar então quem quiser testar ai...Mesmo sem testar eu deixei as teorias de cada função embaixo para você entender o que eu estava fazendo para não ficar perdido...Na próxima edição vejo se explico os parâmetros também para ficar igual o MSDN rsrs..Mas por enquanto da para entender o suficiente

Espero que gostem!

Well folks, I always like to look on security software and created a few functions here that can help you whatever your program away from RIPs ... Alpha release is that they are many functions, I do not have time to test so who want to test ai Even without testing ... I let the theories of each function below for you to understand what I was doing to not get lost ... in the next issue I see is also to explain the parameters stay the same MSDN lol .. But for now the enough to understand

Hope you enjoy!

* CheckForINT3BP
* CheckForINT3BPObfunsc
* HideThread
* ChangeSizeOfImage
* MemoryBreakpointDebuggerCheck
* CheckHardwareBreakpoins
* FindAndKillProcess
* CanOpenCsrss
* RestoreExceptionFilter
* DebugMyself
* IsParentExplorer
* CheckOutputDebugString
* DebugObjectCheck
* CheckProcessDebugFlags
* FindOllyWindow
* ConfuseLordPE
* TryRemoveHardwareBreakpoint
* ClearHardwareBreakpoints

;################################################# #################################
;File created by Vitrix Maggot
;If you want to use post any modification of any of these functions please talk with me first
;You can add me on vitinho_kl10@hotmail.com
;################################################# ################################
;This file is protected by GNU license
;################################################# ################################
;Thanks to:
;ap0x
;ReWolf
;DarkProgramming
;################################################# ###############################
;This source is the first of thousans of versions of it
;If you find any bug please report (I didn't really tested it lol)
;I'll work my ass off to try to complete if with more.
;################################################# ###############################


include windows.inc
include kernel32.inc
include user32.inc
include ntdll.inc

includelib kernel32.lib
includelib user32.lib
includelib ntdll.lib

lpStr MACRO Text : req
local lText
.data
lText db Text, 0
.code
exitm <addr lText>
EndM

ofStr MACRO Text : req
local lText
.data
lText db Text, 0
.code
exitm <offset lText>
EndM

SERIAL_THRESHOLD equ 010000h
HideThreadFromDebugger equ 011h
ProcessDebugObjectHandle equ 01Eh
ProcessDebugFlags equ 01Fh

;Main functions
CheckForINT3BP PROTO WORD
CheckForINT3BPObfusc PROTO WORD
HideThread PROTO WORD
ChangeSizeOfImage PROTO WORD
MemoryBreakpointDebuggerCheck PROTO
CheckHardwareBreakpoints PROTO
ClrHwBpHandler PROTO
ClrHwBpHandler PROTO
ClearHardwareBreakpoints PROTO
TryRemoveHardwareBreakpoint PROTO
ConfuseLordPE PROTO
FindOllyWindow PROTO
CheckProcessDebugFlags PROTO
DebugObjectCheck PROTO
CheckOutputDebugString PROTO
IsParentExplorer PROTO
DebugMyself PROTO
RestoreExceptionFilter PROTO
CanOpenCsrss PROTO
;Other functions
FindAndKillProcess PROTO WORD
UnhandledExcepFilter PROTO :PEXCEPTION_POINTERS

.safeseh ClrHwBpHandler

.code

FindAndKillProcess proc szProcess : DWORD
;This is just a tool for you to kill a process faster
LOCAL hSnap : HANDLE
LOCAL pe32 : PROCESSENTRY32

invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS, 0
cmp eax, INVALID_HANDLE_VALUE
je Error
mov hSnap, eax
mov pe32.dwSize, sizeof PROCESSENTRY32
invoke Process32First, hSnap, addr pe32
invoke lstrcmp, addr pe32.szExeFile, szProcess
cmp eax, TRUE
je FoundIt
Looping:
cmp eax, FALSE
je Error
invoke Process32Next, hSnap, addr pe32
invoke lstrcmp, addr pe32.szExeFile, szProcess
cmp eax, TRUE
jne Looping
FoundIt:
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID
cmp eax, INVALID_HANDLE_VALUE
je Error
invoke SendMessage, eax, WM_DESTROY, 0, 0
mov eax, 1
ret
Error:
mov eax, 0
Ret
FindAndKillProcess EndP

ChangeSizeOfImage proc NewSize : DWORD
;When you change the SizeOfImage, some dumpers have problems to read that
mov eax, fs:[030h] ;PEB
mov eax, [eax + 0Ch] ;PED_LDR_DATA
mov eax, [eax + 0Ch] ;InOrderModuleList
mov dword ptr [eax + 020h], NewSize ;SizeOfImage
Ret
ChangeSizeOfImage EndP

CanOpenCsrss proc
;To debug a process we need to have certain privilages, the debuggers usually use SeDebugPrivilage, without it we can't open the csrss.exe process(we don't have that privilages)
;By using this technique we try to open it and if it opens, that means we have this privilage, so we are being debugged
invoke GetModuleHandle, lpStr("ntdll.dll")
invoke GetProcAddress, eax, lpStr("CsrGetProcessId")
call eax
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, eax
cmp eax, NULL
je Error
mov eax, 1
ret
Error:
mov eax, 0
Ret
CanOpenCsrss EndP

UnhandledExcepFilter proc pExcept : PEXCEPTION_POINTERS
;Just a CALLBACK function
invoke SetUnhandledExceptionFilter, pExcept.ContextRecord.Eax
add pExcept.ContextRecord.Eip, 2
mov eax, EXCEPTION_CONTINUE_EXECUTION
Ret
UnhandledExcepFilter EndP

RestoreExceptionFilter proc
;We set this option(UnhandledExceptionFilter), once the debugger use some technique to cause a unhandled exception, the program will exit instead of sending the exception
;To the debugger
invoke SetUnhandledExceptionFilter, addr RestoreExceptionFilter
xor eax, eax
div eax
Ret
RestoreExceptionFilter EndP

DebugMyself proc
;A process can only be debugged by one at a time, this technique debugs ourselves to don't let the debuggers debug us
LOCAL hProcess : HANDLE
LOCAL de : DEBUG_EVENT
LOCAL pi : PROCESS_INFORMATION
LOCAL si : STARTUPINFO

invoke RtlZeroMemory, addr pi, sizeof PROCESS_INFORMATION
invoke RtlZeroMemory, addr si, sizeof STARTUPINFO
invoke RtlZeroMemory, addr de, DEBUG_EVENT
invoke GetStartupInfo, addr si
call GetCommandLine
invoke CreateProcess, NULL, eax, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, addr si,addr pi
invoke ContinueDebugEvent, pi.dwProcessId, pi.dwThreadId, DBG_CONTINUE
invoke WaitForDebugEvent, addr de, INFINITE
Ret
DebugMyself EndP

IsParentExplorer proc
invoke GetParentProcessID
Ret
IsParentExplorer EndP

CheckOutputDebugString proc
;When we are attached to a debugger we can comunicate with it calling the OutputDebugString, so the idea is simples, we call the function, if theres no error that means
;We have a debugger in our ass
invoke OutputDebugString, lpStr("JMB Protection")
call GetLastError
cmp eax, 0
jne Error
mov eax, 1
ret
Error:
mov eax, 0
Ret
CheckOutputDebugString EndP

HideThread proc hThread : DWORD
;This NT Function hides the thread from a debugger, that can be useful to don't let him use for example GetThreadContext(Check out our registrators)
LOCAL Status : NTSTATUS

invoke GetModuleHandle, lpStr("ntdll.dll")
invoke GetProcAddress, eax, lpStr("NtSetInformationThread")
mov esi, eax
cmp hThread, NULL
jne NotActualThread
invoke GetCurrentThread
push 0
push 0
push HideThreadFromDebugger
invoke GetCurrentThread
push eax
call esi
cmp eax, 0
jne Error
mov eax, 1
ret
NotActualThread:
push 0
push 0
push HideThreadFromDebugger
push hThread
call esi
cmp eax, 0
jne Error
mov eax, 1
ret
Error:
Ret
HideThread EndP

DebugObjectCheck proc
;This method is very simple, when we debug a process we a debug object is created and can be found using the NtQueryInformationProcess, the idea is to try to catch it
;If we catch that means we are being debugged
LOCAL hDebugObject : DWORD
LOCAL Status : NTSTATUS

invoke GetCurrentProcess
invoke NtQueryInformationProcess, eax, ProcessDebugObjectHandle, addr hDebugObject, 4, NULL
cmp eax, 0
jne Error
cmp hDebugObject, FALSE
jne Error
mov eax, 1
ret
Error:
mov eax, 0
Ret
DebugObjectCheck EndP

CheckProcessDebugFlags proc
;We can check if the debugged ir inherit with out process using this function
;Remarks: This functions is reversed, if theres a debugger inheritten, it returns false
LOCAL Status : NTSTATUS
LOCAL NoDebugInherit : DWORD
mov NoDebugInherit, 0
invoke GetCurrentProcess
invoke NtQueryInformationProcess, eax, ProcessDebugFlags, addr NoDebugInherit, 4, NULL
cmp eax, 0
jne Error
cmp NoDebugInherit, FALSE
jne Error
mov eax, 1
ret
Error:
mov eax, 0
Ret
CheckProcessDebugFlags EndP


FindOllyWindow proc
;Thats just a simple way to see if theres an OllyDBG present, i wouldn't use it...It's just soo simple that phanton can easily skip it
invoke FindWindow, NULL, lpStr("OllyDbg - [CPU]")
cmp eax, NULL
mov eax, 1
ret
NotFound:
mov eax, 0
Ret
FindOllyWindow EndP

ConfuseLordPE proc
;If we change the PE Signature of the file, LordPE can't read us, it'll think its a non-PE file, so we would be protected from him
assume fs:nothing
mov eax, dword ptr fs:[30h]
test eax, eax
js @found_win9x
@found_winNT:
mov eax, [eax + 0Ch]
mov eax, [eax + 0Ch]
add dword ptr[eax + 20h], 3000h
jmp @exit
@found_win9x:
invoke GetModuleHandle, NULL
test edx, edx
jns @exit
cmp dword ptr[edx + 08], -1
jne @exit
mov edx, [edx+4]
add dword ptr[edx + 50h], 3000h
Ret
ConfuseLordPE EndP

dbgIsDebuggerPresent proc
;This is a simple function that is equal to IsDebuggerPresent but i didn't use the API, that can be good if you want to hide your protection
assume fs:nothing
mov eax, dword ptr fs:[18h]
mov eax, dword ptr ds:[eax+30h]
movzx eax, byte ptr ds:[eax+2h]
cmp eax, 1
je Detected
mov eax, 0
ret
Detected:
mov eax, 1
Ret
dbgIsDebuggerPresent EndP

CheckForINT3BP proc SizeToCheck : DWORD
;This is very simple, theres 2 types of INT3 Breakpoint, the one with the Opcode CC(INT3) and the one with the opcode CD 03 (INT 3), we'll check our hole file and see if theres
;one of them, if we find that means a debugger is trying to checkout our thread
xor ecx, ecx
xor ax, ax
xor ebx, ebx
Looping:
cmp ebx, SizeToCheck
jbe Final
lea ax, byte ptr ds:[ebx]
cmp ax, 0CCh
je FoundOne
cmp ax, 0CDh
jne DidntFound
lea ax, byte ptr ds:[ebx + 1]
cmp ax, 003h
je FoundOne
DidntFound:
inc ebx
jmp Looping
FoundOne:
inc ecx
inc ebx
jmp Looping
Final:
mov eax, ecx
Ret
CheckForINT3BP EndP

CheckForINT3BPObfusc proc SizeToCheck : DWORD
;Some times debuggers hide their INT3 breakpoints using a method of xor, this method just check if theres a hidded int3 and tell you
xor ecx, ecx
xor ax, ax
xor ebx, ebx
Looping:
cmp ebx, SizeToCheck
jbe Final
lea ax, byte ptr ds:[ebx]
xor ax, 055h
cmp ax, 099h
je FoundOne
cmp ax, 0CDh
jne DidntFound
lea ax, byte ptr ds:[ebx + 1]
cmp ax, 003h
je FoundOne
DidntFound:
inc ebx
jmp Looping
FoundOne:
inc ecx
inc ebx
jmp Looping
Final:
mov eax, ecx
Ret
Ret
CheckForINT3BPObfusc EndP

MemoryBreakpointDebuggerCheck proc
;I couldn't think in a way to completelly protect from memory breakpoints so theres this way that we can check if theres a debugged(to be specific Olly)
;We just alloc a page in our memory then we include to it's protection the PAGE_GUARD(used for memory breakpoint), so we add a ret into the buffer
;and push a potencial return, if we are under Olly, the debugger will hit the ret and and return to where we where, otherwise it will occur the exception
;STATUS_GUARD_PAGE_VIOLATION and we will know that we are under a debugger
LOCAL sysinfo : SYSTEM_INFO
LOCAl pAlloc : DWORD
LOCAL oldProtect : DWORD

invoke GetSystemInfo, addr sysinfo
invoke VirtualAlloc, NULL, sysinfo.dwPageSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
cmp eax, NULL
je Error
mov pAlloc, eax
mov ax, 0C3h ;RET Upcode
lea pAlloc, byte ptr ds:[ax]
invoke VirtualProtect, pAlloc, sysinfo.dwPageSize, PAGE_EXECUTE_READWRITE or PAGE_GUARD, oldProtect
cmp eax, 0
je Error
mov eax, pAlloc
push MemBPBeingDebugged
jmp eax
MemBPBeingDebugged:
invoke VirtualFree, pAlloc, sysinfo.dwPageSize,MEM_RELEASE
mov eax, 1
ret
Error:
mov eax, 0
Ret
MemoryBreakpointDebuggerCheck EndP


CheckHardwareBreakpoints proc
;This method is very simple, when we set a hardware breakpoint we set it's address in Dr0, Dr1, Dr2 or Dr3, the idea its to check if theres any hardware breakpoint trigged
LOCAL ctx : CONTEXT
LOCAL hThread : HANDLE
xor ebx, ebx
invoke RtlZeroMemory, addr ctx, sizeof CONTEXT
mov ctx.ContextFlags, CONTEXT_DEBUG_REGISTERS
invoke GetCurrentThread
mov hThread, eax
invoke SuspendThread, hThread
invoke GetThreadContext, eax, addr ctx
cmp ctx._Dr0, 0
je Next1
inc ebx
Next1:
cmp ctx._Dr1, 0
je Next2
inc ebx
Next2:
cmp ctx._Dr2, 0
je Next3
inc ebx
Next3:
cmp ctx._Dr3, 0
inc ebx
mov eax, ebx
ret
Error:
mov eax, 0
Ret
CheckHardwareBreakpoints EndP

ClearHardwareBreakpoints proc
assume fs:nothing
push offset ClrHwBpHandler
push fs:[0]
mov dword ptr fs:[0], esp ; Setup SEH
xor eax, eax
div eax ; Cause an exception
op dword ptr fs:[0] ; Execution continues here
add esp, 4
ret
ClearHardwareBreakpoints endp

ClrHwBpHandler proc
xor eax, eax
mov ecx, [esp + 0ch] ; This is a CONTEXT structure on the stack
mov dword ptr [ecx + 04h], eax ; Dr0
mov dword ptr [ecx + 08h], eax ; Dr1
mov dword ptr [ecx + 0ch], eax ; Dr2
mov dword ptr [ecx + 10h], eax ; Dr3
mov dword ptr [ecx + 14h], eax ; Dr6
mov dword ptr [ecx + 18h], eax ; Dr7
add dword ptr [ecx + 0b8h], 2 ; We add 2 to EIP to skip the div eax
ret
ClrHwBpHandler endp

end.