An old trick, used heavily in ASProtect, mainly to hide the OEP. Of course this alone cannot defeat 冲击波 or IceDump's /tracex, but both of those run only under Win9x.

If you trace the program below in SoftICE, you lose the thread when execution reaches the REPZ MOVSD instruction (inside the body of the inlined memcpy); petite seems to behave the same way. Besides __try { } __except, you can also use __try { } __finally; combining the two into several levels of nesting adds complexity.
#include <windows.h>
#include <string.h>     // memcpy
#include <iostream>
using namespace std;

#define BUFFER_SIZE 4096

void *MemAddr = NULL;

void AccessViolation( );
int OEP( );
int Filter( );

int main( )
{
    __try
    {
        //........
        AccessViolation( );   // faults inside memcpy; control never returns here
        //You can insert some garbage code here
    }
    __except(Filter( ))
    {
        //You can insert some garbage code here
        return OEP( );        // the real entry point, reached only through the handler
    }
    return 0;
}

void AccessViolation( )
{
    // Commits exactly one page; the rest of the 64 KB reservation stays
    // reserved but uncommitted, so any write past BUFFER_SIZE faults.
    MemAddr = VirtualAlloc(NULL, BUFFER_SIZE,
                           MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    // Deliberate overrun: BUFFER_SIZE + 5 bytes into a BUFFER_SIZE buffer.
    // The access violation is raised from the REPZ MOVSD of the inlined memcpy.
    memcpy(MemAddr, (void *)main, BUFFER_SIZE + 5);
    cout << "Here is some garbage, which will never be executed." << endl;
    //You can insert some garbage code here
}

int OEP( )
{
    cout << "This is the Original Entry Point." << endl;
    return 0;
}

int Filter( )
{
    //You can insert some garbage code here
    if (MemAddr)
    {
        // MEM_RELEASE requires dwSize == 0 and must not be combined with
        // MEM_DECOMMIT; the original MEM_DECOMMIT | MEM_RELEASE call fails.
        VirtualFree(MemAddr, 0, MEM_RELEASE);
        MemAddr = NULL;
    }
    //You can insert some garbage code here
    return EXCEPTION_EXECUTE_HANDLER;   // run the __except block, which calls OEP
}
- Title: Using SEH to change program flow for anti-tracing (1,000 chars)
- Author: blowfish
- Time: 2001-6-29 12:00:56
- Link: http://bbs.pediy.com