(编辑:jimmy 日期: 2024/12/24 浏览:2)
image.png
插件
image.png
API工具
image.png
image.png
MOV EDI,EDI ;嗯?多此一举?
PUSH EBPMOV EBP,ESPPOP EBP
cmp eax,0aaaaaaaajne 773c59e4MOV DWORD PTR SS:[ESP+0xC],0x0JMP DWORD PTR DS:[0x77381960]
image.png
image.png
image.png
image.png
image.png
#define OD_OPENPROCESS_ADDRESS (LPVOID)0x773c59d7
// od 反附加BYTE anti_od_attach[] = { 0x3D,0,0,0,0, // cmp eax,00000000 0x75,0x08, // jne 773c59e6 0xC7,0x44,0x24,0x0C,0x00,0x00,0x00,0x00, // MOV DWORD PTR SS : [ESP + 0xC] , 0x0 0xFF,0x25,0x60,0x19,0x38,0x77 // JMP DWORD PTR DS : [0x77381960]};
DWORD myPid = GetCurrentProcessId(); *(DWORD*)(anti_od_attach + 1) = myPid; // cmp eax,00000000 -> cmp eax,myPid
image.png
image.png
#include <iostream>#include <windows.h>#include <tchar.h>#include <psapi.h>#pragma comment(lib, "psapi.lib")// od的openprocess函数开始地址#define OD_OPENPROCESS_ADDRESS (LPVOID)0x773c59d7using namespace std;// od 反附加BYTE anti_od_attach[] = { 0x3D,0,0,0,0, // cmp eax,00000000 0x75,0x08, // jne 773c59e6 0xC7,0x44,0x24,0x0C,0x00,0x00,0x00,0x00, // MOV DWORD PTR SS : [ESP + 0xC] , 0x0 0xFF,0x25,0x60,0x19,0x38,0x77 // JMP DWORD PTR DS : [0x77381960]};// od 关闭反附加BYTE on_od_attach[] = { 0xFF,0x25,0x60,0x19,0x38,0x77, // JMP DWORD PTR DS : [0x77381960] 0x90,0x90,0x90,0x90, // nop 0x90,0x90, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90, 0x90};// 根据进程找pidDWORD FindPid(LPCTSTR name);int main(){ system("title ==== Anti OD Attach ===="); // 把自己pid记下来生成opcode,让od attach时跳过我的程序 DWORD myPid = GetCurrentProcessId(); *(DWORD*)(anti_od_attach + 1) = myPid; // cmp eax,00000000 -> cmp eax,myPid printf("My PID:%08X\n", myPid); int num; BYTE* pCode; DWORD pCodeLen = sizeof(anti_od_attach); while (true) { cout << "0 = OD不能AttachMe" << endl; cout << "1 = OD可以AttachMe" << endl; cout << "其他退出" << endl; cout << "请输入:"; cin num; if (num == 0) { pCode = anti_od_attach; } else if (num == 1) { pCode = on_od_attach; } else { break; } // 找到进程PID DWORD pid = FindPid(L"OLLYDBG.EXE"); printf("1、OD PID:%08X\n", pid); // 打开进程 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); // 代码段置为可写 DWORD oldProtect; VirtualProtect(OD_OPENPROCESS_ADDRESS, pCodeLen, PAGE_READWRITE, &oldProtect); // 内联Hook SIZE_T realWriteNum; WriteProcessMemory(hProcess, OD_OPENPROCESS_ADDRESS, pCode, pCodeLen, &realWriteNum); // 代码段置为不可写 DWORD oldProtect2; VirtualProtect(OD_OPENPROCESS_ADDRESS, pCodeLen, oldProtect, &oldProtect2); printf("功能生效\n"); }}DWORD FindPid(LPCTSTR name) { DWORD aProcesses[1024], cbNeeded, ModNeeded; if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) return -1; HANDLE hProcess; HMODULE hMod; TCHAR szProcessName[MAX_PATH] = _T("unknown"); int nProcesses = cbNeeded / sizeof(DWORD); for (int i = 0; i < nProcesses; i++) { hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]); if (NULL != hProcess) { if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &ModNeeded)) { GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName)); if (lstrcmpi(szProcessName, name) == 0) { return aProcesses[i]; } } else continue; } } return -1;}