反虚拟机程序测试

这是一个最简单的反虚拟机测试：通过检测系统中是否存在虚拟机 Tools（VirtualBox Guest Additions / VMware Tools）的进程来判断当前是否运行在虚拟机中。需要注意，这种检测只能识别安装并运行了 Tools 的虚拟机，Tools 进程被重命名或根本未安装时检测就会失效，因此它只适合作为多种检测手段中的一项。

首先写一个函数,判断是否包含某进程

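// Returns TRUE when a process whose image name equals strProName is present
// in a fresh Toolhelp snapshot of the running processes, FALSE otherwise.
//
// The comparison is case-insensitive: Windows image names are
// case-insensitive, so "vmtoolsd.exe" and "VMTOOLSD.EXE" are the same process.
//
// On snapshot failure the function now returns FALSE instead of calling
// exit(1): a predicate should not terminate the program. NOTE(review): this
// is fail-open — if the snapshot fails, no VM tools process is reported and
// the caller's check is skipped. If fail-closed behaviour is required, have
// the caller test CreateToolhelp32Snapshot itself and abort there.
BOOL IsContainsProcess(CString strProName)
{
    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(entry);   // Process32First rejects the call without a valid dwSize

    BOOL bFound = FALSE;
    // Walk the snapshot until the name matches or Process32Next reports the end.
    for (BOOL bMore = ::Process32First(hSnapshot, &entry);
         bMore;
         bMore = ::Process32Next(hSnapshot, &entry))
    {
        if (strProName.CompareNoCase(entry.szExeFile) == 0)
        {
            bFound = TRUE;
            break;
        }
    }

    // Single exit path so the snapshot handle is always released; the original
    // returned TRUE from inside the loop and leaked it on every positive match.
    ::CloseHandle(hSnapshot);
    return bFound;
}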

然后,就可以在程序初始化的时候进行判断,是否包含了几个进程

 

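    // Image names of VirtualBox Guest Additions / VMware Tools processes whose
    // presence is taken as "running inside a VM guest". Table-driven so adding a
    // name is one line instead of another || clause. Only guests with the tools
    // installed and running are detected; a renamed process defeats this check.
    static const char* const kVmToolsProcesses[] =
    {
        "VBoxTray.exe",
        "VBoxService.exe",
        "VMwareUser.exe",
        "VMwareTray.exe",
        "VMUpgradeHelper.exe",
        "vmtoolsd.exe",
        "vmacthlp.exe",
    };

    for (size_t i = 0; i < sizeof(kVmToolsProcesses) / sizeof(kVmToolsProcesses[0]); ++i)
    {
        if (IsContainsProcess(kVmToolsProcesses[i]))
        {
            AfxMessageBox("请不要在虚拟机中运行该程序");
            exit(0);   // refuse to run inside a VM guest
        }
    }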

下面,我们对这个程序做反反虚拟机处理,即用调试器把上面的检测逻辑 patch 掉。

程序下载地址:http://files.cnblogs.com/tk091/AntiVirtualTest.zip

首先我们用OD载入,查找字符串。

找到“请不要在虚拟机中运行该程序”,点击跟随,到达反汇编区域。

1 00401496   > \6A 00         push    0
2 00401498   .  6A 00         push    0
3 0040149A   .  68 A0804100   push    004180A0                         ;  请不要在虚拟机中运行该程序
4 0040149F   .  E8 8FF80000   call    00410D33

找到该跳转的来源

 1 004013C9   . /0F85 C7000000 jnz     00401496
 2 004013CF   . |51            push    ecx
 3 004013D0   . |8BCC          mov     ecx, esp
 4 004013D2   . |896424 14     mov     dword ptr [esp+14], esp
 5 004013D6   . |68 10814100   push    00418110                         ;  vboxservice.exe
 6 004013DB   . |E8 48E30000   call    0040F728
 7 004013E0   . |8BCE          mov     ecx, esi
 8 004013E2   . |E8 29FEFFFF   call    00401210
 9 004013E7   . |85C0          test    eax, eax
10 004013E9   . |0F85 A7000000 jnz     00401496
11 004013EF   . |51            push    ecx
12 004013F0   . |8BCC          mov     ecx, esp
13 004013F2   . |896424 14     mov     dword ptr [esp+14], esp
14 004013F6   . |68 00814100   push    00418100                         ;  vmwareuser.exe
15 004013FB   . |E8 28E30000   call    0040F728
16 00401400   . |8BCE          mov     ecx, esi
17 00401402   . |E8 09FEFFFF   call    00401210
18 00401407   . |85C0          test    eax, eax
19 00401409   . |0F85 87000000 jnz     00401496
20 0040140F   . |51            push    ecx
21 00401410   . |8BCC          mov     ecx, esp
22 00401412   . |896424 14     mov     dword ptr [esp+14], esp
23 00401416   . |68 F0804100   push    004180F0                         ;  vmwaretray.exe
24 0040141B   . |E8 08E30000   call    0040F728
25 00401420   . |8BCE          mov     ecx, esi
26 00401422   . |E8 E9FDFFFF   call    00401210
27 00401427   . |85C0          test    eax, eax
28 00401429   . |75 6B         jnz     short 00401496
29 0040142B   . |51            push    ecx
30 0040142C   . |8BCC          mov     ecx, esp
31 0040142E   . |896424 14     mov     dword ptr [esp+14], esp
32 00401432   . |68 DC804100   push    004180DC                         ;  vmupgradehelper.exe
33 00401437   . |E8 ECE20000   call    0040F728
34 0040143C   . |8BCE          mov     ecx, esi
35 0040143E   . |E8 CDFDFFFF   call    00401210
36 00401443   . |85C0          test    eax, eax
37 00401445   . |75 4F         jnz     short 00401496
38 00401447   . |51            push    ecx
39 00401448   . |8BCC          mov     ecx, esp
40 0040144A   . |896424 14     mov     dword ptr [esp+14], esp
41 0040144E   . |68 CC804100   push    004180CC                         ;  vmtoolsd.exe
42 00401453   . |E8 D0E20000   call    0040F728
43 00401458   . |8BCE          mov     ecx, esi
44 0040145A   . |E8 B1FDFFFF   call    00401210
45 0040145F   . |85C0          test    eax, eax
46 00401461   . |75 33         jnz     short 00401496
47 00401463   . |51            push    ecx
48 00401464   . |8BCC          mov     ecx, esp
49 00401466   . |896424 14     mov     dword ptr [esp+14], esp
50 0040146A   . |68 BC804100   push    004180BC                         ;  vmacthlp.exe
51 0040146F   . |E8 B4E20000   call    0040F728
52 00401474   . |8BCE          mov     ecx, esi
53 00401476   . |E8 95FDFFFF   call    00401210
54 0040147B   . |85C0          test    eax, eax
55 0040147D   . |75 17         jnz     short 00401496
56 0040147F   . |8B4C24 14     mov     ecx, dword ptr [esp+14]
57 00401483   . |5F            pop     edi
58 00401484   . |5E            pop     esi
59 00401485   . |B8 01000000   mov     eax, 1
60 0040148A   . |64:890D 00000>mov     dword ptr fs:[0], ecx
61 00401491   . |5B            pop     ebx
62 00401492   . |83C4 14       add     esp, 14
63 00401495   . |C3            retn
64 00401496   > \6A 00         push    0

可以看出,判断的跳转很多

而且都基于test eax,eax

我们把每个 jnz 前面的 test eax, eax（机器码 85 C0）都改为 xor eax, eax（机器码 33 C0）后保存文件即可。两条指令同为 2 字节,所以后面的指令偏移不变;xor 之后 eax 为 0、ZF 恒为 1,紧随其后的 jnz 永远不会跳转到弹框退出的分支。

 1 004013AF   .  51            push    ecx
 2 004013B0   .  8BCC          mov     ecx, esp
 3 004013B2   .  896424 14     mov     dword ptr [esp+14], esp
 4 004013B6   .  68 20814100   push    00418120                         ;  vboxtray.exe
 5 004013BB   .  E8 68E30000   call    0040F728                         ;  判断是否包含该进程
 6 004013C0   .  8BCE          mov     ecx, esi
 7 004013C2   .  E8 49FEFFFF   call    00401210
 8 004013C7      33C0          xor     eax, eax
 9 004013C9      0F85 C7000000 jnz     00401496
10 004013CF   .  51            push    ecx
11 004013D0   .  8BCC          mov     ecx, esp
12 004013D2   .  896424 14     mov     dword ptr [esp+14], esp
13 004013D6   .  68 10814100   push    00418110                         ;  vboxservice.exe
14 004013DB   .  E8 48E30000   call    0040F728
15 004013E0   .  8BCE          mov     ecx, esi
16 004013E2   .  E8 29FEFFFF   call    00401210
17 004013E7      33C0          xor     eax, eax
18 004013E9      0F85 A7000000 jnz     00401496
19 004013EF   .  51            push    ecx
20 004013F0   .  8BCC          mov     ecx, esp
21 004013F2   .  896424 14     mov     dword ptr [esp+14], esp
22 004013F6   .  68 00814100   push    00418100                         ;  vmwareuser.exe
23 004013FB   .  E8 28E30000   call    0040F728
24 00401400   .  8BCE          mov     ecx, esi
25 00401402   .  E8 09FEFFFF   call    00401210
26 00401407      33C0          xor     eax, eax
27 00401409      0F85 87000000 jnz     00401496
28 0040140F   .  51            push    ecx
29 00401410   .  8BCC          mov     ecx, esp
30 00401412   .  896424 14     mov     dword ptr [esp+14], esp
31 00401416   .  68 F0804100   push    004180F0                         ;  vmwaretray.exe
32 0040141B   .  E8 08E30000   call    0040F728
33 00401420   .  8BCE          mov     ecx, esi
34 00401422   .  E8 E9FDFFFF   call    00401210
35 00401427      33C0          xor     eax, eax
36 00401429      75 6B         jnz     short 00401496
37 0040142B   .  51            push    ecx
38 0040142C   .  8BCC          mov     ecx, esp
39 0040142E   .  896424 14     mov     dword ptr [esp+14], esp
40 00401432   .  68 DC804100   push    004180DC                         ;  vmupgradehelper.exe
41 00401437   .  E8 ECE20000   call    0040F728
42 0040143C   .  8BCE          mov     ecx, esi
43 0040143E   .  E8 CDFDFFFF   call    00401210
44 00401443      33C0          xor     eax, eax
45 00401445      75 4F         jnz     short 00401496
46 00401447   .  51            push    ecx
47 00401448   .  8BCC          mov     ecx, esp
48 0040144A   .  896424 14     mov     dword ptr [esp+14], esp
49 0040144E   .  68 CC804100   push    004180CC                         ;  vmtoolsd.exe
50 00401453   .  E8 D0E20000   call    0040F728
51 00401458   .  8BCE          mov     ecx, esi
52 0040145A   .  E8 B1FDFFFF   call    00401210
53 0040145F      33C0          xor     eax, eax
54 00401461      75 33         jnz     short 00401496
55 00401463   .  51            push    ecx
56 00401464   .  8BCC          mov     ecx, esp
57 00401466   .  896424 14     mov     dword ptr [esp+14], esp
58 0040146A   .  68 BC804100   push    004180BC                         ;  vmacthlp.exe
59 0040146F   .  E8 B4E20000   call    0040F728
60 00401474   .  8BCE          mov     ecx, esi
61 00401476   .  E8 95FDFFFF   call    00401210
62 0040147B      33C0          xor     eax, eax
63 0040147D      75 17         jnz     short 00401496
64 0040147F   .  8B4C24 14     mov     ecx, dword ptr [esp+14]
65 00401483   .  5F            pop     edi
66 00401484   .  5E            pop     esi
67 00401485   .  B8 01000000   mov     eax, 1
68 0040148A   .  64:890D 00000>mov     dword ptr fs:[0], ecx
69 00401491   .  5B            pop     ebx
70 00401492   .  83C4 14       add     esp, 14
71 00401495   .  C3            retn

反anti后的程序下载:http://files.cnblogs.com/tk091/anti-anti.zip
