[持续更新]过SOD检测OD方法
使用异常Closehandle
如果给CloseHandle()函数一个无效句柄作为输入参数,在无调试器时,将会返回一个错误代码,而有调试器存在时,
将会触发一个EXCEPTION_INVALID_HANDLE (0xc0000008)的异常。
bool getdebebugbyCloseHandle()//返回true说明有OD
{
__try
{
CloseHandle((HANDLE)0x00001234);
return false;
}
__except(1)
{
return true;
}
}
仅在进程初始化创建主线程时执行的代码
//必须先于程序执行 TLS EPO 窗口回调等等
void getdebugbyOEP()
{
IMAGE_DOS_HEADER*dos_head=(IMAGE_DOS_HEADER*)GetModuleHandle(NULL);
PIMAGE_NT_HEADERS32 nt_head=(PIMAGE_NT_HEADERS32)((DWORD)dos_head+(DWORD)dos_head->e_lfanew);
BYTE*OEP=(BYTE*)(nt_head->OptionalHeader.AddressOfEntryPoint+(DWORD)dos_head);
for(unsigned long index=0;index<200;index++)
{
if(OEP==0xcc)
{
ExitProcess(0);
}
}
}
GetWindowLongA 获取窗口样式
OD的窗口样式出卖了它
代码:
// checkod.cpp : 定义控制台应用程序的入口点。
//
#include <stdio.h>
#include <Windows.h>
void CALLBACK HandleWinEvent(HWINEVENTHOOK hook, DWORD event, HWND hwnd,
LONG idObject, LONG idChild,
DWORD dwEventThread, DWORD dwmsEventTime)
{
char name;
GetWindowTextA(hwnd,name,MAX_PATH);
LONG mStyle = GetWindowLongA(hwnd,GWL_STYLE);
LONG ExtStyle=GetWindowLongA(hwnd,GWL_EXSTYLE);
if(mStyle==0x57c70000&&ExtStyle==0x140)
{
printf("find od 1 %08x %s\r\n",dwEventThread,name);
}
if (mStyle==0x56CF0000&&ExtStyle==0x140)
{
printf("Find od 2 %08x %s\r\n",dwEventThread,name);
}
}
int main(int argc, char argv[])
{
CoInitialize(NULL);
HWINEVENTHOOK hHook = SetWinEventHook( EVENT_MIN , EVENT_MAX , NULL, HandleWinEvent, 0, 0, WINEVENT_OUTOFCONTEXT | WINEVENT_SKIPOWNPROCESS);
if (hHook)
{
printf("set hook ok\r\n");
}
else
{
printf("some hack in this os\r\n");
exit(-1);
}
MSG msg;
while(GetMessage(&msg,NULL,0,0))
{
TranslateMessage(&msg);
DispatchMessage(&msg);
}
return 0;
}
窗口名的检测
搜集了常见OD的窗口名特征
#include <stdio.h>
#include <windows.h>
#include <string.h>
BOOL bFind = FALSE;
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
if (hwnd == INVALID_HANDLE_VALUE)
{
return FALSE;
}
char szbuf = {0};
int ilens = 0;
ilens = GetWindowTextA(hwnd, szbuf, sizeof(szbuf)/sizeof(char));
if(ilens != 0)
{
PCHAR pstr = NULL;
pstr = strstr(szbuf, "LCG");
if(pstr == NULL)
pstr = strstr(szbuf,"- 主线程");
if(pstr == NULL)
pstr = strstr(szbuf,"模块 -");
if(pstr == NULL)
pstr = strstr(szbuf,"main thread");
if(pstr == NULL)
pstr = strstr(szbuf,",module");
if(pstr == NULL)
pstr = strstr(szbuf,",- Module;");
if(pstr == NULL)
pstr = strstr(szbuf,"- Thread");
if(pstr == NULL)
pstr = strstr(szbuf,"G.P.U");
if(pstr == NULL)
pstr = strstr(szbuf,"+ 主线程");
if(pstr == NULL)
pstr = strstr(szbuf,"主线程,");
if(pstr == NULL)
pstr = strstr(szbuf,",模块");
if(pstr == NULL)
pstr = strstr(szbuf,"模块 +");
if(pstr == NULL)
pstr = strstr(szbuf,"PYG");
if(pstr == NULL)
pstr = strstr(szbuf,"FCK");
if(pstr == NULL)
pstr = strstr(szbuf,"?块");
if(pstr == NULL)
pstr = strstr(szbuf,"主线程");
if(pstr == NULL)
pstr = strstr(szbuf,"BH");
if(pstr == NULL)
pstr = strstr(szbuf,"吾爱");
if(pstr == NULL)
pstr = strstr(szbuf,"破解");
if(pstr == NULL)
{
pstr = strstr(szbuf,"[");
if(pstr != NULL)
pstr = strstr(szbuf,"]");
if(pstr != NULL)
goto END;
}
END:
if(pstr != NULL)
{
bFind = TRUE;
printf("Find Od!\r\n");
return FALSE;
}
}
return TRUE;
}
VOID EnumOD()
{
EnumWindows(EnumWindowsProc, NULL);
}
int main(int argc, char* argv[])
{
EnumOD();
if (bFind != TRUE)
{
printf("Find nothind!\n");
}
getchar();
return 0;
}
页:
[1]