SetUnhandledExceptionFilter 反调试

646F1877  |.  8B85 E0FCFFFF MOV EAX,DWORD PTR SS:[EBP-320]
646F187D  |.  C705 D0347E64>MOV DWORD PTR DS:[647E34D0],10001
646F1887  |.  A1 88357E64 MOV EAX,DWORD PTR DS:[647E3588]
646F188C  |.  A3 84347E64 MOV DWORD PTR DS:[647E3484],EAX
646F1891  |.  C705 78347E64>MOV DWORD PTR DS:[647E3478],C0000409
646F189B  |.  C705 7C347E64>MOV DWORD PTR DS:[647E347C],1
646F18A5  |.  A1 48207C64 MOV EAX,DWORD PTR DS:[647C2048]
646F18AA  |.  8985 D8FCFFFF MOV DWORD PTR SS:[EBP-328],EAX
646F18B0  |.  A1 4C207C64 MOV EAX,DWORD PTR DS:[647C204C]
646F18B5  |.  8985 DCFCFFFF MOV DWORD PTR SS:[EBP-324],EAX
646F18BB  |.  FF15 ACF17364 CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>]                ; [IsDebuggerPresent
646F18C1  |.  A3 C8347E64 MOV DWORD PTR DS:[647E34C8],EAX
646F18C6  |.  6A 01       PUSH 1
646F18C8  |.  E8 3F030000 CALL <JMP.&MSVCR100._crt_debugger_hook>
646F18CD  |.  59          POP ECX
646F18CE  |.  6A 00       PUSH 0                                                          ; /pTopLevelFilter = NULL
646F18D0  |.  FF15 A8F17364 CALL DWORD PTR DS:[<&KERNEL32.SetUnhandledExceptionFilter>]    ; \SetUnhandledExceptionFilter
646F18D6  |.  68 F4FC7364 PUSH AppBiz.6473FCF4                                           ; /pExceptionInfo = AppBiz.6473FCF4
646F18DB  |.  FF15 A4F17364 CALL DWORD PTR DS:[<&KERNEL32.UnhandledExceptionFilter>]       ; \UnhandledExceptionFilter
646F18E1  |.  833D C8347E64>CMP DWORD PTR DS:[647E34C8],0
646F18E8  |.  75 08       JNZ SHORT AppBiz.646F18F2
646F18EA  |.  6A 01       PUSH 1
646F18EC  |.  E8 1B030000 CALL <JMP.&MSVCR100._crt_debugger_hook>
646F18F1  |.  59          POP ECX
646F18F2  |>  68 090400C0 PUSH C0000409                                                    ; /ExitCode = C0000409 (-1073740791.)
646F18F7  |.  FF15 DCF07364 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentProcess>]                ; |[GetCurrentProcess
646F18FD  |.  50          PUSH EAX                                                       ; |hProcess
646F18FE  |.  FF15 24F17364 CALL DWORD PTR DS:[<&KERNEL32.TerminateProcess>]                ; \TerminateProcess
646F1904  |.  C9          LEAVE
646F1905  \.  C3          RETN
646F1906 $- FF25 20F47364 JMP DWORD PTR DS:[<&MSVCR100.?terminate@@YAXXZ>]                ;  MSVCR100.?terminate@@YAXXZ

SetUnhandledExceptionFilter这个函数解决了一切。

总结了下搜到的资料，这个函数的返回值有三种情况：

EXCEPTION_EXECUTE_HANDLER equ 1 表示我已经处理了异常,可以优雅地结束了
EXCEPTION_CONTINUE_SEARCH equ 0 表示我不处理,其他人来吧,于是windows调用默认的处理程序显示一个错误框,并结束
EXCEPTION_CONTINUE_EXECUTION equ -1 表示错误已经被修复,请从异常发生处继续执行

具体使用方法如下：

  #include <windows.h>

  long __stdcall callback(_EXCEPTION_POINTERS* excp)
  {
  MessageBox(0,"Error","error",MB_OK);
  printf("Error address %x/n",excp->ExceptionRecord->ExceptionAddress);
  printf("CPU register:/n");
  printf("eax %x ebx %x ecx %x edx %x/n",excp->ContextRecord->Eax,
  excp->ContextRecord->Ebx,excp->ContextRecord->Ecx,
  excp->ContextRecord->Edx);
  return EXCEPTION_EXECUTE_HANDLER;
  }

  int main(int argc,char* argv[])
  {
  SetUnhandledExceptionFilter(callback);
  _asm int 3 //只是为了让程序崩溃
  return 0;
  }

SetUnhandledExceptionFilter 反调试

猜你喜欢