VB Anti-Tracking Technology

Source: www.2cto.com

Author: laomms
 
Compared with other languages, VB is always "looked down on". In fact, there are no good or bad languages; as one programmer put it, there is no best language, only the best programmer. VB has its own strengths: it is simple, convenient and visual, and it lends itself to rapid development. The 6 MB mini version is even more appealing. It is easy to get started with and is also a good foundation for other languages. Unfortunately, there are few articles on VB protection techniques. The book Software Encryption Technology covers VB protection, but it contains very little VB source code; most of its code is C and MASM. Here we give a rough description of some VB protection techniques. If you have better methods, we hope you will add them below.
 
I. Check the parent process (anti ring-3 debugger). We know that the parent process of ordinary software on a Win32 system is explorer.exe. When a ring-3 debugger such as OD loads the software, the debugged program becomes a child process of the debugger. So the program only needs to check whether its parent process is explorer.exe; see Anti-Debug in the attachment. If the parent process is found not to be explorer.exe, the program exits automatically. The source code is as follows:
'Look up and declare the related APIs (CreateToolhelp32Snapshot, Process32First, Process32Next, ...) yourself.
'The procedure header is not in the original listing; Form_Load is assumed here.
Private Sub Form_Load()
    Dim hSnapShot As Long, l1 As Long, i As Long
    Dim Process As PROCESSENTRY32
    Dim mName As String
    Dim explorer As Long, pid As Long
    Dim flag As Boolean
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)  'create a process snapshot
    If hSnapShot Then
        Process.dwSize = 1060
        If Process32First(hSnapShot, Process) Then  'get the first process and fill the PROCESSENTRY32 structure
            Do
                i = InStr(1, Process.szExeFile, Chr(0))  'find the end of the image name
                mName = LCase(Left(Process.szExeFile, i - 1))  'and convert it to lowercase
                If mName = "explorer.exe" Then  'this entry is explorer.exe
                    explorer = Process.th32ProcessID  'record its process ID
                ElseIf Process.th32ProcessID = GetCurrentProcessId() Then  'this entry is our own process
                    pid = Process.th32ParentProcessID  'record our parent process ID
                Else
                    flag = False
                End If
            Loop Until Process32Next(hSnapShot, Process) < 1  'walk all processes until the call returns False
        End If
        l1 = CloseHandle(hSnapShot)
    End If
    If pid <> explorer Then  'parent is not explorer.exe: we are probably being debugged
        TerminateProcess hProcess, 0  'hProcess: handle of the current process, e.g. from GetCurrentProcess()
    Else
        MsgBox "OK"
        On Error Resume Next
    End If
End Sub
Of course, this method is not foolproof: if a breakpoint is set on Process32First, the check can easily be bypassed by redirecting the result.
 
II. Anti-SmartCheck loading. SmartCheck is a tool for debugging VB programs, and it is necessary to guard against it. The authors of Software Encryption Technology mention two detection methods:
Use VB's AppActivate function to activate the SmartCheck window and then send Alt+F4 to close it, or use FindWindow to find the SmartCheck window and close it directly. The code looks roughly like this:
winHwnd = FindWindow(vbNullString, "SmartCheck")  'window caption of the SmartCheck main window; assumed here, adjust to the actual caption
If winHwnd <> 0 Then
    AppActivate "SmartCheck"
    SendKeys "%{F4}", True  'Alt+F4: close the window
    SendKeys "%y", True     'Alt+Y: confirm the close prompt
End If
In fact, I think it is more direct to detect the SMARTCHK process itself: simply check whether smartchk.exe is running. The method is similar to the one above, and other processes such as W32DASM can be checked in the same way. Anti-Load in the attachment is an example: if SMARTCHK is running, the program exits automatically:
'... (inside the Process32First/Process32Next loop shown in section I)
If InStr(LCase(Process.szExeFile), "smartchk.exe") > 0 Then
    smart = Process.th32ProcessID
    TerminateProcess hProcess, 0  'hProcess: handle of the current process
    Unload Me
    Exit Do
End If
'...
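Sections I and II both walk a Toolhelp32 process snapshot and look at image names. The following Python is an added example, not the article's VB code or its attachment: it reproduces that walk over a constructed snapshot (a list of pid, parent pid and image name entries, so it runs offline without the Win32 API), decides whether the current process's parent is explorer.exe, and lists the image names of known analysis tools the way the smartchk.exe check does. The ProcessEntry type, the SAMPLE_SNAPSHOT contents and the KNOWN_ANALYSIS_TOOLS list are assumptions; a real implementation would fill the list from CreateToolhelp32Snapshot.

```python
"""Parent-process and tool-process checks over a process snapshot (added example).

The snapshot below is constructed; on Windows it would come from
CreateToolhelp32Snapshot / Process32First / Process32Next as in the article.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEntry:
    """Subset of PROCESSENTRY32: pid, parent pid and image name."""
    pid: int
    parent_pid: int
    exe_file: str


# Constructed sample snapshot (not real data).
SAMPLE_SNAPSHOT: List[ProcessEntry] = [
    ProcessEntry(4, 0, "System"),
    ProcessEntry(1024, 4, "explorer.exe"),
    ProcessEntry(2048, 1024, "project1.exe"),   # started from the shell: parent is explorer
    ProcessEntry(3000, 1024, "OLLYDBG.EXE"),
    ProcessEntry(3100, 3000, "project1.exe"),   # started by a ring-3 debugger: parent is OD
    ProcessEntry(3200, 1024, "smartchk.exe"),
    ProcessEntry(4000, 1024, "cmd.exe"),
    ProcessEntry(4100, 4000, "project1.exe"),   # started from a console: parent is cmd, no debugger
]

# Image names the article mentions; matched case-insensitively like the VB InStr(LCase(...)) test.
KNOWN_ANALYSIS_TOOLS = ("smartchk.exe", "ollydbg.exe", "w32dasm.exe")


def image_name(entry: ProcessEntry) -> str:
    """Mirror the VB code: take the bare file name and lowercase it."""
    return entry.exe_file.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parent_is_explorer(snapshot: List[ProcessEntry], my_pid: int) -> bool:
    """Section I: record explorer's pid and our own parent pid in one pass, then compare."""
    explorer_pid: Optional[int] = None
    parent_pid: Optional[int] = None
    for entry in snapshot:
        if image_name(entry) == "explorer.exe":
            explorer_pid = entry.pid
        elif entry.pid == my_pid:
            parent_pid = entry.parent_pid
    if explorer_pid is None or parent_pid is None:
        return False  # "not found" fails the check, as the VB code's pid <> explorer test does
    return parent_pid == explorer_pid


def running_analysis_tools(snapshot: List[ProcessEntry]) -> List[str]:
    """Section II: image names containing one of the known tool names (substring match, like InStr)."""
    found = set()
    for entry in snapshot:
        name = image_name(entry)
        if any(tool in name for tool in KNOWN_ANALYSIS_TOOLS):
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for pid in (2048, 3100, 4100):
        print(pid, "parent is explorer:", parent_is_explorer(SAMPLE_SNAPSHOT, pid))
    print("analysis tools running:", running_analysis_tools(SAMPLE_SNAPSHOT))
```

The pid 4100 case shows the false positive that has to be weighed before shipping such a check: any launch path other than the shell (a console window, a scheduler, a service, a batch file) fails it even when no debugger is involved, and a debugger that attaches to an already running process leaves the parent pid untouched, so the check does not see it. The tool-name check is only as good as its list. Both are cheap speed bumps, not a security boundary.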
 
3. Check for SoftICE. Anti-ice in the attachment is code by Aming, a senior in the community; it detects SoftICE directly in memory.
 
4. Detect a debugger with IsDebuggerPresent. This is ineffective against OD. For details, see IsDebuggerPresent in the attachment.
Private Declare Function IsDebuggerPresent Lib "kernel32" () As Long

Private Sub Command1_Click()
    If IsDebuggerPresent Then
        End  'a debugger is attached: quit
    Else
        MsgBox "not debugged"
    End If
End Sub
 
5. Encrypted strings.
For example, instead of Text1.Text = "congratulations" we can write Text1.Text = Chr(-18009) & Chr(-12366) & Chr(33). You can also write your own algorithm to encrypt strings. In the EncodeString instance in the attachment, no readable string information can be found, only garbled characters.
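The idea of this section, carried through in Python as an added example (it is not the article's EncodeString instance): the plaintext is turned into a list of numbers at build time, the list is what the source file carries, and the string is rebuilt only at the moment it is needed. A small strings-style scan shows what a reverse engineer looking at the file's constants would see. The XOR-with-repeating-key scheme and the KEY value are assumptions chosen for the example; the attachment's algorithm is not shown on the page.

```python
"""Build-time string encoding and run-time decoding (added example, not the article's EncodeString)."""
import itertools
import string
from typing import Iterable, List

# Constructed key; in a real build it would be generated per project and embedded like any other constant.
KEY = b"\x5a\x13\xc7"


def encode_string(plaintext: str, key: bytes = KEY) -> List[int]:
    """Run at build time: XOR the UTF-8 bytes with a repeating key and return the numbers to embed."""
    if not key or 0 in key:
        raise ValueError("key must be non-empty and contain no zero byte (a zero byte leaves plaintext visible)")
    return [b ^ k for b, k in zip(plaintext.encode("utf-8"), itertools.cycle(key))]


def decode_string(encoded: Iterable[int], key: bytes = KEY) -> str:
    """Run at run time, immediately before the string is needed."""
    return bytes(b ^ k for b, k in zip(encoded, itertools.cycle(key))).decode("utf-8")


# What the source file would carry instead of the literal "congratulations".
CONGRATS = encode_string("congratulations")


_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """A minimal `strings`-style scan: runs of printable ASCII at least min_len long."""
    out: List[str] = []
    run = bytearray()
    for b in blob:
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def plaintext_visible(encoded: Iterable[int], plaintext: str) -> bool:
    """True if a strings-style scan of the embedded constants would reveal the plaintext."""
    return any(plaintext in s for s in printable_strings(bytes(encoded)))


if __name__ == "__main__":
    print("embedded:", CONGRATS)
    print("visible to a strings scan:", plaintext_visible(CONGRATS, "congratulations"))
    print("decoded at run time:", decode_string(CONGRATS))
```

The key ships inside the program, so this hides the string from a static strings scan and a resource viewer only; anyone stepping the program in a debugger sees the decoded text at the point where it is used. Decode as late as possible and keep the decoded string alive for as short a time as the code allows.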
 
6. Verify the software's own code to prevent modification, for example by using CRC or MD5 for code integrity checking. The implementation is as follows:
Write a program that adds a CRC signature to the software; the signature is defined as a record at the end of the file:
Const CRC_HEAD = &H761226  'marker used to tell whether the CRC check has been added
Private Type stCRC
    lHead As Long  'marker: is a CRC check present?
    lCRC As Long   'CRC check value
End Type

Private Sub Command1_Click()
    CRC_Exe App.Path & "\Project1.exe"
End Sub

Private Function CRC_Exe(ByVal strExe As String) As Boolean
    Dim hFile As Long
    Dim lFileLen As Long
    Dim sCRC As stCRC
    Dim btExe() As Byte
    On Error GoTo Err_CRC_Exe
    lFileLen = FileLen(strExe)
    hFile = FreeFile
    Open strExe For Binary As #hFile  'open the file to be protected
    Seek #hFile, lFileLen - LenB(sCRC) + 1  'position on the CRC record, which sits at the end of the Exe file
    Get #hFile, , sCRC
    If sCRC.lHead = CRC_HEAD Then  'the CRC check has already been added: leave; otherwise add it
        MsgBox "CRC verified!"
        Close #hFile
        Exit Function
    Else
        Seek #hFile, 1  'back to the start of the file
        ReDim btExe(lFileLen - 1)
        Get #hFile, , btExe  'read the whole Exe into the byte array
        sCRC.lHead = CRC_HEAD  'set the CRC marker
        sCRC.lCRC = Get_CRC(VarPtr(btExe(0)), lFileLen)  'CRC of the Exe contents (Get_CRC comes from the CRC32 module in the attachment)
        Put #hFile, , sCRC  'the file position is now at the end: append the CRC record
    End If
    Close #hFile
    MsgBox "CRC verification completed!"
    CRC_Exe = True
    Exit Function

Err_CRC_Exe:
    If hFile <> 0 Then Close #hFile
    CRC_Exe = False
    MsgBox Err.Description
End Function
 
Add the CRC verification code to the program itself:
Const CRC_HEAD = &H761226  'marker used to tell whether the CRC check has been added
Private Type stCRC
    lHead As Long  'marker: is a CRC check present?
    lCRC As Long   'CRC check value
End Type

Private Sub Form_Load()
    Dim hFile As Long
    Dim sCRC As stCRC
    Dim strExe As String
    Dim lFileLen As Long
    Dim btExe() As Byte
    strExe = App.Path & "\" & App.EXEName & ".exe"
    lFileLen = FileLen(strExe)
    ReDim btExe(lFileLen - LenB(sCRC) - 1) As Byte  'byte buffer for the Exe data without the CRC record
    hFile = FreeFile
    Open strExe For Binary As #hFile  'read the Exe data into the array
    Get #hFile, , btExe
    Get #hFile, , sCRC  'the CRC record follows immediately
    Close #hFile
    If sCRC.lHead = CRC_HEAD Then  'a CRC record is present: verify the CRC value
        If Get_CRC(VarPtr(btExe(0)), UBound(btExe) + 1) = sCRC.lCRC Then  'compare the CRC of the Exe data with the stored value
            MsgBox "File not modified!"
        Else
            MsgBox "File is invalid!"
        End If
    Else
        MsgBox "File has not been CRC verified!"  'no CRC record at the end of the file
    End If
End Sub
 
There are many CRC modules available online; the CRC32 instance in the attachment uses one. Any modification to the software changes the prompt. We recommend packing the program (adding a shell) after the self-check has been added; otherwise the position of the CRC check value can be located in the original file with UltraEdit.
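The trailer scheme of this section, reimplemented in Python as an added example (not the article's VB code or its CRC32 module) so that it runs offline: the same 8-byte record (a marker Long followed by a CRC Long, little-endian, matching LenB(sCRC)), the same CRC_HEAD marker value, a signer that appends the record once, and a self-check that reports whether the file is unsigned, intact or modified. zlib.crc32 stands in for Get_CRC, and SAMPLE_EXE is a constructed byte string, not a real executable.

```python
"""CRC32 trailer: sign a file and self-check it (added example, Python rather than the article's VB)."""
import struct
import zlib
from pathlib import Path

CRC_HEAD = 0x761226                 # same marker value as the article's CRC_HEAD constant
TRAILER = struct.Struct("<II")      # stCRC: lHead As Long, lCRC As Long -> 8 bytes, little-endian


def _crc(body: bytes) -> int:
    """Stand-in for the article's Get_CRC: standard CRC-32 as an unsigned value."""
    return zlib.crc32(body) & 0xFFFFFFFF


def has_trailer(data: bytes) -> bool:
    """Equivalent of reading the last LenB(sCRC) bytes and comparing lHead with CRC_HEAD."""
    if len(data) < TRAILER.size:
        return False
    head, _ = TRAILER.unpack(data[-TRAILER.size:])
    return head == CRC_HEAD


def add_crc(data: bytes) -> bytes:
    """Signer side (the article's CRC_Exe): append the record once; a second run is a no-op."""
    if has_trailer(data):
        return data
    return data + TRAILER.pack(CRC_HEAD, _crc(data))


def verify(data: bytes) -> str:
    """Self-check side (the article's Form_Load): 'unsigned', 'ok' or 'modified'."""
    if not has_trailer(data):
        return "unsigned"
    body, trailer = data[:-TRAILER.size], data[-TRAILER.size:]
    _, stored = TRAILER.unpack(trailer)
    return "ok" if _crc(body) == stored else "modified"


def sign_file(path) -> bool:
    """Append the record to a file on disk; returns False if it already carries one."""
    p = Path(path)
    data = p.read_bytes()
    if has_trailer(data):
        return False
    p.write_bytes(add_crc(data))
    return True


def check_file(path) -> str:
    """What the protected program would run against its own image at start-up."""
    return verify(Path(path).read_bytes())


# Constructed stand-in for an executable image (not a real PE file).
SAMPLE_EXE = b"MZ" + bytes(range(256)) * 4


if __name__ == "__main__":
    signed = add_crc(SAMPLE_EXE)
    tampered = bytearray(signed)
    tampered[10] ^= 0xFF  # one patched byte in the body
    print(verify(SAMPLE_EXE), verify(signed), verify(bytes(tampered)))  # unsigned ok modified
```

Two caveats for anyone relying on this. A file whose last eight bytes happen to contain the marker is mistaken for a signed one, so a production version should also sanity-check the stored CRC rather than trust the marker alone. More importantly, CRC32 is not a keyed check: whoever finds the record can recompute it after patching the body, which is exactly why the article advises packing afterwards; a digital signature, or an HMAC whose key is not stored in the file, is the stronger form of this check, although a local attacker who can patch the binary can in the end also patch the check itself.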
 
7. Use SEH for anti-tracking. The SEH instance in the attachment exits automatically when it is debugged with SmartCheck. The source code is attached:
Option Explicit
Private Declare Sub DebugBreak Lib "kernel32" ()
Private Declare Function SetUnhandledExceptionFilter Lib "kernel32" (ByVal lpTopLevelExceptionFilter As Long) As Long

Private Sub Command1_Click()
    On Error GoTo ERR_RaiseException
    DebugBreak  'raises a breakpoint exception; without a debugger it ends up in our handler
    DebugBreak
    Exit Sub

ERR_RaiseException:
    MsgBox "No debugger found!"
End Sub

Sub SetHandler()
    SetUnhandledExceptionFilter AddressOf NewExceptionHandler  'NewExceptionHandler is defined in the SEH module
End Sub

Sub RestoreHandler()
    SetUnhandledExceptionFilter 0
End Sub

Private Sub Form_Load()
    SetHandler
End Sub

Private Sub Form_Unload(Cancel As Integer)
    RestoreHandler
End Sub
'The SEH module (NewExceptionHandler) is omitted here.
In addition to the methods above, you can use some cryptographic knowledge to increase the difficulty. If your skills are strong enough, you can also use inline assembly to obtain some instructions and use the SEH mechanism for anti-debugging.
Attachment:
http://www.bkjia.com/uploadfile/2012/0221/20120221112624706.rar
