Using SEH for anti-tracing (anti-debugging)
I won't cover the basics of SEH here.
When a program runs under a debugger and hits INT 3, the debugger takes the break: the breakpoint exception is delivered to the debugger, not to the program.
When a program runs normally and hits INT 3, an exception is raised and the system reports an error. If an SEH handler has been set up,
no error is reported and control is handed to that handler instead. That handler is where we can do a little work to find out whether the software is being traced.
The following is a routine I wrote:
.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
includelib kernel32.lib
includelib user32.lib

SehProc proto :DWORD, :DWORD, :DWORD, :DWORD    ; four parameters, matching the proc below

.data
; constant definitions
szDebug db "Err, hmm, u'r debugging me!!!!", 0
szTest  db "hearson anti-tracing routine using seh", 0
szFine  db "Good boy!", 0

.code
start:
    ; set up a basic SEH frame
    assume fs:nothing
    push offset SehProc
    push fs:[0]
    mov fs:[0], esp
    lea edx, szDebug            ; assign edx first; SehProc reassigns it if our handler runs
    int 3                       ; raise the breakpoint exception
    pop fs:[0]                  ; unlink our SEH frame
    ; under a debugger the INT 3 is swallowed and edx still points at szDebug;
    ; without one, SehProc ran and edx now points at szFine
    invoke MessageBox, NULL, edx, addr szTest, MB_OK or MB_ICONINFORMATION
    invoke ExitProcess, NULL

SehProc proc lpExcept:DWORD, lpFrame:DWORD, lpContext:DWORD, lpDispatch:DWORD
    mov eax, lpContext          ; change edx and eip through the CONTEXT record
    assume eax:ptr CONTEXT
    lea edx, szFine
    mov [eax].regEdx, edx       ; give the edx of the interrupted code a new value
    inc [eax].regEip            ; point eip past the 1-byte INT 3, or it would fault forever
    assume eax:nothing
    mov eax, 0                  ; ExceptionContinueExecution: resume the program
    ret
SehProc endp

end start
If you have any questions, please write to me: hearson@yeah.net
About these lines:
    mov [eax].regEdx, edx       ; give the edx of the interrupted code a new value
    inc [eax].regEip            ; point eip past the 1-byte INT 3, or it would fault forever
    assume eax:nothing
    mov eax, 0                  ; ExceptionContinueExecution: resume the program
The CONTEXT structure is defined like this in the assembler's include file (windows.inc):
CONTEXT struct
    ContextFlags        DWORD ?                 ; +00
    iDr0                DWORD ?                 ; +04  --+
    iDr1                DWORD ?                 ; +08    |
    iDr2                DWORD ?                 ; +0C    | debug registers
    iDr3                DWORD ?                 ; +10    |
    iDr6                DWORD ?                 ; +14    |
    iDr7                DWORD ?                 ; +18  --+
    FloatSave           FLOATING_SAVE_AREA <>   ; +1C..+88  floating-point register area
    regGs               DWORD ?                 ; +8C  --+
    regFs               DWORD ?                 ; +90    | segment registers
    regEs               DWORD ?                 ; +94    |
    regDs               DWORD ?                 ; +98  --+
    regEdi              DWORD ?                 ; +9C  --+
    regEsi              DWORD ?                 ; +A0    |
    regEbx              DWORD ?                 ; +A4    | general-purpose registers
    regEdx              DWORD ?                 ; +A8    |
    regEcx              DWORD ?                 ; +AC    |
    regEax              DWORD ?                 ; +B0  --+
    regEbp              DWORD ?                 ; +B4  --+
    regEip              DWORD ?                 ; +B8    |
    regCs               DWORD ?                 ; +BC    | control registers
    regFlag             DWORD ?                 ; +C0    |
    regEsp              DWORD ?                 ; +C4    |
    regSs               DWORD ?                 ; +C8  --+
    ExtendedRegisters   db MAXIMUM_SUPPORTED_EXTENSION dup(?)
CONTEXT ends
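As an added example (not part of the original page or the author's code), here is a Python/ctypes model of the same x86 CONTEXT layout and of what SehProc does to it: it lets you check the offsets above against the struct, and it replays the handler's edx/eip rewrite on a context blob the way an analyst would when reading one out of a dump. It adds one check the page's handler does not make, claiming the breakpoint only when the byte at Eip is 0xCC, so unrelated exceptions are passed on; the code image and .data addresses are constructed sample values, while EXCEPTION_BREAKPOINT (0x80000003) and the 112-byte FLOATING_SAVE_AREA are the real Windows sizes.

```python
import ctypes

MAXIMUM_SUPPORTED_EXTENSION = 512   # size of ExtendedRegisters
EXCEPTION_BREAKPOINT = 0x80000003   # exception code raised by INT 3
EXCEPTION_CONTINUE_EXECUTION = 0    # the eax=0 that SehProc returns
EXCEPTION_CONTINUE_SEARCH = 1       # "not ours": let the next handler look at it

class FLOATING_SAVE_AREA(ctypes.Structure):
    _fields_ = [("Raw", ctypes.c_ubyte * 112)]   # +1C..+8B, kept opaque here

class CONTEXT(ctypes.Structure):   # x86 CONTEXT with the include file's field names
    _fields_ = (
        [("ContextFlags", ctypes.c_uint32)]
        + [(n, ctypes.c_uint32) for n in ("iDr0", "iDr1", "iDr2", "iDr3", "iDr6", "iDr7")]
        + [("FloatSave", FLOATING_SAVE_AREA)]
        + [(n, ctypes.c_uint32) for n in (
            "regGs", "regFs", "regEs", "regDs", "regEdi", "regEsi", "regEbx", "regEdx",
            "regEcx", "regEax", "regEbp", "regEip", "regCs", "regFlag", "regEsp", "regSs")]
        + [("ExtendedRegisters", ctypes.c_ubyte * MAXIMUM_SUPPORTED_EXTENSION)])

def field_offset(name):
    """Byte offset of a CONTEXT member, e.g. for reading a raw context out of a dump."""
    return getattr(CONTEXT, name).offset

def seh_proc(exception_code, context_blob, code_base, code_bytes, sz_fine_addr):
    """Model of the page's SehProc: returns (disposition, context bytes to resume with)."""
    ctx = CONTEXT.from_buffer_copy(context_blob)
    idx = ctx.regEip - code_base
    # Only claim the breakpoint the routine planted itself: the kernel reports Eip
    # pointing at the INT 3, so the byte there must be 0xCC. Anything else is passed on.
    if exception_code != EXCEPTION_BREAKPOINT or not (0 <= idx < len(code_bytes)) \
            or code_bytes[idx] != 0xCC:
        return EXCEPTION_CONTINUE_SEARCH, bytes(context_blob)
    ctx.regEdx = sz_fine_addr   # mov [eax].regEdx, edx   (edx now points at szFine)
    ctx.regEip += 1             # inc [eax].regEip        (step over the 1-byte INT 3)
    return EXCEPTION_CONTINUE_EXECUTION, bytes(ctx)

def demo():
    """Constructed sample: lea edx,[szDebug] / int 3 / pop fs:[0], with fake .data addresses."""
    code_base = 0x401000
    code = b"\x8d\x15\x00\x30\x40\x00" b"\xcc" b"\x64\x8f\x05\x00\x00\x00\x00"
    sz_debug, sz_fine = 0x403000, 0x403030
    ctx = CONTEXT(regEdx=sz_debug, regEip=code_base + 6)   # state at the INT 3 fault
    disp, resumed = seh_proc(EXCEPTION_BREAKPOINT, bytes(ctx), code_base, code, sz_fine)
    after = CONTEXT.from_buffer_copy(resumed)
    return {"disposition": disp, "edx": after.regEdx, "eip": after.regEip, "size": len(resumed)}
```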