Vcasm's multi-process anti-tracking technology (cainiao)

Source: Internet
Author: User

The multi-process anti-tracking technique used in vcasm's vprotector is quite novel. Multi-thread anti-tracking is common, but the multi-process schemes I had seen before mainly use one process to debug another. That is really just anti-debugging done with a debugger, and cannot be called genuine multi-process anti-tracking. vcasm's method is the real thing, and a brief description follows.
Using several processes means you must handle data exchange and synchronization between them; without data exchange it would not be a multi-process technique at all. The first thing that comes to mind for exchanging data between processes is a DLL, but vcasm uses a simpler mechanism, described below.
Before getting to vcasm's data-exchange method, let's look at a few API functions.
CreateFileMapping creates a file-mapping object. It is declared as follows:
HANDLE CreateFileMapping(
    HANDLE hFile,                                  // handle of the file to map
    LPSECURITY_ATTRIBUTES lpFileMappingAttributes, // security attributes
    DWORD flProtect,                               // page protection of the object
    DWORD dwMaximumSizeHigh,                       // high 32 bits of the object size
    DWORD dwMaximumSizeLow,                        // low 32 bits of the object size
    LPCTSTR lpName                                 // name of the file-mapping object
);
When hFile is (HANDLE)-1 (INVALID_HANDLE_VALUE), no real file is mapped. Instead the operating system hands back a block of memory of the requested size, backed by the system paging file. Because the object has a name, any process that knows the name can open the same block, which means it can be used to exchange data. How do we find out whether the object already exists? That needs one more function:
DWORD GetLastError(VOID)
If CreateFileMapping succeeds and GetLastError returns ERROR_ALREADY_EXISTS, the object already existed and we have merely opened it; otherwise we have just created it.
Now let me explain it with a program. vcasm's actual code is convoluted, so instead of following the original I have boiled it down to a short piece of code that shows just the method; the point is only to explain the method. The code for synchronizing the processes is not written out here.
If you are interested, reverse it yourself.

GetModuleFileName(0, lpFilename, 0x200);       // get our own full path
// Use the file name as the name of the mapping object. A kernel object name
// may not contain backslashes, so every '\' (0x5c) is turned into '-' (0x2d).
for (i = 0; lpFilename[i] != '\0'; i++)
{
    if (lpFilename[i] == 0x5c) lpFilename[i] = 0x2d;
}
// 0x400 bytes backed by the paging file; the counter lives in the last byte (offset 0x3ff)
mHandle = CreateFileMapping((HANDLE)-1, 0, PAGE_READWRITE, 0, 0x400, lpFilename);
// GetLastError must follow immediately; any other API call in between would overwrite the value.
if (GetLastError() != ERROR_ALREADY_EXISTS)
{
    // We created the object: map a view of it and initialise the counter
    mapview = MapViewOfFile(mHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    sum = (char *)mapview + 0x3ff;
    *sum = 0;
}
else
{
    // Another instance created it before us: map a view and bump the counter
    mapview = MapViewOfFile(mHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    sum = (char *)mapview + 0x3ff;
    *sum += 1;
}

if (*sum > 5)                                  // relayed more than five times: run the real code
{
    MessageBox(0, "yes", "OK", 0);
    UnmapViewOfFile(mapview);                  // the view can be unmapped now
    CloseHandle(mHandle);                      // and the handle closed
}
else
{
    // Not yet past five relays: start another copy of ourselves
    CreateProcess(0, GetCommandLine(), 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
}
Sleep(50);        // give the new process a chance to run ...
ExitProcess(0);   // ... and then this process is no longer needed
Note the role of that Sleep: a named section object disappears as soon as the last handle to it is closed and the last view unmapped. If the parent exits before the child has called CreateFileMapping, the child creates a fresh object, the counter restarts at zero, and the chain never ends. The short sleep is a crude stand-in for the proper synchronization that vcasm's real code performs and that is omitted here.

The VC++ code is as follows (the ANSI API variants are named explicitly so that it builds in both ANSI and UNICODE projects):
#include "stdafx.h"
#include <windows.h>

int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    DWORD i;
    LPVOID mapview;
    HANDLE mHandle;
    PCHAR sum;
    CHAR lpFilename[0x200];
    STARTUPINFOA StartupInfo;
    PROCESS_INFORMATION ProcessInformation;

    StartupInfo.cb = sizeof(STARTUPINFOA);
    GetStartupInfoA(&StartupInfo);                          // fill in the StartupInfo structure
    GetModuleFileNameA(0, lpFilename, sizeof(lpFilename));  // get our own full path

    // Object names may not contain '\', so turn every backslash into '-'
    for (i = 0; lpFilename[i] != '\0'; i++)
    {
        if (lpFilename[i] == 0x5c) lpFilename[i] = 0x2d;
    }

    // 0x400 bytes backed by the paging file; the counter is kept in the last byte
    mHandle = CreateFileMappingA((HANDLE)-1, 0, PAGE_READWRITE, 0, 0x400, lpFilename);
    if (mHandle == 0) ExitProcess(1);
    // Read the error code before calling any other API
    if (GetLastError() != ERROR_ALREADY_EXISTS)
    {
        mapview = MapViewOfFile(mHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0);
        sum = (PCHAR)mapview + 0x3ff;
        *sum = 0;                                           // first instance: initialise the counter
    }
    else
    {
        mapview = MapViewOfFile(mHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0);
        sum = (PCHAR)mapview + 0x3ff;
        *sum += 1;                                          // relayed instance: bump the counter
    }

    if (*sum > 5)
    {
        MessageBoxA(0, "yes", "OK", 0);                     // the real program body would go here
        UnmapViewOfFile(mapview);
        CloseHandle(mHandle);
    }
    else
    {
        CreateProcessA(0, GetCommandLineA(), 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation);
    }
    Sleep(0);          // yield so the new process gets scheduled (the walk-through above uses 50 ms)
    ExitProcess(0);

    return 0;
}
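The walk-through leaves out the synchronization between parent and child. What follows is an added example of my own, not vcasm's code and not from the article, showing one way to close that gap: the parent waits on a named auto-reset event (the mapping name with an assumed "-ready" suffix) that each child signals once it has mapped the section, so the section always has at least one live reference and the counter cannot silently restart from zero. The name sanitizing and the counter logic are kept in portable functions; the Win32 driver is compiled only under _WIN32. The constants (five relays, counter at offset 0x3ff, 0x400-byte section) are the article's.

```c
/*
 * Added example: not vcasm's code and not from the article. Portable part:
 * mapping-name derivation and the relay counter. Win32 part (under _WIN32):
 * the parent/child hand-off with a named event (the "-ready" name suffix is
 * an assumption of this example) so the section is never dropped mid-relay.
 */
#include <stddef.h>
#include <string.h>

#define RELAY_LIMIT 5        /* the article's "> 5" threshold */
#define SLOT_OFFSET 0x3ff    /* the article keeps its counter at view + 0x3ff */
#define SECTION_SIZE 0x400   /* smallest section that contains SLOT_OFFSET */

/* Copy path into name, replacing '\\' (not allowed in kernel object names)
 * with '-'. Stops at the terminator rather than sweeping a fixed 0x200-byte
 * buffer. Returns the length written, or 0 if it does not fit. */
size_t mapping_name_from_path(const char *path, char *name, size_t name_len)
{
    size_t n = strlen(path), i;
    if (n + 1 > name_len)
        return 0;
    for (i = 0; i < n; i++)
        name[i] = (path[i] == '\\') ? '-' : path[i];
    name[n] = '\0';
    return n;
}

/* One hop of the relay. 'existed' is whether CreateFileMapping reported
 * ERROR_ALREADY_EXISTS. Returns 1 when this hop is the last (the protected
 * code may run), 0 when another copy of the program must be started. */
int relay_step(unsigned char *sum, int existed)
{
    if (existed)
        *sum += 1;
    else
        *sum = 0;
    return *sum > RELAY_LIMIT;
}

/* How many processes the chain starts in total, including the first one. */
int relay_chain_length(void)
{
    unsigned char sum = 0;
    int hops = 1;
    if (relay_step(&sum, 0))
        return hops;
    do {
        hops++;
    } while (!relay_step(&sum, 1));
    return hops;
}

#ifdef _WIN32
#include <windows.h>
#include <stdio.h>

int main(void)
{
    char path[MAX_PATH], name[MAX_PATH + 8], evname[MAX_PATH + 16];
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    HANDLE hMap, hEvent;
    unsigned char *view;
    int existed;

    if (!GetModuleFileNameA(NULL, path, sizeof path))
        return 1;
    if (!mapping_name_from_path(path, name, sizeof name))
        return 1;
    snprintf(evname, sizeof evname, "%s-ready", name);

    hMap = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE,
                              0, SECTION_SIZE, name);
    existed = (GetLastError() == ERROR_ALREADY_EXISTS); /* read before any other call */
    if (!hMap)
        return 1;
    view = (unsigned char *)MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (!view)
        return 1;

    /* Auto-reset event shared by the whole chain. A child signals it once it
     * holds a view, which is the moment its parent may safely exit. */
    hEvent = CreateEventA(NULL, FALSE, FALSE, evname);
    if (existed && hEvent)
        SetEvent(hEvent);

    if (relay_step(view + SLOT_OFFSET, existed)) {
        MessageBoxA(NULL, "relay complete", "OK", MB_OK); /* real code goes here */
    } else {
        ZeroMemory(&si, sizeof si);
        si.cb = sizeof si;
        if (CreateProcessA(NULL, GetCommandLineA(), NULL, NULL, FALSE, 0,
                           NULL, NULL, &si, &pi)) {
            if (hEvent) /* keep our reference until the child has its own */
                WaitForSingleObject(hEvent, 5000);
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }
    }
    if (hEvent)
        CloseHandle(hEvent);
    UnmapViewOfFile(view);
    CloseHandle(hMap);
    return 0;
}
#endif
```

On Windows build it with `cl relay.c user32.lib` and run it: six further copies are started and the seventh shows the message box, while each parent exits only after its child reports that it holds a view. The 5-second timeout on the wait is a safety net so a child that fails to start does not leave the parent hanging; in that case the chain simply dies.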
