转:http://bbs.pediy.com/showthread.php?p=1160998#post1160998
1. 由 Windows 外壳(Explorer)正常启动进程时,传给 CreateProcess 的 STARTUPINFO 结构中未使用的字段全为 0;而某些调试器/加载器(例如旧版 OllyDbg)在调用 CreateProcess 之前不会把栈上的 STARTUPINFO 结构清 0,于是子进程通过 GetStartupInfo 读到的 dwX~dwFillAttribute 等字段会带有栈上残留的非零值。注意这只是一种启发式检测:调试器只要在调用前把该结构清 0 即可绕过;反之,父进程合法地设置了 STARTF_USEPOSITION/STARTF_USESIZE 等标志时,正常启动的进程也会出现非零值而被误判。StartUpInfo 的结构如下
/*
 * STARTUPINFO (ANSI variant STARTUPINFOA): the structure GetStartupInfoA fills in
 * for the calling process. On 32-bit Windows it is 0x44 (68) bytes, which is
 * exactly the stack frame the CheckDebug_DllEntry listing below reserves
 * (add esp, -44h). Offsets are for the 32-bit layout.
 *
 * The anti-debug check compares the seven DWORDs at +10h..+28h (dwX through
 * dwFillAttribute) against zero and never looks at dwFlags.
 * NOTE(review): per the Win32 contract those seven fields are only meaningful
 * when the matching STARTF_* bit is set in dwFlags, so a parent that
 * legitimately sets them is a false positive for this check, while a debugger
 * that zero-fills STARTUPINFO before CreateProcess passes it.
 */
typedef struct _STARTUPINFO {
DWORD cb;              /* +00h: size of this structure in bytes */
LPTSTR lpReserved;     /* +04h: reserved, expected NULL */
LPTSTR lpDesktop;      /* +08h: desktop / window-station name, or NULL */
LPTSTR lpTitle;        /* +0Ch: console window title, or NULL */
DWORD dwX;             /* +10h: window x position   (STARTF_USEPOSITION)      -- checked */
DWORD dwY;             /* +14h: window y position   (STARTF_USEPOSITION)      -- checked */
DWORD dwXSize;         /* +18h: window width        (STARTF_USESIZE)          -- checked */
DWORD dwYSize;         /* +1Ch: window height       (STARTF_USESIZE)          -- checked */
DWORD dwXCountChars;   /* +20h: console buffer cols (STARTF_USECOUNTCHARS)    -- checked */
DWORD dwYCountChars;   /* +24h: console buffer rows (STARTF_USECOUNTCHARS)    -- checked */
DWORD dwFillAttribute; /* +28h: console colours     (STARTF_USEFILLATTRIBUTE) -- checked */
DWORD dwFlags;         /* +2Ch: STARTF_* mask saying which fields are valid   -- NOT checked */
WORD wShowWindow;      /* +30h: ShowWindow() value  (STARTF_USESHOWWINDOW) */
WORD cbReserved2;      /* +32h: reserved, expected 0 */
LPBYTE lpReserved2;    /* +34h: reserved, expected NULL */
HANDLE hStdInput;      /* +38h: inherited stdin     (STARTF_USESTDHANDLES) */
HANDLE hStdOutput;     /* +3Ch: inherited stdout    (STARTF_USESTDHANDLES) */
HANDLE hStdError;      /* +40h: inherited stderr    (STARTF_USESTDHANDLES) */
} STARTUPINFO,
*LPSTARTUPINFO;
2. dzip32.dll 在 DllEntryPoint 中利用该方法检测当前进程是否是由调试器启动的(IDA 反汇编如下,函数名为分析时所加)
CODE:009D98EC ; /*
CODE:009D98EC ; * CheckDebug_DllEntry -- "was this process started by a debugger?" heuristic,
CODE:009D98EC ; * called from DllEntryPoint (see the XREF below).
CODE:009D98EC ; *
CODE:009D98EC ; * Reserves a 44h-byte frame (== sizeof(STARTUPINFOA) on 32-bit Windows), has
CODE:009D98EC ; * GetStartupInfoA fill it, then compares the seven DWORDs at +10h..+28h
CODE:009D98EC ; * (dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute)
CODE:009D98EC ; * against zero.
CODE:009D98EC ; *   any of the seven non-zero (debugger suspected) -> AL  = 1
CODE:009D98EC ; *   all seven zero          (normal start)       -> EAX = 0
CODE:009D98EC ; * Only AL is written on the "debugged" path; callers must treat the result as
CODE:009D98EC ; * a byte (the upper bits of EAX are whatever the preceding call left there).
CODE:009D98EC ; *
CODE:009D98EC ; * NOTE(review): this relies on the parent NOT zero-initialising the STARTUPINFO
CODE:009D98EC ; * it passes to CreateProcess (older OllyDbg builds did not). dwFlags (+2Ch) is
CODE:009D98EC ; * never examined, so a legitimate parent using STARTF_USEPOSITION/USESIZE/... is
CODE:009D98EC ; * a false positive, and any debugger that zero-fills the structure defeats it.
CODE:009D98EC ; */
CODE:009D98EC
CODE:009D98EC CheckDebug_DllEntry proc near ; CODE XREF: DllEntryPoint+10D p
CODE:009D98EC
CODE:009D98EC var_34 = dword ptr -34h ; STARTUPINFOA.dwX            (+10h)
CODE:009D98EC var_30 = dword ptr -30h ; STARTUPINFOA.dwY            (+14h)
CODE:009D98EC var_2C = dword ptr -2Ch ; STARTUPINFOA.dwXSize        (+18h)
CODE:009D98EC var_28 = dword ptr -28h ; STARTUPINFOA.dwYSize        (+1Ch)
CODE:009D98EC var_24 = dword ptr -24h ; STARTUPINFOA.dwXCountChars  (+20h)
CODE:009D98EC var_20 = dword ptr -20h ; STARTUPINFOA.dwYCountChars  (+24h)
CODE:009D98EC var_1C = dword ptr -1Ch ; STARTUPINFOA.dwFillAttribute(+28h)
CODE:009D98EC
CODE:009D98EC add esp, -44h ; STARTUPINFOA si on the stack; 44h == sizeof(STARTUPINFOA)
CODE:009D98EF push esp ; lpStartupInfo = &si
CODE:009D98F0 call GetStartupInfoA_0 ; GetStartupInfoA(&si) -- void, cannot fail
CODE:009D98F5 cmp [esp+44h+var_34], 0 ; si.dwX
CODE:009D98FA jnz short loc_9D9926
CODE:009D98FC cmp [esp+44h+var_30], 0 ; si.dwY
CODE:009D9901 jnz short loc_9D9926
CODE:009D9903 cmp [esp+44h+var_24], 0 ; si.dwXCountChars
CODE:009D9908 jnz short loc_9D9926
CODE:009D990A cmp [esp+44h+var_20], 0 ; si.dwYCountChars
CODE:009D990F jnz short loc_9D9926
CODE:009D9911 cmp [esp+44h+var_1C], 0 ; si.dwFillAttribute
CODE:009D9916 jnz short loc_9D9926
CODE:009D9918 cmp [esp+44h+var_2C], 0 ; si.dwXSize
CODE:009D991D jnz short loc_9D9926
CODE:009D991F cmp [esp+44h+var_28], 0 ; si.dwYSize
CODE:009D9924 jz short loc_9D992A ; all seven fields zero -> not debugged (dwFlags is never read)
CODE:009D9926
CODE:009D9926 loc_9D9926: ; CODE XREF: CheckDebug_DllEntry+E j
CODE:009D9926 ; CheckDebug_DllEntry+15 j
CODE:009D9926 ; CheckDebug_DllEntry+1C j
CODE:009D9926 ; CheckDebug_DllEntry+23 j
CODE:009D9926 ; CheckDebug_DllEntry+2A j
CODE:009D9926 ; CheckDebug_DllEntry+31 j
CODE:009D9926 mov al, 1 ; debugger suspected -- byte result, only AL written
CODE:009D9928 jmp short loc_9D992C
CODE:009D992A ; ---------------------------------------------------------------------------
CODE:009D992A
CODE:009D992A loc_9D992A: ; CODE XREF: CheckDebug_DllEntry+38 j
CODE:009D992A xor eax, eax ; normal start -- EAX = 0
CODE:009D992C
CODE:009D992C loc_9D992C: ; CODE XREF: CheckDebug_DllEntry+3C j
CODE:009D992C add esp, 44h ; drop the STARTUPINFOA frame
CODE:009D992F retn
CODE:009D992F CheckDebug_DllEntry endp
经过分析:被检测的数据对应结构体中从 dwX 一直到 dwFillAttribute 的 7 个 DWORD(偏移 10h~28h:dwX、dwY、dwXSize、dwYSize、dwXCountChars、dwYCountChars、dwFillAttribute),任一字段非 0 即返回 AL=1。dwFlags(偏移 2Ch)并未被检查,因此该方法只是一种启发式判断:调试器在调用 CreateProcess 前把 STARTUPINFO 清 0 即可绕过,而父进程合法设置了 STARTF_USEPOSITION/STARTF_USESIZE 等标志时也会产生误报。