这是一个最简单的反虚拟机检测:通过检查系统中是否存在虚拟机 Tools 相关的进程,来判断程序是否运行在虚拟机中。
首先写一个函数,判断是否包含某进程
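// Returns TRUE if a process whose image name equals strProName appears in a
// Toolhelp snapshot of the running processes, FALSE otherwise.
//
// strProName: executable name to look for (e.g. "foo.exe"). The comparison is
//             CString::operator==, i.e. an exact, case-sensitive match.
//
// If the snapshot cannot be created the process is terminated with exit(1),
// as in the original; callers cannot distinguish that case from "not found".
BOOL IsContainsProcess(CString strProName)
{
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32); // Toolhelp requires dwSize to be set before Process32First

    HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        //MessageBox("进程快照失败","提示",MB_OK);
        exit(1);
    }

    // Walk every entry in the snapshot and stop at the first name match.
    BOOL bFound = FALSE;
    BOOL bMore = ::Process32First(hProcessSnap, &pe32);
    while (bMore)
    {
        if (strProName == pe32.szExeFile)
        {
            bFound = TRUE;
            break;
        }
        bMore = ::Process32Next(hProcessSnap, &pe32);
    }

    // Single exit: the original returned straight out of the loop on a match
    // and leaked the snapshot handle (the statement after that return was
    // unreachable). The handle is now closed on every path.
    CloseHandle(hProcessSnap);
    return bFound;
}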
然后,就可以在程序初始化的时候进行判断,是否包含了几个进程
// Initialization-time check: refuse to run if any of these guest-tools
// processes is present. Names are tried in order and the scan stops at the
// first hit, exactly like the original chain of || operands.
static const char* const kVmProcessNames[] = {
    "VBoxTray.exe",
    "VBoxService.exe",
    "VMwareUser.exe",
    "VMwareTray.exe",
    "VMUpgradeHelper.exe",
    "vmtoolsd.exe",
    "vmacthlp.exe",
};
bool bVmProcessFound = false;
for (const char* const szName : kVmProcessNames)
{
    if (IsContainsProcess(szName))
    {
        bVmProcessFound = true;
        break;
    }
}
if (bVmProcessFound)
{
    AfxMessageBox("请不要在虚拟机中运行该程序");
    exit(0);
}
下面,我们对这个程序进行反反调试
程序下载地址:https://files.cnblogs.com/tk091/AntiVirtualTest.zip
首先我们用OD载入,查找字符串。
找到“请不要在虚拟机中运行该程序”,点击跟随,到达反汇编区域。
; Target of every jnz in the check sequence: three arguments are pushed and
; a single call is made. The argument shape (0, 0, text) is consistent with
; AfxMessageBox(lpszText, nType = 0 /* MB_OK */, nIDHelp = 0) -- presumed,
; the callee at 00410D33 is not shown here.
00401496 > \6A 00          push 0
00401498 . 6A 00           push 0
0040149A . 68 A0804100     push 004180A0 ; 请不要在虚拟机中运行该程序  (the "do not run in a VM" message text)
0040149F . E8 8FF80000     call 00410D33
找到该跳转的来源
; Unpatched check sequence (one block per process name). Each block:
;   push <name string>; call 0040F728  -> presumably builds a CString temp on
;                                         the stack (ecx = esp, saved at [esp+14]);
;   mov ecx, esi; call 00401210        -> consistent with IsContainsProcess, its
;                                         BOOL result returned in eax;
;   test eax, eax; jnz 00401496        -> any non-zero result goes to the
;                                         message-box / exit block.
; The first block (vboxtray.exe) starts above this listing; only its jnz is shown.
004013C9 . /0F85 C7000000  jnz 00401496
004013CF . |51             push ecx
004013D0 . |8BCC           mov ecx, esp
004013D2 . |896424 14      mov dword ptr [esp+14], esp
004013D6 . |68 10814100    push 00418110 ; vboxservice.exe
004013DB . |E8 48E30000    call 0040F728
004013E0 . |8BCE           mov ecx, esi
004013E2 . |E8 29FEFFFF    call 00401210
004013E7 . |85C0           test eax, eax
004013E9 . |0F85 A7000000  jnz 00401496
004013EF . |51             push ecx
004013F0 . |8BCC           mov ecx, esp
004013F2 . |896424 14      mov dword ptr [esp+14], esp
004013F6 . |68 00814100    push 00418100 ; vmwareuser.exe
004013FB . |E8 28E30000    call 0040F728
00401400 . |8BCE           mov ecx, esi
00401402 . |E8 09FEFFFF    call 00401210
00401407 . |85C0           test eax, eax
00401409 . |0F85 87000000  jnz 00401496
0040140F . |51             push ecx
00401410 . |8BCC           mov ecx, esp
00401412 . |896424 14      mov dword ptr [esp+14], esp
00401416 . |68 F0804100    push 004180F0 ; vmwaretray.exe
0040141B . |E8 08E30000    call 0040F728
00401420 . |8BCE           mov ecx, esi
00401422 . |E8 E9FDFFFF    call 00401210
00401427 . |85C0           test eax, eax
00401429 . |75 6B          jnz short 00401496
0040142B . |51             push ecx
0040142C . |8BCC           mov ecx, esp
0040142E . |896424 14      mov dword ptr [esp+14], esp
00401432 . |68 DC804100    push 004180DC ; vmupgradehelper.exe
00401437 . |E8 ECE20000    call 0040F728
0040143C . |8BCE           mov ecx, esi
0040143E . |E8 CDFDFFFF    call 00401210
00401443 . |85C0           test eax, eax
00401445 . |75 4F          jnz short 00401496
00401447 . |51             push ecx
00401448 . |8BCC           mov ecx, esp
0040144A . |896424 14      mov dword ptr [esp+14], esp
0040144E . |68 CC804100    push 004180CC ; vmtoolsd.exe
00401453 . |E8 D0E20000    call 0040F728
00401458 . |8BCE           mov ecx, esi
0040145A . |E8 B1FDFFFF    call 00401210
0040145F . |85C0           test eax, eax
00401461 . |75 33          jnz short 00401496
00401463 . |51             push ecx
00401464 . |8BCC           mov ecx, esp
00401466 . |896424 14      mov dword ptr [esp+14], esp
0040146A . |68 BC804100    push 004180BC ; vmacthlp.exe
0040146F . |E8 B4E20000    call 0040F728
00401474 . |8BCE           mov ecx, esi
00401476 . |E8 95FDFFFF    call 00401210
0040147B . |85C0           test eax, eax
0040147D . |75 17          jnz short 00401496
; Fall-through when no name matched: epilogue, restore the SEH chain head
; (fs:[0]) from the saved slot, return eax = 1.
0040147F . |8B4C24 14      mov ecx, dword ptr [esp+14]
00401483 . |5F             pop edi
00401484 . |5E             pop esi
00401485 . |B8 01000000    mov eax, 1
0040148A . |64:890D 00000> mov dword ptr fs:[0], ecx
00401491 . |5B             pop ebx
00401492 . |83C4 14        add esp, 14
00401495 . |C3             retn
; Jump target of every jnz above (message-box / exit block, continues below).
00401496 > \6A 00          push 0
可以看出,判断的跳转很多
而且都基于test eax,eax
我们把每个跳转前的 test eax, eax 都改为 xor eax, eax,然后保存文件即可。
; Patched check sequence. Every `test eax, eax` (bytes 85C0) has been replaced
; by `xor eax, eax` (bytes 33C0); both encodings are two bytes long, so no
; addresses shift and the jnz displacements stay valid. xor eax, eax always
; sets ZF = 1, so each following jnz to 00401496 is never taken, whatever
; value 00401210 returned in eax. OllyDbg shows the patched lines without the
; "." analysis mark.
004013AF . 51              push ecx
004013B0 . 8BCC            mov ecx, esp
004013B2 . 896424 14       mov dword ptr [esp+14], esp
004013B6 . 68 20814100     push 00418120 ; vboxtray.exe
004013BB . E8 68E30000     call 0040F728 ; check whether this process is present (author's note; 00401210 below is the call whose result is tested)
004013C0 . 8BCE            mov ecx, esi
004013C2 . E8 49FEFFFF     call 00401210
004013C7   33C0            xor eax, eax
004013C9   0F85 C7000000   jnz 00401496
004013CF . 51              push ecx
004013D0 . 8BCC            mov ecx, esp
004013D2 . 896424 14       mov dword ptr [esp+14], esp
004013D6 . 68 10814100     push 00418110 ; vboxservice.exe
004013DB . E8 48E30000     call 0040F728
004013E0 . 8BCE            mov ecx, esi
004013E2 . E8 29FEFFFF     call 00401210
004013E7   33C0            xor eax, eax
004013E9   0F85 A7000000   jnz 00401496
004013EF . 51              push ecx
004013F0 . 8BCC            mov ecx, esp
004013F2 . 896424 14       mov dword ptr [esp+14], esp
004013F6 . 68 00814100     push 00418100 ; vmwareuser.exe
004013FB . E8 28E30000     call 0040F728
00401400 . 8BCE            mov ecx, esi
00401402 . E8 09FEFFFF     call 00401210
00401407   33C0            xor eax, eax
00401409   0F85 87000000   jnz 00401496
0040140F . 51              push ecx
00401410 . 8BCC            mov ecx, esp
00401412 . 896424 14       mov dword ptr [esp+14], esp
00401416 . 68 F0804100     push 004180F0 ; vmwaretray.exe
0040141B . E8 08E30000     call 0040F728
00401420 . 8BCE            mov ecx, esi
00401422 . E8 E9FDFFFF     call 00401210
00401427   33C0            xor eax, eax
00401429   75 6B           jnz short 00401496
0040142B . 51              push ecx
0040142C . 8BCC            mov ecx, esp
0040142E . 896424 14       mov dword ptr [esp+14], esp
00401432 . 68 DC804100     push 004180DC ; vmupgradehelper.exe
00401437 . E8 ECE20000     call 0040F728
0040143C . 8BCE            mov ecx, esi
0040143E . E8 CDFDFFFF     call 00401210
00401443   33C0            xor eax, eax
00401445   75 4F           jnz short 00401496
00401447 . 51              push ecx
00401448 . 8BCC            mov ecx, esp
0040144A . 896424 14       mov dword ptr [esp+14], esp
0040144E . 68 CC804100     push 004180CC ; vmtoolsd.exe
00401453 . E8 D0E20000     call 0040F728
00401458 . 8BCE            mov ecx, esi
0040145A . E8 B1FDFFFF     call 00401210
0040145F   33C0            xor eax, eax
00401461   75 33           jnz short 00401496
00401463 . 51              push ecx
00401464 . 8BCC            mov ecx, esp
00401466 . 896424 14       mov dword ptr [esp+14], esp
0040146A . 68 BC804100     push 004180BC ; vmacthlp.exe
0040146F . E8 B4E20000     call 0040F728
00401474 . 8BCE            mov ecx, esi
00401476 . E8 95FDFFFF     call 00401210
0040147B   33C0            xor eax, eax
0040147D   75 17           jnz short 00401496
; With every jnz disabled, execution always reaches this epilogue: restore the
; SEH chain head (fs:[0]) and return eax = 1.
0040147F . 8B4C24 14       mov ecx, dword ptr [esp+14]
00401483 . 5F              pop edi
00401484 . 5E              pop esi
00401485 . B8 01000000     mov eax, 1
0040148A . 64:890D 00000>  mov dword ptr fs:[0], ecx
00401491 . 5B              pop ebx
00401492 . 83C4 14         add esp, 14
00401495 . C3              retn
反anti后的程序下载:https://files.cnblogs.com/tk091/anti-anti.zip