VB Decompilation Research [repost]


1. Detecting whether the program has been loaded by any kind of debugger

VB code

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwAppProcessId As Long) As Long

Const MAX_PATH As Integer = 260
Const TH32CS_SNAPPROCESS As Long = 2&
Const PROCESS_TERMINATE As Long = 1&

Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH
End Type

Private Sub Command1_Click()
    If OpenCsrss() = True Then
        MsgBox "Debugger detected, please close it", vbExclamation, "Warning"
    Else
        MsgBox "No debugger detected", vbInformation, "Congratulations"
    End If
End Sub

' Returns True if a debugger is detected, False otherwise.
' The trick: csrss.exe can only be opened by a process that holds
' SeDebugPrivilege. Debuggers enable that privilege and the debuggee
' inherits it, so if OpenProcess on csrss.exe succeeds we are probably
' being debugged.
Private Function OpenCsrss() As Boolean
    On Error GoTo maple
    Dim Process As PROCESSENTRY32
    Dim hSnapShot As Long
    Dim l1 As Long
    Dim mName As String
    Dim i As Integer
    Dim csrssPid As Long        ' PID of csrss.exe, 0 if not found
    Dim hProc As Long

    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)   ' take a process snapshot
    If hSnapShot Then
        Process.dwSize = Len(Process)
        If Process32First(hSnapShot, Process) Then   ' first process, fills the PROCESSENTRY32 structure
            Do
                i = InStr(1, Process.szExeFile, Chr(0))          ' image name is NUL-terminated
                mName = LCase(Left(Process.szExeFile, i - 1))    ' lower-case it before comparing
                If mName = "csrss.exe" Then                      ' must be lower case here: "csRSS.exe" never matched
                    csrssPid = Process.th32ProcessID             ' remember its PID
                End If
            Loop Until Process32Next(hSnapShot, Process) < 1      ' walk all processes until Process32Next returns False
        End If
        l1 = CloseHandle(hSnapShot)
    End If

    If csrssPid <> 0 Then
        hProc = OpenProcess(PROCESS_TERMINATE, 0&, csrssPid)   ' test whether we are allowed to open csrss.exe
        If hProc <> 0 Then
            CloseHandle hProc
            OpenCsrss = True
        Else
            OpenCsrss = False
        End If
    End If
    Exit Function
maple:
    OpenCsrss = False
End Function

The code is simple; play with it. What makes it work is that csrss.exe can only be opened by a process holding SeDebugPrivilege, and a debugger that has enabled that privilege passes it on to the program it launches.

2. Timer anti-debugging

Private Sub Command1_Click()

    ' Suppose this is our registration routine; copy and paste the block
    ' below at random places throughout it.
    '------------------------------
    Dim ctime As Double
    Dim dtime As Double
    ctime = Timer
    dtime = Timer
    If dtime - ctime = 0 Then
        MsgBox "Running normally, elapsed time: " & (dtime - ctime)
        ' In real software these messages should be hidden completely
    Else
        MsgBox "Debugger detected, elapsed time: " & (dtime - ctime)
    End If

End Sub
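The same idea as the Timer check above, as an added example in Python rather than the page's VB6 (this is not the article's code). Instead of testing two consecutive clock reads for equality, the guarded routine is timed with a high-resolution counter and compared against a threshold; the 50 ms threshold and the decorator form are assumptions of this example, chosen so a normal run never trips it while a human stepping through the routine always does.

```python
# Timing check, added example (not the page's VB6 code).  The page compares
# two consecutive Timer reads for equality; here the guarded code is timed
# with a high-resolution counter and compared against a threshold, which
# avoids false positives when two reads straddle a clock tick.
import time

# Assumption: 50 ms is far longer than any guarded routine should take, and
# far shorter than a human single-stepping through it in a debugger.
THRESHOLD_S = 0.05


def elapsed_check(guarded, threshold=THRESHOLD_S):
    """Run guarded() and return (result, elapsed_seconds, detected)."""
    t0 = time.perf_counter()
    result = guarded()
    elapsed = time.perf_counter() - t0
    return result, elapsed, elapsed > threshold


def timed(threshold=THRESHOLD_S, on_detect=None):
    """Decorator so the check can be scattered over many routines, as the
    page suggests; on_detect(name, elapsed) runs when a step took too long."""
    def wrap(fn):
        def inner(*args, **kwargs):
            result, elapsed, detected = elapsed_check(
                lambda: fn(*args, **kwargs), threshold)
            if detected and on_detect is not None:
                on_detect(fn.__name__, elapsed)
            return result
        return inner
    return wrap


def verdict_for_delay(delay_s):
    """Verdict for a guarded body that sleeps delay_s seconds; the sleep
    stands in for the time a human spends stepping through the body."""
    return elapsed_check(lambda: time.sleep(delay_s))[2]


if __name__ == "__main__":
    hits = []

    @timed(on_detect=lambda name, e: hits.append((name, e)))
    def register(key):
        return key[::-1]   # placeholder for the real registration logic

    register("demo")
    print("detected" if hits else "clean")
```

Anyone who finds one of these compares in a disassembler can patch it, so the value is in how many copies are scattered around and how quietly the detection is acted on, not in the check itself.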

Why Timer? Simple: once someone is stepping through the code in a debugger, they are not a thousand-eyed being who reads a thousand lines at a glance, so the two reads stop coming back equal. :) Two caveats: Timer has coarse resolution, so two reads that straddle a tick also differ and give a false positive (compare against a small threshold rather than zero), and a debugger user who spots the compare can simply patch it.

3. Checking the run environment

Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)

Private Type STARTUPINFO   ' the structure CreateProcess is given
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Sub Command1_Click()
    If StartAnti() = True Then
        MsgBox "Debugger detected", vbExclamation, "Warning"
    Else
        MsgBox "No debugger detected", vbInformation, "Passed"
    End If
End Sub

Private Sub Form_Load()
    If StartAnti() = True Then
        MsgBox "Debugger detected", vbExclamation, "Warning"
    End If
End Sub

' Returns True if the STARTUPINFO we were started with carries window
' geometry. Explorer starts programs with all of these fields zero; some
' debuggers fill them in when they CreateProcess the debuggee.
Private Function StartAnti() As Boolean
    Dim Huanjing As STARTUPINFO
    Huanjing.cb = Len(Huanjing)
    GetStartupInfo Huanjing
    If Huanjing.dwX <> 0 Or Huanjing.dwY <> 0 Or Huanjing.dwXCountChars <> 0 Or Huanjing.dwYCountChars <> 0 Or Huanjing.dwFillAttribute <> 0 Or Huanjing.dwXSize <> 0 Or Huanjing.dwYSize <> 0 Then
        StartAnti = True
    Else
        StartAnti = False
    End If
End Function
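The STARTUPINFO check again, as an added example in Python with ctypes (not the article's code). The structure is the Win32 STARTUPINFOW with pointer-sized fields, so it is correct on 64-bit as well; the decision logic accepts any STARTUPINFOW instance, so it can be exercised with a constructed one away from Windows, and `describe()` also decodes the STARTF_* flags so a launcher that legitimately set a position can be told apart from a debugger. Only `current_startupinfo()` calls Windows.

```python
# STARTUPINFO check, added example in Python/ctypes rather than the page's
# VB6.  The structure layout is the Win32 STARTUPINFOW; the decision logic
# takes any STARTUPINFOW instance so it can be exercised with a constructed
# one off-Windows.  Only current_startupinfo() needs Windows.
import ctypes
import sys

DWORD, WORD, PTR = ctypes.c_ulong, ctypes.c_ushort, ctypes.c_void_p


class STARTUPINFOW(ctypes.Structure):
    _fields_ = [
        ("cb", DWORD),
        ("lpReserved", ctypes.c_wchar_p),
        ("lpDesktop", ctypes.c_wchar_p),
        ("lpTitle", ctypes.c_wchar_p),
        ("dwX", DWORD), ("dwY", DWORD),
        ("dwXSize", DWORD), ("dwYSize", DWORD),
        ("dwXCountChars", DWORD), ("dwYCountChars", DWORD),
        ("dwFillAttribute", DWORD),
        ("dwFlags", DWORD),
        ("wShowWindow", WORD),
        ("cbReserved2", WORD),
        ("lpReserved2", PTR),
        ("hStdInput", PTR), ("hStdOutput", PTR), ("hStdError", PTR),
    ]


# The fields the page tests: a shell launch leaves all of them zero.
GEOMETRY_FIELDS = ("dwX", "dwY", "dwXSize", "dwYSize",
                   "dwXCountChars", "dwYCountChars", "dwFillAttribute")

# STARTF_* bits of dwFlags: they say which fields the launcher really filled in.
STARTF = {
    0x001: "STARTF_USESHOWWINDOW", 0x002: "STARTF_USESIZE",
    0x004: "STARTF_USEPOSITION", 0x008: "STARTF_USECOUNTCHARS",
    0x010: "STARTF_USEFILLATTRIBUTE", 0x020: "STARTF_RUNFULLSCREEN",
    0x100: "STARTF_USESTDHANDLES", 0x200: "STARTF_USEHOTKEY",
}


def nonzero_geometry(si):
    """The page's check: which of the geometry fields are non-zero."""
    return {f: getattr(si, f) for f in GEOMETRY_FIELDS if getattr(si, f)}


def looks_like_debugger_launch(si):
    return bool(nonzero_geometry(si))


def describe(si):
    """Diagnostic view: decoded flags plus the non-zero geometry, so a false
    positive (a launcher that set STARTF_USEPOSITION) can be recognised."""
    flags = [name for bit, name in sorted(STARTF.items()) if si.dwFlags & bit]
    return {"flags": flags, "geometry": nonzero_geometry(si),
            "show_window": si.wShowWindow}


def current_startupinfo():
    """STARTUPINFO this process was created with (Windows only)."""
    if sys.platform != "win32":
        raise OSError("GetStartupInfoW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32")
    k32.GetStartupInfoW.argtypes = [ctypes.POINTER(STARTUPINFOW)]
    k32.GetStartupInfoW.restype = None
    si = STARTUPINFOW()
    si.cb = ctypes.sizeof(si)
    k32.GetStartupInfoW(ctypes.byref(si))
    return si


if __name__ == "__main__":
    info = current_startupinfo()
    print(describe(info),
          "suspicious" if looks_like_debugger_launch(info) else "clean")
```

Run it once from Explorer and once from your debugger of choice and compare the two `describe()` outputs; a debugger that leaves the structure zeroed passes this check unnoticed, which is the limit of the technique.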

4. Checking whether our program is running under the normal parent process

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long

Const MAX_PATH As Integer = 260
Const TH32CS_SNAPPROCESS As Long = 2&
Const PROCESS_TERMINATE As Long = 1&

Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH
End Type

Private Sub Form_Load()
    Fujincheng
End Sub

' Checks whether our parent process is explorer.exe. If it is not, we
' assume a debugger launched us and terminate that parent.
Private Sub Fujincheng()
    Dim Process As PROCESSENTRY32
    Dim hSnapShot As Long
    Dim XNN As Long
    Dim mName As String
    Dim i As Integer
    Dim pid As Long, explorer As Long   ' these two hold our parent's PID and explorer's PID

    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)   ' take a process snapshot
    ' look for explorer.exe and for our own entry
    If hSnapShot Then
        Process.dwSize = Len(Process)
        If Process32First(hSnapShot, Process) Then
            Do
                i = InStr(1, Process.szExeFile, Chr(0))          ' image name is NUL-terminated
                mName = LCase(Left(Process.szExeFile, i - 1))    ' lower-case it before comparing
                If mName = "explorer.exe" Then                   ' note: with several logged-on users there are
                    explorer = Process.th32ProcessID             ' several explorer.exe; the last one seen wins
                ElseIf mName = LCase(App.EXEName & ".exe") Then  ' is this us?
                    pid = Process.th32ParentProcessID            ' our parent's PID
                End If
            Loop Until Process32Next(hSnapShot, Process) < 1      ' walk all processes until Process32Next returns False
        End If
        XNN = CloseHandle(hSnapShot)
    End If

    If pid <> explorer Then
        Dim Openit As Long
        Openit = OpenProcess(PROCESS_TERMINATE, 0&, pid)   ' open the parent, i.e. the suspected debugger
        MsgBox "Parent-process debugging detected", vbExclamation, "Warning"
        If Openit <> 0 Then
            TerminateProcess Openit, 0
            CloseHandle Openit
        End If
    End If
End Sub

The normal parent process is the Windows shell, explorer.exe; don't get that wrong. :) Keep in mind what this check really means: anything other than Explorer that launches the program (cmd.exe, a scheduler, an installer, a third-party launcher) fails it too, while a debugger that attaches to an already running process, or starts it through a helper whose parent is Explorer, passes it. On a machine with several logged-on users there is one explorer.exe per session, so comparing against a single explorer PID is unreliable; look up the parent by its PID and check that process's name instead.
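The snapshot-based checks of sections 1 and 4, as one added example in Python with ctypes (not the article's code). The decision logic works on a plain list of (pid, ppid, name) records so it can be tested with constructed data, and it resolves the parent by PID rather than comparing against whichever explorer.exe came last in the snapshot; `snapshot()` and `can_open_csrss()` are the Win32 parts and only run on Windows. The process list in the test below is constructed, and the PIDs in it are made up. One caveat on the csrss.exe trick: on Windows 8.1 and later csrss.exe runs as a protected process, so the open fails even with SeDebugPrivilege and the check no longer tells a debugged process from a normal one.

```python
# Process-snapshot checks from sections 1 and 4, added example in Python/ctypes
# rather than the page's VB6.  The decision logic works on a plain list of
# (pid, ppid, name) records so it can be tested with constructed data; only
# snapshot() and can_open_csrss() call Win32 and need Windows.
import ctypes
import os
import sys
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

TH32CS_SNAPPROCESS = 0x00000002
PROCESS_TERMINATE = 0x0001
MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class PROCESSENTRY32W(ctypes.Structure):
    # Win32 layout; th32DefaultHeapID is ULONG_PTR, so pointer-sized.
    _fields_ = [
        ("dwSize", ctypes.c_ulong), ("cntUsage", ctypes.c_ulong),
        ("th32ProcessID", ctypes.c_ulong), ("th32DefaultHeapID", ctypes.c_size_t),
        ("th32ModuleID", ctypes.c_ulong), ("cntThreads", ctypes.c_ulong),
        ("th32ParentProcessID", ctypes.c_ulong), ("pcPriClassBase", ctypes.c_long),
        ("dwFlags", ctypes.c_ulong), ("szExeFile", ctypes.c_wchar * MAX_PATH),
    ]


def parent_name(procs, pid):
    """Lower-cased image name of pid's parent, or None if either is missing.
    Looking the parent up by PID avoids the page's weakness of comparing
    against whichever explorer.exe happened to come last in the snapshot."""
    by_pid = {p.pid: p for p in procs}
    me = by_pid.get(pid)
    parent = by_pid.get(me.ppid) if me else None
    return parent.name.lower() if parent else None


def parent_is_explorer(procs, pid):
    """Section 4: was pid launched by explorer.exe?"""
    return parent_name(procs, pid) == "explorer.exe"


def find_pids(procs, name):
    """All PIDs whose image name matches, case-insensitively (the page's code
    lower-cases the name but compares it with "csRSS.exe", so never matched)."""
    return [p.pid for p in procs if p.name.lower() == name.lower()]


def snapshot():
    """Walk CreateToolhelp32Snapshot like the VB6 code does (Windows only)."""
    if sys.platform != "win32":
        raise OSError("Toolhelp32 is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_ulong, ctypes.c_ulong]
    for fn in (k32.Process32FirstW, k32.Process32NextW):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
        fn.restype = ctypes.c_int
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if h == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    procs = []
    try:
        pe = PROCESSENTRY32W()
        pe.dwSize = ctypes.sizeof(pe)
        ok = k32.Process32FirstW(h, ctypes.byref(pe))
        while ok:
            procs.append(Proc(pe.th32ProcessID, pe.th32ParentProcessID, pe.szExeFile))
            ok = k32.Process32NextW(h, ctypes.byref(pe))
    finally:
        k32.CloseHandle(h)
    return procs


def can_open_csrss(procs):
    """Section 1: opening csrss.exe for PROCESS_TERMINATE only succeeds when the
    caller holds SeDebugPrivilege, which a debugger enables and hands down to
    its debuggee (Windows only; fails regardless once csrss.exe is protected)."""
    if sys.platform != "win32":
        raise OSError("OpenProcess is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    for pid in find_pids(procs, "csrss.exe"):
        h = k32.OpenProcess(PROCESS_TERMINATE, 0, pid)
        if h:
            k32.CloseHandle(h)
            return True
    return False


if __name__ == "__main__":
    procs = snapshot()
    me = os.getpid()
    print("parent:", parent_name(procs, me),
          "| launched by explorer:", parent_is_explorer(procs, me),
          "| can open csrss:", can_open_csrss(procs))
```

Run the module from Explorer, from cmd.exe and from a debugger to see how the parent check behaves in each case; the parent PID of a process whose parent has already exited may have been reused by an unrelated process, so treat a surprising parent name as a signal, not as proof.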
