An old trick, used heavily in ASProtect, mainly to hide the OEP. On its own it of course cannot stand up to 衝擊波 or icedump's /tracex, but both of those only run under Win9x.
If you trace the program below in SoftICE, you lose the thread at the REPZ MOVSD instruction (inside the body of the inlined memcpy): the copy runs five bytes past the single committed page, the access violation is routed to the filter, and the real entry point is only ever reached from inside the __except block (petite seems to do the same thing). Besides __try{ } __except there is also __try{ } __finally; nesting the two forms several levels deep makes the control flow harder to follow.
#include <windows.h>
#include <cstring>      // memcpy (the original relied on it coming in implicitly)
#include <iostream>     // the original used the pre-standard <iostream.h>
using namespace std;

#define BUFFER_SIZE 4096

void *MemAddr = NULL;

void AccessViolation();
int OEP();
int Filter();

int main()
{
    __try
    {
        //........
        AccessViolation();      // never returns normally: it faults on purpose
        //You can insert some garbage code here
    }
    __except(Filter())
    {
        //You can insert some garbage code here
        return OEP();           // the real entry point is reached only through the handler
    }
    return 0;
}

void AccessViolation()
{
    // One committed page; the rest of the 64 KB region is reserved but not committed
    MemAddr = VirtualAlloc(NULL, BUFFER_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    // BUFFER_SIZE + 5 bytes: the last five land on the uncommitted page, so the
    // REPZ MOVSD inside the inlined memcpy raises an access violation
    memcpy(MemAddr, (void *)main, BUFFER_SIZE + 5);
    cout << "Here is some garbage, which will never be executed." << endl;
    //You can insert some garbage code here
}

int OEP()
{
    cout << "This is the Original Entry Point." << endl;
    return 0;
}

int Filter()
{
    //You can insert some garbage code here
    if (MemAddr)
    {
        // With MEM_RELEASE the size must be 0 and MEM_DECOMMIT may not be combined
        // with it; the original call (BUFFER_SIZE, MEM_DECOMMIT | MEM_RELEASE) fails
        VirtualFree(MemAddr, 0, MEM_RELEASE);
        MemAddr = NULL;
    }
    //You can insert some garbage code here
    return EXCEPTION_EXECUTE_HANDLER;
}
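The same mechanism, as an added example that is not part of the original post and not ASProtect's or petite's code: a POSIX stand-in for the Win32 SEH version, so it can be built and run with gcc on Linux. Instead of VirtualAlloc and __try/__except it uses mmap with a PROT_NONE guard page in place of the reserved-but-uncommitted page, a SIGSEGV handler installed with sigaction in place of Filter(), and siglongjmp in place of EXCEPTION_EXECUTE_HANDLER to land in the "OEP". All names (run_hidden_entry, original_entry_point, segv_handler, the g_ globals) and the 0x90 filler copied in place of main()'s code are assumptions of this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* State shared between the faulting code and the handler (hypothetical names). */
static sigjmp_buf g_oep_jump;                 /* where the "OEP" lives */
static volatile sig_atomic_t g_fault_seen;    /* set by the handler */
static void *volatile g_fault_addr;           /* address that faulted */
static uint8_t *volatile g_region;            /* writable page + guard page */
static size_t g_page;

/* Stands in for Filter(): runs in the fault context, records what happened
   and diverts execution to the real entry point instead of resuming. */
static void segv_handler(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)ctx;
    g_fault_seen = 1;
    g_fault_addr = info->si_addr;
    siglongjmp(g_oep_jump, 1);   /* never returns to the faulting REP MOVS */
}

/* Stands in for OEP(): the code the protector actually wants to run. */
static int original_entry_point(void)
{
    return 42;
}

int fault_was_seen(void)
{
    return g_fault_seen != 0;
}

/* 1 if the recorded fault address lies in the guard page, i.e. the analogue of
   the uncommitted page that follows a one-page VirtualAlloc. */
int fault_was_in_guard_page(void)
{
    uint8_t *a = (uint8_t *)g_fault_addr;
    return g_region && a >= g_region + g_page && a < g_region + 2 * g_page;
}

/* Stands in for main()'s __try block. Returns what the "OEP" returns,
   or a negative value if the set-up itself failed. */
int run_hidden_entry(void)
{
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    g_fault_seen = 0;

    /* Page 0 is writable like the committed page; page 1 is PROT_NONE like
       the reserved page that follows it in the Win32 version. */
    uint8_t *region = mmap(NULL, 2 * g_page, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    if (mprotect(region + g_page, g_page, PROT_NONE) != 0) {
        munmap(region, 2 * g_page);
        return -1;
    }
    g_region = region;

    /* Constructed source: filler instead of main()'s code, so the read side
       can never fault and only the over-long write does. */
    uint8_t *volatile source = malloc(g_page + 5);
    if (!source) { munmap(region, 2 * g_page); return -1; }
    memset(source, 0x90, g_page + 5);

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    int result;
    if (sigsetjmp(g_oep_jump, 1) == 0) {
        /* BUFFER_SIZE + 5: the last five bytes land in the guard page. */
        memcpy(region, source, g_page + 5);
        result = -2;                 /* "garbage that is never executed" */
    } else {
        /* Landed here from the handler: the equivalent of the __except block. */
        result = original_entry_point();
    }

    /* The clean-up Filter() did, done after the jump because munmap is not
       async-signal-safe. */
    sigaction(SIGSEGV, &old, NULL);
    munmap(region, 2 * g_page);
    free(source);
    return result;
}

int main(void)
{
    int r = run_hidden_entry();
    printf("entry returned %d, fault seen=%d, in guard page=%d\n",
           r, fault_was_seen(), fault_was_in_guard_page());
    return r == 42 ? 0 : 1;
}
```

Single-stepping over the memcpy in a debugger shows exactly what the post describes: the step never completes, because the fault hands control to the handler and the handler jumps elsewhere. The defence is correspondingly simple, and the same holds for the SEH version on NT: every user-mode exception passes through one dispatch point (ntdll!KiUserExceptionDispatcher there, the signal handler here), so a breakpoint on the dispatcher or on the filter itself puts the analyst in Filter() before OEP() ever runs.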