一. 修改VM配置文件 [简单]
通常反检测 VMware 的方法就是修改 VMware 的配置文件，这里简单介绍一下如何配置。
1. 用记事本打开虚拟系统镜像的配置文件，这个文件的扩展名为 vmx。比如我的虚拟系统名为 XP，那这个文件就叫 XP.vmx。然后在其末尾添加下面这些行（注意：虚拟机不能在运行状态下添加）：
monitor_control.restrict_backdoor = "true"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
这几行的意思是关闭 VMware 的后门（什么后门？后面详细说）。
2. 打开 VMware Workstation，在 虚拟机 -> 设置 -> 处理器 中勾上“禁用二进制翻译加速”（不同汉化版的翻译有所出入）。
这两步一起用，可以躲过大部分检测，包括一些壳的检测，比如 VMProtect 等。
二 使用OP修改
1. 在 VM_Retn 处下好断点，如下：
- //VM_Retn
- Address Thread Command ; Registers and comments
- 01051374 Main shr cl,6 ; ECX=01051301
- 01051377 Main push esi
- 01051378 Main dec di ; EDI=0006F69F
- 0105137B Main clc
- 0105137C Main mov esp,ebp
- 0105137E Main rcl cx,7 ; ECX=01058084
- 01051382 Main shr cl,5 ; ECX=01058004
- 01051385 Main test bx,25E5
- 0105138A Main pop ecx ; ECX=00000000
- 0105138B Main sbb bx,0B0CF ; EBX=016378C0
- 01051390 Main movzx bp,al ; EBP=000600A5
- 01051394 Main bswap ecx
- 01051396 Main pop ecx ; ECX=0006FF8C
- 01051397 Main pushfd
- 01051398 Main sal ecx,cl ; ECX=6FF8C000
- 0105139A Main or edx,ecx ; EDX=6FF8C000
- 0105139C Main jmp NOTEPAD_.010534CE
- 010534CE Main mov ecx,dword ptr ss:[esp+4] ; ECX=010328FD
- 010534D2 Main test esi,66FCC45D
- 010534D8 Main btc bx,si ; EBX=016358C0
- 010534DC Main shr di,cl ; EDI=00060000
- 010534DF Main das ; EAX=00000045
- 010534E0 Main push dword ptr ss:[esp+8]
- 010534E4 Main popfd
- 010534E5 Main setns al ; EAX=00000000
- 010534E8 Main call NOTEPAD_.010532F5
- 010532F5 Main push edx
- 010532F6 Main mov edi,dword ptr ss:[esp+14] ; EDI=0006FF74
- 010532FA Main pop ebp ; EBP=6FF8C000
- 010532FB Main mov ebp,dword ptr ss:[esp+14] ; EBP=0006FF98
- 010532FF Main pop esi ; ESI=010534ED
- 01053300 Main pushad
- 01053301 Main bswap ax
- 01053304 Main mov eax,dword ptr ss:[esp+34] ; EAX=564D5868
- 01053308 Main seta bh ; EBX=016300C0
- 0105330B Main jmp NOTEPAD_.01051BD5
- 01051BD5 Main pop ecx ; ECX=0006FF74
- 01051BD6 Main pop ebx ; EBX=010534ED
- 01051BD7 Main mov esi,dword ptr ss:[esp+30] ; ESI=0006FF8C
- 01051BDB Main pop edx ; EDX=0006FF98
- 01051BDC Main movsx dx,dl
- 01051BE0 Main setnb dh ; EDX=00060098
- 01051BE3 Main push A12C39EA
- 01051BE8 Main mov ebx,dword ptr ss:[esp+34] ; EBX=00000000
- 01051BEC Main jmp NOTEPAD_.010536B2
- 010536B2 Main mov edx,dword ptr ss:[esp+38] ; EDX=00005658
- 010536B6 Main mov dword ptr ss:[esp],esi
- 010536B9 Main mov ecx,dword ptr ss:[esp+3C] ; ECX=0000000A
- 010536BD Main push 5E6B9B41
- 010536C2 Main pushfd
- 010536C3 Main pushfd
- 010536C4 Main mov byte ptr ss:[esp+C],ch
- 010536C8 Main push dword ptr ss:[esp+4C]
- Breakpoint at NOTEPAD_.010536CC
- 010536CC Main retn 50 //这里下好断
- Run trace closed
2. 断下后按 F7 单步跟踪，一直跟到出口处的指令为：
- 0102F393 ED in eax,dx
- 0102F394 9C pushfd
- 0102F395 57 push edi
- 0102F396 C74424 04 FEFCF284 mov dword ptr ss:[esp+4],84F2FCFE
- 0102F39E 60 pushad
- 0102F39F C74424 20 72265BE7 mov dword ptr ss:[esp+20],E75B2672
3. 按 F7 步过 `0102F393 ED in eax,dx` 之后，把 edx、ebx 寄存器的值清 0。
4. 按 F9 运行，程序可以正常运行了。
很简单，方法也是很老的东西了。原理就是：
in eax,dx 这条指令在 R3 下执行会产生异常，VMP 在 SEH 里重新设置了新的 EIP、初始化了新的 VMContext；而在虚拟机里，这个异常不会触发。对照上面的 trace：EAX=564D5868（'VMXh'）、EDX=00005658（'VX'）正是下面代码里用到的魔数，ebx 清 0 后，下面 cmp ebx,'VMXh' 那样的判断自然就不成立了。
检测的示例代码如下（摘自 shellwolf 反调试文章中的代码）：
- // VMware "backdoor" I/O-port probe (the classic anti-VM check). MSVC 32-bit inline asm
- // only: `_asm` blocks are not accepted by the x64 MSVC compiler.
- // Mechanism: `in` is a privileged instruction. Executed from ring 3 on a real machine it
- // raises an exception, so the caller must wrap this in SEH (see FV_VMWare_VMX below).
- // Under VMware the access to port 'VX' with EAX='VMXh' is intercepted by the hypervisor,
- // no fault occurs, and EBX comes back holding the magic value.
- // Returns: true if EBX equals 'VMXh' after the port read (VMware answered), else false.
- // Clobbers: EAX (not restored); EBX/ECX/EDX are saved and restored around the probe.
- // Detection note: 0x564D5868 ('VMXh') and 0x5658 ('VX') are exactly the EAX/EDX values
- // visible in the trace above; the sequence is a well-known static signature of VM-aware code.
- bool IsInsideVMWare_()
- {
- bool r; // written only on the non-faulting path; stays uninitialized if `in` faults
- _asm
- {
- push edx
- push ecx
- push ebx
- mov eax, 'VMXh' // magic value 0x564D5868
- mov ebx, 0 // any value but MAGIC VALUE; VMware rewrites it with the magic on reply
- mov ecx, 10 // backdoor command 10 = get VMWare version
- mov edx, 'VX' // port number 0x5658
- in eax, dx // read port; faults here unless a hypervisor intercepts the access
- // on return EAX returns the VERSION
- cmp ebx, 'VMXh' // is it a reply from VMWare?
- setz [r] // set return value (1-byte store, matches MSVC bool)
- pop ebx
- pop ecx
- pop edx
- }
- return r;
- }
- // SEH wrapper around the port probe: the probe faults when no hypervisor
- // intercepts `in`, and that fault is taken to mean "not inside VMware".
- // Returns: result of IsInsideVMWare_(), or false if the probe raised an exception.
- bool FV_VMWare_VMX()
- {
-     bool inside = false;
-     __try
-     {
-         inside = IsInsideVMWare_();
-     }
-     __except(1) // 1 = EXCEPTION_EXECUTE_HANDLER: swallow the probe's fault
-     {
-         inside = false;
-     }
-     return inside;
- }