#include "security.h"BOOL WINAPI IsDebug(){ HANDLE hProcess = NULL; PR

1. #include "security.h"
2.  
3. BOOL WINAPI IsDebug()
4. {
5. HANDLE hProcess = NULL;
6. PROCESSENTRY32 Pe32 = { 0 };
7. HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
8. if (hProcessSnap == INVALID_HANDLE_VALUE)
9. {
10. return FALSE;
11. }
12. Pe32.dwSize = sizeof(PROCESSENTRY32);
13.  
14. if (Process32First(hProcessSnap, &Pe32))
15. {
16. do
17. {
18. if (_stricmp("csrss.exe", Pe32.szExeFile) == 0)
19. {
20. HANDLE hProcess = OpenProcess(
21. PROCESS_ALL_ACCESS,
22. FALSE,
23. Pe32.th32ProcessID
24. );
25.  
26. if (hProcess)
27. {
28. return TRUE;
29. }
30. else
31. {
32. return FALSE;
33. }
34. CloseHandle(hProcess);
35. }
36. } while (Process32Next(hProcessSnap, &Pe32));
37. }
38. CloseHandle(hProcessSnap);
39. }
40.  
41. inline bool Int2DCheck()
42. {
43. __try
44. {
45. __asm
46. {
47. int 0x2d
48. xor eax, eax
49. add eax, 2
50. }
51. }
52. __except (EXCEPTION_EXECUTE_HANDLER)
53. {
54. return false;
55. }
56.  
57. return true;
58. }
59.  
60. DWORD __forceinline IsInsideVPC_exceptionFilter(LPEXCEPTION_POINTERS ep)
61. {
62. PCONTEXT ctx = ep->ContextRecord;
63.  
64. ctx->Ebx = -1;
65. ctx->Eip += 4;
66. return EXCEPTION_CONTINUE_EXECUTION;
67. }
68.  
69. bool IsInsideVPC()
70. {
71. bool rc = false;
72.  
73. __try
74. {
75. _asm push ebx
76. _asm mov ebx, 0
77. _asm mov eax, 1
78.  
79.  
80. _asm __emit 0Fh
81. _asm __emit 3Fh
82. _asm __emit 07h
83. _asm __emit 0Bh
84.  
85. _asm test ebx, ebx
86. _asm setz[rc]
87. _asm pop ebx
88. }
89.  
90. __except (IsInsideVPC_exceptionFilter(GetExceptionInformation()))
91. {
92. }
93.  
94. return rc;
95. }
96.  
97. bool IsInsideVMWare()
98. {
99. bool rc = true;
100.  
101. __try
102. {
103. __asm
104. {
105. push edx
106. push ecx
107. push ebx
108.  
109. mov eax, 'VMXh'
110. mov ebx, 0
111. mov ecx, 10
112. mov edx, 'VX'
113.  
114. in eax, dx
115.  
116. cmp ebx, 'VMXh'
117. setz[rc]
118.  
119. pop ebx
120. pop ecx
121. pop edx
122. }
123. }
124. __except (EXCEPTION_EXECUTE_HANDLER)
125. {
126. rc = false;
127. }
128.  
129. return rc;
130. }
131.  
132. bool VMCheck()
133. {
134. unsigned int time1 = 0;
135. unsigned int time2 = 0;
136. __asm
137. {
138. RDTSC
139. MOV time1, EAX
140. RDTSC
141. MOV time2, EAX
142.  
143. }
144. if ((time2 - time1) > 100)
145. {
146. return true;
147. }
148.  
149. return false;
150. }
151.  
152. BOOL AD_CheckRemoteDebuggerPresent()
153. {
154. FARPROC Func_addr;
155. HMODULE hModule = GetModuleHandle("kernel32.dll");
156.  
157. if (hModule == INVALID_HANDLE_VALUE)
158. return false;
159.  
160. (FARPROC&)Func_addr = GetProcAddress(hModule, "CheckRemoteDebuggerPresent");
161.  
162. if (Func_addr != NULL) {
163. __asm {
164. push eax;
165. push esp;
166. push 0xffffffff;
167. call Func_addr;
168. test eax, eax;
169. je choke_false;
170. pop eax;
171. test eax, eax
172. je choke_false;
173. jmp choke_true;
174. }
175. }
176.  
177. choke_true:
178. return true;
179.  
180. choke_false:
181. return false;
182. }
183.  
184. BOOL AD_PEB_NtGlobalFlags()
185. {
186. __asm {
187. mov eax, fs:[30h]
188. mov eax, [eax + 68h]
189. and eax, 0x70
190. }
191. }
192.  
193.  
194. BOOL AD_PEB_IsDebugged()
195. {
196. __asm {
197. xor eax, eax
198. mov ebx, fs:[30h]
199. mov al, byte ptr[ebx + 2]
200. }
201. }
202.  
203. #define DRIVERS_ARRAY 2048
204.  
205. bool Security::IsHTTPDebuggerInstalled()
206. {
207. LPVOID drivers[DRIVERS_ARRAY];
208. DWORD cbNeeded;
209. int cDrivers, i;
210.  
211. if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers))
212. {
213. TCHAR szDriver[DRIVERS_ARRAY];
214.  
215. cDrivers = cbNeeded / sizeof(drivers[0]);
216.  
217. for (i = 0; i < cDrivers; i++)
218. {
219. if (GetDeviceDriverBaseName(drivers[i], szDriver, sizeof(szDriver) / sizeof(szDriver[0])))
220. {
221. std::string strDriver = szDriver;
222. if (strDriver.find("HttpDebug") != std::string::npos)
223. return true;
224. }
225. }
226. }
227. return false;
228. }
229.  
230. std::string Security::GetIP(std::string hostname)
231. {
232. WSADATA wsaData;
233. IN_ADDR addr;
234. HOSTENT* list_ip;
235. WSAStartup(MAKEWORD(2, 0), &wsaData);
236. list_ip = gethostbyname(hostname.c_str());
237. memcpy(&addr.S_un.S_addr, list_ip->h_addr, list_ip->h_length);
238. return inet_ntoa(addr);
239. WSACleanup();
240. }
241.  
242. bool SecurityCheck()
243. {
244. if (IsDebuggerPresent())
245. return false;
246.  
247. if (IsDebug())
248. return false;
249.  
250. if (Int2DCheck())
251. return false;
252.  
253. if (AD_PEB_IsDebugged())
254. return false;
255.  
256. if (AD_PEB_NtGlobalFlags())
257. return false;
258.  
259. if (AD_CheckRemoteDebuggerPresent())
260. return false;
261.  
262. if (IsInsideVPC())
263. return false;
264.  
265. if (IsInsideVMWare())
266. return false;
267.  
268. if (VMCheck())
269. return false;
270.  
271. return true;
272. }
273.  
274. void Security::SecurityLoop()
275. {
276. while (true)
277. {
278. if (!SecurityCheck())
279. exit(0);
280. Sleep(5000);
281. }
282. }