Cracking 1

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 1 / Cracking I..iso / Příklady / 3.Anti-Debugging / Přepnutí do Ring0 / SEH / SEHDlg.cpp < prev next >

Wrap

C/C++ Source or Header | 2002-08-07 | 4.9 KB | 172 lines

// SEHDlg.cpp : implementation file // #include "stdafx.h" #include "SEH.h" #include "SEHDlg.h" #ifdef _DEBUG #define new DEBUG_NEW #undef THIS_FILE static char THIS_FILE[] = __FILE__; #endif ///////////////////////////////////////////////////////////////////////////// // CSEHDlg dialog CSEHDlg::CSEHDlg(CWnd* pParent /*=NULL*/) : CDialog(CSEHDlg::IDD, pParent) { //{{AFX_DATA_INIT(CSEHDlg) // NOTE: the ClassWizard will add member initialization here //}}AFX_DATA_INIT // Note that LoadIcon does not require a subsequent DestroyIcon in Win32 m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME); } void CSEHDlg::DoDataExchange(CDataExchange* pDX) { CDialog::DoDataExchange(pDX); //{{AFX_DATA_MAP(CSEHDlg) // NOTE: the ClassWizard will add DDX and DDV calls here //}}AFX_DATA_MAP } BEGIN_MESSAGE_MAP(CSEHDlg, CDialog) //{{AFX_MSG_MAP(CSEHDlg) ON_WM_PAINT() ON_WM_QUERYDRAGICON() ON_BN_CLICKED(IDC_OK, OnOk) //}}AFX_MSG_MAP END_MESSAGE_MAP() ///////////////////////////////////////////////////////////////////////////// // CSEHDlg message handlers BOOL CSEHDlg::OnInitDialog() { CDialog::OnInitDialog(); // Set the icon for this dialog. The framework does this automatically // when the application's main window is not a dialog SetIcon(m_hIcon, TRUE); // Set big icon SetIcon(m_hIcon, FALSE); // Set small icon // TODO: Add extra initialization here return TRUE; // return TRUE unless you set the focus to a control } // If you add a minimize button to your dialog, you will need the code below // to draw the icon. For MFC applications using the document/view model, // this is automatically done for you by the framework. void CSEHDlg::OnPaint() { if (IsIconic()) { CPaintDC dc(this); // device context for painting SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0); // Center icon in client rectangle int cxIcon = GetSystemMetrics(SM_CXICON); int cyIcon = GetSystemMetrics(SM_CYICON); CRect rect; GetClientRect(&rect); int x = (rect.Width() - cxIcon + 1) / 2; int y = (rect.Height() - cyIcon + 1) / 2; // Draw the icon dc.DrawIcon(x, y, m_hIcon); } else { CDialog::OnPaint(); } } // The system calls this to obtain the cursor to display while the user drags // the minimized window. HCURSOR CSEHDlg::OnQueryDragIcon() { return (HCURSOR) m_hIcon; } void CSEHDlg::OnOk() { _asm { mov ax,ds test al,4 // o jak² operaΦnφ systΘm se jednß? je Not_Win9x // skok = nejednß se o operaΦnφ systΘm Windows 9x/Me Win9x: push offset MyHandler // adresa handleru push dword ptr fs:[0] // ulo₧enφ adresy p°edchozφho handleru mov fs:[0],esp // instalace pushfd // ulo₧enφ EFLAGS mov eax,esp // ulo₧enφ hodnoty ESP, tj. adresy zßsobnφku INT 3 // --> Ring0 // NOP zde b²t nemusφ - tento k≤d se spustφ pouze ve Windows 9x/Me // handler tak nemusφ opravovat vzniklou chybu(p°eskoΦenφm - zm∞na // hodnoty EIP), proto₧e EIP ve Windows 9x/Me ukazuje na instrukci // nßsledujφcφ po INT 3 /*******Ring0*******/ mov ebx,Dr7 // tato instrukce bude funkΦnφ pouze v Ring0 // obnovenφ p∙vodnφch hodnot registr∙ p°ed skokem do Ring3 push edx // GS push edx // FS push edx // ES push edx // DS push edx // SS push eax // ESP push dword ptr [eax] // EFLAGS push ecx // CS push offset Ring3 // EIP = adresa k≤du, odkud program pob∞₧φ op∞t v Ring3 iretd // --> Ring3 Ring3: popfd // obnovenφ EFLAGS pop dword ptr fs:[0] // obnovenφ p∙vodnφho handleru add esp,4 // korekce zßsobnφku jmp Ok /*******MyHandler*******/ // SEH handler pro p°echod do Ring0 MyHandler: mov edx,[esp+0Ch] // CONTEXT mov ecx,[esp+4] // EXCEPTION_RECORD mov ecx,[ecx] // ECX = Φφslo chyby, kterß prßv∞ vznikla cmp ecx,80000003h // jednß se o chybu STATUS_BREAKPOINT(80000003h) // vyvolanou instrukcφ INT 3? jne Chyba // skok = jednß se o jinou chybu, kterou tento handler // nebude zpracovßvat movzx ecx,word ptr [edx+0BCh] // ECX = CS mov [edx+0ACh],ecx // ECX(po skoku z handleru zp∞t do programovΘho k≤du) = CS mov dword ptr [edx+0BCh],28h // CS(po skoku...) = 28h, to zajiÜ¥uje // p°epnutφ do Ring0 movzx ecx,word ptr [edx+0C8h] // ECX = SS mov [edx+0A8h],ecx // EDX(po skoku...) = ECX = SS mov dword ptr [edx+0C8h],30h // SS(po skoku...) = 30h, to // zajiÜ¥uje p°epnutφ do Ring0 or dword ptr [edx+0C0h],200h // EFLAGS(po skoku...) = 200h sub eax,eax // ExceptionContinueExecution ret // --> Ring0 Chyba: sub eax,eax inc eax // ExceptionContinueSearch ret } Not_Win9x: MessageBox("Tato metoda funguje pouze ve Windows 9x/Me",NULL,MB_OK); return; Ok: MessageBox("P°echod mezi Ring m≤dy prob∞hl ·sp∞Ün∞",NULL,MB_OK); }