[VB]反調試代碼(轉載)

這篇比較簡單XD

又是一篇反調試的,思路或許有用,先收藏了。最後一招是發帖人原創的麼?因為以前見過的。
原文題目:想反編譯VB6.0寫的東西 你得多動動腦袋了!!!

原帖地址:http://topic.csdn.net/u/20090411/16/af92fda3-41fb-4bf9-b16b-83980a23ef82.html
VB6.0因為其編寫方便,而被一些人一直稱是「垃圾」計算機語言,今天在這裡和大家共享幾個反反編譯的辦法,希望對大家有用!


1.檢測程序是否被各類debug程式所加載研究!
 
' kernel32 imports for walking the process list (ToolHelp snapshot) and for opening a process by PID.
' NOTE(review): TerminateProcess and MAX_PATH are declared here but are not referenced by the code shown in this section.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
 Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
 
Const MAX_PATH As Integer = 260
' Snapshot flag passed to CreateToolhelp32Snapshot to include processes.
Const TH32CS_SNAPPROCESS As Long = 2&
' One process entry as filled in by Process32First / Process32Next.
' Layout as declared here: nine Long fields (36 bytes) followed by a 1024-character name buffer.
' NOTE(review): the ANSI PROCESSENTRY32 in the Windows SDK sizes szExeFile as MAX_PATH (260)
' characters; confirm that the larger 1024-character buffer used here is intentional.
Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    ' NUL-terminated executable name; callers cut it at the first Chr(0).
    szExeFile As String * 1024
End Type
Private Sub Command1_Click()
    ' Run the csrss.exe open test and show the outcome in a message box.
    Dim debuggerSuspected As Boolean

    debuggerSuspected = Opencsrss()
    If Not debuggerSuspected Then
        MsgBox "沒有發現調試", , "恭喜"
    Else
        MsgBox "發現調試器,請關閉", , "警告"
    End If
End Sub
 
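Private Function Opencsrss() As Boolean
' Heuristic debugger check based on whether csrss.exe can be opened.
' Returns True when OpenProcess succeeds on the csrss.exe PID found in the
' process snapshot; returns False when csrss.exe is not found, the open is
' refused, or any runtime error occurs.
'
' NOTE(review): presumably this relies on a debugger having enabled
' SeDebugPrivilege and the debuggee inheriting it - confirm. Treat the result
' as a hint only: any launcher that runs this program with that privilege
' enabled also yields True, and on Windows versions where csrss.exe runs as a
' protected process the open is expected to be refused regardless, so the
' function then reports False.
'
' Every handle obtained here is closed on both the normal and the error path.

On Error GoTo maple
Dim Process As PROCESSENTRY32
Dim hSnapShot As Long
Dim hCsrss As Long
Dim nulPos As Long
Dim mName As String
Dim csrssPid As Long

Opencsrss = False

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&) ' take a process snapshot
' CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE (-1), not 0.
If hSnapShot = -1 Then hSnapShot = 0

If hSnapShot <> 0 Then
    ' Let VB compute the marshalled record size (1060 for the layout declared
    ' in this listing) instead of hard-coding it.
    Process.dwSize = Len(Process)
    If Process32First(hSnapShot, Process) Then
        Do
            ' Cut the fixed-length buffer at the first NUL and lower-case it.
            nulPos = InStr(1, Process.szExeFile, Chr(0))
            If nulPos > 0 Then
                mName = LCase(Left(Process.szExeFile, nulPos - 1))
            Else
                ' No terminator found: use the whole buffer rather than raising an error.
                mName = LCase(RTrim(Process.szExeFile))
            End If

            ' Remember the PID of csrss.exe; if several entries match, the last one wins.
            If mName = "csrss.exe" Then
                csrssPid = Process.th32ProcessID
            End If
        Loop Until (Process32Next(hSnapShot, Process) < 1) ' stop when no entry is left
    End If
    CloseHandle hSnapShot
    hSnapShot = 0
End If

If csrssPid <> 0 Then
    ' 1& is PROCESS_TERMINATE; the handle is used only as an "open succeeded"
    ' probe. 0& requests a non-inheritable handle so it cannot reach child processes.
    hCsrss = OpenProcess(1&, 0&, csrssPid)
    If hCsrss <> 0 Then
        Opencsrss = True
        ' Release the handle immediately; the original listing never closed it.
        CloseHandle hCsrss
        hCsrss = 0
    End If
End If
Exit Function

maple:
' Any runtime error is reported as "not detected"; still release what was opened.
Opencsrss = False
If hCsrss <> 0 Then CloseHandle hCsrss
If hSnapShot <> 0 Then CloseHandle hSnapShot

End Function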
2.timer反調試
Private Sub Command1_Click()
    ' Stand-in for a registration routine. The author's intent is that this
    ' snippet gets pasted at arbitrary points inside such a routine.
    '
    ' Two consecutive Timer reads are compared; a difference of exactly zero is
    ' reported as a normal run, anything else as a debugger.
    ' NOTE(review): Timer is seconds since midnight, so a tick boundary, a
    ' scheduling delay or the midnight wrap between the two reads also gives a
    ' nonzero difference - treat the result as a heuristic.
    Dim tStart As Double
    Dim tEnd As Double
    Dim elapsed As Double

    tStart = Timer
    tEnd = Timer
    elapsed = tEnd - tStart

    If elapsed <> 0 Then
        MsgBox elapsed, , "發現調試器,經歷時間:"
    Else
        ' The author notes that real software should not show these messages at all.
        MsgBox elapsed, , "正常運行,經歷時間:"
    End If
End Sub
為什麼用Timer?很簡單:被人單步調試的時候,兩次讀取Timer之間一定會隔上一段時間——莫非他是千隻眼,一眼千行 :)
3.對於運行環境進行檢測
' ANSI kernel32 import that fills a STARTUPINFO record for the current process.
Private Declare Sub GetStartupInfo Lib "kernel32" Alias "GetStartupInfoA" (lpStartupInfo As STARTUPINFO)
 
' Startup parameters of the process. The string members (lpReserved, lpDesktop,
' lpTitle, lpReserved2) are declared as Long here, i.e. kept as raw pointer
' values and never dereferenced by the code in this section.
Private Type STARTUPINFO '(createprocess)
    cb As Long
    lpReserved As Long
    lpDesktop As Long
    lpTitle As Long
    ' Window position, size, console buffer size and fill attribute:
    ' these seven fields are the ones StartAnti tests for non-zero values.
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    ' Not read by StartAnti.
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type
 
Private Sub Command1_Click()
    ' Report the STARTUPINFO heuristic result when the button is clicked.
    If Not StartAnti() Then
        MsgBox "沒有發現調試器", , "通過"
        Exit Sub
    End If
    MsgBox "發現調試器,請關閉", , "警告"
End Sub
 
Private Sub Form_Load()
    ' Run the STARTUPINFO heuristic once at form load and show the result.
    Dim suspicious As Boolean

    suspicious = StartAnti()
    If suspicious Then
        MsgBox "發現調試器,請關閉", , "警告"
    Else
        MsgBox "沒有發現調試器", , "通過"
    End If
End Sub
 
Private Function StartAnti() As Boolean
    ' Startup-environment heuristic: returns True when any of the position,
    ' size, console-buffer or fill-attribute fields of this process's
    ' STARTUPINFO is non-zero, False when all seven are zero.
    ' NOTE(review): dwFlags is not consulted, so whether those fields were
    ' meant to be used for this launch is not checked; a launcher that fills
    ' them in for ordinary reasons would also produce True.
    Dim si As STARTUPINFO

    GetStartupInfo si
    With si
        StartAnti = (.dwX <> 0) Or (.dwY <> 0) Or _
                    (.dwXCountChars <> 0) Or (.dwYCountChars <> 0) Or _
                    (.dwFillAttribute <> 0) Or _
                    (.dwXSize <> 0) Or (.dwYSize <> 0)
    End With
End Function
4.檢查我們的程序是否在正常的父進程中運行
' kernel32 imports for walking the process list (ToolHelp snapshot), opening a
' process by PID and terminating it.
' NOTE(review): MAX_PATH is declared below but is not referenced by the code shown in this section.
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Const MAX_PATH As Integer = 260
' Snapshot flag passed to CreateToolhelp32Snapshot to include processes.
Const TH32CS_SNAPPROCESS As Long = 2&
' One process entry as filled in by Process32First / Process32Next.
' Layout as declared here: nine Long fields (36 bytes) followed by a 1024-character name buffer.
' NOTE(review): the ANSI PROCESSENTRY32 in the Windows SDK sizes szExeFile as MAX_PATH (260)
' characters; confirm that the larger 1024-character buffer used here is intentional.
Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    ' PID of the process that created this one; read by Fujincheng for our own entry.
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    ' NUL-terminated executable name; callers cut it at the first Chr(0).
    szExeFile As String * 1024
End Type
 
Private Sub Form_Load()
    ' Perform the parent-process check as soon as the form loads.
    Call Fujincheng
End Sub
 
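Private Sub Fujincheng()
' Parent-process check: walks the process snapshot, records the PID of
' explorer.exe and the parent PID of this program's own entry (matched by
' executable name), and compares the two. On a mismatch it shows a warning and
' then terminates the parent process.
'
' NOTE(review): the mismatch branch terminates the PARENT, not this program.
' Any launcher other than Explorer is a mismatch, so starting the program from
' another application closes that application.
' NOTE(review): entries are matched by name only and the last match wins, so
' several explorer.exe instances, or another process sharing this program's
' executable name, can make the comparison use the wrong PIDs.

Dim Process As PROCESSENTRY32
Dim hSnapShot As Long
Dim hParent As Long
Dim nulPos As Long
Dim mName As String
Dim selfName As String
Dim pid As Long, explorer As Long ' parent PID of this program, PID of explorer.exe

selfName = LCase(App.EXEName & ".exe")

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&) ' take a process snapshot
' CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE (-1), not 0.
If hSnapShot <> 0 And hSnapShot <> -1 Then
    ' Let VB compute the marshalled record size (1060 for the layout declared
    ' in this listing) instead of hard-coding it.
    Process.dwSize = Len(Process)
    If Process32First(hSnapShot, Process) Then
        Do
            ' Cut the fixed-length buffer at the first NUL and lower-case it.
            nulPos = InStr(1, Process.szExeFile, Chr(0))
            If nulPos > 0 Then
                mName = LCase(Left(Process.szExeFile, nulPos - 1))
            Else
                ' No terminator found: use the whole buffer rather than raising
                ' an unhandled error during form load.
                mName = LCase(RTrim(Process.szExeFile))
            End If

            If mName = "explorer.exe" Then
                explorer = Process.th32ProcessID
            ElseIf mName = selfName Then
                pid = Process.th32ParentProcessID ' our own entry: keep the parent PID
            End If
        Loop Until (Process32Next(hSnapShot, Process) < 1) ' stop when no entry is left
    End If
    CloseHandle hSnapShot
End If

If pid <> explorer Then
    ' Open the parent only when it is actually needed. 1& is PROCESS_TERMINATE;
    ' 0& requests a non-inheritable handle.
    hParent = OpenProcess(1&, 0&, pid)
    MsgBox "發現父進程調試", , "警告"
    If hParent <> 0 Then
        TerminateProcess hParent, 0
        ' Release the handle; the original listing never closed it.
        CloseHandle hParent
    End If
End If

End Sub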
正常的父進程可是Windows的主進程哦:explorer.exe,別搞錯了:)
