├── AntiReversing ├── AntiReversing.vcxproj └── main.cpp ├── DLL ├── DLL.vcxproj ├── dll.cpp └── dll.h ├── ProReversing.sln ├── ProReversingLib ├── Debugger.cpp ├── Debugger.h ├── NtGlobalFlag.cpp ├── NtGlobalFlag.h ├── PebBeingDebugged.cpp ├── PebBeingDebugged.h ├── PebHeapFlags.cpp ├── PebHeapFlags.h ├── ProReversing.cpp ├── ProReversing.h ├── ProReversingLib.vcxproj ├── ProReversingLib.vcxproj.filters ├── ProTechnique.cpp ├── ProTechnique.h ├── SimpleCommunicator.cpp ├── SimpleCommunicator.h ├── System.cpp ├── System.h ├── Systemx64.asm └── Systemx86.asm ├── README.md ├── Release └── ProReverse.dll ├── Test ├── ProReversingTest.h ├── SimpleCommunicatorTest.h ├── Test.vcxproj ├── Test.vcxproj.filters └── test.cpp └── x64 └── Release └── ProReverse.dll /AntiReversing/AntiReversing.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8} 23 | Win32Proj 24 | AntiReversing 25 | AntiReversing 26 | 27 | 28 | 29 | Application 30 | true 31 | MultiByte 32 | 33 | 34 | Application 35 | true 36 | MultiByte 37 | 38 | 39 | Application 40 | false 41 | true 42 | MultiByte 43 | 44 | 45 | Application 46 | false 47 | true 48 | MultiByte 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | true 68 | 69 | 70 | true 71 | 72 | 73 | false 74 | 75 | 76 | false 77 | 78 | 79 | 80 | 81 | 82 | Level3 83 | Disabled 84 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 85 | MultiThreadedDebug 86 | ../ProReversingLib;$(BOOSTDIR)/include 87 | 88 | 89 | Console 90 | true 91 | $(BOOSTDIR)/lib;$(OutDir) 92 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 93 | 94 | 95 | 96 | 97 | 98 | 99 | Level3 100 | 
Disabled 101 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 102 | MultiThreadedDebug 103 | ../ProReversingLib;$(BOOSTDIR)/include 104 | 105 | 106 | Console 107 | true 108 | $(BOOSTDIR)/lib64;$(OutDir) 109 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 110 | 111 | 112 | 113 | 114 | Level3 115 | NotUsing 116 | MaxSpeed 117 | true 118 | true 119 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 120 | MultiThreaded 121 | $(BOOSTDIR)/include;../ProReversingLib 122 | 123 | 124 | Console 125 | true 126 | true 127 | true 128 | $(BOOSTDIR)/lib;$(OutDir) 129 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 130 | 131 | 132 | 133 | 134 | Level3 135 | NotUsing 136 | MaxSpeed 137 | true 138 | true 139 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 140 | MultiThreaded 141 | $(BOOSTDIR)/include;../ProReversingLib 142 | 143 | 144 | Console 145 | true 146 | true 147 | true 148 | $(BOOSTDIR)/lib64;$(OutDir) 149 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | -------------------------------------------------------------------------------- /AntiReversing/main.cpp: -------------------------------------------------------------------------------- 1 | /* ============================================================================ 2 | * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com> 3 | * All rights reserved. 
4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are met: 7 | * * Redistributions of source code must retain the above copyright 8 | * notice, this list of conditions and the following disclaimer. 9 | * * Redistributions in binary form must reproduce the above copyright 10 | * notice, this list of conditions and the following disclaimer in the 11 | * documentation and/or other materials provided with the distribution. 12 | * * Neither the name of the nor the 13 | * names of its contributors may be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
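* =============================================================================
*/

// NOTE(review): the nine '#include' targets on the original lines 29-39 were
// lost in extraction; the set below is reconstructed from the names this file
// uses (project headers are reachable through the ../ProReversingLib include
// path configured in AntiReversing.vcxproj) — confirm against the repository.
// <cstdlib> is added because exit() is called below.
#include <cstdlib>
#include <map>
#include <memory>
#include <string>

#include <PebBeingDebugged.h>
#include <PebHeapFlags.h>
#include <NtGlobalFlag.h>
#include <ProReversing.h>
#include <SimpleCommunicator.h>   // presumably declares AsioServer — confirm

#include <boost/asio.hpp>

using namespace std;

// Registry of the techniques the remote test client may query, keyed by
// ProTechnique::name(). auto_ptr transfers ownership on copy, so the map is
// the sole owner once addElementToMyMap() has run.
static map<string, auto_ptr<ProTechnique> > Message2Test;
static ProReversing ProRev;

/*
 * Dispatches one command received from the test client.
 *
 * data    command string exactly as received by AsioServer. This is remote,
 *         unauthenticated input; it is only compared against fixed strings
 *         or used as a map key, never executed or formatted.
 * return  "done" for enable/disable, "true"/"false" for a registered
 *         technique name, "unknown" otherwise. "exit" never returns.
 *
 * NOTE(review): the listening address lives in AsioServer (SimpleCommunicator.h,
 * not shown). Because "exit" terminates the harness and enable/disable toggle
 * the protections without any check, confirm it binds to loopback only.
 */
string RemoteCallHandler(const string& data)
{
    if (data == "exit")
    {
        // Deliberate: the harness is driven and shut down by its client.
        exit(0);
    }

    if (data == "enable")
    {
        ProRev.enableProtection();
        return "done";
    }

    if (data == "disable")
    {
        ProRev.disableProtection();
        return "done";
    }

    // Anything else is looked up as a technique name; unknown keys fall through.
    map<string, auto_ptr<ProTechnique> >::iterator implementation = Message2Test.find(data);
    if (implementation != Message2Test.end())
        return implementation->second->isAntiTechniqueStillWorking() ? "true" : "false";

    return "unknown";
}

/*
 * Registers a technique under its own name(). The auto_ptr is taken by value
 * instead of by non-const reference: binding a temporary to a non-const
 * lvalue reference (as main() does) is a compiler extension, not ISO C++.
 * Ownership moves into the map on assignment either way.
 */
void addElementToMyMap(auto_ptr<ProTechnique> elem)
{
    Message2Test[elem->name()] = elem;
}

/*
 * Entry point: registers the three techniques, then serves remote commands
 * until the client sends "exit". Declared int as ISO C++ requires ('void
 * main' is a compiler extension); the normal exit path is exit(0) above.
 */
int main()
{
    addElementToMyMap(auto_ptr<ProTechnique>(new PebBeingDebugged));
    addElementToMyMap(auto_ptr<ProTechnique>(new PebHeapFlags));
    addElementToMyMap(auto_ptr<ProTechnique>(new NtGlobalFlag));

    boost::asio::io_service ioService;

    AsioServer as(ioService, RemoteCallHandler);

    ioService.run();
    return 0;
}
-------------------------------------------------------------------------------- /DLL/DLL.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {8DDF10A1-496B-40DC-BE45-14F142109F8B} 23 | Win32Proj 24 | ProReversing 25 | ProReverse 26 | 27 | 28 | 29 | DynamicLibrary 30 | true 31 | MultiByte 32 | 33 | 34 | DynamicLibrary 35 | true 36 | MultiByte 37 | 38 | 39 | DynamicLibrary 40 | false 41 | true 42 | MultiByte 43 | false 44 | 45 | 46 | DynamicLibrary 47 | false 48 | true 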
49 | MultiByte 50 | false 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | true 70 | 71 | 72 | true 73 | 74 | 75 | false 76 | 77 | 78 | false 79 | 80 | 81 | 82 | NotUsing 83 | Level3 84 | Disabled 85 | WIN32;_DEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions) 86 | MultiThreadedDebug 87 | ../ProReversingLib 88 | 89 | 90 | Windows 91 | true 92 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 93 | $(OutDir) 94 | 95 | 96 | 97 | 98 | NotUsing 99 | Level3 100 | Disabled 101 | WIN32;_DEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions) 102 | MultiThreadedDebug 103 | ../ProReversingLib 104 | 105 | 106 | Windows 107 | true 108 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 109 | $(OutDir) 110 | 111 | 112 | 113 | 114 | Level3 115 | NotUsing 116 | MaxSpeed 117 | true 118 | true 119 | WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions) 120 | MultiThreaded 121 | ../ProReversingLib 122 | 123 | 124 | Windows 125 | true 126 | true 127 | true 128 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 129 | $(OutDir) 130 | 131 | 132 | 133 | 134 | false 135 | 136 | 137 | 138 | 139 | Level3 140 | NotUsing 141 | MaxSpeed 142 | true 143 | true 144 | WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS;%(PreprocessorDefinitions) 145 | MultiThreaded 146 | ../ProReversingLib 147 | 148 | 149 | Windows 150 | true 151 | true 152 | true 153 | ProReversing.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 
154 | $(OutDir) 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | -------------------------------------------------------------------------------- /DLL/dll.cpp: -------------------------------------------------------------------------------- 1 | /* ============================================================================ 2 | * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com> 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are met: 7 | * * Redistributions of source code must retain the above copyright 8 | * notice, this list of conditions and the following disclaimer. 9 | * * Redistributions in binary form must reproduce the above copyright 10 | * notice, this list of conditions and the following disclaimer in the 11 | * documentation and/or other materials provided with the distribution. 12 | * * Neither the name of the nor the 13 | * names of its contributors may be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* =============================================================================
*/

#include "dll.h"
#include "..\ProReversingLib\ProReversing.h"

// Constructed during the DLL's static initialisation, i.e. before DllMain runs.
// Its constructor instantiates PebHeapFlags, whose constructor throws on 64-bit
// systems older than Vista (see PebHeapFlags.cpp); such an exception escapes
// static initialisation rather than DllMain.
static ProReversing ProRev;

// Presumably exported only so that the DLL has an importable symbol; does nothing.
DLL_API int dummyFunction(void)
{
    return 0;
}


/*
 * Turns the anti-reversing techniques on when the DLL is mapped into a process
 * and restores the original values when it is unmapped. Thread notifications
 * are ignored. The loader is always told TRUE; the bool results of
 * enableProtection()/disableProtection() are not inspected.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        //DisableThreadLibraryCalls(GetModuleHandle(NULL));
        ProRev.enableProtection();
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        ProRev.disableProtection();
    }
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do.

    return TRUE;
}


--------------------------------------------------------------------------------
/DLL/dll.h:
--------------------------------------------------------------------------------
/* ============================================================================
 * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * * Neither the name of the nor the
 * names of its contributors may be used to endorse or promote products
 * derived from this software without specific prior written permission.
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | * ============================================================================= 27 | */ 28 | 29 | #pragma once 30 | 31 | #include 32 | 33 | 34 | #ifdef DLL_EXPORTS 35 | #define DLL_API __declspec(dllexport) 36 | #else 37 | #define DLL_API __declspec(dllimport) 38 | #endif 39 | 40 | 41 | DLL_API int dummyFunction(void); 42 | -------------------------------------------------------------------------------- /ProReversing.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ProReversingLib", "ProReversingLib\ProReversingLib.vcxproj", "{DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLL", "DLL\DLL.vcxproj", "{8DDF10A1-496B-40DC-BE45-14F142109F8B}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB} = {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB} 9 | EndProjectSection 10 | EndProject 11 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Test", "Test\Test.vcxproj", 
"{39807440-F9D5-4378-A917-7424562A5286}" 12 | ProjectSection(ProjectDependencies) = postProject 13 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8} = {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8} 14 | {8DDF10A1-496B-40DC-BE45-14F142109F8B} = {8DDF10A1-496B-40DC-BE45-14F142109F8B} 15 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB} = {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB} 16 | EndProjectSection 17 | EndProject 18 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AntiReversing", "AntiReversing\AntiReversing.vcxproj", "{F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}" 19 | ProjectSection(ProjectDependencies) = postProject 20 | {8DDF10A1-496B-40DC-BE45-14F142109F8B} = {8DDF10A1-496B-40DC-BE45-14F142109F8B} 21 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB} = {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB} 22 | EndProjectSection 23 | EndProject 24 | Global 25 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 26 | Debug|Win32 = Debug|Win32 27 | Debug|x64 = Debug|x64 28 | Release|Win32 = Release|Win32 29 | Release|x64 = Release|x64 30 | EndGlobalSection 31 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 32 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Debug|Win32.ActiveCfg = Debug|Win32 33 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Debug|Win32.Build.0 = Debug|Win32 34 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Debug|x64.ActiveCfg = Debug|x64 35 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Debug|x64.Build.0 = Debug|x64 36 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Release|Win32.ActiveCfg = Release|Win32 37 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Release|Win32.Build.0 = Release|Win32 38 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Release|x64.ActiveCfg = Release|x64 39 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB}.Release|x64.Build.0 = Release|x64 40 | {8DDF10A1-496B-40DC-BE45-14F142109F8B}.Debug|Win32.ActiveCfg = Debug|Win32 41 | {8DDF10A1-496B-40DC-BE45-14F142109F8B}.Debug|Win32.Build.0 = Debug|Win32 42 | {8DDF10A1-496B-40DC-BE45-14F142109F8B}.Debug|x64.ActiveCfg = Debug|x64 43 | 
{8DDF10A1-496B-40DC-BE45-14F142109F8B}.Debug|x64.Build.0 = Debug|x64 44 | {8DDF10A1-496B-40DC-BE45-14F142109F8B}.Release|Win32.ActiveCfg = Release|Win32 45 | {8DDF10A1-496B-40DC-BE45-14F142109F8B}.Release|Win32.Build.0 = Release|Win32 46 | {8DDF10A1-496B-40DC-BE45-14F142109F8B}.Release|x64.ActiveCfg = Release|x64 47 | {8DDF10A1-496B-40DC-BE45-14F142109F8B}.Release|x64.Build.0 = Release|x64 48 | {39807440-F9D5-4378-A917-7424562A5286}.Debug|Win32.ActiveCfg = Debug|Win32 49 | {39807440-F9D5-4378-A917-7424562A5286}.Debug|Win32.Build.0 = Debug|Win32 50 | {39807440-F9D5-4378-A917-7424562A5286}.Debug|x64.ActiveCfg = Debug|x64 51 | {39807440-F9D5-4378-A917-7424562A5286}.Debug|x64.Build.0 = Debug|x64 52 | {39807440-F9D5-4378-A917-7424562A5286}.Release|Win32.ActiveCfg = Release|Win32 53 | {39807440-F9D5-4378-A917-7424562A5286}.Release|Win32.Build.0 = Release|Win32 54 | {39807440-F9D5-4378-A917-7424562A5286}.Release|x64.ActiveCfg = Release|x64 55 | {39807440-F9D5-4378-A917-7424562A5286}.Release|x64.Build.0 = Release|x64 56 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Debug|Win32.ActiveCfg = Debug|Win32 57 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Debug|Win32.Build.0 = Debug|Win32 58 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Debug|x64.ActiveCfg = Debug|x64 59 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Debug|x64.Build.0 = Debug|x64 60 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Release|Win32.ActiveCfg = Release|Win32 61 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Release|Win32.Build.0 = Release|Win32 62 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Release|x64.ActiveCfg = Release|x64 63 | {F7DA347C-7A61-49A8-9CD0-473EBCD4DEF8}.Release|x64.Build.0 = Release|x64 64 | EndGlobalSection 65 | GlobalSection(SolutionProperties) = preSolution 66 | HideSolutionNode = FALSE 67 | EndGlobalSection 68 | EndGlobal 69 | -------------------------------------------------------------------------------- /ProReversingLib/Debugger.cpp: -------------------------------------------------------------------------------- 1 
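#include "Debugger.h"

// NOTE(review): the single '#include' target on the original line 3 was lost
// in extraction; printf()/memset() below need these — confirm against the
// repository.
#include <cstdio>
#include <cstring>

using namespace std;

// Zero both structures so that OnDebugString() cannot read an indeterminate
// hProcess if setProcessInfo() has not been called yet.
Debugger::Debugger(void)
{
    memset(&startupInfo_, 0, sizeof startupInfo_);
    memset(&processInfo_, 0, sizeof processInfo_);
}


Debugger::~Debugger(void)
{}


// Default event hooks: each event is acknowledged with DBG_CONTINUE and the
// loop keeps running. Subclasses override the ones they care about.
DWORD Debugger::OnCreateProcess(DEBUG_EVENT& debugEvent)
{
    return DBG_CONTINUE;
}

/*
 * Returns (done, continue-status). The default keeps the loop running even
 * after the debuggee has exited; with no debuggee left, WaitForDebugEvent()
 * then fails and debugLoop() throws "Debug loop aborted".
 * NOTE(review): returning true here would let debugLoop() end cleanly once
 * the process exits — confirm the intended behaviour before changing it.
 */
pair<bool, DWORD> Debugger::OnExitProcess(DEBUG_EVENT& debugEvent)
{
    pair<bool, DWORD> res(false, DBG_CONTINUE);
    return res;
}

DWORD Debugger::OnLoadDll(DEBUG_EVENT& debugEvent)
{
    return DBG_CONTINUE;
}

DWORD Debugger::OnUnloadDll(DEBUG_EVENT& debugEvent)
{
    return DBG_CONTINUE;
}

DWORD Debugger::OnCreateThread(DEBUG_EVENT& debugEvent)
{
    return DBG_CONTINUE;
}

DWORD Debugger::OnExitThread(DEBUG_EVENT& debugEvent)
{
    return DBG_CONTINUE;
}

// Same (done, continue-status) contract as OnExitProcess().
pair<bool, DWORD> Debugger::OnRip(DEBUG_EVENT& debugEvent)
{
    pair<bool, DWORD> res(false, DBG_CONTINUE);
    return res;
}

/*
 * Copies the debuggee's OutputDebugString buffer into this process and echoes
 * it to stdout.
 *
 * nDebugStringLength and lpDebugStringData are supplied by the debuggee, so
 * they are treated as untrusted: the local copy is over-allocated by one
 * zeroed wchar_t (a terminator for either encoding regardless of what the
 * debuggee sent) and is printed only if ReadProcessMemory() copied the full
 * length. The original ignored the ReadProcessMemory() result and wrote
 * through const_cast(c_str()), which is undefined behaviour.
 */
DWORD Debugger::OnDebugString(DEBUG_EVENT& debugEvent)
{
    OUTPUT_DEBUG_STRING_INFO& event = debugEvent.u.DebugString;
    const size_t charSize = event.fUnicode ? sizeof(wchar_t) : sizeof(char);
    const size_t length = charSize * event.nDebugStringLength;

    // Zero-filled, with room for a terminator beyond the bytes read.
    string debugString(length + sizeof(wchar_t), '\0');

    SIZE_T numBytesRead = 0;
    const BOOL ok = ReadProcessMemory(processInfo_.hProcess, event.lpDebugStringData,
                                      &debugString[0], length, &numBytesRead);
    if (!ok || numBytesRead != length)
    {
        printf("[debug string] <unreadable: %u bytes requested>\n", static_cast<unsigned>(length));
        return DBG_CONTINUE;
    }

    if (event.fUnicode)
        printf("[debug string] %S", reinterpret_cast<const wchar_t*>(debugString.data()));
    else
        printf("[debug string] %s", debugString.c_str());

    return DBG_CONTINUE;
}

/*
 * Logs the exception and lets the debuggee's own handlers run for anything
 * other than a breakpoint. The address is printed with %p: the original
 * "%08x" mismatches the pointer argument and truncates 64-bit addresses.
 */
DWORD Debugger::OnException(DEBUG_EVENT& debugEvent)
{
    EXCEPTION_DEBUG_INFO& event = debugEvent.u.Exception;
    printf("[exception] 0x%08lx at address %p\n",
           static_cast<unsigned long>(event.ExceptionRecord.ExceptionCode),
           event.ExceptionRecord.ExceptionAddress);

    if (event.ExceptionRecord.ExceptionCode == STATUS_BREAKPOINT)
    {
        printf("[exception] breakpoint found, continuing execution\n");
        return DBG_CONTINUE;
    }

    return DBG_EXCEPTION_NOT_HANDLED;
}

/*
 * Pumps debug events until a hook reports completion. Every event is handed
 * to its hook and then acknowledged with the status the hook returned. The
 * file handles delivered with process-creation and DLL-load events are owned
 * by the debugger and closed here (they may be NULL).
 *
 * Throws a const char* message if WaitForDebugEvent() or ContinueDebugEvent()
 * fails; the type is kept so existing catch sites still match.
 */
bool Debugger::debugLoop()
{
    bool done = false;

    while (!done)
    {
        DEBUG_EVENT debugEvent;
        memset(&debugEvent, 0, sizeof debugEvent);
        if (!WaitForDebugEvent(&debugEvent, INFINITE))
            throw "Debug loop aborted";

        DWORD continueFlag = DBG_CONTINUE;
        switch (debugEvent.dwDebugEventCode)
        {
        case CREATE_PROCESS_DEBUG_EVENT:
            continueFlag = OnCreateProcess(debugEvent);
            if (debugEvent.u.CreateProcessInfo.hFile != NULL)
                CloseHandle(debugEvent.u.CreateProcessInfo.hFile);
            break;

        case EXIT_PROCESS_DEBUG_EVENT:
        {
            pair<bool, DWORD> res = OnExitProcess(debugEvent);
            done = res.first;
            continueFlag = res.second;
            break;
        }

        case LOAD_DLL_DEBUG_EVENT:
            continueFlag = OnLoadDll(debugEvent);
            if (debugEvent.u.LoadDll.hFile != NULL)
                CloseHandle(debugEvent.u.LoadDll.hFile);
            break;

        case UNLOAD_DLL_DEBUG_EVENT:
            continueFlag = OnUnloadDll(debugEvent);
            break;

        case CREATE_THREAD_DEBUG_EVENT:
            continueFlag = OnCreateThread(debugEvent);
            break;

        case EXIT_THREAD_DEBUG_EVENT:
            continueFlag = OnExitThread(debugEvent);
            break;

        case RIP_EVENT:
        {
            pair<bool, DWORD> res = OnRip(debugEvent);
            done = res.first;
            continueFlag = res.second;
            break;
        }

        case OUTPUT_DEBUG_STRING_EVENT:
            continueFlag = OnDebugString(debugEvent);
            break;

        case EXCEPTION_DEBUG_EVENT:
            continueFlag = OnException(debugEvent);
            break;

        default:
            printf("debug event %08x\n", static_cast<unsigned>(debugEvent.dwDebugEventCode));
            break;
        }

        if (!ContinueDebugEvent(debugEvent.dwProcessId, debugEvent.dwThreadId, continueFlag))
            throw "Error continuing debug event";
    }

    return true;
}

// PROCESS_INFORMATION is a plain C struct; assignment is the same byte copy
// the original memcpy performed.
void Debugger::setProcessInfo( const PROCESS_INFORMATION& other )
{
    processInfo_ = other;
}

--------------------------------------------------------------------------------
/ProReversingLib/Debugger.h:
--------------------------------------------------------------------------------
#pragma once

// NOTE(review): four '#include' targets were lost in extraction here. The
// declarations below need <windows.h> (DEBUG_EVENT, PROCESS_INFORMATION),
// <utility> (pair) and <string> (used by Debugger.cpp); confirm the fourth
// against the repository.
#include <windows.h>
#include <string>
#include <utility>

// NOTE(review): "Process.h" does not appear in the repository tree listed at
// the top of this page — confirm the file exists or drop the include.
#include "Process.h"

// NOTE(review): a using-directive in a header leaks into every includer;
// kept because other headers in ProReversingLib rely on unqualified names.
using namespace std;


/*
 * Minimal Win32 debug-event pump. debugLoop() dispatches each event to a
 * virtual hook; the base implementations acknowledge everything and log
 * exceptions and debug strings. Subclasses override the hooks they need.
 */
class Debugger
{
public:
    Debugger(void);
    ~Debugger(void);

    // Copies the PROCESS_INFORMATION whose hProcess OnDebugString() reads from.
    void setProcessInfo(const PROCESS_INFORMATION& other);

    // Runs until a hook reports completion; throws const char* on API failure.
    bool debugLoop();

private:

    // Each hook returns the status passed to ContinueDebugEvent(); the two
    // pair-returning hooks also report whether the loop should stop.
    virtual DWORD OnCreateProcess(DEBUG_EVENT& debugEvent);
    virtual pair<bool, DWORD> OnExitProcess(DEBUG_EVENT& debugEvent);
    virtual DWORD OnLoadDll(DEBUG_EVENT& debugEvent);
    virtual DWORD OnUnloadDll(DEBUG_EVENT& debugEvent);
    virtual DWORD OnCreateThread(DEBUG_EVENT& debugEvent);
    virtual DWORD OnExitThread(DEBUG_EVENT& debugEvent);
    virtual pair<bool, DWORD> OnRip(DEBUG_EVENT& debugEvent);
    virtual DWORD OnDebugString(DEBUG_EVENT& debugEvent);
    virtual DWORD OnException(DEBUG_EVENT& debugEvent);
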
// Set by setProcessInfo(); only processInfo_.hProcess is read (OnDebugString).
    STARTUPINFO startupInfo_;          // never read or written in Debugger.cpp — appears unused
    PROCESS_INFORMATION processInfo_;

};

--------------------------------------------------------------------------------
/ProReversingLib/NtGlobalFlag.cpp:
--------------------------------------------------------------------------------
#include "NtGlobalFlag.h"
#include "System.h"

// Resolve the address of PEB.NtGlobalFlag once; it does not move for the
// lifetime of the process.
NtGlobalFlag::NtGlobalFlag(void)
    : ntGlobalFlagPtr_(getNtGlobalFlagPtr())
{}


NtGlobalFlag::~NtGlobalFlag(void)
{}


/*
 * Saves the current NtGlobalFlag and clears the three bits in mask 0x70 (the
 * heap-debug flags a debugger-spawned process typically carries). Calling
 * enable() twice overwrites the saved copy with the already-cleared value, so
 * a later disable() would not restore the original.
 */
bool NtGlobalFlag::enable()
{
    const ULONG32 current = *ntGlobalFlagPtr_;
    originalData_ = current;
    *ntGlobalFlagPtr_ = current & ~ULONG32(0x70);

    return true;
}


/* Restores the value captured by enable(). */
bool NtGlobalFlag::disable()
{
    *ntGlobalFlagPtr_ = originalData_;

    return true;
}


/*
 * Locates NtGlobalFlag inside the PEB returned by System::getPeb(). The
 * offset is fixed per architecture: 0xbc on x64, 0x68 on x86.
 */
ULONG32* NtGlobalFlag::getNtGlobalFlagPtr()
{
    BYTE* peb = System::getPeb();
#ifdef _WIN64
    const size_t offset = 0xbc;
#else
    // NtGlobalFlag is at offset 0x68 in all 32 bit versions
    const size_t offset = 0x68;
#endif
    return reinterpret_cast<ULONG32*>(peb + offset);
}


/*
 * True while any of the 0x70 bits is still visible, i.e. a debugger check
 * reading NtGlobalFlag would still fire and the hiding is not in effect.
 */
bool NtGlobalFlag::isAntiTechniqueStillWorking()
{
    const ULONG32 debugBits = *ntGlobalFlagPtr_ & 0x70;
    return debugBits != 0;
}


const string NtGlobalFlag::name()
{
    return string("NtGlobalFlag");
}
--------------------------------------------------------------------------------
/ProReversingLib/NtGlobalFlag.h:
--------------------------------------------------------------------------------
#pragma once
#include <windows.h>   // NOTE(review): include target lost in extraction; ULONG32/BYTE need it — confirm
#include "ProTechnique.h"


/*
 * ProTechnique that hides the heap-debug bits (mask 0x70) of PEB.NtGlobalFlag.
 * NOTE(review): instances are deleted through auto_ptr<ProTechnique>
 * (ProReversing.cpp) — confirm ProTechnique declares a virtual destructor.
 */
class NtGlobalFlag: public ProTechnique
{
public:
    NtGlobalFlag();
    ~NtGlobalFlag();

    virtual bool enable();
    virtual bool disable();

    virtual bool isAntiTechniqueStillWorking();
    virtual const string name();

private:
    ULONG32 originalData_;       // value saved by enable(), restored by disable()
    ULONG32* ntGlobalFlagPtr_;   // address of PEB.NtGlobalFlag, resolved in the constructor

    ULONG32* getNtGlobalFlagPtr();

};
--------------------------------------------------------------------------------
/ProReversingLib/PebBeingDebugged.cpp:
--------------------------------------------------------------------------------
#include "PebBeingDebugged.h"
#include "System.h"

PebBeingDebugged::PebBeingDebugged(void)
{
}


PebBeingDebugged::~PebBeingDebugged(void)
{
}

/*
 * Saves PEB.BeingDebugged and clears it. Calling enable() twice saves the
 * already-cleared byte, so a later disable() would not restore the original.
 */
bool PebBeingDebugged::enable()
{
    BYTE* const beingDebugged = System::getPeb() + 2; // BeingDebugged flag at offset 2 for all windows versions
    originalData_ = *beingDebugged;
    *beingDebugged = FALSE;

    return true;
}

/* Restores the byte captured by enable(). */
bool PebBeingDebugged::disable()
{
    BYTE* const beingDebugged = System::getPeb() + 2;
    *beingDebugged = originalData_;

    return true;
}


/*
 * Asks the OS the same question a protected program would. True means the
 * flag is still visible to IsDebuggerPresent(), i.e. the hiding is not in
 * effect.
 */
bool PebBeingDebugged::isAntiTechniqueStillWorking()
{
    if (IsDebuggerPresent())
        return true;
    return false;
}


const string PebBeingDebugged::name()
{
    return string("PebBeingDebugged");
}
--------------------------------------------------------------------------------
/ProReversingLib/PebBeingDebugged.h:
--------------------------------------------------------------------------------
#pragma once
#include <windows.h>   // NOTE(review): include target lost in extraction; BYTE needs it — confirm
#include "ProTechnique.h"

/* ProTechnique that clears PEB.BeingDebugged while enabled. */
class PebBeingDebugged: public ProTechnique
{
public:
    PebBeingDebugged();
    ~PebBeingDebugged();

    virtual bool enable();
    virtual bool disable();

    virtual bool isAntiTechniqueStillWorking();
    virtual const string name();

private:
    BYTE originalData_;   // PEB.BeingDebugged as found by enable()
};
--------------------------------------------------------------------------------
/ProReversingLib/PebHeapFlags.cpp:
--------------------------------------------------------------------------------
#include "PebHeapFlags.h"

using namespace System;

/*
 * Resolves the Flags / ForceFlags addresses inside the process heap header
 * once. Both helpers throw exception("unsupported") on 64-bit systems older
 * than Vista, so this constructor can throw as well.
 */
PebHeapFlags::PebHeapFlags(void)
    : flagPtr_(getFlagPtr(System::getPebProcessHeap())),
      forceFlagPtr_(getForceFlagPtr(System::getPebProcessHeap()))
{}


PebHeapFlags::~PebHeapFlags(void)
{}



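ULONG* PebHeapFlags::getForceFlagPtr(BYTE* heap)
{
    // Offset of ForceFlags in the heap header differs per architecture and OS
    // generation; the pre-Vista 64-bit layout is not supported.
#ifdef _WIN64
    if (!System::isAtleastVista())
        throw exception("unsupported");
    // return (ULONG*) (processHeap + 0x18);
    return reinterpret_cast<ULONG*>(heap + 0x74);
#else
    if (System::isAtleastVista())
        return reinterpret_cast<ULONG*>(heap + 0x44);
    else
        return reinterpret_cast<ULONG*>(heap + 0x10);
#endif
}


ULONG* PebHeapFlags::getFlagPtr(BYTE* heap)
{
    // Offset of Flags in the heap header; same support matrix as above.
#ifdef _WIN64
    if (!System::isAtleastVista())
        throw exception("unsupported");
    // return (ULONG*) (processHeap + 0x14);
    return reinterpret_cast<ULONG*>(heap + 0x70);
#else
    if (System::isAtleastVista())
        return reinterpret_cast<ULONG*>(heap + 0x40);
    else
        return reinterpret_cast<ULONG*>(heap + 0x0c);
#endif
}


/* Restores the Flags/ForceFlags values captured by enable(). */
bool PebHeapFlags::disable()
{
    *flagPtr_ = originalFlagData_;
    *forceFlagPtr_ = originalForceFlagData_;

    return true;
}


/*
 * Saves both words, then keeps only HEAP_GROWABLE in Flags and clears
 * ForceFlags entirely. Calling enable() twice overwrites the saved copies
 * with the already-patched values.
 */
bool PebHeapFlags::enable()
{
    originalFlagData_ = *flagPtr_;
    originalForceFlagData_ = *forceFlagPtr_;

    *flagPtr_ &= HEAP_GROWABLE;
    *forceFlagPtr_ = 0;

    return true;
}


/*
 * Inspects a freshly created heap rather than the (possibly already patched)
 * process heap and reports whether debug-related flags are present.
 *
 * Throws exception("HeapCreate failed") when no heap could be created: the
 * original dereferenced getFlagPtr(NULL), i.e. NULL plus a small offset.
 *
 * NOTE(review): enable() strips every Flags bit except HEAP_GROWABLE, yet
 * this check tests HEAP_GROWABLE itself rather than the bits enable() clears
 * (*flags & ~HEAP_GROWABLE). Behaviour is kept as-is; confirm the intended
 * mask.
 */
bool PebHeapFlags::isAntiTechniqueStillWorking()
{
    HANDLE heap = HeapCreate(0, 0x10, 0x1000);
    if (heap == NULL)
        throw exception("HeapCreate failed");

    BYTE* const raw = static_cast<BYTE*>(heap);

    bool found = (*getFlagPtr(raw) & (HEAP_GROWABLE)) != 0;
    found |= *getForceFlagPtr(raw) != 0;

    HeapDestroy(heap);

    return found;
}


const string PebHeapFlags::name()
{
    return "PebHeapFlags";
}
--------------------------------------------------------------------------------
/ProReversingLib/PebHeapFlags.h:
--------------------------------------------------------------------------------
#pragma once
#include "ProTechnique.h"
#include "System.h"

/*
 * ProTechnique that clears the debug-related Flags/ForceFlags words of the
 * process heap header while enabled.
 */
class PebHeapFlags: public ProTechnique
{
public: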
// Constructor resolves the two heap-header addresses and may throw (see PebHeapFlags.cpp).
    PebHeapFlags();
    ~PebHeapFlags();

    virtual bool enable();
    virtual bool disable();

    virtual bool isAntiTechniqueStillWorking();
    virtual const string name();

private:
    BYTE originalData_;            // NOTE(review): never referenced in PebHeapFlags.cpp — looks like a leftover
    ULONG* flagPtr_;               // address of the process heap's Flags word, resolved in the constructor
    ULONG* forceFlagPtr_;          // address of the process heap's ForceFlags word, resolved in the constructor
    ULONG originalFlagData_;       // Flags value saved by enable(), restored by disable()
    ULONG originalForceFlagData_;  // ForceFlags value saved by enable(), restored by disable()

    // Both throw exception("unsupported") on 64-bit systems older than Vista.
    ULONG* getFlagPtr(BYTE* heap);
    ULONG* getForceFlagPtr(BYTE* heap);
};
--------------------------------------------------------------------------------
/ProReversingLib/ProReversing.cpp:
--------------------------------------------------------------------------------
/* ============================================================================
 * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 * * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * * Neither the name of the nor the
 * names of its contributors may be used to endorse or promote products
 * derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.
IN NO EVENT SHALL BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 * =============================================================================
 */

#include "ProReversing.h"

#include "PebBeingDebugged.h"
#include "NtGlobalFlag.h"
#include "PebHeapFlags.h"


/*
 * Activates every registered technique in registration order. The bool each
 * enable() returns is not inspected, so a partial failure is silent.
 */
void ProReversing::enableProtection()
{
    const size_t count = techniques_.size();
    for (size_t k = 0; k < count; ++k)
        techniques_[k]->enable();
}


/*
 * Restores the original values in registration order (same order as
 * enableProtection(), not reversed). Results are not inspected.
 */
void ProReversing::disableProtection()
{
    const size_t count = techniques_.size();
    for (size_t k = 0; k < count; ++k)
        techniques_[k]->disable();
}



/*
 * Registers the three built-in techniques. PebHeapFlags' constructor throws
 * on 64-bit systems older than Vista (see PebHeapFlags.cpp), so this
 * constructor can throw too; that matters for the static ProReversing
 * instances in AntiReversing/main.cpp and DLL/dll.cpp, where the exception
 * escapes static initialisation.
 */
ProReversing::ProReversing()
{
    techniques_.push_back(auto_ptr<ProTechnique>(new PebBeingDebugged));
    techniques_.push_back(auto_ptr<ProTechnique>(new NtGlobalFlag));
    techniques_.push_back(auto_ptr<ProTechnique>(new PebHeapFlags));
}


// auto_ptr elements release the techniques; nothing else to do.
ProReversing::~ProReversing()
{}


--------------------------------------------------------------------------------
/ProReversingLib/ProReversing.h:
--------------------------------------------------------------------------------
/* ============================================================================
 * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com>
 * All rights reserved.
4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are met: 7 | * * Redistributions of source code must retain the above copyright 8 | * notice, this list of conditions and the following disclaimer. 9 | * * Redistributions in binary form must reproduce the above copyright 10 | * notice, this list of conditions and the following disclaimer in the 11 | * documentation and/or other materials provided with the distribution. 12 | * * Neither the name of the nor the 13 | * names of its contributors may be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
26 | * ============================================================================= 27 | */ 28 | 29 | #pragma once 30 | #include 31 | #include 32 | 33 | 34 | #include 35 | #include "ProTechnique.h" 36 | 37 | using namespace std; 38 | 39 | class ProReversing 40 | { 41 | public: 42 | 43 | ProReversing(); 44 | ~ProReversing(); 45 | 46 | void enableProtection(); 47 | void disableProtection(); 48 | 49 | private: 50 | vector> techniques_; 51 | 52 | }; 53 | 54 | 55 | 56 | 57 | -------------------------------------------------------------------------------- /ProReversingLib/ProReversingLib.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | true 44 | true 45 | 46 | 47 | Document 48 | true 49 | true 50 | 51 | 52 | 53 | {DFB5E6D6-6FFA-4365-B62D-CDB27796B4CB} 54 | Win32Proj 55 | ProReversingLib 56 | 57 | 58 | 59 | StaticLibrary 60 | true 61 | MultiByte 62 | 63 | 64 | StaticLibrary 65 | true 66 | MultiByte 67 | 68 | 69 | StaticLibrary 70 | false 71 | true 72 | MultiByte 73 | 74 | 75 | StaticLibrary 76 | false 77 | true 78 | MultiByte 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | ProReversing 99 | 100 | 101 | ProReversing 102 | 103 | 104 | ProReversing 105 | 106 | 107 | ProReversing 108 | 109 | 110 | 111 | 112 | 113 | Level3 114 | Disabled 115 | WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) 116 | MultiThreadedDebug 117 | $(GTESTDIR)/include;$(BOOSTDIR)/include 118 | 119 | 120 | Windows 121 | true 122 | 123 | 124 | 125 | 126 | 127 | 128 | Level3 129 | Disabled 130 | WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions) 131 | MultiThreadedDebug 132 | $(GTESTDIR)/include;$(BOOSTDIR)/include 133 | 134 | 135 | Windows 136 | true 137 | 138 | 139 | 140 
| 141 | Level3 142 | 143 | 144 | MaxSpeed 145 | true 146 | true 147 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) 148 | MultiThreaded 149 | $(GTESTDIR)/include;$(BOOSTDIR)/include 150 | 151 | 152 | Windows 153 | true 154 | true 155 | true 156 | 157 | 158 | 159 | 160 | Level3 161 | 162 | 163 | MaxSpeed 164 | true 165 | true 166 | WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions) 167 | MultiThreaded 168 | $(GTESTDIR)/include;$(BOOSTDIR)/include 169 | 170 | 171 | Windows 172 | true 173 | true 174 | true 175 | 176 | 177 | 178 | 179 | 180 | 181 | -------------------------------------------------------------------------------- /ProReversingLib/ProReversingLib.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | ProTechniques 8 | 9 | 10 | ProTechniques 11 | 12 | 13 | ProTechniques 14 | 15 | 16 | ProTechniques 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | ProTechniques 25 | 26 | 27 | ProTechniques 28 | 29 | 30 | ProTechniques 31 | 32 | 33 | ProTechniques 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | {ac226c59-a60a-4588-977e-53042aa3a99a} 42 | 43 | 44 | 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /ProReversingLib/ProTechnique.cpp: -------------------------------------------------------------------------------- 1 | #include "ProTechnique.h" 2 | 3 | ProTechnique::ProTechnique(void) 4 | { 5 | } 6 | 7 | 8 | ProTechnique::~ProTechnique(void) 9 | { 10 | } 11 | -------------------------------------------------------------------------------- /ProReversingLib/ProTechnique.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | 4 | using namespace std; 5 | 6 | class ProTechnique 7 | { 8 | public: 9 | ProTechnique(); 10 | ~ProTechnique(); 11 | 12 | virtual bool enable() = 0; 13 | virtual bool disable() = 0; 14 | virtual bool isAntiTechniqueStillWorking() = 0; 15 | virtual const string name() = 0; 16 | }; 17 | 
-------------------------------------------------------------------------------- /ProReversingLib/SimpleCommunicator.cpp: -------------------------------------------------------------------------------- 1 | #include "SimpleCommunicator.h" 2 | 3 | 4 | 5 | /* Reads one '\n'-terminated line from sock. On any read error (including a peer that closed the connection) an empty string is returned, so callers cannot tell an error from an empty line — AsioServer treats both as the end of the session. No length limit is applied: read_until keeps growing the default streambuf until the delimiter arrives, so a peer that never sends '\n' can make the buffer grow without bound; constructing the streambuf with a maximum size would cap that. */ string readStringWithNewline(tcp::socket& sock) 6 | { 7 | boost::asio::streambuf buffer; 8 | boost::system::error_code error; 9 | boost::asio::read_until(sock, buffer, '\n', error); 10 | if (error) 11 | return string(); 12 | 13 | istream is(&buffer); 14 | string s; 15 | getline(is, s); 16 | 17 | return s; 18 | 19 | } 20 | 21 | 22 | /* Writes data followed by '\n'. NOTE(review): 'error' is declared but never passed to boost::asio::write, so the if (error) branch below is dead; the overload used here throws boost::system::system_error itself on failure. Either pass error as the last argument of write() or drop the unused variable and the dead check. */ void writeStringWithNewline(tcp::socket& sock, const string& data) 23 | { 24 | 25 | boost::system::error_code error; 26 | 27 | string sendData = data + '\n'; 28 | 29 | boost::asio::write(sock, boost::asio::buffer(sendData.data(), sendData.length())); 30 | if (error) 31 | throw boost::system::system_error(error); 32 | 33 | } 34 | 35 | 36 | /* Blocking command loop: this constructor never returns. The endpoint tcp::endpoint(tcp::v4(), port) carries no address and therefore binds to all IPv4 interfaces, so any host that can reach PORT can send commands to message_handler and stop the process with "exit" — there is no authentication. AsioClient only ever connects to "localhost", so binding to the loopback address (tcp::endpoint(boost::asio::ip::address_v4::loopback(), atoi(PORT))) restricts the channel to the local machine without changing the tests. "exit" calls exit(0) from inside the loop, which skips the RAII cleanup of acceptor_ and sock_. Clients are served one at a time; a session ends at the first empty or failed read. */ AsioServer::AsioServer( boost::asio::io_service& io_service, string (*message_handler) (const string&) ) 37 | :acceptor_(io_service, tcp::endpoint(tcp::v4(), atoi(PORT))) 38 | { 39 | 40 | for (;;) 41 | { 42 | sock_ = socket_ptr(new tcp::socket(acceptor_.get_io_service())); 43 | acceptor_.accept(*sock_); 44 | for(;;) 45 | { 46 | 47 | string cmd = readStringWithNewline(*sock_); 48 | 49 | if (cmd.empty()) 50 | break; 51 | 52 | if (cmd == "exit") 53 | { 54 | acceptor_.get_io_service().stop(); 55 | exit(0); 56 | } 57 | 58 | string res = message_handler(cmd); 59 | 60 | writeStringWithNewline(*sock_, res); 61 | } 62 | } 63 | } 64 | 65 | 66 | /* Resolves "localhost" on the fixed PORT and connects sock_; the resolve and connect overloads used here throw on failure. */ AsioClient::AsioClient( boost::asio::io_service& io_service ) 67 | :sock_(io_service) 68 | { 69 | 70 | 71 | tcp::resolver resolver(sock_.get_io_service()); 72 | tcp::resolver::query query(tcp::v4(), "localhost", PORT); 73 | tcp::resolver::iterator iterator = resolver.resolve(query); 74 | 75 | boost::asio::connect(sock_, iterator); 76 | 77 | } 78 | 79 | 80 | std::string AsioClient::remoteExecute( const string& data ) 81 | { 
82 | writeStringWithNewline(sock_, data); 83 | return readStringWithNewline(sock_); 84 | } -------------------------------------------------------------------------------- /ProReversingLib/SimpleCommunicator.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef _WIN32_WINNT 4 | #define _WIN32_WINNT 0x0501 5 | #endif 6 | 7 | #include 8 | #include 9 | 10 | #define MQ_NAME "ProReversing" 11 | #define PORT "1245" 12 | 13 | //#include 14 | 15 | using namespace std; 16 | using boost::asio::ip::tcp; 17 | typedef boost::shared_ptr socket_ptr; 18 | 19 | 20 | class AsioServer 21 | { 22 | public: 23 | AsioServer(boost::asio::io_service& io_service, string (*message_handler) (const string&)); 24 | 25 | private: 26 | 27 | tcp::acceptor acceptor_; 28 | socket_ptr sock_; 29 | }; 30 | 31 | 32 | class AsioClient 33 | { 34 | 35 | public: 36 | AsioClient(boost::asio::io_service& io_service); 37 | 38 | 39 | 40 | string remoteExecute(const string& data); 41 | 42 | 43 | private: 44 | 45 | 46 | tcp::socket sock_; 47 | }; 48 | -------------------------------------------------------------------------------- /ProReversingLib/System.cpp: -------------------------------------------------------------------------------- 1 | #include "System.h" 2 | 3 | 4 | -------------------------------------------------------------------------------- /ProReversingLib/System.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef SYSTEM_H 3 | #define SYSTEM_H 4 | 5 | #include 6 | #include 7 | 8 | 9 | using namespace std; 10 | 11 | typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL); 12 | 13 | namespace System 14 | { 15 | extern "C" BYTE* getPeb(); 16 | 17 | static bool isAtleastVista() 18 | { 19 | static bool isAtleastVista; 20 | static bool isSet; 21 | if (isSet) 22 | return isAtleastVista; 23 | 24 | OSVERSIONINFO versionInfo = {0}; 25 | versionInfo.dwOSVersionInfoSize = 
sizeof(OSVERSIONINFO); 26 | 27 | GetVersionEx(&versionInfo); 28 | 29 | isAtleastVista = versionInfo.dwMajorVersion >= 6; 30 | isSet = true; 31 | 32 | return isAtleastVista; 33 | } 34 | 35 | /* Reports whether this process runs under WOW64. The answer is cached in function-local statics, but the cache is only considered valid once the IsWow64Process lookup succeeded, so on a kernel32 without that export every call repeats the GetProcAddress lookup. Initialisation of the statics is not synchronised; concurrent first calls could race, which is probably harmless here because every caller computes the same value. */ static bool isWow64() 36 | { 37 | static LPFN_ISWOW64PROCESS isWow64Process; 38 | static BOOL isWow64; 39 | 40 | if (isWow64Process) 41 | return isWow64 == TRUE; 42 | 43 | isWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle("kernel32"),"IsWow64Process"); 44 | 45 | isWow64 = FALSE; 46 | 47 | if (isWow64Process == NULL) return false; 48 | 49 | if (!isWow64Process(GetCurrentProcess(),&isWow64)) return false; 50 | 51 | return isWow64 == TRUE; 52 | } 53 | 54 | /* Returns (and caches) a pointer read from the PEB at a hard-coded field offset: 0x30 on x64, 0x18 on x86 — presumably PEB.ProcessHeap, judging by the name. The x64 path is only taken from Vista on and throws otherwise; note that std::exception(const char*) is an MSVC extension. These offsets are assumptions about an undocumented structure layout; if they ever drift, the callers read and write through a pointer into an unrelated structure, so a sanity check (for example comparing the result with GetProcessHeap()) before trusting it would be worthwhile. */ static BYTE* getPebProcessHeap() 55 | { 56 | static BYTE* pebProcessHeap; 57 | if (pebProcessHeap) 58 | return pebProcessHeap; 59 | 60 | BYTE* peb = System::getPeb(); 61 | # ifdef _WIN64 62 | if (!System::isAtleastVista()) 63 | throw exception("unsupported"); 64 | // vista_x64 65 | pebProcessHeap = (BYTE*) (*(void**) (peb + 0x30)); 66 | #else 67 | // valid for vista_x86, xp_x86 68 | pebProcessHeap = (BYTE*) (*(void**) (peb + 0x18)); 69 | #endif 70 | 71 | return pebProcessHeap; 72 | } 73 | }; 74 | 75 | 76 | /* 77 | 78 | constructor selects which os, which environment 79 | os >= vista? 
80 | environment: a 32-bit process on a 32-bit OS, or a 32-bit process on a 64-bit OS 81 | winxp.32 (winxp.64) 82 | winvista.32 winvista.64 83 | 84 | */ 85 | 86 | #endif -------------------------------------------------------------------------------- /ProReversingLib/Systemx64.asm: -------------------------------------------------------------------------------- 1 | .code 2 | 3 | getPeb proc 4 | mov rax, qword ptr gs:[60h] 5 | ret 6 | getPeb endp 7 | 8 | end -------------------------------------------------------------------------------- /ProReversingLib/Systemx86.asm: -------------------------------------------------------------------------------- 1 | .model flat 2 | .code 3 | 4 | assume fs:nothing 5 | 6 | _getPeb proc 7 | mov eax, fs:[30h] 8 | ret 9 | _getPeb endp 10 | 11 | end -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ProReversing Framework 2 | ============ 3 | 4 | This project gathers anti-anti-reversing techniques into an open library. The resulting DLL can easily be incorporated into any reverse engineering tool. It works on 5 | 6 | * Windows XP 32 bits 7 | * Windows Vista 32 bits 8 | * Windows 7 32 bits 9 | * Windows Vista 64 bits 10 | * Windows 7 64 bits 11 | 12 | For more information, see [my blog](http://malwaremuncher.blogspot.com/2012/11/towards-anti-anti-reversing-framework.html). 13 | 14 | Build Prerequisites 15 | -------------- 16 | 17 | * Install the [Boost](http://www.boost.org/) library. Make sure to install it with runtime-link=static! 18 | * Create an environment variable called BOOSTDIR and make it point to the installed Boost library. 19 | * In order to run the tests successfully, install the [Google C++ Testing Framework](http://code.google.com/p/googletest/). 20 | * Create an environment variable called GTESTDIR pointing to the googletest directory. 
21 | * If you want to run the injection test, you will have to download the Dll-Injector project; otherwise, comment the injection test out. 22 | -------------------------------------------------------------------------------- /Release/ProReverse.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/killvxk/ProReversing/791f924360272097d4366078549660d5b8622a10/Release/ProReverse.dll -------------------------------------------------------------------------------- /Test/ProReversingTest.h: -------------------------------------------------------------------------------- 1 | /* ============================================================================ 2 | * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com> 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are met: 7 | * * Redistributions of source code must retain the above copyright 8 | * notice, this list of conditions and the following disclaimer. 9 | * * Redistributions in binary form must reproduce the above copyright 10 | * notice, this list of conditions and the following disclaimer in the 11 | * documentation and/or other materials provided with the distribution. 12 | * * Neither the name of the nor the 13 | * names of its contributors may be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | * DISCLAIMED. 
IN NO EVENT SHALL BE LIABLE FOR ANY 20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | * ============================================================================= 27 | */ 28 | 29 | #include 30 | #include 31 | #include 32 | #include 33 | #ifndef _WIN64 34 | #include 35 | #endif 36 | 37 | #include 38 | #include 39 | #include 40 | 41 | #include 42 | 43 | 44 | /* Test fixture shared by the anti-reversing end-to-end tests. NOTE(review): gtest constructs a fresh fixture object for every TEST_F, but techniques_ is static, so each test appends three more technique objects and executeTests() re-checks the duplicates; register them once (e.g. in SetUpTestCase) or make the member non-static. */ class ProReversingTest : public ::testing::Test 45 | { 46 | 47 | public: 48 | ProReversingTest() 49 | { 50 | techniques_.push_back(auto_ptr(new PebBeingDebugged)); 51 | techniques_.push_back(auto_ptr(new PebHeapFlags)); 52 | techniques_.push_back(auto_ptr(new NtGlobalFlag)); 53 | } 54 | 55 | virtual ~ProReversingTest() 56 | {} 57 | 58 | virtual void SetUp() 59 | {} 60 | 61 | virtual void TearDown() 62 | {} 63 | 64 | static vector> techniques_; 65 | static boost::asio::io_service ioService_; 66 | 67 | }; 68 | 69 | vector> ProReversingTest::techniques_; 70 | boost::asio::io_service ProReversingTest::ioService_; 71 | 72 | 73 | /* Launches AntiReversing.exe — as a debuggee of dbg (DEBUG_ONLY_THIS_PROCESS) when dbg is given — and returns its PID. "AntiReversing.exe" is a relative path, so CreateProcess resolves it against the current directory and the tests must run from the build output directory. The process and thread handles in processInfo are never closed with CloseHandle, so they leak for the lifetime of the test run. std::exception(const char*) is an MSVC extension. */ DWORD startServer(Debugger* dbg = NULL) 74 | { 75 | STARTUPINFO startupInfo; 76 | PROCESS_INFORMATION processInfo; 77 | ZeroMemory(&startupInfo, sizeof startupInfo); 78 | startupInfo.cb = sizeof(STARTUPINFO); 79 | 80 | if (!CreateProcess("AntiReversing.exe", NULL, NULL, NULL, FALSE, dbg ? 
DEBUG_ONLY_THIS_PROCESS : 0, NULL, NULL, &startupInfo, &processInfo)) 81 | { 82 | throw exception("Error: could not create TestApp\n"); 83 | } 84 | 85 | if (dbg) 86 | { 87 | dbg->setProcessInfo(processInfo); 88 | } 89 | 90 | return processInfo.dwProcessId; 91 | } 92 | 93 | /* PID of the most recently started target. It is written by startServer() callers — including startDebugging() on a separate boost::thread — and read by executeTests() without any synchronisation. */ DWORD pid; 94 | 95 | 96 | /* Drives the target over the local command channel: sends prepend_commands first, then queries each registered technique by name and asserts that the reply equals expectedResult, then sends "exit" and kills the target. NOTE(review): ASSERT_EQ returns from this function on failure, so "exit" and TerminateProcess are skipped and the target is left running for the next test. The handle returned by OpenProcess is neither checked for NULL nor closed; TerminateProcess(NULL, 0) fails silently, again leaving the target alive. */ void executeTests(const string& expectedResult, const vector& prepend_commands = vector()) 97 | { 98 | AsioClient ac(ProReversingTest::ioService_); 99 | 100 | if (!prepend_commands.empty()) 101 | { 102 | for(vector::const_iterator i = prepend_commands.begin(); i != prepend_commands.end(); i++) 103 | ac.remoteExecute(*i); 104 | } 105 | 106 | for (vector>::iterator i = ProReversingTest::techniques_.begin(); i != ProReversingTest::techniques_.end(); i++) 107 | { 108 | string result = ac.remoteExecute((*i)->name()); 109 | 110 | cout << "checking " << (*i)->name() << ", asserting " << expectedResult << endl; 111 | ASSERT_EQ(result, expectedResult); 112 | } 113 | 114 | ac.remoteExecute("exit"); 115 | 116 | TerminateProcess(OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid), 0); 117 | 118 | } 119 | 120 | 121 | TEST_F(ProReversingTest, antiReversingCheckWithoutDebugger) 122 | { 123 | pid = startServer(); 124 | 125 | executeTests("false"); 126 | 127 | } 128 | 129 | 130 | 131 | /* Runs on a helper thread: starts the target under the local Debugger and then services debug events until the target exits. */ void startDebugging() 132 | { 133 | Debugger dbg; 134 | pid = startServer(&dbg); 135 | 136 | dbg.debugLoop(); 137 | 138 | } 139 | 140 | 141 | /* NOTE(review): executeTests() connects and reads pid while startDebugging() is still launching the target on the other thread; nothing waits for the server to come up, so this test depends on timing. The same applies to the TEST_F cases below that start a debugging thread. */ TEST_F(ProReversingTest, antiReversingCheckWithDebugger) 142 | { 143 | boost::thread t(startDebugging); 144 | 145 | executeTests("true"); 146 | 147 | } 148 | 149 | 150 | TEST_F(ProReversingTest, antiReversingCheckWithProReversingEnabled) 151 | { 152 | boost::thread t(startDebugging); 153 | 154 | vector additionalCommands; 155 | additionalCommands.push_back("enable"); 156 | 157 | executeTests("false", additionalCommands); 158 | 159 | } 160 | 161 | 162 | TEST_F(ProReversingTest, antiReversingCheckWithProReversingEnabledThenDisabled) 163 | { 164 | boost::thread 
t(startDebugging); 165 | 166 | vector additionalCommands; 167 | additionalCommands.push_back("enable"); 168 | additionalCommands.push_back("disable"); 169 | 170 | executeTests("true", additionalCommands); 171 | 172 | } 173 | 174 | 175 | #ifndef _WIN64 // injection test currently works only with 32 bit code 176 | TEST_F(ProReversingTest, antiReversingCheckWithDllInjected) 177 | { 178 | boost::thread t(startDebugging); 179 | 180 | pid = startServer(false); 181 | 182 | Injector(pid, "ProReversing.dll"); 183 | 184 | executeTests("false"); 185 | } 186 | 187 | #endif 188 | 189 | 190 | TEST_F(ProReversingTest, checkPebHeapFlags) 191 | { 192 | PebHeapFlags p; 193 | p.enable(); 194 | 195 | p.isAntiTechniqueStillWorking(); 196 | } 197 | -------------------------------------------------------------------------------- /Test/SimpleCommunicatorTest.h: -------------------------------------------------------------------------------- 1 | /* ============================================================================ 2 | * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com> 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are met: 7 | * * Redistributions of source code must retain the above copyright 8 | * notice, this list of conditions and the following disclaimer. 9 | * * Redistributions in binary form must reproduce the above copyright 10 | * notice, this list of conditions and the following disclaimer in the 11 | * documentation and/or other materials provided with the distribution. 12 | * * Neither the name of the nor the 13 | * names of its contributors may be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 
15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | * ============================================================================= 27 | */ 28 | 29 | #include 30 | 31 | #include 32 | #include 33 | 34 | 35 | boost::asio::io_service ioService_; 36 | 37 | 38 | class SimpleCommunicatorTest : public ::testing::Test 39 | { 40 | 41 | public: 42 | SimpleCommunicatorTest() 43 | { 44 | boost::thread t(&SimpleCommunicatorTest::startServer); 45 | } 46 | 47 | virtual ~SimpleCommunicatorTest() 48 | {} 49 | 50 | virtual void SetUp() 51 | {} 52 | 53 | virtual void TearDown() 54 | {} 55 | 56 | private: 57 | 58 | static string handler(const string& s) 59 | { 60 | string x = s; 61 | x += "x"; 62 | return x; 63 | } 64 | 65 | 66 | static void startServer() 67 | { 68 | AsioServer as(ioService_, SimpleCommunicatorTest::handler); 69 | } 70 | 71 | }; 72 | 73 | 74 | string genRandomString(size_t max_len) 75 | { 76 | size_t strLen = (rand() % max_len) + 1; 77 | string s; 78 | s.resize(strLen); 79 | 80 | for (string::iterator i = s.begin(); i != s.end(); i++) 81 | *i = 'a' + (rand() % 26); 82 | 83 | return s; 84 | 85 | } 86 | 87 | 88 | TEST_F(SimpleCommunicatorTest, simpleTestCommunication) 89 | { 90 | AsioClient ac(ioService_); 91 | string res = 
ac.remoteExecute("1234"); 92 | ASSERT_EQ(res, "1234x"); 93 | 94 | } 95 | 96 | 97 | TEST_F(SimpleCommunicatorTest, smokeTest) 98 | { 99 | 100 | AsioClient ac(ioService_); 101 | 102 | for (size_t i = 0; i < 0x100; i++) 103 | { 104 | string s = genRandomString(i + 1); 105 | string sAndX = ac.remoteExecute(s); 106 | ASSERT_EQ(s + "x", sAndX); 107 | } 108 | 109 | } 110 | -------------------------------------------------------------------------------- /Test/Test.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {39807440-F9D5-4378-A917-7424562A5286} 23 | Win32Proj 24 | Test 25 | Test 26 | 27 | 28 | 29 | Application 30 | true 31 | MultiByte 32 | 33 | 34 | Application 35 | true 36 | MultiByte 37 | 38 | 39 | Application 40 | false 41 | true 42 | MultiByte 43 | 44 | 45 | Application 46 | false 47 | true 48 | MultiByte 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | true 68 | $(VCInstallDir)lib;$(VCInstallDir)atlmfc\lib;$(WindowsSdkDir)lib;$(FrameworkSDKDir)\lib 69 | 70 | 71 | true 72 | $(VCInstallDir)lib\amd64;$(VCInstallDir)atlmfc\lib\amd64;$(WindowsSdkDir)lib\x64;$(FrameworkSDKDir)\lib 73 | 74 | 75 | false 76 | $(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSdkDir)include;$(FrameworkSDKDir)\include; 77 | $(VCInstallDir)lib;$(VCInstallDir)atlmfc\lib;$(WindowsSdkDir)lib;$(FrameworkSDKDir)\lib 78 | 79 | 80 | false 81 | $(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSdkDir)include;$(FrameworkSDKDir)\include; 82 | $(VCInstallDir)lib\amd64;$(VCInstallDir)atlmfc\lib\amd64;$(WindowsSdkDir)lib\x64;$(FrameworkSDKDir)\lib 83 | 84 | 85 | 86 | 87 | 88 | Level3 89 | Disabled 90 | __NT__;__IDP__;WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 91 | MultiThreadedDebug 92 | 
../../DllInjector/DllInjector_lib;$(BOOSTDIR)/include;../ProReversingLib;$(GTESTDIR)/include;%(AdditionalIncludeDirectories) 93 | 94 | 95 | Console 96 | true 97 | DllInjector.lib;ProReversing.lib;gtestd.lib;gtest_maind.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 98 | 99 | 100 | ../../DllInjector/Debug;$(BOOSTDIR)/lib;$(OutDir);$(GTESTDIR)/msvc/x86/gtest/Debug 101 | 102 | 103 | rem $(TargetDir)$(TargetFileName) 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | Level3 115 | Disabled 116 | __NT__;__IDP__;WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 117 | MultiThreadedDebug 118 | ../../DllInjector/DllInjector_lib;$(BOOSTDIR)/include;../ProReversingLib;$(GTESTDIR)/include;%(AdditionalIncludeDirectories) 119 | 120 | 121 | Console 122 | true 123 | DllInjector.lib;ProReversing.lib;gtestd.lib;gtest_maind.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 124 | 125 | 126 | ../../DllInjector/Debug;$(BOOSTDIR)/lib64;$(OutDir);$(GTESTDIR)/msvc/x64/gtest/Debug 127 | 128 | 129 | rem $(TargetDir)$(TargetFileName) 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | Level3 139 | 140 | 141 | MaxSpeed 142 | true 143 | true 144 | __NT__;__IDP__;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 145 | MultiThreaded 146 | ../../DllInjector/DllInjector_lib;$(BOOSTDIR)/include;../ProReversingLib;$(GTESTDIR)/include;%(AdditionalIncludeDirectories) 147 | 148 | 149 | Console 150 | true 151 | true 152 | true 153 | DllInjector.lib;ProReversing.lib;gtest.lib;gtest_main.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 154 | ../../DllInjector/Release;$(BOOSTDIR)/lib;$(OutDir);$(GTESTDIR)/msvc/x86/gtest/Release 155 | 
156 | 157 | rem $(TargetDir)$(TargetFileName) 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | Level3 167 | 168 | 169 | MaxSpeed 170 | true 171 | true 172 | __NT__;__IDP__;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 173 | MultiThreaded 174 | ../../DllInjector/DllInjector_lib;$(BOOSTDIR)/include;../ProReversingLib;$(GTESTDIR)/include;%(AdditionalIncludeDirectories) 175 | 176 | 177 | Console 178 | true 179 | true 180 | true 181 | ProReversing.lib;gtest.lib;gtest_main.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 182 | $(BOOSTDIR)/lib64;$(OutDir);$(GTESTDIR)/msvc/x64/gtest/Release 183 | 184 | 185 | rem $(TargetDir)$(TargetFileName) 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | -------------------------------------------------------------------------------- /Test/Test.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /Test/test.cpp: -------------------------------------------------------------------------------- 1 | /* ============================================================================ 2 | * Copyright (c) 2012, Sebastian Eschweiler analyst[at]gmail.com> 3 | * All rights reserved. 
4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are met: 7 | * * Redistributions of source code must retain the above copyright 8 | * notice, this list of conditions and the following disclaimer. 9 | * * Redistributions in binary form must reproduce the above copyright 10 | * notice, this list of conditions and the following disclaimer in the 11 | * documentation and/or other materials provided with the distribution. 12 | * * Neither the name of the nor the 13 | * names of its contributors may be used to endorse or promote products 14 | * derived from this software without specific prior written permission. 15 | * 16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY 20 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
26 | * ============================================================================= 27 | */ 28 | 29 | #include "ProReversingTest.h" 30 | //#include "SimpleCommunicatorTest.h" -------------------------------------------------------------------------------- /x64/Release/ProReverse.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/killvxk/ProReversing/791f924360272097d4366078549660d5b8622a10/x64/Release/ProReverse.dll --------------------------------------------------------------------------------