├── .gitattributes ├── .gitignore ├── XAntiDebug ├── CMemPtr.h ├── XAntiDebug.cpp ├── XAntiDebug.h ├── crc32.cpp ├── crc32.h ├── internal.h ├── ldasm.cpp ├── ldasm.h ├── wow64ext.cpp └── wow64ext.h ├── example.cpp ├── example.sln ├── example.v12.suo ├── example.vcxproj ├── example.vcxproj.filters ├── readme.md ├── stdafx.cpp ├── stdafx.h └── targetver.h /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | -------------------------------------------------------------------------------- /XAntiDebug/CMemPtr.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * WOW64Ext Library 4 | * 5 | * Copyright (c) 2014 ReWolf 6 | * http://blog.rewolf.pl/ 7 | * 8 | * This program is free software: you can redistribute it and/or modify 9 | * it under the terms of the GNU Lesser General Public License as published 10 | * by the Free Software Foundation, either version 3 of the License, or 11 | * (at your option) any later version. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU Lesser General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU Lesser General Public License 19 | * along with this program. If not, see . 20 | * 21 | */ 22 | #pragma once 23 | 24 | class CMemPtr 25 | { 26 | private: 27 | void** m_ptr; 28 | bool watchActive; 29 | 30 | public: 31 | CMemPtr(void** ptr) : m_ptr(ptr), watchActive(true) {} 32 | 33 | ~CMemPtr() 34 | { 35 | if (*m_ptr && watchActive) 36 | { 37 | free(*m_ptr); 38 | *m_ptr = 0; 39 | } 40 | } 41 | 42 | void disableWatch() { watchActive = false; } 43 | }; 44 | 45 | #define WATCH(ptr) \ 46 | CMemPtr watch_##ptr((void**)&ptr) 47 | 48 | #define DISABLE_WATCH(ptr) \ 49 | watch_##ptr.disableWatch() 50 | -------------------------------------------------------------------------------- /XAntiDebug/XAntiDebug.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/strivexjun/XAntiDebug/98dec38a69ca095c745400ad196c858721261959/XAntiDebug/XAntiDebug.cpp -------------------------------------------------------------------------------- /XAntiDebug/XAntiDebug.h: -------------------------------------------------------------------------------- 1 | //Author:Xjun 2 | 3 | #ifndef _XANTIDEBUG_H 4 | #define _XANTIDEBUG_H 5 | 6 | 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include "ldasm.h" 16 | #include "crc32.h" 17 | 18 | // 19 | // if it is a 64 bit program, this file does not need to include 20 | // 21 | #ifndef _WIN64 22 | #include "wow64ext.h" 23 | #endif 24 | 25 | #pragma comment(lib,"Shlwapi.lib") 26 | #pragma comment(lib,"ImageHlp.lib") 27 | #pragma comment(lib,"wintrust.lib") 28 | 29 | // 30 | // flags 31 | // 32 | #define FLAG_CHECKSUM_NTOSKRNL (0x0001) 33 | #define FLAG_CHECKSUM_CODESECTION (0x0002) 34 | #define FLAG_DETECT_DEBUGGER (0x0004) 35 | #define FLAG_DETECT_HARDWAREBREAKPOINT (0x0008) 36 | #define FLAG_FULLON (FLAG_CHECKSUM_NTOSKRNL | FLAG_CHECKSUM_CODESECTION | \ 37 | FLAG_DETECT_DEBUGGER | FLAG_DETECT_HARDWAREBREAKPOINT) 38 | // 39 | // error status 40 | // 41 | typedef enum _XAD_STATUS 42 | { 43 | XAD_OK, 44 | XAD_ERROR_OPENNTOS, 45 | XAD_ERROR_MODULEHANDLE, 46 | XAD_ERROR_OPENNTDLL, 47 | XAD_ERROR_NTAPI, 48 | XAD_ERROR_ALLOCMEM, 49 | XAD_ERROR_FILEOFFSET 50 | }XAD_STATUS; 51 | 52 | // 53 | // the system directly calls the function definition -> NtQueryInfomationProcess 54 | // 55 | typedef DWORD64(WINAPI* fn_SysCall64)( 56 | DWORD64 processHandle, 57 | DWORD64 processClass, 58 | PDWORD64 processInfo, 59 | DWORD64 length, 60 | PDWORD64 returnLength); 61 | 62 | typedef DWORD(WINAPI* fn_SysCall32)( 63 | DWORD processHandle, 64 | DWORD processClass, 65 | PDWORD processInfo, 66 | DWORD length, 67 | PDWORD returnLength); 68 | 69 | // 70 | // code section checksum struct 71 | // 72 | typedef struct _CODE_CRC32 73 | { 74 | PVOID m_va; 75 | DWORD m_size; 76 | DWORD m_crc32; 77 | }CODE_CRC32; 78 | 79 | // 80 | // implement class 81 | // 82 | class XAntiDebug 83 | { 84 | 85 | public: 86 | XAntiDebug(HMODULE moduleHandle, DWORD flags); 87 | ~XAntiDebug(); 88 | 89 | // 90 | // XAntiDebug initialize 91 | // 92 | XAD_STATUS XAD_Initialize(); 93 | 94 | // 95 | // execute detect 96 | // 97 | BOOL XAD_ExecuteDetect(); 98 | 99 | // 100 | //VEH need it 101 | // 102 | BOOL _isSetHWBP; 103 | BOOL _isLoadStrongOD; 104 | 105 | private: 106 | 107 | HMODULE _moduleHandle; 108 | DWORD _flags; 109 | 110 | BOOL _initialized; 111 | DWORD _major; 112 | DWORD _minor; 113 | BOOL _isArch64; 114 | BOOL _isWow64; 115 | BOOL _isWow64FsReDriectory; 116 | 117 | DWORD _pageSize; 118 | PVOID _pagePtr; 119 | DWORD _pageCrc32; 120 | 121 | CHAR _ntosPath[MAX_PATH]; 122 | std::vector _codeCrc32; 123 | 124 | DWORD64 _MyQueryInfomationProcess; 125 | DWORD _eax; 126 | fn_SysCall32 _pfnSyscall32; 127 | fn_SysCall64 _pfnSyscall64; 128 | }; 129 | 130 | #endif -------------------------------------------------------------------------------- /XAntiDebug/crc32.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "crc32.h" 3 | 4 | #define CRC32C(c,d) (c=(c>>8)^crc_c[(c^(d))&0xFF]) 5 | 6 | static const unsigned int crc_c[256] = { 7 | 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 8 | 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 9 | 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 10 | 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 11 | 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 12 | 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 13 | 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 14 | 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 15 | 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 16 | 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 17 | 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 18 | 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 19 | 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 20 | 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 21 | 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 22 | 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 23 | 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 24 | 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 25 | 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 26 | 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 27 | 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 28 | 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 29 | 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 30 | 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 31 | 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 32 | 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 33 | 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 34 | 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 35 | 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 36 | 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 37 | 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 38 | 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 39 | 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 40 | 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 41 | 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 42 | 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 43 | 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 44 | 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 45 | 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 46 | 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 47 | 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 48 | 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 49 | 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 50 | 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 51 | 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 52 | 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 53 | 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 54 | 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 55 | 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 56 | 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 57 | 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 58 | 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 59 | 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 60 | 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 61 | 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 62 | 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 63 | 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 64 | 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 65 | 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 66 | 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 67 | 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 68 | 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 69 | 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 70 | 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d, 71 | }; 72 | 73 | 74 | unsigned int crc32(const void *buffer, unsigned int len) { 75 | unsigned int i; 76 | unsigned int crc32 = ~0L; 77 | 78 | for (i = 0; i < len; i++){ 79 | CRC32C(crc32, ((const unsigned char *)buffer)[i]); 80 | } 81 | return ~crc32; 82 | } 83 | 84 | BOOL CRC32File(LPCTSTR lpszFileName, unsigned char digest[16]) 85 | { 86 | BOOL bRet=FALSE; 87 | 88 | HANDLE hFile = CreateFile(lpszFileName, GENERIC_READ , 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 89 | if (hFile != INVALID_HANDLE_VALUE) 90 | { 91 | DWORD dwFileSizeHigh; 92 | DWORD dwFileSizeLow = GetFileSize(hFile, &dwFileSizeHigh); 93 | 94 | HANDLE hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, dwFileSizeHigh, dwFileSizeLow, NULL); 95 | if (hFileMap) 96 | { 97 | LPBYTE lpbMapAddress = (LPBYTE)MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0); 98 | 99 | if (lpbMapAddress) 100 | { 101 | bRet=crc32(lpbMapAddress, dwFileSizeLow); 102 | 103 | UnmapViewOfFile(lpbMapAddress); 104 | } 105 | CloseHandle(hFileMap); 106 | } 107 | 108 | CloseHandle(hFile); 109 | } 110 | 111 | return bRet; 112 | } 113 | -------------------------------------------------------------------------------- /XAntiDebug/crc32.h: -------------------------------------------------------------------------------- 1 | #if !defined(__crc32cr_table_h__) 2 | #define __crc32cr_table_h__ 3 | 4 | #if _MSC_VER > 1000 5 | #pragma once 6 | #endif // _MSC_VER > 1000 7 | 8 | 9 | unsigned int crc32(const void *buffer, unsigned int len); 10 | 11 | BOOL CRC32File(LPCTSTR lpszFileName, unsigned char digest[16]); 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /XAntiDebug/internal.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * WOW64Ext Library 4 | * 5 | * Copyright (c) 2014 ReWolf 6 | * http://blog.rewolf.pl/ 7 | * 8 | * This program is free software: you can redistribute it and/or modify 9 | * it under the terms of the GNU Lesser General Public License as published 10 | * by the Free Software Foundation, either version 3 of the License, or 11 | * (at your option) any later version. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU Lesser General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU Lesser General Public License 19 | * along with this program. If not, see . 20 | * 21 | */ 22 | #pragma once 23 | 24 | #define EMIT(a) __asm __emit (a) 25 | 26 | #define X64_Start_with_CS(_cs) \ 27 | { \ 28 | EMIT(0x6A) EMIT(_cs) /* push _cs */ \ 29 | EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0) /* call $+5 */ \ 30 | EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(5) /* add dword [esp], 5 */ \ 31 | EMIT(0xCB) /* retf */ \ 32 | } 33 | 34 | #define X64_End_with_CS(_cs) \ 35 | { \ 36 | EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0) /* call $+5 */ \ 37 | EMIT(0xC7) EMIT(0x44) EMIT(0x24) EMIT(4) EMIT(_cs) EMIT(0) EMIT(0) EMIT(0) /* mov dword [rsp + 4], _cs */ \ 38 | EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(0xD) /* add dword [rsp], 0xD */ \ 39 | EMIT(0xCB) /* retf */ \ 40 | } 41 | 42 | #define X64_Start() X64_Start_with_CS(0x33) 43 | #define X64_End() X64_End_with_CS(0x23) 44 | 45 | #define _RAX 0 46 | #define _RCX 1 47 | #define _RDX 2 48 | #define _RBX 3 49 | #define _RSP 4 50 | #define _RBP 5 51 | #define _RSI 6 52 | #define _RDI 7 53 | #define _R8 8 54 | #define _R9 9 55 | #define _R10 10 56 | #define _R11 11 57 | #define _R12 12 58 | #define _R13 13 59 | #define _R14 14 60 | #define _R15 15 61 | 62 | #define X64_Push(r) EMIT(0x48 | ((r) >> 3)) EMIT(0x50 | ((r) & 7)) 63 | #define X64_Pop(r) EMIT(0x48 | ((r) >> 3)) EMIT(0x58 | ((r) & 7)) 64 | 65 | #define REX_W EMIT(0x48) __asm 66 | 67 | //to fool M$ inline asm compiler I'm using 2 DWORDs instead of DWORD64 68 | //use of DWORD64 will generate wrong 'pop word ptr[]' and it will break stack 69 | union reg64 70 | { 71 | DWORD64 v; 72 | DWORD dw[2]; 73 | }; 74 | -------------------------------------------------------------------------------- /XAntiDebug/ldasm.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2009-2010 4 | * vol4ok GPG key ID - 0x7A1C8BB4A0F34B67 5 | * 6 | 7 | This program is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU General Public License as published by 9 | the Free Software Foundation, either version 3 of the License, or 10 | (at your option) any later version. 11 | 12 | This program is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU General Public License for more details. 16 | 17 | You should have received a copy of the GNU General Public License 18 | along with this program. If not, see . 19 | 20 | */ 21 | 22 | 23 | #include "ldasm.h" 24 | 25 | /* 26 | Instruction format: 27 | 28 | | prefix | REX | opcode | modR/M | SIB | disp8/16/32 | imm8/16/32/64 | 29 | 30 | */ 31 | 32 | #define OP_NONE 0x00 33 | #define OP_INVALID 0x80 34 | 35 | #define OP_DATA_I8 0x01 36 | #define OP_DATA_I16 0x02 37 | #define OP_DATA_I16_I32 0x04 38 | #define OP_DATA_I16_I32_I64 0x08 39 | #define OP_EXTENDED 0x10 40 | #define OP_RELATIVE 0x20 41 | #define OP_MODRM 0x40 42 | #define OP_PREFIX 0x80 43 | 44 | 45 | static unsigned char flags_table[256] = 46 | { 47 | /* 00 */ OP_MODRM, 48 | /* 01 */ OP_MODRM, 49 | /* 02 */ OP_MODRM, 50 | /* 03 */ OP_MODRM, 51 | /* 04 */ OP_DATA_I8, 52 | /* 05 */ OP_DATA_I16_I32, 53 | /* 06 */ OP_NONE, 54 | /* 07 */ OP_NONE, 55 | /* 08 */ OP_MODRM, 56 | /* 09 */ OP_MODRM, 57 | /* 0A */ OP_MODRM, 58 | /* 0B */ OP_MODRM, 59 | /* 0C */ OP_DATA_I8, 60 | /* 0D */ OP_DATA_I16_I32, 61 | /* 0E */ OP_NONE, 62 | /* 0F */ OP_NONE, 63 | 64 | /* 10 */ OP_MODRM, 65 | /* 11 */ OP_MODRM, 66 | /* 12 */ OP_MODRM, 67 | /* 13 */ OP_MODRM, 68 | /* 14 */ OP_DATA_I8, 69 | /* 15 */ OP_DATA_I16_I32, 70 | /* 16 */ OP_NONE, 71 | /* 17 */ OP_NONE, 72 | /* 18 */ OP_MODRM, 73 | /* 19 */ OP_MODRM, 74 | /* 1A */ OP_MODRM, 75 | /* 1B */ OP_MODRM, 76 | /* 1C */ OP_DATA_I8, 77 | /* 1D */ OP_DATA_I16_I32, 78 | /* 1E */ OP_NONE, 79 | /* 1F */ OP_NONE, 80 | 81 | /* 20 */ OP_MODRM, 82 | /* 21 */ OP_MODRM, 83 | /* 22 */ OP_MODRM, 84 | /* 23 */ OP_MODRM, 85 | /* 24 */ OP_DATA_I8, 86 | /* 25 */ OP_DATA_I16_I32, 87 | /* 26 */ OP_PREFIX, 88 | /* 27 */ OP_NONE, 89 | /* 28 */ OP_MODRM, 90 | /* 29 */ OP_MODRM, 91 | /* 2A */ OP_MODRM, 92 | /* 2B */ OP_MODRM, 93 | /* 2C */ OP_DATA_I8, 94 | /* 2D */ OP_DATA_I16_I32, 95 | /* 2E */ OP_PREFIX, 96 | /* 2F */ OP_NONE, 97 | 98 | /* 30 */ OP_MODRM, 99 | /* 31 */ OP_MODRM, 100 | /* 32 */ OP_MODRM, 101 | /* 33 */ OP_MODRM, 102 | /* 34 */ OP_DATA_I8, 103 | /* 35 */ OP_DATA_I16_I32, 104 | /* 36 */ OP_PREFIX, 105 | /* 37 */ OP_NONE, 106 | /* 38 */ OP_MODRM, 107 | /* 39 */ OP_MODRM, 108 | /* 3A */ OP_MODRM, 109 | /* 3B */ OP_MODRM, 110 | /* 3C */ OP_DATA_I8, 111 | /* 3D */ OP_DATA_I16_I32, 112 | /* 3E */ OP_PREFIX, 113 | /* 3F */ OP_NONE, 114 | 115 | /* 40 */ OP_NONE, 116 | /* 41 */ OP_NONE, 117 | /* 42 */ OP_NONE, 118 | /* 43 */ OP_NONE, 119 | /* 44 */ OP_NONE, 120 | /* 45 */ OP_NONE, 121 | /* 46 */ OP_NONE, 122 | /* 47 */ OP_NONE, 123 | /* 48 */ OP_NONE, 124 | /* 49 */ OP_NONE, 125 | /* 4A */ OP_NONE, 126 | /* 4B */ OP_NONE, 127 | /* 4C */ OP_NONE, 128 | /* 4D */ OP_NONE, 129 | /* 4E */ OP_NONE, 130 | /* 4F */ OP_NONE, 131 | 132 | /* 50 */ OP_NONE, 133 | /* 51 */ OP_NONE, 134 | /* 52 */ OP_NONE, 135 | /* 53 */ OP_NONE, 136 | /* 54 */ OP_NONE, 137 | /* 55 */ OP_NONE, 138 | /* 56 */ OP_NONE, 139 | /* 57 */ OP_NONE, 140 | /* 58 */ OP_NONE, 141 | /* 59 */ OP_NONE, 142 | /* 5A */ OP_NONE, 143 | /* 5B */ OP_NONE, 144 | /* 5C */ OP_NONE, 145 | /* 5D */ OP_NONE, 146 | /* 5E */ OP_NONE, 147 | /* 5F */ OP_NONE, 148 | /* 60 */ OP_NONE, 149 | 150 | /* 61 */ OP_NONE, 151 | /* 62 */ OP_MODRM, 152 | /* 63 */ OP_MODRM, 153 | /* 64 */ OP_PREFIX, 154 | /* 65 */ OP_PREFIX, 155 | /* 66 */ OP_PREFIX, 156 | /* 67 */ OP_PREFIX, 157 | /* 68 */ OP_DATA_I16_I32, 158 | /* 69 */ OP_MODRM | OP_DATA_I16_I32, 159 | /* 6A */ OP_DATA_I8, 160 | /* 6B */ OP_MODRM | OP_DATA_I8, 161 | /* 6C */ OP_NONE, 162 | /* 6D */ OP_NONE, 163 | /* 6E */ OP_NONE, 164 | /* 6F */ OP_NONE, 165 | 166 | /* 70 */ OP_RELATIVE | OP_DATA_I8, 167 | /* 71 */ OP_RELATIVE | OP_DATA_I8, 168 | /* 72 */ OP_RELATIVE | OP_DATA_I8, 169 | /* 73 */ OP_RELATIVE | OP_DATA_I8, 170 | /* 74 */ OP_RELATIVE | OP_DATA_I8, 171 | /* 75 */ OP_RELATIVE | OP_DATA_I8, 172 | /* 76 */ OP_RELATIVE | OP_DATA_I8, 173 | /* 77 */ OP_RELATIVE | OP_DATA_I8, 174 | /* 78 */ OP_RELATIVE | OP_DATA_I8, 175 | /* 79 */ OP_RELATIVE | OP_DATA_I8, 176 | /* 7A */ OP_RELATIVE | OP_DATA_I8, 177 | /* 7B */ OP_RELATIVE | OP_DATA_I8, 178 | /* 7C */ OP_RELATIVE | OP_DATA_I8, 179 | /* 7D */ OP_RELATIVE | OP_DATA_I8, 180 | /* 7E */ OP_RELATIVE | OP_DATA_I8, 181 | /* 7F */ OP_RELATIVE | OP_DATA_I8, 182 | 183 | /* 80 */ OP_MODRM | OP_DATA_I8, 184 | /* 81 */ OP_MODRM | OP_DATA_I16_I32, 185 | /* 82 */ OP_MODRM | OP_DATA_I8, 186 | /* 83 */ OP_MODRM | OP_DATA_I8, 187 | /* 84 */ OP_MODRM, 188 | /* 85 */ OP_MODRM, 189 | /* 86 */ OP_MODRM, 190 | /* 87 */ OP_MODRM, 191 | /* 88 */ OP_MODRM, 192 | /* 89 */ OP_MODRM, 193 | /* 8A */ OP_MODRM, 194 | /* 8B */ OP_MODRM, 195 | /* 8C */ OP_MODRM, 196 | /* 8D */ OP_MODRM, 197 | /* 8E */ OP_MODRM, 198 | /* 8F */ OP_MODRM, 199 | 200 | /* 90 */ OP_NONE, 201 | /* 91 */ OP_NONE, 202 | /* 92 */ OP_NONE, 203 | /* 93 */ OP_NONE, 204 | /* 94 */ OP_NONE, 205 | /* 95 */ OP_NONE, 206 | /* 96 */ OP_NONE, 207 | /* 97 */ OP_NONE, 208 | /* 98 */ OP_NONE, 209 | /* 99 */ OP_NONE, 210 | /* 9A */ OP_DATA_I16 | OP_DATA_I16_I32, 211 | /* 9B */ OP_NONE, 212 | /* 9C */ OP_NONE, 213 | /* 9D */ OP_NONE, 214 | /* 9E */ OP_NONE, 215 | /* 9F */ OP_NONE, 216 | 217 | /* A0 */ OP_DATA_I8, 218 | /* A1 */ OP_DATA_I16_I32_I64, 219 | /* A2 */ OP_DATA_I8, 220 | /* A3 */ OP_DATA_I16_I32_I64, 221 | /* A4 */ OP_NONE, 222 | /* A5 */ OP_NONE, 223 | /* A6 */ OP_NONE, 224 | /* A7 */ OP_NONE, 225 | /* A8 */ OP_DATA_I8, 226 | /* A9 */ OP_DATA_I16_I32, 227 | /* AA */ OP_NONE, 228 | /* AB */ OP_NONE, 229 | /* AC */ OP_NONE, 230 | /* AD */ OP_NONE, 231 | /* AE */ OP_NONE, 232 | /* AF */ OP_NONE, 233 | 234 | /* B0 */ OP_DATA_I8, 235 | /* B1 */ OP_DATA_I8, 236 | /* B2 */ OP_DATA_I8, 237 | /* B3 */ OP_DATA_I8, 238 | /* B4 */ OP_DATA_I8, 239 | /* B5 */ OP_DATA_I8, 240 | /* B6 */ OP_DATA_I8, 241 | /* B7 */ OP_DATA_I8, 242 | /* B8 */ OP_DATA_I16_I32_I64, 243 | /* B9 */ OP_DATA_I16_I32_I64, 244 | /* BA */ OP_DATA_I16_I32_I64, 245 | /* BB */ OP_DATA_I16_I32_I64, 246 | /* BC */ OP_DATA_I16_I32_I64, 247 | /* BD */ OP_DATA_I16_I32_I64, 248 | /* BE */ OP_DATA_I16_I32_I64, 249 | /* BF */ OP_DATA_I16_I32_I64, 250 | 251 | /* C0 */ OP_MODRM | OP_DATA_I8, 252 | /* C1 */ OP_MODRM | OP_DATA_I8, 253 | /* C2 */ OP_DATA_I16, 254 | /* C3 */ OP_NONE, 255 | /* C4 */ OP_MODRM, 256 | /* C5 */ OP_MODRM, 257 | /* C6 */ OP_MODRM | OP_DATA_I8, 258 | /* C7 */ OP_MODRM | OP_DATA_I16_I32, 259 | /* C8 */ OP_DATA_I8 | OP_DATA_I16, 260 | /* C9 */ OP_NONE, 261 | /* CA */ OP_DATA_I16, 262 | /* CB */ OP_NONE, 263 | /* CC */ OP_NONE, 264 | /* CD */ OP_DATA_I8, 265 | /* CE */ OP_NONE, 266 | /* CF */ OP_NONE, 267 | 268 | /* D0 */ OP_MODRM, 269 | /* D1 */ OP_MODRM, 270 | /* D2 */ OP_MODRM, 271 | /* D3 */ OP_MODRM, 272 | /* D4 */ OP_DATA_I8, 273 | /* D5 */ OP_DATA_I8, 274 | /* D6 */ OP_NONE, 275 | /* D7 */ OP_NONE, 276 | /* D8 */ OP_MODRM, 277 | /* D9 */ OP_MODRM, 278 | /* DA */ OP_MODRM, 279 | /* DB */ OP_MODRM, 280 | /* DC */ OP_MODRM, 281 | /* DD */ OP_MODRM, 282 | /* DE */ OP_MODRM, 283 | /* DF */ OP_MODRM, 284 | 285 | /* E0 */ OP_RELATIVE | OP_DATA_I8, 286 | /* E1 */ OP_RELATIVE | OP_DATA_I8, 287 | /* E2 */ OP_RELATIVE | OP_DATA_I8, 288 | /* E3 */ OP_RELATIVE | OP_DATA_I8, 289 | /* E4 */ OP_DATA_I8, 290 | /* E5 */ OP_DATA_I8, 291 | /* E6 */ OP_DATA_I8, 292 | /* E7 */ OP_DATA_I8, 293 | /* E8 */ OP_RELATIVE | OP_DATA_I16_I32, 294 | /* E9 */ OP_RELATIVE | OP_DATA_I16_I32, 295 | /* EA */ OP_DATA_I16 | OP_DATA_I16_I32, 296 | /* EB */ OP_RELATIVE | OP_DATA_I8, 297 | /* EC */ OP_NONE, 298 | /* ED */ OP_NONE, 299 | /* EE */ OP_NONE, 300 | /* EF */ OP_NONE, 301 | 302 | /* F0 */ OP_PREFIX, 303 | /* F1 */ OP_NONE, 304 | /* F2 */ OP_PREFIX, 305 | /* F3 */ OP_PREFIX, 306 | /* F4 */ OP_NONE, 307 | /* F5 */ OP_NONE, 308 | /* F6 */ OP_MODRM, 309 | /* F7 */ OP_MODRM, 310 | /* F8 */ OP_NONE, 311 | /* F9 */ OP_NONE, 312 | /* FA */ OP_NONE, 313 | /* FB */ OP_NONE, 314 | /* FC */ OP_NONE, 315 | /* FD */ OP_NONE, 316 | /* FE */ OP_MODRM, 317 | /* FF */ OP_MODRM 318 | }; 319 | 320 | static unsigned char flags_table_ex[256] = 321 | { 322 | /* 0F00 */ OP_MODRM, 323 | /* 0F01 */ OP_MODRM, 324 | /* 0F02 */ OP_MODRM, 325 | /* 0F03 */ OP_MODRM, 326 | /* 0F04 */ OP_INVALID, 327 | /* 0F05 */ OP_NONE, 328 | /* 0F06 */ OP_NONE, 329 | /* 0F07 */ OP_NONE, 330 | /* 0F08 */ OP_NONE, 331 | /* 0F09 */ OP_NONE, 332 | /* 0F0A */ OP_INVALID, 333 | /* 0F0B */ OP_NONE, 334 | /* 0F0C */ OP_INVALID, 335 | /* 0F0D */ OP_MODRM, 336 | /* 0F0E */ OP_INVALID, 337 | /* 0F0F */ OP_MODRM | OP_DATA_I8, //3Dnow 338 | 339 | /* 0F10 */ OP_MODRM, 340 | /* 0F11 */ OP_MODRM, 341 | /* 0F12 */ OP_MODRM, 342 | /* 0F13 */ OP_MODRM, 343 | /* 0F14 */ OP_MODRM, 344 | /* 0F15 */ OP_MODRM, 345 | /* 0F16 */ OP_MODRM, 346 | /* 0F17 */ OP_MODRM, 347 | /* 0F18 */ OP_MODRM, 348 | /* 0F19 */ OP_INVALID, 349 | /* 0F1A */ OP_INVALID, 350 | /* 0F1B */ OP_INVALID, 351 | /* 0F1C */ OP_INVALID, 352 | /* 0F1D */ OP_INVALID, 353 | /* 0F1E */ OP_INVALID, 354 | /* 0F1F */ OP_NONE, 355 | 356 | /* 0F20 */ OP_MODRM, 357 | /* 0F21 */ OP_MODRM, 358 | /* 0F22 */ OP_MODRM, 359 | /* 0F23 */ OP_MODRM, 360 | /* 0F24 */ OP_MODRM | OP_EXTENDED, //SSE5 361 | /* 0F25 */ OP_INVALID, 362 | /* 0F26 */ OP_MODRM, 363 | /* 0F27 */ OP_INVALID, 364 | /* 0F28 */ OP_MODRM, 365 | /* 0F29 */ OP_MODRM, 366 | /* 0F2A */ OP_MODRM, 367 | /* 0F2B */ OP_MODRM, 368 | /* 0F2C */ OP_MODRM, 369 | /* 0F2D */ OP_MODRM, 370 | /* 0F2E */ OP_MODRM, 371 | /* 0F2F */ OP_MODRM, 372 | 373 | /* 0F30 */ OP_NONE, 374 | /* 0F31 */ OP_NONE, 375 | /* 0F32 */ OP_NONE, 376 | /* 0F33 */ OP_NONE, 377 | /* 0F34 */ OP_NONE, 378 | /* 0F35 */ OP_NONE, 379 | /* 0F36 */ OP_INVALID, 380 | /* 0F37 */ OP_NONE, 381 | /* 0F38 */ OP_MODRM | OP_EXTENDED, 382 | /* 0F39 */ OP_INVALID, 383 | /* 0F3A */ OP_MODRM | OP_EXTENDED | OP_DATA_I8, 384 | /* 0F3B */ OP_INVALID, 385 | /* 0F3C */ OP_INVALID, 386 | /* 0F3D */ OP_INVALID, 387 | /* 0F3E */ OP_INVALID, 388 | /* 0F3F */ OP_INVALID, 389 | 390 | /* 0F40 */ OP_MODRM, 391 | /* 0F41 */ OP_MODRM, 392 | /* 0F42 */ OP_MODRM, 393 | /* 0F43 */ OP_MODRM, 394 | /* 0F44 */ OP_MODRM, 395 | /* 0F45 */ OP_MODRM, 396 | /* 0F46 */ OP_MODRM, 397 | /* 0F47 */ OP_MODRM, 398 | /* 0F48 */ OP_MODRM, 399 | /* 0F49 */ OP_MODRM, 400 | /* 0F4A */ OP_MODRM, 401 | /* 0F4B */ OP_MODRM, 402 | /* 0F4C */ OP_MODRM, 403 | /* 0F4D */ OP_MODRM, 404 | /* 0F4E */ OP_MODRM, 405 | /* 0F4F */ OP_MODRM, 406 | 407 | /* 0F50 */ OP_MODRM, 408 | /* 0F51 */ OP_MODRM, 409 | /* 0F52 */ OP_MODRM, 410 | /* 0F53 */ OP_MODRM, 411 | /* 0F54 */ OP_MODRM, 412 | /* 0F55 */ OP_MODRM, 413 | /* 0F56 */ OP_MODRM, 414 | /* 0F57 */ OP_MODRM, 415 | /* 0F58 */ OP_MODRM, 416 | /* 0F59 */ OP_MODRM, 417 | /* 0F5A */ OP_MODRM, 418 | /* 0F5B */ OP_MODRM, 419 | /* 0F5C */ OP_MODRM, 420 | /* 0F5D */ OP_MODRM, 421 | /* 0F5E */ OP_MODRM, 422 | /* 0F5F */ OP_MODRM, 423 | 424 | /* 0F60 */ OP_MODRM, 425 | /* 0F61 */ OP_MODRM, 426 | /* 0F62 */ OP_MODRM, 427 | /* 0F63 */ OP_MODRM, 428 | /* 0F64 */ OP_MODRM, 429 | /* 0F65 */ OP_MODRM, 430 | /* 0F66 */ OP_MODRM, 431 | /* 0F67 */ OP_MODRM, 432 | /* 0F68 */ OP_MODRM, 433 | /* 0F69 */ OP_MODRM, 434 | /* 0F6A */ OP_MODRM, 435 | /* 0F6B */ OP_MODRM, 436 | /* 0F6C */ OP_MODRM, 437 | /* 0F6D */ OP_MODRM, 438 | /* 0F6E */ OP_MODRM, 439 | /* 0F6F */ OP_MODRM, 440 | 441 | /* 0F70 */ OP_MODRM | OP_DATA_I8, 442 | /* 0F71 */ OP_MODRM | OP_DATA_I8, 443 | /* 0F72 */ OP_MODRM | OP_DATA_I8, 444 | /* 0F73 */ OP_MODRM | OP_DATA_I8, 445 | /* 0F74 */ OP_MODRM, 446 | /* 0F75 */ OP_MODRM, 447 | /* 0F76 */ OP_MODRM, 448 | /* 0F77 */ OP_NONE, 449 | /* 0F78 */ OP_MODRM, 450 | /* 0F79 */ OP_MODRM, 451 | /* 0F7A */ OP_INVALID, 452 | /* 0F7B */ OP_INVALID, 453 | /* 0F7C */ OP_MODRM, 454 | /* 0F7D */ OP_MODRM, 455 | /* 0F7E */ OP_MODRM, 456 | /* 0F7F */ OP_MODRM, 457 | 458 | /* 0F80 */ OP_RELATIVE | OP_DATA_I16_I32, 459 | /* 0F81 */ OP_RELATIVE | OP_DATA_I16_I32, 460 | /* 0F82 */ OP_RELATIVE | OP_DATA_I16_I32, 461 | /* 0F83 */ OP_RELATIVE | OP_DATA_I16_I32, 462 | /* 0F84 */ OP_RELATIVE | OP_DATA_I16_I32, 463 | /* 0F85 */ OP_RELATIVE | OP_DATA_I16_I32, 464 | /* 0F86 */ OP_RELATIVE | OP_DATA_I16_I32, 465 | /* 0F87 */ OP_RELATIVE | OP_DATA_I16_I32, 466 | /* 0F88 */ OP_RELATIVE | OP_DATA_I16_I32, 467 | /* 0F89 */ OP_RELATIVE | OP_DATA_I16_I32, 468 | /* 0F8A */ OP_RELATIVE | OP_DATA_I16_I32, 469 | /* 0F8B */ OP_RELATIVE | OP_DATA_I16_I32, 470 | /* 0F8C */ OP_RELATIVE | OP_DATA_I16_I32, 471 | /* 0F8D */ OP_RELATIVE | OP_DATA_I16_I32, 472 | /* 0F8E */ OP_RELATIVE | OP_DATA_I16_I32, 473 | /* 0F8F */ OP_RELATIVE | OP_DATA_I16_I32, 474 | 475 | /* 0F90 */ OP_MODRM, 476 | /* 0F91 */ OP_MODRM, 477 | /* 0F92 */ OP_MODRM, 478 | /* 0F93 */ OP_MODRM, 479 | /* 0F94 */ OP_MODRM, 480 | /* 0F95 */ OP_MODRM, 481 | /* 0F96 */ OP_MODRM, 482 | /* 0F97 */ OP_MODRM, 483 | /* 0F98 */ OP_MODRM, 484 | /* 0F99 */ OP_MODRM, 485 | /* 0F9A */ OP_MODRM, 486 | /* 0F9B */ OP_MODRM, 487 | /* 0F9C */ OP_MODRM, 488 | /* 0F9D */ OP_MODRM, 489 | /* 0F9E */ OP_MODRM, 490 | /* 0F9F */ OP_MODRM, 491 | 492 | /* 0FA0 */ OP_NONE, 493 | /* 0FA1 */ OP_NONE, 494 | /* 0FA2 */ OP_NONE, 495 | /* 0FA3 */ OP_MODRM, 496 | /* 0FA4 */ OP_MODRM | OP_DATA_I8, 497 | /* 0FA5 */ OP_MODRM, 498 | /* 0FA6 */ OP_INVALID, 499 | /* 0FA7 */ OP_INVALID, 500 | /* 0FA8 */ OP_NONE, 501 | /* 0FA9 */ OP_NONE, 502 | /* 0FAA */ OP_NONE, 503 | /* 0FAB */ OP_MODRM, 504 | /* 0FAC */ OP_MODRM | OP_DATA_I8, 505 | /* 0FAD */ OP_MODRM, 506 | /* 0FAE */ OP_MODRM, 507 | /* 0FAF */ OP_MODRM, 508 | 509 | /* 0FB0 */ OP_MODRM, 510 | /* 0FB1 */ OP_MODRM, 511 | /* 0FB2 */ OP_MODRM, 512 | /* 0FB3 */ OP_MODRM, 513 | /* 0FB4 */ OP_MODRM, 514 | /* 0FB5 */ OP_MODRM, 515 | /* 0FB6 */ OP_MODRM, 516 | /* 0FB7 */ OP_MODRM, 517 | /* 0FB8 */ OP_MODRM, 518 | /* 0FB9 */ OP_MODRM, 519 | /* 0FBA */ OP_MODRM | OP_DATA_I8, 520 | /* 0FBB */ OP_MODRM, 521 | /* 0FBC */ OP_MODRM, 522 | /* 0FBD */ OP_MODRM, 523 | /* 0FBE */ OP_MODRM, 524 | /* 0FBF */ OP_MODRM, 525 | 526 | /* 0FC0 */ OP_MODRM, 527 | /* 0FC1 */ OP_MODRM, 528 | /* 0FC2 */ OP_MODRM | OP_DATA_I8, 529 | /* 0FC3 */ OP_MODRM, 530 | /* 0FC4 */ OP_MODRM | OP_DATA_I8, 531 | /* 0FC5 */ OP_MODRM | OP_DATA_I8, 532 | /* 0FC6 */ OP_MODRM | OP_DATA_I8, 533 | /* 0FC7 */ OP_MODRM, 534 | /* 0FC8 */ OP_NONE, 535 | /* 0FC9 */ OP_NONE, 536 | /* 0FCA */ OP_NONE, 537 | /* 0FCB */ OP_NONE, 538 | /* 0FCC */ OP_NONE, 539 | /* 0FCD */ OP_NONE, 540 | /* 0FCE */ OP_NONE, 541 | /* 0FCF */ OP_NONE, 542 | 543 | /* 0FD0 */ OP_MODRM, 544 | /* 0FD1 */ OP_MODRM, 545 | /* 0FD2 */ OP_MODRM, 546 | /* 0FD3 */ OP_MODRM, 547 | /* 0FD4 */ OP_MODRM, 548 | /* 0FD5 */ OP_MODRM, 549 | /* 0FD6 */ OP_MODRM, 550 | /* 0FD7 */ OP_MODRM, 551 | /* 0FD8 */ OP_MODRM, 552 | /* 0FD9 */ OP_MODRM, 553 | /* 0FDA */ OP_MODRM, 554 | /* 0FDB */ OP_MODRM, 555 | /* 0FDC */ OP_MODRM, 556 | /* 0FDD */ OP_MODRM, 557 | /* 0FDE */ OP_MODRM, 558 | /* 0FDF */ OP_MODRM, 559 | 560 | /* 0FE0 */ OP_MODRM, 561 | /* 0FE1 */ OP_MODRM, 562 | /* 0FE2 */ OP_MODRM, 563 | /* 0FE3 */ OP_MODRM, 564 | /* 0FE4 */ OP_MODRM, 565 | /* 0FE5 */ OP_MODRM, 566 | /* 0FE6 */ OP_MODRM, 567 | /* 0FE7 */ OP_MODRM, 568 | /* 0FE8 */ OP_MODRM, 569 | /* 0FE9 */ OP_MODRM, 570 | /* 0FEA */ OP_MODRM, 571 | /* 0FEB */ OP_MODRM, 572 | /* 0FEC */ OP_MODRM, 573 | /* 0FED */ OP_MODRM, 574 | /* 0FEE */ OP_MODRM, 575 | /* 0FEF */ OP_MODRM, 576 | 577 | /* 0FF0 */ OP_MODRM, 578 | /* 0FF1 */ OP_MODRM, 579 | /* 0FF2 */ OP_MODRM, 580 | /* 0FF3 */ OP_MODRM, 581 | /* 0FF4 */ OP_MODRM, 582 | /* 0FF5 */ OP_MODRM, 583 | /* 0FF6 */ OP_MODRM, 584 | /* 0FF7 */ OP_MODRM, 585 | /* 0FF8 */ OP_MODRM, 586 | /* 0FF9 */ OP_MODRM, 587 | /* 0FFA */ OP_MODRM, 588 | /* 0FFB */ OP_MODRM, 589 | /* 0FFC */ OP_MODRM, 590 | /* 0FFD */ OP_MODRM, 591 | /* 0FFE */ OP_MODRM, 592 | /* 0FFF */ OP_INVALID, 593 | }; 594 | 595 | unsigned char cflags(uint8_t op) 596 | { 597 | return flags_table[op]; 598 | } 599 | 600 | 601 | unsigned char cflags_ex(uint8_t op) 602 | { 603 | return flags_table_ex[op]; 604 | } 605 | 606 | unsigned int ldasm(void *code, ldasm_data *ld, uint32_t is64) 607 | /* 608 | Description: 609 | Disassemble one instruction 610 | 611 | Arguments: 612 | code - pointer to the code for disassemble 613 | ld - pointer to structure ldasm_data 614 | is64 - set this flag for 64-bit code, and clear for 32-bit 615 | 616 | Return: 617 | length of instruction 618 | */ 619 | { 620 | uint8_t *p = (uint8_t*)code; 621 | uint8_t s,op,f; 622 | uint8_t rexw,pr_66,pr_67; 623 | 624 | s = rexw = pr_66 = pr_67 = 0; 625 | 626 | /* dummy check */ 627 | if (!code || !ld) 628 | return 0; 629 | 630 | /* init output data */ 631 | memset(ld,0,sizeof(ldasm_data)); 632 | 633 | /* phase 1: parse prefixies */ 634 | while (cflags(*p) & OP_PREFIX) { 635 | if (*p == 0x66) 636 | pr_66 = 1; 637 | if (*p == 0x67) 638 | pr_67 = 1; 639 | p++; s++; 640 | ld->flags |= F_PREFIX; 641 | if (s == 15) { 642 | ld->flags |= F_INVALID; 643 | return s; 644 | } 645 | } 646 | 647 | /* parse REX prefix */ 648 | if (is64 && *p >> 4 == 4) { 649 | ld->rex = *p; 650 | rexw = (ld->rex >> 3) & 1; 651 | ld->flags |= F_REX; 652 | p++; s++; 653 | } 654 | 655 | /* can be only one REX prefix */ 656 | if (is64 && *p >> 4 == 4) { 657 | ld->flags |= F_INVALID; 658 | s++; 659 | return s; 660 | } 661 | 662 | /* phase 2: parse opcode */ 663 | ld->opcd_offset = (uint8_t)(p - (uint8_t*)code); 664 | ld->opcd_size = 1; 665 | op = *p++; s++; 666 | 667 | /* is 2 byte opcede? */ 668 | if (op == 0x0F) { 669 | op = *p++; s++; 670 | ld->opcd_size++; 671 | f = cflags_ex(op); 672 | if (f & OP_INVALID){ 673 | ld->flags |= F_INVALID; 674 | return s; 675 | } 676 | /* for SSE instructions */ 677 | if (f & OP_EXTENDED) { 678 | op = *p++; s++; 679 | ld->opcd_size++; 680 | } 681 | } else { 682 | f = cflags(op); 683 | /* pr_66 = pr_67 for opcodes A0-A3 */ 684 | if (op >= 0xA0 && op <= 0xA3) 685 | pr_66 = pr_67; 686 | } 687 | 688 | /* phase 3: parse ModR/M, SIB and DISP */ 689 | if (f & OP_MODRM) { 690 | uint8_t mod = (*p >> 6); 691 | uint8_t ro = (*p & 0x38) >> 3; 692 | uint8_t rm = (*p & 7); 693 | 694 | ld->modrm = *p++; s++; 695 | ld->flags |= F_MODRM; 696 | 697 | /* in F6,F7 opcodes immediate data present if R/O == 0 */ 698 | if (op == 0xF6 && (ro == 0 || ro == 1)) 699 | f |= OP_DATA_I8; 700 | if (op == 0xF7 && (ro == 0 || ro == 1)) 701 | f |= OP_DATA_I16_I32_I64; 702 | 703 | /* is SIB byte exist? */ 704 | if (mod != 3 && rm == 4 && !(!is64 && pr_67)) { 705 | ld->sib = *p++; s++; 706 | ld->flags |= F_SIB; 707 | 708 | /* if base == 5 and mod == 0 */ 709 | if ((ld->sib & 7) == 5 && mod == 0) { 710 | ld->disp_size = 4; 711 | } 712 | } 713 | 714 | switch (mod) { 715 | case 0: 716 | if (is64) { 717 | if (rm == 5) { 718 | ld->disp_size = 4; 719 | if (is64) 720 | ld->flags |= F_RELATIVE; 721 | } 722 | } else if (pr_67) { 723 | if (rm == 6) 724 | ld->disp_size = 2; 725 | } else { 726 | if (rm == 5) 727 | ld->disp_size = 4; 728 | } 729 | break; 730 | case 1: 731 | ld->disp_size = 1; 732 | break; 733 | case 2: 734 | if (is64) 735 | ld->disp_size = 4; 736 | else if (pr_67) 737 | ld->disp_size = 2; 738 | else 739 | ld->disp_size = 4; 740 | break; 741 | } 742 | 743 | if (ld->disp_size) { 744 | ld->disp_offset = (uint8_t)(p - (uint8_t *)code); 745 | p += ld->disp_size; 746 | s += ld->disp_size; 747 | ld->flags |= F_DISP; 748 | } 749 | } 750 | 751 | /* phase 4: parse immediate data */ 752 | if (rexw && f & OP_DATA_I16_I32_I64) 753 | ld->imm_size = 8; 754 | else if (f & OP_DATA_I16_I32 || f & OP_DATA_I16_I32_I64) 755 | ld->imm_size = 4 - (pr_66 << 1); 756 | 757 | /* if exist, add OP_DATA_I16 and OP_DATA_I8 size */ 758 | ld->imm_size += f & 3; 759 | 760 | if (ld->imm_size) { 761 | s += ld->imm_size; 762 | ld->imm_offset = (uint8_t)(p - (uint8_t *)code); 763 | ld->flags |= F_IMM; 764 | if (f & OP_RELATIVE) 765 | ld->flags |= F_RELATIVE; 766 | } 767 | 768 | /* instruction is too long */ 769 | if (s > 15) 770 | ld->flags |= F_INVALID; 771 | 772 | return s; 773 | } -------------------------------------------------------------------------------- /XAntiDebug/ldasm.h: -------------------------------------------------------------------------------- 1 | #ifndef _LDASM_ 2 | #define _LDASM_ 3 | 4 | #include 5 | #include 6 | 7 | #define F_INVALID 0x01 8 | #define F_PREFIX 0x02 9 | #define F_REX 0x04 10 | #define F_MODRM 0x08 11 | #define F_SIB 0x10 12 | #define F_DISP 0x20 13 | #define F_IMM 0x40 14 | #define F_RELATIVE 0x80 15 | 16 | 17 | typedef struct _ldasm_data{ 18 | uint8_t flags; 19 | uint8_t rex; 20 | uint8_t modrm; 21 | uint8_t sib; 22 | uint8_t opcd_offset; 23 | uint8_t opcd_size; 24 | uint8_t disp_offset; 25 | uint8_t disp_size; 26 | uint8_t imm_offset; 27 | uint8_t imm_size; 28 | } ldasm_data; 29 | 30 | unsigned int ldasm(void *code, ldasm_data *ld, uint32_t is64); 31 | 32 | #endif /* _LDASM_ */ 33 | -------------------------------------------------------------------------------- /XAntiDebug/wow64ext.cpp: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * WOW64Ext Library 4 | * 5 | * Copyright (c) 2014 ReWolf 6 | * http://blog.rewolf.pl/ 7 | * 8 | * This program is free software: you can redistribute it and/or modify 9 | * it under the terms of the GNU Lesser General Public License as published 10 | * by the Free Software Foundation, either version 3 of the License, or 11 | * (at your option) any later version. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU Lesser General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU Lesser General Public License 19 | * along with this program. If not, see . 20 | * 21 | */ 22 | 23 | #include 24 | #include 25 | #include "internal.h" 26 | #include "wow64ext.h" 27 | #include "CMemPtr.h" 28 | 29 | HANDLE g_heap; 30 | BOOL g_isWow64; 31 | 32 | // void* malloc(size_t size) 33 | // { 34 | // return HeapAlloc(g_heap, 0, size); 35 | // } 36 | // 37 | // void free(void* ptr) 38 | // { 39 | // if (nullptr != ptr) 40 | // HeapFree(g_heap, 0, ptr); 41 | // } 42 | 43 | // int _wcsicmp(const wchar_t *string1, const wchar_t *string2) 44 | // { 45 | // wchar_t c1; 46 | // wchar_t c2; 47 | // int i = 0; 48 | // do 49 | // { 50 | // c1 = string1[i]; 51 | // if (c1 >= 'A' && c1 <= 'Z') 52 | // c1 += 0x20; 53 | // 54 | // c2 = string2[i]; 55 | // if (c2 >= 'A' && c2 <= 'Z') 56 | // c2 += 0x20; 57 | // 58 | // i++; 59 | // } while (c1 && c1 == c2); 60 | // return c1 - c2; 61 | // } 62 | 63 | BOOL InitWow64Ext() 64 | { 65 | 66 | IsWow64Process(GetCurrentProcess(), &g_isWow64); 67 | g_heap = GetProcessHeap(); 68 | 69 | return TRUE; 70 | } 71 | 72 | #pragma warning(push) 73 | #pragma warning(disable : 4409) 74 | DWORD64 __cdecl X64Call(DWORD64 func, int argC, ...) 75 | { 76 | if (!g_isWow64) 77 | return 0; 78 | 79 | va_list args; 80 | va_start(args, argC); 81 | reg64 _rcx = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 }; 82 | reg64 _rdx = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 }; 83 | reg64 _r8 = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 }; 84 | reg64 _r9 = { (argC > 0) ? argC--, va_arg(args, DWORD64) : 0 }; 85 | reg64 _rax = { 0 }; 86 | 87 | reg64 restArgs = { (DWORD64)&va_arg(args, DWORD64) }; 88 | 89 | // conversion to QWORD for easier use in inline assembly 90 | reg64 _argC = { (DWORD64)argC }; 91 | DWORD back_esp = 0; 92 | WORD back_fs = 0; 93 | 94 | __asm 95 | { 96 | ;// reset FS segment, to properly handle RFG 97 | mov back_fs, fs 98 | mov eax, 0x2B 99 | mov fs, ax 100 | 101 | ;// keep original esp in back_esp variable 102 | mov back_esp, esp 103 | 104 | ;// align esp to 0x10, without aligned stack some syscalls may return errors ! 105 | ;// (actually, for syscalls it is sufficient to align to 8, but SSE opcodes 106 | ;// requires 0x10 alignment), it will be further adjusted according to the 107 | ;// number of arguments above 4 108 | and esp, 0xFFFFFFF0 109 | 110 | X64_Start(); 111 | 112 | ;// below code is compiled as x86 inline asm, but it is executed as x64 code 113 | ;// that's why it need sometimes REX_W() macro, right column contains detailed 114 | ;// transcription how it will be interpreted by CPU 115 | 116 | ;// fill first four arguments 117 | REX_W mov ecx, _rcx.dw[0] ;// mov rcx, qword ptr [_rcx] 118 | REX_W mov edx, _rdx.dw[0] ;// mov rdx, qword ptr [_rdx] 119 | push _r8.v ;// push qword ptr [_r8] 120 | X64_Pop(_R8); ;// pop r8 121 | push _r9.v ;// push qword ptr [_r9] 122 | X64_Pop(_R9); ;// pop r9 123 | ;// 124 | REX_W mov eax, _argC.dw[0] ;// mov rax, qword ptr [_argC] 125 | ;// 126 | ;// final stack adjustment, according to the ;// 127 | ;// number of arguments above 4 ;// 128 | test al, 1 ;// test al, 1 129 | jnz _no_adjust ;// jnz _no_adjust 130 | sub esp, 8 ;// sub rsp, 8 131 | _no_adjust: ;// 132 | ;// 133 | push edi ;// push rdi 134 | REX_W mov edi, restArgs.dw[0] ;// mov rdi, qword ptr [restArgs] 135 | ;// 136 | ;// put rest of arguments on the stack ;// 137 | REX_W test eax, eax ;// test rax, rax 138 | jz _ls_e ;// je _ls_e 139 | REX_W lea edi, dword ptr [edi + 8*eax - 8] ;// lea rdi, [rdi + rax*8 - 8] 140 | ;// 141 | _ls: ;// 142 | REX_W test eax, eax ;// test rax, rax 143 | jz _ls_e ;// je _ls_e 144 | push dword ptr [edi] ;// push qword ptr [rdi] 145 | REX_W sub edi, 8 ;// sub rdi, 8 146 | REX_W sub eax, 1 ;// sub rax, 1 147 | jmp _ls ;// jmp _ls 148 | _ls_e: ;// 149 | ;// 150 | ;// create stack space for spilling registers ;// 151 | REX_W sub esp, 0x20 ;// sub rsp, 20h 152 | ;// 153 | call func ;// call qword ptr [func] 154 | ;// 155 | ;// cleanup stack ;// 156 | REX_W mov ecx, _argC.dw[0] ;// mov rcx, qword ptr [_argC] 157 | REX_W lea esp, dword ptr [esp + 8*ecx + 0x20] ;// lea rsp, [rsp + rcx*8 + 20h] 158 | ;// 159 | pop edi ;// pop rdi 160 | ;// 161 | // set return value ;// 162 | REX_W mov _rax.dw[0], eax ;// mov qword ptr [_rax], rax 163 | 164 | X64_End(); 165 | 166 | mov ax, ds 167 | mov ss, ax 168 | mov esp, back_esp 169 | 170 | ;// restore FS segment 171 | mov ax, back_fs 172 | mov fs, ax 173 | } 174 | return _rax.v; 175 | } 176 | #pragma warning(pop) 177 | 178 | void getMem64(void* dstMem, DWORD64 srcMem, size_t sz) 179 | { 180 | if ((nullptr == dstMem) || (0 == srcMem) || (0 == sz)) 181 | return; 182 | 183 | reg64 _src = { srcMem }; 184 | 185 | __asm 186 | { 187 | X64_Start(); 188 | 189 | ;// below code is compiled as x86 inline asm, but it is executed as x64 code 190 | ;// that's why it need sometimes REX_W() macro, right column contains detailed 191 | ;// transcription how it will be interpreted by CPU 192 | 193 | push edi ;// push rdi 194 | push esi ;// push rsi 195 | ;// 196 | mov edi, dstMem ;// mov edi, dword ptr [dstMem] ; high part of RDI is zeroed 197 | REX_W mov esi, _src.dw[0] ;// mov rsi, qword ptr [_src] 198 | mov ecx, sz ;// mov ecx, dword ptr [sz] ; high part of RCX is zeroed 199 | ;// 200 | mov eax, ecx ;// mov eax, ecx 201 | and eax, 3 ;// and eax, 3 202 | shr ecx, 2 ;// shr ecx, 2 203 | ;// 204 | rep movsd ;// rep movs dword ptr [rdi], dword ptr [rsi] 205 | ;// 206 | test eax, eax ;// test eax, eax 207 | je _move_0 ;// je _move_0 208 | cmp eax, 1 ;// cmp eax, 1 209 | je _move_1 ;// je _move_1 210 | ;// 211 | movsw ;// movs word ptr [rdi], word ptr [rsi] 212 | cmp eax, 2 ;// cmp eax, 2 213 | je _move_0 ;// je _move_0 214 | ;// 215 | _move_1: ;// 216 | movsb ;// movs byte ptr [rdi], byte ptr [rsi] 217 | ;// 218 | _move_0: ;// 219 | pop esi ;// pop rsi 220 | pop edi ;// pop rdi 221 | 222 | X64_End(); 223 | } 224 | } 225 | 226 | bool cmpMem64(void* dstMem, DWORD64 srcMem, size_t sz) 227 | { 228 | if ((nullptr == dstMem) || (0 == srcMem) || (0 == sz)) 229 | return false; 230 | 231 | bool result = false; 232 | reg64 _src = { srcMem }; 233 | __asm 234 | { 235 | X64_Start(); 236 | 237 | ;// below code is compiled as x86 inline asm, but it is executed as x64 code 238 | ;// that's why it need sometimes REX_W() macro, right column contains detailed 239 | ;// transcription how it will be interpreted by CPU 240 | 241 | push edi ;// push rdi 242 | push esi ;// push rsi 243 | ;// 244 | mov edi, dstMem ;// mov edi, dword ptr [dstMem] ; high part of RDI is zeroed 245 | REX_W mov esi, _src.dw[0] ;// mov rsi, qword ptr [_src] 246 | mov ecx, sz ;// mov ecx, dword ptr [sz] ; high part of RCX is zeroed 247 | ;// 248 | mov eax, ecx ;// mov eax, ecx 249 | and eax, 3 ;// and eax, 3 250 | shr ecx, 2 ;// shr ecx, 2 251 | ;// 252 | repe cmpsd ;// repe cmps dword ptr [rsi], dword ptr [rdi] 253 | jnz _ret_false ;// jnz _ret_false 254 | ;// 255 | test eax, eax ;// test eax, eax 256 | je _move_0 ;// je _move_0 257 | cmp eax, 1 ;// cmp eax, 1 258 | je _move_1 ;// je _move_1 259 | ;// 260 | cmpsw ;// cmps word ptr [rsi], word ptr [rdi] 261 | jnz _ret_false ;// jnz _ret_false 262 | cmp eax, 2 ;// cmp eax, 2 263 | je _move_0 ;// je _move_0 264 | ;// 265 | _move_1: ;// 266 | cmpsb ;// cmps byte ptr [rsi], byte ptr [rdi] 267 | jnz _ret_false ;// jnz _ret_false 268 | ;// 269 | _move_0: ;// 270 | mov result, 1 ;// mov byte ptr [result], 1 271 | ;// 272 | _ret_false: ;// 273 | pop esi ;// pop rsi 274 | pop edi ;// pop rdi 275 | 276 | X64_End(); 277 | } 278 | 279 | return result; 280 | } 281 | 282 | DWORD64 getTEB64() 283 | { 284 | reg64 reg; 285 | reg.v = 0; 286 | 287 | X64_Start(); 288 | // R12 register should always contain pointer to TEB64 in WoW64 processes 289 | X64_Push(_R12); 290 | // below pop will pop QWORD from stack, as we're in x64 mode now 291 | __asm pop reg.dw[0] 292 | X64_End(); 293 | 294 | return reg.v; 295 | } 296 | 297 | DWORD64 __cdecl GetModuleHandle64(wchar_t* lpModuleName) 298 | { 299 | if (!g_isWow64) 300 | return 0; 301 | 302 | TEB64 teb64; 303 | getMem64(&teb64, getTEB64(), sizeof(TEB64)); 304 | 305 | PEB64 peb64; 306 | getMem64(&peb64, teb64.ProcessEnvironmentBlock, sizeof(PEB64)); 307 | PEB_LDR_DATA64 ldr; 308 | getMem64(&ldr, peb64.Ldr, sizeof(PEB_LDR_DATA64)); 309 | 310 | DWORD64 LastEntry = peb64.Ldr + offsetof(PEB_LDR_DATA64, InLoadOrderModuleList); 311 | LDR_DATA_TABLE_ENTRY64 head; 312 | head.InLoadOrderLinks.Flink = ldr.InLoadOrderModuleList.Flink; 313 | do 314 | { 315 | getMem64(&head, head.InLoadOrderLinks.Flink, sizeof(LDR_DATA_TABLE_ENTRY64)); 316 | 317 | wchar_t* tempBuf = (wchar_t*)malloc(head.BaseDllName.MaximumLength); 318 | if (nullptr == tempBuf) 319 | return 0; 320 | WATCH(tempBuf); 321 | getMem64(tempBuf, head.BaseDllName.Buffer, head.BaseDllName.MaximumLength); 322 | 323 | if (0 == _wcsicmp(lpModuleName, tempBuf)) 324 | return head.DllBase; 325 | } 326 | while (head.InLoadOrderLinks.Flink != LastEntry); 327 | 328 | return 0; 329 | } 330 | 331 | DWORD64 getNTDLL64() 332 | { 333 | static DWORD64 ntdll64 = 0; 334 | if (0 != ntdll64) 335 | return ntdll64; 336 | 337 | ntdll64 = GetModuleHandle64(L"ntdll.dll"); 338 | return ntdll64; 339 | } 340 | 341 | DWORD64 getLdrGetProcedureAddress() 342 | { 343 | DWORD64 modBase = getNTDLL64(); 344 | if (0 == modBase) 345 | return 0; 346 | 347 | IMAGE_DOS_HEADER idh; 348 | getMem64(&idh, modBase, sizeof(idh)); 349 | 350 | IMAGE_NT_HEADERS64 inh; 351 | getMem64(&inh, modBase + idh.e_lfanew, sizeof(IMAGE_NT_HEADERS64)); 352 | 353 | IMAGE_DATA_DIRECTORY& idd = inh.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; 354 | 355 | if (0 == idd.VirtualAddress) 356 | return 0; 357 | 358 | IMAGE_EXPORT_DIRECTORY ied; 359 | getMem64(&ied, modBase + idd.VirtualAddress, sizeof(ied)); 360 | 361 | DWORD* rvaTable = (DWORD*)malloc(sizeof(DWORD)*ied.NumberOfFunctions); 362 | if (nullptr == rvaTable) 363 | return 0; 364 | WATCH(rvaTable); 365 | getMem64(rvaTable, modBase + ied.AddressOfFunctions, sizeof(DWORD)*ied.NumberOfFunctions); 366 | 367 | WORD* ordTable = (WORD*)malloc(sizeof(WORD)*ied.NumberOfFunctions); 368 | if (nullptr == ordTable) 369 | return 0; 370 | WATCH(ordTable); 371 | getMem64(ordTable, modBase + ied.AddressOfNameOrdinals, sizeof(WORD)*ied.NumberOfFunctions); 372 | 373 | DWORD* nameTable = (DWORD*)malloc(sizeof(DWORD)*ied.NumberOfNames); 374 | if (nullptr == nameTable) 375 | return 0; 376 | WATCH(nameTable); 377 | getMem64(nameTable, modBase + ied.AddressOfNames, sizeof(DWORD)*ied.NumberOfNames); 378 | 379 | // lazy search, there is no need to use binsearch for just one function 380 | for (DWORD i = 0; i < ied.NumberOfFunctions; i++) 381 | { 382 | if (!cmpMem64("LdrGetProcedureAddress", modBase + nameTable[i], sizeof("LdrGetProcedureAddress"))) 383 | continue; 384 | else 385 | return modBase + rvaTable[ordTable[i]]; 386 | } 387 | return 0; 388 | } 389 | 390 | VOID __cdecl SetLastErrorFromX64Call(DWORD64 status) 391 | { 392 | typedef ULONG (WINAPI *RtlNtStatusToDosError_t)(NTSTATUS Status); 393 | typedef ULONG (WINAPI *RtlSetLastWin32Error_t)(NTSTATUS Status); 394 | 395 | static RtlNtStatusToDosError_t RtlNtStatusToDosError = nullptr; 396 | static RtlSetLastWin32Error_t RtlSetLastWin32Error = nullptr; 397 | 398 | if ((nullptr == RtlNtStatusToDosError) || (nullptr == RtlSetLastWin32Error)) 399 | { 400 | HMODULE ntdll = GetModuleHandleW(L"ntdll.dll"); 401 | RtlNtStatusToDosError = (RtlNtStatusToDosError_t)GetProcAddress(ntdll, "RtlNtStatusToDosError"); 402 | RtlSetLastWin32Error = (RtlSetLastWin32Error_t)GetProcAddress(ntdll, "RtlSetLastWin32Error"); 403 | } 404 | 405 | if ((nullptr != RtlNtStatusToDosError) && (nullptr != RtlSetLastWin32Error)) 406 | { 407 | RtlSetLastWin32Error(RtlNtStatusToDosError((DWORD)status)); 408 | } 409 | } 410 | 411 | DWORD64 __cdecl GetProcAddress64(DWORD64 hModule, char* funcName) 412 | { 413 | static DWORD64 _LdrGetProcedureAddress = 0; 414 | if (0 == _LdrGetProcedureAddress) 415 | { 416 | _LdrGetProcedureAddress = getLdrGetProcedureAddress(); 417 | if (0 == _LdrGetProcedureAddress) 418 | return 0; 419 | } 420 | 421 | _UNICODE_STRING_T fName = { 0 }; 422 | fName.Buffer = (DWORD64)funcName; 423 | fName.Length = (WORD)strlen(funcName); 424 | fName.MaximumLength = fName.Length + 1; 425 | DWORD64 funcRet = 0; 426 | X64Call(_LdrGetProcedureAddress, 4, (DWORD64)hModule, (DWORD64)&fName, (DWORD64)0, (DWORD64)&funcRet); 427 | return funcRet; 428 | } 429 | 430 | SIZE_T __cdecl VirtualQueryEx64(HANDLE hProcess, DWORD64 lpAddress, MEMORY_BASIC_INFORMATION64* lpBuffer, SIZE_T dwLength) 431 | { 432 | static DWORD64 ntqvm = 0; 433 | if (0 == ntqvm) 434 | { 435 | ntqvm = GetProcAddress64(getNTDLL64(), "NtQueryVirtualMemory"); 436 | if (0 == ntqvm) 437 | return 0; 438 | } 439 | DWORD64 ret = 0; 440 | DWORD64 status = X64Call(ntqvm, 6, (DWORD64)hProcess, lpAddress, (DWORD64)0, (DWORD64)lpBuffer, (DWORD64)dwLength, (DWORD64)&ret); 441 | if (STATUS_SUCCESS != status) 442 | SetLastErrorFromX64Call(status); 443 | return (SIZE_T)ret; 444 | } 445 | 446 | DWORD64 __cdecl VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) 447 | { 448 | static DWORD64 ntavm = 0; 449 | if (0 == ntavm) 450 | { 451 | ntavm = GetProcAddress64(getNTDLL64(), "NtAllocateVirtualMemory"); 452 | if (0 == ntavm) 453 | return 0; 454 | } 455 | 456 | DWORD64 tmpAddr = lpAddress; 457 | DWORD64 tmpSize = dwSize; 458 | DWORD64 ret = X64Call(ntavm, 6, (DWORD64)hProcess, (DWORD64)&tmpAddr, (DWORD64)0, (DWORD64)&tmpSize, (DWORD64)flAllocationType, (DWORD64)flProtect); 459 | if (STATUS_SUCCESS != ret) 460 | { 461 | SetLastErrorFromX64Call(ret); 462 | return FALSE; 463 | } 464 | else 465 | return tmpAddr; 466 | } 467 | 468 | BOOL __cdecl VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD dwFreeType) 469 | { 470 | static DWORD64 ntfvm = 0; 471 | if (0 == ntfvm) 472 | { 473 | ntfvm = GetProcAddress64(getNTDLL64(), "NtFreeVirtualMemory"); 474 | if (0 == ntfvm) 475 | return 0; 476 | } 477 | 478 | DWORD64 tmpAddr = lpAddress; 479 | DWORD64 tmpSize = dwSize; 480 | DWORD64 ret = X64Call(ntfvm, 4, (DWORD64)hProcess, (DWORD64)&tmpAddr, (DWORD64)&tmpSize, (DWORD64)dwFreeType); 481 | if (STATUS_SUCCESS != ret) 482 | { 483 | SetLastErrorFromX64Call(ret); 484 | return FALSE; 485 | } 486 | else 487 | return TRUE; 488 | } 489 | 490 | BOOL __cdecl VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD* lpflOldProtect) 491 | { 492 | static DWORD64 ntpvm = 0; 493 | if (0 == ntpvm) 494 | { 495 | ntpvm = GetProcAddress64(getNTDLL64(), "NtProtectVirtualMemory"); 496 | if (0 == ntpvm) 497 | return 0; 498 | } 499 | 500 | DWORD64 tmpAddr = lpAddress; 501 | DWORD64 tmpSize = dwSize; 502 | DWORD64 ret = X64Call(ntpvm, 5, (DWORD64)hProcess, (DWORD64)&tmpAddr, (DWORD64)&tmpSize, (DWORD64)flNewProtect, (DWORD64)lpflOldProtect); 503 | if (STATUS_SUCCESS != ret) 504 | { 505 | SetLastErrorFromX64Call(ret); 506 | return FALSE; 507 | } 508 | else 509 | return TRUE; 510 | } 511 | 512 | BOOL __cdecl ReadProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead) 513 | { 514 | static DWORD64 nrvm = 0; 515 | if (0 == nrvm) 516 | { 517 | nrvm = GetProcAddress64(getNTDLL64(), "NtReadVirtualMemory"); 518 | if (0 == nrvm) 519 | return 0; 520 | } 521 | DWORD64 numOfBytes = lpNumberOfBytesRead ? *lpNumberOfBytesRead : 0; 522 | DWORD64 ret = X64Call(nrvm, 5, (DWORD64)hProcess, lpBaseAddress, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&numOfBytes); 523 | if (STATUS_SUCCESS != ret) 524 | { 525 | SetLastErrorFromX64Call(ret); 526 | return FALSE; 527 | } 528 | else 529 | { 530 | if (lpNumberOfBytesRead) 531 | *lpNumberOfBytesRead = (SIZE_T)numOfBytes; 532 | return TRUE; 533 | } 534 | } 535 | 536 | BOOL __cdecl WriteProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten) 537 | { 538 | static DWORD64 nrvm = 0; 539 | if (0 == nrvm) 540 | { 541 | nrvm = GetProcAddress64(getNTDLL64(), "NtWriteVirtualMemory"); 542 | if (0 == nrvm) 543 | return 0; 544 | } 545 | DWORD64 numOfBytes = lpNumberOfBytesWritten ? *lpNumberOfBytesWritten : 0; 546 | DWORD64 ret = X64Call(nrvm, 5, (DWORD64)hProcess, lpBaseAddress, (DWORD64)lpBuffer, (DWORD64)nSize, (DWORD64)&numOfBytes); 547 | if (STATUS_SUCCESS != ret) 548 | { 549 | SetLastErrorFromX64Call(ret); 550 | return FALSE; 551 | } 552 | else 553 | { 554 | if (lpNumberOfBytesWritten) 555 | *lpNumberOfBytesWritten = (SIZE_T)numOfBytes; 556 | return TRUE; 557 | } 558 | } 559 | 560 | BOOL __cdecl GetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext) 561 | { 562 | static DWORD64 gtc = 0; 563 | if (0 == gtc) 564 | { 565 | gtc = GetProcAddress64(getNTDLL64(), "NtGetContextThread"); 566 | if (0 == gtc) 567 | return 0; 568 | } 569 | DWORD64 ret = X64Call(gtc, 2, (DWORD64)hThread, (DWORD64)lpContext); 570 | if(STATUS_SUCCESS != ret) 571 | { 572 | SetLastErrorFromX64Call(ret); 573 | return FALSE; 574 | } 575 | else 576 | return TRUE; 577 | } 578 | 579 | BOOL __cdecl SetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext) 580 | { 581 | static DWORD64 stc = 0; 582 | if (0 == stc) 583 | { 584 | stc = GetProcAddress64(getNTDLL64(), "NtSetContextThread"); 585 | if (0 == stc) 586 | return 0; 587 | } 588 | DWORD64 ret = X64Call(stc, 2, (DWORD64)hThread, (DWORD64)lpContext); 589 | if (STATUS_SUCCESS != ret) 590 | { 591 | SetLastErrorFromX64Call(ret); 592 | return FALSE; 593 | } 594 | else 595 | return TRUE; 596 | } 597 | -------------------------------------------------------------------------------- /XAntiDebug/wow64ext.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * WOW64Ext Library 4 | * 5 | * Copyright (c) 2014 ReWolf 6 | * http://blog.rewolf.pl/ 7 | * 8 | * This program is free software: you can redistribute it and/or modify 9 | * it under the terms of the GNU Lesser General Public License as published 10 | * by the Free Software Foundation, either version 3 of the License, or 11 | * (at your option) any later version. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU Lesser General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU Lesser General Public License 19 | * along with this program. If not, see . 20 | * 21 | */ 22 | #pragma once 23 | 24 | #include 25 | 26 | #ifndef STATUS_SUCCESS 27 | # define STATUS_SUCCESS 0 28 | #endif 29 | 30 | #pragma pack(push) 31 | #pragma pack(1) 32 | template 33 | struct _LIST_ENTRY_T 34 | { 35 | T Flink; 36 | T Blink; 37 | }; 38 | 39 | template 40 | struct _UNICODE_STRING_T 41 | { 42 | union 43 | { 44 | struct 45 | { 46 | WORD Length; 47 | WORD MaximumLength; 48 | }; 49 | T dummy; 50 | }; 51 | T Buffer; 52 | }; 53 | 54 | template 55 | struct _NT_TIB_T 56 | { 57 | T ExceptionList; 58 | T StackBase; 59 | T StackLimit; 60 | T SubSystemTib; 61 | T FiberData; 62 | T ArbitraryUserPointer; 63 | T Self; 64 | }; 65 | 66 | template 67 | struct _CLIENT_ID 68 | { 69 | T UniqueProcess; 70 | T UniqueThread; 71 | }; 72 | 73 | template 74 | struct _TEB_T_ 75 | { 76 | _NT_TIB_T NtTib; 77 | T EnvironmentPointer; 78 | _CLIENT_ID ClientId; 79 | T ActiveRpcHandle; 80 | T ThreadLocalStoragePointer; 81 | T ProcessEnvironmentBlock; 82 | DWORD LastErrorValue; 83 | DWORD CountOfOwnedCriticalSections; 84 | T CsrClientThread; 85 | T Win32ThreadInfo; 86 | DWORD User32Reserved[26]; 87 | //rest of the structure is not defined for now, as it is not needed 88 | }; 89 | 90 | template 91 | struct _LDR_DATA_TABLE_ENTRY_T 92 | { 93 | _LIST_ENTRY_T InLoadOrderLinks; 94 | _LIST_ENTRY_T InMemoryOrderLinks; 95 | _LIST_ENTRY_T InInitializationOrderLinks; 96 | T DllBase; 97 | T EntryPoint; 98 | union 99 | { 100 | DWORD SizeOfImage; 101 | T dummy01; 102 | }; 103 | _UNICODE_STRING_T FullDllName; 104 | _UNICODE_STRING_T BaseDllName; 105 | DWORD Flags; 106 | WORD LoadCount; 107 | WORD TlsIndex; 108 | union 109 | { 110 | _LIST_ENTRY_T HashLinks; 111 | struct 112 | { 113 | T SectionPointer; 114 | T CheckSum; 115 | }; 116 | }; 117 | union 118 | { 119 | T LoadedImports; 120 | DWORD TimeDateStamp; 121 | }; 122 | T EntryPointActivationContext; 123 | T PatchInformation; 124 | _LIST_ENTRY_T ForwarderLinks; 125 | _LIST_ENTRY_T ServiceTagLinks; 126 | _LIST_ENTRY_T StaticLinks; 127 | T ContextInformation; 128 | T OriginalBase; 129 | _LARGE_INTEGER LoadTime; 130 | }; 131 | 132 | template 133 | struct _PEB_LDR_DATA_T 134 | { 135 | DWORD Length; 136 | DWORD Initialized; 137 | T SsHandle; 138 | _LIST_ENTRY_T InLoadOrderModuleList; 139 | _LIST_ENTRY_T InMemoryOrderModuleList; 140 | _LIST_ENTRY_T InInitializationOrderModuleList; 141 | T EntryInProgress; 142 | DWORD ShutdownInProgress; 143 | T ShutdownThreadId; 144 | 145 | }; 146 | 147 | template 148 | struct _PEB_T 149 | { 150 | union 151 | { 152 | struct 153 | { 154 | BYTE InheritedAddressSpace; 155 | BYTE ReadImageFileExecOptions; 156 | BYTE BeingDebugged; 157 | BYTE BitField; 158 | }; 159 | T dummy01; 160 | }; 161 | T Mutant; 162 | T ImageBaseAddress; 163 | T Ldr; 164 | T ProcessParameters; 165 | T SubSystemData; 166 | T ProcessHeap; 167 | T FastPebLock; 168 | T AtlThunkSListPtr; 169 | T IFEOKey; 170 | T CrossProcessFlags; 171 | T UserSharedInfoPtr; 172 | DWORD SystemReserved; 173 | DWORD AtlThunkSListPtr32; 174 | T ApiSetMap; 175 | T TlsExpansionCounter; 176 | T TlsBitmap; 177 | DWORD TlsBitmapBits[2]; 178 | T ReadOnlySharedMemoryBase; 179 | T HotpatchInformation; 180 | T ReadOnlyStaticServerData; 181 | T AnsiCodePageData; 182 | T OemCodePageData; 183 | T UnicodeCaseTableData; 184 | DWORD NumberOfProcessors; 185 | union 186 | { 187 | DWORD NtGlobalFlag; 188 | NGF dummy02; 189 | }; 190 | LARGE_INTEGER CriticalSectionTimeout; 191 | T HeapSegmentReserve; 192 | T HeapSegmentCommit; 193 | T HeapDeCommitTotalFreeThreshold; 194 | T HeapDeCommitFreeBlockThreshold; 195 | DWORD NumberOfHeaps; 196 | DWORD MaximumNumberOfHeaps; 197 | T ProcessHeaps; 198 | T GdiSharedHandleTable; 199 | T ProcessStarterHelper; 200 | T GdiDCAttributeList; 201 | T LoaderLock; 202 | DWORD OSMajorVersion; 203 | DWORD OSMinorVersion; 204 | WORD OSBuildNumber; 205 | WORD OSCSDVersion; 206 | DWORD OSPlatformId; 207 | DWORD ImageSubsystem; 208 | DWORD ImageSubsystemMajorVersion; 209 | T ImageSubsystemMinorVersion; 210 | T ActiveProcessAffinityMask; 211 | T GdiHandleBuffer[A]; 212 | T PostProcessInitRoutine; 213 | T TlsExpansionBitmap; 214 | DWORD TlsExpansionBitmapBits[32]; 215 | T SessionId; 216 | ULARGE_INTEGER AppCompatFlags; 217 | ULARGE_INTEGER AppCompatFlagsUser; 218 | T pShimData; 219 | T AppCompatInfo; 220 | _UNICODE_STRING_T CSDVersion; 221 | T ActivationContextData; 222 | T ProcessAssemblyStorageMap; 223 | T SystemDefaultActivationContextData; 224 | T SystemAssemblyStorageMap; 225 | T MinimumStackCommit; 226 | T FlsCallback; 227 | _LIST_ENTRY_T FlsListHead; 228 | T FlsBitmap; 229 | DWORD FlsBitmapBits[4]; 230 | T FlsHighIndex; 231 | T WerRegistrationData; 232 | T WerShipAssertPtr; 233 | T pContextData; 234 | T pImageHeaderHash; 235 | T TracingFlags; 236 | }; 237 | 238 | typedef _LDR_DATA_TABLE_ENTRY_T LDR_DATA_TABLE_ENTRY32; 239 | typedef _LDR_DATA_TABLE_ENTRY_T LDR_DATA_TABLE_ENTRY64; 240 | 241 | typedef _TEB_T_ TEB32; 242 | typedef _TEB_T_ TEB64; 243 | 244 | typedef _PEB_LDR_DATA_T PEB_LDR_DATA32; 245 | typedef _PEB_LDR_DATA_T PEB_LDR_DATA64; 246 | 247 | typedef _PEB_T PEB32; 248 | typedef _PEB_T PEB64; 249 | 250 | struct _XSAVE_FORMAT64 251 | { 252 | WORD ControlWord; 253 | WORD StatusWord; 254 | BYTE TagWord; 255 | BYTE Reserved1; 256 | WORD ErrorOpcode; 257 | DWORD ErrorOffset; 258 | WORD ErrorSelector; 259 | WORD Reserved2; 260 | DWORD DataOffset; 261 | WORD DataSelector; 262 | WORD Reserved3; 263 | DWORD MxCsr; 264 | DWORD MxCsr_Mask; 265 | _M128A FloatRegisters[8]; 266 | _M128A XmmRegisters[16]; 267 | BYTE Reserved4[96]; 268 | }; 269 | 270 | struct _CONTEXT64 271 | { 272 | DWORD64 P1Home; 273 | DWORD64 P2Home; 274 | DWORD64 P3Home; 275 | DWORD64 P4Home; 276 | DWORD64 P5Home; 277 | DWORD64 P6Home; 278 | DWORD ContextFlags; 279 | DWORD MxCsr; 280 | WORD SegCs; 281 | WORD SegDs; 282 | WORD SegEs; 283 | WORD SegFs; 284 | WORD SegGs; 285 | WORD SegSs; 286 | DWORD EFlags; 287 | DWORD64 Dr0; 288 | DWORD64 Dr1; 289 | DWORD64 Dr2; 290 | DWORD64 Dr3; 291 | DWORD64 Dr6; 292 | DWORD64 Dr7; 293 | DWORD64 Rax; 294 | DWORD64 Rcx; 295 | DWORD64 Rdx; 296 | DWORD64 Rbx; 297 | DWORD64 Rsp; 298 | DWORD64 Rbp; 299 | DWORD64 Rsi; 300 | DWORD64 Rdi; 301 | DWORD64 R8; 302 | DWORD64 R9; 303 | DWORD64 R10; 304 | DWORD64 R11; 305 | DWORD64 R12; 306 | DWORD64 R13; 307 | DWORD64 R14; 308 | DWORD64 R15; 309 | DWORD64 Rip; 310 | _XSAVE_FORMAT64 FltSave; 311 | _M128A Header[2]; 312 | _M128A Legacy[8]; 313 | _M128A Xmm0; 314 | _M128A Xmm1; 315 | _M128A Xmm2; 316 | _M128A Xmm3; 317 | _M128A Xmm4; 318 | _M128A Xmm5; 319 | _M128A Xmm6; 320 | _M128A Xmm7; 321 | _M128A Xmm8; 322 | _M128A Xmm9; 323 | _M128A Xmm10; 324 | _M128A Xmm11; 325 | _M128A Xmm12; 326 | _M128A Xmm13; 327 | _M128A Xmm14; 328 | _M128A Xmm15; 329 | _M128A VectorRegister[26]; 330 | DWORD64 VectorControl; 331 | DWORD64 DebugControl; 332 | DWORD64 LastBranchToRip; 333 | DWORD64 LastBranchFromRip; 334 | DWORD64 LastExceptionToRip; 335 | DWORD64 LastExceptionFromRip; 336 | }; 337 | 338 | // Below defines for .ContextFlags field are taken from WinNT.h 339 | #ifndef CONTEXT_AMD64 340 | #define CONTEXT_AMD64 0x100000 341 | #endif 342 | 343 | #define CONTEXT64_CONTROL (CONTEXT_AMD64 | 0x1L) 344 | #define CONTEXT64_INTEGER (CONTEXT_AMD64 | 0x2L) 345 | #define CONTEXT64_SEGMENTS (CONTEXT_AMD64 | 0x4L) 346 | #define CONTEXT64_FLOATING_POINT (CONTEXT_AMD64 | 0x8L) 347 | #define CONTEXT64_DEBUG_REGISTERS (CONTEXT_AMD64 | 0x10L) 348 | #define CONTEXT64_FULL (CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT) 349 | #define CONTEXT64_ALL (CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS) 350 | #define CONTEXT64_XSTATE (CONTEXT_AMD64 | 0x20L) 351 | 352 | #pragma pack(pop) 353 | 354 | #ifdef WOW64EXT_EXPORTS 355 | # define SPEC dllexport 356 | #else 357 | # define SPEC dllimport 358 | #endif 359 | 360 | extern "C" 361 | { 362 | DWORD64 __cdecl X64Call(DWORD64 func, int argC, ...); 363 | DWORD64 __cdecl GetModuleHandle64(wchar_t* lpModuleName); 364 | DWORD64 __cdecl GetProcAddress64(DWORD64 hModule, char* funcName); 365 | SIZE_T __cdecl VirtualQueryEx64(HANDLE hProcess, DWORD64 lpAddress, MEMORY_BASIC_INFORMATION64* lpBuffer, SIZE_T dwLength); 366 | DWORD64 __cdecl VirtualAllocEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); 367 | BOOL __cdecl VirtualFreeEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD dwFreeType); 368 | BOOL __cdecl VirtualProtectEx64(HANDLE hProcess, DWORD64 lpAddress, SIZE_T dwSize, DWORD flNewProtect, DWORD* lpflOldProtect); 369 | BOOL __cdecl ReadProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead); 370 | BOOL __cdecl WriteProcessMemory64(HANDLE hProcess, DWORD64 lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten); 371 | BOOL __cdecl GetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext); 372 | BOOL __cdecl SetThreadContext64(HANDLE hThread, _CONTEXT64* lpContext); 373 | VOID __cdecl SetLastErrorFromX64Call(DWORD64 status); 374 | BOOL InitWow64Ext(); 375 | void getMem64(void* dstMem, DWORD64 srcMem, size_t sz); 376 | } 377 | -------------------------------------------------------------------------------- /example.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/strivexjun/XAntiDebug/98dec38a69ca095c745400ad196c858721261959/example.cpp -------------------------------------------------------------------------------- /example.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.40629.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "example", "example.vcxproj", "{53926413-FC4F-43FB-A54D-59BD187F4A0B}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Debug|x64 = Debug|x64 12 | Release|Win32 = Release|Win32 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Debug|Win32.ActiveCfg = Debug|Win32 17 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Debug|Win32.Build.0 = Debug|Win32 18 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Debug|x64.ActiveCfg = Debug|x64 19 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Debug|x64.Build.0 = Debug|x64 20 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Release|Win32.ActiveCfg = Release|Win32 21 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Release|Win32.Build.0 = Release|Win32 22 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Release|x64.ActiveCfg = Release|x64 23 | {53926413-FC4F-43FB-A54D-59BD187F4A0B}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | EndGlobal 29 | -------------------------------------------------------------------------------- /example.v12.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/strivexjun/XAntiDebug/98dec38a69ca095c745400ad196c858721261959/example.v12.suo -------------------------------------------------------------------------------- /example.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {53926413-FC4F-43FB-A54D-59BD187F4A0B} 23 | Win32Proj 24 | example 25 | 10.0.17763.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v141 32 | Unicode 33 | 34 | 35 | Application 36 | true 37 | v141 38 | Unicode 39 | 40 | 41 | Application 42 | false 43 | v141 44 | true 45 | Unicode 46 | 47 | 48 | Application 49 | false 50 | v141 51 | true 52 | Unicode 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | true 72 | $(SolutionDir)\Temp\$(Configuration)\ 73 | $(SolutionDir)\bin\ 74 | $(ProjectName)_x86_d 75 | 76 | 77 | true 78 | $(SolutionDir)\bin\ 79 | $(SolutionDir)\Temp\$(Platform)\$(Configuration)\ 80 | $(ProjectName)_x64_d 81 | 82 | 83 | false 84 | $(SolutionDir)\Temp\$(Configuration)\ 85 | $(SolutionDir)\bin\ 86 | $(ProjectName)_x86 87 | 88 | 89 | false 90 | $(ProjectName)_x64 91 | $(SolutionDir)\bin\ 92 | $(SolutionDir)\Temp\$(Platform)\$(Configuration)\ 93 | 94 | 95 | 96 | 97 | 98 | Level3 99 | Disabled 100 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 101 | MultiThreadedDebug 102 | 103 | 104 | Console 105 | true 106 | 107 | 108 | 109 | 110 | 111 | 112 | Level3 113 | Disabled 114 | WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 115 | MultiThreadedDebug 116 | 117 | 118 | Console 119 | true 120 | 121 | 122 | 123 | 124 | Level3 125 | 126 | 127 | MaxSpeed 128 | true 129 | true 130 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 131 | MultiThreaded 132 | 133 | 134 | Console 135 | true 136 | true 137 | true 138 | 139 | 140 | 141 | 142 | Level3 143 | 144 | 145 | MaxSpeed 146 | true 147 | true 148 | WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) 149 | MultiThreaded 150 | 151 | 152 | Console 153 | true 154 | true 155 | true 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | true 167 | true 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | true 178 | true 179 | 180 | 181 | 182 | 183 | 184 | 185 | -------------------------------------------------------------------------------- /example.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {f7a43d3a-90d2-49ab-a22e-359c4dab1657} 18 | 19 | 20 | 21 | 22 | 头文件 23 | 24 | 25 | 头文件 26 | 27 | 28 | XAntiDebug 29 | 30 | 31 | XAntiDebug 32 | 33 | 34 | XAntiDebug 35 | 36 | 37 | XAntiDebug 38 | 39 | 40 | XAntiDebug 41 | 42 | 43 | XAntiDebug 44 | 45 | 46 | 47 | 48 | 源文件 49 | 50 | 51 | 源文件 52 | 53 | 54 | XAntiDebug 55 | 56 | 57 | XAntiDebug 58 | 59 | 60 | XAntiDebug 61 | 62 | 63 | XAntiDebug 64 | 65 | 66 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | ## VMProtect 3.x Anti-debug Method Improved 3 | 4 | # Feature 5 | - Checksum ntoskrnl File 6 | - Checksum Code Section 7 | - Anti Debugger 8 | - Anti HardwareBreakpoint 9 | 10 | # How use 11 | > example.cpp 12 | ```cpp 13 | XAD_STATUS status; 14 | XAntiDebug antiDbg(GetModuleHandle(NULL), FLAG_FULLON); 15 | BOOL result; 16 | 17 | // 18 | // 在程序最早的时候初始化 如 WinMain 或 DllMain 19 | // 20 | status = antiDbg.XAD_Initialize(); 21 | if (status != XAD_OK) 22 | { 23 | printf("initialize error. %d\n", status); 24 | return 0; 25 | } 26 | 27 | // 28 | // 调用检测 29 | // 30 | 31 | for (;;) 32 | { 33 | result = antiDbg.XAD_ExecuteDetect(); 34 | printf("result = %s\n", result ? "true" : "false"); 35 | 36 | getchar(); 37 | } 38 | 39 | return 0; 40 | 41 | ``` 42 | 43 | # Support 44 | xp-win10 and x86/x64 -------------------------------------------------------------------------------- /stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/strivexjun/XAntiDebug/98dec38a69ca095c745400ad196c858721261959/stdafx.cpp -------------------------------------------------------------------------------- /stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/strivexjun/XAntiDebug/98dec38a69ca095c745400ad196c858721261959/stdafx.h -------------------------------------------------------------------------------- /targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/strivexjun/XAntiDebug/98dec38a69ca095c745400ad196c858721261959/targetver.h --------------------------------------------------------------------------------