
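[Application security testing] Adds some simple anti-penetration features: anti-debugging and protection against DLL injection attacks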


zxffffffff/Detours-modified

 
 


[Application security testing] Verified and passed

Added: anti-DLL debugging

#include <windows.h>
#include "detours.h"

HOOK_IsDebugger([](HOOK_State state, LPCWSTR msg) {
  if (state == HOOK_Catch) {
    // Anti-debugging triggered; exiting the process is recommended
    TerminateProcess(GetCurrentProcess(), 0);
  }
  else {
    // error -> msg
  }
});

Added: anti-DLL injection

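#include <windows.h>
#include <iostream>
#include "detours.h"

HOOK_VirtualAllocEx([](HOOK_State state, LPCWSTR msg) {
  if (state == HOOK_Catch) {
    // Anti-DLL-injection triggered; killing the thread is recommended.
    // bypass is not defined in this snippet; the lambda captures nothing,
    // so it must be a global or static flag supplied by the caller.
    if (bypass)
      // Message: "Warning: some Win32 API calls may trigger this by mistake;
      // ShellExecuteEx is a known one, filter such calls yourself"
      std::cout << "警告:部分 Win32 API 调用可能会误触发,已知的有 ShellExecuteEx,自行过滤即可";
    else
      TerminateThread(GetCurrentThread(), 0);
  }
  else {
    // error -> msg
  }
});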

DLL injection defense result (two screenshots in the original README).

Microsoft Research Detours Package

Detours is a software package for monitoring and instrumenting API calls on Windows. Detours has been used by many ISVs and is also used by product teams at Microsoft. Detours is now available under a standard open source license (MIT). This simplifies licensing for programmers using Detours and allows the community to support Detours using open source tools and processes.

Detours is compatible with the Windows NT family of operating systems: Windows NT, Windows XP, Windows Server 2003, Windows 7, Windows 8, and Windows 10. It cannot be used by Windows Store apps because Detours requires APIs not available to those applications. This repo contains the source code for version 4.0.1 of Detours.

For technical documentation on Detours, see the Detours Wiki. For directions on how to build and run samples, see the samples README.txt file.

Contributing

The Detours repository is where development is done. Here are some ways you can participate in the project:

Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Issues, questions, and feedback

Mailing list for announcements

The detours-announce mailing list is a low-traffic email list for important announcements about the project, such as the availability of new versions of Detours. To join it, send an email to listserv@lists.research.microsoft.com with a message body containing only the text SUBSCRIBE DETOURS-ANNOUNCE. To leave it, send an email to listserv@lists.research.microsoft.com with a message body containing only the text UNSUBSCRIBE DETOURS-ANNOUNCE.

License

Copyright (c) Microsoft Corporation. All rights reserved.

Licensed under the MIT License.
