This is a disassembly example. The disassembler used here is the disassembly code from Bochs. Because the Bochs disassembly module is fairly self-contained, it can be included directly in a program; to use it on a PE file, however, you need to write a small piece of code that reads the PE file. That code is:
#include "stdafx.h"
#include "windows.h"
#include "disasm.h"
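/*
 * Forward declaration; main() calls this helper before its definition
 * appears further down in the file.
 * NOTE(review): presumably maps a relative virtual address to a raw file
 * offset by walking the nSection section headers at ntHead. The definition
 * is cut off in this listing, so confirm what it returns for an RVA that
 * lies outside every section.
 */
DWORD RVA2FileOffset(PIMAGE_SECTION_HEADER ntHead, int nSection, DWORD RVA);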
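/*
 * Reads exactly cb bytes from hFile into pBuf.
 * Returns TRUE only when ReadFile succeeds and delivers the full count, so a
 * truncated file cannot leave part of a header structure uninitialised.
 */
static BOOL ReadExact(HANDLE hFile, void *pBuf, DWORD cb)
{
    DWORD cbRead = 0;
    return ReadFile(hFile, pBuf, cb, &cbRead, NULL) && cbRead == cb;
}

/*
 * Opens the PE file named in argv[1], locates its entry point and prints a
 * disassembly of up to 1024 bytes of code starting there, using the Bochs
 * disassembler.
 *
 * Every header field comes from the file and must be treated as untrusted:
 * the file under analysis may be malformed or deliberately crafted, so each
 * read and seek is checked before the data is used.
 *
 * Returns 0 on success, and also for the usage and open-failure paths (as the
 * original code did); returns 1 when the file is rejected as malformed or
 * unreadable.
 */
int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("Usage: %s PE file name, ex: %s a.exe\r\n", argv[0], argv[0]);
        return 0;
    }

    HANDLE hFile = CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("can not open file: %s", argv[1]);
        return 0;
    }
    printf("Begin reading file...\r\n");

    int rc = 1;
    PIMAGE_SECTION_HEADER pSection = NULL;

    /* Single-pass block: "break" jumps to the shared cleanup below. */
    do {
        IMAGE_DOS_HEADER dos;
        IMAGE_NT_HEADERS32 fileHeader; /* 32-bit layout: disasm() is called in 32-bit mode */

        // read the file dos header
        if (!ReadExact(hFile, &dos, sizeof(IMAGE_DOS_HEADER)) ||
            dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew < 0) {
            printf("not a valid DOS/MZ header\r\n");
            break;
        }
        if (SetFilePointer(hFile, dos.e_lfanew, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER) {
            printf("can not seek to the PE header\r\n");
            break;
        }

        // read the file pe header
        if (!ReadExact(hFile, &fileHeader, sizeof(fileHeader)) ||
            fileHeader.Signature != IMAGE_NT_SIGNATURE ||
            fileHeader.OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) {
            printf("not a valid 32-bit PE header\r\n");
            break;
        }

        DWORD nEntryAddress = fileHeader.OptionalHeader.AddressOfEntryPoint;
        int nSectionNumber = fileHeader.FileHeader.NumberOfSections;

        /* The section table follows the optional header, whose real size is
         * stated in the file header; it need not equal sizeof(IMAGE_NT_HEADERS). */
        DWORD nSectionTable = (DWORD)dos.e_lfanew + (DWORD)sizeof(DWORD) +
                              (DWORD)sizeof(IMAGE_FILE_HEADER) +
                              fileHeader.FileHeader.SizeOfOptionalHeader;
        if (SetFilePointer(hFile, (LONG)nSectionTable, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER) {
            printf("can not seek to the section table\r\n");
            break;
        }

        pSection = new IMAGE_SECTION_HEADER[nSectionNumber];
        if (!ReadExact(hFile, pSection, (DWORD)(sizeof(IMAGE_SECTION_HEADER) * nSectionNumber))) {
            printf("can not read the section table\r\n");
            break;
        }

        printf("The address of entry is: %.8X\r\n", (unsigned int)nEntryAddress);
        printf("The section number is: %d\r\n", nSectionNumber);

        /* NOTE(review): the failure value of RVA2FileOffset is not visible in
         * this listing; confirm that an entry point outside every section is
         * rejected instead of being used as a file offset. */
        DWORD nEntryAddressOffFile = RVA2FileOffset(pSection, nSectionNumber, nEntryAddress);
        if (SetFilePointer(hFile, (LONG)nEntryAddressOffFile, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER) {
            printf("can not seek to the entry point\r\n");
            break;
        }

        /* Zero-filled with 16 spare bytes: an x86 instruction is at most 15
         * bytes long, so decoding an instruction that starts on the last byte
         * read should stay inside the buffer. */
        unsigned char szInBuf[1024 + 16] = {0};
        char szOutBuf[4096];
        DWORD cbCode = 0;
        if (!ReadFile(hFile, szInBuf, 1024, &cbCode, NULL) || cbCode == 0) {
            printf("can not read code at the entry point\r\n");
            break;
        }

        disassembler obj;
        DWORD nTotalLen = 0;
        /* Decode only the bytes actually read, not the whole 1024-byte buffer. */
        while (nTotalLen < cbCode) {
            szOutBuf[0] = '\0';
            /* Advance the instruction address along with the buffer pointer so
             * relative branch targets are computed for the right location. */
            unsigned nLen = obj.disasm(TRUE, fileHeader.OptionalHeader.ImageBase,
                                       nEntryAddress + nTotalLen,
                                       szInBuf + nTotalLen, szOutBuf);
            if (nLen == 0) {
                break; /* no progress: avoid looping forever */
            }
            /* Never pass the decoded text as the format string itself. */
            printf("%s\r\n", szOutBuf);
            nTotalLen += nLen;
        }
        rc = 0;
    } while (0);

    delete[] pSection;
    CloseHandle(hFile);
    return rc;
}

DWORD RVA2FileOffset (PIMAGE_SECTION_HEADER ntHead, int nSection, DWORD RVA) {PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER) ntHead; int nTotalSection = nSection; for (int i = 0; i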