#2

Anti-Debug
- HWBP 감지
- IsDebuggerPresent 감지
- Hypervisor 감지

Anti-Library
- TLS 콜백 등록
TODO: TLS 콜백에서 DLL 감지, LDR 루프

Anti-Process:
TODO: 프로세스 감지

Code Integrity Check:
- 변조 체크

Core
TODO: Class initialization, Report 함수 만들기

Protector/AntiDebug.cpp

@@ -0,0 +1,52 @@
+#include <Windows.h>
+
+inline bool BasicDebugTriggered()
+{
+    if (IsDebuggerPresent())
+        return true;
+
+    return false;
+}
+inline bool HWBPDebugTriggered()
+{
+    CONTEXT ctx;
+    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
+    GetThreadContext(GetCurrentThread(), &ctx);
+
+    if (ctx.Dr0 != 0 || ctx.Dr1 != 0 || ctx.Dr2 != 0 || ctx.Dr3 != 0)
+        return true;
+
+    return false;
+}
+inline bool HypervisorDebugTriggered()
+{
+    __try
+    {
+        __asm
+        {
+            __emit 0xf3;
+            __emit 0x90;
+            __emit 0x00;
+        }
+    }
+    __except (EXCEPTION_EXECUTE_HANDLER)
+    {
+        return true;
+    }
+
+    return false;
+}
+
+inline bool AntiDebugTriggered()
+{
+    if (BasicDebugTriggered())
+        return true;
+
+    if (HWBPDebugTriggered())
+        return true;
+
+    if (HypervisorDebugTriggered())
+        return true;
+
+    return false;
+}

Protector/AntiLibrary.cpp

@@ -0,0 +1,18 @@
+#include <Windows.h>
+
+#pragma comment(linker, "/INCLUDE:_tls_used") //Use TLS
+
+void NTAPI TlsCallback(PVOID DllHandle, DWORD dwReason, PVOID Reserved)
+{
+    if (dwReason == DLL_PROCESS_ATTACH)
+    {
+        //Check if debugger is present
+        if (IsDebuggerPresent())
+            ExitProcess(0);
+    }
+}
+#pragma data_seg(".CRT$XLX")
+PIMAGE_TLS_CALLBACK p_thread_callback[] = { TlsCallback, 0 };
+#pragma data_seg()
+
+//TODO: PEB LDR -> Sign

Protector/CodeIntegrity.cpp

@@ -0,0 +1,49 @@
+#include <Windows.h>
+#include <string>
+#include <intrin.h>
+inline bool GetSectionHash(DWORD_PTR moduleBase, const std::string& sectionName, LPDWORD pHash)
+{
+    IMAGE_DOS_HEADER* pDosHeader = (IMAGE_DOS_HEADER*)moduleBase;
+    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+        return false;
+    IMAGE_NT_HEADERS* pNtHeaders = (IMAGE_NT_HEADERS*)(moduleBase + pDosHeader->e_lfanew);
+    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
+        return false;
+    IMAGE_SECTION_HEADER* pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
+
+    for (int i = 0; i < pNtHeaders->FileHeader.NumberOfSections; i++)
+    {
+        if (strcmp((char*)pSectionHeader->Name, sectionName.c_str()) == 0)
+        {
+            *pHash = 0xDEADBEEF;
+            for (int i = 0; i < pSectionHeader->SizeOfRawData; i += 4)
+            {
+                *pHash = _mm_crc32_u32(*pHash, *(DWORD*)(moduleBase + pSectionHeader->VirtualAddress + i));
+            }
+            return true;
+        }
+        pSectionHeader++;
+    }
+    return false;
+}
+class CodeIntegrityVerifier
+{
+private:
+    DWORD_PTR m_moduleBase;
+    DWORD_PTR m_moduleSize;
+    DWORD m_sectionHash;
+public:
+    CodeIntegrityVerifier(DWORD_PTR moduleBase, DWORD_PTR moduleSize)
+    {
+        m_moduleBase = moduleBase;
+        m_moduleSize = moduleSize;
+        GetSectionHash(moduleBase, ".text", &m_sectionHash);
+    }
+    bool Verify()
+    {
+        DWORD hash;
+        if (!GetSectionHash(m_moduleBase, ".text", &hash))
+            return false;
+        return hash == m_sectionHash;
+    }
+};

Protector/Protector.vcxproj

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
@@ -17,7 +17,6 @@
       <Configuration>Release</Configuration>
       <Platform>x64</Platform>
     </ProjectConfiguration>
-
   </ItemGroup>
   <PropertyGroup Label="Globals">
     <VCProjectVersion>17.0</VCProjectVersion>
@@ -53,27 +52,24 @@
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
-
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
   </ImportGroup>
-  <ImportGroup Label="Shared" >
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
   </ImportGroup>
-    <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-      <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-    </ImportGroup>
-    <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-      <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-    </ImportGroup>
-    <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-      <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-    </ImportGroup>
-    <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-      <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-    </ImportGroup>
-
   <PropertyGroup Label="UserMacros" />
-
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <WarningLevel>Level3</WarningLevel>
@@ -130,9 +126,14 @@
       <GenerateDebugInformation>true</GenerateDebugInformation>
     </Link>
   </ItemDefinitionGroup>
-
-  <ItemGroup></ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="AntiDebug.cpp" />
+    <ClCompile Include="AntiLibrary.cpp" />
+    <ClCompile Include="AntiProcess.cpp" />
+    <ClCompile Include="CodeIntegrity.cpp" />
+    <ClCompile Include="Core.cpp" />
+  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>
-</Project>
+</Project>

Protector/Protector.vcxproj.filters

@@ -14,4 +14,21 @@
       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
     </Filter>
   </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="AntiDebug.cpp">
+      <Filter>소스 파일</Filter>
+    </ClCompile>
+    <ClCompile Include="AntiLibrary.cpp">
+      <Filter>소스 파일</Filter>
+    </ClCompile>
+    <ClCompile Include="AntiProcess.cpp">
+      <Filter>소스 파일</Filter>
+    </ClCompile>
+    <ClCompile Include="CodeIntegrity.cpp">
+      <Filter>소스 파일</Filter>
+    </ClCompile>
+    <ClCompile Include="Core.cpp">
+      <Filter>소스 파일</Filter>
+    </ClCompile>
+  </ItemGroup>
 </Project>