646F1877 |. 8B85 E0FCFFFF MOV EAX,DWORD PTR SS:[EBP-320]
646F187D |. C705 D0347E64>MOV DWORD PTR DS:[647E34D0],10001
646F1887 |. A1 88357E64 MOV EAX,DWORD PTR DS:[647E3588]
646F188C |. A3 84347E64 MOV DWORD PTR DS:[647E3484],EAX
646F1891 |. C705 78347E64>MOV DWORD PTR DS:[647E3478],C0000409
646F189B |. C705 7C347E64>MOV DWORD PTR DS:[647E347C],1
646F18A5 |. A1 48207C64 MOV EAX,DWORD PTR DS:[647C2048]
646F18AA |. 8985 D8FCFFFF MOV DWORD PTR SS:[EBP-328],EAX
646F18B0 |. A1 4C207C64 MOV EAX,DWORD PTR DS:[647C204C]
646F18B5 |. 8985 DCFCFFFF MOV DWORD PTR SS:[EBP-324],EAX
646F18BB |. FF15 ACF17364 CALL DWORD PTR DS:[<&KERNEL32.IsDebuggerPresent>] ; [IsDebuggerPresent
646F18C1 |. A3 C8347E64 MOV DWORD PTR DS:[647E34C8],EAX
646F18C6 |. 6A 01 PUSH 1
646F18C8 |. E8 3F030000 CALL <JMP.&MSVCR100._crt_debugger_hook>
646F18CD |. 59 POP ECX
646F18CE |. 6A 00 PUSH 0 ; /pTopLevelFilter = NULL
646F18D0 |. FF15 A8F17364 CALL DWORD PTR DS:[<&KERNEL32.SetUnhandledExceptionFilter>] ; \SetUnhandledExceptionFilter
646F18D6 |. 68 F4FC7364 PUSH AppBiz.6473FCF4 ; /pExceptionInfo = AppBiz.6473FCF4
646F18DB |. FF15 A4F17364 CALL DWORD PTR DS:[<&KERNEL32.UnhandledExceptionFilter>] ; \UnhandledExceptionFilter
646F18E1 |. 833D C8347E64>CMP DWORD PTR DS:[647E34C8],0
646F18E8 |. 75 08 JNZ SHORT AppBiz.646F18F2
646F18EA |. 6A 01 PUSH 1
646F18EC |. E8 1B030000 CALL <JMP.&MSVCR100._crt_debugger_hook>
646F18F1 |. 59 POP ECX
646F18F2 |> 68 090400C0 PUSH C0000409 ; /ExitCode = C0000409 (-1073740791.)
646F18F7 |. FF15 DCF07364 CALL DWORD PTR DS:[<&KERNEL32.GetCurrentProcess>] ; |[GetCurrentProcess
646F18FD |. 50 PUSH EAX ; |hProcess
646F18FE |. FF15 24F17364 CALL DWORD PTR DS:[<&KERNEL32.TerminateProcess>] ; \TerminateProcess
646F1904 |. C9 LEAVE
646F1905 \. C3 RETN
646F1906 $- FF25 20F47364 JMP DWORD PTR DS:[<&MSVCR100.?terminate@@YAXXZ>] ; MSVCR100.?terminate@@YAXXZ
The function SetUnhandledExceptionFilter is what explains all of this.
Summarizing what I found: the filter callback registered through SetUnhandledExceptionFilter (the function itself only returns the previously installed filter) can return one of three values:
EXCEPTION_EXECUTE_HANDLER equ 1: I have handled the exception; the process can now shut down cleanly.
EXCEPTION_CONTINUE_SEARCH equ 0: I am not handling it, someone else should; Windows then runs its default handling, which shows the error dialog and terminates the process.
EXCEPTION_CONTINUE_EXECUTION equ -1: the fault has been repaired (normally by editing ContextRecord); resume execution at the point where the exception occurred.
Usage is as follows:

#include <windows.h>
#include <stdio.h>

/* Top-level filter. Windows only invokes it when the process is not being
   debugged. The CONTEXT fields used below (Eax, Ebx, ...) are the 32-bit
   ones, so build this as x86. */
LONG WINAPI callback(EXCEPTION_POINTERS* excp)
{
    MessageBoxA(0, "Error", "error", MB_OK);
    printf("Error address %p\n", excp->ExceptionRecord->ExceptionAddress);
    printf("CPU register:\n");
    printf("eax %08lx ebx %08lx ecx %08lx edx %08lx\n",
           excp->ContextRecord->Eax, excp->ContextRecord->Ebx,
           excp->ContextRecord->Ecx, excp->ContextRecord->Edx);
    return EXCEPTION_EXECUTE_HANDLER;   /* handled: let the process end */
}

int main(int argc, char* argv[])
{
    SetUnhandledExceptionFilter(callback);
    __asm int 3   /* only here to make the program crash */
    return 0;
}
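The following is an added example, not code from the original post. It uses the same API as the snippet above, but as a debugger check, and it exercises the other two return values from the list above: EXCEPTION_CONTINUE_EXECUTION for the int 3 it planted itself, EXCEPTION_CONTINUE_SEARCH for anything it did not expect. The signal is whether the filter ran at all: Windows calls the registered top-level filter only when no debugger is attached (UnhandledExceptionFilter returns EXCEPTION_CONTINUE_SEARCH so the debugger gets the exception instead), so if control comes back to the caller with the flag still clear, a debugger swallowed the int 3. It assumes MSVC on x86 or x64 Windows; the function names (debugger_present_via_uef, resume_address_after, filter_action_for) are mine. The decision logic is kept in plain C with no Windows headers so it can be compiled and checked on any host; the part that actually installs the filter is under #ifdef _WIN32.

```c
/* Added example (not from the original post): SetUnhandledExceptionFilter
 * as a debugger check.  Assumes MSVC on x86 or x64 Windows. */
#include <stdio.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Exception code and filter return values as defined in winnt.h / excpt.h,
   spelled out so the portable part needs no Windows headers. */
#define CODE_BREAKPOINT            0x80000003u  /* EXCEPTION_BREAKPOINT          */
#define FILTER_CONTINUE_EXECUTION  (-1)         /* EXCEPTION_CONTINUE_EXECUTION  */
#define FILTER_CONTINUE_SEARCH     0            /* EXCEPTION_CONTINUE_SEARCH     */

/* Portable decision logic.  Windows reports the int 3 itself (the 1-byte
   0xCC) as the exception address, so resuming one byte later skips it.
   Any other exception is not ours: no resume address, let Windows' default
   handling run. */
uintptr_t resume_address_after(uint32_t exception_code, uintptr_t exception_address)
{
    return exception_code == CODE_BREAKPOINT ? exception_address + 1 : 0;
}

int filter_action_for(uint32_t exception_code)
{
    return exception_code == CODE_BREAKPOINT ? FILTER_CONTINUE_EXECUTION
                                             : FILTER_CONTINUE_SEARCH;
}

#ifdef _WIN32
/* Set only by the filter; stays 0 when a debugger intercepts the int 3. */
static volatile int g_filter_ran = 0;

/* The real top-level filter: applies the decision to the CONTEXT that the
   kernel restores when we return EXCEPTION_CONTINUE_EXECUTION. */
static LONG WINAPI anti_debug_filter(EXCEPTION_POINTERS *ep)
{
    uint32_t  code   = ep->ExceptionRecord->ExceptionCode;
    uintptr_t resume = resume_address_after(code, (uintptr_t)ep->ExceptionRecord->ExceptionAddress);
    int       action = filter_action_for(code);

    if (action == FILTER_CONTINUE_EXECUTION) {
        g_filter_ran = 1;
#if defined(_M_X64)
        ep->ContextRecord->Rip = (DWORD64)resume;
#elif defined(_M_IX86)
        ep->ContextRecord->Eip = (DWORD)resume;
#else
#error "example assumes x86 or x64"
#endif
    }
    return action;
}

/* Returns 1 if a debugger is attached, 0 otherwise. */
int debugger_present_via_uef(void)
{
    LPTOP_LEVEL_EXCEPTION_FILTER previous = SetUnhandledExceptionFilter(anti_debug_filter);
    g_filter_ran = 0;
    /* int 3.  No debugger: the filter runs and resumes at the next
       instruction.  Debugger attached: it breaks here, the filter never runs. */
#ifdef _MSC_VER
    __debugbreak();
#else
    __asm__ volatile("int3");
#endif
    SetUnhandledExceptionFilter(previous);   /* restore whatever was installed */
    return g_filter_ran ? 0 : 1;
}

int main(void)
{
    printf("debugger %s\n", debugger_present_via_uef() ? "detected" : "not detected");
    return 0;
}
#else
int main(void)
{
    puts("Windows only; resume_address_after() and filter_action_for() hold the portable logic.");
    return 0;
}
#endif
```

Two things follow from this for anyone on the other side of the check. First, the check works only because UnhandledExceptionFilter refuses to call the application's filter while a debug port is attached, so hiding the debugger from that query (or simply breaking on the address passed to SetUnhandledExceptionFilter and stepping into the filter by hand) defeats it. Second, the listing at the top of the post shows the CRT's own failure path calling SetUnhandledExceptionFilter with pTopLevelFilter = NULL before it calls UnhandledExceptionFilter and then TerminateProcess with exit code C0000409: that path deliberately discards any filter the application installed, so a check like the one above never runs there.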
SetUnhandledExceptionFilter anti-debugging
Reposted from blog.csdn.net/yedehei_lt/article/details/80656890