写这个的目的
现在的样本都会有反调试,反虚拟机,反沙箱,会给我们动态分析带来困难,如果遇到反调试,动态调试的过程中会异常退出,写这个的时候自己也是小白,会慢慢的把各种反调试的远离,检测,判断技巧写出来,大家也可以一起talk
GlobalMemoryStatusEx
这个函数主要用来获取系统内存信息,至于恶意软件怎么利用这个函数反调试,我还没研究明白
该函数使用如下,
// GlobalMemoryStatusEx Sample output:
// There is 51 percent of memory in use.
// There are 2029968 total KB of physical memory.
// There are 987388 free KB of physical memory.
// There are 3884620 total KB of paging file.
// There are 2799776 free KB of paging file.
// There are 2097024 total KB of virtual memory.
// There are 2084876 free KB of virtual memory.
// There are 0 free KB of extended memory.
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
// Use to convert bytes to KB
#define DIV 1024
// Specify the width of the field in which to print the numbers.
// The asterisk in the format specifier "%*I64d" takes an integer
// argument and uses it to pad and right justify the number.
#define WIDTH 7
void _tmain()
{
MEMORYSTATUSEX statex;
statex.dwLength = sizeof (statex);
GlobalMemoryStatusEx (&statex);
_tprintf (TEXT("There is %*ld percent of memory in use.\n"),
WIDTH, statex.dwMemoryLoad);
_tprintf (TEXT("There are %*I64d total KB of physical memory.\n"),
WIDTH, statex.ullTotalPhys/DIV);
_tprintf (TEXT("There are %*I64d free KB of physical memory.\n"),
WIDTH, statex.ullAvailPhys/DIV);
_tprintf (TEXT("There are %*I64d total KB of paging file.\n"),
WIDTH, statex.ullTotalPageFile/DIV);
_tprintf (TEXT("There are %*I64d free KB of paging file.\n"),
WIDTH, statex.ullAvailPageFile/DIV);
_tprintf (TEXT("There are %*I64d total KB of virtual memory.\n"),
WIDTH, statex.ullTotalVirtual/DIV);
_tprintf (TEXT("There are %*I64d free KB of virtual memory.\n"),
WIDTH, statex.ullAvailVirtual/DIV);
// Show the amount of extended memory available.
_tprintf (TEXT("There are %*I64d free KB of extended memory.\n"),
WIDTH, statex.ullAvailExtendedVirtual/DIV);
}
根据这个实例以及动态调试过程和结果没弄明白,究竟是怎么通过这个函数反调试的
对抗方法就是增大虚拟机内存,研究的时候可以开两个虚拟机,一个2G内存的虚拟机一个4G内存的虚拟机