xv. Guard Pages
Guard pages can be used for a simple debugger detection. An exception handler is registered, an executable/writable page is allocated dynamically, a "C3" opcode (the "RET" instruction) is written to it, and then the page protection is changed to PAGE_GUARD. Then an attempt is made to execute the instruction. This should result in an EXCEPTION_GUARD_PAGE (0x80000001) exception being received by the exception handler, but if a debugger is present, the debugger might intercept the exception and allow the execution to continue. In fact, that's exactly what happens in OllyDbg (see the Anti-debugging: OllyDbg section below).

Example code looks like this:
    xor ebx, ebx
    push 40h                    ;PAGE_EXECUTE_READWRITE
    push 1000h                  ;MEM_COMMIT
    push 1                      ;dwSize
    push ebx                    ;lpAddress = NULL
    call VirtualAlloc
    mov byte ptr [eax], 0c3h    ;write the RET opcode into the new page
    push eax                    ;scratch slot for the old protection value
    push esp                    ;lpflOldProtect
    push 140h                   ;PAGE_EXECUTE_READWRITE
                                ;+ PAGE_GUARD
    push 1                      ;dwSize
    push eax                    ;lpAddress
    xchg ebp, eax               ;ebp = address of the guarded page
    call VirtualProtect
    push offset l1              ;register l1 as the SEH handler
    push dword ptr fs:[ebx]
    mov fs:[ebx], esp
    push offset being_debugged
                                ;executing ret will branch
                                ;to being_debugged
    jmp ebp
                                ;an exception will reach here
l1: ...
This technique is used by PC Guard.