flat assembler
Message board for the users of flat assembler.

anti debugging code for 64 bit

patchariadog 23 Oct 2013, 15:08
I have this code that checks for a debugger in 32 bit programs

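Code:
;check for debugger
mov eax, [fs:30h]      ; eax = PEB address (stored at TEB+30h in a 32-bit process)
mov eax, [eax+68h]     ; eax = PEB.NtGlobalFlag (PEB+68h in a 32-bit process)
and eax, 0x70          ; keep the three heap-debug flag bits (10h, 20h, 40h)
test eax, eax
jne .debuggerfound     ; any bit set: treat as debugger present
ret

    .debuggerfound:
    invoke ExitProcess,0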


I tried to change all of the eax to rax and use it in a 64 bit program, but it always thinks a debugger is running.

How would I change this code to 64 bit?

Thanks
tthsqe 23 Oct 2013, 15:16
I do not know, but I do know that
Code:
test eax,eax

is not needed and redundant. :)
patchariadog 23 Oct 2013, 15:42
You're right, it still works without that, thanks!
ACP 23 Oct 2013, 17:33
Read TEB documentation or use WinDBG to describe its fields or just disassemble function code (or just use Google). I've posted the code for you in the other thread about debugging api.
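For analysts who meet this check in a binary, here is an added example (not code from the thread or from any poster): a Python scanner that flags the NtGlobalFlag test in raw code bytes. It covers the 32-bit sequence posted above and goes beyond it to the 64-bit layout, where the PEB pointer is read through GS at offset 60h and NtGlobalFlag sits at PEB+0BCh. The instruction encodings, the 32-byte window, the function name and the sample buffers are assumptions made for the example.

```python
"""Flag the PEB.NtGlobalFlag anti-debug test in raw x86/x64 code bytes."""

# (PEB pointer load, NtGlobalFlag read) per architecture.
# Assumed encodings of the usual assembler output:
SIGNATURES = {
    # 32-bit: TEB via FS, PEB pointer at TEB+30h, NtGlobalFlag at PEB+68h
    "x86": (bytes.fromhex("64a130000000"),        # mov eax,[fs:30h]
            bytes.fromhex("8b4068")),             # mov eax,[eax+68h]
    # 64-bit: TEB via GS, PEB pointer at TEB+60h, NtGlobalFlag at PEB+0BCh
    "x64": (bytes.fromhex("65488b042560000000"),  # mov rax,[gs:60h]
            bytes.fromhex("8b80bc000000")),       # mov eax,[rax+0BCh]
}
MASK_70H = bytes.fromhex("83e070")  # and eax,70h
WINDOW = 32  # assumed: how far after the PEB load the rest may appear


def find_ntglobalflag_checks(code: bytes):
    """Return sorted (offset, arch) pairs, one per PEB load that is followed
    within WINDOW bytes by the NtGlobalFlag read and then the 70h mask."""
    hits = []
    for arch, (peb_load, flag_read) in SIGNATURES.items():
        pos = code.find(peb_load)
        while pos != -1:
            begin = pos + len(peb_load)
            tail = code[begin:begin + WINDOW]
            read_at = tail.find(flag_read)
            if read_at != -1 and MASK_70H in tail[read_at + len(flag_read):]:
                hits.append((pos, arch))
            pos = code.find(peb_load, pos + 1)
    return sorted(hits)


# Constructed sample buffers (not taken from any real binary).
# nop, then the thread's 32-bit sequence: and / test / jne / ret
X86_SAMPLE = bytes.fromhex("90" "64a130000000" "8b4068" "83e070" "85c0" "7501" "c3")
# sub rsp,28h, then the same check using the 64-bit offsets
X64_SAMPLE = bytes.fromhex("4883ec28" "65488b042560000000" "8b80bc000000"
                           "83e070" "7501" "c3")
# PEB load with no NtGlobalFlag read: must not be reported
BENIGN = bytes.fromhex("64a130000000" "8b4008" "c3")

if __name__ == "__main__":
    for name, buf in (("x86", X86_SAMPLE), ("x64", X64_SAMPLE), ("benign", BENIGN)):
        print(name, find_ntglobalflag_checks(buf))
```

Exact byte matching misses variants that use other registers or a `test` with an immediate instead of `and`; a disassembler-based rule is the sturdier follow-up once this quick triage fires.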
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
