Index
> Windows > Anti-Debugger |
| Author |
|
|
vid
db 0EBh
|
|||
14 Sep 2005, 19:17 |
|
|
forsaken
you could use IsDebuggerPresent, FindWindow & CreateFile to detect the common debuggers. SI with createFile.
|
|||
|
10 Oct 2005, 07:33 |
|
|
LocoDelAssembly
forsaken, I'm interested in how you detect a debugger through FindWindow & CreateFile. What do you do to detect a debugger with those functions?
Regards |
|||
|
10 Oct 2005, 13:26 |
|
|
forsaken
you can detect SoftICE with CreateFile, i cannot recall the filename which needs to be created in order to detect it but i do know that there's tons of information about SI detection so snoop around at google and im sure you will find more then enough info about the subject.
and as far as findWindow goes, this can be used to detect debuggers by class or window name, i do not think theres any way to detect a random debugger this way(?) well, anyways... check out IsDebuggerPresent and some of the SI detection tricks. |
|||
|
10 Oct 2005, 15:53 |
|
|
shism2
There is a way to detect a random bugger. I just came up with it.. right now
Make a thread which detects the foreground window. GetForeGroundWindow If your in a debugger... such as Ollydbg or whatnot. Once your window is initlized. Check foreground window . After compare the text to your programs text.... If it's not the same your program is running another program.... ;0.. |
|||
|
10 Oct 2005, 22:48 |
|
|
LocoDelAssembly
Ok, thanks to both for the data!!
|
|||
|
10 Oct 2005, 23:58 |
|
|
r22
On program start.
-Have it create a remote thread (in like explorer). -The remote thread will load the program again (but suspended) -Patch the memory of the suspended program to JMP over the RemoteThread stuff. -Terminate teh first instance of the program -The new instanceof the Program (not loaded by the debugger) It seems like it would work :\ |
|||
|
11 Oct 2005, 01:42 |
|
|
okasvi
r22, nice one
 already tested but didnt know how to patch the suspended program so i made remotethread to copy the first.exe to second.exe and then in both exe's(they are the same...) it checks if the filename is second.exe and if so it does skip remotethread... it is easy to get over just by debugging second.exe but its good to start with _________________ When We Ride On Our Enemies support reverse smileys |: |
|||
|
11 Oct 2005, 03:21 |
|
|
r22
just hit me, that patching a programs code section wouldn't be easy remotely while the process is suspended, so instead...
Just have the program check the command line that Created it and add an arguement if you want the program to skip its anti-debugger startup code. |
|||
|
11 Oct 2005, 04:43 |
|
|
shism2
You can also use suspend process after the debugger has been found
 ....and it will freeze the program which as loaded your exe |
|||
|
11 Oct 2005, 05:38 |
|
< Last Thread | Next Thread > |
Forum Rules:
|