flat assembler
Message board for the users of flat assembler.

Thread: Anti-Debugger (Windows)
FrozenKnight 14 Sep 2005, 19:08
I was trying to implement a simple anti-debugger trick:
Code:
db EBh, 01h, E8h    

which translates to
Code:
jmp short $+3   ; EB 01: jump over the next byte
db  0E8h        ; first byte of a CALL opcode which never gets executed due to the jmp before

But for some reason this generates an error in the .code segment I use. Can anyone help me here?
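Added example, not code from the thread: a toy Python decoder for a handful of x86 opcodes that shows what the EB 01 E8 sequence in the post above does to a disassembler. A linear sweep reads the E8 byte as a CALL and swallows the next four bytes, hiding the real instructions; a decoder that follows the jmp target sees them. The bytes after the trick (nop, mov eax,1, ret) are constructed for this example.

```python
# Added example (not from the thread): toy decoder for a few x86 opcodes, showing
# how EB 01 E8 hides code from a linear-sweep disassembler but not a flow-following one.
import struct

# Constructed sample: EB 01 E8 (jump over a stray CALL opcode), then nop / mov eax,1 / ret
SAMPLE = bytes.fromhex("EB01E890B801000000C3")
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(code, off):
    """Return (text, length, flow) for the instruction at off; flow is 'next',
    'stop' or ('jmp', target). Bytes this toy does not know become a `db`."""
    op = code[off]
    if op == 0xEB:                                   # jmp short rel8
        target = off + 2 + struct.unpack_from("<b", code, off + 1)[0]
        return f"jmp short 0x{target:x}", 2, ("jmp", target)
    if op == 0xE8:                                   # call rel32: consumes 4 more bytes
        target = off + 5 + struct.unpack_from("<i", code, off + 1)[0]
        return f"call 0x{target:x}", 5, "next"
    if 0xB8 <= op <= 0xBF:                           # mov r32, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return f"mov {REGS[op - 0xB8]},0x{imm:x}", 5, "next"
    if op == 0x90:
        return "nop", 1, "next"
    if op == 0xC3:
        return "ret", 1, "stop"
    return f"db 0x{op:02x}", 1, "next"


def linear_sweep(code):
    """Decode every byte in order, as a naive disassembler does."""
    out, off = {}, 0
    while off < len(code):
        text, length, _ = decode_one(code, off)
        out[off] = text
        off += length
    return out


def follow_flow(code, start=0):
    """Decode only what execution reaches, taking jmp targets instead of falling through."""
    out, off = {}, start
    while 0 <= off < len(code) and off not in out:
        text, length, flow = decode_one(code, off)
        out[off] = text
        if flow == "stop":
            break
        off = flow[1] if isinstance(flow, tuple) else off + length
    return out
```

Running both decoders over SAMPLE shows the linear sweep never produces the `mov eax,0x1` at offset 4, while the flow-following decoder never touches the E8 byte at offset 2.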
vid 14 Sep 2005, 19:17
db 0EBh
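As an added example (not code from the thread), a small Python checker for fasm-style numeric literals that shows why vid's `0EBh` assembles where FrozenKnight's `EBh` does not: with the `h` suffix a number must begin with a decimal digit, otherwise the token is read as a symbol name. The suffix and prefix rules follow the fasm manual as I read it; treating `$` as a hexadecimal prefix next to `0x` is my assumption.

```python
# Added example (not from the thread): a checker for fasm-style numeric literals.
# With the h suffix a number must begin with a decimal digit, so EBh is read as a
# symbol name while 0EBh is a number. The $ hex prefix is included on the assumption
# that fasm accepts it alongside 0x; the rest follows the fasm manual as I read it.
import re

_DIGITS = re.compile(r"[0-9][0-9A-Fa-f]*")           # first character must be a digit
_BASES = {"h": 16, "b": 2, "o": 8, "q": 8}           # suffixes; no suffix means decimal


def parse_fasm_number(token):
    """Return the value of a fasm numeric literal, or None if the token is not a
    number (the assembler would then look it up as a symbol/label)."""
    t = token.strip()
    if t[:2].lower() == "0x" or t.startswith("$"):   # prefixed hexadecimal
        body = t[2:] if t[:1] == "0" else t[1:]      # a bare $ is the current address, not a number
        return int(body, 16) if re.fullmatch(r"[0-9A-Fa-f]+", body) else None
    digits, base = t, 10
    if t and t[-1].lower() in _BASES:                # suffix decides the base...
        digits, base = t[:-1], _BASES[t[-1].lower()]
    if not _DIGITS.fullmatch(digits):                # ...but the body must start with 0-9
        return None
    try:
        return int(digits, base)
    except ValueError:                               # e.g. 12b: digit not valid in base 2
        return None


def check_db_operands(line):
    """Map each operand of a `db` line to its value, None marking operands that fasm
    would not read as numbers (the cause of the error in the first post)."""
    operands = [o.strip() for o in line.split(None, 1)[1].split(",")]
    return {o: parse_fasm_number(o) for o in operands}
```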
forsaken 10 Oct 2005, 07:33
You could use IsDebuggerPresent, FindWindow & CreateFile to detect the common debuggers. SI with CreateFile.
LocoDelAssembly 10 Oct 2005, 13:26
forsaken, I'm interested in how you detect a debugger through FindWindow & CreateFile. What do you do to detect a debugger with those functions?

Regards
forsaken 10 Oct 2005, 15:53
You can detect SoftICE with CreateFile. I cannot recall the filename which needs to be opened in order to detect it, but I do know that there's tons of information about SI detection, so snoop around on Google and I'm sure you will find more than enough info about the subject.

And as far as FindWindow goes, this can be used to detect debuggers by class or window name; I do not think there's any way to detect a random debugger this way(?)

Well, anyway... check out IsDebuggerPresent and some of the SI detection tricks.
shism2 10 Oct 2005, 22:48
There is a way to detect a random debugger. I just came up with it... right now.

Make a thread which detects the foreground window: GetForegroundWindow.

If you're in a debugger... such as OllyDbg or whatnot.

Once your window is initialized, check the foreground window. Then compare its text to your program's text.... If it's not the same, your program is running under another program.... ;0..
LocoDelAssembly 10 Oct 2005, 23:58
Ok, thanks to both for the data!!
r22 11 Oct 2005, 01:42
On program start:
-Have it create a remote thread (in, like, explorer).
-The remote thread will load the program again (but suspended).
-Patch the memory of the suspended program to JMP over the RemoteThread stuff.
-Terminate the first instance of the program.
-The new instance of the program (not loaded by the debugger)

It seems like it would work :\
okasvi 11 Oct 2005, 03:21
r22, nice one :P I already tested it but didn't know how to patch the suspended program, so I made the remote thread copy first.exe to second.exe, and then in both exes (they are the same...) it checks if the filename is second.exe and if so it skips the remote thread... It is easy to get over just by debugging second.exe, but it's good to start with :P

r22 11 Oct 2005, 04:43
It just hit me that patching a program's code section wouldn't be easy remotely while the process is suspended, so instead...
Just have the program check the command line that created it, and add an argument if you want the program to skip its anti-debugger startup code.
shism2 11 Oct 2005, 05:38
You can also suspend the process after the debugger has been found :)... and it will freeze the program which has loaded your exe.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
