.386
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
; Both titles hold the same text; two symbols are kept so each message
; path below has its own caption.
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger not found!",0h
DbgFoundText db "Debugger found!",0h
.code
start:
; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This example can detect all ring3 debuggers by accessing PEB!BeingDebugged.
; You can see this code in kernel32.dll!IsDebuggerPresent function.
;
; Entry:    start is the PE entry point; no arguments, never returns
;           (ExitProcess below).
; Target:   32-bit Windows only - FS is assumed to point at the TEB.
; Clobbers: EAX, flags (plus whatever MessageBox/ExitProcess clobber).
; Limitation (same as IsDebuggerPresent): the result is only as good as the
; BeingDebugged byte itself; it is a snapshot of one flag, not a proof.
ASSUME FS:NOTHING                        ; allow FS:[...] operands without a segment assumption
MOV EAX,DWORD PTR FS:[18h]               ; EAX = TEB (TEB.Self)
MOV EAX,DWORD PTR DS:[EAX+30h]           ; EAX = TEB.ProcessEnvironmentBlock
MOVZX EAX,BYTE PTR DS:[EAX+2h]           ; EAX = PEB.BeingDebugged, zero-extended (0 or 1)
CMP EAX,1
JE @DebuggerDetected
; Not-found path. MessageBox(hWnd=0, lpText, lpCaption, uType=40h);
; args are pushed right-to-left for stdcall. 40h = MB_ICONINFORMATION.
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
JMP @exit
@DebuggerDetected:
; Found path. 30h = MB_ICONWARNING.
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
@exit:
PUSH 0
CALL ExitProcess                         ; ExitProcess(0); does not return
end start
NtGlobalFlag Debugger Detection Debugging ap0x NtGlobalFlag.zip March 11 2006
.386
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
; Both titles hold the same text; two symbols are kept so each message
; path below has its own caption.
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger not found!",0h
DbgFoundText db "Debugger found!",0h
.code
start:
; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; When ring3 debugger opens an .exe file, several switches are set.
; One of them is NtGlobalFlag which when debugger is present is set
; to 0x70.
; Example of using this antidebug feature can be seen in ExeCryptor.
;
; Entry:    start is the PE entry point; no arguments, never returns
;           (ExitProcess below).
; Target:   32-bit Windows only - FS is assumed to point at the TEB.
; Clobbers: EAX, flags (plus whatever MessageBox/ExitProcess clobber).
; 0x70 is FLG_HEAP_ENABLE_TAIL_CHECK (10h) | FLG_HEAP_ENABLE_FREE_CHECK (20h)
; | FLG_HEAP_VALIDATE_PARAMETERS (40h): the heap-debugging bits that get
; turned on for a process created under a debugger.
; Caveat: NtGlobalFlag is a bit mask but the test below is an exact
; equality, so any extra bit set system-wide (e.g. via gflags) makes the
; debugger case fall through to "not found", and those three bits being set
; for any other reason reports "found" with no debugger attached.
ASSUME FS:NOTHING                        ; allow FS:[...] operands without a segment assumption
MOV EAX,DWORD PTR FS:[30h]               ; EAX = PEB (TEB+30h, read through FS directly)
ADD EAX,68h                              ; EAX = &PEB.NtGlobalFlag (x86 PEB offset 68h)
MOV EAX,DWORD PTR DS:[EAX]               ; EAX = NtGlobalFlag
CMP EAX,70h
JE @DebuggerDetected
; Not-found path. MessageBox(hWnd=0, lpText, lpCaption, uType=40h);
; args are pushed right-to-left for stdcall. 40h = MB_ICONINFORMATION.
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
JMP @exit
@DebuggerDetected:
; Found path. 30h = MB_ICONWARNING.
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
@exit:
PUSH 0
CALL ExitProcess                         ; ExitProcess(0); does not return
end start
OllyDbg Registry Key Detection Debugging ap0x Registry-OllyDBG.zip March 11 2006
.386
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib
.data
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger not found!",0h
DbgFoundText db "Debugger found!",0h
; HKLM subkey holding the post-mortem (JIT) debugger configuration.
szOllyKey db "SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug",0h
; Value name under that key: the command line of the registered debugger.
szIsOllyKey db "Debugger",0h
; NOTE(review): passed below as the lpType argument of RegQueryValueEx, which
; is an OUT DWORD*, not an input string - the API overwrites the first four
; bytes of this text with the value type. A separate DWORD (or 0) is what the
; API expects.
szREGSZ db "REG_SZ",0
.data?
; 256h is hex (598 bytes). It matches MOV lpcbData,256h below, so the buffer
; and the size passed to the API agree, but 256 decimal was probably intended.
szBuff db 256h dup(?)
lpcbData dd ?
lpdwDisp dd ?                            ; unused
hKey dd ?                                ; .data? is zero-filled, so 0 if RegOpenKeyEx fails
.code
start:
; MASM32 antiOllyDBG example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This example will read data from Windows Registry key szOllyKey.
; This key is set to the system debugger, if application crashes
; application at that key location will be called.
; For other examples, see the Registry-OllyDbg.zip archive.
;
; Entry:    start is the PE entry point; no arguments, never returns
;           (ExitProcess below).
; Clobbers: EAX, ECX, flags, plus the registers the INVOKEd APIs clobber.
; What this actually tells you: whether *some* post-mortem debugger is
; registered on the host, not whether this process is being debugged now.
; On systems that ship with a default post-mortem debugger registered the
; "found" path is presumably taken every time - verify on the target OS.
MOV lpcbData,256h                        ; in/out: size of szBuff in bytes
; NOTE(review): the return value of RegOpenKeyEx is never checked, and
; KEY_WRITE is requested although only a read follows. Under an account
; without write access to HKLM the open fails, hKey stays 0, and the query
; below fails too, so the example silently reports "not found". KEY_READ
; alone is the least privilege needed here.
INVOKE RegOpenKeyEx, HKEY_LOCAL_MACHINE, addr szOllyKey, 0,KEY_WRITE or KEY_READ, addr hKey
; RegQueryValueEx(hKey, "Debugger", NULL, lpType, szBuff, &lpcbData).
; See the note on szREGSZ above regarding the lpType argument.
INVOKE RegQueryValueEx, hKey, addr szIsOllyKey, 0, addr szREGSZ, addr szBuff, addr lpcbData
OR EAX,EAX                               ; ERROR_SUCCESS is 0
JNE @DebuggerNotFound
; The value is expected to start with a quoted path (e.g. "C:\...\debugger.exe" ...).
; Find the closing quote and terminate the string there so only the path is shown.
MOV ECX,offset szBuff+1                  ; start just past the opening quote
@SeekQuote:
INC ECX
CMP BYTE PTR[ECX],'"'
JNE @SeekQuote                           ; NOTE(review): no upper bound - if the value holds no
                                         ; closing quote this scans past szBuff into lpcbData,
                                         ; lpdwDisp, hKey and beyond until a '"' byte is hit or
                                         ; an unmapped page faults. Bound the loop by lpcbData.
MOV BYTE PTR[ECX],0h                     ; overwrite the closing quote with NUL
JMP @DebuggerDetected
@DebuggerNotFound:
; MessageBox(hWnd=0, lpText, lpCaption, uType=40h); 40h = MB_ICONINFORMATION.
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
JMP @exit
@DebuggerDetected:
; 30h = MB_ICONWARNING; the text is the registered debugger path (szBuff+1
; skips the opening quote).
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset szBuff+1
PUSH 0
CALL MessageBox
@exit:
; hKey is never closed (RegCloseKey); harmless only because the process
; exits right here.
PUSH 0
CALL ExitProcess                         ; ExitProcess(0); does not return
end start
RDTSC Instruction Debugger Latency Detection Debugging ap0x March 11 2006
; #########################################################################
.586
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger stepping not found!",0h
DbgFoundText db "Debugger stepping found!",0h
.code
start:
; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This code calculates time of code execution between two RDTSC
; instructions. RDTSC stores the 64-bit time-stamp counter in EDX:EAX;
; only the low half (EAX) is used here.
; If this time is greater than 0xFFF then debugger is present.
;
; Entry:    start is the PE entry point; no arguments.
; Target:   .586 is required for RDTSC.
; Clobbers: EAX, ECX, EDX, flags (plus whatever MessageBox clobbers).
; Caveats for anyone reading or reusing this check:
;  - Only the low 32 bits are compared, so a wrap of EAX between the two
;    reads gives a huge unsigned delta and a false "stepping found".
;  - Any interrupt, context switch or SMI landing between the two reads also
;    inflates the delta; 0xFFF is an arbitrary cycle count, not calibrated
;    to any CPU.
;  - The two RDTSCs are three instructions apart, so this only notices
;    single-stepping or a breakpoint in between, not a passively attached
;    debugger.
RDTSC                                    ; EDX:EAX = TSC (EDX discarded)
XOR ECX,ECX
ADD ECX,EAX                              ; ECX = first reading (equivalent to MOV ECX,EAX)
RDTSC
SUB EAX,ECX                              ; EAX = low-32-bit delta
CMP EAX,0FFFh
JNB @OllyDetected                        ; unsigned compare: delta >= 0FFFh -> "stepping found"
; MessageBox(hWnd=0, lpText, lpCaption, uType=40h); 40h = MB_ICONINFORMATION.
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
; NOTE(review): RET from the entry point returns into the loader's
; thread-start stub with EAX (the MessageBox result) as the exit code -
; presumably fine, but the sibling examples call ExitProcess; confirm.
RET
@OllyDetected:
; 30h = MB_ICONWARNING.
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
RET
end start
Ring3 Debugger Detection via LDR_MODULE Debugging ap0x March 17 2006 March 18 2006
; #########################################################################
.586
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
DbgFoundTitle db "Debugger found:",0h
DbgFoundText db "Debugger has been found!",0h
DbgNotFoundTitle db "Debugger not found:",0h
DbgNotFoundText db "Debugger not found!",0h
; Number of 0FEEEFEEEh matches required before reporting a debugger.
; Lives in writable .data because the loop decrements it in place.
Tries db 30
Alloc dd ?                               ; unused
.code
start:
; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
;
; Entry:    start is the PE entry point; no arguments, never returns
;           (ExitProcess on both paths).
; Target:   32-bit Windows NT family only (relies on FS -> TEB, the x86
;           PEB layout and frame-based SEH).
; Clobbers: EAX, flags, Tries, FS:[0] (see _SehExit).
; How it decides: starting at PEB.Ldr (heap-allocated loader data) it scans
; forward one byte at a time for the debug-heap free-block fill pattern
; 0FEEEFEEEh. With a debugger present the pattern is there; without one the
; scan keeps going until it reads an unmapped page, the access violation
; reaches _SehExit, and "not found" is reported. The scan therefore has no
; bound of its own - termination depends entirely on the fault.
ASSUME FS:NOTHING                        ; allow FS:[...] operands without a segment assumption
; Install a minimal SEH frame: FS:[0] -> { previous handler, _SehExit }.
PUSH offset _SehExit
PUSH DWORD PTR FS:[0]
MOV FS:[0],ESP
; Get the PEB (FS:[30h] is TEB.ProcessEnvironmentBlock; the original comment
; said NtGlobalFlag, but that field is read nowhere in this example).
MOV EAX,DWORD PTR FS:[30h]
; Get LDR_MODULE: EAX = PEB.Ldr (offset 0Ch), pointer to PEB_LDR_DATA.
MOV EAX,DWORD PTR[EAX+12]
; The trick is here ;) If ring3 debugger is present memory will be allocated
; and it will contain 0xFEEEFEEE bytes at the end of alloc. This will only
; happen if ring3 debugger is present!
; If there is no debugger SEH will fire and take control.
; Note: This code works only on NT systems!
_loop:
INC EAX                                  ; advance one byte (DWORD reads below are unaligned)
CMP DWORD PTR[EAX],0FEEEFEEEh
JNE _loop
DEC [Tries]                              ; one more match; keep scanning until Tries hits 0
JNE _loop
; Found path. MessageBox(hWnd=0, lpText, lpCaption, uType=30h); 30h = MB_ICONWARNING.
; The SEH frame is still installed here; harmless only because ExitProcess follows.
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
PUSH 0
CALL ExitProcess                         ; ExitProcess(0); does not return
RET                                      ; unreachable
_Exit:
; Not-found path, reached from _SehExit. 40h = MB_ICONINFORMATION.
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
PUSH 0
CALL ExitProcess                         ; ExitProcess(0); does not return
RET                                      ; unreachable
_SehExit:
; Exception handler. The dispatcher calls it as
; handler(ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext).
; NOTE(review): at entry ESP points at the dispatcher's return address, not at
; the frame pushed above, so POP FS:[0] stores that return address as the
; "current handler" rather than restoring the previous one, and the dispatcher
; is never returned to - its stack is simply abandoned by JMP _Exit. This only
; holds together because _Exit calls ExitProcess almost immediately; any
; exception inside that MessageBox would hit a corrupt SEH chain. Confirm
; before reusing this pattern.
POP FS:[0]
ADD ESP,4
JMP _Exit
end start
TLS-CallBack +IsDebuggerPresent() Debugger Detection Debugging ap0x March 11 2006
; #########################################################################
.586
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger not found!",0h
DbgFoundText db "Debugger found!",0h
; TLS Structure {See PE Format info}
; This is an IMAGE_TLS_DIRECTORY32 (6 DWORDs = 18h bytes, the "size 0x18"
; mentioned below). Its fields are virtual addresses, hence `offset`:
dd offset Tls1                           ; StartAddressOfRawData
dd offset Tls2                           ; EndAddressOfRawData (Tls1+4: a 4-byte TLS template)
dd offset Tls3                           ; AddressOfIndex: loader stores the TLS slot index here
dd offset TlsCallBack                    ; AddressOfCallBacks: NULL-terminated array of callbacks
dd 0                                     ; SizeOfZeroFill
dd 0                                     ; Characteristics
Tls1 dd 0
Tls2 dd 0
Tls3 dd 0
TlsCallBack dd offset TLS                ; callback array: { TLS, NULL }
dd 0                                     ; array terminator
dd 0
.data?
; Set to 1 on the first callback invocation so the check runs once.
; .data? is zero-filled, so this starts at 0.
TLSCalled db ?
.code
start:
; MASM32 antiOllyDBG example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This example combines IsDebuggerPresent API with TLS-CallBack.
; TLS-CallBack is a part of TLS Structure and it is used for
; calling code execution before and after main application code execution.
; Change TLS Table to 0x00003046, size 0x18 with LordPE or xPELister
;
; The PE header has to be edited by hand so its TLS data directory points at
; the structure above. 0x00003046 is the RVA in the author's build; it shifts
; whenever .data changes, so recompute it after any edit.
; Entry point does nothing but exit: by the time a debugger stops here the
; TLS callback below has already run and shown its message box. That is the
; point of the example - the check executes before the entry point.
PUSH 0
CALL ExitProcess                         ; ExitProcess(0); does not return
RET                                      ; unreachable
; Code below is executed before .code section
TLS:
; TLS callback. The loader calls it as
; callback(DllHandle, Reason, Reserved) with stdcall convention.
; Clobbers: EAX (plus whatever IsDebuggerPresent/MessageBox clobber), TLSCalled.
; NOTE(review): a stdcall callee should end with `RET 12` to pop the three
; arguments; the plain `RET` below leaves them on the stack and apparently
; relies on the loader tolerating that - confirm before reusing.
; TLSCalled flag indicates that TLS is called only once on application
; initialization. It can be called on application exit again. This switch
; disables that.
; (The Reason argument at [ESP+8] - DLL_PROCESS_ATTACH and friends - would
; distinguish the calls without a flag, but the flag is what the author used.)
CMP BYTE PTR[TLSCalled],1
JE @exit                                 ; already ran once
MOV BYTE PTR[TLSCalled],1
CALL IsDebuggerPresent                   ; EAX = PEB.BeingDebugged, nonzero if set
CMP EAX,1
JE @DebuggerDetected
; Not-found path. MessageBox(hWnd=0, lpText, lpCaption, uType=40h); 40h = MB_ICONINFORMATION.
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
JMP @exit
@DebuggerDetected:
; 30h = MB_ICONWARNING.
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
@exit:
RET                                      ; back to the loader (see note on RET 12 above)
end start