Tuts 4 You

How To Call Kernel32.IsDebuggerPresent From Delphi?


This is some code I found on the Ap0x site, it's a debugger detection algorithm.

    .386
    .model flat, stdcall
    option casemap :none                ; case sensitive

    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib

    .data
    DbgNotFoundTitle db "Debugger status:",0h
    DbgFoundTitle    db "Debugger status:",0h
    DbgNotFoundText  db "Debugger not found!",0h
    DbgFoundText     db "Debugger found!",0h

    .code
    start:
        ; In this module "IsDebuggerPresent" is the import thunk, a
        ; JMP DWORD PTR [IAT slot] (FF 25 xx xx xx xx). Skip the two
        ; opcode bytes to get the slot's address, then dereference twice
        ; to land on the real entry point inside kernel32.
        LEA EAX, DWORD PTR [IsDebuggerPresent+2h]
        MOV EAX, DWORD PTR [EAX]        ; address of the IAT slot
        MOV EAX, DWORD PTR [EAX]        ; kernel32!IsDebuggerPresent
        ; The API begins with MOV EAX, FS:[...] whose first byte is the
        ; FS segment override 64h. A software breakpoint set on the API
        ; overwrites that byte with CCh, so anything else means "patched".
        CMP BYTE PTR [EAX], 64h
        JNE @DebuggerDetected
        PUSH 40h                        ; MB_ICONINFORMATION
        PUSH offset DbgNotFoundTitle
        PUSH offset DbgNotFoundText
        PUSH 0
        CALL MessageBox
        JMP @exit
    @DebuggerDetected:
        PUSH 30h                        ; MB_ICONWARNING
        PUSH offset DbgFoundTitle
        PUSH offset DbgFoundText
        PUSH 0
        CALL MessageBox
    @exit:
        PUSH 0
        CALL ExitProcess
    end start

I would like to add this to my Delphi project.

Please, can somebody explain to me how to?

I have tried for hours, without success.

Any help (or source code that works) will be greatly appreciated!

Regards, ChupaChu!

Well, it's assembly language, not Delphi.

You need the masm32 package in order to use that code.

But if you want to transfer it to Delphi, you just need one API.

The API is in kernel32.dll, and is called IsDebuggerPresent.

There is no setup for this API, and it returns True or False.

call IsDebuggerPresent

True = Debugger is Present.

Edited by Fungus

  • Author

If I had searched 5 more minutes I would not have needed to post this ;)

Anyway, this is the way I found:

declare:

function IsDebuggerPresent : boolean; stdcall; external kernel32 name 'IsDebuggerPresent';

use:

if IsDebuggerPresent then
begin
  asm
    push 0            // exit code for ExitProcess
    call ExitProcess
  end;
end;

And it works :)

Thanks for your help!

p.s

looking for anti dede tricks..
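The MASM routine from the first post translated to Delphi, as an added example that is not part of the original thread or the Ap0x code. The MASM version reaches kernel32!IsDebuggerPresent by reading the JMP operand of the import thunk (the LEA/MOV/MOV chain); here GetProcAddress gives that address directly, and the same two checks are then applied: does the first byte of the API still read $64, and does the API itself return TRUE. Assumptions: a 32-bit Delphi build on x86 Windows, and that the $64 prologue holds for the kernel32 build you run on (the program reports a different prologue separately instead of treating it as proof of a debugger, which is where it departs from the MASM logic):

```delphi
program DbgCheck;
{$APPTYPE CONSOLE}
// Added example, not code from the original post. 32-bit only, like the
// MASM original (the $64 prologue check is specific to the x86 kernel32).
uses
  Windows, SysUtils;

type
  TIsDebuggerPresent = function: BOOL; stdcall;

// The real entry point inside kernel32 (GetProcAddress follows a forwarder),
// not this module's import stub, so the bytes inspected are the API's own.
function ResolveIsDebuggerPresent: Pointer;
begin
  Result := GetProcAddress(GetModuleHandle('kernel32.dll'), 'IsDebuggerPresent');
end;

// First opcode byte of the routine. $64 (FS segment override of the
// MOV EAX,FS:[...] prologue) on the kernel32 builds the MASM snippet targets;
// assumption: newer builds may start the export differently.
function FirstByte(Entry: Pointer): Byte;
begin
  Result := PByte(Entry)^;
end;

// An INT3 placed on the API replaces its first byte with $CC.
function HasSoftwareBreakpoint(Entry: Pointer): Boolean;
begin
  Result := FirstByte(Entry) = $CC;
end;

// Call through the resolved pointer so a patched import thunk in our own
// module cannot redirect the call.
function ApiReportsDebugger(Entry: Pointer): Boolean;
var
  Fn: TIsDebuggerPresent;
begin
  Fn := TIsDebuggerPresent(Entry);
  Result := Fn();
end;

var
  Entry: Pointer;
  Detected: Boolean;
begin
  Entry := ResolveIsDebuggerPresent;
  if Entry = nil then
  begin
    WriteLn('kernel32 does not export IsDebuggerPresent');
    Halt(1);
  end;

  WriteLn(Format('IsDebuggerPresent at %p, first byte $%.2x', [Entry, FirstByte(Entry)]));
  if FirstByte(Entry) <> $64 then
    WriteLn('prologue differs from the $64 the MASM check expects; unknown, not proof of a debugger');

  Detected := HasSoftwareBreakpoint(Entry) or ApiReportsDebugger(Entry);

  // Same icons as the MASM version: 30h = MB_ICONWARNING, 40h = MB_ICONINFORMATION
  if Detected then
    MessageBox(0, 'Debugger found!', 'Debugger status:', MB_ICONWARNING)
  else
    MessageBox(0, 'Debugger not found!', 'Debugger status:', MB_ICONINFORMATION);
end.
```

Run it once normally and once under a debugger with a breakpoint on IsDebuggerPresent to see the two checks fire independently: the breakpoint check only needs to read one byte and never calls the API, so it still works when a plugin has hooked the API to return FALSE.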

Give these a shot! I hope it helps bro :)

program adebug;

uses
  Windows,
  untfunc in 'untfunc.pas';

var
  lStartTime: DWORD;   // GetTickCount returns a DWORD

begin
  lStartTime := GetTickCount;

  // First make sure none of the check routines themselves carry an INT3.
  // Note: @IsDebuggerPresent is untfunc's wrapper, not kernel32's export,
  // so a breakpoint on the API itself is not caught here.
  If IsBPX(@IsDebuggerPresent) Then ExitProcess(0);
  If IsBPX(@IsSICENTLoaded) Then ExitProcess(0);
  If IsBPX(@IsODBGLoaded) Then ExitProcess(0);
  If IsBPX(@FoolProcDump) Then ExitProcess(0);

  // Then run the checks
  If IsDebuggerPresent Then ExitProcess(0);
  If IsSICENTLoaded Then ExitProcess(0);
  If IsODBGLoaded Then ExitProcess(0);
  FoolProcDump;

  // Timing check: single-stepping through the above takes far longer than 5 s
  If ((GetTickCount - lStartTime) > 5000) Then ExitProcess(0);

  MessageBox(0, 'Test', 'Test', MB_OK);
end.

unit untfunc;

interface

uses
  Windows;

function IsSICENTLoaded: Boolean;
function IsBPX(address: Pointer): Boolean;
function IsODBGLoaded: Boolean;
procedure FoolProcDump;
function IsDebuggerPresent(): Boolean;

implementation

// Calls kernel32!IsDebuggerPresent through GetProcAddress, so the unit also
// builds on a Delphi whose Windows unit does not declare the API.
function IsDebuggerPresent(): Boolean;
type
  TDebugProc = function(): BOOL; stdcall;
var
  FMODULE: HMODULE;
  Proc: TDebugProc;
begin
  Result := False;
  FMODULE := LoadLibrary('kernel32.dll');
  if FMODULE <> 0 then
  begin
    @Proc := GetProcAddress(FMODULE, 'IsDebuggerPresent');
    if Assigned(Proc) then
      Result := Proc();
    FreeLibrary(FMODULE);
  end;
end;

// SoftICE (NT flavour) registers the \\.\NTICE device; opening it succeeds
// only while the driver is loaded.
function IsSICENTLoaded: Boolean;
var
  hFile: THandle;
begin
  hFile := CreateFile('\\.\NTICE', GENERIC_READ or GENERIC_WRITE,
    FILE_SHARE_READ or FILE_SHARE_WRITE, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  Result := hFile <> INVALID_HANDLE_VALUE;
  if Result then
    CloseHandle(hFile);   // don't leak the device handle
end;

// Despite the name this is not OllyDbg-specific: it reads PEB.BeingDebugged
// (FS:[30h] -> PEB, byte at offset 2), the same flag kernel32!IsDebuggerPresent
// returns, without going through the API. Pure-asm function, result in AL.
function IsODBGLoaded: Boolean;
asm
  mov eax, fs:[$30]               // PEB
  movzx eax, byte ptr [eax+2]     // PEB.BeingDebugged
  test al, al
  setne al                        // Result := BeingDebugged <> 0
end;

// True if the first byte at address is CCh (INT3), i.e. a software breakpoint
// sits on the routine. Pure-asm function: address arrives in EAX (register
// calling convention), the Boolean result leaves in AL. Uses no callee-saved
// register, so nothing has to be preserved.
function IsBPX(address: Pointer): Boolean;
asm
  mov al, byte ptr [eax]          // first opcode byte of the routine
  cmp al, $CC                     // is it INT3?
  sete al                         // Result := (opcode = $CC)
end;

// Walks PEB -> Ldr -> InLoadOrderModuleList.Flink (the LDR_DATA_TABLE_ENTRY
// of the exe itself) and adds $2000 to its SizeOfImage, so a dumper that
// trusts the loader's image size reads past the image and fails or produces
// a bad dump. 32-bit offsets only.
procedure FoolProcDump;
asm
  mov eax, fs:[$30]               // PEB
  mov eax, [eax+$C]               // PEB.Ldr (PEB_LDR_DATA)
  mov eax, [eax+$C]               // Ldr.InLoadOrderModuleList.Flink = first entry (the exe)
  add dword ptr [eax+$20], $2000  // entry.SizeOfImage += $2000
end;

end.

delphi_dbg.rar


// needs Windows and Messages in the uses clause
Procedure Anti_DeDe();
var
  DeDeHandle: THandle;
  i: Integer;
begin
  // chr($64)+chr($65)+chr($64)+chr($65) = 'dede', built at runtime so the
  // string is not visible in the data section
  DeDeHandle := FindWindow(nil, chr($64)+chr($65)+chr($64)+chr($65));
  if DeDeHandle <> 0 then
  begin
    For i := 1 to 4500 do
      SendMessage(DeDeHandle, WM_CLOSE, 0, 0);
  end;
end;

If you want anti-loader, anti-FileMon/RegMon etc., have a look here (it's a Chinese blog, but it's the code you're after):

http://www.xwind.cn/blogview.asp?logID=296&cateID=2
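The snippet above only matches a top-level window whose caption is exactly 'dede'. As an added example (editor's code, not s0me0ne's), here is the same idea done with EnumWindows so the match is a case-insensitive substring of either the caption or the class name. The needle 'dede' is taken from the snippet; that DeDe's window actually carries it in its caption or class is an assumption, so check with a window spy before relying on it:

```delphi
program FindToolWindows;
{$APPTYPE CONSOLE}
// Added example, not the snippet from the thread. Enumerates top-level windows
// and matches a needle case-insensitively against caption and class name.
uses
  Windows, Messages, SysUtils;

type
  PSearch = ^TSearch;
  TSearch = record
    Needle: string;   // upper-cased substring to look for
    Found: HWND;      // first matching top-level window, 0 if none
  end;

// EnumWindows callback: returning False stops the enumeration on first match.
function MatchWindow(Wnd: HWND; Param: LPARAM): BOOL; stdcall;
var
  S: PSearch;
  Caption, ClassName: array[0..255] of Char;
begin
  S := PSearch(Param);
  GetWindowText(Wnd, Caption, Length(Caption));
  GetClassName(Wnd, ClassName, Length(ClassName));
  if (Pos(S.Needle, UpperCase(Caption)) > 0) or
     (Pos(S.Needle, UpperCase(ClassName)) > 0) then
  begin
    S.Found := Wnd;
    Result := False;
  end
  else
    Result := True;
end;

// Generalisation of FindWindow(nil, 'dede'): substring match, any case,
// caption or class.
function FindWindowContaining(const Needle: string): HWND;
var
  S: TSearch;
begin
  S.Needle := UpperCase(Needle);
  S.Found := 0;
  EnumWindows(@MatchWindow, LPARAM(@S));
  Result := S.Found;
end;

var
  H: HWND;
begin
  H := FindWindowContaining('dede');   // assumption: DeDe's caption or class contains this
  if H = 0 then
    WriteLn('no matching window')
  else
  begin
    WriteLn('matching window found: $' + IntToHex(H, 8) + ', asking it to close');
    PostMessage(H, WM_CLOSE, 0, 0);    // one WM_CLOSE is enough; the 4500-iteration loop is not needed
  end;
end.
```

A tool that renames its window defeats any caption match, which is why the author of the thread found the caption-only check "not good enough"; the class name is a second, slightly harder to change, handle on the same window.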

  • Author

Anti_DeDe procedure you wrote is interesting, but not good enough :)

The link is great, though!!!

Thanks for that!

  • Author

Yes, thank you, it's helpful, but it is rather outdated, almost all debuggers pass it without problems :)

I have a question concerning this code:

procedure FoolProcDump;
asm
  mov eax, fs:[$30]
  mov eax, [eax+$C]
  mov eax, [eax+$C]
  add dword ptr [eax+$20], $2000
end;

Can you or anyone explain to me what it does?

I am not very skilled in asm, so maybe I am asking stupid things, hope you won't take that against me :)

Regards ChupaChu!


ChupaChu

Hey bud, uh, it's supposed to prevent the file from being dumped after it's active inside a debugger. FoolProcDump doesn't work anymore as there are many ways around this.

That's about all I can tell you. Sorry for the long-awaited reply, I've been working on D1S1G trying to get 1.1 beta finished up.

s0me0ne

Thanks for that Anti_DeDe snippet, I think I'm going to use this in my project. I'll be sure to thank you for posting it. :)

Edited by D1N
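To make the three offsets in FoolProcDump concrete, here is an added example (editor's code, not from D1N's archive or anywhere in the thread) that walks the same chain through named record fields and prints what the routine changes. The record layouts are the 32-bit PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY prefixes as publicly documented, with only the fields up to the ones used named, and the program assumes a 32-bit Delphi build running on x86 Windows; it sanity-checks that the first in-load-order entry really is this executable before touching it, since it is editing the loader's own bookkeeping:

```delphi
program PebSizeOfImage;
{$APPTYPE CONSOLE}
// Added example, not code from the thread. 32-bit layouts (assumed from the
// public PEB documentation); the comments give the offsets FoolProcDump uses.
uses
  Windows, SysUtils;

type
  TLinks = packed record                // LIST_ENTRY
    Flink, Blink: Pointer;
  end;

  PPebLdrData = ^TPebLdrData;
  TPebLdrData = packed record           // PEB_LDR_DATA prefix
    Length: Cardinal;                   // +$00
    Initialized: LongBool;              // +$04
    SsHandle: Pointer;                  // +$08
    InLoadOrderModuleList: TLinks;      // +$0C  <- second "mov eax,[eax+$C]" reads .Flink
  end;

  PLdrDataTableEntry = ^TLdrDataTableEntry;
  TLdrDataTableEntry = packed record    // LDR_DATA_TABLE_ENTRY prefix
    InLoadOrderLinks: TLinks;           // +$00
    InMemoryOrderLinks: TLinks;         // +$08
    InInitializationOrderLinks: TLinks; // +$10
    DllBase: Pointer;                   // +$18
    EntryPoint: Pointer;                // +$1C
    SizeOfImage: Cardinal;              // +$20  <- "add dword ptr [eax+$20],$2000"
  end;

  PPeb = ^TPeb;
  TPeb = packed record                  // PEB prefix
    InheritedAddressSpace: Byte;        // +$00
    ReadImageFileExecOptions: Byte;     // +$01
    BeingDebugged: Byte;                // +$02  <- what IsDebuggerPresent / IsODBGLoaded read
    SpareBool: Byte;                    // +$03
    Mutant: Pointer;                    // +$04
    ImageBaseAddress: Pointer;          // +$08
    Ldr: PPebLdrData;                   // +$0C  <- first "mov eax,[eax+$C]"
  end;

// Same as the first instruction of FoolProcDump.
function GetPeb: PPeb;
asm
  mov eax, fs:[$30]
end;

var
  Peb: PPeb;
  Entry: PLdrDataTableEntry;
begin
  Peb := GetPeb;
  WriteLn('PEB.BeingDebugged = ', Peb.BeingDebugged);

  // PEB -> Ldr -> InLoadOrderModuleList.Flink: the first entry in load order
  // is the executable itself, which is the entry FoolProcDump modifies.
  Entry := PLdrDataTableEntry(Peb.Ldr.InLoadOrderModuleList.Flink);
  if Entry.DllBase <> Pointer(GetModuleHandle(nil)) then
  begin
    WriteLn('first Ldr entry is not this exe, not touching it');
    Halt(1);
  end;

  WriteLn(Format('exe DllBase=%p SizeOfImage before: $%x', [Entry.DllBase, Entry.SizeOfImage]));
  Inc(Entry.SizeOfImage, $2000);       // exactly what FoolProcDump does
  WriteLn(Format('exe SizeOfImage after:  $%x', [Entry.SizeOfImage]));
end.
```

The value being inflated is only the loader's record of the image size, not the mapping itself, so the process keeps running; a dumper that reads SizeOfImage from this entry will try to copy $2000 bytes past the end of the image. Anything that takes the size from the PE header in memory, or from VirtualQuery, is unaffected, which is the "many ways around this" mentioned above.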
