Tuts 4 You

How To Call Kernel32.isdebuggerpresent From Delphi?


ChupaChu


Posted

This is some code I found on Ap0x's site; it's a debugger detection algorithm.

    .386                                    ; required before .model flat
    .model flat, stdcall
    option casemap :none

    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib

    .data
    DbgNotFoundTitle db "Debugger status:",0h
    DbgFoundTitle    db "Debugger status:",0h
    DbgNotFoundText  db "Debugger not found!",0h
    DbgFoundText     db "Debugger found!",0h

    .code
    start:
        ; IsDebuggerPresent here is the linker's import stub (jmp dword ptr [IAT slot]),
        ; so the dword at +2 is the address of the IAT slot holding the real API address
        LEA EAX, DWORD PTR [IsDebuggerPresent+2h]
        MOV EAX, DWORD PTR [EAX]        ; address of the IAT slot
        MOV EAX, DWORD PTR [EAX]        ; address of kernel32!IsDebuggerPresent
        CMP BYTE PTR [EAX], 64h         ; first byte of "mov eax, fs:[18h]" on 32-bit Windows
        JNE @DebuggerDetected           ; anything else (e.g. CCh) means a breakpoint or a patch
        PUSH 40h                        ; MB_ICONINFORMATION
        PUSH offset DbgNotFoundTitle
        PUSH offset DbgNotFoundText
        PUSH 0
        CALL MessageBox
        JMP @exit
    @DebuggerDetected:
        PUSH 30h                        ; MB_ICONWARNING
        PUSH offset DbgFoundTitle
        PUSH offset DbgFoundText
        PUSH 0
        CALL MessageBox
    @exit:
        PUSH 0
        CALL ExitProcess
    end start

I would like to add this to my Delphi project.

Please, can somebody explain to me how to!?

I have tried for hours, without success.

Any help (or source code that works) will be greatly appreciated!

Regards, ChupaChu!

Posted (edited)

Well, it's assembly language, not Delphi.

You need the MASM32 package in order to use that code.

But if you want to transfer it to Delphi, you just need one API.

The API is in kernel32.dll and is called IsDebuggerPresent.

There is no setup for this API, and it returns True or False.

call IsDebuggerPresent

True = Debugger is Present.

Edited by Fungus
Posted

If I had searched 5 more minutes I would not have needed to post this ;)

Anyway, this is the way I found:

declare:

function IsDebuggerPresent: Boolean; stdcall; external kernel32 name 'IsDebuggerPresent';

use:

if IsDebuggerPresent then
begin
  asm
    PUSH 0              // exit code; ExitProcess takes one argument
    CALL ExitProcess
  end;
end;

And it works :)

Thanks for your help!

P.S.

Looking for anti-DeDe tricks..

Posted

Give these a shot! I hope it helps bro :)

program adebug;

uses
  Windows,
  untfunc in 'untfunc.pas';   // listed after Windows, so its IsDebuggerPresent wrapper is the one used below

var
  lStartTime: DWORD;

begin
  lStartTime := GetTickCount;

  // a CCh as the first byte of one of our own checks means a breakpoint was set on it
  if IsBPX(@IsDebuggerPresent) then ExitProcess(0);
  if IsBPX(@IsSICENTLoaded) then ExitProcess(0);
  if IsBPX(@IsODBGLoaded) then ExitProcess(0);
  if IsBPX(@FoolProcDump) then ExitProcess(0);

  if IsDebuggerPresent then ExitProcess(0);
  if IsSICENTLoaded then ExitProcess(0);
  if IsODBGLoaded then ExitProcess(0);
  FoolProcDump;

  // single-stepping through the checks above takes far longer than 5 seconds
  if (GetTickCount - lStartTime) > 5000 then ExitProcess(0);

  MessageBox(0, 'Test', 'Test', MB_OK);
end.

unit untfunc;

interface

uses
  Windows;

function IsSICENTLoaded: Boolean;
function IsBPX(address: Pointer): Boolean;
function IsODBGLoaded: Boolean;
procedure FoolProcDump;
function IsDebuggerPresent: Boolean;

implementation

// kernel32!IsDebuggerPresent resolved at run time instead of a static import
function IsDebuggerPresent: Boolean;
type
  TDebugProc = function: Boolean; stdcall;
var
  FMODULE: HMODULE;
  Proc: TDebugProc;
begin
  Result := False;
  FMODULE := LoadLibrary('kernel32.dll');
  if FMODULE <> 0 then
  begin
    @Proc := GetProcAddress(FMODULE, 'IsDebuggerPresent');
    if Assigned(Proc) then
      Result := Proc;
    FreeLibrary(FMODULE);
  end;
end;

// SoftICE for NT registers the NTICE device; opening it only succeeds when the driver is loaded
function IsSICENTLoaded: Boolean;
var
  hFile: THandle;
begin
  hFile := CreateFile('\\.\NTICE', GENERIC_READ or GENERIC_WRITE,
    FILE_SHARE_READ or FILE_SHARE_WRITE, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  Result := hFile <> INVALID_HANDLE_VALUE;
  if Result then
    CloseHandle(hFile);   // do not leak the device handle
end;

// Despite the name this does not look for OllyDbg specifically: it reads
// PEB.BeingDebugged, the same flag kernel32!IsDebuggerPresent returns.
// Pure asm body, so no Pascal locals or exception frame are bypassed by the ret.
function IsODBGLoaded: Boolean;
asm
  mov eax, fs:[$30]              // TEB.ProcessEnvironmentBlock
  movzx eax, byte ptr [eax+$2]   // PEB.BeingDebugged
  test eax, eax
  setnz al                       // Result := flag <> 0
end;

// Reads the first opcode byte of a routine: CCh (INT3) means a software
// breakpoint has been planted on it. Pure asm body so the result really is
// returned in AL and no callee-saved register (ESI etc.) is clobbered.
function IsBPX(address: Pointer): Boolean;
asm
  // register calling convention: address arrives in EAX
  mov al, [eax]          // load the opcode
  cmp al, $CC            // is it CCh?
  sete al                // Result := True if a breakpoint was found
end;

// Walks PEB -> Ldr -> first in-load-order entry (the main executable) and
// adds 2000h to its SizeOfImage, so a dumper that trusts the loader's size
// field writes an oversized, broken image
procedure FoolProcDump;
asm
  mov eax, fs:[$30]                  // TEB.ProcessEnvironmentBlock
  mov eax, [eax+$C]                  // PEB.Ldr
  mov eax, [eax+$C]                  // Ldr.InLoadOrderModuleList.Flink = main exe's LDR_DATA_TABLE_ENTRY
  add dword ptr [eax+$20], $2000     // LDR_DATA_TABLE_ENTRY.SizeOfImage += 2000h
end;

end.

delphi_dbg.rar
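A Delphi version of the first-byte check, added here as an example (it is not code from the thread, from Ap0x or from the attached archive): the MASM snippet in the first post dereferences the import stub and the IAT to reach the real kernel32!IsDebuggerPresent and compares its first byte with 64h, and IsBPX above does the same test for CCh. In Delphi the two dereferences collapse into one GetProcAddress call. The expected first byte $64 is the start of mov eax, fs:[18h] on 32-bit Windows, which is what the original check relies on; the function name, the TPrologueState type and the console output are my additions. Unlike the page's code, the example reports why the check fired, which is the information an analyst wants when an anti-debug check triggers on a clean machine.

```pascal
program ApiPrologueCheck;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

type
  TPrologueState = (psClean, psInt3Breakpoint, psPatched, psNotFound);

const
  // Assumption taken from the page: 32-bit kernel32!IsDebuggerPresent begins
  // with 64 A1 18 00 00 00 (mov eax, fs:[18h]), so its first byte is $64.
  EXPECTED_FIRST_BYTE = $64;

// Resolve the real API through GetProcAddress (the Delphi equivalent of the
// MASM code's "LEA ... +2h" followed by two MOV EAX,[EAX]) and classify the
// first opcode byte. Hypothetical helper written for this example.
function CheckApiPrologue(const ModuleName, ProcName: string;
  ExpectedFirstByte: Byte; out FirstByte: Byte): TPrologueState;
var
  hMod: HMODULE;
  Proc: Pointer;
begin
  FirstByte := 0;
  Result := psNotFound;
  hMod := GetModuleHandle(PChar(ModuleName));   // kernel32 is always loaded; no LoadLibrary needed
  if hMod = 0 then Exit;
  Proc := GetProcAddress(hMod, PChar(ProcName));
  if Proc = nil then Exit;
  FirstByte := PByte(Proc)^;
  if FirstByte = ExpectedFirstByte then
    Result := psClean
  else if FirstByte = $CC then
    Result := psInt3Breakpoint   // INT3 planted by a debugger (the case IsBPX tests for)
  else
    Result := psPatched;         // e.g. a JMP written by a hook or an anti-anti-debug plugin
end;

const
  StateNames: array[TPrologueState] of string =
    ('clean', 'INT3 breakpoint', 'patched/hooked', 'not found');

var
  State: TPrologueState;
  B: Byte;
begin
  State := CheckApiPrologue('kernel32.dll', 'IsDebuggerPresent', EXPECTED_FIRST_BYTE, B);
  WriteLn(Format('IsDebuggerPresent first byte: %.2Xh -> %s', [B, StateNames[State]]));
  // The flag the API itself reads (PEB.BeingDebugged), via the Windows unit's declaration
  if IsDebuggerPresent then
    WriteLn('PEB.BeingDebugged is set')
  else
    WriteLn('PEB.BeingDebugged is clear');
end.
```

The example is 32-bit only, like everything else in this thread; on 64-bit Windows the prologue bytes differ and the hard-coded $64 would have to be replaced.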

Posted

procedure Anti_DeDe;
var
  DeDeHandle: THandle;
  i: Integer;
begin
  // chr($64)+chr($65)+chr($64)+chr($65) spells the window title 'dede' without
  // leaving the plain string in the binary
  DeDeHandle := FindWindow(nil, PChar(chr($64) + chr($65) + chr($64) + chr($65)));
  if DeDeHandle <> 0 then
  begin
    for i := 1 to 4500 do
      SendMessage(DeDeHandle, WM_CLOSE, 0, 0);
  end;
end;

If you want anti-loader, anti-FileMon/RegMon etc., have a look here (it's a Chinese blog, but it's the code you're after):

http://www.xwind.cn/blogview.asp?logID=296&cateID=2

Posted

The Anti_DeDe procedure you wrote is interesting, but not good enough :)

The link is great, though!!!

Thanks for that!

Posted

Yes, thank you, it's helpful, but it is rather outdated; almost all debuggers pass it without problems :)

I have a question concerning this code:

procedure FoolProcDump;
asm
  mov eax, fs:[$30]
  mov eax, [eax+$C]
  mov eax, [eax+$C]
  add dword ptr [eax+$20], $2000
end;

Can you or anyone explain to me what it does!?

I am not very skilled in asm, so maybe I am asking stupid things; I hope you won't take that against me :)

Regards ChupaChu!

Posted (edited)

ChupaChu

Hey bud, uh, it's supposed to prevent the file from being dumped after it's active inside a debugger. FoolProcDump doesn't work anymore as there are many ways around this.

That's about all I can tell you. Sorry for the long-awaited reply; I've been working on D1S1G trying to get 1.1 beta finished up.

s0me0ne

Thanks for that AntiDeDe snippet, I think I'm going to use this in my project. I'll be sure to thank you for posting it. :)

Edited by D1N
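To make the four hard-coded offsets in FoolProcDump concrete, here is an added example (not D1N's or s0me0ne's code). It walks the same path, fs:[$30] -> PEB.Ldr -> first in-load-order entry -> SizeOfImage, with named record fields instead of raw offsets, and, rather than modifying the field, compares the loader's copy with the SizeOfImage in the mapped PE header. A mismatch between the two is exactly the trace a FoolProcDump-style patch leaves, so this is the consistency check a dumper or an analyst would use to see through it. The record layouts are the publicly known 32-bit PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY layouts; they are undocumented, are declared here only up to the fields used, and are assumed to match the offsets the page uses ($C, $C, $20). The function names are mine; the example is Win32 only.

```pascal
program LdrSizeOfImageCheck;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

type
  // Minimal constructed views of the 32-bit loader structures. Offsets in the
  // comments are the ones FoolProcDump hard-codes.
  TListEntry32 = packed record
    Flink, Blink: Pointer;
  end;

  PPebLdrData = ^TPebLdrData;
  TPebLdrData = packed record
    Length: DWORD;                             // +$00
    Initialized: DWORD;                        // +$04  (BOOLEAN plus padding)
    SsHandle: Pointer;                         // +$08
    InLoadOrderModuleList: TListEntry32;       // +$0C  <- second [eax+$C]
  end;

  PLdrDataTableEntry = ^TLdrDataTableEntry;
  TLdrDataTableEntry = packed record
    InLoadOrderLinks: TListEntry32;            // +$00  (Flink above points here)
    InMemoryOrderLinks: TListEntry32;          // +$08
    InInitializationOrderLinks: TListEntry32;  // +$10
    DllBase: Pointer;                          // +$18
    EntryPoint: Pointer;                       // +$1C
    SizeOfImage: DWORD;                        // +$20  <- the field FoolProcDump adds $2000 to
  end;

  PPeb = ^TPeb;
  TPeb = packed record
    InheritedAddressSpace: Byte;               // +$00
    ReadImageFileExecOptions: Byte;            // +$01
    BeingDebugged: Byte;                       // +$02  (what IsDebuggerPresent returns)
    SpareBool: Byte;                           // +$03
    Mutant: Pointer;                           // +$04
    ImageBaseAddress: Pointer;                 // +$08
    Ldr: PPebLdrData;                          // +$0C  <- first [eax+$C]
  end;

// fs:[$30] is TEB.ProcessEnvironmentBlock, exactly as in the page's asm
function GetPeb: PPeb;
asm
  mov eax, fs:[$30]
end;

// SizeOfImage as the loader recorded it for the main executable, which is the
// first entry of the in-load-order list
function LoaderSizeOfImage: DWORD;
var
  Entry: PLdrDataTableEntry;
begin
  Entry := PLdrDataTableEntry(GetPeb^.Ldr^.InLoadOrderModuleList.Flink);
  Result := Entry^.SizeOfImage;
end;

// SizeOfImage as the mapped PE header of the same module states it
function HeaderSizeOfImage: DWORD;
var
  Base: Pointer;
  Nt: PImageNtHeaders;
begin
  Base := Pointer(GetModuleHandle(nil));
  // PAnsiChar arithmetic advances by one byte in every Delphi version
  Nt := PImageNtHeaders(PAnsiChar(Base) + PImageDosHeader(Base)^._lfanew);
  Result := Nt^.OptionalHeader.SizeOfImage;
end;

var
  LdrSize, HdrSize: DWORD;
begin
  LdrSize := LoaderSizeOfImage;
  HdrSize := HeaderSizeOfImage;
  WriteLn(Format('Loader SizeOfImage : %.8Xh', [LdrSize]));
  WriteLn(Format('Header SizeOfImage : %.8Xh', [HdrSize]));
  if LdrSize <> HdrSize then
    WriteLn('Mismatch: the loader entry was altered (FoolProcDump-style patch)')
  else
    WriteLn('Consistent: loader and PE header agree');
end.
```

Run as-is the two values agree; if FoolProcDump from untfunc is called first, the loader value comes out 2000h larger, which is what a dumper that trusts the loader's field rather than the PE header would act on.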
