ChupaChu Posted September 5, 2007

This is some code I found on Ap0x's site; it's a debugger detection algorithm.

.model flat, stdcall
option casemap :none ; case sensitive

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle    db "Debugger status:",0h
DbgNotFoundText  db "Debugger not found!",0h
DbgFoundText     db "Debugger found!",0h

.code
start:
    ; IsDebuggerPresent here is the import thunk: FF 25 <IAT slot>  (jmp dword ptr [slot])
    LEA EAX, DWORD PTR [IsDebuggerPresent+2h]   ; EAX = address of the IAT slot (the jmp operand)
    MOV EAX, DWORD PTR [EAX]                    ; EAX = contents of the slot = kernel32!IsDebuggerPresent
    MOV EAX, DWORD PTR [EAX]                    ; EAX = first bytes of the real function
    CMP BYTE PTR [EAX], 64h                     ; 64h = FS: prefix of "mov eax, fs:[18h]"; CCh or anything else means patched
    JNE @DebuggerDetected

    PUSH 40h                                    ; MB_ICONINFORMATION
    PUSH offset DbgNotFoundTitle
    PUSH offset DbgNotFoundText
    PUSH 0
    CALL MessageBox
    JMP @exit

@DebuggerDetected:
    PUSH 30h                                    ; MB_ICONWARNING
    PUSH offset DbgFoundTitle
    PUSH offset DbgFoundText
    PUSH 0
    CALL MessageBox

@exit:
    PUSH 0
    CALL ExitProcess
end start

I would like to add this to my Delphi project. Please, can somebody explain to me how to? I have tried for hours without success. Any help (or source code that works) will be greatly appreciated! Regards, ChupaChu!
Fungus Posted September 5, 2007 (edited)

Well, it's assembly language, not Delphi. You need the masm32 package in order to use that code. But if you want to transfer it to Delphi, you just need one API. The API is in kernel32.dll and is called IsDebuggerPresent. There is no setup for this API, and it returns True or False.

call IsDebuggerPresent

True = debugger is present.

Edited September 5, 2007 by Fungus
ChupaChu (Author) Posted September 5, 2007

Well, it's assembly language, not Delphi. You need the masm32 package in order to use that code. But if you want to transfer it to Delphi, you just need one API. The API is in kernel32.dll and is called IsDebuggerPresent. There is no setup for this API, and it returns True or False. call IsDebuggerPresent. True = debugger is present.

If I had searched 5 more minutes I would not have needed to post this. Anyway, this is the way I found:

declare:

function IsDebuggerPresent: Boolean; stdcall; external kernel32 name 'IsDebuggerPresent';

use:

if IsDebuggerPresent = True then
begin
  asm
    PUSH 0            // exit code for ExitProcess
    CALL ExitProcess
  end;
end;

And it works. Thanks for your help!

P.S. Looking for anti-DeDe tricks.
D1N Posted September 6, 2007

Give these a shot! I hope it helps bro

program adebug;

uses
  Windows,
  untfunc in 'untfunc.pas';

var
  lStartTime: DWORD;

begin
  lStartTime := GetTickCount;
  // A software breakpoint (CCh) on the entry of one of our own checks means someone is stepping them
  if IsBPX(@IsDebuggerPresent) then ExitProcess(0);
  if IsBPX(@IsSICENTLoaded) then ExitProcess(0);
  if IsBPX(@IsODBGLoaded) then ExitProcess(0);
  if IsBPX(@FoolProcDump) then ExitProcess(0);
  if IsDebuggerPresent then ExitProcess(0);
  if IsSICENTLoaded then ExitProcess(0);
  if IsODBGLoaded then ExitProcess(0);
  FoolProcDump;
  // Timing check: single-stepping through the checks above takes far longer than 5 seconds
  if (GetTickCount - lStartTime) > 5000 then ExitProcess(0);
  MessageBox(0, 'Test', 'Test', MB_OK);
end.

unit untfunc;

interface

uses
  Windows;

function IsSICENTLoaded: Boolean;
function IsBPX(address: Pointer): Boolean;
function IsODBGLoaded: Boolean;
procedure FoolProcDump;
function IsDebuggerPresent: Boolean;

implementation

// Resolve kernel32!IsDebuggerPresent at run time so it does not show up in the import table
function IsDebuggerPresent: Boolean;
type
  TDebugProc = function: BOOL; stdcall;
var
  FMODULE: HMODULE;
  Proc: TDebugProc;
begin
  Result := False;
  FMODULE := LoadLibrary('kernel32.dll');
  if FMODULE <> 0 then
  begin
    @Proc := GetProcAddress(FMODULE, 'IsDebuggerPresent');
    if Assigned(Proc) then
      Result := Proc();
    FreeLibrary(FMODULE);
  end;
end;

// SoftICE for NT creates the \\.\NTICE device; if it can be opened the driver is loaded
function IsSICENTLoaded: Boolean;
var
  hFile: THandle;
begin
  hFile := CreateFile('\\.\NTICE', GENERIC_READ or GENERIC_WRITE,
    FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING,
    FILE_ATTRIBUTE_NORMAL, 0);
  Result := hFile <> INVALID_HANDLE_VALUE;
  if Result then
    CloseHandle(hFile);   // release the device handle instead of leaking it
end;

// Despite the name this is not OllyDbg-specific: it reads PEB.BeingDebugged
// (FS:[30h] = PEB, byte at offset 2), the same flag IsDebuggerPresent returns
function IsODBGLoaded: Boolean;
asm
  mov eax, fs:[$30]              // PEB
  movzx eax, byte ptr [eax+$2]   // BeingDebugged; Boolean result is returned in AL
end;

// A software breakpoint is set by writing INT3 (CCh) over the first byte of a
// function, so a function whose first byte is CCh has a breakpoint on it
function IsBPX(address: Pointer): Boolean;
asm
  // register calling convention: address arrives in EAX; no ESI/EDI/EBX touched
  cmp byte ptr [eax], $CC
  sete al                        // AL = 1 if CCh was found, else 0
end;

// Walks FS:[30h] (PEB) -> +0Ch (PEB_LDR_DATA) -> +0Ch (InLoadOrderModuleList.Flink,
// the LDR_DATA_TABLE_ENTRY of the exe itself) -> +20h (SizeOfImage) and adds 2000h.
// Dumpers that trust SizeOfImage then read past the real image and fail.
procedure FoolProcDump;
asm
  mov eax, fs:[$30]
  mov eax, [eax+$C]
  mov eax, [eax+$C]
  add dword ptr [eax+$20], $2000
end;

end.

delphi_dbg.rar
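The walk the MASM snippet in the first post performs (thunk, then IAT slot, then the function's first bytes) and the single-byte CCh test in D1N's IsBPX, reconstructed as an added example in C that is not code from this thread or from Ap0x. It runs over a hand-built image rather than a live process, so it works on any host, and it generalizes the CCh test to a prologue comparison that also flags an API rewritten to return zero. The IsDebuggerPresent reference bytes, the three function bodies and the native-pointer thunk operand are constructed values for the demonstration, not read from a real kernel32.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * On a 32-bit Windows build a call to an imported API goes through a thunk
 *     FF 25 xx xx xx xx      jmp dword ptr [IAT slot]
 * The MASM code does LEA EAX,[thunk+2] / MOV EAX,[EAX] / MOV EAX,[EAX]: take
 * the operand (address of the IAT slot), load the slot (address of the real
 * function), then inspect the function's first byte.  Here the operand holds a
 * native pointer (constructed), so the same walk runs on any host.
 */

/* Assumed reference prologue of kernel32!IsDebuggerPresent (32-bit XP era):
 * 64 A1 18 00 00 00   mov eax, fs:[18h]  -- fetch the TEB */
static const uint8_t EXPECTED_PROLOGUE[] = {0x64, 0xA1, 0x18, 0x00, 0x00, 0x00};

enum api_state {
    API_CLEAN = 0,     /* prologue is what we expect              */
    API_SOFT_BP = 1,   /* first byte is INT3 (CCh): breakpoint     */
    API_PATCHED = 2,   /* something else was written over it       */
    API_BAD_THUNK = 3  /* not a FF 25 import thunk at all          */
};

/* Constructed function bodies: untouched, breakpointed, and rewritten to
 * "xor eax,eax ; ret" (33 C0 C3) the way an anti-anti-debug plugin would. */
static const uint8_t BODY_CLEAN[]   = {0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x30, 0x0F, 0xB6, 0x40, 0x02, 0xC3};
static const uint8_t BODY_BP[]      = {0xCC, 0xA1, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x30, 0x0F, 0xB6, 0x40, 0x02, 0xC3};
static const uint8_t BODY_PATCHED[] = {0x33, 0xC0, 0xC3, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x30, 0x0F, 0xB6, 0x40, 0x02, 0xC3};

/* Build an import thunk "FF 25 <address of iat_slot>". */
void build_thunk(uint8_t *thunk, const uint8_t **iat_slot)
{
    thunk[0] = 0xFF;
    thunk[1] = 0x25;
    memcpy(thunk + 2, &iat_slot, sizeof iat_slot);
}

/* Follow the thunk to the function and classify its first bytes.
 * IsBPX stops at the CCh test; comparing the whole prologue additionally
 * catches a function that was patched rather than breakpointed. */
enum api_state check_import_thunk(const uint8_t *thunk)
{
    const uint8_t **iat_slot;
    const uint8_t *func;

    if (thunk[0] != 0xFF || thunk[1] != 0x25)
        return API_BAD_THUNK;

    memcpy(&iat_slot, thunk + 2, sizeof iat_slot);  /* LEA EAX,[thunk+2] ; MOV EAX,[EAX] */
    func = *iat_slot;                                /* MOV EAX,[EAX]                     */

    if (func[0] == 0xCC)                             /* what IsBPX checks                 */
        return API_SOFT_BP;
    if (memcmp(func, EXPECTED_PROLOGUE, sizeof EXPECTED_PROLOGUE) != 0)
        return API_PATCHED;                          /* CMP BYTE PTR [EAX],64h, but on all six bytes */
    return API_CLEAN;
}

/* Convenience: point a fresh IAT slot at body and run the check through a thunk. */
enum api_state classify_body(const uint8_t *body)
{
    const uint8_t *slot = body;          /* plays the IAT slot                */
    uint8_t thunk[2 + sizeof(void *)];   /* plays the FF 25 thunk in .text    */
    build_thunk(thunk, &slot);
    return check_import_thunk(thunk);
}

int main(void)
{
    printf("clean   -> %d\n", (int)classify_body(BODY_CLEAN));    /* 0 */
    printf("int3    -> %d\n", (int)classify_body(BODY_BP));       /* 1 */
    printf("patched -> %d\n", (int)classify_body(BODY_PATCHED));  /* 2 */
    return 0;
}
```

The double dereference is the part people trip over: the symbol `IsDebuggerPresent` in a MASM program names the jump stub in the program's own .text, not kernel32's code, so two loads are needed before the byte comparison means anything. Read the byte through the thunk at program start and again later and you have a cheap integrity check for your own checks as well.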
s0me0ne Posted September 6, 2007

p.s. looking for anti dede tricks..

procedure Anti_DeDe;
var
  DeDeHandle: THandle;
  i: Integer;
begin
  // 'dede' assembled from character codes so the window title is not visible in a strings dump
  DeDeHandle := FindWindow(nil, PChar(Chr($64) + Chr($65) + Chr($64) + Chr($65)));
  if DeDeHandle <> 0 then
  begin
    for i := 1 to 4500 do
      SendMessage(DeDeHandle, WM_CLOSE, 0, 0);
  end;
end;

If you want anti-loader, anti-FileMon/RegMon etc., have a look here (it's a Chinese blog, but it's the code you're after): http://www.xwind.cn/blogview.asp?logID=296&cateID=2
ChupaChu (Author) Posted September 6, 2007

The Anti_DeDe procedure you wrote is interesting, but not good enough. The link is great, though!!! Thanks for that!
ChupaChu (Author) Posted September 11, 2007

Give these a shot! I hope it helps bro

Yes, thank you, it's helpful, but it is rather outdated; almost all debuggers pass it without problems. I have a question concerning this code:

procedure FoolProcDump;
asm
  mov eax, fs:[$30]
  mov eax, [eax+$C]
  mov eax, [eax+$C]
  add dword ptr [eax+$20], $2000
end;

Can you or anyone explain to me what it does? I am not very skilled in asm, so maybe I am asking stupid things; I hope you won't hold that against me. Regards, ChupaChu!
D1N Posted September 16, 2007 (edited)

procedure FoolProcDump;
asm
  mov eax, fs:[$30]
  mov eax, [eax+$C]
  mov eax, [eax+$C]
  add dword ptr [eax+$20], $2000
end;

ChupaChu, hey bud, uh, it's supposed to prevent the file from being dumped after it's active inside a debugger. FoolProcDump doesn't work anymore as there are many ways around this. That's about all I can tell you. Sorry for the long-awaited reply; I've been working on D1S1G trying to get 1.1 beta finished up.

s0me0ne, thanks for that AntiDeDe snippet; I think I'm going to use this in my project. I'll be sure to thank you for posting it.

Edited September 16, 2007 by D1N