Anti-Debug Time Plugin for OllyDbg V.2 General Information

Modern computer programs are more complex in writing and more difficult for reversing. Serious programs have various means of protection against debugging. It prevents application reversing. There are a number of various approaches, like Debug Blocker, Nanomites, others.

Measuring time to identify that an application is being debugged becomes the widespread practice lately. The OllyDbg has the «HideOD» and «Hide Debugger» anti-debug plugins, which have no possibility to hide actual time. This causes difficulties in application reversing.

Let’s consider the system of debugger identification. The debuggers are capable of making breakpoints in code. In this case the operation of the program is suspended. The program can detect such stopping by monitoring the system time. If there is a too long pause between the instructions – most likely the program has been stopped for analysis.

 

 

http://www.codeproject.com/Articles/614775/Anti-Debug-Time-Plugin-for-OllyDbg

AntiDebugTimePlugin.zip

Edited September 15, 201311 yr by Amer

great article! but strange it writes the registry for communication.. it could be easily done with mapped files for example.

it's good, but for example look code GetTickCount:

75BF8FAC >/$ /EB 02              JMP SHORT KERNELBA.75BF8FB0

75BF8FAE  |> |F3:                /PREFIX REP:

75BF8FAF  |. |90                 |NOP

75BF8FB0  |> \8B0D 2403FE7F       MOV ECX,DWORD PTR DS:[7FFE0324]

75BF8FB6  |.  8B15 2003FE7F      |MOV EDX,DWORD PTR DS:[7FFE0320]                                

75BF8FBC  |.  A1 2803FE7F        |MOV EAX,DWORD PTR DS:[7FFE0328]

75BF8FC1  |.  3BC8               |CMP ECX,EAX

75BF8FC3  |.^ 75 E9              \JNZ SHORT KERNELBA.75BF8FAE

...

we can manually read timer value

Hello, thanks for your article , and how to create a frame window like cpu window in ollydbg 2.01?