Jump to content
Tuts 4 You
Amer

Anti-Debug Time Plugin for OllyDbg V.2

Rate this topic

Recommended Posts

Amer

Anti-Debug Time Plugin for OllyDbg V.2 General Information


Modern computer programs are more complex in writing and more difficult for reversing. Serious programs have various means of protection against debugging. It prevents application reversing. There are a number of various approaches, like Debug Blocker, Nanomites, others.


Measuring time to identify that an application is being debugged becomes the widespread practice lately. The OllyDbg has the «HideOD» and «Hide Debugger» anti-debug plugins, which have no possibility to hide actual time. This causes difficulties in application reversing.


Let’s consider the system of debugger identification. The debuggers are capable of making breakpoints in code. In this case the operation of the program is suspended. The program can detect such stopping by monitoring the system time. If there is a too long pause between the instructions – most likely the program has been stopped for analysis.


 


 


http://www.codeproject.com/Articles/614775/Anti-Debug-Time-Plugin-for-OllyDbg


AntiDebugTimePlugin.zip

Edited by Amer (see edit history)
  • Like 1

Share this post


Link to post
Share on other sites
mrexodia

great article! but strange it writes the registry for communication.. it could be easily done with mapped files for example.

  • Like 1

Share this post


Link to post
Share on other sites
Hellsp@wn

it's good, but for example look code GetTickCount:



75BF8FAC >/$ /EB 02 JMP SHORT KERNELBA.75BF8FB0
75BF8FAE |> |F3: /PREFIX REP:
75BF8FAF |. |90 |NOP
75BF8FB0 |> \8B0D 2403FE7F MOV ECX,DWORD PTR DS:[7FFE0324]
75BF8FB6 |. 8B15 2003FE7F |MOV EDX,DWORD PTR DS:[7FFE0320]
75BF8FBC |. A1 2803FE7F |MOV EAX,DWORD PTR DS:[7FFE0328]
75BF8FC1 |. 3BC8 |CMP ECX,EAX
75BF8FC3 |.^ 75 E9 \JNZ SHORT KERNELBA.75BF8FAE
...

we can manually read timer value :)


Share this post


Link to post
Share on other sites
aikuimail

Hello, thanks for your article , and how to create a frame window like cpu window in ollydbg 2.01?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...