/**
* An Anti-Reverse Engineering Guide, Joshua Tully
* https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide
*/
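// INT 2Dh probe (x86-32 MSVC inline asm only).
//
// INT 2Dh is the kernel debug-service interrupt. With no debugger attached
// the CPU trap surfaces as an SEH exception that the __except clause
// catches, so the function reports "no debugger". An attached debugger
// consumes the interrupt instead and execution falls through to `return true`.
//
// The NOP after the interrupt is a pad byte: when a debugger resumes the
// thread after INT 2Dh, Windows is known to resume one byte past the
// instruction, which would otherwise land inside whatever the compiler
// emitted next. With the pad in place the skipped byte is harmless.
//
// @return true if the interrupt was swallowed (debugger present), false if
//         the exception reached our handler.
bool FindDebugger1::HasDebugger()
{
    __try
    {
        __asm
        {
            int 0x2D
            nop ; pad byte skipped on resume under a debugger
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Nobody else handled the interrupt: no debugger attached.
        return false;
    }
    return true;
}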
// INT 3 probe (x86-32 MSVC inline asm only).
//
// INT 3 is the software-breakpoint interrupt. Without a debugger the
// resulting EXCEPTION_BREAKPOINT lands in our __except clause; a debugger
// that is attached handles the breakpoint itself, so the handler is never
// entered and the "present" flag survives.
//
// Caveat: a debugger configured to pass INT 3 back to the program (instead
// of stopping on it) will make this report "no debugger".
//
// @return true if the breakpoint was swallowed, false if we caught it.
bool FindDebugger2::HasDebugger()
{
    bool debuggerPresent = true;
    __try
    {
        __asm int 0x03
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // We saw the breakpoint exception ourselves: no debugger consumed it.
        debuggerPresent = false;
    }
    return debuggerPresent;
}
// Hardware-breakpoint probe.
//
// Reads the debug registers of the calling thread via GetThreadContext and
// treats any non-zero address register (DR0-DR3) as evidence that a
// debugger armed a hardware breakpoint on this thread.
//
// Caveats: only the current thread is inspected, DR7 (the enable bits) is
// not consulted, and anything that sets debug registers (not only a
// debugger) will trip this check.
//
// @return true if any of DR0-DR3 is non-zero; false otherwise, including
//         when GetThreadContext itself fails.
bool FindDebugger3::HasDebugger()
{
    CONTEXT threadContext = {0};
    threadContext.ContextFlags = CONTEXT_DEBUG_REGISTERS;

    // GetCurrentThread() yields a pseudo-handle; nothing to close afterwards.
    if (!GetThreadContext(GetCurrentThread(), &threadContext))
    {
        // Could not read the registers: report "not found" rather than guess.
        return false;
    }

    // Any armed address register counts as a breakpoint.
    const bool anyAddressRegisterSet =
        (threadContext.Dr0 | threadContext.Dr1 | threadContext.Dr2 | threadContext.Dr3) != 0;
    return anyAddressRegisterSet;
}
// OutputDebugString last-error probe.
//
// Emits an empty debug string and inspects GetLastError() afterwards: the
// check relies on OutputDebugString leaving a non-zero last-error value
// when no debugger is there to receive the string, and leaving it at zero
// when one is.
//
// NOTE(review): nothing resets the last-error value before the call, so a
// stale 0 left by an earlier successful API call reads as "debugger found".
// The behaviour of OutputDebugString on newer Windows versions is also
// reported to differ from the one this trick assumes - confirm on the
// target OS before relying on this probe alone.
//
// @return true if GetLastError() is 0 after the call, false otherwise.
bool FindDebugger4::HasDebugger()
{
    OutputDebugString("");
    const DWORD lastError = GetLastError();
    return lastError == 0;
}
// OllyDbg 1.10 format-string payload.
//
// Sends "%s%s%s%s" through OutputDebugString. OllyDbg v1.10 passed received
// debug strings to a printf-style routine as the format argument, so an
// attached, unpatched OllyDbg 1.10 crashes on this string. With no debugger
// (or any other debugger) the call is a harmless no-op. Not a detection:
// returns nothing.
void FindDebugger5::Execute()
{
    // Keep the literal exactly as-is; the four %s conversions are the payload.
    static const char kPayload[] = "%s%s%s%s";
    OutputDebugString(kPayload);
}
// DBG_RIPEXCEPTION probe.
//
// Raises DBG_RIPEXCEPTION, an exception code used for debugger
// notifications. Without a debugger the exception unwinds into our own
// __except clause; a debugger that is attached typically consumes it, in
// which case the flag below is never cleared.
//
// @return true if the exception was swallowed by someone else, false if
//         our handler ran.
bool FindDebugger6::HasDebugger()
{
    bool swallowed = true;
    __try
    {
        RaiseException(DBG_RIPEXCEPTION, 0, 0, 0);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // The exception came back to us: no debugger took it.
        swallowed = false;
    }
    return swallowed;
}
// Kernel-debugger device probe.
//
// Tries to open a list of device names exported by kernel-mode debuggers
// from the SoftICE/Syser/TRW era. A successful CreateFileA means the
// corresponding driver is loaded. Names are wrapped in AY_OBFUSCATE so
// they do not appear as plain strings in the binary.
//
// NOTE(review): every name here dates from the referenced article; current
// kernel debuggers do not expose devices under these names, so this probe
// is presumably of limited value on modern systems.
//
// @return true as soon as one device opens, false if none does.
bool FindDebugger7::HasDebugger()
{
    const char* const deviceNames[] = {
        AY_OBFUSCATE("\\\\.\\EXTREM"),
        AY_OBFUSCATE("\\\\.\\ICEEXT"),
        AY_OBFUSCATE("\\\\.\\NDBGMSG.VXD"),
        AY_OBFUSCATE("\\\\.\\RING0"),
        AY_OBFUSCATE("\\\\.\\SIWVID"),
        AY_OBFUSCATE("\\\\.\\SYSER"),
        AY_OBFUSCATE("\\\\.\\TRW"),
        AY_OBFUSCATE("\\\\.\\SYSERBOOT")
    };

    for (const char* deviceName : deviceNames)
    {
        // Desired access 0: we only need to know whether the device exists.
        HANDLE device = CreateFileA(deviceName, 0, 0, 0, OPEN_EXISTING, 0, 0);
        if (device == INVALID_HANDLE_VALUE)
        {
            continue;
        }
        CloseHandle(device);
        return true; // driver present
    }
    return false;
}
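// ProcessDebugObjectHandle probe.
//
// Asks the kernel for the debug object attached to this process via
// NtQueryInformationProcess(ProcessDebugObjectHandle). When no debugger is
// attached the call fails (non-zero NTSTATUS) and we report false; when one
// is attached it succeeds and returns a handle.
//
// Fixes versus the original: the buffer length is now sizeof(HANDLE) rather
// than a literal 4, which is wrong on x64 (HANDLE is 8 bytes there, the call
// fails with a length mismatch and the probe silently reports "no
// debugger"); and the returned handle is closed, since the kernel opens a
// real handle for the caller and each probe would otherwise leak one.
//
// @return true if a debug object handle was returned, false otherwise.
bool FindDebugger8::HasDebugger()
{
    // ProcessDebugObjectHandle (30) is not part of the public PROCESSINFOCLASS enum.
    const PROCESSINFOCLASS kProcessDebugObjectHandle = (PROCESSINFOCLASS)0x1E;

    HANDLE debugObject = NULL;
    ULONG returnedLength = 0;
    const LONG status = NtQueryInformationProcess(GetCurrentProcess(),
                                                  kProcessDebugObjectHandle,
                                                  &debugObject,
                                                  sizeof(debugObject),
                                                  &returnedLength);
    if (status != 0)
    {
        // Not debugged: the query fails rather than returning a NULL handle.
        return false;
    }
    if (debugObject == NULL)
    {
        return false;
    }

    // We own this handle; release it so repeated probes do not accumulate handles.
    CloseHandle(debugObject);
    return true;
}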
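// Guard-page probe (x86-32 MSVC inline asm only).
//
// Allocates one executable page containing a single RET, marks it
// PAGE_GUARD, then jumps into it with a return address pushed. With no
// debugger the first touch raises STATUS_GUARD_PAGE_VIOLATION, our __except
// clause runs and we report false. A debugger that implements memory
// breakpoints through guard pages (OllyDbg is the example in the referenced
// article) consumes that exception itself, so the RET executes and pops the
// pushed address: execution resumes at MemBpBeingDebugged and we report true.
//
// Fix versus the original: the page was leaked when VirtualProtect failed;
// it is now released on that path too. The inline asm is unchanged.
//
// @return true if the guard-page exception was swallowed, false otherwise
//         (including allocation or protection failures).
bool FindDebugger9::HasDebugger()
{
    SYSTEM_INFO sysinfo = { 0 };
    DWORD OldProtect = 0;
    GetSystemInfo( &sysinfo );

    void* pAllocation = VirtualAlloc( NULL, sysinfo.dwPageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
    if( pAllocation == NULL )
        return false; // cannot run the probe: report "not found"

    // Single RET (opcode 0xC3) at the start of the page.
    *(unsigned char*)pAllocation = 0xc3;

    // Arm the page: the next access raises a guard-page exception once.
    if( VirtualProtect( pAllocation, sysinfo.dwPageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, &OldProtect ) == 0 )
    {
        VirtualFree( pAllocation, 0, MEM_RELEASE ); // previously leaked here
        return false;
    }

    __try
    {
        __asm
        {
            mov eax, pAllocation
            push MemBpBeingDebugged ; where the RET lands if a debugger ate the exception
            jmp eax
        }
    }
    __except( EXCEPTION_EXECUTE_HANDLER )
    {
        // Guard-page exception reached us: nothing consumed it, no debugger.
        // SEH restores the stack, so the pushed address is discarded.
        VirtualFree( pAllocation, 0, MEM_RELEASE );
        MARK_AS_EXECUTED;
        return false;
    }

    __asm {MemBpBeingDebugged:}
    // Only reachable via the RET in the guard page, i.e. a debugger handled the fault.
    VirtualFree( pAllocation, 0, MEM_RELEASE );
    return true;
}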
// Prefixed ICEBP probe (x86-32 MSVC inline asm only).
//
// Emits the byte sequence F3 64 F1: a REP prefix, an FS segment prefix and
// the one-byte INT 1 (ICEBP) opcode. With no debugger the single-step
// exception arrives at our __except clause; an attached debugger handles
// the trap itself so the flag below is never cleared.
//
// @return true if the exception was swallowed, false if our handler ran.
bool FindDebugger10::HasDebugger()
{
    bool swallowedByDebugger = true;
    __try
    {
        __asm __emit 0xF3 // REP prefix
        __asm __emit 0x64 // FS prefix (0xF3 0x64 together disassemble as PREFIX REP:)
        __asm __emit 0xF1 // one-byte INT 1
    }
    __except( EXCEPTION_EXECUTE_HANDLER )
    {
        swallowedByDebugger = false;
    }
    return swallowedByDebugger;
}
// PEB NtGlobalFlag probe (x86-32 MSVC inline asm only).
//
// Reads NtGlobalFlag from the 32-bit PEB (fs:[0x30] -> PEB, +0x68 ->
// NtGlobalFlag) and masks the three heap-debugging flags 0x70
// (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
// FLG_HEAP_VALIDATE_PARAMETERS). Windows sets these when a process is
// created under a debugger.
//
// Caveats: the flags reflect how the process was started, so a debugger
// that attaches later is not seen; anything else that sets these flags
// (gflags / Image File Execution Options) produces a false positive; and the
// offsets are the 32-bit ones, this code is not valid for an x64 PEB.
//
// @return true if any of the three heap flags is set, false otherwise.
bool FindDebugger11::HasDebugger()
{
    DWORD heapDebugFlags = 0;
    _asm
    {
        mov ecx, fs:[0x30]          ; PEB
        mov ecx, [ecx + 0x68]       ; PEB->NtGlobalFlag
        and ecx, 0x00000070         ; keep the three heap-debug flags only
        mov heapDebugFlags, ecx
    }
    return heapDebugFlags != 0;
}
// Invalid-handle probe.
//
// Calls CloseHandle on a bogus handle value. Normally the call just fails;
// with a debugger attached the kernel raises EXCEPTION_INVALID_HANDLE
// instead, which is what the __except clause records.
//
// NOTE(review): handle-checking tools (e.g. Application Verifier) are
// reported to raise the same exception without a debugger - verify on the
// target configuration.
//
// @return true if CloseHandle raised an exception, false otherwise.
bool FindDebugger12::HasDebugger()
{
    bool exceptionRaised = false;
    __try
    {
        CloseHandle( (HANDLE)0xDEADBEEF ); // deliberately invalid handle
    }
    __except( EXCEPTION_EXECUTE_HANDLER )
    {
        exceptionRaised = true;
    }
    return exceptionRaised;
}
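// Patches ntdll!DbgUiRemoteBreakin to hinder a late debugger attach.
//
// DbgUiRemoteBreakin is the routine a debugger's attach (DebugActiveProcess)
// runs on the thread it injects into the target. Overwriting its first four
// bytes with 6A 6A 6A 6A (two `push 6Ah` instructions, after which execution
// falls into the misaligned remainder of the function) is expected to derail
// that thread instead of letting it break in.
//
// Fixes versus the original:
//  - the function address was cast to DWORD, which truncates pointers on x64;
//    it is now kept as a pointer;
//  - the write happened even if VirtualProtect failed (ntdll's code pages are
//    not writable by default), which would fault; it is now guarded;
//  - the restoring VirtualProtect passed NULL for lpflOldProtect, which makes
//    the call fail and leaves the ntdll page RWX; it now receives a real
//    out-variable.
//
// Names are wrapped in AY_OBFUSCATE so they do not appear as plain strings.
// Note: ntdll is always mapped; LoadLibraryA is kept for fidelity with the
// original but GetModuleHandleA would do (this adds a reference we never drop).
void AntiDebugger()
{
    HMODULE ntdll = LoadLibraryA( AY_OBFUSCATE("ntdll.dll") );
    if( ntdll == NULL )
        return;

    void* target = reinterpret_cast<void*>( GetProcAddress( ntdll, AY_OBFUSCATE("DbgUiRemoteBreakin") ) );
    if( target == NULL )
        return;

    // Protection is page-granular; 8 bytes matches the original request.
    DWORD previousProtect = 0;
    if( VirtualProtect( target, 8, PAGE_EXECUTE_READWRITE, &previousProtect ) == 0 )
        return; // page not writable: do not touch it

    *static_cast<DWORD*>( target ) = 0x6A6A6A6A;

    // lpflOldProtect must point at a valid variable or the call fails.
    DWORD ignored = 0;
    VirtualProtect( target, 8, previousProtect, &ignored );
}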