igorsegallafa/AntiDebugger.cpp

## AntiDebugger.cpp
/**
 * An Anti-Reverse Engineering Guide, Joshua Tully
 * https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide
 */

bool FindDebugger1::HasDebugger()
{
    __try { __asm INT 0x2D }
    __except (EXCEPTION_EXECUTE_HANDLER){ return false; }

    return true;
}

bool FindDebugger2::HasDebugger()
{
    __try { __asm INT 0x03 }
    __except (EXCEPTION_EXECUTE_HANDLER){ return false; }

    return true;
}

bool FindDebugger3::HasDebugger()
{
    CONTEXT ctx = {0};
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;

    auto hThread = GetCurrentThread();

    if( GetThreadContext( hThread, &ctx ) == 0 )
    {
        return false;
    }

    //Debugger Found
    if( ctx.Dr0 != 0 || ctx.Dr1 != 0 || ctx.Dr2 != 0 || ctx.Dr3 != 0 )
        return true;

  return false;
}

bool FindDebugger4::HasDebugger()
{
    OutputDebugString( "" );

    //Debugger Found
    if( GetLastError() == 0 )
      return true;

  return false;
}

void FindDebugger5::Execute()
{
    //Crash OllyDBG v1.10
    OutputDebugString( "%s%s%s%s" );
}

bool FindDebugger6::HasDebugger()
{
    __try { RaiseException(DBG_RIPEXCEPTION, 0, 0, 0); }
    __except(EXCEPTION_EXECUTE_HANDLER){ return false; }

    //Debugger Found
    return true;
}

bool FindDebugger7::HasDebugger()
{
    std::vector<const char*> drivers = {
        AY_OBFUSCATE( "\\\\.\\EXTREM" ),
        AY_OBFUSCATE( "\\\\.\\ICEEXT" ),
        AY_OBFUSCATE( "\\\\.\\NDBGMSG.VXD" ),
        AY_OBFUSCATE( "\\\\.\\RING0" ),
        AY_OBFUSCATE( "\\\\.\\SIWVID" ),
        AY_OBFUSCATE( "\\\\.\\SYSER" ),
        AY_OBFUSCATE( "\\\\.\\TRW" ),
        AY_OBFUSCATE( "\\\\.\\SYSERBOOT" ) };

    for( const auto & driver : drivers )
    {
        auto h = CreateFileA( driver, 0, 0, 0, OPEN_EXISTING, 0, 0 );
        if( h != INVALID_HANDLE_VALUE )
        {
            CloseHandle( h );

            //Debugger Found
            return true;
        }
    }

    return false;
}

bool FindDebugger8::HasDebugger()
{
    HANDLE hDebugObject = NULL;

    //ProcessDebugObjectHandle
    if( NtQueryInformationProcess( GetCurrentProcess(), (PROCESSINFOCLASS)0x1E, &hDebugObject, 4, NULL ) != 0 )
    {
        return false;
    }

    //Debugger Found
    if( hDebugObject )
    {
        return true;
    }

    return false;
}

bool FindDebugger9::HasDebugger()
{
    unsigned char* pMem = nullptr;
    SYSTEM_INFO sysinfo = { 0 };
    DWORD OldProtect = 0;
    void* pAllocation = nullptr;

    GetSystemInfo( &sysinfo );
    pAllocation = VirtualAlloc( NULL, sysinfo.dwPageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );

    //Not Found
    if( pAllocation == NULL )
        return false;

    //Write a ret to the buffer (opcode 0xc3)
    pMem = (unsigned char*)pAllocation;
    *pMem = 0xc3;

    //Make the page a guard page
    if( VirtualProtect( pAllocation, sysinfo.dwPageSize, PAGE_EXECUTE_READWRITE | PAGE_GUARD, &OldProtect ) == 0 )
        return false;

    __try
    {
        __asm
        {
            mov eax, pAllocation
            //This is the address we'll return to if we're under a debugger
            push MemBpBeingDebugged
            jmp eax //Exception or execution, which shall it be :D?
        }
    }
    __except( EXCEPTION_EXECUTE_HANDLER )
    {
        //The exception occured and no debugger was detected
        VirtualFree( pAllocation, NULL, MEM_RELEASE );
        MARK_AS_EXECUTED;
        return false;
    }

    __asm {MemBpBeingDebugged:}
    VirtualFree( pAllocation, NULL, MEM_RELEASE );

    return true;
}

bool FindDebugger10::HasDebugger()
{
    __try
    {
        __asm __emit 0xF3 //0xF3 0x64 disassembles as PREFIX REP:
        __asm __emit 0x64
        __asm __emit 0xF1 //One byte INT 1
    }
    __except( EXCEPTION_EXECUTE_HANDLER )
    {
        return false;
    }

    return true;
}

bool FindDebugger11::HasDebugger()
{
    BOOL bFound = FALSE;
    _asm
    {
        xor eax, eax;           //clear eax
        mov eax, fs: [0x30] ;   //Reference start of the PEB
        mov eax, [eax + 0x68];  //PEB+0x68 points to NtGlobalFlags
        and eax, 0x00000070;    //check three flags
        mov bFound, eax;        //Copy result into 'found'
    }

    if( bFound )
    {
        return true;
    }

    return false;
}

bool FindDebugger12::HasDebugger()
{
    HANDLE hInvalid = (HANDLE)0xDEADBEEF; //An invalid handle
    BOOL bFound = FALSE;

    __try{ CloseHandle( hInvalid ); }
    __except( EXCEPTION_EXECUTE_HANDLER ){ return true; }

    return false;
}

void AntiDebugger()
{
    HMODULE h = LoadLibraryA( AY_OBFUSCATE("ntdll.dll") );
    if( h )
    {
        DWORD d = (DWORD)GetProcAddress( h, AY_OBFUSCATE("DbgUiRemoteBreakin") );
        if( d )
        {
            DWORD dold = 0;
            VirtualProtect( (void*)d, 8, PAGE_EXECUTE_READWRITE, &dold );
            ( *(DWORD*)d ) = 0x6A6A6A6A;
            VirtualProtect( (void*)d, 8, dold, NULL );
        }
    }
}
	/**
	* An Anti-Reverse Engineering Guide, Joshua Tully
	* https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide
	*/

	bool FindDebugger1::HasDebugger()
	{
	__try { __asm INT 0x2D }
	__except (EXCEPTION_EXECUTE_HANDLER){ return false; }

	return true;
	}

	bool FindDebugger2::HasDebugger()
	{
	__try { __asm INT 0x03 }
	__except (EXCEPTION_EXECUTE_HANDLER){ return false; }

	return true;
	}

	bool FindDebugger3::HasDebugger()
	{
	CONTEXT ctx = {0};
	ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;

	auto hThread = GetCurrentThread();

	if( GetThreadContext( hThread, &ctx ) == 0 )
	{
	return false;
	}

	//Debugger Found
	if( ctx.Dr0 != 0 \|\| ctx.Dr1 != 0 \|\| ctx.Dr2 != 0 \|\| ctx.Dr3 != 0 )
	return true;

	return false;
	}

	bool FindDebugger4::HasDebugger()
	{
	OutputDebugString( "" );

	//Debugger Found
	if( GetLastError() == 0 )
	return true;

	return false;
	}

	void FindDebugger5::Execute()
	{
	//Crash OllyDBG v1.10
	OutputDebugString( "%s%s%s%s" );
	}

	bool FindDebugger6::HasDebugger()
	{
	__try { RaiseException(DBG_RIPEXCEPTION, 0, 0, 0); }
	__except(EXCEPTION_EXECUTE_HANDLER){ return false; }

	//Debugger Found
	return true;
	}

	bool FindDebugger7::HasDebugger()
	{
	std::vector<const char*> drivers = {
	AY_OBFUSCATE( "\\\\.\\EXTREM" ),
	AY_OBFUSCATE( "\\\\.\\ICEEXT" ),
	AY_OBFUSCATE( "\\\\.\\NDBGMSG.VXD" ),
	AY_OBFUSCATE( "\\\\.\\RING0" ),
	AY_OBFUSCATE( "\\\\.\\SIWVID" ),
	AY_OBFUSCATE( "\\\\.\\SYSER" ),
	AY_OBFUSCATE( "\\\\.\\TRW" ),
	AY_OBFUSCATE( "\\\\.\\SYSERBOOT" ) };

	for( const auto & driver : drivers )
	{
	auto h = CreateFileA( driver, 0, 0, 0, OPEN_EXISTING, 0, 0 );
	if( h != INVALID_HANDLE_VALUE )
	{
	CloseHandle( h );

	//Debugger Found
	return true;
	}
	}

	return false;
	}

	bool FindDebugger8::HasDebugger()
	{
	HANDLE hDebugObject = NULL;

	//ProcessDebugObjectHandle
	if( NtQueryInformationProcess( GetCurrentProcess(), (PROCESSINFOCLASS)0x1E, &hDebugObject, 4, NULL ) != 0 )
	{
	return false;
	}

	//Debugger Found
	if( hDebugObject )
	{
	return true;
	}

	return false;
	}

	bool FindDebugger9::HasDebugger()
	{
	unsigned char* pMem = nullptr;
	SYSTEM_INFO sysinfo = { 0 };
	DWORD OldProtect = 0;
	void* pAllocation = nullptr;

	GetSystemInfo( &sysinfo );
	pAllocation = VirtualAlloc( NULL, sysinfo.dwPageSize, MEM_COMMIT \| MEM_RESERVE, PAGE_EXECUTE_READWRITE );

	//Not Found
	if( pAllocation == NULL )
	return false;

	//Write a ret to the buffer (opcode 0xc3)
	pMem = (unsigned char*)pAllocation;
	*pMem = 0xc3;

	//Make the page a guard page
	if( VirtualProtect( pAllocation, sysinfo.dwPageSize, PAGE_EXECUTE_READWRITE \| PAGE_GUARD, &OldProtect ) == 0 )
	return false;

	__try
	{
	__asm
	{
	mov eax, pAllocation
	//This is the address we'll return to if we're under a debugger
	push MemBpBeingDebugged
	jmp eax //Exception or execution, which shall it be :D?
	}
	}
	__except( EXCEPTION_EXECUTE_HANDLER )
	{
	//The exception occured and no debugger was detected
	VirtualFree( pAllocation, NULL, MEM_RELEASE );
	MARK_AS_EXECUTED;
	return false;
	}

	__asm {MemBpBeingDebugged:}
	VirtualFree( pAllocation, NULL, MEM_RELEASE );

	return true;
	}

	bool FindDebugger10::HasDebugger()
	{
	__try
	{
	__asm __emit 0xF3 //0xF3 0x64 disassembles as PREFIX REP:
	__asm __emit 0x64
	__asm __emit 0xF1 //One byte INT 1
	}
	__except( EXCEPTION_EXECUTE_HANDLER )
	{
	return false;
	}

	return true;
	}

	bool FindDebugger11::HasDebugger()
	{
	BOOL bFound = FALSE;
	_asm
	{
	xor eax, eax; //clear eax
	mov eax, fs: [0x30] ; //Reference start of the PEB
	mov eax, [eax + 0x68]; //PEB+0x68 points to NtGlobalFlags
	and eax, 0x00000070; //check three flags
	mov bFound, eax; //Copy result into 'found'
	}

	if( bFound )
	{
	return true;
	}

	return false;
	}

	bool FindDebugger12::HasDebugger()
	{
	HANDLE hInvalid = (HANDLE)0xDEADBEEF; //An invalid handle
	BOOL bFound = FALSE;

	__try{ CloseHandle( hInvalid ); }
	__except( EXCEPTION_EXECUTE_HANDLER ){ return true; }

	return false;
	}

	void AntiDebugger()
	{
	HMODULE h = LoadLibraryA( AY_OBFUSCATE("ntdll.dll") );
	if( h )
	{
	DWORD d = (DWORD)GetProcAddress( h, AY_OBFUSCATE("DbgUiRemoteBreakin") );
	if( d )
	{
	DWORD dold = 0;
	VirtualProtect( (void*)d, 8, PAGE_EXECUTE_READWRITE, &dold );
	( (DWORD)d ) = 0x6A6A6A6A;
	VirtualProtect( (void*)d, 8, dold, NULL );
	}
	}
	}