You can use this method:
;IncludeFile "c:\dasm.pb"
DisableDebugger                  ; keep PureBasic's own debugger out of this code - presumably because the checks below would flag it
EnableASM                        ; allow inline assembler mnemonics without the '!' prefix
Procedure anti_debugging()
;origin code https://github.com/invictus1306/Anti-debugging-techniques/blob/master/anti-debugging.asm
;
; Chain of 32-bit Windows debugger-presence checks written as inline asm.
; Every check that fires jumps to @Detected, which returns 1 (in eax) via
; ProcedureReturn; if none fires, execution reaches skiip and returns 0
; with a bare RET.  Lines prefixed with '!' are passed verbatim to FASM.
;
; Registers: eax carries each check's result and the return value; ecx, edi
; (REPNE SCASB) and esi are written and never restored.
; NOTE(review): confirm PureBasic does not require esi/edi to be preserved
; across a procedure - nothing here saves them.
; NOTE(review): the bare RET at skiip bypasses the compiler-generated
; epilogue; that is only correct if this procedure has no prologue pushes
; to undo - verify in the generated assembly.
;
;NtGlobalFlag - PEB!NtGlobalFlags
; Check 1: PEB->NtGlobalFlag (+0x68 in the 32-bit PEB).  Mask 0x70 keeps the
; heap-debug flag bits a debugger-created process typically has set.
XOR eax, eax
!MOV eax, [fs:eax+0x30]          ; eax = PEB (TEB+0x30; eax is 0 here)
MOV eax, [eax+0x68]              ; eax = PEB->NtGlobalFlag
AND eax, 0x70                    ; isolate the heap-debug flag bits
!DB 0xeb, 0x01                   ; jmp short +1: hops over the 0xff below (anti-disassembly)
!DB 0xff, 0x85, 0xC0 ;junk byte - test eax, eax   (0xff is skipped, 0x85 0xC0 = test eax, eax)
JNE @Detected                    ; any flag bit set -> detected
;obfuscation
!DB 0xeb, 0x02                   ; jmp short +2: skips the 0xcc (int3) and 0xfe bytes
!DB 0xcc, 0xfe, 0xeb, 0x00       ; ... landing on 0xeb 0x00 = jmp short +0 (no-op)
;IsDebuggerPresent first - kernel32!IsDebuggerPresent
; Check 2: the API result is left in eax.  The CALL below returns 5 bytes
; past its own return address, so the decoy `MOV eax, 0x10` (assumed to be
; the 5-byte B8 imm32 encoding) is never executed and CMP sees the real
; result.
IsDebuggerPresent_()
CALL @eip_manipulate ; change eip (point to next instruction)
MOV eax, 0x10                    ; decoy - skipped by @eip_manipulate
CMP eax, 1                       ; IsDebuggerPresent() == TRUE ?
JE @Detected
;IsDebuggerPresent second - PEB!IsDebugged
; Check 3: same flag read by hand: TEB (fs:0x18) -> PEB (+0x30) -> BeingDebugged (+0x2).
XOR eax, eax
!MOV eax, [fs:0x18]              ; eax = TEB self pointer
!MOV eax, DWORD [ds:eax+0x30]    ; eax = PEB
!MOVZX eax, BYTE [ds:eax+0x2]    ; eax = PEB->BeingDebugged
TEST eax, eax
JNE @Detected
;FindWindows for ollydbg
; Check 4: a top-level window of class "OLLYDBG" exists -> non-zero HWND.
FindWindow_("OLLYDBG",0)
TEST eax, eax
JNE @Detected
;software breakpoint detection into MessageBox API
; Check 5: scan 0x13 bytes starting at @Detected for a 0xCC (int3) byte.
; NOTE(review): despite the comment above, edi = @Detected, so this scans
; this procedure's own code, not a MessageBox API stub.  A legitimate 0xCC
; inside an immediate or displacement in that range is a false positive.
CLD                              ; SCASB walks upward
MOV edi, @Detected               ; edi = scan start (advanced by SCASB)
MOV ecx, 0x13                    ; ecx = byte count (consumed by SCASB)
MOV al,0xcc                      ; al = pattern (int3)
REPNE SCASB                      ; stops on match (ZF=1) or when ecx reaches 0
JZ @Detected                     ; ZF set only if a 0xCC was found
;hardware breakpoint detection
; Check 6: install a temporary SEH record {next, HwBpHandler} on the stack,
; raise #DE with a divide by zero, and let HwBpHandler (below) inspect
; Dr0-Dr3 in the CONTEXT.  The handler sets Context.Eax = -1 when any of
; them is non-zero, advances Context.Eip, and execution resumes here with
; eax still 0 unless the handler changed it.
; NOTE(review): two things need checking against the linked bytes:
;   (1) HwBpHandler adds 6 to Context.Eip, which points at the faulting DIV;
;       `div eax` is 2 bytes and `pop dword [fs:0]` (disp32 form) is 7, so
;       +6 does not obviously land on an instruction boundary.
;   (2) after `POP DWORD [fs:0]` only the 4-byte handler slot remains, so
;       `ADD esp, 8` appears to over-pop by 4.
; The handler is registered by a raw [fs:0] write, so this also relies on
; the image not being built with /SAFESEH.
PUSH HwBpHandler                 ; record.handler
!PUSH dword [fs:0]               ; record.next = current frame
!MOV DWORD [fs:0], esp           ; register the record
XOR eax, eax
DIV eax                          ; #DE -> HwBpHandler
!POP DWORD [fs:0]                ; unlink: restore the previous frame
NOP
NOP
NOP
ADD esp, 8                       ; discard the record slot(s) - see note (2)
TEST eax, eax                    ; -1 from the handler -> detected
JNE @Detected
;get write permissions for self-modifying code
; Make the 4 bytes at @encrypted_code writable:
;   VirtualProtect(@encrypted_code, 4, PAGE_EXECUTE_READWRITE, &oldProtect)
; The first PUSH esp reserves the oldProtect slot; the second pushes that
; slot's address.  _VirtualProtect@16 is stdcall and pops its 4 arguments;
; POP eax then drops the slot (eax = old protection, which is never restored,
; so the region stays RWX).
XOR esi, esi                     ; redundant: esi is overwritten two lines below
XOR ecx, ecx                     ; redundant: ecx is reloaded before the loop
MOV esi, @encrypted_code
PUSH esp                         ; slot that receives the old protection
PUSH esp                         ; lpflOldProtect = address of that slot
PUSH #PAGE_EXECUTE_READWRITE     ; flNewProtect
PUSH 0x4                         ; dwSize
PUSH esi                         ; lpAddress
CALL _VirtualProtect@16
POP eax                          ; drop the slot
;self-modifying code
; Decrypt the 4 bytes in place: each byte XOR al, where al = 0x34 (low byte
; of the 0x1234 "key").  0x5e 0x04 0xdf 0x34 -> 0x6a 0x30 0xeb 0x00, i.e.
; `push 0x30` followed by `jmp short +0`.
MOV eax, 0x1234 ;key
MOV ecx, @encrypted_code         ; ecx = current byte
!@loop_decryption:
XOR [ecx], al ;very simple algorithm
INC ecx
CMP ecx, @encrypted_code + 0x4   ; 4 bytes in total
JNE @loop_decryption
!@encrypted_code:
DB 0x5e, 0x4 ;push 30h
DB 0xdf, 0x34 ;jmp at next instruction
POP eax                          ; discard the 0x30 pushed by the decrypted code
JMP skiip                        ; every check passed
!@Detected:
; Shared target of every check: return 1.
MOV eax, 1
ProcedureReturn
!skiip:
; Clean exit: return 0 (bare RET - see the header note).
XOR eax, eax
RET
!@eip_manipulate:
; Used by check 2: [esp] is the return address; adding 5 makes RET resume
; after the 5-byte decoy MOV that follows the CALL.
ADD dword [esp], 5
RET
!HwBpHandler:
; Frame-based SEH handler for check 6.  Arguments on the stack are
; ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext, so
; [esp+0xc] is the x86 CONTEXT: Dr0..Dr3 at +0x4..+0x10, Eax at +0xb0,
; Eip at +0xb8.  Returns 0 (ExceptionContinueExecution).
XOR eax, eax                     ; redundant: overwritten by the next MOV
MOV eax, [esp + 0xc] ; This is a CONTEXT structure on the stack
CMP DWORD [eax + 0x4], 0 ; Dr0
JNE bpFound
CMP DWORD [eax + 0x8], 0 ; Dr1
JNE bpFound
CMP DWORD [eax + 0xc], 0 ; Dr2
JNE bpFound
CMP DWORD [eax + 0x10], 0 ; Dr3
JNE bpFound
JMP retFromException
!bpFound:
MOV DWORD [eax + 0xb0], -1 ; HW bp found - Context.Eax = -1, read by TEST after resume
!retFromException:
ADD DWORD [eax + 0xb8], 6        ; Context.Eip += 6 to step past the faulting DIV - see note (1) at check 6
XOR eax, eax                     ; ExceptionContinueExecution
RET
;force the compiler to add this function
; Unreachable (every path above has already returned); it only makes the
; compiler import VirtualProtect so _VirtualProtect@16 resolves.
VirtualProtect_(0,0,0,0)
EndProcedure
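EnableDebugger
DisableASM
; Entry point: run the inline-asm checks once and show the verdict.
; anti_debugging() returns 1 (in eax) when any check fired, 0 otherwise.
If anti_debugging()
  MessageRequester(":(","Debugger detected!")   ; fixed typo in the user-facing text ("detectd")
Else
  MessageRequester(":)","Perfect!")
EndIf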
but this does not really protect your application:
patch.1337
>test22.exe
000010B1:0F->90
000010B2:85->90
000010B3:B0->90
000010B4:00->90
000010B5:00->90
000010B6:00->90
000010CF:0F->90
000010D0:84->90
000010D1:92->90
000010D2:00->90
000010D3:00->90
000010D4:00->90
000010E6:75->90
000010E7:7F->90
000010FA:75->90
000010FB:6B->90
interested in Cybersecurity..