anti debug trick

Started by zarathustra, January 21, 2012, 03:22:03 PM

zarathustra

I am thinking of a trick, but I am not sure if it is possible; I need your point of view or your comments.
There are a few anti-debugging tricks; the most well known is of course IsDebuggerPresent. It is a very basic API exported from KERNEL32.DLL:
BOOL IsDebuggerPresent(VOID)
The function is called without any parameter and returns in EAX a nonzero value if the current process is running in the context of a debugger; otherwise it returns zero.
Most reversers can bypass this call easily.
But I am thinking of a strange trick: is it possible for a process (with a self memory inspecting technique, hooking, or something related to threading) to catch/read the returned value (or any value) during the execution of the API, before the return to our main program context, and save it somewhere in memory?
This way I can let the cracker modify the return value in his debugger (the EAX register), but I have saved the correct value in memory and I can perform a manual check.
Of course, I know where I have to read this value from: the beginning of the API code (or the beginning of the DLL?).
In fact I am not searching for the best anti-debug trick, but I want to know if it is possible to read a value (register or memory) from the DLL memory space before the API returns to main.
I note that I am not trying to write virus techniques, but I am studying in the context of a reverse malware engineering training, and I am really interested in all things related to memory, self-modifying programs, polymorphism/metamorphism, anti-debug tricks and all stuff related to low-level.

--
Zarathustra

ragdog

This is the simple debugger trick;
many Olly plugins can hide this by patching this result.

And now say this API: debugger not present ::)


BogdanOntanu

Unfortunately, we cannot know if your real interest is not for malware in disguise.

Because of this, reversing topics are not allowed in here.
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro