I am thinking of a trick but I am not sure if it is possible; I need your point of view or your comment.
There are a few anti-debugging tricks; the most well-known is of course IsDebuggerPresent. It is a very basic API exported from KERNEL32.DLL:
BOOL IsDebuggerPresent(VOID)
The function is called without any parameter and returns in EAX a nonzero value if the current process is running in the context of a debugger; otherwise it returns zero.
Most reversers can bypass this call easily.
But I am thinking of a strange trick: whether it is possible for a process (with a self memory inspecting technique, hooking or something related to threading) to catch/read the returned value (or any value) during the execution of the API, before the return to our main program context, and save it somewhere in memory.
This way I can let the cracker modify the return value in his debugger (the EAX register), but I have saved the correct value in memory and I can perform a manual check.
Of course I know where I have to read this value from: the beginning of the API code (or the beginning of the DLL?).
I am not searching for the best anti-debug trick in fact, but I want to know if it is possible to read a value (register or memory) from the DLL memory space before the API returns to main.
I notify you that I am not trying to write virus techniques, but I am studying in the context of a reverse malware engineering training, and I am really interested in all things related to memory, self-modifying programs, polymorphism/metamorphism, anti-debug tricks and all stuff related to low level.
--
Zarathustra
This is the simplest debugger trick;
many Olly plugins can hide this by patching the result.
And now say this API "debugger not present" ::)
Unfortunately we cannot know if your real interest is not for malware in disguise.
Because of this, reversing topics are not allowed in here.