I use WinDbg 6, but hopefully there is some method that works for all.
I would like to be able to disable certain potentially destructive functions, such as disk file writes and deletes, while debugging code that might use those functions.
Thanks, Robert
you could do it with conditional assembly :P
RalDebug = 1 ;set to 0 if debugging
;
;
;
.if RalDebug ;real build: perform the write
INVOKE WriteFile......
.else ;debug build: skip the write and report success
mov eax,TRUE
.endif
a more deluxified version - you could set the dwNumberOfBytesWritten value to whatever was in the 3rd parameter
maybe write a NotWrite function to do it for you
Commonly IsDebuggerPresent() (http://msdn.microsoft.com/en-us/library/windows/desktop/ms680345(v=vs.85).aspx) is used for such a purpose.
Thanks to dedndave & qWord. Looks as if both conditional assembly & IsDebuggerPresent() would work.
Conditional assembly is obvious once you think of it and I should have. It will meet my need easily. dedndave, you answered the question I should have asked.
qWord, you answered the question I thought I was asking - for a runtime way to determine - and while I haven't gone into details, it looks as if that might be useful too.
Thank you, Robert
here is a simple macro for IsDebuggerPresent
DEBUG_VERSION equ 1
Debug MACRO
.if DEBUG_VERSION
pusha ;preserve all registers around the API call
invoke IsDebuggerPresent
test eax,eax ;ZF set when no debugger is attached
popa ;popa does not touch the flags, so ZF survives
jz @F;NoDebug
db 0CCh ;int3 - breaks into the attached debugger
@F:
.endif
ENDM
Debug ; <=== execution stops here and debugging of this procedure starts
invoke wsprintf,addr @Result,addr szFrm,eax
invoke MessageBox,0,addr @Result,0,MB_OK
Quote from: shlomok on April 21, 2012, 09:02:09 PM
There is an official paper by Microsoft research
that is not true! Furthermore its content has nothing to do with raleeper's question.
Quote from: qWord on April 21, 2012, 09:17:26 PM
Quote from: shlomok on April 21, 2012, 09:02:09 PM
There is an official paper by Microsoft research
that is not true! Furthermore its content has nothing to do with raleeper's question.
Ok, I agree that might have been misleading, a better description would be a paper by a researcher at Microsoft.
Why does it have nothing to do with his question??? Quote from the paper:
d. Special APIs
i. IsDebuggerPresent
The kernel32 IsDebuggerPresent() function was introduced in Windows 95. It returns TRUE if a debugger is present. Internally, it simply returns the value of the
PEB->BeingDebugged flag.
Example code looks like this:
call IsDebuggerPresent
test al, al
jne being_debugged
Some packers avoid using the kernel32 IsDebuggerPresent() function ...
Are you worried that he will read the rest of the paper? nothing is going to happen, on the contrary he will be more knowledgeable and a better programmer.
S.
Quote: ANTI-UNPACKER TRICKS
that is not what he asked for ... but you're right, the function is described.
Quote from: qWord on April 21, 2012, 09:44:58 PM
Quote: ANTI-UNPACKER TRICKS
that is not what he asked for ... but you're right, the function is described.
Now you are misleading.
Peter is the head of the Malware Research and Response at Microsoft and the paper describes
COUNTERMEASURES against "anti unpacker tricks".
Quote from: shlomok on April 21, 2012, 09:52:25 PM
Now you are misleading.
Peter is the head of the Malware Research and Response at Microsoft and the paper describes COUNTERMEASURES against "anti unpacker tricks".
fantastic, but that is not what raleeper asked for!
Quote from: qWord on April 21, 2012, 10:00:34 PM
fantastic, but that is not what raleeper ask for!
qWord,
I have THAT much respect for you, so, I agree again, this is not exactly what he asked for.
Quote from: shlomok on April 21, 2012, 10:06:30 PM
I have THAT much respect for you, so, I agree again, this is not exactly what he asked for.
sorry for being so harsh.
The problem with your (and zemtex's) posts is that they make a legitimate question dubious (IMO).
Quote from: zemtex on April 21, 2012, 08:37:43 PM
If you are the one who is going to debug your own program, it is enough to use IsDebuggerPresent, but if you need to determine whether another player has neutralized IsDebuggerPresent, you can debug your own application programmatically; when you debug it, check if IsDebuggerPresent returns 0. If it does, then it is neutralized and is being debugged against your wish. It is very easy to neutralize it with VirtualAllocEx and CreateRemoteThread (or DLL injection, for that matter).
Useful related information. I am debugging my own program, and after dedndave reminded me of conditional assembly, I realize that I need to prevent faulty code from corrupting files whether or not I am running it in a debugger, and conditional assembly makes that easy.
IF AppName NE "lfwStable"...
(have to look up exact syntax).
But I have filed your reply for future reference.
Thanks, Robert
It's @FileName:
ifidni @FileName, <lfwStable> ;@FileName = base name of the source file being assembled
% echo @FileName is the stable one ;% expands the text macro before echo sees it
.err ;deliberately stops the build to show the branch was taken
endif
shlomok and zemtex,
Please do not move the discussions into the grey area of unpacking and anti debugging tricks...
Quote from: jj2007 on April 22, 2012, 12:04:46 AM
It's @FileName:
ifidni @FileName, <lfwStable>
% echo @FileName is the stable one
.err
endif
Doesn't work for me because the filename is always "lfw.asm" regardless of version. I could change that, of course, but I can also do what dedndave first suggested:
RalDebug = 1 ;set to 0 if debugging
or as I will actually do:
StableVer = 1 ;for the stable version...
(etc.)
Using different filenames might simplify keeping track of the different versions, but it would complicate the assembly (I'd have to have a separate batch file to assemble lfwStable).
Thanks, Robert
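Putting dedndave's build-time switch together with the "deluxified" stub he describes (a NotWrite that fills in dwNumberOfBytesWritten from the 3rd parameter) and the StableVer equate Robert settles on, here is an added example written for this thread; it is not code posted by anyone in it. NoWriteFile, SafeWriteFile and hOut are hypothetical names, and the masm32 include paths are assumed.

```masm
; Added example (not from the thread). StableVer = 1 builds the real program,
; StableVer = 0 builds a version that can never touch a file on disk.
.686
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

StableVer = 0            ; 1 = stable build, real writes; 0 = debug build, writes stubbed

.data
szText    db "hello", 13, 10          ; constructed sample payload
szTextLen = $ - szText
.data?
hOut      dd ?
dwWritten dd ?

.code
; Hypothetical stub with WriteFile's parameter list. It never writes anything,
; but reports success and "wrote" every byte requested, so the code under test
; sees exactly what it would see from a successful WriteFile.
NoWriteFile proc hFile:DWORD, lpBuffer:DWORD, nBytes:DWORD, lpWritten:DWORD, lpOverlapped:DWORD
    mov ecx, lpWritten
    .if ecx != 0
        mov eax, nBytes      ; dwNumberOfBytesWritten := nNumberOfBytesToWrite
        mov [ecx], eax
    .endif
    mov eax, TRUE            ; same return value as a successful WriteFile
    ret
NoWriteFile endp

; Assembly-time choice (IF/ELSE/ENDIF, not the runtime .if): the rest of the
; program only ever names SafeWriteFile, so no call site needs to change.
IF StableVer
    SafeWriteFile TEXTEQU <WriteFile>
ELSE
    SafeWriteFile TEXTEQU <NoWriteFile>
ENDIF

start:
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov hOut, eax
    invoke SafeWriteFile, hOut, addr szText, szTextLen, addr dwWritten, NULL
    ; in the debug build eax = TRUE and dwWritten = 7, yet nothing was written
    invoke ExitProcess, 0
end start
```

The same pattern covers DeleteFile or any other destructive API: give the stub the real function's parameter list and return values, and switch the name with IF StableVer.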