Anti-Debug Library

[Guy]

I was working on a little anti-debug library, which may be very useful when writing an anti-cheat:

http://majii.wordpress.com/2009/07/0...ug-techniques/

[MentaL]

[Demantor]

Nice, xD ...

[ThievingSix]

Ahh the formatting!

[Guy]

Ahh the formatting!

Undocumented and sloppy; just the way I like it.

[Team Lion]

Eeek. Are there no tabs available on WordPress or something?

Just kidding, like I care it's still readable. Nice contribution.

[Donald Duck]

Nice one. I'll change the formatting though.

[Tman151]

Bad formatting, nice code.
Thanks again.

[PaulBub]

That's nice, would be great in an anti-debug ( or an anti-hack ) class ;)

Your blog is really interesting!

[PaulBub]

That's nice, would be great in an anti-debug ( or an anti-hack ) class ;)

Your blog is really interesting!

[Guy]

Oops, I forgot to mention that WordPress strips the tabbing/spaces everyone; most IDE's will fix that, but just in case..

Code:

#include <windows.h>
#include <strsafe.h>
#include <tlhelp32.h>

#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN

bool DebugBit = TRUE;
int countExceptions = 0;

char GetBeingDebugged( )
{
	char BeingDebuggedBit;
	__asm {
		MOV EAX,DWORD PTR FS:[0x30]
		XOR EAX, 0x2
		SUB EBX, EBX
		XOR BL, [EAX]
		MOV BeingDebuggedBit, BL
	};
	return( BeingDebuggedBit );
}

char GetNtGlobalFlags( )
{
	char *NtGlobalFlags;
	__asm {
		MOV EAX, FS:[0x30] 
		MOV EAX, [EAX+0x68]
		MOV [NtGlobalFlags], EAX
	};
	return( ( char ) NtGlobalFlags );
}

char GetHeapFlags( )
{
	char *HeapFlags;
	__asm {
		MOV EAX, FS:[0x30]
		MOV EAX, [EAX+0x18]
		MOV EAX, [EAX+0x10]
		MOV [HeapFlags], EAX
	};
	return ( ( char ) HeapFlags );
}

LONG WINAPI suefDebugCheck( struct _EXCEPTION_POINTERS *excInfo ) {
	DebugBit = FALSE;
	countExceptions++;
	return( EXCEPTION_CONTINUE_EXECUTION );
}

void suefTrick( void )
{
	countExceptions = 1 / countExceptions;
}

void swapDebug( void )
{
	MessageBox( 0, "Debugger not found.", "Success?", MB_OK );
	DebugBit = FALSE;
}

void __inline antiDebug( void )
{
	DWORD beginTime = GetTickCount( );
	__try {
	__asm INT 0x2D
	} __except( true ) {
		DebugBit = FALSE;
	}
	if( DebugBit == TRUE )
		exit( 0x00000005 );

	if( ( int ) GetNtGlobalFlags( ) == 0x70 )
		exit( 0xFFFFFFFB );
// broken on vista sp1 x64
	if( ( int ) GetBeingDebugged( ) == TRUE )
		exit( 0x04012AD0 );
//end

	if( ( int ) GetHeapFlags( ) != 0 )
		exit( 0xFFFFFFFF );

	if( IsDebuggerPresent( ) != 0 )
		exit( 0x21473361  );

	CheckRemoteDebuggerPresent( GetCurrentProcess( ), ( PBOOL ) &DebugBit );
	if( DebugBit == TRUE )
		exit( 0xC0000005 );


// broken on vista sp1 x64
	SetUnhandledExceptionFilter( suefDebugCheck );
	suefTrick( );
	if( DebugBit == TRUE )
		exit( 0x041A9C35 );
//end

	SetLastError( 0xC0000005 );
	OutputDebugString( "" );
	if( GetLastError( ) == 0xC0000005 )
		exit( 0x9348134F );

	// Requires admin access
	typedef NTSTATUS ( NTAPI *NSIT )( HANDLE, UINT, PVOID, ULONG );
	NSIT NtSetInformationThread = ( NSIT )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtSetInformationThread" );
	NtSetInformationThread( GetCurrentProcess( ), 0x11, 0, 0 );
	// End

	__try {
		CloseHandle( ( HANDLE ) 0xFF );
	} __except( true ) {
		exit( 0x00000006 );
	}

	__try {
		__asm	INT 3;
	} __except( true ) {
		DebugBit = FALSE;
	}
	if( DebugBit == TRUE )
		exit( 0x0ADE0005 );

	if( GetTickCount( ) != beginTime )
		exit( 0xD000BE05 );


	typedef NTSTATUS ( WINAPI *NQIP )( HANDLE, LONG, PVOID, ULONG, PULONG );
	NQIP NtQueryInformationProcess = ( NQIP )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtQueryInformationProcess" );
	int returnValue = 0;
	NtQueryInformationProcess( GetCurrentProcess( ), 0x7, &returnValue, 4, 0 );
	if( returnValue != 0 )
		exit( 0xCCCCCCCC );

	__try {
		DebugBreak( );
	} __except( true ) {
		DebugBit = FALSE;
	}
	if( DebugBit == TRUE )
		exit( 0x9000000D );
}

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
	antiDebug( );
	if( DebugBit == TRUE )
		return( EXIT_FAILURE );

	MessageBox( 0, "Debugger not found.", "Success?", MB_OK );

	return( EXIT_SUCCESS );
}

Also, thanks to T6 for identifying some broken anti-debug features; I just setup a copy of Vista in my VM the other day, and I'll try to fix any problems ASAP.

[Guy]

Update: http://majii.wordpress.com/2009/07/1...ted-for-vista/

Temporary fix for Vista.

[Guy]

Final Vista revisions and many, many new techniques introduced: http://majii.wordpress.com/2009/07/1...sta-revisions/

Now there's three ways to check if the anti-debug code is not executed in entirety, compared to the original one.

[Guy]

x64-compatible, re-organization, and stability fixes: http://majii.wordpress.com/2009/07/1...64-compatible/

[Guy]

Reorganization, compatible w/x86 where intrinsics are not available: http://majii.wordpress.com/2009/07/1...vision-0-413b/