Anti-Debug Library

  1. #1
    Account Upgraded | Title Enabled! Guy is offline
    MemberRank
    Apr 2009 Join Date
    919Posts

    Anti-Debug Library

    I was working on a little anti-debug library, which may be very useful when writing an anti-cheat:

    http://majii.wordpress.com/2009/07/0...ug-techniques/


  2. #2
    Sultan of Yolo Demantor is offline
    MemberRank
    May 2008 Join Date
    GermanyLocation
    1,266Posts

    Re: Anti-Debug Library

    Nice, xD ...

  3. #3
    Reverse Engineer ThievingSix is offline
    MemberRank
    Mar 2007 Join Date
    CaliforniaLocation
    901Posts

    Re: Anti-Debug Library

    Ahh the formatting!

  4. #4
    Account Upgraded | Title Enabled! Guy is offline
    MemberRank
    Apr 2009 Join Date
    919Posts

    Re: Anti-Debug Library

    Quote Originally Posted by ThievingSix:
    Ahh the formatting!
    Undocumented and sloppy; just the way I like it.

  5. #5
    Valued Member Team Lion is offline
    MemberRank
    Apr 2009 Join Date
    110Posts

    Re: Anti-Debug Library

    Eeek. Are there no tabs available on WordPress or something?

    Just kidding, like I care it's still readable. Nice contribution.

  6. #6
    Member Donald Duck is offline
    MemberRank
    Jun 2009 Join Date
    USA.Location
    95Posts

    Re: Anti-Debug Library

    Nice one. I'll change the formatting though.

  7. #7
    Account Upgraded | Title Enabled! Tman151 is offline
    MemberRank
    May 2009 Join Date
    CaliforniaLocation
    306Posts

    Re: Anti-Debug Library

    Bad formatting, nice code.
    Thanks again.

  8. #8
    Account Upgraded | Title Enabled! PaulBub is offline
    MemberRank
    Apr 2009 Join Date
    316Posts

    Re: Anti-Debug Library

    That's nice, would be great in an anti-debug ( or an anti-hack ) class ;)

    Your blog is really interesting!

  10. #10
    Account Upgraded | Title Enabled! Guy is offline
    MemberRank
    Apr 2009 Join Date
    919Posts

    Re: Anti-Debug Library

    Oops, I forgot to mention that WordPress strips the tabbing/spaces everywhere; most IDEs will fix that, but just in case:

    Code:
    #define WIN32_LEAN_AND_MEAN
    #define VC_EXTRALEAN
    #include <windows.h>
    #include <winternl.h>
    #include <stdlib.h>
    #include <strsafe.h>
    #include <tlhelp32.h>
    
    // 32-bit MSVC only: the __asm blocks and the FS:[0x30] / PEB offsets are x86.
    // BOOL rather than bool: CheckRemoteDebuggerPresent writes a 4-byte BOOL.
    BOOL DebugBit = TRUE;
    int countExceptions = 0;
    
    // PEB->BeingDebugged lives at PEB+0x2; XOR with 2 is used instead of ADD to hide the offset.
    char GetBeingDebugged( )
    {
    	char BeingDebuggedBit;
    	__asm {
    		MOV EAX, DWORD PTR FS:[0x30]
    		XOR EAX, 0x2
    		SUB EBX, EBX
    		XOR BL, [EAX]
    		MOV BeingDebuggedBit, BL
    	};
    	return( BeingDebuggedBit );
    }
    
    // PEB->NtGlobalFlag (PEB+0x68 on x86); the low byte holds the 0x70 heap-debug flags.
    char GetNtGlobalFlags( )
    {
    	DWORD NtGlobalFlags;
    	__asm {
    		MOV EAX, FS:[0x30]
    		MOV EAX, [EAX+0x68]
    		MOV NtGlobalFlags, EAX
    	};
    	return( ( char ) NtGlobalFlags );
    }
    
    // PEB->ProcessHeap (PEB+0x18), then HEAP->ForceFlags: +0x10 on XP, +0x44 on Vista.
    // ForceFlags is 0 normally and non-zero (0x40000060) when the process was started under a debugger.
    char GetHeapFlags( )
    {
    	DWORD HeapFlags;
    	__asm {
    		MOV EAX, FS:[0x30]
    		MOV EAX, [EAX+0x18]
    		MOV EAX, [EAX+0x10]
    		MOV HeapFlags, EAX
    	};
    	return( ( char ) HeapFlags );
    }
    
    // Unhandled-exception filter: only reached when no debugger takes the second-chance exception.
    // Clears the flag and lets the faulting instruction re-execute.
    LONG WINAPI suefDebugCheck( struct _EXCEPTION_POINTERS *excInfo )
    {
    	DebugBit = FALSE;
    	countExceptions++;
    	return( EXCEPTION_CONTINUE_EXECUTION );
    }
    
    // Deliberate divide by zero on the first call (countExceptions is 0); the filter bumps it to 1
    // so the retried division succeeds.
    void suefTrick( void )
    {
    	countExceptions = 1 / countExceptions;
    }
    
    void __inline antiDebug( void )
    {
    	DWORD beginTime = GetTickCount( );
    	BOOL remoteDebugger = FALSE;
    
    	// INT 2D: with no debugger the exception reaches our handler; with one attached it is
    	// swallowed by the debugger and the flag stays TRUE.
    	__try {
    		__asm INT 0x2D
    	} __except( EXCEPTION_EXECUTE_HANDLER ) {
    		DebugBit = FALSE;
    	}
    	if( DebugBit == TRUE )
    		exit( 0x00000005 );
    
    	// FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS;
    	// test the bits rather than the whole byte so unrelated flags cannot hide a hit.
    	if( ( GetNtGlobalFlags( ) & 0x70 ) != 0 )
    		exit( 0xFFFFFFFB );
    
    // broken on vista sp1 x64
    	if( GetBeingDebugged( ) != 0 )
    		exit( 0x04012AD0 );
    //end
    
    	if( GetHeapFlags( ) != 0 )
    		exit( 0xFFFFFFFF );
    
    	if( IsDebuggerPresent( ) != 0 )
    		exit( 0x21473361 );
    
    	// Needs a real BOOL target; writing through a bool* would clobber the neighbouring bytes.
    	CheckRemoteDebuggerPresent( GetCurrentProcess( ), &remoteDebugger );
    	if( remoteDebugger )
    		exit( 0xC0000005 );
    
    // broken on vista sp1 x64
    	// Every exception-based trick must start from TRUE; the earlier tricks already cleared it,
    	// otherwise the check below can never fire.
    	DebugBit = TRUE;
    	SetUnhandledExceptionFilter( suefDebugCheck );
    	suefTrick( );
    	if( DebugBit == TRUE )
    		exit( 0x041A9C35 );
    //end
    
    	// Under a debugger OutputDebugString succeeds and leaves the last-error value untouched.
    	SetLastError( 0xC0000005 );
    	OutputDebugStringA( "" );
    	if( GetLastError( ) == 0xC0000005 )
    		exit( 0x9348134F );
    
    	// Closing a bogus handle raises EXCEPTION_INVALID_HANDLE only while a debugger is attached.
    	__try {
    		CloseHandle( ( HANDLE ) 0xFF );
    	} __except( EXCEPTION_EXECUTE_HANDLER ) {
    		exit( 0x00000006 );
    	}
    
    	DebugBit = TRUE;
    	__try {
    		__asm INT 3
    	} __except( EXCEPTION_EXECUTE_HANDLER ) {
    		DebugBit = FALSE;
    	}
    	if( DebugBit == TRUE )
    		exit( 0x0ADE0005 );
    
    	// GetTickCount advances only every ~10-16 ms, so this also trips when a tick boundary
    	// happens to pass during the checks above, not just when someone single-steps them.
    	if( GetTickCount( ) != beginTime )
    		exit( 0xD000BE05 );
    
    	// ProcessDebugPort (7): non-zero when a debugger is attached.
    	typedef NTSTATUS ( WINAPI *NQIP )( HANDLE, LONG, PVOID, ULONG, PULONG );
    	NQIP pNtQueryInformationProcess = ( NQIP ) GetProcAddress( GetModuleHandleA( "ntdll.dll" ), "NtQueryInformationProcess" );
    	DWORD_PTR debugPort = 0;
    	if( pNtQueryInformationProcess != NULL )
    		pNtQueryInformationProcess( GetCurrentProcess( ), 0x7, &debugPort, sizeof( debugPort ), 0 );
    	if( debugPort != 0 )
    		exit( 0xCCCCCCCC );
    
    	DebugBit = TRUE;
    	__try {
    		DebugBreak( );
    	} __except( EXCEPTION_EXECUTE_HANDLER ) {
    		DebugBit = FALSE;
    	}
    	if( DebugBit == TRUE )
    		exit( 0x9000000D );
    
    	// ThreadHideFromDebugger (0x11) takes a thread handle, not a process handle, and needs no
    	// special privilege. Done last: once the thread is hidden its exceptions no longer reach the
    	// debugger, which would defeat the exception-based checks above.
    	typedef NTSTATUS ( NTAPI *NSIT )( HANDLE, UINT, PVOID, ULONG );
    	NSIT pNtSetInformationThread = ( NSIT ) GetProcAddress( GetModuleHandleA( "ntdll.dll" ), "NtSetInformationThread" );
    	if( pNtSetInformationThread != NULL )
    		pNtSetInformationThread( GetCurrentThread( ), 0x11, 0, 0 );
    }
    
    int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
    {
    	antiDebug( );
    	if( DebugBit == TRUE )
    		return( EXIT_FAILURE );
    
    	MessageBoxA( 0, "Debugger not found.", "Success?", MB_OK );
    
    	return( EXIT_SUCCESS );
    }
    Also, thanks to T6 for identifying some broken anti-debug features; I just set up a copy of Vista in my VM the other day, and I'll try to fix any problems ASAP.
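The post above is Windows/x86-only and leans on a shared flag plus exact GetTickCount() equality. The following is an added example, not code from the thread or from the majii library, showing the same three classes of check (debugger-attached query, timing, and "only one debugger per process") on Linux, where they can be compiled and run without a Windows SDK. It assumes Linux with /proc mounted; the status-file bodies in SAMPLE_STATUS_CLEAN and SAMPLE_STATUS_TRACED are constructed for the example, not captured from a real system.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/ptrace.h>

/* Constructed sample /proc/<pid>/status bodies (not captured from a real system). */
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tdemo\nState:\tR (running)\nTgid:\t1234\nPid:\t1234\nTracerPid:\t0\nUid:\t1000\n";
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tdemo\nState:\tt (tracing stop)\nTgid:\t1234\nPid:\t1234\nTracerPid:\t4242\nUid:\t1000\n";

/* Return the TracerPid field of a status body, or -1 if it is absent.
 * Non-zero means a ptrace tracer (gdb, strace, ...) holds the process:
 * the Linux counterpart of IsDebuggerPresent / ProcessDebugPort. */
long tracer_pid_from_status(const char *status)
{
    const char *line = status;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return -1;
}

/* The same check against the live process. */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Timing check with a threshold instead of exact tick equality, which fires
 * whenever a tick boundary happens to pass during the checks.
 * Returns 1 when the guarded region took longer than threshold_ns. */
int timing_check_tripped(long threshold_ns)
{
    struct timespec start, end;
    volatile unsigned acc = 0;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (int i = 0; i < 1000; i++)   /* stand-in for the protected code path */
        acc += (unsigned)i;
    clock_gettime(CLOCK_MONOTONIC, &end);
    long elapsed_ns = (end.tv_sec - start.tv_sec) * 1000000000L
                    + (end.tv_nsec - start.tv_nsec);
    return elapsed_ns > threshold_ns;
}

/* A process can have only one tracer, so asking to be traced by our parent
 * fails when a debugger is already attached. Side effect: on success the
 * process is now traced by its parent, so call this once, at startup. */
int ptrace_check_tripped(void)
{
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1;
}

int main(void)
{
    printf("TracerPid from /proc/self/status: %ld\n", current_tracer_pid());
    printf("timing check tripped (500 us threshold): %d\n", timing_check_tripped(500000L));
    printf("ptrace self-attach refused: %d\n", ptrace_check_tripped());
    return 0;
}
```

Run it plainly and then under gdb or strace: TracerPid becomes the tracer's pid, the ptrace self-attach is refused, and single-stepping the loop pushes the timing check past the threshold. The same caveat as the Windows version applies to all three: a tracer that knows the checks (ptrace emulation, patched /proc, or simply nopping the exits) gets past them, so they raise the cost rather than stop a determined reverser.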

  12. #12
    Account Upgraded | Title Enabled! Guy is offline
    MemberRank
    Apr 2009 Join Date
    919Posts

    Re: Anti-Debug Library

    Final Vista revisions and many, many new techniques introduced: http://majii.wordpress.com/2009/07/1...sta-revisions/

    Now there are three ways to check whether the anti-debug code is not executed in its entirety, compared to the original one.

  13. #13
    Account Upgraded | Title Enabled! Guy is offline
    MemberRank
    Apr 2009 Join Date
    919Posts

    Re: Anti-Debug Library

    x64-compatible, re-organization, and stability fixes: http://majii.wordpress.com/2009/07/1...64-compatible/

  14. #14
    Account Upgraded | Title Enabled! Guy is offline
    MemberRank
    Apr 2009 Join Date
    919Posts

    Re: Anti-Debug Library

    Reorganization, compatible w/x86 where intrinsics are not available: http://majii.wordpress.com/2009/07/1...vision-0-413b/
