Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   [C++] Simple Anti-Debug trick (https://forum.exetools.com/showthread.php?t=20180)

Mahmoudnia 06-19-2022 21:34

[C++] Simple Anti-Debug trick
1 Attachment(s)
Hello guys

I was working with ThunderSoft DRM a few days ago.

The interesting thing I found was a simple debugger identification technique (Not Directly) that I decided to implement in C++ programming language after analysis.

These steps are :
1- GetCommandLine (Retrieves the command-line)
2- Clean the GetCommandLine output
3- Pass the output to lpFileName in CreateFile
4- Use OPEN_EXISTING flag in dwCreationDisposition

So, if process was open in debugger, the handle of CreateFile is -1.

morgot 07-17-2022 20:13

In my system don't works.. I can't see attach, and re-write code:

call GetCommandLineA

mov ebx,eax ;save ptr cmdline

xor ecx,ecx
push ecx ;hTemplateFile
push ecx ;dwFlagsAndAttributes
push OPEN_EXISTING ;dwCreationDisposition
push ecx
push ebx
call CreateFileA

Always return -1

But - if I remove quotes (insert after getcommandline call)

mov ebx,eax ;save ptr cmdline
push eax
call lstrlenA
dec eax ;sub quote
mov byte ptr [ebx + eax],0 ;remove end quote
inc ebx ;remove start quote

it open file success under debuger.

x64dbg, win10.

All times are GMT +8. The time now is 00:50.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2022, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX