  #13  
03-01-2005, 23:15
JuneMouse
Well, what you posted about fs:[20] was documented somewhere on wasm.ru
when I searched.

Here is a snippet from there that I had saved:
Code:
        mov     ecx, fs:[20h]           ; read the DWORD at fs:[20h]
        jecxz   not_being_debugger      ; ECX = 0 -> take the "no debugger" branch
Dunno, never tried looking into it as I love my w2k.

The article is here:

http://wasm.ru/article.php?article=1017001


Also, there was some mention of fs:[60] in a Japanese page:

[Quoted Japanese text is unreadable due to a character-encoding error; the legible fragments are: OllyDbg, FS:[34] (Win2k/XP), FS:[60] (Win9x/Me), GetLastError, Windows2000/XP, API]

Some more storage of info: here is a URL to the code I pasted,
if someone wants to test it in 9x.

http://www.powerbasic.com/support/forums/Forum6/HTML/004517.html

Code:
#Include "Win32API.inc"                  '// OSVERSIONINFO, GetVersionEx, %VER_PLATFORM_WIN32_WINDOWS

Function IsDebuggerAttached() As Long
  Local vi      As OSVERSIONINFO
  Local IsWin9x As Long
  Local Dw      As Dword
  Local i       As Dword
  vi.dwOsVersionInfoSize = SizeOf(vi)
  GetVersionEx vi
  '// The original tested minor version = 0 Or <> 0, which reduces to the platform test alone
  IsWin9x = (vi.dwPlatformId = %VER_PLATFORM_WIN32_WINDOWS)
  If IsWin9x Then
    !push eax                        '// Preserve the registers
    !mov eax, fs:[&h18]              '// Get the TIB's linear address
    !mov eax, dword ptr [eax + &h20] '// Debugger Context for Win9x
    !mov dword ptr dw,  eax          '// Save it
    !pop eax                         '// Restore the registers
    If Dw Then
      Function = -1
    Else
      Function = 0
    End If
  Else
    !push eax                        '// Preserve the registers
    !push ecx
    !mov eax, fs:[&h18]              '// Get the TIB's linear address
    !mov eax, dword ptr [eax + &h30] '// TIB+30h holds the PEB pointer
    !mov ecx, dword ptr [eax]        '// Get the whole DWORD
    !mov dword ptr dw,  ecx          '// Save it
    !pop ecx                         '// Restore the registers
    !pop eax
    '// The 3rd byte is the byte we really need to check for the
    '// presence of a debugger.
    '// Check the 3rd byte
    i = dw And &h00010000???
    If i Then
      Function = -1
    Else
      Function = 0
    End If
  End If
End Function

Last edited by JuneMouse; 03-02-2005 at 00:01.
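For analysts who want to locate these checks in a binary, the following is an added example (not part of the original post, nor code from wasm.ru or the PowerBASIC forum) that scans a code buffer for the 32-bit x86 encodings of the reads shown above and reproduces the "3rd byte" mask test. The names `scan`, `flag_set`, `SIGNATURES` and `SAMPLE` are hypothetical, and the sample bytes are hand-assembled for illustration.

```python
import re

# Encodings of the 32-bit x86 reads used in the post (FS prefix = 0x64).
FS_TIB_SELF = rb"\x64\xa1\x18\x00\x00\x00"   # mov eax, fs:[18h]
SIGNATURES = [
    ("fs:[20h] read (Win9x check)",
     re.compile(rb"\x64\x8b\x0d\x20\x00\x00\x00")),              # mov ecx, fs:[20h]
    ("TIB+20h via fs:[18h] (Win9x check)",
     re.compile(FS_TIB_SELF + rb".{0,8}?\x8b\x40\x20", re.S)),   # mov eax, [eax+20h]
    ("TIB+30h via fs:[18h] (NT/2k/XP check)",
     re.compile(FS_TIB_SELF + rb".{0,8}?\x8b\x40\x30", re.S)),   # mov eax, [eax+30h]
]

def scan(code: bytes):
    """Return sorted (offset, label) pairs for every signature hit in code."""
    hits = []
    for label, rx in SIGNATURES:
        hits += [(m.start(), label) for m in rx.finditer(code)]
    return sorted(hits)

def flag_set(first_dword: int) -> bool:
    """The post's mask test: bit 16, i.e. bit 0 of the byte at offset 2."""
    return bool(first_dword & 0x00010000)

# Constructed sample: NOP padding around hand-assembled copies of both snippets.
SAMPLE = (
    b"\x90" * 4
    + b"\x64\x8b\x0d\x20\x00\x00\x00\xe3\x05"     # mov ecx, fs:[20h] / jecxz +5
    + b"\x90" * 5
    + b"\x50\x51"                                 # push eax / push ecx
    + b"\x64\xa1\x18\x00\x00\x00\x8b\x40\x30"     # mov eax, fs:[18h] / mov eax, [eax+30h]
    + b"\x8b\x08\x59\x58"                         # mov ecx, [eax] / pop ecx / pop eax
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Raw byte matching does not distinguish code from data, so each hit should be confirmed in a disassembler.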