Code:
; debug api test
;================
; Debugger-presence check for 32-bit Windows, MASM syntax (uses the .if/.else/.endif
; high-level directives). Chooses a Win9x or NT code path from the CS selector, then
; ORs the result of every check on that path into Detected.
;
; In:     nothing in registers; reads CS and FS-relative per-thread data
; Out:    Is9x     = 1 if the 9x path is taken, else 0 (written by setg)
;         Detected = OR-accumulated, nonzero if any check fired. It is never
;                    cleared here, so it must be zeroed before this fragment runs.
; Clobb:  eax, flags; ebx on the 9x path only (not saved or restored here)
; NOTE(review): Is9x and Detected are declared outside this fragment; byte size is
;               inferred from the `setg Is9x` / `or Detected,al` operand forms.
;
; Platform heuristic: a CS selector above 0FFh is treated as Win9x. setg is a signed
; compare on ax.
; NOTE(review): 32-bit NT user mode normally runs with a small flat CS selector (1Bh);
;               the "9x uses larger selectors" assumption should be confirmed on the
;               targets that matter.
mov eax,cs
cmp ax,0FFh
setg Is9x
.if Is9x
;; structures are documented by EliCZ
; The offsets and field names below are the author's labels for the 9x TIB/PDB
; layout, not taken from an official header. TODO confirm against that reference.
;
; 9x check 1: TIB.DebugContext is non-zero.
mov eax,fs:[20h];TIB.DebugContext
test eax,eax
; al = 1 if the field is non-zero, else 0
setnz al
or Detected,al
; 9x check 2: bit 0 (fDebugSingle) of the process database flags is set.
; ebx keeps the PDB pointer for check 3.
mov ebx,fs:[30h];TIB.pParentPDB
mov eax,[ebx+20h];[ebx].PDB.flags
and eax,1;fDebugSingle equ 1
or Detected,al
; 9x check 3: PDB.DebuggeeCB is non-zero. The author tags this as the field
; IsDebuggerPresent reads on 9x (not verifiable from this fragment).
mov eax,[ebx+54h];[ebx].PDB.DebuggeeCB :IsDebuggerPresent
test eax,eax
setnz al
or Detected,al
.else
;; ddk
; NT path: a single check, the same byte the IsDebuggerPresent API returns.
; PEB.BeingDebugged lives in the process's own writable memory, so a zero here is
; only a weak signal: anything running in or attached to the process can clear it.
mov eax,fs:[30h];TEB.pPEB ; pointer to PEB
; The byte is ORed in as-is (not normalised to 0/1), so Detected may hold any
; non-zero value afterwards.
movzx eax,byte ptr [eax+2];[eax].PEB.BeingDebugged :IsDebuggerPresent
or Detected,al
.endif
You can't patch DebugContext in 9x,
whereas BeingDebugged can be patched (see upb's 1st post).
The debug API in 9x sucks;
for example, try to trace (single-step) this:
not esp
not esp
*crash*
Forget about 9x and support only NT (it's only an unpacker; the unpacked exe must work on both).