Go Back   Exetools > General > Source Code


Thread Tools Display Modes
Old 06-19-2022, 21:34
Mahmoudnia's Avatar
Mahmoudnia Mahmoudnia is offline
Join Date: Nov 2012
Posts: 232
Rept. Given: 64
Rept. Rcvd 144 Times in 50 Posts
Thanks Given: 200
Thanks Rcvd at 306 Times in 101 Posts
Mahmoudnia Reputation: 100-199 Mahmoudnia Reputation: 100-199
[C++] Simple Anti-Debug trick

Hello guys

I was working with ThunderSoft DRM a few days ago.

The interesting thing I found was a simple debugger identification technique (Not Directly) that I decided to implement in C++ programming language after analysis.

These steps are :
1- GetCommandLine (Retrieves the command-line)
2- Clean the GetCommandLine output
3- Pass the output to lpFileName in CreateFile
4- Use OPEN_EXISTING flag in dwCreationDisposition

So, if process was open in debugger, the handle of CreateFile is -1.
Attached Files
File Type: rar CreateFile-AntiDebug.rar (272.2 KB, 20 views)
Reply With Quote
The Following 3 Users Say Thank You to Mahmoudnia For This Useful Post:
niculaita (06-20-2022), NoneForce (07-19-2022)
Old 07-17-2022, 20:13
morgot morgot is offline
Join Date: Feb 2020
Posts: 21
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 9
Thanks Rcvd at 11 Times in 8 Posts
morgot Reputation: 0

In my system don't works.. I can't see attach, and re-write code:
call GetCommandLineA

mov ebx,eax ;save ptr cmdline 

xor ecx,ecx
push ecx ;hTemplateFile
push ecx ;dwFlagsAndAttributes
push OPEN_EXISTING ;dwCreationDisposition
push ecx
push ebx
call CreateFileA
Always return -1

But - if I remove quotes (insert after getcommandline call)
mov ebx,eax ;save ptr cmdline 
push eax
call lstrlenA
dec eax ;sub quote
mov byte ptr [ebx + eax],0 ;remove end quote
inc ebx ;remove start quote
it open file success under debuger.

x64dbg, win10.
Reply With Quote
The Following User Says Thank You to morgot For This Useful Post:
niculaita (07-19-2022)

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On

All times are GMT +8. The time now is 13:54.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )