#1
[C++] Simple Anti-Debug trick
Hello guys
I was working with ThunderSoft DRM a few days ago. The interesting thing I found was a simple debugger identification technique (not directly) that I decided to implement in the C++ programming language after analysis. These steps are:
1- GetCommandLine (retrieves the command line)
2- Clean the GetCommandLine output
3- Pass the output to lpFileName in CreateFile
4- Use the OPEN_EXISTING flag in dwCreationDisposition
So, if the process was opened in a debugger, the handle returned by CreateFile is -1.
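An added C++ example of steps 2 to 4 (not code from the thread or from ThunderSoft): it cleans the raw command line and then attempts the OPEN_EXISTING open; the non-Windows branch that uses fopen() in place of CreateFileA is an assumption made so the cleaning logic can be run anywhere, and the sample command lines are constructed.

```cpp
// Added example (not from the thread): steps 2-4 of the check, cleaning the
// raw command line and then trying an OPEN_EXISTING open of the result.
#include <cstdio>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Reduce a raw command line such as  "C:\dir\app.exe" arg1  to  C:\dir\app.exe
std::string clean_command_line(const std::string& cmd) {
    size_t start = cmd.find_first_not_of(" \t");
    if (start == std::string::npos) return "";
    std::string s = cmd.substr(start);
    if (s[0] == '"') {
        // Quoted path: everything up to the closing quote (same effect as the
        // "remove start quote / remove end quote" patch in the reply).
        size_t end = s.find('"', 1);
        return end == std::string::npos ? s.substr(1) : s.substr(1, end - 1);
    }
    // Unquoted path: the first whitespace-delimited token.
    size_t end = s.find_first_of(" \t");
    return end == std::string::npos ? s : s.substr(0, end);
}

// Steps 3 and 4: can the path be opened with OPEN_EXISTING? True when the
// handle is valid, false when CreateFileA returns INVALID_HANDLE_VALUE (-1).
bool path_opens(const std::string& path) {
#ifdef _WIN32
    HANDLE h = CreateFileA(path.c_str(), GENERIC_READ,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr,
                           OPEN_EXISTING, 0, nullptr);
    if (h == INVALID_HANDLE_VALUE) return false;
    CloseHandle(h);
    return true;
#else
    // Assumption for non-Windows builds: fopen() stands in for CreateFileA so
    // the cleaning logic can be exercised anywhere.
    std::FILE* f = std::fopen(path.c_str(), "rb");
    if (!f) return false;
    std::fclose(f);
    return true;
#endif
}

// The whole check. With clean=false the quotes stay in the path, and a Windows
// path containing quote characters is invalid and never opens, debugger or not.
bool open_existing_check(const std::string& raw_cmdline, bool clean) {
    return path_opens(clean ? clean_command_line(raw_cmdline) : raw_cmdline);
}
```

The un-cleaned quoted form fails before any debugger is involved, so that is the first thing to verify when a check like this does not behave as expected.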
#2
On my system it doesn't work. I can't see attach, and I re-wrote the code:
Code:
call GetCommandLineA
mov ebx, eax                            ; save ptr to cmdline
xor ecx, ecx
push ecx                                ; hTemplateFile
push ecx                                ; dwFlagsAndAttributes
push OPEN_EXISTING                      ; dwCreationDisposition
push ecx                                ; lpSecurityAttributes
push FILE_SHARE_READ + FILE_SHARE_WRITE ; dwShareMode
push GENERIC_READ                       ; dwDesiredAccess
push ebx                                ; lpFileName
call CreateFileA

But - if I remove quotes (insert after getcommandline call)
Code:
mov ebx, eax                            ; save ptr to cmdline
push eax
call lstrlenA
dec eax                                 ; sub quote
mov byte ptr [ebx + eax], 0             ; remove end quote
inc ebx                                 ; remove start quote

x64dbg, win10.