.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
; Initialised data. All strings below except AppName are NUL-terminated C strings
; passed to MessageBox / FindWindow by `start`.
; NOTE(review): AppName is not referenced anywhere in this file and has no ,0
; terminator - do not hand it to a C-string API as-is.
AppName db "Anti debugging and obfuscation techniques - Andrea Sindoni @invictus1306"
MsgBoxText db "Windows debugger detected!",0 ; lpText for the @Detected MessageBox
MsgBoxTitle db "Debugger detectd!",0 ; lpCaption for the @Detected MessageBox (shown to the user exactly as spelled here)
MsgBoxTextNot db "Windows debugger not detected!",0 ; lpText for the clean-path MessageBox
MsgBoxTitleNot db "Perfect!",0 ; lpCaption for the clean-path MessageBox
OllydbgFindWindow db "OLLYDBG",0h ; window class name handed to FindWindow as lpClassName
.data?
.code
start proc
; Program entry point (32-bit, flat model, stdcall Win32 API calls).
; Runs a chain of user-mode debugger checks in sequence; the first hit jumps to
; @Detected, otherwise the "not detected" path is decrypted in place and run.
; Every check here is a well-known heuristic that a debugger user can defeat
; (clear PEB->BeingDebugged / NtGlobalFlag, rename the OllyDbg window class,
; clear Dr0-Dr3 from the debugger, etc.), so treat this as a demonstration of
; the techniques, not as a hardening measure.
; Several steps depend on exact instruction lengths and hand-assembled bytes
; (see the per-line notes); do not reorder or re-encode instructions without
; re-checking those offsets.
JUNKBYTE MACRO
; CC FE are never executed: each use is preceded by a jmp $+4 that lands on the
; EB 00 (jmp $+2, a no-op). A linear-sweep disassembler decodes CC as int3 and
; FE as the start of a bogus instruction, desynchronising its listing.
db 0cch, 0feh, 0ebh, 00h
ENDM
;NtGlobalFlag - PEB!NtGlobalFlags
xor eax, eax
assume fs:nothing
mov eax, fs:[eax+30h] ; eax = PEB (TEB+30h)
mov eax, [eax+68h] ; eax = PEB->NtGlobalFlag
; 70h = FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
; FLG_HEAP_VALIDATE_PARAMETERS - set by the loader when the process is
; *created* under a debugger (not when one attaches later).
and eax, 70h
; EB 01 = jmp $+3: skips the 0FFh byte so the executed bytes are 85 C0
; (test eax, eax); a linear sweep instead sees FF 85 C0 .. and mis-decodes.
db 0ebh, 01h
db 0ffh, 085h, 0C0h ;junk byte - test eax, eax
jne @Detected
;obfuscation
db 0ebh, 02h ; jmp $+4 over the CC FE junk bytes of JUNKBYTE
JUNKBYTE
;IsDebuggerPresent first - kernel32!IsDebuggerPresent
call IsDebuggerPresent ; eax = PEB->BeingDebugged (0 or 1)
; @eip_manipulate adds 5 to its own return address, so the 5-byte
; `mov eax, 010h` (B8 10 00 00 00) is never executed and eax still holds
; IsDebuggerPresent's result. The decoy must stay exactly 5 bytes.
call @eip_manipulate ; change eip (point to next instruction)
mov eax, 010h ; decoy for static analysis; skipped at run time (see above)
cmp eax, 1
je @Detected
;IsDebuggerPresent second - PEB!IsDebugged
xor eax, eax
assume fs:nothing
mov eax, fs:[18h] ; eax = TEB (TEB->Self)
mov eax, DWORD PTR ds:[eax+30h] ; eax = TEB->ProcessEnvironmentBlock
movzx eax, BYTE PTR ds:[eax+2h] ; eax = PEB->BeingDebugged, the same byte IsDebuggerPresent reads
test eax, eax
jne @Detected
;FindWindows for ollydbg
push 0 ; lpWindowName = NULL
push offset OllydbgFindWindow ; lpClassName = "OLLYDBG"
; Non-NULL if any top-level window of that class exists on the desktop -
; an OllyDbg that is not attached to this process also trips it, and a
; renamed window class defeats it.
call FindWindow
test eax, eax
jne @Detected
;software breakpoint detection into MessageBox API
cld
mov edi, offset @Detected ; scan the @Detected handler's code bytes ...
mov ecx, 013h ; ... for 13h = 19 bytes (hand-computed; recheck if @Detected changes)
mov al,0cch ; INT3 opcode a debugger writes for a software breakpoint
repne scasb ; ZF=1 when a 0CCh byte was found before ecx ran out
; NOTE(review): a 0CCh byte inside an immediate or address operand of the
; scanned code (e.g. an `offset MsgBox...` address) would be a false positive.
jz @Detected
;hardware breakpoint detection
assume fs:nothing
push offset HwBpHandler ; EXCEPTION_REGISTRATION.Handler
push fs:[0] ; EXCEPTION_REGISTRATION.Next = current list head
mov DWORD PTR fs:[0], esp ; link our (frameless) record at the head of the SEH chain
xor eax, eax
; Deliberate #DE (EXCEPTION_INT_DIVIDE_BY_ZERO). HwBpHandler inspects
; Dr0-Dr3 in the passed CONTEXT, sets ctx->Eax = -1 if any is non-zero, and
; must advance ctx->Eip by exactly 2 (the length of `div eax`, F7 F0) so that
; execution resumes at the `pop` below; verify that against HwBpHandler.
div eax
pop DWORD PTR fs:[0] ; unlink: restore the previous head
add esp, 4 ; drop our Handler slot
test eax, eax ; eax was zeroed before the div; non-zero only if the handler set it
jnz @Detected
;get write permissions for self-modifying code
xor esi, esi ; dead write: esi is reloaded below before use
xor ecx, ecx ; dead write: ecx is reloaded below before use
mov esi, offset @encrypted_code
; NOTE(review): `push esp` pushes the pre-push esp, so lpflOldProtect points at
; whatever dword was on top of the stack here (the slot left by the process
; startup code). VirtualProtect overwrites that dword with the old protection.
; This is only harmless because start never returns (ExitProcess below); a
; dedicated local should be used instead.
push esp ; lpflOldProtect (see note)
push PAGE_EXECUTE_READWRITE ; flNewProtect: makes the code page writable+executable (itself a common EDR/AV heuristic)
push 04h ; dwSize = 4 bytes (protection applies to the whole page)
push esi ; lpAddress = @encrypted_code
; NOTE(review): the return value is not checked; if VirtualProtect fails, the
; XOR below writes to a read-only page and faults.
call VirtualProtect
;self-modifying code
mov eax, 1234h ;key (only al = 34h is used by the XOR below)
mov ecx, offset @encrypted_code
@loop_decryption:
xor [ecx], al ;very simple algorithm - byte-wise XOR with 34h
inc ecx
cmp ecx, @encrypted_code + 04h ; exactly the 4 encrypted bytes
jnz @loop_decryption
@encrypted_code:
db 05eh, 04h ;push 30h   - 5E 04 XOR 34 34 = 6A 30 (push 30h = MB_ICONWARNING, MessageBox uType)
db 0dfh, 34h ;jmp at next instruction - DF 34 XOR 34 34 = EB 00 (jmp $+2, no-op)
push offset MsgBoxTitleNot ; lpCaption
push offset MsgBoxTextNot ; lpText
push 0 ; hWnd = NULL
call MessageBox ; MessageBox(NULL, "Windows debugger not detected!", "Perfect!", MB_ICONWARNING)
jmp @Exit
@Detected:
; This block is also the region scanned for 0CCh above (19 bytes from here).
push 30h ; uType = MB_ICONWARNING
push offset MsgBoxTitle ; lpCaption
push offset MsgBoxText ; lpText
push 0 ; hWnd = NULL
call MessageBox
jmp @Exit
@Exit:
push 0 ; uExitCode = 0
call ExitProcess ; never returns
@eip_manipulate:
; Patch own return address: skip the 5-byte instruction that follows the call.
add dword ptr [esp], 5
ret
start endp
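HwBpHandler proc
; SEH handler that `start` links into fs:[0] around its deliberate `div eax`
; with eax = 0.
; Prototype (cdecl, invoked by ntdll's exception dispatcher):
;   EXCEPTION_DISPOSITION handler(EXCEPTION_RECORD *rec,      ; [esp+04h]
;                                 void *establisherFrame,     ; [esp+08h]
;                                 CONTEXT *ctx,               ; [esp+0Ch]
;                                 void *dispatcherContext)    ; [esp+10h]
; Returns 0 (ExceptionContinueExecution) for our divide-by-zero after:
;   - setting ctx->Eax = -1 if any of Dr0..Dr3 is non-zero (the caller's
;     `test eax, eax` then reports a hardware breakpoint), and
;   - advancing ctx->Eip past the faulting 2-byte `div eax` (F7 F0) so the
;     caller resumes at the `pop DWORD PTR fs:[0]` that unlinks this handler.
; Returns 1 (ExceptionContinueSearch) for any other exception code, so a
; genuine fault raised while this handler is linked is not swallowed and
; resumed at a bogus address.
; Only the Dr0..Dr3 address registers are examined; Dr7's enable bits are not
; consulted, so a stale but disabled address is still reported as a breakpoint.
; Clobbers: eax, ecx (both volatile under cdecl).
mov ecx, [esp + 04h] ; ecx = EXCEPTION_RECORD*
cmp DWORD PTR [ecx], 0C0000094h ; rec->ExceptionCode == EXCEPTION_INT_DIVIDE_BY_ZERO ?
jne notOurs
mov eax, [esp + 0ch] ; eax = CONTEXT* (x86 layout: Dr0 at +04h .. Dr3 at +10h, Eax at +0B0h, Eip at +0B8h)
cmp DWORD PTR [eax + 04h], 0 ; Dr0
jne bpFound
cmp DWORD PTR [eax + 08h], 0 ; Dr1
jne bpFound
cmp DWORD PTR [eax + 0ch], 0 ; Dr2
jne bpFound
cmp DWORD PTR [eax + 10h], 0 ; Dr3
jne bpFound
jmp retFromException
bpFound:
mov DWORD PTR [eax + 0b0h], 0ffffffffh ; ctx->Eax = -1: HW breakpoint found
retFromException:
; `div eax` is exactly 2 bytes; anything else lands inside the following
; 7-byte `pop DWORD PTR fs:[0]` and executes garbage.
add DWORD PTR [eax + 0b8h], 2 ; ctx->Eip += 2
xor eax, eax ; ExceptionContinueExecution
ret
notOurs:
mov eax, 1 ; ExceptionContinueSearch: let the next handler deal with it
ret
HwBpHandler endp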
end start