I think this has more code than is necessary for a custom IsDebPresent.
What isn't needed?
Andy
;Custom I.D.P. api ??
Custom proc
    PUSH EBP
    MOV EBP,ESP
    PUSH ECX                         ; reserve a DWORD local at [EBP-4]
    PUSH EAX                         ; save EAX and ECX
    PUSH ECX
    MOV EAX,DWORD PTR FS:[18h]       ; TIB self pointer
    MOV EAX,DWORD PTR DS:[EAX+30h]   ; TIB -> PEB
    MOV ECX,DWORD PTR DS:[EAX]       ; first DWORD of the PEB
    MOV DWORD PTR SS:[EBP-4],ECX     ; stash it in the local
    POP ECX
    POP EAX
    MOV EAX,DWORD PTR SS:[EBP-4]     ; reload it
    SHR EAX,10h                      ; BeingDebugged (PEB+2) down into AL
    AND EAX,1
    MOV ESP,EBP
    POP EBP
    RET
Custom endp
no need to preserve ECX
LEAVE performs the same as both MOV ESP,EBP and POP EBP instructions
but, you don't need a stack frame at all
it gets the pointer to the TIB
from there, it gets the pointer to the PEB
from there, it gets the "BeingDebugged" value
i would think this code is essentially the same thing as IsDebuggerPresent
MOV EAX,DWORD PTR FS:[18h]       ; TIB self pointer
MOV EAX,DWORD PTR DS:[EAX+30h]   ; TIB -> PEB
MOV EAX,DWORD PTR DS:[EAX]       ; first DWORD of the PEB
SHR EAX,10h                      ; BeingDebugged (PEB+2) down into AL
AND EAX,1
RET
:P
mov eax,fs:[18h]                 ; TIB self pointer
mov eax,[eax+30h]                ; TIB -> PEB
movzx eax,word ptr [eax+1]       ; PEB+1..PEB+2; BeingDebugged is the high byte
shr eax,8                        ; bring it down into AL
and al,1
ret
no help - it's actually 1 byte longer - lol
tomato
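The TIB -> PEB -> BeingDebugged walk described above, as an added C example that is not code from the thread. The struct covers only the first DWORD of the Win32 PEB (field names as in the public PEB layout); the PEB images it checks are constructed test data, not captured from a process, and the live read only compiles on 32-bit Windows.

```c
/* Added example, not code from the thread: a C version of the custom
 * IsDebuggerPresent discussed above. The struct mirrors only the first
 * DWORD of the Win32 PEB; the PEB images below are constructed test data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First four bytes of the PEB. The assembly reads them as one DWORD from
 * [PEB+0]; in little-endian order BeingDebugged (PEB+2) lands in bits 16..23,
 * which is why SHR EAX,10h / AND EAX,1 isolates it. */
struct peb_head {
    uint8_t InheritedAddressSpace;    /* PEB+0 */
    uint8_t ReadImageFileExecOptions; /* PEB+1 */
    uint8_t BeingDebugged;            /* PEB+2, what IsDebuggerPresent returns */
    uint8_t BitField;                 /* PEB+3 */
};

/* Variant 1 from the thread: MOV EAX,[PEB] / SHR EAX,10h / AND EAX,1. */
int being_debugged_dword(const struct peb_head *peb)
{
    uint32_t dw;
    memcpy(&dw, peb, sizeof dw);
    return (int)((dw >> 16) & 1u);
}

/* Variant 2: MOVZX EAX,BYTE PTR [PEB+2] / AND AL,1. */
int being_debugged_byte(const struct peb_head *peb)
{
    return peb->BeingDebugged & 1;
}

#if defined(_WIN32) && defined(_M_IX86)
#include <intrin.h>
/* Walk TIB -> PEB exactly as the assembly does on 32-bit Windows:
 * FS:[18h] is the TIB self pointer, TIB+30h holds the PEB pointer.
 * (On x64 the PEB pointer sits at GS:[60h]; the byte offsets inside
 * the PEB head are the same.) */
static const struct peb_head *current_peb(void)
{
    uintptr_t tib = __readfsdword(0x18);
    uintptr_t peb = *(const uintptr_t *)(tib + 0x30);
    return (const struct peb_head *)peb;
}
#endif

/* Constructed PEB images (not captured from a real process). The "noisy"
 * ones fill the neighbouring bytes so a wrong offset or a missing mask
 * would show up as a wrong answer. */
static const struct peb_head k_no_debugger = { 0x00, 0x00, 0x00, 0x00 };
static const struct peb_head k_debugger    = { 0x00, 0x00, 0x01, 0x00 };
static const struct peb_head k_noisy_nodbg = { 0xFF, 0xFF, 0x00, 0xFF };
static const struct peb_head k_noisy_dbg   = { 0xFF, 0xFF, 0x01, 0xFF };

/* 1 if both extraction variants agree on every constructed image. */
int variants_agree(void)
{
    const struct peb_head *imgs[] = { &k_no_debugger, &k_debugger,
                                      &k_noisy_nodbg, &k_noisy_dbg };
    size_t i;
    for (i = 0; i < sizeof imgs / sizeof imgs[0]; i++)
        if (being_debugged_dword(imgs[i]) != being_debugged_byte(imgs[i]))
            return 0;
    return 1;
}

int main(void)
{
    printf("constructed images: agree=%d, debugger image -> %d, clean image -> %d\n",
           variants_agree(), being_debugged_dword(&k_debugger),
           being_debugged_dword(&k_noisy_nodbg));
#if defined(_WIN32) && defined(_M_IX86)
    printf("live PEB: BeingDebugged=%d\n", being_debugged_byte(current_peb()));
#endif
    return 0;
}
```

The noisy images are the useful part: with 0xFF in the neighbouring bytes, reading the wrong offset or forgetting the AND mask returns 0xFF or a stray bit instead of 0 or 1, which is exactly the kind of off-by-one the shorter assembly variants are prone to.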
So who's right?
Andy
pineapple
either will work
here's how i'd do it...
INVOKE IsDebuggerPresent
same thing
apple
It was supposed to be one of those anti-reverser things.
Andy
there are some tricks for that
but, they are all well-known by reversers
one that comes to mind is to use REP STOSB inside the code segment to overwrite a byte of code to be executed
if the debugger is running, the overwritten value is executed (let's say it's a NOP)
if the debugger is not running, the original value is executed because it has been pre-fetched (could be INC EAX)
it doesn't really tell you if the debugger is present, exactly
it will tell you if they are single-stepping through the code, though