Author Topic: Custom API

Magnum

  • Member
  • *****
  • Posts: 2367
Custom API
« on: December 23, 2012, 12:23:21 AM »
I think this has more code than is necessary for a custom IsDebPresent.

What isn't needed ?

Andy

```asm
; Custom I.D.P. api ??
; (debugger listing; the bare 18, 30 and 10 are hex, written here with MASM 'h' suffixes)
Custom proc
        PUSH EBP
        MOV EBP,ESP
        PUSH ECX                        ; reserves the local dword at [EBP-4]
        PUSH EAX
        PUSH ECX
        MOV EAX,DWORD PTR FS:[18h]      ; TEB self pointer (NtTib.Self)
        MOV EAX,DWORD PTR DS:[EAX+30h]  ; TEB.ProcessEnvironmentBlock -> PEB
        MOV ECX,DWORD PTR DS:[EAX]      ; first dword of the PEB
        MOV DWORD PTR SS:[EBP-4],ECX
        POP ECX
        POP EAX
        MOV EAX,DWORD PTR SS:[EBP-4]
        SHR EAX,10h                     ; byte 2 of that dword is PEB.BeingDebugged
        AND EAX,1
        MOV ESP,EBP
        POP EBP
        RET
Custom endp
```
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

  • Member
  • *****
  • Posts: 8828
  • Still using Abacus 2.0
    • DednDave
Re: Custom API
« Reply #1 on: December 23, 2012, 12:54:26 AM »
no need to preserve ECX

LEAVE performs the same as both MOV ESP,EBP and POP EBP instructions
but, you don't need a stack frame at all

it gets the pointer to the TIB
from there, it gets the pointer to the PEB
from there, it gets the "BeingDebugged" value

i would think this code is essentially the same thing as IsDebuggerPresent
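
Added example, not from any post in this thread: the same TEB -> PEB -> BeingDebugged walk written in C, so the two ways of pulling the bit out (load the first dword and shift, as in the listing above, or read the byte at PEB+2 directly, which is what IsDebuggerPresent itself does) can be checked against a constructed PEB image on any OS. The names being_debugged_dword, being_debugged_byte, current_peb, is_debugger_present_custom, peb_clean and peb_debugged are my own; the live read only compiles under MSVC and uses the x86 fs:[18h]/+30h and x64 gs:[30h]/+60h offsets; the four-byte PEB images are constructed test data, not real process memory.

```c
/* Added example (not from the thread): TEB -> PEB -> BeingDebugged in C,
 * plus both bit-extraction forms applied to constructed PEB images. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#if defined(_WIN32) && defined(_MSC_VER)
#include <intrin.h>
#endif

/* First four bytes of the PEB, same layout on x86 and x64 Windows. */
struct peb_head {
    uint8_t InheritedAddressSpace;    /* +0 */
    uint8_t ReadImageFileExecOptions; /* +1 */
    uint8_t BeingDebugged;            /* +2 */
    uint8_t BitField;                 /* +3 */
};

/* Dword form from the thread: load PEB+0, shift byte 2 down, mask one bit. */
int being_debugged_dword(const uint8_t *peb)
{
    uint32_t first;
    memcpy(&first, peb, sizeof first);   /* little-endian load, like MOV EAX,[EAX] */
    return (int)((first >> 16) & 1u);
}

/* Byte form: read PEB+2 directly (what IsDebuggerPresent does). */
int being_debugged_byte(const uint8_t *peb)
{
    return peb[offsetof(struct peb_head, BeingDebugged)] & 1;
}

/* Live PEB pointer via the TEB, mirroring fs:[18h] then [eax+30h] on x86.
 * x64 keeps the TEB at gs: (Self at +30h) and the PEB pointer at TEB+60h.
 * Returns NULL where there is no Windows PEB to read (e.g. built on Linux). */
const uint8_t *current_peb(void)
{
#if defined(_WIN32) && defined(_MSC_VER) && defined(_M_IX86)
    uint32_t teb = __readfsdword(0x18);                         /* NtTib.Self */
    return (const uint8_t *)(uintptr_t)(*(uint32_t *)(uintptr_t)(teb + 0x30));
#elif defined(_WIN32) && defined(_MSC_VER) && defined(_M_X64)
    uint64_t teb = __readgsqword(0x30);                         /* NtTib.Self */
    return (const uint8_t *)(uintptr_t)(*(uint64_t *)(uintptr_t)(teb + 0x60));
#else
    return NULL;
#endif
}

/* 1 = debugger attached, 0 = not, -1 = no PEB available on this platform. */
int is_debugger_present_custom(void)
{
    const uint8_t *peb = current_peb();
    return peb ? being_debugged_byte(peb) : -1;
}

/* Constructed PEB images for offline checking; not real process memory. */
const uint8_t peb_clean[4]    = { 0x00, 0x00, 0x00, 0x08 };
const uint8_t peb_debugged[4] = { 0x00, 0x00, 0x01, 0x08 };

int main(void)
{
    printf("constructed clean:    dword=%d byte=%d\n",
           being_debugged_dword(peb_clean), being_debugged_byte(peb_clean));
    printf("constructed debugged: dword=%d byte=%d\n",
           being_debugged_dword(peb_debugged), being_debugged_byte(peb_debugged));
    printf("live process: %d\n", is_debugger_present_custom());
    return 0;
}
```

Both forms agree on every image because BeingDebugged is a whole byte at offset 2; the dword form only works because SHR by 16 lands exactly on that byte, and neither form is affected by the neighbouring ReadImageFileExecOptions or BitField bytes. The 32-bit listing in the thread is x86 only; a 64-bit process has to go through gs:[30h] and TEB+60h instead, which is what the x64 branch above does.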

Tedd

  • Member
  • ***
  • Posts: 377
  • Procrastinor Extraordinaire
Re: Custom API
« Reply #2 on: December 24, 2012, 05:01:14 AM »
```asm
        MOV EAX,DWORD PTR FS:[18h]      ; TEB self pointer
        MOV EAX,DWORD PTR DS:[EAX+30h]  ; -> PEB
        MOV EAX,DWORD PTR DS:[EAX]      ; first dword of the PEB
        SHR EAX,10h                     ; byte 2 (BeingDebugged) down into AL
        AND EAX,1
        RET
```

dedndave

Re: Custom API
« Reply #3 on: December 24, 2012, 06:22:12 AM »
 :P

```asm
        mov     eax,fs:[18h]            ; TEB self pointer
        mov     eax,[eax+30h]           ; -> PEB
        movzx   eax,byte ptr [eax+2]    ; PEB.BeingDebugged is the byte at offset 2
        and     al,1
        ret
```

no help - it's actually 1 byte longer - lol


Magnum

Re: Custom API
« Reply #4 on: December 24, 2012, 06:26:12 AM »
So who's right ?

Andy


dedndave

Re: Custom API
« Reply #5 on: December 24, 2012, 06:28:08 AM »
either will work
here's how i'd do it...
```asm
        INVOKE  IsDebuggerPresent
```
same thing

Magnum

Re: Custom API
« Reply #6 on: December 24, 2012, 06:49:52 AM »
It was supposed to be one of those anti-reverser things.

Andy


dedndave

Re: Custom API
« Reply #7 on: December 24, 2012, 06:53:01 AM »
there are some tricks for that
but, they are all well-known by reversers

one that comes to mind is to use REP STOSB inside the code segment to over-write a byte of code to be executed
if the debugger is running, the over-written value is executed (let's say it's a NOP)
if the debugger is not running, the original value is executed because it has been pre-fetched (could be INC EAX)

it doesn't really tell you if the debugger is present, exactly
it will tell you if they are single-stepping through the code, though