News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Custom API

Started by Magnum, December 23, 2012, 12:23:21 AM

Previous topic - Next topic

Magnum

I think this has more code than is necessary for a custom IsDebPresent.

What isn't needed ?

Andy

;Custom I.D.P. api ??
08   Custom proc
09       PUSH EBP
10       MOV EBP,ESP
11       PUSH ECX
12       PUSH EAX
13       PUSH ECX
14       MOV EAX,DWORD PTR FS:[18]
15       MOV EAX,DWORD PTR DS:[EAX+30]
16       MOV ECX,DWORD PTR DS:[EAX]
17       MOV DWORD PTR SS:[EBP-4],ECX
18       POP ECX
19       POP EAX
20       MOV EAX,DWORD PTR SS:[EBP-4]
21       SHR EAX,10
22       AND EAX,1
23       MOV ESP,EBP
24       POP EBP
25       RET
26   Custom endp
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

no need to preserve ECX

LEAVE performs the same as both MOV ESP,EBP and POP EBP instructions
but, you don't need a stack frame at all

it gets the pointer to the TIB
from there, it gets the pointer to the PEB
from there, it gets the "BeingDebugged" value

i would think this code is essentially the same thing as IsDebuggerPresent

Tedd

MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOV EAX,DWORD PTR DS:[EAX]
SHR EAX,10
AND EAX,1
RET
Potato2

dedndave

 :P

        mov     eax,fs:[18]
        mov     eax,[eax+30]
        movzx   eax,byte ptr [eax+1]
        shr     eax,2
        and     al,1
        ret


no help - it's actually 1 byte longer - lol

tomato

Magnum

So who's right ?

Andy

pineapple
Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

either will work
here's how i'd do it...
        INVOKE  IsDebuggerPresent

same thing




apple

Magnum

It was supposed to be one of those anti-reverser things.

Andy

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

there are some tricks for that
but, they are all well-known by reversers

one that comes to mind is to use REP STOSB inside the code segment to over-write a byte of code to be executed
if the debugger is running, the over-written value is executed (let's say it's a NOP)
if the debugger is not running, the original value is executed because it has been pre-fetched (could be INC EAX)

it doesn't really tell you if the debugger is present, exactly
it will tell you if they are single-stepping through the code, though