Anti-Debug Library: Updated for Vista!

11Jul09

After some testing, I was able to figure out which anti-debug functions did not work on Vista, and marked them to be filtered out. Enjoy! 🙂

#include <windows.h>

#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN

// NOTE(review): WIN32_LEAN_AND_MEAN / VC_EXTRALEAN above are defined after
// <windows.h> has already been included, so they have no effect on that include.

// Global state shared by the checks below.
// DebugBit starts TRUE ("assume a debugger is attached") and is cleared to FALSE
// only when an exception actually reaches one of our handlers (the INT 2D, INT 3
// and DebugBreak() __except blocks in antiDebug(), or suefDebugCheck()) or by
// swapDebug(); WinMain() treats a still-TRUE DebugBit as failure.
// Declared bool but initialised/compared with the Win32 TRUE macro (int 1);
// this works because bool promotes to 1.
bool DebugBit = TRUE;
// Divisor for suefTrick(): starts at 0 so `1 / countExceptions` faults, and
// suefDebugCheck() increments it when it handles that exception.
int countExceptions = 0;

// Reads the PEB.BeingDebugged byte directly instead of calling IsDebuggerPresent().
// Returns the raw byte (non-zero means the loader recorded a debugger).
// 32-bit only: FS:[0x30] is the TEB's pointer to the PEB and BeingDebugged is the
// byte at PEB+2.
// NOTE(review): the +2 is applied with XOR EAX,2 rather than ADD; that only equals
// PEB+2 when bit 1 of the PEB address is clear, i.e. it silently assumes a
// 4-byte-aligned PEB. The author left the call to this function commented out in
// antiDebug() as needing a Vista check.
char GetBeingDebugged( )
{
	char BeingDebuggedBit;
	__asm {
		MOV EAX,DWORD PTR FS:[0x30]	// EAX = PEB
		XOR EAX, 0x2			// EAX = &PEB->BeingDebugged (alignment assumption, see above)
		SUB EBX, EBX			// EBX = 0
		XOR BL, [EAX]			// BL = BeingDebugged byte
		MOV BeingDebuggedBit, BL
	};
	return( BeingDebuggedBit );
}

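// Reads PEB.NtGlobalFlag directly (32-bit layout: FS:[0x30] -> PEB, NtGlobalFlag at
// PEB+0x68) and returns its low byte. antiDebug() compares the result with 0x70,
// i.e. FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
// FLG_HEAP_VALIDATE_PARAMETERS, the heap-debugging bits it treats as the
// debugger signature.
// Returns: the low 8 bits of NtGlobalFlag as a char. Flags above bit 7 are
// discarded by the narrowing cast (unchanged from the original contract), and a
// value with bit 7 set comes back negative where char is signed.
// Fix: the original stored the DWORD in a `char *` local and then truncated the
// pointer to char; the temporary is now a DWORD, so there is no pointer/integer
// punning and the narrowing is an explicit integer conversion.
char GetNtGlobalFlags( )
{
	DWORD ntGlobalFlag = 0;
	__asm {
		MOV EAX, FS:[0x30]		// EAX = PEB
		MOV EAX, [EAX+0x68]		// EAX = PEB->NtGlobalFlag
		MOV ntGlobalFlag, EAX
	};
	return( ( char ) ntGlobalFlag );
}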

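// Reads the Flags field of the default process heap directly (32-bit layout:
// FS:[0x30] -> PEB, PEB+0x18 -> ProcessHeap, then the Flags field the author
// located at heap+0x10) and returns its low byte. antiDebug() had this wired to a
// `!= 0` check but has the call commented out as needing a Vista check, so treat
// the +0x10 field offset as OS-version dependent rather than fixed.
// Returns: the low 8 bits of the heap Flags field as a char (narrowing unchanged
// from the original contract; bits above 7 are lost, and bit 7 set reads as a
// negative value where char is signed).
// Fix: the original stored the DWORD in a `char *` local and truncated the pointer
// to char; the temporary is now a DWORD, so the narrowing is an explicit integer
// conversion with no pointer punning.
char GetHeapFlags( )
{
	DWORD heapFlags = 0;
	__asm {
		MOV EAX, FS:[0x30]		// EAX = PEB
		MOV EAX, [EAX+0x18]		// EAX = PEB->ProcessHeap
		MOV EAX, [EAX+0x10]		// EAX = heap Flags (offset as used by the author; see note above)
		MOV heapFlags, EAX
	};
	return ( ( char ) heapFlags );
}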

// Top-level exception filter used by the SetUnhandledExceptionFilter trick in
// antiDebug(): that code installs this filter, calls suefTrick() to fault, and
// then treats "the filter ran" as "no debugger took the exception first".
// Clears DebugBit, moves the suefTrick() divisor off zero, and asks the system to
// continue at the faulting instruction. The exception record itself is ignored.
LONG WINAPI suefDebugCheck( struct _EXCEPTION_POINTERS *excInfo ) {
	( void ) excInfo;	// unused: every exception is handled identically
	++countExceptions;
	DebugBit = FALSE;
	return EXCEPTION_CONTINUE_EXECUTION;
}

// Deliberately divides by zero: countExceptions starts at 0, so this is meant to
// raise an integer-divide exception for suefDebugCheck() (installed just before
// this call in antiDebug()) to handle. Integer division by zero is undefined
// behaviour in C/C++, so the compiler is free to fold or drop the operation; the
// trick only works if the IDIV actually reaches the CPU.
// NOTE(review): after the filter increments countExceptions and continues
// execution, whether the re-executed division sees the new value depends on
// whether the divisor is reloaded from memory — confirm in the generated code.
// The author has this call commented out in antiDebug() as broken on Vista.
void suefTrick( void )
{
	countExceptions = 1 / countExceptions;
}

// Not referenced anywhere in this listing. Marks "no debugger" and shows the same
// success box WinMain() shows; the two actions are independent so the flag is
// set first.
void swapDebug( void )
{
	DebugBit = FALSE;
	MessageBox( 0, "Debugger not found.", "Success?", MB_OK );
}

// Runs the debugger checks in sequence. Every check that fires terminates the
// process via exit() with its own distinct code, so the exit status identifies
// which check tripped; a check that passes falls through to the next, and if all
// pass the function returns with DebugBit already FALSE (the last check requires
// it). The commented-out blocks are checks the author disabled as not working on
// Vista.
// Side effects: may call exit(); clears DebugBit; calls NtSetInformationThread.
// Each `__except( true )` filter evaluates to 1 == EXCEPTION_EXECUTE_HANDLER, so
// the handler runs for any exception that reaches this frame; the exception-based
// checks rely on a debugger taking the exception first so the handler never runs
// and DebugBit stays TRUE.
// NOTE(review): neither GetProcAddress() result below is checked for NULL before
// being called.
void __inline antiDebug( void )
{
	// Snapshot for the timing check near the end.
	DWORD beginTime = GetTickCount( );
	// Check 1: INT 2D. Handler runs (DebugBit cleared) only if nothing else
	// consumed the exception.
	__try {
	__asm INT 0x2D
	} __except( true ) {
		DebugBit = FALSE;
	}
	if( DebugBit == TRUE )
		exit( 0x00000005 );

	// Check 2: exact match on the heap-debugging NtGlobalFlag bits (0x70).
	// GetNtGlobalFlags() returns only the low byte, and `==` means any extra
	// flag bit makes this miss.
	if( ( int ) GetNtGlobalFlags( ) == 0x70 )
		exit( 0xFFFFFFFB );


// I think the fetch method I used needs to be checked
// for Vista support..
	/*
	if( ( int ) GetBeingDebugged( ) == TRUE )
		exit( 0x04012AD0 );

	if( ( int ) GetHeapFlags( ) != 0 )
		exit( 0xFFFFFFFF );
		*/

	// Check 3: the documented Win32 API.
	if( IsDebuggerPresent( ) != 0 )
		exit( 0x21473361  );


// I don't even know about this one; doesn't work on Vista..
	/*
	CheckRemoteDebuggerPresent( GetCurrentProcess( ), ( PBOOL ) &DebugBit );
	if( DebugBit == TRUE )
		exit( 0xC0000005 );
		*/



// SetHandledExceptionFilter and OutputDebugString tricks
// need to be fixed for Vista..
	/*
	SetUnhandledExceptionFilter( suefDebugCheck );
	suefTrick( );
	if( DebugBit == TRUE )
		exit( 0x041A9C35 );

	SetLastError( 0xC0000005 );
	OutputDebugString( "" );
	if( GetLastError( ) == 0xC0000005 )
		exit( 0x9348134F );
		*/



	// Requires admin access
	// Resolved at runtime from ntdll; information class 0x11 is passed.
	// NOTE(review): a *process* handle is passed to a *Thread* information call
	// and the returned NTSTATUS is not checked, so it is unclear this call has
	// any effect — verify.
	typedef NTSTATUS ( NTAPI *NSIT )( HANDLE, UINT, PVOID, ULONG );
	NSIT NtSetInformationThread = ( NSIT )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtSetInformationThread" );
	NtSetInformationThread( GetCurrentProcess( ), 0x11, 0, 0 );
	// End

	// Check 4: closing a bogus handle. Without a debugger the call simply fails;
	// if it raises instead, the handler exits.
	__try {
		CloseHandle( ( HANDLE ) 0xFF );
	} __except( true ) {
		exit( 0x00000006 );
	}

	// Check 5: INT 3, same pattern as check 1.
	__try {
		__asm	INT 3;
	} __except( true ) {
		DebugBit = FALSE;
	}
	if( DebugBit == TRUE )
		exit( 0x0ADE0005 );

	// Check 6: timing. Any change in the tick count since beginTime exits, so a
	// legitimately slow run through the checks above is also treated as a
	// debugger (false-positive risk).
	if( GetTickCount( ) != beginTime )
		exit( 0xD000BE05 );


	// Check 7: NtQueryInformationProcess class 0x7, 4-byte result; any non-zero
	// value exits. The NTSTATUS is not checked, so on failure returnValue keeps
	// its initial 0 and the check passes.
	typedef NTSTATUS ( WINAPI *NQIP )( HANDLE, LONG, PVOID, ULONG, PULONG );
	NQIP NtQueryInformationProcess = ( NQIP )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtQueryInformationProcess" );
	int returnValue = 0;
	NtQueryInformationProcess( GetCurrentProcess( ), 0x7, &returnValue, 4, 0 );
	if( returnValue != 0 )
		exit( 0xCCCCCCCC );

	// Check 8: DebugBreak(), same pattern as check 1. Reaching the end of the
	// function therefore implies DebugBit == FALSE.
	__try {
		DebugBreak( );
	} __except( true ) {
		DebugBit = FALSE;
	}
	if( DebugBit == TRUE )
		exit( 0x9000000D );
}

// Program entry point: run the checks, then report.
// antiDebug() exits the process itself whenever a check fires and leaves
// DebugBit FALSE when it returns, so the DebugBit test here is a final guard.
// Returns EXIT_FAILURE if DebugBit is still TRUE; otherwise shows the success box
// and returns EXIT_SUCCESS. hInstance, hPrevInstance, lpCmdLine and nShowCmd are
// not used.
// NOTE(review): exit()/EXIT_SUCCESS/EXIT_FAILURE come from <stdlib.h>, which this
// listing does not include directly; presumably reached through another header —
// confirm.
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
	antiDebug( );

	if( DebugBit != TRUE ) {
		MessageBox( 0, "Debugger not found.", "Success?", MB_OK );
		return EXIT_SUCCESS;
	}

	return EXIT_FAILURE;
}