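;-----------------------------------------------------------------------
; CheckFileName
; Purpose: reads this module's full path with GetModuleFileName, isolates
;          the component after the last '\', and calls ExitProcess(0) if
;          it is not exactly "AntiDebug.exe" (lstrcmp is case-sensitive).
; In:    none (fills the global buffer `filename`, passed as 512 bytes)
; Out:   returns only when the name matches; otherwise the process exits
; Clobb: EAX, ECX, flags, plus whatever the invoked APIs clobber
; Note:  GetModuleFileName returns the length in EAX (0 on failure). The
;        backward scan is now bounded at the start of `filename`, so a
;        failed call or a path with no '\' skips the compare instead of
;        reading before the buffer as the unbounded loop did.
;-----------------------------------------------------------------------
CheckFileName proc
        invoke  GetModuleFileName,0,offset filename,512
        MOV     ECX,offset filename
        ADD     ECX,EAX                 ; ECX -> terminating NUL (buffer start on failure)
@SeekFileName:
        CMP     ECX,offset filename     ; reached the buffer start without a '\'?
        JBE     @exit                   ;   nothing to compare, leave
        DEC     ECX
        CMP     BYTE PTR [ECX],'\'
        JNE     @SeekFileName
        MOV     BYTE PTR [ECX],0        ; split directory from file name in place
        INC     ECX                     ; ECX -> file name
        invoke  lstrcmp,CTEXT("AntiDebug.exe"),ecx
        TEST    EAX,EAX                 ; 0 = strings equal
        JNE     @DebuggerDetected
        JMP     @exit
@DebuggerDetected:
;invoke MessageBox,0,CTEXT("Debugger found!"),CTEXT("Debugger status:"),MB_OK
        invoke  ExitProcess,0
@exit:
        ret
CheckFileName endp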
;-----------------------------------------------------------------------
; AnitGenOEP  (sic -- proc and endp agree, so it assembles as written)
; Purpose: carries a byte sequence matching the Visual C++ entry-point
;          prologue so that a signature scanner (the comment names PeID)
;          classifies the file as a VC++ build.
; In:    none
; Out:   nothing meaningful
; NOTE(review): the bytes sit between pushad and popad and are executed
;   if this proc is ever called. Decoded they read: push ebp / mov ebp,esp
;   / push -1 / push 004040F8h / push 00401DF4h / mov eax,fs:[0] / push eax
;   / mov fs:[0],esp / sub esp,58h / push ebx,esi,edi / mov [ebp-18h],esp
;   / call dword ptr [00404058h] / xor edx,edx / mov dl,ah. None of that
;   stack adjustment is undone before popad, FS:[0] is left pointing into
;   the stack, and the 0040xxxxh addresses assume image base 00400000h.
;   Treat it as scanner bait rather than callable code -- confirm nothing
;   calls it.
;-----------------------------------------------------------------------
AnitGenOEP proc ;antiPeID
pushad
AntiGenOEP db 55h,8Bh,0ECh,6Ah,0FFh,68h,0F8h,40h,40h,00h,68h,0F4h ;Fake VC++ OEP code at 0x00401000
db 1Dh,40h,00h,64h,0A1h,00,00,00,00,50h,64h,89h,25h,00
db 00,00,00,83h,0ECh,58h,53h,56h,57h,89h,65h,0E8h,0FFh
db 15h,58h,40h,40h,00,33h,0D2h,8Ah,0D4h
popad
ret
AnitGenOEP endp
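;-----------------------------------------------------------------------
; AntiICE
; Purpose: walks a table of NUL-terminated names starting at VICETOOLZ_1
;          and calls CreateFileA on each; if any open succeeds (handle is
;          not INVALID_HANDLE_VALUE) the process calls ExitProcess(0).
; In:    none. The number of names is hard-coded as 9 and must match the
;        table; a shorter table makes the scan read past it.
; Out:   returns only when none of the names could be opened
; Clobb: EAX, ESI, EDI, flags, plus what CreateFileA clobbers. ESI and EDI
;        are callee-saved under stdcall/cdecl and are not preserved here.
; Note:  the dwDesiredAccess argument is FILE_FLAG_WRITE_THROUGH, whose
;        numeric value (80000000h) equals GENERIC_READ, so this is a read
;        open. The successful handle is never closed; ExitProcess follows.
;-----------------------------------------------------------------------
AntiICE proc
        MOV     ESI,9                   ; names left to try
        MOV     EDI,offset VICETOOLZ_1  ; EDI -> current name
@TryNext:
        invoke  CreateFileA,edi,FILE_FLAG_WRITE_THROUGH,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
; Small fix here!
        CMP     EAX,-1                  ; INVALID_HANDLE_VALUE => could not open
        JNE     @ToolFound
; Here we search for the next vice tool string [name].
@find_next:
        INC     EDI
        CMP     BYTE PTR [EDI],0h
        JNE     @find_next
        INC     EDI                     ; skip the NUL; EDI -> next name
        DEC     ESI
        JNE     @TryNext
;invoke MessageBox,0,CTEXT("Debugger or other vice tool not found!"),CTEXT("Debugger status:"),MB_OK
@Exit:
        ret
@ToolFound:
;invoke MessageBox,0,CTEXT("Debugger or other vice tool found!"),CTEXT("Debugger status:"),MB_OK
        invoke  ExitProcess,0
        JMP     @Exit                   ; not reached: ExitProcess does not return
AntiICE endp                            ; was closed by "AntiPeIDasASPack endp" -- name mismatch fixed

;-----------------------------------------------------------------------
; AntiPeIDasASPack
; NOTE(review): the listing contains the closing "AntiPeIDasASPack endp"
;   but no matching proc line; the header below is reconstructed so the
;   file assembles. Any lines that originally preceded the byte stub are
;   missing from this listing -- confirm against the source.
; Purpose: carries bytes resembling an ASPack entry stub (they start with
;          60h = pushad, then call/pop delta-offset arithmetic into EBX)
;          so a signature scanner reports the file as ASPack-packed.
; Note:  the bytes execute inline if the proc is called; their own
;        call/ret and push/pop pairs balance, and the POPAD undoes the
;        leading pushad, so the registers the stub writes are restored.
;-----------------------------------------------------------------------
AntiPeIDasASPack proc
        db      060h,0E8h,003h,000h,000h,000h,0E9h,0EBh,004h,05Dh,045h,055h,0C3h,0E8h,001h,000h,000h,000h
        db      0EBh,05Dh,0BBh,0EDh,0FFh,0FFh,0FFh,003h,0DDh,081h,0EBh,000h,040h,000h,000h
        POPAD
        ret
AntiPeIDasASPack endp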
;-----------------------------------------------------------------------
; AntiProcDump
; Purpose: makes the in-memory PE header useless to a dumper by zeroing
;          every IMAGE_SECTION_HEADER entry and then storing 0 into
;          IMAGE_FILE_HEADER.NumberOfSections.
; In:    none. Hard-codes the image base 00400000h (no relocation/ASLR
;        support) and assumes a PE32 optional header of 0E0h bytes, which
;        is what the +0F2h step from NumberOfSections encodes.
; Out:   nothing; the process's own headers are modified in place.
; Clobb: EAX, EBX, ECX, EDX, flags. EBX is callee-saved under
;        stdcall/cdecl and is not preserved here.
; NOTE(review): the VirtualProtect result is ignored -- if the header page
;   could not be made writable the stores below fault. If NumberOfSections
;   is already 0 the `DEC EBX / JNE` loop wraps and does not terminate.
;-----------------------------------------------------------------------
AntiProcDump proc
PUSH offset OLDProtect                  ; lpflOldProtect
PUSH 40h                                ; PAGE_EXECUTE_READWRITE
PUSH 00001000h                          ; dwSize: one page
PUSH 00400000h                          ; lpAddress: hard-coded image base
CALL VirtualProtect                     ; return value not checked
; Read elfanew from PEHeader
MOV EBX,0040003Ch                       ; &IMAGE_DOS_HEADER.e_lfanew
MOV ECX,DWORD PTR[EBX]
ADD ECX,00400006h                       ; ECX -> IMAGE_FILE_HEADER.NumberOfSections
XOR EBX,EBX
; BX is SectionNumber
MOV BX,WORD PTR[ECX]
PUSH ECX                                ; keep &NumberOfSections for the final store
; ECX is a pointer to PESections table
ADD ECX,0F2h                            ; = PE signature + 0F8h: first section header (PE32, 0E0h optional header)
@clear_section:
; One section table item size
MOV EDX,28h                             ; sizeof(IMAGE_SECTION_HEADER)
@clear_section_s:
; Clear byte
MOV BYTE PTR[ECX],0h
INC ECX
DEC EDX
JNE @clear_section_s
; Erase all sections
DEC EBX                                 ; wraps if the count started at 0
JNE @clear_section
; Clear SectonNumber from PEHeader
POP ECX
MOV WORD PTR[ECX],BX                    ; BX is 0 after the loop
ret
AntiProcDump endp
;-----------------------------------------------------------------------
; CheckRemoteDebuggerPresent (proc)
; Purpose: resolves the kernel32 API of the same name at run time, calls
;          it for the current process (pseudo-handle -1), and if the BOOL
;          written to IsItPresent is non-zero calls ExitProcess(0).
; In:    none (writes the global IsItPresent)
; Out:   returns only when no debugger was reported
; Clobb: EAX, flags, plus what the called APIs clobber
; NOTE(review): the GetProcAddress result is not checked -- on a kernel32
;   without this export EAX is 0 and `CALL EAX` faults. The proc shares
;   its name with the API, which is presumably why the API is resolved by
;   string rather than imported.
;-----------------------------------------------------------------------
CheckRemoteDebuggerPresent proc
invoke LoadLibrary,CTEXT("kernel32.dll")
invoke GetProcAddress,eax,CTEXT("CheckRemoteDebuggerPresent")
; IsItPresent variable will store the result
PUSH offset IsItPresent                 ; pbDebuggerPresent
PUSH -1                                 ; hProcess: current-process pseudo-handle
CALL EAX                                ; stdcall: the callee pops both arguments
MOV EAX,DWORD PTR[IsItPresent]
TEST EAX,EAX
JNE @DebuggerDetected
;invoke MessageBox,0,CTEXT("Debugger not found!"),CTEXT("Debugger status:"),MB_OK
JMP @exit
@DebuggerDetected:
;invoke MessageBox,0,CTEXT("Debugger found!"),CTEXT("Debugger status:"),MB_OK
invoke ExitProcess,0
@exit:
ret
CheckRemoteDebuggerPresent endp
;-----------------------------------------------------------------------
; CsrGetProcessIdOllyInvisible
; Purpose: resolves ntdll!CsrGetProcessId at run time, calls it with no
;          arguments, and treats a zero return as "debugger detected",
;          calling ExitProcess(0).
; In:    none
; Out:   returns only when the call returned non-zero
; Clobb: EAX, flags, plus what the called APIs clobber
; NOTE(review): the GetProcAddress result is not checked before `CALL EAX`.
;   The proc name suggests the zero return is what a particular OllyDbg
;   plugin produces; that is inferred from the name only. CsrGetProcessId
;   is undocumented and its behaviour is not fixed across Windows
;   versions, so confirm the expected value on the intended targets.
;-----------------------------------------------------------------------
CsrGetProcessIdOllyInvisible proc
invoke LoadLibrary,CTEXT("ntdll.dll")
invoke GetProcAddress,eax,CTEXT("CsrGetProcessId")
CALL EAX                                ; no arguments; EAX = CSRSS process id (or 0)
TEST EAX,EAX
JE @DebuggerDetected
;invoke MessageBox,0,CTEXT("Debugger not found!"),CTEXT("Debugger status:"),MB_OK
JMP @exit
@DebuggerDetected:
;invoke MessageBox,0,CTEXT("DebuggerDetected!"),CTEXT("Debugger status:"),MB_OK
invoke ExitProcess,0
@exit:
ret
CsrGetProcessIdOllyInvisible endp
;-----------------------------------------------------------------------
; DetectHBPX
; Purpose: installs a temporary SEH frame, raises an access violation on
;          purpose (XCHG with address 0), and in the handler inspects the
;          thread CONTEXT it receives: if any of Dr0..Dr3 is non-zero (a
;          hardware breakpoint is armed) the process calls ExitProcess(0);
;          otherwise the handler patches CONTEXT.Eip/Esp/Ebp so execution
;          resumes at @Exit and returns ExceptionContinueExecution.
; In:    none (uses the globals OrgEbp, OrgEsp, SaveEip)
; Out:   returns only when Dr0..Dr3 are all zero
; Clobb: EAX, flags. The handler writes EBX, but the dispatcher restores
;        registers from the saved CONTEXT on continue, so the caller sees
;        the pre-fault values (EAX = 0 from the XOR) -- confirm if EBX
;        matters to a caller. FS:[0] is restored on the normal path.
; NOTE(review): the variable names are swapped relative to their contents:
;   OrgEbp receives the address of @Exit (the resume EIP) and SaveEip
;   receives EBP. The handler's stores are consistent with that, so it
;   works, but the names mislead.
;   CONTEXT offsets used: Dr0 04h, Dr1 08h, Dr2 0Ch, Dr3 10h,
;   Ebp 0B4h, Eip 0B8h, Esp 0C4h (x86 CONTEXT layout).
;-----------------------------------------------------------------------
DetectHBPX proc
MOV EAX,offset @Exit
MOV DWORD PTR[OrgEbp],EAX               ; resume address (despite the name)
MOV DWORD PTR[SaveEip],EBP              ; caller's EBP (despite the name)
ASSUME FS : NOTHING
PUSH offset @DetectHardwareBPX          ; EXCEPTION_REGISTRATION.Handler
PUSH FS:[0]                             ; EXCEPTION_REGISTRATION.Next
MOV DWORD PTR[OrgEsp],ESP               ; ESP with the frame installed
MOV FS:[0], ESP
; Fire SEH!
XOR EAX,EAX
XCHG DWORD PTR DS:[EAX],EAX             ; write to address 0 -> access violation
@Exit:
POP FS:[0]                              ; unlink our frame
ADD ESP,4                               ; discard the handler pointer
ret
@DetectHardwareBPX:                     ; handler(pRecord, pFrame, pContext, pDispatch)
PUSH EBP
MOV EBP,ESP
MOV EAX,DWORD PTR SS:[EBP+10h]          ; EAX -> CONTEXT (third argument)
; Restore EBP,ESP and EIP
MOV EBX,DWORD PTR[OrgEbp]
MOV DWORD PTR DS:[EAX+0B8h],EBX         ; CONTEXT.Eip = @Exit
MOV EBX,DWORD PTR[OrgEsp]
MOV DWORD PTR DS:[EAX+0C4h],EBX         ; CONTEXT.Esp = ESP with the frame installed
MOV EBX,DWORD PTR[SaveEip]
MOV DWORD PTR DS:[EAX+0B4h],EBX         ; CONTEXT.Ebp = caller's EBP
; Check DRx registers!
CMP DWORD PTR DS:[EAX+4h],0             ; Dr0
JNE @hardware_bpx_found
CMP DWORD PTR DS:[EAX+8h],0             ; Dr1
JNE @hardware_bpx_found
CMP DWORD PTR DS:[EAX+0Ch],0            ; Dr2
JNE @hardware_bpx_found
CMP DWORD PTR DS:[EAX+10h],0            ; Dr3
JNE @hardware_bpx_found
;invoke MessageBox,0,CTEXT("Debugger not found!"),CTEXT("Debugger status:"),MB_OK
@hbpx_exit:
MOV EAX,0                               ; ExceptionContinueExecution
LEAVE
RET
@hardware_bpx_found:
;invoke MessageBox,0,CTEXT("Debugger found!"),CTEXT("Debugger status:"),MB_OK
invoke ExitProcess,0
ret                                     ; not reached: ExitProcess does not return
DetectHBPX endp
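;-----------------------------------------------------------------------
; hidedebuggerByFindWindow
; Purpose: calls FindWindow with the window class name "OLLYDBG"; if a
;          top-level window of that class exists the process calls
;          ExitProcess(0).
; In:    none
; Out:   returns only when no such window was found
; Clobb: EAX, flags, plus what the called APIs clobber
; Note:  the closing line previously read "kernel32_modIsDebuggerPresent
;        endp", which does not match this proc and fails to assemble; no
;        proc of that name is present in this listing.
;-----------------------------------------------------------------------
hidedebuggerByFindWindow proc
        invoke  FindWindow,CTEXT("OLLYDBG"),0
        TEST    EAX,EAX                 ; NULL = no window of that class
        JNE     @DebuggerDetected
;invoke MessageBox,0,CTEXT("Debugger not found!"),CTEXT("Debugger status:"),MB_OK
        JMP     @exit
@DebuggerDetected:
;invoke MessageBox,0,CTEXT("Debugger found!"),CTEXT("Debugger status:"),MB_OK
        invoke  ExitProcess,0
@exit:
        ret
hidedebuggerByFindWindow endp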
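;-----------------------------------------------------------------------
; LDR_MODULE_AntiDebug
; Purpose: scans forward from the PEB.Ldr pointer for the DWORD
;          0FEEEFEEEh until the global counter Tries reaches 0. That value
;          is the fill pattern the NT debug heap writes into freed blocks,
;          and the process heap is created with debug flags when the
;          process is started under a ring-3 debugger; without a debugger
;          the scan runs into unmapped memory, faults, and the SEH handler
;          ends the routine.
; In:    none (decrements the global Tries)
; Out:   both paths end in RET; the ExitProcess on the detected path is
;        commented out, so detection currently has no visible effect.
; Clobb: EAX, flags
; NOTE(review): on the fall-through path `add esp,8` discards the SEH
;   frame without restoring FS:[0], which is left pointing at a stale
;   stack slot. On the fault path _SehExit is entered by the exception
;   dispatcher as the handler (return address and four arguments on the
;   stack), so `POP FS:[0]` stores that return address into FS:[0] and
;   the fixed ESP adjustments unwind the dispatcher's frame rather than
;   this one -- confirm on a real target where the final RET lands.
; Note:  only the closing line is changed in this revision: it previously
;        read "RegistryOllyDBG2 endp", which does not match this proc; no
;        RegistryOllyDBG2 proc is present in this listing.
;-----------------------------------------------------------------------
LDR_MODULE_AntiDebug proc
        ASSUME  FS:NOTHING
        PUSH    offset _SehExit         ; EXCEPTION_REGISTRATION.Handler
        PUSH    DWORD PTR FS:[0]        ; EXCEPTION_REGISTRATION.Next
        MOV     FS:[0],ESP
; Get the PEB (TEB.ProcessEnvironmentBlock at FS:[30h]). The original
; comment said NtGlobalFlag; that is a field inside the PEB, not this load.
        MOV     EAX,DWORD PTR FS:[30h]
; Get PEB.Ldr (offset 0Ch): the scan starts at the PEB_LDR_DATA pointer
        MOV     EAX,DWORD PTR[EAX+12]
; The trick is here ;) If ring3 debugger is present memory will be allocated
; and it will contain 0xFEEEFEEE bytes at the end of alloc. This will only
; happen if ring3 debugger is present!
; If there is no debugger SEH will fire and take control.
; Note: This code works only on NT systems!
_loop:
        INC     EAX                     ; byte-granular walk, unaligned DWORD reads
        CMP     DWORD PTR[EAX],0FEEEFEEEh
        JNE     _loop
        DEC     [Tries]                 ; one hit found; keep going until Tries hits reached
        JNE     _loop
;invoke ExitProcess,0
_Exit:
        add     esp,8                   ; drops the SEH frame; FS:[0] is not restored (see note)
        RET
_SehExit:
        POP     FS:[0]
        ADD     ESP,4
        JMP     _Exit
        ret                             ; not reached
LDR_MODULE_AntiDebug endp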
;-----------------------------------------------------------------------
; RegistryOllyDBG3
; Purpose: opens HKEY_CLASSES_ROOT\dllfile\shell\Open with Olly&Dbg\command
;          (presumably the shell-integration entry a debugger installer
;          adds for .dll files) and queries the value named by szIsOllyKey;
;          a query that returns ERROR_SUCCESS is treated as "debugger
;          installed" and the process calls ExitProcess(0).
; In:    none (uses the globals hKey, lpcbData, szBuff, szIsOllyKey)
; Out:   returns only when the key or value could not be read
; Clobb: EAX, ECX, flags, plus what the registry APIs clobber
; NOTE(review): several defects in the query setup --
;   * `MOV lpcbData,256h` is hex: 598 bytes. If 256 decimal (100h) was
;     meant and szBuff is that size, RegQueryValueEx may write past it;
;     confirm the declared size of szBuff.
;   * the lpType argument is `CTEXT("REG_SZ")`, a pointer to a string
;     literal; the API writes the value-type DWORD through it, overwriting
;     the literal. The parameter expects a pointer to a DWORD (or NULL).
;   * RegOpenKeyEx's return is not checked and KEY_WRITE is requested
;     although the key is only read; if the open fails, hKey keeps its
;     previous contents and the query simply fails -> "not found".
;   * the @SeekQuote scan for '"' is unbounded, and the string it
;     truncates is never used: the code jumps straight to ExitProcess.
;-----------------------------------------------------------------------
RegistryOllyDBG3 proc
MOV lpcbData,256h                       ; hex 256h = 598 (see note)
INVOKE RegOpenKeyEx, HKEY_CLASSES_ROOT, CTEXT("dllfile\shell\Open with Olly&Dbg\command"), 0,KEY_WRITE or KEY_READ, addr hKey
PUSH offset lpcbData                    ; lpcbData (in/out buffer size)
PUSH offset szBuff                      ; lpData
PUSH CTEXT("REG_SZ")                    ; lpType -- should be a DWORD pointer, not a string (see note)
PUSH 0                                  ; lpReserved
PUSH offset szIsOllyKey                 ; lpValueName
PUSH hKey
CALL RegQueryValueEx                    ; stdcall: callee pops the six arguments
OR EAX,EAX                              ; ERROR_SUCCESS = 0
JNE @DebuggerNotFound
MOV ECX,offset szBuff+1                 ; scan starts at szBuff+2 after the INC below
@SeekQuote:
INC ECX
CMP BYTE PTR[ECX],'"'
JNE @SeekQuote
MOV BYTE PTR[ECX],0h                    ; truncate at the quote; result unused
JMP @DebuggerDetected
@DebuggerNotFound:
;invoke MessageBox,0,CTEXT("No debugger detected!"),CTEXT("Execution status:"),MB_OK
JMP @exit
@DebuggerDetected:
;invoke MessageBox,0,CTEXT("Debugger detected!"),CTEXT("Execution status:"),MB_OK
invoke ExitProcess,0
@exit:
ret
RegistryOllyDBG3 endp
;-----------------------------------------------------------------------
; SigleStep_AntiDebug  (sic)
; Purpose: installs a temporary SEH frame, flips the trap flag (TF) with
;          PUSHFD/XOR/POPFD, and expects the resulting single-step
;          exception to reach its own handler. If the exception is
;          consumed elsewhere (as an attached debugger typically does),
;          execution falls through, shows the "Debugger detected!"
;          MessageBox, and returns.
; In:    none
; Out:   nothing; both paths end in RET
; Clobb: EAX, flags (TF, plus ZF/AF/PF as toggled below)
; NOTE(review): 154h toggles TF (100h) together with ZF (40h), AF (10h)
;   and PF (04h); XOR toggles rather than sets, so the result depends on
;   the incoming flag values. The RET after the MessageBox runs with the
;   SEH frame still on the stack, so it pops `offset _SehExit` as its
;   return address and FS:[0] is never restored on that path. On the
;   exception path _SehExit is entered by the dispatcher as the handler
;   (return address and four arguments on the stack), so `POP FS:[0]`
;   stores that return address into FS:[0] and the following RET unwinds
;   the dispatcher's frame -- confirm on a real target where it lands.
;   This is the only routine in the listing whose MessageBox call is
;   still active rather than commented out.
;-----------------------------------------------------------------------
SigleStep_AntiDebug proc
ASSUME FS:NOTHING
PUSH offset _SehExit                    ; EXCEPTION_REGISTRATION.Handler
PUSH DWORD PTR FS:[0]                   ; EXCEPTION_REGISTRATION.Next
MOV FS:[0],ESP
; Set Trap flag!
PUSHFD
XOR DWORD PTR[ESP],154h                 ; toggles TF (100h) and also ZF/AF/PF
POPFD                                   ; single-step trap fires after the next instruction
; If SEH doesn`t fire you are caught!
invoke MessageBox,0,CTEXT("Debugger detected!"),CTEXT("Execution status:"),MB_OK
RET                                     ; SEH frame still on the stack here (see note)
_Exit:
;invoke MessageBox,0,CTEXT("No debugger detected!"),CTEXT("Execution status:"),MB_OK
RET
_SehExit:
POP FS:[0]
ADD ESP,4
JMP _Exit
ret                                     ; not reached
SigleStep_AntiDebug endp
TLS_CallBack proc
; This example combines IsDebuggerPresent API with TLS-CallBack.
; TLS-CallBack is a part of TLS Structure and it is used for
; calling code execution before and after main application code execution.
; Change TLS Table to 0x00003046, size 0x18 with LordPE or xPELister
PUSH 0
CALL ExitProcess
RET
; Code below is executed before .code section
; TLSCalled flag indicates that TLS is called only once on application
; initialization. It can be called on application exit again. This switch
; disables that.
CMP BYTE PTR[TLSCalled],1
JE @exit
MOV BYTE PTR[TLSCalled],1
CALL IsDebuggerPresent