calling two times GetProcAddress with same parameters and checking the base addresses of the APIs.If no application-level debugger present they should be equal
Causing intentional exceptions in a high rate (e.g in the WinMain loop) will cause a debugger to hang and the cracker to get busy for some time.. (Xacker has a Crackme that uses this)..
As we all know Turbo Debugger sets all general registers to 0. When we some perform operation like
xor cx, bp
... some code not affecting cx
cmp cx, 93Eh
jne TD_is_here
... no debuger here
This way we can easy escape from debugger
RDTSC is an asm instruction (ReaD from Time Stamp Counter). It reads a 64 bits value in the TSC register, and put in in the EAX/EDX registers.The TSC register is incremented at each CPU cycle.(if I remeber correctly EDX is the High DWORD and EAX is the Low Dword).
When you're in a debugger, it takes more time to execute each instruction (and sometimes you can break or step, so it takes more more time). If you place an RDTSC instruction beetween two block of code and compare each values, if the difference is too high, it means the code has been debugged.
Warning: You must put the CPUID instruction before using the RDTSC, otherwise it could lead to strange result. The CPUID instruction ensures that all instructions have been executed before (see intels manual for more explanations).
The CreateToolhelp32Snapshot API take a snapshot (as it name implied) of all the process running at a T time (in fact when the snapshot is taken). You can retrive many information with this API (use it in conjunction with Process32first and Process32Next). For example, if OllyDbg is running, you can know it, and then apply something (like exiting from your apps, killing OllyDbg, displaying a warning, etc.). It's up to you to do want you want...
