[C++/ASM]ClsAntiDebug Class

Recommended Posts

Posted

[C++/ASM]ClsAntiDebug Class — Author: LordRNA

Hi. I'm here again. I bring you a special class that I made in my free time for my community (H-Sec). The class is ClsAntiDebug. It's a class that has some methods to detect debuggers. I added a PEBDebug detection, an NTGlobal detection, a Debugger Process Name detection (only works with OllyDBG, W32DASM and IDA Pro) and a TimeStamp debugger detection. I put in another class that uses a random method from the first three methods and a function to call if a debugger is detected. The TimeStamp debugger receives a number and a function to execute; if the difference between the 2 TimeStamps is bigger than the number given by the user, the member Debugged inside the class changes to true. To get the value of the Debugged member we will use the IsDebugged method.

Sooo, it's time to post the code. I'll post the header code, the implementation code and an example.

#ifndef __ClsAntiDebug__
#define __ClsAntiDebug__
#include <windows.h>
#include <tlhelp32.h>

// Bundles a few well-known user-mode debugger heuristics behind one object.
//
// Every detector except TimeStamp() is *blocking*: PEBDebug(), NTGlobalDebug()
// and DebuggerActive() poll every 500 ms until their condition fires, then
// latch Debugged and return; they never return otherwise. TimeStamp() runs
// once. The inline __asm blocks and fs:-segment reads in the implementation
// mean this class builds only with the 32-bit MSVC toolchain. The empty
// `__declspec()` on the declarations is accepted by MSVC and has no effect.
class ClsAntiDebug
{
private:
bool Debugged; // latched to true by any detector; nothing resets it
public:
ClsAntiDebug(); // starts with Debugged == false
void __declspec() PEBDebug(); // polls PEB->BeingDebugged (fs:[0x30], byte +2) until it is 1
void __declspec() NTGlobalDebug(); // polls the low byte of PEB->NtGlobalFlag (+0x68) until non-zero
void __declspec() DebuggerActive(); // hashes every running exe name against three constants
void __declspec() TimeStamp(int time, void *func); // latches Debugged if rdtsc delta around func() exceeds time
void Protect(void *func); // runs one detector chosen by GetTickCount(), calls func once Debugged; never returns
bool IsDebugged(); // reads Debugged
};
#endif

#include "AntiDebug.h"

// Construct with no detection recorded yet.
ClsAntiDebug::ClsAntiDebug() : Debugged(false)
{
}

// Report whether any detector has latched the Debugged flag so far.
bool ClsAntiDebug::IsDebugged()
{
    return Debugged;
}

// Block until the PEB reports a debugger, then latch Debugged.
//
// Polls every 500 ms. fs:[0x30] is the 32-bit TEB's pointer to the PEB and
// the byte at PEB+2 is BeingDebugged — the same field IsDebuggerPresent()
// returns. The loop only exits when that byte equals 1, so this method never
// returns unless a user-mode debugger is, or becomes, attached. 32-bit MSVC
// only: x64 has no __asm and no fs:-based TEB.
void __declspec() ClsAntiDebug::PEBDebug()
{
__asm
{
_PEBLoop:
push 500
call dword ptr ds:[Sleep] // Sleep(500) via the Sleep import pointer
xor edx, edx
mov dl,0x30 // edx = 0x30, TEB offset of the PEB pointer
mov esi, fs:[edx] // esi = PEB
movzx eax, byte ptr[esi+2] // eax = PEB->BeingDebugged
dec eax
jne _PEBLoop // keep polling while BeingDebugged != 1
inc eax // restores eax to 1; the value is not used
}
this->Debugged = true;
}

// Block until the low byte of PEB->NtGlobalFlag is non-zero, then latch Debugged.
//
// Same 500 ms poll and fs:[0x30] PEB lookup as PEBDebug(); the byte tested is
// at PEB+0x68, the 32-bit offset of NtGlobalFlag, and only its low byte is
// read. NOTE(review): NtGlobalFlag can be non-zero for reasons other than a
// live debugger (flags can be configured system-wide or per image), so a hit
// here is a heuristic, not proof — expect false positives on some hosts.
// 32-bit MSVC only.
void __declspec() ClsAntiDebug::NTGlobalDebug()
{
__asm
{
_NTLoop:
push 500
call dword ptr ds:[Sleep] // Sleep(500) via the Sleep import pointer
xor edx, edx
mov dl,0x30 // edx = 0x30, TEB offset of the PEB pointer
mov esi, fs:[edx] // esi = PEB
movzx eax, byte ptr[esi+0x68] // eax = low byte of PEB->NtGlobalFlag
and eax,eax
je _NTLoop // keep polling while the byte is zero
xor eax,eax
inc eax // leaves eax == 1; the value is not used
}
this->Debugged = true;
}

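// Scan the process list for a known debugger executable name; latch Debugged
// and return when one is found, otherwise keep scanning every 500 ms.
//
// Each pass takes a Toolhelp snapshot and hashes every szExeFile with the
// inline-asm routine below (XOR each byte into dl, then ROL edx by 8). The
// hash is compared with three hard-coded constants the author labels IDA Pro,
// W32DASM and OllyDbg. This matches only the exact executable name, so it is
// a weak heuristic. An ANSI build is assumed: szExeFile is handed to strlen().
//
// Fixes over the original: the snapshot handle is closed on every pass (the
// original leaked one handle per 500 ms for the life of the process), the
// Process32First()/CreateToolhelp32Snapshot() results are checked, and the
// exit is a structured return instead of an `__asm jmp` out of two loops.
void __declspec() ClsAntiDebug::DebuggerActive()
{
    HANDLE hProcSnap;
    PROCESSENTRY32 pProcess;
    int strlength; // length of szExeFile on entry to the asm; overwritten with the hash
    int deb[3]={18416231/*IDA Pro*/,997340682/*W32DASM*/,1853255255/*OllyDbg*/};
    int i;
    bool found = false;
    do
    {
        hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
        if (hProcSnap != INVALID_HANDLE_VALUE)
        {
            pProcess.dwSize = sizeof(PROCESSENTRY32);
            if (Process32First(hProcSnap,&pProcess))
            {
                do
                {
                    strlength = strlen(pProcess.szExeFile);
                    __asm
                    {
                        lea eax,[pProcess.szExeFile] // eax = name bytes
                        mov ecx,dword ptr[strlength] // ecx = byte count
                        xor edx,edx // edx = running hash
                        xor edi, edi // edi = index
                        push edi
                        gethash:
                        pop edi
                        xor dl, byte ptr[eax+edi]
                        rol edx,8
                        inc edi
                        push edi
                        xor edi,ecx
                        jne gethash // until index == length
                        mov [strlength],edx/*We don't need strlength, so we recycle to get
                        The Hash on Int Variable*/
                        pop edi
                    }
                    for(i=0;i<3;i++)if (strlength==deb[i]) found = true;
                }while(!found && Process32Next(hProcSnap,&pProcess));
            }
            CloseHandle(hProcSnap); // release the snapshot; the original never did
        }
        if (found)
        {
            this->Debugged = true;
            return;
        }
        Sleep(500);
    }while(1);
}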
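// Run one detector chosen from the current tick count and, once Debugged is
// set, invoke func; then sleep and repeat. Never returns.
//
// Each detector blocks until it fires, so after the first pick this method
// sits inside that detector until a debugger is seen. func is stored as void*
// because the header declares it that way; it must take no arguments and need
// no caller-side stack cleanup (the example passes a `void CALLBACK`, i.e.
// __stdcall, function), since the asm below pushes and pops nothing.
//
// Fix over the original: the detector was picked with GetTickCount()%4 but
// only cases 0..2 exist, so one pass in four ran nothing and just slept
// 500 ms; %3 keeps the pick among the three detectors, as the author intended.
void __declspec() ClsAntiDebug::Protect(void *func)
{
    do
    {
        switch(GetTickCount()%3)
        {
            case 0:this->PEBDebug();break;
            case 1:this->NTGlobalDebug();break;
            case 2:this->DebuggerActive();break;
        }
        if (this->Debugged)
        {
            __asm
            {
                call [func] // indirect call through the void* slot; no args
            }
        }
        Sleep(500);
    }while(1);
}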

// One-shot timing check: latch Debugged if calling func takes more than
// `time` TSC ticks.
//
// Reads rdtsc before and after an indirect call through func, subtracts the
// low 32 bits (modular, so a counter wrap mid-call still yields the delta)
// and compares the delta with `time` using an unsigned branch (jna): a
// negative `time` therefore acts as a huge threshold and never fires.
// NOTE(review): rdtsc is not serialized and the delta includes any interrupt,
// page fault or context switch that lands inside the call, so small
// thresholds (the example uses 200) will produce false positives on an
// undebugged machine. func must take no arguments and need no caller-side
// stack cleanup; ebx holds the first reading across the call and is relied
// on to be preserved by the callee. 32-bit MSVC only.
void __declspec() ClsAntiDebug::TimeStamp(int time,void *func)
{
__asm
{
rdtsc // edx:eax = TSC; only eax (low 32 bits) is kept
mov ebx,eax
call [func] // indirect call; ebx expected to survive it
rdtsc
sub eax, ebx // delta of the low 32 bits
cmp eax, [time]
jna ___rtend // delta <= time (unsigned compare): not flagged
}
this->Debugged = true;
__asm{___rtend: }
}

#pragma comment(linker,"/ENTRY:main")

#include "AntiDebug.h"
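// Example workload handed to TimeStamp() and Protect(): two trivial
// increments and nothing else.
//
// Fix over the original: `i` was incremented before being initialized, which
// is undefined behavior. It is volatile so the two increments remain real
// work instead of being folded away, which keeps the TimeStamp() example
// measuring something.
void CALLBACK HolaMundo()
{
    volatile int i = 0;
    i++;
    i++;
}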

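// Demo entry point. Runs the one-shot TimeStamp check around HolaMundo with a
// 200-tick threshold, reports a hit with a MessageBox, then hands the thread
// to Protect(), which never returns.
//
// The object lives on the stack; the original allocated it with new and never
// deleted it. NOTE(review): the file's `#pragma comment(linker,"/ENTRY:main")`
// makes this the raw entry point and bypasses CRT startup — whether CRT
// facilities used by this program are initialized here depends on the build;
// confirm before reusing. A 200-tick threshold is tight enough to flag an
// undebugged run (see TimeStamp()).
int __declspec() main()
{
    ClsAntiDebug Debugger;
    Debugger.TimeStamp(200,HolaMundo);
    if (Debugger.IsDebugged())MessageBox(0,"Hola","Mundo",0);
    Debugger.Protect(HolaMundo);
    return 0;
}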

Sursa: http://www.hackhound.org/forum/index.php/topic/37401-srccasmclsantidebug-class/
