Title: Example of AntiDebugging
;This is example how you can implement the anti debugging technic using API functions "IsDebuggerPresent" and "CheckRemoteDebuggerPresent"
;Not a new idea but later on I will add more anti reversing/debugging feature soon...
;Name :lclee_vx
;Group:F-13 Labs
;Web  :http://www.f13-labs.net

.model flat, stdcall
option casemap:none


szTitle0 db "Access Denied - By lclee_vx", 0
szText0 db "Are You Trying To Debug Me??!! Sorry You Are Detected, Try Again :)!!", 0

szTitle1 db "Answer", 0
szText1 db ?

IsDebuggerAgain dd ?

;APIs function needed.
sMessageBoxA db "MessageBoxA", 0
aMessageBoxA dd 00000000h
sIsDebuggerPresent db "IsDebuggerPresent", 0
aIsDebuggerPresent dd 00000000h
sCheckRemoteDebuggerPresent db "CheckRemoteDebuggerPresent", 0
aCheckRemoteDebuggerPresent dd 00000000h

@@Namez label byte
sGetProcAddress db "GetProcAddress", 0
sLoadLibraryA db "LoadLibraryA", 0
sExitProcess db "ExitProcess", 0
db 0FFh

@@Offsetz label byte
aGetProcAddress dd 00000000h
aLoadLibraryA dd 00000000h
aExitProcess dd 00000000h

aKernel32 dd 00000000h
User32Dll db "User32.dll", 0 ;User32.dll
Kernel32Dll db "Kernel32.dll",0 ;Kernel32.dll

;Start The Code

call delta
pop ebp
sub ebp, offset delta

mov esi, [esp]
and esi, 0FFFF0000h
call GetK32
mov dword ptr [ebp+offset aKernel32], eax ;save kernel32.dll

;here we looking for APIs function
lea edi, [ebp+offset @@Offsetz]
lea esi, [ebp+offset @@Namez]
call GetApis

call CheckDebugger1
call Success1

call CheckDebugger2
call Success2

call NormalExitProcess

;Normal Exit
NormalExitProcess proc
push 0
mov eax, dword ptr [ebp+offset aExitProcess]
call eax
NormalExitProcess endp

;Exit Process Properly
ExitProcess proc

push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sMessageBoxA
call GetApi

push 0
push offset szTitle0
push offset szText0
push 0
call eax

push 0
mov eax, dword ptr [ebp+offset aExitProcess]
call eax
ExitProcess endp

Success2 proc
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "ED"

push 0
push offset szTitle1
push offset szText1
push 0
call eax

push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "3:"

push 0
push offset szTitle1
push offset szText1
push 0
call eax

push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "79"

push 0
push offset szTitle1
push offset szText1
push 0
call eax

push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "08"

push 0
push offset szTitle1
push offset szText1
push 0
call eax

Success2 endp

;Check Debugger 2
CheckDebugger2 proc
push offset Kernel32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sCheckRemoteDebuggerPresent
call GetApi

push offset IsDebuggerAgain
push -1
call eax

mov eax, dword ptr [IsDebuggerAgain]
test eax,eax
jne ExitProcess

CheckDebugger2 endp

;Success message 1
Success1 proc
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "OC"

push 0
push offset szTitle1
push offset szText1
push 0
call eax


Success1 endp

;Check the debugger 1
CheckDebugger1 proc
push offset Kernel32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sIsDebuggerPresent
call GetApi

call eax
or eax, eax
jnz ExitProcess

CheckDebugger1 endp

;Searching Kernel32.dll address

cmp word ptr [esi], "ZM"
je K32Found
sub esi, 1000h
jmp ScanK32

mov eax, esi

GetK32 endp

;Searching The APIs function
GetApis PROC
mov eax, dword ptr [ebp+aKernel32]
push esi
push edi
call GetApi
pop edi
pop esi

mov [edi], eax ;store API address in eax ----> edi
add edi, 4

inc esi
cmp byte ptr [esi], 0
jne @@3
inc esi
cmp byte ptr [esi], 0FFh ;ended?
jnz @@1
GetApis endp

mov ebx, [eax+3ch] ;ebx=offset PE header
add ebx, eax ;ebx=point to PE header
mov ebx, [ebx+78h] ;ebx=point to ExportDirectory Virtual Address
add ebx, eax ;normalize, ebx=point to ExportDirectory

xor edx, edx ;edx=0
mov ecx, [ebx+20h] ;ecx=point to AddressOfNames
add ecx, eax ;normalize
push esi ;save to stack
push edx ;save to stack

pop edx
pop esi
inc edx ;edx=the index into AddressOfOrdinals+1
mov edi, [ecx] ;edi=API function export by Kernel32.dll
add edi, eax ;normalize
add ecx, 4 ;point to next API function
push esi ;save to stack
push edx

mov dl, [edi] ;dl=API function export by Kernel32.dll
mov dh, [esi] ;dh=API function we looking for
cmp dl, dh ;match?
jne NextApi ;not match....ok...next API
inc edi ;if match, compare next byte
inc esi
cmp byte ptr [esi], 0 ;finish?
je GetAddr ;jmp to get the address of API function
jmp CompareApi

pop edx
pop esi
dec edx ;edx-1 (because edx=index point to zero -finish)
shl edx, 1 ;edx=edx*2

mov ecx, [ebx+24h]
add ecx, eax
add ecx, edx ;ecx=ordinals

xor edx,edx
mov dx, [ecx]
shl edx, 2 ;edx=edx*4
mov ecx, [ebx+1ch] ;ecx=RVA AddressOfFunctions
add ecx, eax ;normalize
add ecx, edx
add eax, [ecx] ;eax=address of API function we looking for

GetApi endp

End Main
