Parsi Coders
[VB6]Anti Debug 4 ways - نسخه قابل چاپ

+- Parsi Coders (http://parsicoders.com)
+-- انجمن: Cracking / Anti Crack (http://parsicoders.com/forumdisplay.php?fid=75)
+--- انجمن: Anti Debug (http://parsicoders.com/forumdisplay.php?fid=76)
+---- انجمن: Visual Basic 6 (http://parsicoders.com/forumdisplay.php?fid=77)
+---- موضوع: [VB6]Anti Debug 4 ways (/showthread.php?tid=1074)



[VB6]Anti Debug 4 ways - Amin_Mansouri - 10-16-2011

کد:
Private Declare Function NtSetInformationThread Lib "NTDLL" (ByVal hThread As Integer, ByVal ThreadInformationClass As Integer, ByVal ThreadInformation As Integer, ByVal ThreadInformationLength As Integer) As Integer
Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long, ByVal pBuffer As Long, ByVal NumberOfBytesToWrite As Long, ByRef NumberOfBytesWritten As Long) As Long
Private Declare Function CallWindowProcA Lib "USER32" (ByVal address As Any, Optional ByVal Param1 As Long, Optional ByVal Param2 As Long, Optional ByVal Param3 As Long, Optional ByVal Param4 As Long) As Long

Public Function DetectDebugger() As Boolean
    Dim pPeb            As Long
    Dim pHeap           As Long
    Dim pLdr            As Long
    Dim pModule         As Long
    Dim pBuff           As Long
    Dim IsBeingDebugged As Boolean
    Dim l               As Long
    Dim i               As Long
    Dim lCheck          As Long
    Dim b(6)            As Byte
    Dim GlobalFlag      As Long
    Dim sFile           As String
    
    b(0) = &H64 'MOV
    b(1) = &HA1 'EAX
    b(2) = &H18 '[FS:0x18]
    b(3) = &H0
    b(4) = &H0
    b(5) = &H0
    b(6) = &HC3 'RET
    
    Call NtSetInformationThread(-2, &H11, 0, 0)
    
    NtWriteVirtualMemory -1, VarPtr(pPeb), CallWindowProcA(VarPtr(b(0))) + &H30, 4, 0
    NtWriteVirtualMemory -1, VarPtr(pLdr), pPeb + &HC&, 4, 0
    NtWriteVirtualMemory -1, VarPtr(pModule), pLdr + &HC&, 4, 0
    NtWriteVirtualMemory -1, VarPtr(lCheck), pModule, 4, 0

    NtWriteVirtualMemory -1, VarPtr(IsBeingDebugged), pPeb + 2, 1, 0
    If IsBeingDebugged Then DetectDebugger = True

    NtWriteVirtualMemory -1, VarPtr(pHeap), pPeb + &H20, 4, 0
    NtWriteVirtualMemory -1, VarPtr(l), pHeap + &H10, 4, 0
    If l <> 0 Then DetectDebugger = True
    
    NtWriteVirtualMemory -1, VarPtr(GlobalFlag), pPeb + &H68, 1, 0
    If GlobalFlag <> 0 Then DetectDebugger = True
    
    Do
        sFile = vbNullString
        i = 0
        NtWriteVirtualMemory -1, VarPtr(pModule), pModule + 4, 4, 0
        NtWriteVirtualMemory -1, VarPtr(pBuff), pModule + 40, 4, 0
        NtWriteVirtualMemory -1, VarPtr(l), pBuff, 1, 0
        If l <> 0 Then
            Do While l <> 0
                sFile = sFile & Chr$(l)
                i = i + 1
                NtWriteVirtualMemory -1, VarPtr(l), pBuff + i * 2, 1, 0
            Loop
            If (Right(UCase(sFile), 11) = "SBIEDLL.DLL") Or (Right(UCase(sFile), 11) = "DBGHELP.DLL") Then DetectDebugger = True
        End If
        If pModule = lCheck Then Exit Do
    Loop
    
End Function



RE: [VB6]Anti Debug 4 ways - one hacker alone - 01-11-2013

میشه یه توضیح کلی در مورد این Anti ها بزنید که کارشون چیه و به چه صورت عمل میکنن و کجا بیشتر بکار میان و چجوری میشه عملکردشون رو بررسی کرد که واقعا خوب جواب میدن یا نه


RE: [VB6]Anti Debug 4 ways - Amin_Mansouri - 01-11-2013

درود

این انتی دیباگ هست.

در واقع وقتی ollydbg بخواد برنامه رو trace کنه به کارت میاد.


RE: [VB6]Anti Debug 4 ways - one hacker alone - 01-12-2013

در مورد مکانیزمش چیزی میدونید؟