10-18-2011، 01:25 AM
کد:
unit AntiDbg;
{
very simple AntiDebug Unit for Delphi
can detect most debuggers:
OllyDBG,Immunity Debugger,WinDbg,W32DAsm,IDA,....
SoftICE,Syser,TRW,TWX
Tested on Win9x-Me-2k-XP-2k3-Vista
Coded by: Magic_h2001
magic_h2001@yahoo.com
http://magic.shabgard.org
just for fun ;)
}
interface
uses Windows,SysUtils,TlHelp32;
function IsDBG:Boolean;
implementation
var
Found:Boolean=False;
hSnapmod: THANDLE;
ModInfo: MODULEENTRY32;
hSnap: THANDLE;
ProcessInfo: PROCESSENTRY32;
ProcID:DWORD;
Tm1,Tm2:Int64;
function IsDebuggerPresent():BOOL; stdcall;external 'kernel32.dll' name 'IsDebuggerPresent';
function GetSys:string;
var
Gsys : array[0..MAX_PATH] of Char;
begin
GetSystemDirectory(Gsys,MAX_PATH);
Result:=Gsys;
if length(Result)>0 then
if Result[length(Result)]<>'\' then Result:=Result+'\';
end;
function UpCaseStr(S:string):String;
var i:integer;
begin
Result:=s;
if s='' then exit;
for i:=1 to length(s) do
Result[i]:=upcase(Result[i]);
end;
function RDTSC: Int64; assembler;
asm
PUSH EDI
PUSH EDI
PUSH EDI
PUSH EDI
DB 0fh ,031h
POP EDI
POP EDI
POP EDI
POP EDI
end;
function IsRing0DBG(S:string): boolean;
var hFile: Thandle;
begin
Result := False;
hFile := CreateFileA(Pchar(S), GENERIC_READ or GENERIC_WRITE,
0, nil, OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL, 0);
if( hFile <> INVALID_HANDLE_VALUE ) then begin
CloseHandle(hFile);
Result := TRUE;
end;
end;
function IsDBG:Boolean;
var i: Integer;
begin
Tm1:=RDTSC;
for i:=0 to 255 do
OutputDebugStringA('kernel32.dll');
Tm2:=RDTSC-Tm1;
if Tm2<9999 then Found:=True;
if Tm2>299999999 then Found:=True;
hSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
ProcessInfo.dwSize:=sizeof(PROCESSENTRY32);
Process32First(hSnap,ProcessInfo);
repeat
if Pos('OLLYDBG',UpCaseStr(ProcessInfo.szExeFile))<>0 then Found:=True;
if Pos('DBG',UpCaseStr(ProcessInfo.szExeFile))<>0 then Found:=True;
if Pos('DEBUG',UpCaseStr(ProcessInfo.szExeFile))<>0 then Found:=True;
if Pos('IDAG',UpCaseStr(ProcessInfo.szExeFile))<>0 then Found:=True;
if Pos('W32DSM',UpCaseStr(ProcessInfo.szExeFile))<>0 then Found:=True;
ProcID:=ProcessInfo.th32ProcessID;
hSnapMod:=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,ProcID);
ModInfo.dwSize:=sizeof(MODULEENTRY32);
Module32First(hSnapMod,ModInfo);
repeat
if Pos('OLLYDBG',UpCaseStr(ModInfo.szExePath))<>0 then Found:=True;
if Pos('W32DSM',UpCaseStr(ModInfo.szExePath))<>0 then Found:=True;
until (not Module32Next(hSnapMod,ModInfo));
CloseHandle(hSnapMod);
until (not Process32Next(hSnap,ProcessInfo));
CloseHandle(hSnap);
if FileExists(GetSys+'drivers\sice.sys') then Found:=True;
if FileExists(GetSys+'drivers\ntice.sys') then Found:=True;
if FileExists(GetSys+'drivers\syser.sys') then Found:=True;
if FileExists(GetSys+'drivers\winice.sys') then Found:=True;
if FileExists(GetSys+'drivers\sice.vxd') then Found:=True;
if FileExists(GetSys+'drivers\winice.vxd') then Found:=True;
if FileExists(GetSys+'winice.vxd') then Found:=True;
if FileExists(GetSys+'vmm32\winice.vxd') then Found:=True;
if FileExists(GetSys+'sice.vxd') then Found:=True;
if FileExists(GetSys+'vmm32\sice.vxd') then Found:=True;
if IsDebuggerPresent then Found:=True;
if IsRing0DBG('\\.\SICE') then Found:=True;
if IsRing0DBG('\\.\SIWVID') then Found:=True;
if IsRing0DBG('\\.\NTICE') then Found:=True;
if IsRing0DBG('\\.\TRW') then Found:=True;
if IsRing0DBG('\\.\TWX') then Found:=True;
if IsRing0DBG('\\.\ICEEXT') then Found:=True;
if IsRing0DBG('\\.\SYSER') then Found:=True;
Result:=Found;
end;
end.
گروه دور همی پارسی کدرز
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg