10-15-2011، 09:53 PM
کد:
|| Example of AntiDebugging ||
;This is example how you can implement the anti debugging technic using API functions "IsDebuggerPresent" and "CheckRemoteDebuggerPresent"
;Not a new idea but later on I will add more anti reversing/debugging feature soon...
;Name :lclee_vx
;Group:F-13 Labs
;Web :http://www.f13-labs.net
.386p
.model flat, stdcall
option casemap:none
.data
szTitle0 db "Access Denied - By lclee_vx", 0
szText0 db "Are You Trying To Debug Me??!! Sorry You Are Detected, Try Again :)!!", 0
szTitle1 db "Answer", 0
szText1 db ?
IsDebuggerAgain dd ?
;-----------------------------------------------------------------------------
;APIs function needed.
;-----------------------------------------------------------------------------
sMessageBoxA db "MessageBoxA", 0
aMessageBoxA dd 00000000h
sIsDebuggerPresent db "IsDebuggerPresent", 0
aIsDebuggerPresent dd 00000000h
sCheckRemoteDebuggerPresent db "CheckRemoteDebuggerPresent", 0
aCheckRemoteDebuggerPresent dd 00000000h
@@Namez label byte
sGetProcAddress db "GetProcAddress", 0
sLoadLibraryA db "LoadLibraryA", 0
sExitProcess db "ExitProcess", 0
db 0FFh
@@Offsetz label byte
aGetProcAddress dd 00000000h
aLoadLibraryA dd 00000000h
aExitProcess dd 00000000h
;------------------------------------------------------------------------------
;Parameters
;------------------------------------------------------------------------------
aKernel32 dd 00000000h
User32Dll db "User32.dll", 0 ;User32.dll
Kernel32Dll db "Kernel32.dll",0 ;Kernel32.dll
;------------------------------------------------------------------------------
;Start The Code
;------------------------------------------------------------------------------
.code
Main:
call delta
delta:
pop ebp
sub ebp, offset delta
mov esi, [esp]
and esi, 0FFFF0000h
call GetK32
mov dword ptr [ebp+offset aKernel32], eax ;save kernel32.dll
;-------------------------------------------------------------------------------
;here we looking for APIs function
;-------------------------------------------------------------------------------
lea edi, [ebp+offset @@Offsetz]
lea esi, [ebp+offset @@Namez]
call GetApis
call CheckDebugger1
call Success1
call CheckDebugger2
call Success2
call NormalExitProcess
;--------------------
;Normal Exit
;--------------------
NormalExitProcess proc
push 0
mov eax, dword ptr [ebp+offset aExitProcess]
call eax
ret
NormalExitProcess endp
;----------------------
;Exit Process Properly
;-----------------------
ExitProcess proc
OutOfMyCode:
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sMessageBoxA
call GetApi
push 0
push offset szTitle0
push offset szText0
push 0
call eax
KillOut:
push 0
mov eax, dword ptr [ebp+offset aExitProcess]
call eax
ret
ExitProcess endp
;----------------
;Success2
;----------------
Success2 proc
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sMessageBoxA
call GetApi
mov dword ptr[ebp+offset szText1], "ED"
push 0
push offset szTitle1
push offset szText1
push 0
call eax
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sMessageBoxA
call GetApi
mov dword ptr[ebp+offset szText1], "3:"
push 0
push offset szTitle1
push offset szText1
push 0
call eax
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sMessageBoxA
call GetApi
mov dword ptr[ebp+offset szText1], "79"
push 0
push offset szTitle1
push offset szText1
push 0
call eax
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sMessageBoxA
call GetApi
mov dword ptr[ebp+offset szText1], "08"
push 0
push offset szTitle1
push offset szText1
push 0
call eax
ret
Success2 endp
;------------------
;Check Debugger 2
;-----------------
CheckDebugger2 proc
KillDebug2:
push offset Kernel32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sCheckRemoteDebuggerPresent
call GetApi
push offset IsDebuggerAgain
push -1
call eax
mov eax, dword ptr [IsDebuggerAgain]
test eax,eax
jne ExitProcess
ret
CheckDebugger2 endp
;-------------------------------------------------------------------------------
;Success message 1
;-------------------------------------------------------------------------------
Success1 proc
mytest1:
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sMessageBoxA
call GetApi
mov dword ptr[ebp+offset szText1], "OC"
push 0
push offset szTitle1
push offset szText1
push 0
call eax
ret
Success1 endp
;----------------------
;Check the debugger 1
;------------------------
CheckDebugger1 proc
KillDebug1:
push offset Kernel32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax
mov esi, offset sIsDebuggerPresent
call GetApi
call eax
or eax, eax
jnz ExitProcess
ret
CheckDebugger1 endp
;----------------------------------------------------------------------------------
;Searching Kernel32.dll address
;----------------------------------------------------------------------------------
GetK32 PROC
ScanK32:
cmp word ptr [esi], "ZM"
je K32Found
sub esi, 1000h
jmp ScanK32
K32Found:
mov eax, esi
ret
GetK32 endp
;------------------------------------------------------------------------------------
;Searching The APIs function
;------------------------------------------------------------------------------------
GetApis PROC
@@1:
mov eax, dword ptr [ebp+aKernel32]
push esi
push edi
call GetApi
pop edi
pop esi
mov [edi], eax ;store API address in eax ----> edi
add edi, 4
@@3:
inc esi
cmp byte ptr [esi], 0
jne @@3
inc esi
cmp byte ptr [esi], 0FFh ;ended?
jnz @@1
ret
GetApis endp
GetApi PROC
mov ebx, [eax+3ch] ;ebx=offset PE header
add ebx, eax ;ebx=point to PE header
mov ebx, [ebx+78h] ;ebx=point to ExportDirectory Virtual Address
add ebx, eax ;normalize, ebx=point to ExportDirectory
xor edx, edx ;edx=0
mov ecx, [ebx+20h] ;ecx=point to AddressOfNames
add ecx, eax ;normalize
push esi ;save to stack
push edx ;save to stack
NextApi:
pop edx
pop esi
inc edx ;edx=the index into AddressOfOrdinals+1
mov edi, [ecx] ;edi=API function export by Kernel32.dll
add edi, eax ;normalize
add ecx, 4 ;point to next API function
push esi ;save to stack
push edx
CompareApi:
mov dl, [edi] ;dl=API function export by Kernel32.dll
mov dh, [esi] ;dh=API function we looking for
cmp dl, dh ;match?
jne NextApi ;not match....ok...next API
inc edi ;if match, compare next byte
inc esi
cmp byte ptr [esi], 0 ;finish?
je GetAddr ;jmp to get the address of API function
jmp CompareApi
GetAddr:
pop edx
pop esi
dec edx ;edx-1 (because edx=index point to zero -finish)
shl edx, 1 ;edx=edx*2
mov ecx, [ebx+24h]
add ecx, eax
add ecx, edx ;ecx=ordinals
xor edx,edx
mov dx, [ecx]
shl edx, 2 ;edx=edx*4
mov ecx, [ebx+1ch] ;ecx=RVA AddressOfFunctions
add ecx, eax ;normalize
add ecx, edx
add eax, [ecx] ;eax=address of API function we looking for
ret
GetApi endp
End Main
گروه دور همی پارسی کدرز
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg
https://t.me/joinchat/GxVRww3ykLynHFsdCvb7eg