zzzzzzssssmmm9 / antidebugging

This project forked from thomasthelen/anti-debugging

A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger.

License: MIT License

C++ 66.81% C 33.19%

antidebugging's Introduction

Project Status: Active – The project has reached a stable, usable state and is being actively developed.

Anti-debugging techniques are used when trying to thwart reverse engineering of software. Two common places where this is seen are video games, to prevent hackers from learning game mechanics, and commercial software, to stop people from writing key generators.

Repository Structure

IsDebuggerPresent

The most trivial way to check if a debugger is present is by calling IsDebuggerPresent. Internally, IsDebuggerPresent checks a flag in the Process Environment Block (PEB). The address of the PEB can be found in the Thread Information Block, which is reachable through the FS register. Most software does not solely rely on this method, as it can easily be bypassed by jumping over the cmp instruction.

MSDN Documentation

BOOL WINAPI IsDebuggerPresent(void);

CheckRemoteDebuggerPresent

When access to the program is limited, it can be checked remotely with CheckRemoteDebuggerPresent. The function acts as a wrapper around NtQueryInformationProcess, which provides information about a specified process. One piece of information that can be extracted is the process's debug port; when it is non-zero, a debugger is attached to the process. This again is easily bypassed, and software rarely relies on it to stop reverse engineers.

MSDN Documentation

BOOL WINAPI CheckRemoteDebuggerPresent(
_In_    HANDLE hProcess,
_Inout_ PBOOL  pbDebuggerPresent
);

ReadTeb

Reads the BeingDebugged field in the Process Environment Block (PEB). One way to determine the address of the PEB is by reading offset 0x30 from the Thread Information Block (TIB), which is obtained from the FS segment register. This is how IsDebuggerPresent works internally. Instead of calling IsDebuggerPresent, some software will perform this check manually. It can be bypassed the same way a call to IsDebuggerPresent is.
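The following is an added example, not one of the repository's own programs. It implements the manual PEB read described above next to the IsDebuggerPresent call from the first section and checks that the two agree, which is why they share the same bypass. The 0x30 offset is the one given above; the x64 offset (0x60 via GS) is assumed from outside this page. The Windows path uses the MSVC/MinGW intrinsics __readfsdword/__readgsqword; on other platforms both checks are stubbed to false so the file still compiles.

```cpp
// Added example (not from the original repository): compare the manual
// PEB.BeingDebugged read against the IsDebuggerPresent API.
#include <cstdint>
#include <cstdio>

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>

// Manual equivalent of IsDebuggerPresent: find the PEB through the TIB/TEB,
// then read the BeingDebugged byte, which sits at offset 2 of the PEB.
bool peb_being_debugged() {
#ifdef _WIN64
    // x64: the TEB is addressed through GS; the PEB pointer is at 0x60
    // (offset assumed from outside this page).
    auto peb = reinterpret_cast<const uint8_t*>(__readgsqword(0x60));
#else
    // x86: the TIB is addressed through FS; the PEB pointer is at 0x30.
    auto peb = reinterpret_cast<const uint8_t*>(__readfsdword(0x30));
#endif
    return peb[2] != 0;
}

// The documented API that reads the same flag.
bool api_debugger_present() {
    return IsDebuggerPresent() != FALSE;
}
#else
// Non-Windows build: there is no PEB, so both checks report "no debugger".
bool peb_being_debugged() { return false; }
bool api_debugger_present() { return false; }
#endif

// Both routes read the same byte, so they must always agree; patching
// one of them (e.g. jumping over its cmp) leaves the other intact.
bool checks_agree() {
    return peb_being_debugged() == api_debugger_present();
}

int main() {
    std::printf("PEB.BeingDebugged: %d, IsDebuggerPresent: %d\n",
                peb_being_debugged() ? 1 : 0, api_debugger_present() ? 1 : 0);
    return checks_agree() ? 0 : 1;
}
```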

OutputDebugString

The Windows API allows for printing debug statements out to a debugger, and will set an error if a debugger is not found. This is used by attempting to send a message to an attached debugger and checking for errors to determine if one is attached.

MSDN Documentation

void WINAPI OutputDebugString(
_In_opt_ LPCTSTR lpOutputString
);

FindWindow

Instead of using debug-specific APIs, if the window name of the debugger is known it can be searched for via FindWindow. Software/malware can search for window titles such as OllyDbg, x64dbg, SoftICE, etc.

MSDN Documentation

HWND WINAPI FindWindow(
_In_opt_ LPCTSTR lpClassName,
_In_opt_ LPCTSTR lpWindowName
);
