رتبه موضوع:
  • 26 رای - 2.62 میانگین
  • 1
  • 2
  • 3
  • 4
  • 5
Example of AntiDebugging
#1
کد:
|| Example of AntiDebugging ||

;This is example how you can implement the anti debugging technic using API functions "IsDebuggerPresent" and "CheckRemoteDebuggerPresent"
;Not a new idea but later on I will add more anti reversing/debugging feature soon...
;Name :lclee_vx
;Group:F-13 Labs
;Web  :http://www.f13-labs.net

.386p
.model flat, stdcall
option casemap:none

.data

szTitle0 db "Access Denied - By lclee_vx", 0
szText0 db "Are You Trying To Debug Me??!! Sorry You Are Detected, Try Again :)!!", 0

szTitle1 db "Answer", 0
szText1 db ?

IsDebuggerAgain dd ?

;-----------------------------------------------------------------------------
;APIs function needed.
;-----------------------------------------------------------------------------
sMessageBoxA db "MessageBoxA", 0
aMessageBoxA dd 00000000h
sIsDebuggerPresent db "IsDebuggerPresent", 0
aIsDebuggerPresent dd 00000000h
sCheckRemoteDebuggerPresent db "CheckRemoteDebuggerPresent", 0
aCheckRemoteDebuggerPresent dd 00000000h

@@Namez label byte
sGetProcAddress db "GetProcAddress", 0
sLoadLibraryA db "LoadLibraryA", 0
sExitProcess db "ExitProcess", 0
db 0FFh

@@Offsetz label byte
aGetProcAddress dd 00000000h
aLoadLibraryA dd 00000000h
aExitProcess dd 00000000h

;------------------------------------------------------------------------------
;Parameters
;------------------------------------------------------------------------------
aKernel32 dd 00000000h
User32Dll db "User32.dll", 0 ;User32.dll
Kernel32Dll db "Kernel32.dll",0 ;Kernel32.dll

;------------------------------------------------------------------------------
;Start The Code
;------------------------------------------------------------------------------
.code

Main:
call delta
delta:
pop ebp
sub ebp, offset delta

mov esi, [esp]
and esi, 0FFFF0000h
call GetK32
mov dword ptr [ebp+offset aKernel32], eax ;save kernel32.dll

;-------------------------------------------------------------------------------
;here we looking for APIs function
;-------------------------------------------------------------------------------
lea edi, [ebp+offset @@Offsetz]
lea esi, [ebp+offset @@Namez]
call GetApis

call CheckDebugger1
call Success1

call CheckDebugger2
call Success2

call NormalExitProcess

;--------------------
;Normal Exit
;--------------------
NormalExitProcess proc
push 0
mov eax, dword ptr [ebp+offset aExitProcess]
call eax
ret
NormalExitProcess endp

;----------------------
;Exit Process Properly
;-----------------------
ExitProcess proc

OutOfMyCode:
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax


mov esi, offset sMessageBoxA
call GetApi

push 0
push offset szTitle0
push offset szText0
push 0
call eax

KillOut:
push 0
mov eax, dword ptr [ebp+offset aExitProcess]
call eax
ret
ExitProcess endp

;----------------
;Success2
;----------------
Success2 proc
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax


mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "ED"


push 0
push offset szTitle1
push offset szText1
push 0
call eax

push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax


mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "3:"


push 0
push offset szTitle1
push offset szText1
push 0
call eax

push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax


mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "79"


push 0
push offset szTitle1
push offset szText1
push 0
call eax

push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax


mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "08"


push 0
push offset szTitle1
push offset szText1
push 0
call eax
ret

Success2 endp

;------------------
;Check Debugger 2
;-----------------
CheckDebugger2 proc
KillDebug2:
push offset Kernel32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sCheckRemoteDebuggerPresent
call GetApi

push offset IsDebuggerAgain
push -1
call eax

mov eax, dword ptr [IsDebuggerAgain]
test eax,eax
jne ExitProcess
ret

CheckDebugger2 endp


;-------------------------------------------------------------------------------
;Success message 1
;-------------------------------------------------------------------------------
Success1 proc
mytest1:
push offset User32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax


mov esi, offset sMessageBoxA
call GetApi

mov dword ptr[ebp+offset szText1], "OC"


push 0
push offset szTitle1
push offset szText1
push 0
call eax

ret

Success1 endp

;----------------------
;Check the debugger 1
;------------------------
CheckDebugger1 proc
KillDebug1:
push offset Kernel32Dll
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax

mov esi, offset sIsDebuggerPresent
call GetApi

call eax
or eax, eax
jnz ExitProcess
ret

CheckDebugger1 endp

;----------------------------------------------------------------------------------
;Searching Kernel32.dll address
;----------------------------------------------------------------------------------
GetK32 PROC

ScanK32:
cmp word ptr [esi], "ZM"
je K32Found
sub esi, 1000h
jmp ScanK32

K32Found:
mov eax, esi
ret

GetK32 endp

;------------------------------------------------------------------------------------
;Searching The APIs function
;------------------------------------------------------------------------------------
GetApis PROC
@@1:
mov eax, dword ptr [ebp+aKernel32]
push esi
push edi
call GetApi
pop edi
pop esi

mov [edi], eax ;store API address in eax ----> edi
add edi, 4

@@3:
inc esi
cmp byte ptr [esi], 0
jne @@3
inc esi
cmp byte ptr [esi], 0FFh ;ended?
jnz @@1
ret
GetApis endp

GetApi PROC
mov ebx, [eax+3ch] ;ebx=offset PE header
add ebx, eax ;ebx=point to PE header
mov ebx, [ebx+78h] ;ebx=point to ExportDirectory Virtual Address
add ebx, eax ;normalize, ebx=point to ExportDirectory

xor edx, edx ;edx=0
mov ecx, [ebx+20h] ;ecx=point to AddressOfNames
add ecx, eax ;normalize
push esi ;save to stack
push edx ;save to stack

NextApi:
pop edx
pop esi
inc edx ;edx=the index into AddressOfOrdinals+1
mov edi, [ecx] ;edi=API function export by Kernel32.dll
add edi, eax ;normalize
add ecx, 4 ;point to next API function
push esi ;save to stack
push edx

CompareApi:
mov dl, [edi] ;dl=API function export by Kernel32.dll
mov dh, [esi] ;dh=API function we looking for
cmp dl, dh ;match?
jne NextApi ;not match....ok...next API
inc edi ;if match, compare next byte
inc esi
cmp byte ptr [esi], 0 ;finish?
je GetAddr ;jmp to get the address of API function
jmp CompareApi

GetAddr:
pop edx
pop esi
dec edx ;edx-1 (because edx=index point to zero -finish)
shl edx, 1 ;edx=edx*2

mov ecx, [ebx+24h]
add ecx, eax
add ecx, edx ;ecx=ordinals

xor edx,edx
mov dx, [ecx]
shl edx, 2 ;edx=edx*4
mov ecx, [ebx+1ch] ;ecx=RVA AddressOfFunctions
add ecx, eax ;normalize
add ecx, edx
add eax, [ecx] ;eax=address of API function we looking for
ret

GetApi endp

End Main
در صورتی که سوال دارید و سوالتون مختصر هست با شماره 09120642214 میتونید تماس بگیرید.
کسانی که دوست دارن در کانال فروشگاه ما و یا کانال انجمن عضو بشن یک پیامک در تلگرام برای من بفرستید که عضوشون میکنم.

ادرس فروشگاه :

http://www.amshop.ir



ای ام شاپ را در اینستگرام دنبال کنید

ای ام شاپ رو در کانال تلگرام دنبال کنید



This forum uses Lukasz Tkacz MyBB addons.
پاسخ


پرش به انجمن:


کاربران در حال بازدید این موضوع: 1 مهمان
<------> <____> <<<<----------------->>>> <<<<--->>>>>
This forum uses Lukasz Tkacz MyBB addons.