Example of AntiDebugging
|| Example of AntiDebugging ||

;This is an example of how you can implement the anti-debugging technique using the API functions "IsDebuggerPresent" and "CheckRemoteDebuggerPresent"
;Not a new idea but later on I will add more anti reversing/debugging feature soon...
;Name :lclee_vx
;Group:F-13 Labs
;Web  :http://www.f13-labs.net

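.386p
.model flat, stdcall
option casemap:none

.data

;-----------------------------------------------------------------------------
; Strings for the "debugger detected" message box (shown by the ExitProcess proc).
;-----------------------------------------------------------------------------
szTitle0 db "Access Denied - By lclee_vx", 0
szText0 db "Are You Trying To Debug Me??!! Sorry You Are Detected, Try Again :)!!", 0

;-----------------------------------------------------------------------------
; Caption and text buffer for the "Answer" message boxes.  Success1 and Success2
; store a DWORD into szText1 (mov dword ptr [..szText1], "xx": two characters
; followed by two NUL bytes), so the buffer must hold 4 bytes.  It used to be a
; single byte, which let that store spill over into IsDebuggerAgain.
;-----------------------------------------------------------------------------
szTitle1 db "Answer", 0
szText1 db 4 dup(?)

; Output flag (pbDebuggerPresent) written by CheckRemoteDebuggerPresent in
; CheckDebugger2.
IsDebuggerAgain dd ?

;-----------------------------------------------------------------------------
; API names resolved at run time by GetApi (export-directory walk, see GetApi).
; Each sName is the lookup key; the aName slot next to it is never referenced
; in this file - the resolved address is used straight from eax by the caller.
;-----------------------------------------------------------------------------
sMessageBoxA db "MessageBoxA", 0
aMessageBoxA dd 00000000h
sIsDebuggerPresent db "IsDebuggerPresent", 0
aIsDebuggerPresent dd 00000000h
sCheckRemoteDebuggerPresent db "CheckRemoteDebuggerPresent", 0
aCheckRemoteDebuggerPresent dd 00000000h

; Names resolved from the module found by GetK32 at start-up (GetApis):
; NUL-separated, the list ends with a 0FFh byte.  Results land in @@Offsetz in
; the same order.
@@Namez label byte
sGetProcAddress db "GetProcAddress", 0
sLoadLibraryA db "LoadLibraryA", 0
sExitProcess db "ExitProcess", 0
db 0FFh ;end-of-list marker tested by GetApis

@@Offsetz label byte
aGetProcAddress dd 00000000h ;resolved but not referenced anywhere in this file
aLoadLibraryA dd 00000000h
aExitProcess dd 00000000h

;------------------------------------------------------------------------------
;Parameters
;------------------------------------------------------------------------------
aKernel32 dd 00000000h ;module base returned by GetK32
User32Dll db "User32.dll", 0 ;lpLibFileName for LoadLibraryA
Kernel32Dll db "Kernel32.dll",0 ;lpLibFileName for LoadLibraryA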

;------------------------------------------------------------------------------
;Start The Code
;------------------------------------------------------------------------------
.code

Main:
; Entry point (see "End Main").  Register roles for the whole program:
;   ebp = delta between the run-time address of `delta` and its assembled
;         offset (0 when the image is loaded at its link base).  Most data is
;         addressed as [ebp+offset var]; a few places use plain `offset var` or
;         [var], which agrees with the ebp form only when the delta is 0.
;   eax = module base / resolved API address (changes at every call).
call delta
delta:
pop ebp ;ebp = run-time address of delta
sub ebp, offset delta ;ebp = load delta

; After the pop, esp is back at its entry value, so [esp] is the address the
; entry point would return to.  The code assumes that address lies inside
; kernel32.dll and lets GetK32 walk down from it to the module header.
; NOTE(review): on Windows versions where the entry point is called from
; ntdll.dll rather than kernel32.dll this yields ntdll's base, and the
; LoadLibraryA/ExitProcess lookups below would not find their names - confirm
; on the target OS.
mov esi, [esp]
and esi, 0FFFF0000h ;round down to 64 KB (module bases are 64 KB aligned)
call GetK32 ;eax = base of the first "MZ" header at or below esi
mov dword ptr [ebp+offset aKernel32], eax ;save kernel32.dll base for GetApis

;-------------------------------------------------------------------------------
; Resolve GetProcAddress, LoadLibraryA and ExitProcess from the module found above.
;   esi -> @@Namez : NUL-separated names, list ends with a 0FFh byte
;   edi -> @@Offsetz: parallel DWORD table that receives the addresses
; None of these names appear in an import table - they are resolved by walking
; the export directory (GetApi), which is the detail an analyst triaging the
; binary would note.
;-------------------------------------------------------------------------------
lea edi, [ebp+offset @@Offsetz]
lea esi, [ebp+offset @@Namez]
call GetApis

; Each CheckDebuggerN returns only when no debugger is reported; on detection it
; jumps (not calls) to the ExitProcess proc - message box, then process exit -
; and never comes back here.
call CheckDebugger1 ;IsDebuggerPresent()
call Success1 ;one "Answer" message box

call CheckDebugger2 ;CheckRemoteDebuggerPresent(current process)
call Success2 ;four more "Answer" message boxes

call NormalExitProcess ;ExitProcess(0)

;--------------------
;Normal Exit
;--------------------
NormalExitProcess proc
; Terminate with exit code 0 through the ExitProcess address resolved by GetApis.
push 0 ;uExitCode = 0
call dword ptr [ebp+offset aExitProcess]
ret ;not reached: ExitProcess does not return
NormalExitProcess endp

;----------------------
;Exit Process Properly
;-----------------------
ExitProcess proc
; Debugger-detected exit path.  Entered by a JMP (jnz/jne ExitProcess) from
; CheckDebugger1 / CheckDebugger2, not by CALL, and it never returns: it shows
; the szTitle0/szText0 message box and then calls the Win32 ExitProcess through
; the address resolved into aExitProcess.
; NOTE(review): the proc name shadows the API name that is looked up by string
; (sExitProcess); the two are easy to confuse when reading the call sites.

OutOfMyCode:
push offset User32Dll ;lpLibFileName (plain offset, unlike the ebp-relative load below)
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax ;eax = HMODULE of user32.dll


mov esi, offset sMessageBoxA ;esi -> name to resolve in the module held in eax
call GetApi ;eax = address of MessageBoxA

push 0 ;uType
push offset szTitle0 ;lpCaption
push offset szText0 ;lpText
push 0 ;hWnd
call eax ;MessageBoxA(hWnd, lpText, lpCaption, uType)

KillOut:
push 0 ;uExitCode
mov eax, dword ptr [ebp+offset aExitProcess]
call eax ;Win32 ExitProcess - does not return
ret ;not reached
ExitProcess endp

;----------------
;Success2
;----------------
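;----------------
;Success2
;----------------
; Show four "Answer" message boxes in turn.  The original repeated the same
; LoadLibraryA / GetApi / MessageBoxA sequence four times with only the stored
; text differing; the sequence now lives once in ShowAnswer.
; In:  ebp = load delta (see Main).  Clobbers eax-edx, esi, edi.
; Note: MASM packs a two-character constant most-significant first, so the two
; characters appear reversed in memory (and in the box) - confirm with the
; assembler in use.
Success2 proc
mov eax, "ED"
call ShowAnswer
mov eax, "3:"
call ShowAnswer
mov eax, "79"
call ShowAnswer
mov eax, "08"
call ShowAnswer
ret
Success2 endp

;----------------
; ShowAnswer - store eax into szText1 and display it with caption szTitle1.
; In:  eax = DWORD to store (two characters followed by two NUL bytes)
;      ebp = load delta
; Clobbers eax-edx, esi, edi (GetApi and the two calls below).
;----------------
ShowAnswer proc
mov dword ptr [ebp+offset szText1], eax ;store first: every call below clobbers eax
push offset User32Dll ;lpLibFileName
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax ;eax = HMODULE of user32.dll
mov esi, offset sMessageBoxA
call GetApi ;eax = address of MessageBoxA
push 0 ;uType
push offset szTitle1 ;lpCaption
push offset szText1 ;lpText
push 0 ;hWnd
call eax ;MessageBoxA(...)
ret
ShowAnswer endp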

;------------------
;Check Debugger 2
;-----------------
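CheckDebugger2 proc
; Second check: CheckRemoteDebuggerPresent(GetCurrentProcess(), &IsDebuggerAgain).
; Returns only when the flag comes back 0; otherwise jumps to the ExitProcess
; proc, which never returns.  The BOOL result of the API call itself (success /
; failure) is not examined.
; In:  ebp = load delta.  Clobbers eax-edx, esi, edi.
KillDebug2:
push offset Kernel32Dll ;lpLibFileName
mov eax, dword ptr [ebp+offset aLoadLibraryA]
call eax ;eax = HMODULE of kernel32.dll

mov esi, offset sCheckRemoteDebuggerPresent
call GetApi ;eax = address of CheckRemoteDebuggerPresent

; Clear the output flag before the call.  The API writes it only on success;
; without this, whatever the DWORD held beforehand (it is never initialised
; elsewhere) would be read below as "debugger present" if the call failed.
mov dword ptr [IsDebuggerAgain], 0
push offset IsDebuggerAgain ;pbDebuggerPresent
push -1 ;hProcess = (HANDLE)-1, the current-process pseudo-handle
call eax

mov eax, dword ptr [IsDebuggerAgain]
test eax,eax
jne ExitProcess ;local proc (not the API): message box + exit, never returns
ret

CheckDebugger2 endp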


;-------------------------------------------------------------------------------
;Success message 1
;-------------------------------------------------------------------------------
Success1 proc
; Show one "Answer" message box whose text is the two characters "OC" (MASM
; packs the constant most-significant first, so they appear reversed in memory
; and in the box - confirm with the assembler in use).
; In:  ebp = load delta.  Clobbers eax-edx, esi, edi.
mytest1:
mov dword ptr[ebp+offset szText1], "OC" ;store before the calls; none of them reads it early

push offset User32Dll ;lpLibFileName
call dword ptr [ebp+offset aLoadLibraryA] ;eax = HMODULE of user32.dll

mov esi, offset sMessageBoxA
call GetApi ;eax = address of MessageBoxA

push 0 ;uType
push offset szTitle1 ;lpCaption
push offset szText1 ;lpText
push 0 ;hWnd
call eax ;MessageBoxA(...)
ret

Success1 endp

;----------------------
;Check the debugger 1
;------------------------
CheckDebugger1 proc
; First check: IsDebuggerPresent().  Returns only when the API reports FALSE;
; otherwise jumps to the ExitProcess proc, which never returns.
; In:  ebp = load delta.  Clobbers eax-edx, esi, edi.
KillDebug1:
push offset Kernel32Dll ;lpLibFileName
call dword ptr [ebp+offset aLoadLibraryA] ;eax = HMODULE of kernel32.dll

mov esi, offset sIsDebuggerPresent
call GetApi ;eax = address of IsDebuggerPresent

call eax ;eax = BOOL
test eax, eax
jnz ExitProcess ;local proc (not the API): message box + exit, never returns
ret

CheckDebugger1 endp

;----------------------------------------------------------------------------------
;Searching Kernel32.dll address
;----------------------------------------------------------------------------------
GetK32 PROC
; Walk down from esi one page (1000h) at a time until a word "MZ" (DOS header
; signature, stored as 4D 5A) is found, and return that address in eax.
; In:  esi = 64 KB-aligned start address (see Main)
; Out: eax = esi = address of the header found
; There is no lower bound: if no such header is mapped below the start address
; the scan eventually touches unmapped memory.  Whether the module found is
; kernel32.dll depends entirely on where the caller's start address pointed.
jmp TestK32
ScanK32:
sub esi, 1000h ;previous page
TestK32:
cmp word ptr [esi], "ZM"
jne ScanK32

mov eax, esi ;eax = module base
ret

GetK32 endp

;------------------------------------------------------------------------------------
;Searching The APIs function
;------------------------------------------------------------------------------------
GetApis PROC
; Resolve every name in a NUL-separated list from the module whose base is in
; aKernel32, storing the addresses in a parallel DWORD table.
; In:  esi -> first name; the list ends with a 0FFh byte after the last NUL
;      edi -> DWORD table receiving the addresses, in list order
;      ebp =  load delta
; Clobbers eax-edx; esi/edi are saved around GetApi and advanced past each entry.
NextName:
mov eax, dword ptr [ebp+offset aKernel32] ;module base for GetApi
push esi ;GetApi clobbers esi and edi
push edi
call GetApi ;eax = address of the name at [esi]
pop edi
pop esi

mov [edi], eax ;store the address into the table
add edi, 4 ;next table slot

SkipName:
inc esi ;advance to the NUL ending the current name
test byte ptr [esi], 0FFh
jnz SkipName
inc esi ;esi -> next name, or the 0FFh end marker
cmp byte ptr [esi], 0FFh
jne NextName
ret
GetApis endp

GetApi PROC
;------------------------------------------------------------------------------
; Resolve an export by name from a module already mapped in this process by
; walking its export directory (no GetProcAddress involved).
; In:   eax = module base (HMODULE), esi -> NUL-terminated name to find
; Out:  eax = absolute address of the export
; Clobbers: ebx, ecx, edx, esi, edi, flags (callers that keep esi/edi live
;       save them around the call, as GetApis does).
; Review notes:
;  - NumberOfNames (export directory +18h) is never consulted: if the name is
;    absent, the scan runs past the end of AddressOfNames into whatever follows.
;  - A match is declared when the wanted name ends (byte [esi] == 0) without
;    checking that the export name ends there too, so an export of which the
;    wanted name is a proper prefix would also match.  Export name tables are
;    sorted, so the exact name is reached first for the names used in this file.
;  - Forwarded exports are not handled (assumption: none of the names looked up
;    here is a forwarder on the target OS - confirm).
;------------------------------------------------------------------------------
mov ebx, [eax+3ch] ;ebx = e_lfanew (offset of the PE header from the base)
add ebx, eax ;ebx -> IMAGE_NT_HEADERS
mov ebx, [ebx+78h] ;ebx = RVA of the export directory (DataDirectory[0])
add ebx, eax ;ebx -> IMAGE_EXPORT_DIRECTORY

xor edx, edx ;edx = 0; becomes the 1-based index of the name being compared
mov ecx, [ebx+20h] ;ecx = RVA of AddressOfNames
add ecx, eax ;ecx -> AddressOfNames[0]
push esi ;stack holds [wanted-name start, index]; both are re-popped at NextApi
push edx

NextApi:
pop edx
pop esi ;esi -> start of the wanted name again
inc edx ;edx = 1-based index of the name about to be compared
mov edi, [ecx] ;edi = RVA of this export's name string
add edi, eax ;edi -> export name string
add ecx, 4 ;ecx -> next AddressOfNames entry
push esi ;re-save: dl/dh below use edx as scratch
push edx

CompareApi:
mov dl, [edi] ;dl = next byte of the export name
mov dh, [esi] ;dh = next byte of the wanted name
cmp dl, dh ;case-sensitive byte compare
jne NextApi ;mismatch: try the next export
inc edi ;bytes matched: step both names
inc esi
cmp byte ptr [esi], 0 ;end of the wanted name?
je GetAddr ;yes: treat as found (the export name's end is not checked)
jmp CompareApi

GetAddr:
pop edx ;edx = 1-based index of the matching name
pop esi
dec edx ;0-based index
shl edx, 1 ;AddressOfNameOrdinals holds WORDs: byte offset = index*2

mov ecx, [ebx+24h] ;ecx = RVA of AddressOfNameOrdinals
add ecx, eax
add ecx, edx ;ecx -> ordinal for the matching name

xor edx,edx
mov dx, [ecx] ;edx = ordinal, zero-extended (an index into AddressOfFunctions)
shl edx, 2 ;AddressOfFunctions holds DWORDs: byte offset = ordinal*4
mov ecx, [ebx+1ch] ;ecx = RVA of AddressOfFunctions
add ecx, eax
add ecx, edx ;ecx -> RVA of the function
add eax, [ecx] ;eax = base + RVA = address of the export
ret

GetApi endp

End Main
