• 37 Vote(s) - 2.65 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Title: ANTI-DEBUGGERS  Protection
Description: Protect your programs with Anti-Debuggers-Protection,and make the Crackers angry!!!
This example working with compiled EXE!!!

Source Code


Option Explicit

Public Const MEM_DECOMMIT = &H4000
Public Const MEM_RELEASE = &H8000
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_RESET = &H80000
Public Const MEM_TOP_DOWN = &H100000
Public Const PAGE_READONLY = &H2
Public Const PAGE_READWRITE = &H4
Public Const PAGE_EXECUTE = &H10
Public Const PAGE_EXECUTE_READ = &H20
Public Const PAGE_GUARD = &H100
Public Const PAGE_NOACCESS = &H1
Public Const PAGE_NOCACHE = &H200
Public Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Public Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Function InstallAntiDebugger() As Long
Dim ThreadID As Long
Dim ThreadEntryPoint As Long
Dim ThreadCode As String
Dim ThreadCodeByte() As Byte
Dim ModuleHandle As Long
Dim ProcIDPAddr As Long
Dim ProcGCPAddr As Long
Dim ProcTPAddr As Long
Dim ProcSPAddr As Long

'This is the assembler code to check when your application is beeing debugged
'00401FBC      BF B1F5577C   MOV EDI,KERNEL32.IsDebuggerPresent
'00401FC1      FFD7          CALL EDI
'00401FC3      83F8 01       CMP EAX,1
'00401FC6      75 0F         JNZ SHORT 00401FD7
'00401FC8      BF 2579597C   MOV EDI,KERNEL32.GetCurrentProcess
'00401FCD      FFD7          CALL EDI
'00401FCF      50            PUSH EAX
'00401FD0      BF 6D6A597C   MOV EDI,KERNEL32.TerminateProcess
'00401FD5      FFD7          CALL EDI
'00401FD7      BF 91A2597C   MOV EDI,KERNEL32.Sleep
'00401FDC      B8 10270000   MOV EAX,2710                           ;Sleep 10 seconds before check the debugger again
'00401FE1      50            PUSH EAX
'00401FE2      FFD7          CALL EDI
'00401FE4    ^ EB D6         JMP SHORT 00401FBC

'Get the module entry point for the kernel32.dll
ModuleHandle = LoadLibrary("Kernel32.dll")
If ModuleHandle = 0 Then
    InstallAntiDebugger = 0
    'Get the function address
    ProcIDPAddr = GetProcAddress(ModuleHandle, "IsDebuggerPresent")
    ProcGCPAddr = GetProcAddress(ModuleHandle, "GetCurrentProcess")
    ProcTPAddr = GetProcAddress(ModuleHandle, "TerminateProcess")
    ProcSPAddr = GetProcAddress(ModuleHandle, "Sleep")
    'Build the assembler code (opcodes)
    ThreadCode = "BF" & AlignDWORD(ProcIDPAddr) & _
                 "FFD7" & _
                 "83F801" & _
                 "750F" & _
                 "BF" & AlignDWORD(ProcGCPAddr) & _
                 "FFD7" & _
                 "50" & _
                 "BF" & AlignDWORD(ProcTPAddr) & _
                 "FFD7" & _
                 "BF" & AlignDWORD(ProcSPAddr) & _
                 "B810270000" & _
                 "50" & _
                 "FFD7" & _
    'Transform the string into a byte array
    ConvHEX2ByteArray ThreadCode, ThreadCodeByte
    'Allocate virtual memory to install our code
    ThreadEntryPoint = VirtualAlloc(0, UBound(ThreadCodeByte) - LBound(ThreadCodeByte) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    If ThreadEntryPoint <> 0 Then
        'Copy the assembler codes from our array into the new allocated virtual memory
        CopyMemory ByVal ThreadEntryPoint, ByVal VarPtr(ThreadCodeByte(LBound(ThreadCodeByte))), ByVal UBound(ThreadCodeByte) - LBound(ThreadCodeByte) + 1
        'Start the new thread, using as entry point then start of allocated virtual memory
        CreateThread ByVal 0&, ByVal 0&, ByVal ThreadEntryPoint, ByVal 0&, ByVal 0&, ThreadID
        'Return the threadid for future uses on ur main program (like suspendthread, resumethread, etc)
        InstallAntiDebugger = ThreadID
        InstallAntiDebugger = 0
    End If

End If
End Function

Sub ConvHEX2ByteArray(pStr As String, pByte() As Byte)
Dim i As Long
Dim j As Long
ReDim pByte(1 To Len(pStr))
For i = 1 To Len(pStr) Step 2
    j = j + 1
    pByte(j) = CByte("&H" & Mid(pStr, i, 2))
End Sub

Function AlignDWORD(pParam As Long) As String
Dim HiW As Integer
Dim LoW As Integer

Dim HiBHiW As Byte
Dim HiBLoW As Byte

Dim LoBHiW As Byte
Dim LoBLoW As Byte

HiW = HiWord(pParam)
LoW = LoWord(pParam)

HiBHiW = HiByte(HiW)
HiBLoW = HiByte(LoW)

LoBHiW = LoByte(HiW)
LoBLoW = LoByte(LoW)

AlignDWORD = IIf(Len(Hex(LoBLoW)) = 1, "0" & Hex(LoBLoW), Hex(LoBLoW)) & _
         IIf(Len(Hex(HiBLoW)) = 1, "0" & Hex(HiBLoW), Hex(HiBLoW)) & _
         IIf(Len(Hex(LoBHiW)) = 1, "0" & Hex(LoBHiW), Hex(LoBHiW)) & _
         IIf(Len(Hex(HiBHiW)) = 1, "0" & Hex(HiBHiW), Hex(HiBHiW))

End Function

Public Function HiByte(ByVal wParam As Integer) As Byte

    HiByte = (wParam And &HFF00&) \ (&H100)

End Function

Function HiWord(DWord As Long) As Integer
   HiWord = (DWord And &HFFFF0000) \ &H10000
End Function

Public Function LoByte(ByVal wParam As Integer) As Byte

  LoByte = wParam And &HFF&

End Function

Function LoWord(DWord As Long) As Integer
   If DWord And &H8000& Then ' &H8000& = &H00008000
      LoWord = DWord Or &HFFFF0000
      LoWord = DWord And &HFFFF&
   End If
End Function


'Install AntiDebugger Thread
Private Sub Form_Load()
Dim ThreadID As Long

'For usefull test... compile this example and open the exe in some debugger (like ADA, OLLY, etc). Debug this code before install the "Antidebugger"... then debug again after install the "Antidebugger"
ThreadID = InstallAntiDebugger
If ThreadID <> 0 Then
    MsgBox "Anti Debugger installed in the thread Thanx www.ParsiCoders.Com " & ThreadID, vbInformation
    MsgBox "Error!", vbCritical
End If
End Sub
گروه دور همی پارسی کدرز

Possibly Related Threads...
Thread Author Replies Views Last Post
  [VB6]Anti Debug 4 ways Amin_Mansouri 3 4,201 01-12-2013، 04:22 PM
Last Post: one hacker alone
  Anti Vm, Sandboxie, Norman Amin_Mansouri 3 4,271 01-11-2013، 09:25 AM
Last Post: Amin_Mansouri
  VB6 - Anti CW Sandbox & Anubis Module Amin_Mansouri 0 2,973 10-20-2011، 05:19 PM
Last Post: Amin_Mansouri
  Anti Debug Amin_Mansouri 0 3,123 04-17-2011، 02:51 PM
Last Post: Amin_Mansouri

Forum Jump:

Users browsing this thread: 1 Guest(s)