Simple debugger detection in C++ with inline asm

 
Author: Nigtronix
Posted: Fri Aug 03, 2007 1:13 pm

I was fooling around, and decided to practice some asm after reading about the TIB and PEB in a Windows internals book, and after seeing a couple posts here about breakpoint detection. This is a simple debugger detection method, but is easily defeated.

Code:


#include <windows.h>

/* This is a completely transparent debugger checker.
   No Windows API necessary :o

   Completely replaces the Windows API IsDebuggerPresent().

   This method of protection is easily overcome by overwriting
   IsDebuggerPresent in the PEB (which many debugger stealth plugins do).
*/

/* Builds as 32-bit x86 with MSVC only: uses __asm and the FS-based TEB. */

const char *title = "Debugger checker";
const char *omg = "DEBUGGER DETECTED";
const char *omg2 = "DEBUGGER NOT DETECTED";

int main(int argc, char *argv[])
{
   DWORD msgbox = (DWORD)GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA");
   DWORD exitfunc = (DWORD)GetProcAddress(LoadLibrary("kernel32.dll"), "ExitProcess");
   while(1)
   {
   __asm
   {
      mov EAX, FS:[0x18]; // fs:[0x18] is the TEB (thread environment block).
      mov EAX, DS:[EAX + 0x30]; // TEB+0x30 (fs:[0x30]) points to the PEB (Process Environment Block)
      MOVZX EAX, BYTE PTR DS:[EAX + 0x2]; // read the one-byte BeingDebugged field of the block
      // If EAX (BeingDebugged) is set high (equal to one means debugger attached)
      CMP EAX,1;
      JE Detected;
      JNZ Not_Detected;

   Detected:

      // MessageBoxA(NULL, omg, title, 0): stdcall, arguments pushed right to left
      push NULL;
      push title;
      push omg;
      push NULL;
      call msgbox;
      // exit
      push -1; // Exit Code
      call exitfunc;

   Not_Detected:

      push NULL;
      push title;
      push omg2;
      push NULL;
      call msgbox;

   }

   Sleep(1200);
   }

   return 0;
}



I have it in the shitty loop so I could attach a debugger to it for testing.

Now everything around this is for testing and output and shit; the main detection code is really short:

Code:

   __asm
   {
      mov EAX, FS:[0x18]; // fs:[0x18] is the TEB (thread environment block).
      mov EAX, DS:[EAX + 0x30]; // TEB+0x30 (fs:[0x30]) points to the PEB (Process Environment Block)
      MOVZX EAX, BYTE PTR DS:[EAX + 0x2]; // read the one-byte BeingDebugged field of the block
      // If EAX (BeingDebugged) is set high (equal to one means debugger attached)
      CMP EAX,1;
      JE Detected;
      JNZ Not_Detected;
   }


No header required if you use pure asm outputs like Service 0x09 in INT 21
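
For an analyst triaging a 32-bit binary for the check shown in the post, the following added example (not part of the original post) scans a byte buffer for the machine-code encodings of that instruction sequence, and also for the shorter form that reads the PEB pointer straight from fs:[0x30]. The function names, the handling of an optional DS override prefix (0x3E) and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-32 encodings of the instructions in the post (EAX used throughout). */
static const uint8_t LOAD_TEB[]  = {0x64, 0xA1, 0x18, 0x00, 0x00, 0x00}; /* mov eax, fs:[0x18] */
static const uint8_t LOAD_PEB[]  = {0x8B, 0x40, 0x30};                   /* mov eax, [eax+0x30] */
static const uint8_t FS_PEB[]    = {0x64, 0xA1, 0x30, 0x00, 0x00, 0x00}; /* mov eax, fs:[0x30] */
static const uint8_t READ_FLAG[] = {0x0F, 0xB6, 0x40, 0x02};             /* movzx eax, byte ptr [eax+2] */

/* Match pat at buf[*pos], first skipping one optional DS override (0x3E).
   Assumption: an assembler may or may not emit that redundant prefix. */
static int eat(const uint8_t *buf, size_t len, size_t *pos,
               const uint8_t *pat, size_t n, int allow_ds)
{
    size_t p = *pos;
    if (allow_ds && p < len && buf[p] == 0x3E) p++;
    if (len - p < n || memcmp(buf + p, pat, n) != 0) return 0;
    *pos = p + n;
    return 1;
}

/* Return the offset of the first PEB.BeingDebugged read, or -1 if none. */
long find_being_debugged_check(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        size_t p = i;
        /* Form A (as posted): TEB self pointer -> PEB -> flag byte. */
        if (eat(buf, len, &p, LOAD_TEB, sizeof LOAD_TEB, 0) &&
            eat(buf, len, &p, LOAD_PEB, sizeof LOAD_PEB, 1) &&
            eat(buf, len, &p, READ_FLAG, sizeof READ_FLAG, 1))
            return (long)i;
        p = i; /* Form B: PEB pointer read directly from fs:[0x30]. */
        if (eat(buf, len, &p, FS_PEB, sizeof FS_PEB, 0) &&
            eat(buf, len, &p, READ_FLAG, sizeof READ_FLAG, 1))
            return (long)i;
    }
    return -1;
}

/* Constructed sample: two NOPs, form A, then cmp eax,1. Not from a real binary. */
const uint8_t SAMPLE[] = {0x90, 0x90, 0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,
                          0x8B, 0x40, 0x30, 0x0F, 0xB6, 0x40, 0x02, 0x83, 0xF8, 0x01};
int main(void)
{
    printf("check at offset %ld\n", find_being_debugged_check(SAMPLE, sizeof SAMPLE));
    return 0;
}
```

The match is limited to EAX as the working register, as in the post; a compiler-generated check may use other registers and would need the ModRM bytes generalised.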