Flag: Tornado! Hurricane!

OpenRCE Anti Reverse Engineering Technique >> OllyDbg OpenProcess() String Detection

Technique Name Category Analysis By Download Added On Last Updated
OllyDbg OpenProcess() String Detection Debugging ap0x OllyDBG-OpenProcess.zip March 11 2006
Description:
; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc
      
      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib
      
; #########################################################################
    .data
_psapi db "psapi.dll",0h
_enumprocesses db "EnumProcesses",0h
        DbgNotFoundTitle db "Debugger status:",0h
        DbgFoundTitle db "Debugger status:",0h
        DbgNotFoundText db "Debugger not found!",0h
        DbgFoundText db "Debugger found!",0h
    .data?
OllyFound db ?
VAlloc dd ?
OProc dd ?
Rpm dd ?
EProc dd ?
pBuff dd ?
dummy dd ?
temp dd ?
    .code

start:

; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This peace of code is used for simple process scanning.
; It tries to open every process and read-out a value from
; designated address 0x004B064B. On this address Olly stores
; one of OLLYDBG strings. If content of address 0x004B064B is
; 0x594C4C4F (OLLY) then debugger is detected.

MOV [OllyFound],0

PUSH offset _psapi
CALL LoadLibrary

PUSH offset _enumprocesses
PUSH EAX
CALL GetProcAddress

MOV [EProc],EAX

MOV EDI,offset OpenProcess
ADD EDI,2h
MOV EDI,DWORD PTR[EDI] ;Read OpenProcess VA
MOV EDI,DWORD PTR[EDI] ;Read OpenProcess VA
ADD EDI,6h

; Check if HideDebugger plugin is present

CMP BYTE PTR[EDI],0EAh
JNE @OpenProcess_not_hooked
MOV [OllyFound],1
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
@OpenProcess_not_hooked:

; Load all processes (thanks to deroko)

PUSH PAGE_READWRITE
PUSH MEM_COMMIT
PUSH 1024h
PUSH 0
CALL VirtualAlloc

MOV [pBuff],EAX

LEA ESI,[dummy]

PUSH ESI
PUSH 1024h
PUSH EAX
CALL [EProc]

XOR EDX,EDX
MOV ECX,4
MOV EAX,[dummy]
DIV ECX
MOV ECX,EAX

__loop_processes:
MOV EAX,[pBuff]
MOV EAX,DWORD PTR[EAX+ECX*4]

PUSH EAX
PUSH ECX

PUSH EAX
PUSH 0
PUSH PROCESS_VM_READ
CALL OpenProcess

LEA ESI,[dummy]
LEA EDI,[temp]

; Try to open every process and read-out OLLY marker

PUSH EDI
PUSH 4
PUSH ESI
PUSH 004B064Bh
PUSH EAX
CALL ReadProcessMemory
TEST EAX,EAX
JE _could_not_read_or_Olly_not_found
CMP DWORD PTR[ESI],594C4C4Fh ;Olly - string
JNE _could_not_read_or_Olly_not_found
MOV [OllyFound],1
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
_could_not_read_or_Olly_not_found:

POP ECX
POP EAX

LOOPD __loop_processes

CMP [OllyFound],1
JE _just_exit
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
_just_exit:
RET

end start

There are 31,133 total registered users.


Recently Created Topics
Information on the t...
Feb/08
Information on the m...
Feb/07
Order Finax, Fincar ...
Feb/07
Information on the m...
Feb/07
Order Proscar (Finas...
Feb/07
Order Proscar, Finax...
Feb/07
Order Finasteride, F...
Feb/07
How to view IDA Pro'...
Nov/02
reverse MC9S12DG128
Oct/07
Looking for an advan...
Mar/21


Recent Forum Posts
Looking for an advan...
tthtlc
Looking for an advan...
tthtlc
Looking for an advan...
clightning
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo


Recent Blog Entries
nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

More ...


Recent Blog Comments
ComPuer on:
May/14
Android Application Reversing

nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit