Flag: Tornado! Hurricane!

OpenRCE Anti Reverse Engineering Technique >> OllyDbg OpenProcess() String Detection

Technique Name Category Analysis By Download Added On Last Updated
OllyDbg OpenProcess() String Detection Debugging ap0x OllyDBG-OpenProcess.zip March 11 2006
Description:
; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc
      
      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib
      
; #########################################################################
    .data
_psapi db "psapi.dll",0h
_enumprocesses db "EnumProcesses",0h
        DbgNotFoundTitle db "Debugger status:",0h
        DbgFoundTitle db "Debugger status:",0h
        DbgNotFoundText db "Debugger not found!",0h
        DbgFoundText db "Debugger found!",0h
    .data?
OllyFound db ?
VAlloc dd ?
OProc dd ?
Rpm dd ?
EProc dd ?
pBuff dd ?
dummy dd ?
temp dd ?
    .code

start:

; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This peace of code is used for simple process scanning.
; It tries to open every process and read-out a value from
; designated address 0x004B064B. On this address Olly stores
; one of OLLYDBG strings. If content of address 0x004B064B is
; 0x594C4C4F (OLLY) then debugger is detected.

MOV [OllyFound],0

PUSH offset _psapi
CALL LoadLibrary

PUSH offset _enumprocesses
PUSH EAX
CALL GetProcAddress

MOV [EProc],EAX

MOV EDI,offset OpenProcess
ADD EDI,2h
MOV EDI,DWORD PTR[EDI] ;Read OpenProcess VA
MOV EDI,DWORD PTR[EDI] ;Read OpenProcess VA
ADD EDI,6h

; Check if HideDebugger plugin is present

CMP BYTE PTR[EDI],0EAh
JNE @OpenProcess_not_hooked
MOV [OllyFound],1
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
@OpenProcess_not_hooked:

; Load all processes (thanks to deroko)

PUSH PAGE_READWRITE
PUSH MEM_COMMIT
PUSH 1024h
PUSH 0
CALL VirtualAlloc

MOV [pBuff],EAX

LEA ESI,[dummy]

PUSH ESI
PUSH 1024h
PUSH EAX
CALL [EProc]

XOR EDX,EDX
MOV ECX,4
MOV EAX,[dummy]
DIV ECX
MOV ECX,EAX

__loop_processes:
MOV EAX,[pBuff]
MOV EAX,DWORD PTR[EAX+ECX*4]

PUSH EAX
PUSH ECX

PUSH EAX
PUSH 0
PUSH PROCESS_VM_READ
CALL OpenProcess

LEA ESI,[dummy]
LEA EDI,[temp]

; Try to open every process and read-out OLLY marker

PUSH EDI
PUSH 4
PUSH ESI
PUSH 004B064Bh
PUSH EAX
CALL ReadProcessMemory
TEST EAX,EAX
JE _could_not_read_or_Olly_not_found
CMP DWORD PTR[ESI],594C4C4Fh ;Olly - string
JNE _could_not_read_or_Olly_not_found
MOV [OllyFound],1
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
_could_not_read_or_Olly_not_found:

POP ECX
POP EAX

LOOPD __loop_processes

CMP [OllyFound],1
JE _just_exit
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
_just_exit:
RET

end start

There are 31,038 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit