
OpenRCE Anti Reverse Engineering Technique >> OllyDbg OpenProcess() String Detection

Technique Name: OllyDbg OpenProcess() String Detection
Category: Debugging
Analysis By: ap0x
Download: OllyDBG-OpenProcess.zip
Added On: March 11 2006
Description:
; #########################################################################

      .586
      .model flat, stdcall
      option casemap :none   ; case sensitive

; #########################################################################

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc
      include \masm32\include\comdlg32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib
      includelib \masm32\lib\comdlg32.lib

; #########################################################################
    .data
_psapi db "psapi.dll",0h
_enumprocesses db "EnumProcesses",0h
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger not found!",0h
DbgFoundText db "Debugger found!",0h
    .data?
OllyFound db ?
VAlloc dd ?
OProc dd ?
Rpm dd ?
EProc dd ?
pBuff dd ?
hProc dd ?             ; handle of the process currently being inspected
dummy dd ?
temp dd ?
    .code

start:

; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This piece of code is used for simple process scanning.
; It tries to open every process and read out a value from
; the designated address 0x004B064B. At this address Olly stores
; one of the OLLYDBG strings. If the content of address 0x004B064B is
; 0x594C4C4F ("OLLY"), the debugger is detected.

MOV [OllyFound],0

PUSH offset _psapi
CALL LoadLibrary

PUSH offset _enumprocesses
PUSH EAX
CALL GetProcAddress

MOV [EProc],EAX

; Resolve the real address of kernel32!OpenProcess through the import
; thunk: the thunk is JMP DWORD PTR [IAT slot] (FF 25 xx xx xx xx),
; so the address of the IAT slot sits 2 bytes into the instruction.

MOV EDI,offset OpenProcess
ADD EDI,2h
MOV EDI,DWORD PTR[EDI] ;Read address of the IAT slot
MOV EDI,DWORD PTR[EDI] ;Read OpenProcess VA from the IAT slot
ADD EDI,6h             ;Byte 6 of OpenProcess is where the hook would sit

; Check if HideDebugger plugin is present (it patches OpenProcess
; with a far JMP, opcode 0EAh)

CMP BYTE PTR[EDI],0EAh
JNE @OpenProcess_not_hooked
MOV [OllyFound],1
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
@OpenProcess_not_hooked:

; Load all processes (thanks to deroko)

PUSH PAGE_READWRITE
PUSH MEM_COMMIT
PUSH 1024h
PUSH 0
CALL VirtualAlloc

MOV [pBuff],EAX

LEA ESI,[dummy]

PUSH ESI               ;lpcbNeeded: bytes written to the PID array
PUSH 1024h             ;cb: size of the PID array
PUSH EAX               ;lpProcessIds
CALL [EProc]           ;EnumProcesses

; Number of PIDs = bytes returned / 4

XOR EDX,EDX
MOV ECX,4
MOV EAX,[dummy]
DIV ECX
MOV ECX,EAX
TEST ECX,ECX
JZ _scan_done          ;nothing to scan if EnumProcesses returned no PIDs

__loop_processes:
MOV EAX,[pBuff]
MOV EAX,DWORD PTR[EAX+ECX*4-4] ;PID at index ECX-1 (ECX counts down from the PID count to 1)

PUSH EAX
PUSH ECX

PUSH EAX               ;dwProcessId
PUSH 0                 ;bInheritHandle
PUSH PROCESS_VM_READ   ;dwDesiredAccess
CALL OpenProcess
MOV [hProc],EAX

LEA ESI,[dummy]
LEA EDI,[temp]

; Try to open every process and read out the OLLY marker

PUSH EDI               ;lpNumberOfBytesRead
PUSH 4                 ;nSize
PUSH ESI               ;lpBuffer
PUSH 004B064Bh         ;lpBaseAddress
PUSH EAX               ;hProcess
CALL ReadProcessMemory
TEST EAX,EAX
JE _could_not_read_or_Olly_not_found
CMP DWORD PTR[ESI],594C4C4Fh ;"OLLY" string
JNE _could_not_read_or_Olly_not_found
MOV [OllyFound],1
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
_could_not_read_or_Olly_not_found:

PUSH [hProc]           ;release the handle (a NULL handle simply fails)
CALL CloseHandle

POP ECX
POP EAX

LOOPD __loop_processes

_scan_done:
CMP [OllyFound],1
JE _just_exit
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
_just_exit:
PUSH 0
CALL ExitProcess

end start
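For an analyst who needs to recognise this trick in a sample rather than run it, the following Python script is an added example; it is not part of the OpenRCE page or of ap0x's code. It scans a raw binary image for the byte-level footprints the listing above would leave once assembled: the hard-coded OllyDbg address 0x004B064B, the marker 0x594C4C4F ("OLLY"), the CMP BYTE PTR [reg],0EAh compare used to spot a far-JMP hook on OpenProcess, and the API names the routine depends on. The sample inputs are constructed inline and labelled as such.

```python
"""Static triage for the OllyDbg "OLLY" string-scan anti-debug trick.

Added example, not from the OpenRCE page or ap0x's code. It looks for the
byte-level indicators the MASM listing would leave in a compiled binary.
"""
import re
import struct

# Little-endian encodings of the two constants from the listing.
OLLY_ADDR = struct.pack("<I", 0x004B064B)      # b"\x4b\x06\x4b\x00"
OLLY_MARKER = struct.pack("<I", 0x594C4C4F)    # b"OLLY"
# 80 /7 ib with mod=00: CMP BYTE PTR [EAX|ECX|EDX|EBX|ESI|EDI],0EAh
CMP_FAR_JMP_OPCODE = re.compile(rb"\x80[\x38-\x3b\x3e\x3f]\xea")
# APIs the scan needs; all three together are the strongest hint.
API_NAMES = (b"EnumProcesses", b"OpenProcess", b"ReadProcessMemory")


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset of needle in data (overlapping hits included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan_olly_string_check(data: bytes) -> dict:
    """Collect indicators of the OLLY string scan in a raw binary image."""
    report = {
        "olly_addr_offsets": find_all(data, OLLY_ADDR),
        "olly_marker_offsets": find_all(data, OLLY_MARKER),
        "far_jmp_cmp_offsets": [m.start() for m in CMP_FAR_JMP_OPCODE.finditer(data)],
        "apis_present": [n.decode() for n in API_NAMES if n in data],
    }
    # Address and marker together identify this specific trick; the API
    # names alone are common in benign process tooling, so they only
    # add context to the report.
    report["likely_olly_string_scan"] = bool(
        report["olly_addr_offsets"] and report["olly_marker_offsets"]
    )
    report["likely_hidedebugger_check"] = bool(report["far_jmp_cmp_offsets"])
    return report


# Constructed sample: the instruction bytes the listing assembles to,
# padded with unrelated code and the import strings it relies on.
SAMPLE_SUSPECT = (
    b"\x55\x8b\xec"                      # push ebp / mov ebp,esp (filler)
    + b"\x80\x3f\xea"                    # CMP BYTE PTR [EDI],0EAh
    + b"\x68\x4b\x06\x4b\x00"            # PUSH 004B064Bh
    + b"\x81\x3e\x4f\x4c\x4c\x59"        # CMP DWORD PTR [ESI],594C4C4Fh
    + b"\xc3"                            # ret
    + b"psapi.dll\x00EnumProcesses\x00OpenProcess\x00ReadProcessMemory\x00"
)

# Constructed benign sample: uses the same APIs but neither constant.
SAMPLE_BENIGN = b"\x55\x8b\xec\xc3OpenProcess\x00ReadProcessMemory\x00"


if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, scan_olly_string_check(blob))
```

Run against a real file, the two constants are the discriminating signal: the API names and even the 0xEA compare turn up in legitimate tooling, so a hit on the address and the "OLLY" marker together is what warrants a closer look at the surrounding code.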
