SuppressDebugMsg As Anti-Debug Trick
walied
November 24th, 2012, 20:35
My latest blog post where i explain a new anti-debug trick.
http://waleedassar.blogspot.com/2012/11/suppressdebugmsg-as-anti-debug-trick.html
Have fun
Indy
January 12th, 2013, 17:58
Bypass trace. After closing the window(Int 0x2B).
http://s018.radikal.ru/i507/1301/5e/dae8d3f53926.png
rEip = ??
Indy
January 19th, 2013, 03:47
src.
mint77
January 19th, 2013, 19:38
Indy,
Thanks for the source.
I am very interested in anything Olly related.
What assembler did you use. I don't recognize the coding style.
I code using masm.
Indy
January 20th, 2013, 06:08
mint77
Quote:
[Originally Posted by mint77] I don't recognize the coding style.
Masm
How to work around it?
Indy
January 23rd, 2013, 21:30
Code:
CR0_TS equ 1000B          ; CR0 bit 3, Task Switched: set by the kernel on a context switch (lazy FPU switching)
CR0_MP equ 0010B          ; CR0 bit 1, Monitor Coprocessor
smsw eax                  ; read the low word of CR0 before touching the FPU
fnclex                    ; first x87 instruction: with TS set it raises #NM and the kernel clears TS
smsw ecx                  ; read CR0 again
xor eax,ecx ; CR0_MP or CR0_TS ; nonzero if TS changed across the FPU instruction
jz Trace                  ; TS did not change: treated here as the traced (single-stepped) case
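A defender-side static check for the SMSW / FNCLEX / SMSW sequence Indy posted above, added here as an example and not code from Indy, walied or the linked blog; it assumes the register forms used in the snippet, the standard encodings SMSW = 0F 01 /4 and FNCLEX = DB E2, and scans constructed sample bytes:

```python
"""Find the CR0.TS probe (smsw; fnclex; smsw) in raw x86 code bytes.
Added example for this thread; the sample bytes below are constructed."""

SMSW_OPCODE = b"\x0f\x01"   # SMSW r/m16/32 is encoded 0F 01 /4
FNCLEX = b"\xdb\xe2"        # FNCLEX, no-wait form (FCLEX would be 9B DB E2)


def is_smsw_reg(code: bytes, i: int):
    """Return (length, reg) if SMSW into a general register starts at offset i, else None.
    An optional 0x66 operand-size prefix is accepted (smsw ax vs smsw eax)."""
    off = i
    if off < len(code) and code[off] == 0x66:
        off += 1
    if code[off:off + 2] != SMSW_OPCODE or off + 2 >= len(code):
        return None
    modrm = code[off + 2]
    # register form needs mod=11 and the reg field /4 that selects SMSW
    if (modrm >> 6) != 0b11 or ((modrm >> 3) & 7) != 4:
        return None
    return off + 3 - i, modrm & 7


def find_cr0_ts_probes(code: bytes, window: int = 8):
    """Offsets of SMSW followed within `window` bytes by FNCLEX and another SMSW."""
    hits = []
    i = 0
    while i < len(code):
        first = is_smsw_reg(code, i)
        if first is None:
            i += 1
            continue
        j = i + first[0]
        k = code.find(FNCLEX, j, j + window)
        if k >= 0:
            # second SMSW reads CR0 back after the FPU instruction ran
            for m in range(k + len(FNCLEX), k + len(FNCLEX) + window):
                if is_smsw_reg(code, m) is not None:
                    hits.append(i)
                    break
        i += first[0]   # skip the matched instruction to avoid re-reporting it
    return hits


# constructed: nop nop push ebp / mov ebp,esp, then Indy's sequence with xor eax,ecx / jz
SAMPLE = bytes.fromhex("90 90 55 8b ec 0f 01 e0 db e2 0f 01 e1 33 c1 74 05")

if __name__ == "__main__":
    print(find_cr0_ts_probes(SAMPLE))   # → [5]
```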
walied
January 23rd, 2013, 22:13
Quote:
[Originally Posted by Indy;94087]
Code:
CR0_TS equ 1000B
CR0_MP equ 0010B
smsw eax
fnclex
smsw ecx
xor eax,ecx ; CR0_MP or CR0_TS
jz Trace
On which architecture have you tested this code?
Indy
January 24th, 2013, 01:47
NT X86.
Code:
WAIT_NEXT_QUANTUM macro
fwait                     ; touch the FPU so the kernel clears CR0.TS for this thread
@@:
smsw ax                   ; poll the low word of CR0
test ax,CR0_TS            ; TS is set again once the scheduler has switched away and back
jz @b                     ; spin until that context switch (the next quantum) has happened
endm
:P
Indy
January 26th, 2013, 14:37
walied
Few understand the NT T-processing

mint77
January 28th, 2013, 15:51
Are you using the newest version of Olly when you test ?
So far, I have found very few code samples that fool Olly.
walied
January 28th, 2013, 15:57
Quote:
[Originally Posted by mint77;94137] Are you using the newest version of Olly when you test?
So far, I have found very few code samples that fool Olly.
http://code.google.com/p/ollybugs/
https://twitter.com/waleedassar/status/287200835836985344
mint77
January 28th, 2013, 17:16
I understand that ZwSetInformationProcess returns random addresses, but have not been able to use that info to detect if it's been loaded by a debugger.
walied
January 28th, 2013, 17:29
Quote:
[Originally Posted by mint77;94140] I understand that ZwSetInformationProcess returns random addresses, but have not been able to use that info to detect if it's been loaded by a debugger.
I hope my code helps

http://pastebin.com/sArnNGBN
Indy
January 28th, 2013, 22:40
walied
Then it is better to use NtRemoveProcessDebug.
http://indy-vx.narod.ru/kt0d.zip
kt0d
walied
January 28th, 2013, 22:43
Quote:
[Originally Posted by Indy;94147] walied
Then it is better to use NtRemoveProcessDebug.
The "NtRemoveProcessDebug" function is used by debuggers in calls to the kernel32 "DebugActiveProcessStop" function.
Indy
January 29th, 2013, 16:36
walied
ThreadHideFromDebugger used in CreateToolhelp32Snapshot
http://s018.radikal.ru/i515/1301/c1/32fc6290750b.png
mint77
January 29th, 2013, 17:03
What you showed does not make sense and is incomplete.
You gave some code that was partially in Russian.
I let some friends from Russia look at the code and they said it wasn't code but just comments.
Best regards.
Indy
January 29th, 2013, 22:34
mint77
Your young friends do not understand

NeOXOeN
February 18th, 2013, 07:58
to mint77: sometimes it's better to shut up, and just try to understand what people are trying to say. You probably don't even have the slightest idea what Indy and walied are talking about. For your future posts, I would think twice before posting. Try to use Google as your primary tool for finding things, and so, at least once, stop posting as much "bs" as you can think of on this forum. I know you are trying to learn, but from the majority of your posts it can be concluded that you lack basic reversing skills. Try to find tutorials which are suitable for your skills and try to push up from there. From posting rubbish on the forum, first of all you won't learn anything, and secondly people will stop helping you. Don't consider this post as hostile but more or less as help in trying to put you onto the right path.
Bye NEO
mint77
February 18th, 2013, 09:27
I am sorry if I offended anyone.
Andy