OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Technique Name	Category	Analysis By	Download	Added On	Last Updated
TLS-CallBack +IsDebuggerPresent() Debugger Detection	Debugging	ap0x	TLS-CallBack.zip	March 11 2006

Description:
; ######################################################################### .586 .model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\comdlg32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\comdlg32.lib ; ######################################################################### .data DbgNotFoundTitle db "Debugger status:",0h DbgFoundTitle db "Debugger status:",0h DbgNotFoundText db "Debugger not found!",0h DbgFoundText db "Debugger found!",0h ; TLS Structure {See PE Format info} dd offset Tls1 dd offset Tls2 dd offset Tls3 dd offset TlsCallBack dd 0 dd 0 Tls1 dd 0 Tls2 dd 0 Tls3 dd 0 TlsCallBack dd offset TLS dd 0 dd 0 .data? TLSCalled db ? .code start: ; MASM32 antiOllyDBG example ; coded by ap0x ; Reversing Labs: http://ap0x.headcoders.net ; This example combines IsDebuggerPresent API with TLS-CallBack. ; TLS-CallBack is a part of TLS Structure and it is used for ; calling code execution before and after main application code execution. ; Change TLS Table to 0x00003046, size 0x18 with LordPE or xPELister PUSH 0 CALL ExitProcess RET ; Code below is executed before .code section TLS: ; TLSCalled flag indicates that TLS is called only once on application ; initialization. It can be called on application exit again. This switch ; disables that. CMP BYTE PTR[TLSCalled],1 JE @exit MOV BYTE PTR[TLSCalled],1 CALL IsDebuggerPresent CMP EAX,1 JE @DebuggerDetected PUSH 40h PUSH offset DbgNotFoundTitle PUSH offset DbgNotFoundText PUSH 0 CALL MessageBox JMP @exit @DebuggerDetected: PUSH 30h PUSH offset DbgFoundTitle PUSH offset DbgFoundText PUSH 0 CALL MessageBox @exit: RET end start

There are 31,320 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

View Gallery (11) / Submit