OllyDbg OpenProcess() String Detection |
Debugging |
ap0x |
OllyDBG-OpenProcess.zip |
March 11 2006 |
; #########################################################################
.586
.model flat, stdcall
option casemap :none ; case sensitive
; #########################################################################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\comdlg32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\comdlg32.lib
; #########################################################################
.data
_psapi db "psapi.dll",0h                  ; module name passed to LoadLibrary
_enumprocesses db "EnumProcesses",0h      ; export name passed to GetProcAddress
DbgNotFoundTitle db "Debugger status:",0h ; MessageBox caption (same text as DbgFoundTitle)
DbgFoundTitle db "Debugger status:",0h    ; MessageBox caption
DbgNotFoundText db "Debugger not found!",0h ; shown at the end when OllyFound is still 0
DbgFoundText db "Debugger found!",0h      ; shown by either detection path
.data?
OllyFound db ?                            ; detection flag: 0 = nothing seen, 1 = debugger detected
VAlloc dd ?                               ; declared but not referenced anywhere in this file
OProc dd ?                                ; declared but not referenced anywhere in this file
Rpm dd ?                                  ; declared but not referenced anywhere in this file
EProc dd ?                                ; address of psapi!EnumProcesses returned by GetProcAddress
pBuff dd ?                                ; VirtualAlloc'd buffer that receives the DWORD PID array
dummy dd ?                                ; byte count written by EnumProcesses; afterwards reused as the
                                          ; 4-byte destination buffer of ReadProcessMemory
temp dd ?                                 ; lpNumberOfBytesRead out-parameter of ReadProcessMemory
.code
start:
; MASM32 antiRing3Debugger example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This piece of code is used for simple process scanning.
; It tries to open every process and read-out a value from
; designated address 0x004B064B. On this address Olly stores
; one of OLLYDBG strings. If content of address 0x004B064B is
; 0x594C4C4F (OLLY) then debugger is detected.
;
; Overview of the two checks below:
;   1. Inline-hook check: follow the OpenProcess import thunk to the real
;      kernel32!OpenProcess and test whether the byte at +6 is 0EAh (the
;      far-JMP opcode); the author attributes such a patch to the
;      HideDebugger plugin.
;   2. Memory-scan check: EnumProcesses -> for every PID, OpenProcess with
;      PROCESS_VM_READ and ReadProcessMemory 4 bytes at 004B064Bh; a value
;      of 594C4C4Fh ("OLLY" in little-endian ASCII) counts as a hit.
; Either hit sets OllyFound = 1 and pops a "Debugger found!" box; if neither
; fires, a "Debugger not found!" box is shown.
;
; For an analyst this is noisy rather than stealthy: check 2 produces a burst
; of OpenProcess(PROCESS_VM_READ) + ReadProcessMemory(004B064Bh) calls
; against every PID on the machine, and both checks are tied to one specific
; OllyDbg build/plugin layout (fixed address, fixed hook offset).
;
; Register roles in the scan loop:
;   ECX = loop counter, doubles as the index into the PID array (count .. 1)
;   EAX = current PID, then the handle returned by OpenProcess
;   ESI = &dummy (4-byte read buffer)
;   EDI = &temp  (bytes-read out-parameter)
; ABI: Win32 stdcall; ECX/EDX are caller-saved, hence the PUSH/POP around
; the API calls inside the loop.
;
; NOTE(review): the handle returned by OpenProcess is never closed (there is
; no CloseHandle in this file), and the LOOPD-driven index never visits
; pBuff[0] while reading pBuff[count] once (see comments at the loop).
MOV [OllyFound],0                       ; clear the detection flag
PUSH offset _psapi
CALL LoadLibrary                        ; EAX = HMODULE of psapi.dll
PUSH offset _enumprocesses
PUSH EAX                                ; hModule from LoadLibrary
CALL GetProcAddress                     ; EAX = &EnumProcesses (psapi is not in the include list, so it is resolved at run time)
MOV [EProc],EAX
; --- check 1: is kernel32!OpenProcess patched? -------------------------
; assumes `offset OpenProcess` is the MASM32 import thunk `jmp dword ptr [IAT]`
; (FF 25 imm32): +2 skips the opcode, the two loads then yield the real VA
; — TODO confirm against the linked thunk layout
MOV EDI,offset OpenProcess
ADD EDI,2h                              ; -> imm32 operand of the thunk
MOV EDI,DWORD PTR[EDI] ;Read OpenProcess VA  (address of the IAT slot)
MOV EDI,DWORD PTR[EDI] ;Read OpenProcess VA  (contents of the IAT slot)
ADD EDI,6h                              ; probe 6 bytes into the function body
; Check if HideDebugger plugin is present
CMP BYTE PTR[EDI],0EAh                  ; 0EAh = JMP FAR opcode, taken as an inline hook
JNE @OpenProcess_not_hooked
MOV [OllyFound],1
PUSH 30h                                ; MB_ICONEXCLAMATION
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0                                  ; hWnd = NULL
CALL MessageBox
@OpenProcess_not_hooked:
; --- check 2: scan every process for the "OLLY" marker ---------------
; Load all processes (thanks to deroko)
PUSH PAGE_READWRITE
PUSH MEM_COMMIT
PUSH 1024h                              ; NOTE(review): 1024h = 4132 bytes, not 1024 — probably a typo, but it only sets the buffer size
PUSH 0                                  ; lpAddress = NULL, let the OS choose
CALL VirtualAlloc                       ; EAX = zeroed buffer for the PID array
MOV [pBuff],EAX
LEA ESI,[dummy]                         ; &dummy receives lpcbNeeded (bytes returned)
PUSH ESI
PUSH 1024h                              ; cb = size of pBuff, same constant as above
PUSH EAX                                ; lpidProcess = pBuff
CALL [EProc]                            ; EnumProcesses(pBuff, 1024h, &dummy); return value is not checked
XOR EDX,EDX                             ; EDX:EAX must be zero-extended before DIV
MOV ECX,4
MOV EAX,[dummy]                         ; bytes written by EnumProcesses
DIV ECX                                 ; EAX = number of PIDs (bytes / sizeof(DWORD))
MOV ECX,EAX                             ; loop counter = PID count
; NOTE(review): LOOPD runs ECX from count down to 1, so pBuff[0] is never
; examined and the first iteration reads pBuff[count], one past the data
; written by EnumProcesses (zero-filled by VirtualAlloc, so PID 0). If
; count were 0, LOOPD would wrap ECX and loop ~4G times.
__loop_processes:
MOV EAX,[pBuff]
MOV EAX,DWORD PTR[EAX+ECX*4]            ; EAX = pBuff[ECX], the PID to probe
PUSH EAX                                ; saved PID; restored at the end but not used again
PUSH ECX                                ; save loop counter (ECX is caller-saved across the API calls)
PUSH EAX                                ; dwProcessId
PUSH 0                                  ; bInheritHandle = FALSE
PUSH PROCESS_VM_READ                    ; minimum access needed to read memory
CALL OpenProcess                        ; EAX = handle, or 0 on failure (then ReadProcessMemory below just fails)
LEA ESI,[dummy]                         ; reuse dummy as the 4-byte read buffer; the byte count in it was consumed above
LEA EDI,[temp]                          ; &temp receives lpNumberOfBytesRead
; Try to open every process and read-out OLLY marker
PUSH EDI                                ; lpNumberOfBytesRead
PUSH 4                                  ; nSize
PUSH ESI                                ; lpBuffer
PUSH 004B064Bh                          ; lpBaseAddress: fixed address in the OllyDbg image the author targets
PUSH EAX                                ; hProcess (never passed to CloseHandle — handle leak per PID)
CALL ReadProcessMemory
TEST EAX,EAX                            ; zero = read failed (no handle, address unmapped, access denied)
JE _could_not_read_or_Olly_not_found
CMP DWORD PTR[ESI],594C4C4Fh ;Olly - string: bytes 4F 4C 4C 59 = "OLLY"
JNE _could_not_read_or_Olly_not_found
MOV [OllyFound],1
PUSH 30h                                ; MB_ICONEXCLAMATION
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox                         ; one box per matching process; the scan continues afterwards
_could_not_read_or_Olly_not_found:
POP ECX                                 ; restore loop counter
POP EAX                                 ; restore PID (unused from here on)
LOOPD __loop_processes                  ; ECX--, continue while ECX != 0
CMP [OllyFound],1
JE _just_exit                           ; a "found" box was already shown
PUSH 40h                                ; MB_ICONINFORMATION
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
_just_exit:
RET                                     ; returns into the kernel32 thread-start stub instead of calling ExitProcess; presumably relies on that stub ending the process — verify
end start