Flag: Tornado!
Hurricane!
|
|
OllyDbg NtQueryInformationProcess() OllyDbg Detection |
Debugging |
ap0x |
ZwQueryInformationProcess.zip |
March 11 2006 |
|
|
.386
.model flat, stdcall
option casemap :none ; case sensitive
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
.data
DbgNotFoundTitle db "Debugger status:",0h
DbgFoundTitle db "Debugger status:",0h
DbgNotFoundText db "Debugger not found!",0h
DbgFoundText db "Debugger found!",0h
ntdll db "ntdll.dll",0h
zwqip db "NtQueryInformationProcess",0h
.data?
NtAddr dd ?
MinusOne dd ?
.code
start:
; MASM32 antiOlly example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net
; This example can detect Olly by using NtQueryInformationProcess API.
MOV [MinusOne],0FFFFFFFFh
PUSH offset ntdll ;ntdll.dll
CALL LoadLibrary
PUSH offset zwqip ;NtQueryInformationProcess
PUSH EAX
CALL GetProcAddress
MOV [NtAddr],EAX
MOV EAX,offset MinusOne
PUSH EAX
MOV EBX,ESP
PUSH 0
PUSH 4
PUSH EBX
PUSH 7
PUSH DWORD PTR[EAX]
CALL [NtAddr]
POP EAX
TEST EAX,EAX
JNE @DebuggerDetected
PUSH 40h
PUSH offset DbgNotFoundTitle
PUSH offset DbgNotFoundText
PUSH 0
CALL MessageBox
JMP @exit
@DebuggerDetected:
PUSH 30h
PUSH offset DbgFoundTitle
PUSH offset DbgFoundText
PUSH 0
CALL MessageBox
@exit:
PUSH 0
CALL ExitProcess
end start
|
|
|
|
There are 31,320 total registered users.
|
|