Announcement

Collapse

Forum Guidelines

This forum is for finished source code that is working properly. If you have questions about this or any other source code, please post it in one of the Discussion Forums, not here.
See more
See less

Inline IsDebuggerPresent

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Inline IsDebuggerPresent

    The code for the IsDebuggerPresent function has never changed - it is identical in Windows 2000, Windows XP, and even the latest Vista:
    Code:
    77E72740    64:A1 18000000     mov eax, dword ptr fs:[18]
77E72746    8B40 30            mov eax, dword ptr ds:[eax+30]
77E72749    0FB640 02          movzx eax, byte ptr ds:[eax+2]
77E7274D    C3                 retn
    So rather than calling IsDebuggerPresent we can just as easily use the code 'inline' in our own program. The advantage of this is that it will bypass any hooks/breakpoints on IsDebuggerPresent, but keep in mind it can still be defeated quite easily (you can see that IsDebuggerPresent simply returns a flag - that flag can be patched).

    Code:
    #COMPILE EXE
 
FUNCTION PBIsDebuggerPresent() AS LONG
#REGISTER NONE
 ! mov eax, dword ptr fs:[&h18]
 ! mov eax, dword ptr ds:[eax+&h30]
 ! movzx eax, byte ptr ds:[eax+2]
 ! mov FUNCTION, eax
END FUNCTION
 
FUNCTION PBMAIN() AS LONG
 IF PBIsDebuggerPresent = 1 THEN
    MSGBOX "Debugger detected"
 ELSE
    MSGBOX "No debugger detected"
 END IF
END FUNCTION
    -
    Tags: None
Previous template Next
Working...
X

We process personal data about users of our site, through the use of cookies and other technologies, to deliver our services, and to analyze site activity. For additional details, refer to our Privacy Policy.

By clicking "I AGREE" below, you agree to our Privacy Policy and our personal data processing and cookie practices as described therein. You also acknowledge that this forum may be hosted outside your country and you consent to the collection, storage, and processing of your data in the country where this forum is hosted.

I Agree