API tools faq
paste
Advertisement
moveax41h

OdbgScript for anti-analysis

moveax41h
Jan 16th, 2018
422
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 1.03 KB | None | 0 0
raw download clone embed print report
  1. VAR remotedebugger
  2. VAR is_debugger_present
  3. VAR create_toolhelp
  4. VAR nt_query_info_process
  5.  
  6.  
  7. GPA "CheckRemoteDebuggerPresent", "kernel32"
  8. MOV remotedebugger, $RESULT
  9.  
  10.  
  11. GPA "IsDebuggerPresent", "kernel32"
  12. MOV is_debugger_present, $RESULT
  13.  
  14. GPA "CreateToolhelp32Snapshot", "kernel32"
  15. MOV create_toolhelp, $RESULT
  16.  
  17. GPA "NtQueryInformationProcess", "ntdll"
  18. MOV nt_query_info_process, $RESULT
  19.  
  20.  
  21. CMP remotedebugger, 0
  22. JE api_not_found
  23. BP remotedebugger
  24. CMT remotedebugger, "CheckRemoteDebuggerPresent"
  25.  
  26. CMP is_debugger_present, 0
  27. JE api_not_found
  28. BP is_debugger_present
  29. CMT is_debugger_present, "IsDebuggerPresent"
  30.  
  31. CMP create_toolhelp, 0
  32. JE api_not_found
  33. BP create_toolhelp
  34. CMT create_toolhelp, "CreateToolhelp32Snapshot"
  35.  
  36. CMP nt_query_info_process, 0
  37. JE api_not_found
  38. BP nt_query_info_process
  39. CMT nt_query_info_process, "NtQueryInformationProcess"
  40.  
  41. MSG "All APIs have been located and broken on"
  42.  
  43. JMP the_end
  44. api_not_found:
  45. MSG "There was a problem finding one or more APIs, check the breakpoint list"
  46.  
  47. the_end:
  48. RET
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!