waliedassar

OllyDbg RaiseException Anti-Debug Trick

Nov 7th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //When OllyDbg receives an EXCEPTION_BREAKPOINT, it checks the code at ExceptionAddress to ensure it is
  4. //0xCC or similar. If it is not, the behavior depends on the OllyDbg version.
  5. //In versions prior to 2.01, the exception is swallowed and the exception handler is not called.
  6. //In version 2.01 (alpha 4), several error messages pop up and process terminates.
  7. // Only version 2.01 (beta 2) handles it properly.
  8. //The following is code that exploits this bug to detect the presence of OllyDbg.
  9. #include "stdafx.h"
  10. #include "windows.h"
  11. #include "stdio.h"
  12.  
// SEH handler that main() installs by hand. A breakpoint exception reaching this
// handler is the expected path: it reports "Expected" and ends the process.
// Any other exception code is declined so the next handler in the chain is tried.
//   pRec     - exception record; only ExceptionCode is read.
//   pContext - raw bytes of the thread context captured for the exception.
int __cdecl Hhandler(EXCEPTION_RECORD* pRec,void*,unsigned char* pContext,void*)
{
    // Guard clause: leave everything that is not a breakpoint to other handlers.
    if(pRec->ExceptionCode!=EXCEPTION_BREAKPOINT)
    {
        return ExceptionContinueSearch;
    }

    // Offset 0xB8 in the 32-bit x86 CONTEXT layout is the saved Eip; advance it by one.
    // The process is ended just below, so the adjusted value is never resumed from
    // in this listing.
    unsigned long* savedEip=(unsigned long*)(pContext+0xB8);
    *savedEip+=1;

    MessageBox(0,"Expected","waliedassar",0);
    ExitProcess(0);

    // ExitProcess does not return; this keeps the same fall-through return value.
    return ExceptionContinueSearch;
}
// Entry point of the proof of concept: installs Hhandler as the innermost SEH
// handler, raises a breakpoint exception through the API, and reports
// "OllyDbg Detected" if control comes back here instead of ending in Hhandler.
void main()
{
    // Build an SEH registration record on the stack: the handler address is pushed
    // first, then the current value of fs:[0] (on 32-bit Windows, the head of the
    // thread's exception-handler chain). Storing esp in fs:[0] makes this new
    // record the head of the chain. 32-bit x86 / MSVC inline assembly only.
    __asm
    {
        push offset Hhandler
        push dword ptr fs:[0x0]
        mov dword ptr fs:[0x0],esp
    }
    // Arguments: exception code, flags 0, argument count 1, null argument pointer.
    // The breakpoint exception comes from this API call rather than from an int3
    // executed in this code, which is the case the header comments say OllyDbg
    // mishandles when it inspects the byte at ExceptionAddress.
    // NOTE(review): presumably ExceptionAddress then points into RaiseException's
    // own code rather than at a 0xCC byte - confirm.
    RaiseException(EXCEPTION_BREAKPOINT,0,1,0);
    // Reached only if Hhandler did not end the process for the exception above.
    // Undo the registration: restore the previous chain head into fs:[0], then
    // discard the stack slot that held the handler address.
    __asm
    {
        pop dword ptr fs:[0x0]
        pop eax
    }
    // NOTE(review): this check only observes that the handler was skipped; any tool
    // that consumes the breakpoint exception would presumably produce the same
    // message, so treat the result as "exception swallowed", not as proof of a
    // specific debugger - confirm.
    MessageBox(0,"OllyDbg Detected","waliedassar",0);
}