waliedassar

OllyDbg RaiseException Anti-Debug Trick

Nov 7th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Upon receiving an EXCEPTION_BREAKPOINT, OllyDbg checks the code at ExceptionAddress to ensure it is
  4. //0xCC or similar. If it is not, the behavior depends on the OllyDbg version.
  5. //In versions prior to 2.01, the exception is swallowed and the exception handler is not called.
  6. //In version 2.01 (alpha 4), several error messages pop up and the process terminates.
  7. // Only version 2.01 (beta 2) handles it properly.
  8. //The following is code that exploits this bug to detect the presence of OllyDbg.
  9. #include "stdafx.h"
  10. #include "windows.h"
  11. #include "stdio.h"
  12.  
  /*
   * Frame-based SEH handler that main() links into the chain at fs:[0].
   *
   * pRec      exception record; only ExceptionCode is inspected.
   * pContext  thread context, addressed here as raw bytes.
   * The two unnamed parameters are not used.
   *
   * Running this handler means the breakpoint exception raised by main() was
   * delivered to the program's own handler chain, i.e. the path the author
   * labels "Expected". Any other exception code is passed on with
   * ExceptionContinueSearch.
   */
  int __cdecl Hhandler(EXCEPTION_RECORD* pRec,void*,unsigned char* pContext,void*)
  {
      // Not the breakpoint exception: decline it and let the search continue.
      if(pRec->ExceptionCode!=EXCEPTION_BREAKPOINT)
      {
          return ExceptionContinueSearch;
      }

      // Offset 0xB8 is where the 32-bit x86 CONTEXT keeps Eip, so this bumps
      // the saved instruction pointer by one. The process exits right below,
      // so the adjusted value is not resumed from in this sample.
      unsigned long* pSavedEip=(unsigned long*)(pContext+0xB8);
      ++*pSavedEip;

      MessageBox(0,"Expected","waliedassar",0);
      ExitProcess(0);

      // Only reached if ExitProcess were to return.
      return ExceptionContinueSearch;
  }
  /*
   * Demonstrates the check described in the header comment: install Hhandler
   * as the innermost SEH frame, raise EXCEPTION_BREAKPOINT in software, and
   * treat a normal return from RaiseException as "handler was never called".
   *
   * 32-bit x86 / MSVC only: it relies on inline __asm and on fs:[0] holding
   * the head of the thread's exception-registration list.
   *
   * For analysts: the recognisable shape is a hand-built fs:[0] frame placed
   * directly around RaiseException(EXCEPTION_BREAKPOINT, ...), with the
   * fall-through path treated as the "debugger present" branch.
   */
  void main()
  {
      // Build an exception-registration record on the stack (handler pointer,
      // then the previous list head) and make it the new head at fs:[0].
      __asm
      {
          push offset Hhandler
          push dword ptr fs:[0x0]
          mov dword ptr fs:[0x0],esp
      }
      // Software-raised breakpoint exception. The argument-array pointer is
      // null, so the count of 1 carries no data. When the exception reaches
      // Hhandler, that handler calls ExitProcess and control never comes back.
      RaiseException(EXCEPTION_BREAKPOINT,0,1,0);
      // Reached only if RaiseException returned: unlink the frame by restoring
      // the previous head and discarding the handler slot.
      __asm
      {
          pop dword ptr fs:[0x0]
          pop eax
      }
      // Per the header comment this is the OllyDbg-before-2.01 case, where the
      // exception is swallowed. NOTE(review): the test is not OllyDbg-specific
      // in principle; any situation in which the exception is consumed before
      // Hhandler runs would land here too - confirm per tool.
      MessageBox(0,"OllyDbg Detected","waliedassar",0);
  }