
OllyDbg RaiseException Anti-Debug Trick

waliedassar Nov 7th, 2012 410 Never
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Upon receiving an EXCEPTION_BREAKPOINT, OllyDbg checks the code at ExceptionAddress to ensure it is
  4. //0xCC or similar. If it is not, the behavior depends on the OllyDbg version.
  5. //In versions prior to 2.01, the exception is swallowed and the exception handler is not called.
  6. //In version 2.01 (alpha 4), several error messages pop up and the process terminates.
  7. // Only version 2.01 (beta 2) handles it properly.
  8. //The following is code that exploits this bug to detect the presence of OllyDbg.
  9. #include "stdafx.h"
  10. #include "windows.h"
  11. #include "stdio.h"
  12.  
/*
 * Frame-based SEH handler whose address main() pushes into the exception
 * registration record it builds on the stack.
 *
 * pRec     - exception record; only ExceptionCode is inspected.
 * pContext - thread context, treated here as a raw byte pointer.
 * The two unnamed parameters are not used.
 *
 * Returns ExceptionContinueSearch for any exception other than
 * EXCEPTION_BREAKPOINT. For EXCEPTION_BREAKPOINT the process is terminated
 * from inside the handler, so the trailing return is not expected to run.
 *
 * For an analyst: reaching this handler (the "Expected" message box) means the
 * breakpoint exception was delivered to the program's own SEH chain, i.e. it
 * was not consumed before dispatch.
 */
int __cdecl Hhandler(EXCEPTION_RECORD* pRec,void*,unsigned char* pContext,void*)
{
        /* Not the breakpoint raised by main(): let the next handler look at it. */
        if(pRec->ExceptionCode!=EXCEPTION_BREAKPOINT)
        {
                return ExceptionContinueSearch;
        }

        /* 0xB8 is the offset of Eip in the 32-bit x86 CONTEXT structure.
         * The saved instruction pointer is bumped by one, but because
         * ExitProcess() follows, the modified context is never resumed. */
        unsigned long* pSavedEip=(unsigned long*)(pContext+0xB8);
        ++*pSavedEip;

        MessageBox(0,"Expected","waliedassar",0);
        ExitProcess(0);

        return ExceptionContinueSearch;
}
/*
 * Demonstration entry point (32-bit x86, MSVC inline assembly).
 *
 * Flow visible in this function:
 *   1. Build an SEH registration record on the stack with Hhandler as the
 *      handler and link it in through fs:[0].
 *   2. Raise EXCEPTION_BREAKPOINT in software via RaiseException() instead of
 *      executing a breakpoint instruction. Per the header comment, the affected
 *      OllyDbg versions inspect the code at ExceptionAddress and mishandle the
 *      event when it is not 0xCC or similar.
 *   3. If RaiseException() returns, unlink the record and report detection.
 *
 * Outcomes: Hhandler shows "Expected" and exits when the exception reaches the
 * program's SEH chain. The "OllyDbg Detected" box is shown only if control
 * comes back here, which means Hhandler never terminated the process.
 *
 * For analysts: a RaiseException() call with EXCEPTION_BREAKPOINT placed right
 * after a hand-built fs:[0] frame is the recognisable shape of this check.
 * The header comment states that only version 2.01 (beta 2) handles it
 * properly.
 *
 * NOTE(review): `void main()` is accepted by MSVC but is not a standard
 * signature.
 */
void main()
{
        __asm
        {
                // New registration record: handler field first, then the
                // previous chain head read from fs:[0] as the "next" field.
                push offset Hhandler
                push dword ptr fs:[0x0]
                // esp now points at the record; make it the head of the chain.
                mov dword ptr fs:[0x0],esp
        }
        // NOTE(review): the argument count is 1 while the argument pointer is 0;
        // the Win32 documentation says the count is ignored when the pointer
        // is NULL, so no exception arguments are passed.
        RaiseException(EXCEPTION_BREAKPOINT,0,1,0);
        __asm
        {
                // Restore the previous chain head and drop the handler slot so
                // the stack is balanced again.
                pop dword ptr fs:[0x0]
                pop eax
        }
        // Reached only when RaiseException() returned to this function.
        MessageBox(0,"OllyDbg Detected","waliedassar",0);
}