Hello MDL, I'm working on some anti-debug tricks and currently I'm studying OutputDebugString(). I understand how it works, etc. However, I can't get this trick to work properly. Here's my code. Thanks for help.

Code:

```c
#include <Windows.h>
#include <stdio.h>
#include <conio.h>   // getch()

int main(void)
{
    SetLastError(26);                 // Set any error, doesn't matter
    OutputDebugString("debug\n");     // if(dbg) -> no error, if(!dbg) -> function returns error
    if (GetLastError() == 26)
        printf("dbg detected\n");
    else                              // without the else both lines were printed
        printf("no dbg detected\n");
    getch();
    return 0;
}
```
I think I may need an explanation of how it's supposed to work (I have no experience with anti-debugging). Why 26, and does OutputDebugString() even touch LastError?
Hi, OutputDebugString() just outputs a string when run under a debugger. In this case, the function succeeds and doesn't set any error. If the prog isn't being debugged, then OutputDebugString() will fail and set an error. So we can use this to test if the prog is being run under a debugger. We set last error to something (here it's 26, but it doesn't matter btw) to see if it changes. If the last error changes, then the function failed, and it means we're not being debugged; else the function succeeded and it means we're being debugged. Hope it's clear now.

edit: Just thought about it, this may be due to my OS. I gotta try this under XP, I think Vista+ OSes are patched.
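The check described in the post above, written as an added example rather than code from the thread: the trick is packaged as one function that compares the last error against the sentinel it set itself, so it never depends on which error code a failing OutputDebugString() leaves behind. On Windows the block calls the real Win32 API. On other platforms a small simulation, which is an assumption made only so the logic can run offline, models the two behaviours the thread reports: an XP-style OS where the call fails and overwrites the last error when no debugger is attached, and an OS that leaves the last error untouched, which makes the check report a debugger unconditionally. The names `debugger_present_via_ods`, `simulate_check`, `ODS_SENTINEL`, the `sim_*` globals and the stand-in error code 6 are all mine.

```c
/* Added example, not the original poster's code.
 * OutputDebugString() last-error anti-debug check with an offline simulation. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* ---- Simulation of the Win32 surface used below (assumption, non-Windows only) ---- */
typedef unsigned long DWORD;
typedef int BOOL;

static DWORD sim_last_error = 0;
static BOOL  sim_debugger_attached = 0;    /* model: a debugger is attached           */
static BOOL  sim_preserve_last_error = 0;  /* model: the OS leaves last error alone   */

static void  SetLastError(DWORD e) { sim_last_error = e; }
static DWORD GetLastError(void)    { return sim_last_error; }

/* Modelled XP behaviour: with no debugger the string has nowhere to go, the call
 * fails and reports some OS error through the last-error slot. The exact code is
 * irrelevant to the check, so 6 (ERROR_INVALID_HANDLE) is an arbitrary stand-in.
 * Modelled "preserving" behaviour: the call never touches the last error. */
static void OutputDebugStringA(const char *s)
{
    (void)s;
    if (!sim_debugger_attached && !sim_preserve_last_error)
        SetLastError(6);
}
#endif

/* Any value that no failure path of OutputDebugString() would leave behind. */
#define ODS_SENTINEL 26UL

/* Returns 1 if the sentinel survived the call (debugger suspected), 0 otherwise. */
int debugger_present_via_ods(void)
{
    SetLastError(ODS_SENTINEL);
    OutputDebugStringA("anti-debug probe\n");
    return GetLastError() == ODS_SENTINEL;
}

#ifndef _WIN32
/* Offline helper: configure the modelled OS, then run the real check. */
int simulate_check(BOOL debugger_attached, BOOL preserve_last_error)
{
    sim_debugger_attached = debugger_attached;
    sim_preserve_last_error = preserve_last_error;
    return debugger_present_via_ods();
}
#endif

int main(void)
{
    if (debugger_present_via_ods())
        puts("dbg detected");
    else
        puts("no dbg detected");
    return 0;
}
```

The third simulated case is the one to keep in mind: on an OS that preserves the caller's last error, the sentinel always survives and the function says "dbg detected" with no debugger present, which is the failure mode the thread goes on to report for Vista and later. A real deployment should treat this check as one weak signal among several, never as the sole decision.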
Well, I have been working on my server-based applications and this is what I have been using to prevent debuggers in C#; maybe it will be easy to convert to C/C++ or whatever.

Code:

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

public static class AntiDebugSystem
{
    [DllImport("ntdll.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
    private static extern int NtQueryInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass, byte[] ProcessInformation, uint ProcessInformationLength, ref int ReturnLength);

    [DllImport("ntdll.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
    private static extern uint NtSetInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass, byte[] ProcessInformation, uint ProcessInformationLength);

    [DllImport("kernel32.dll")]
    private static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll")]
    private static extern bool IsDebuggerPresent();

    // Declared as returning int on purpose: the check below reads whatever is left in the return register.
    [DllImport("kernel32.dll")]
    private static extern int OutputDebugString(string str);

    public static int i = 0;

    private static void AntiDebug(object thread__1)
    {
        Thread th = thread__1 as Thread;
        if (th == null)
        {
            // First call: spawn the watchdog thread, passing ourselves so it can watch us
            th = new Thread(AntiDebug);
            th.IsBackground = true;
            th.Start(Thread.CurrentThread);
            Thread.Sleep(500);
        }
        while (i == 0)
        {
            //Managed
            if (Debugger.IsAttached || Debugger.IsLogging())
            {
                Environment.FailFast("");
            }
            //IsDebuggerPresent
            if (IsDebuggerPresent())
            {
                Environment.FailFast("");
            }
            //Open process
            IntPtr ps = Process.GetCurrentProcess().Handle;
            if (ps == IntPtr.Zero)
            {
                Environment.FailFast("");
            }
            //OutputDebugString
            if (OutputDebugString("") > IntPtr.Size)
            {
                Environment.FailFast("");
            }
            //Close: an invalid handle only raises an exception when a debugger is attached
            try
            {
                CloseHandle(IntPtr.Zero);
            }
            catch
            {
                Environment.FailFast("");
            }
            //if (!th.IsAlive)
            //{
            //    Environment.FailFast("");
            //}
            Thread.Sleep(1000);
        }
    }

    internal static void LoadAntiDebugSubSystem()
    {
        Thread thr = new Thread(AntiDebug);
        thr.Start(Thread.CurrentThread);
    }
}
```

This code comes from the Confuser project, I think.
Hi, hmm yes, I know some of these tricks, but there's a line I can't understand in C#: what is IntPtr.Size (size of an int on a specific system?). Plus, I read somewhere that both the CloseHandle() and OutputDebugString() techniques were not working on Vista+ OSes. So I'll test this under XP SP3 shortly and see if it works. Thanks anyway.
IntPtr.Size = 4 or 8 depending on the system and the way your exe/dll was compiled: http://msdn.microsoft.com/en-us/library/system.intptr.size.aspx
Hey, hmm I tried the OutputDebugString() trick on XP SP3 and it works. However, the CloseHandle() tip still doesn't work. But anyway, I think I have enough anti-debug techniques. Thx all.