[C]Wondering why my code ain't working

Discussion in 'Mixed Languages' started by Pr3acher, Apr 25, 2013.

  1. Pr3acher

    Pr3acher MDL Member

    #1 Pr3acher, Apr 25, 2013
    Last edited by a moderator: Apr 20, 2017
    Hello MDL,
    I'm working on some anti-debug tricks and currently I'm studying OutputDebugString(). I understood how it works etc. However, I can't get this trick to work properly. Here's my code. Thanks for the help.

    Code:
    #include <Windows.h>
    #include <stdio.h>
    #include <conio.h>   // getch()
    
    int main(void)
    {
        SetLastError(26); // Set any error value; the exact number doesn't matter
    
        // Under a debugger the call succeeds and leaves the last error untouched;
        // without a debugger it fails and the last error changes.
        OutputDebugString("debug\n");
    
        if (GetLastError() == 26)
            printf("dbg detected\n");
        else
            printf("no dbg detected\n");
    
        getch();
    
        return 0;
    }
    
     
  2. Calistoga

    Calistoga MDL Senior Member

    I think I may need an explanation on how it's supposed to work (I have no experience with anti-debugging) :)
    Why 26, and does OutputDebugString() even touch LastError?
     
  3. Pr3acher

    Pr3acher MDL Member

    #3 Pr3acher, Apr 25, 2013
    Last edited: Apr 25, 2013
    (OP)
    Hi,
    OutputDebugString() just outputs a string when run under a debugger. In this case, the function succeeds and doesn't set any error. If the program isn't being debugged, then OutputDebugString() will fail and set an error. So we can use this to test if the program is being run under a debugger. We set the last error to something (here it's 26, but it doesn't matter) to see if it changes. If the last error changes, then the function failed, and it means we're not being debugged; otherwise the function succeeded and it means we're being debugged. Hope it's clear now.

    edit: Just thought about it, this may be due to my OS. I gotta try this under XP; I think Vista+ OSes are patched.
     
  4. PAYMYRENT

    PAYMYRENT MDL Developer

    #4 PAYMYRENT, Apr 26, 2013
    Last edited by a moderator: Apr 20, 2017
    Well, I have been working on my server-based applications and this is what I have been using to prevent debuggers in C#; maybe it will be easy to convert to C/C++ or whatever.

    Code:
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using System.Threading;
    
    public static class AntiDebugSystem
    {
        [DllImport("ntdll.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        private static extern int NtQueryInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass, byte[] ProcessInformation, uint ProcessInformationLength, ref int ReturnLength);
        [DllImport("ntdll.dll", SetLastError = true, CallingConvention = CallingConvention.StdCall)]
        private static extern uint NtSetInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass, byte[] ProcessInformation, uint ProcessInformationLength);
        [DllImport("kernel32.dll")]
        private static extern bool CloseHandle(IntPtr hObject);
        [DllImport("kernel32.dll")]
        private static extern bool IsDebuggerPresent();
        // Declared with an int return on purpose: the native function returns void,
        // so this reads back whatever the call left in the return register.
        [DllImport("kernel32.dll")]
        private static extern int OutputDebugString(string str);
    
        public static int i = 0;   // set to non-zero to stop the watchdog loop
    
        private static void AntiDebug(object thread__1)
        {
            // First call gets no Thread argument, so it spawns a second watchdog
            // thread that watches this one before entering the check loop itself.
            Thread th = thread__1 as Thread;
            if (th == null)
            {
                th = new Thread(AntiDebug);
                th.IsBackground = true;
                th.Start(Thread.CurrentThread);
                Thread.Sleep(500);
            }
            while (i == 0)
            {
                //Managed debugger
                if (Debugger.IsAttached || Debugger.IsLogging())
                {
                    Environment.FailFast("");
                }
    
                //IsDebuggerPresent
                if (IsDebuggerPresent())
                {
                    Environment.FailFast("");
                }
    
                //Open process
                IntPtr ps = Process.GetCurrentProcess().Handle;
                if (ps == IntPtr.Zero)
                {
                    Environment.FailFast("");
                }
    
                //OutputDebugString: the leftover return value differs when a debugger is attached
                if (OutputDebugString("") > IntPtr.Size)
                {
                    Environment.FailFast("");
                }
    
                //CloseHandle on an invalid handle only raises an exception under a debugger
                try
                {
                    CloseHandle(IntPtr.Zero);
                }
                catch
                {
                    Environment.FailFast("");
                }
    
                //if (!th.IsAlive)
                //{
                //    Environment.FailFast("");
                //}
    
                Thread.Sleep(1000);
            }
        }
    
        internal static void LoadAntiDebugSubSystem()
        {
            Thread thr = new Thread(AntiDebug);
            thr.Start(Thread.CurrentThread);
        }
    }
    This code comes from the Confuser project, I think.
     
  5. Pr3acher

    Pr3acher MDL Member

    Hi,
    Hm, yes, I know some of these tricks, but there's a line I can't understand in C#: what is IntPtr.Size (the size of an int on a specific system?). Plus, I read somewhere that both the CloseHandle() and OutputDebugString() techniques were not working on Vista+ OSes. So I'll test this under XP SP3 shortly and see if it works. Thanks anyway.
     
  6. PAYMYRENT

    PAYMYRENT MDL Developer

  7. Pr3acher

    Pr3acher MDL Member

    #7 Pr3acher, Apr 30, 2013
    Last edited: May 2, 2013
    (OP)
    Hey,
    Hm, I tried the OutputDebugString() trick on XP SP3 and it works. However, the CloseHandle() tip still doesn't work. But anyway, I think I have enough anti-debug techniques. Thx all.