Anti-Debugger Trick Quicky

Howdy all!

Long time no updates. Sorry about that, the life of the AV reverse engineer is a busy one, but busy is good right?

Anywho, I come bearing gifts. An anti-debugger trick I learned (while coding skiddy AV tool).

The way it works is simple – under normal circumstances, the working set (amount of memory a process needs at a given time) is never very big, however when being debugged, that working set size is huge. By checking the working set size, I was able to see if I was in a debugger. Neato.

Oh right, the code:

#include <windows.h>
#include <Psapi.h>
int main(void)
{
PROCESS_MEMORY_COUNTERS pmc;
GetProcessMemoryInfo(GetCurrentProcess(), &pmc, sizeof(pmc));
  if(pmc.WorkingSetSize<=3456789)
  {
   MessageBox(GetDesktopWindow(),"No Debugger Here","KEK",MB_OK);
  }
  else
  {
   MessageBox(GetDesktopWindow(),"GTFO with that debugger","ICEBP FOR YOU",MB_OK);
	__asm 
	{
	 _emit 0xF1
	}
  }
return 0;
}

Next week (or hell maybe even tomorrow), I’m gonna pop out a new longer better blog post on one of my more favorite topics – shellcode.

Until then, happy hacking!

1246927674442

5 thoughts on “Anti-Debugger Trick Quicky
  1. Thanks for sharing. Nice one!

    Is it intended to be used with VS2013 only? When I changed the target platform to VS2010 I got the following error when compiling:

    Error 1 error LNK2001: unresolved external symbol [email protected]

    Thanks,
    Paul

    1. I compiled using Pelles C compiler. The error you received means you’re missing a library reference – try adding PSAPI.lib to your linker options.

Leave a Reply to Rake Cancel reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.