{"id":1132,"date":"2015-06-06T08:28:24","date_gmt":"2015-06-06T08:28:24","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1132"},"modified":"2015-06-06T08:33:54","modified_gmt":"2015-06-06T08:33:54","slug":"anti-debugger-trick-quicky","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2015\/06\/anti-debugger-trick-quicky\/","title":{"rendered":"Anti-Debugger Trick Quicky"},"content":{"rendered":"

Howdy all!<\/p>\n

Long time no updates. Sorry about that, the life of the AV reverse engineer is a busy one, but busy is good right?<\/p>\n

Anywho, I come bearing gifts. An anti-debugger trick I learned (while coding skiddy AV tool). <\/p>\n

The way it works is simple – under normal circumstances, the working set (amount of memory a process needs at a given time) is never very big, however when being debugged, that working set size is huge. By checking the working set size, I was able to see if I was in a debugger. Neato.<\/p>\n

Oh right, the code:
\n<\/p>\n

\n
#include <windows.h><\/span>\r\n#include <Psapi.h><\/span>\r\nint<\/span> main<\/span>(<\/span>void<\/span>)<\/span>\r\n{<\/span>\r\nPROCESS_MEMORY_COUNTERS<\/span> pmc;<\/span>\r\nGetProcessMemoryInfo(GetCurrentProcess(),<\/span> &pmc,<\/span> sizeof<\/span>(pmc));<\/span>\r\n  if<\/span>(pmc.WorkingSetSize<=<\/span>3456789<\/span>)<\/span>\r\n  {<\/span>\r\n   MessageBox(GetDesktopWindow(),<\/span>"No Debugger Here"<\/span>,<\/span>"KEK"<\/span>,MB_OK);<\/span>\r\n  }<\/span>\r\n  else<\/span>\r\n  {<\/span>\r\n   MessageBox(GetDesktopWindow(),<\/span>"GTFO with that debugger"<\/span>,<\/span>"ICEBP FOR YOU"<\/span>,MB_OK);<\/span>\r\n\t__asm<\/span> \r\n\t{<\/span>\r\n\t _emit<\/span> 0xF1<\/span>\r\n\t}<\/span>\r\n  }<\/span>\r\nreturn<\/span> 0<\/span>;<\/span>\r\n}<\/span>\r\n<\/pre>\n<\/div>\n
Next week (or hell maybe even tomorrow), I’m gonna pop out a new longer better blog post on one of my more favorite topics – shellcode. <\/p>\n
Until then, happy hacking!<\/p>\n
\"1246927674442\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Howdy all! Long time no updates. Sorry about that, the life of the AV reverse engineer is a busy one, but busy is good right? Anywho, I come bearing gifts. An anti-debugger trick I learned (while coding skiddy AV tool). The way it works is simple – under normal circumstances, the working set (amount of […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[82],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1132"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1132"}],"version-history":[{"count":3,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1132\/revisions"}],"predecessor-version":[{"id":1136,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1132\/revisions\/1136"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}