WinAsm Studio, The Assembly IDE - Free Downloads, Source Code
  Checking the BeingDebugged member of PEB structure, Anti-Debugging, Checking for Debugger

samjeba
Posted: Aug 28 2007, 09:59 AM
I have just started coding in assembly; this is a program to detect the presence of a debugger. Trying to compile it, I'm getting the following error:

CODE

C:\test\isdbg.asm(27) : error A2206: missing operator in expression


Here is the code; basically it checks the "is debugger" byte in the PEB structure:

CODE

.data

DbgFndTitl   db "Debugger is Found",0
DbgFndTxt    db "Exit",0
DbgntFndTitl db "Debugger not found",0
DbgntFndTxt  db "enter",0

.code
start:
ASSUME FS:nothing

MOV eax,DWORD PTR FS:[30h]

.if [eax+0x02]==1
    invoke MessageBox,NULL,DbgFndTxt,DbgFndTitl,MB_ICONEXCLAMATION
.else
    invoke MessageBox,NULL,DbgntFndTxt,DbgFndTitl,MB_ICONINFORMATION
.endif

invoke ExitProcess,NULL

end start
samael
Posted: Aug 28 2007, 10:19 AM
Here, try this:

CODE
.DATA

szDbgFndTitl     db "Debugger Found",0
szDbgFndTxt      db "Exit",0
szDbgntFndTitl   db "Debugger not found",0
szDbgntFndTxt    db "Enter",0

.CODE

start:

    ASSUME FS:NOTHING

    MOV EAX,DWORD PTR FS:[30h]       ; FS:[30h] holds the address of the PEB
    MOVZX EAX, BYTE PTR [EAX+2]      ; BeingDebugged is the BOOLEAN (byte) at offset 2

    .IF (EAX==TRUE)
        invoke MessageBox,NULL,addr szDbgFndTxt, addr szDbgFndTitl,MB_ICONEXCLAMATION
    .ELSE
        invoke MessageBox,NULL,addr szDbgntFndTxt, addr szDbgntFndTitl,MB_ICONINFORMATION
    .ENDIF

    invoke ExitProcess,NULL

end start


The error you were getting was because you used the hexadecimal notation of C/C++ (where hexadecimal numbers are written like 0x0AA) instead of the ASM notation (where the same number is written as 0AAh).

The error lies in the following line of the code you posted:

CODE
.if [eax+0x02]==1


Besides that, you were passing literal strings instead of pointers to strings in your MessageBox calls...
The ADDR keyword denotes that a pointer to the string is passed to the function...
SeaFarer
Posted: Aug 28 2007, 10:54 AM
This question does not pertain to WinAsm Studio.

In the future....

Please Post in the appropriate Forum.

EDIT

Thank you Samael. I would have moved the post but wanted to be certain Samjeba did not get confused.

I have also renamed this topic in accordance with new forum guidelines.
samjeba
Posted: Aug 28 2007, 10:58 AM
Sorry for the wrong posting, SeaFarer.

Thanks for the help, samael.
samael
Posted: Aug 28 2007, 11:21 AM
samjeba,

You are welcome.

As for the post being in the wrong forum: actually I didn't notice this, else I would have made a remark. You see, we are working hard to check all topics and reorganize the site.
So keeping posts in the appropriate forums would really help... ;)
For the time being, I moved the topic to the "Newbies" forum.

Now, as far as this method of detecting whether you are running under a debugger goes, don't rely heavily on it. It's already well known; besides, a call to the IsDebuggerPresent API executes _exactly_ the same code.

Also, this method is OS-dependent, because the PEB structure is not published/documented by Microsoft.
I guess it works on NT-based systems, but this may change in the future.

Anyway, here is a link that describes the PEB structure members...

http://undocumented.ntinternals.net/UserMo...rocess/PEB.html

As you can see, the code we are using in this example checks the third member of the PEB structure: the BOOLEAN (byte-sized) BeingDebugged.



If you are interested in anti-debugging, there are numerous methods to detect the presence of a ring-3 debugger...
For more information on the subject, check this link:

http://www.openrce.org/reference_library/anti_reversing

Happy studying!
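Added example (editorial, not part of the thread or anyone's post in it): the two replies above turn on a single detail, that BeingDebugged is the BOOLEAN at offset 2 of the PEB reached through FS:[30h], and that it must be read as one byte (MOVZX with BYTE PTR), not as a DWORD. The C below models the first fields of the 32-bit PEB in the order given on the undocumented.ntinternals page linked above (assumption: that historical 32-bit layout; Microsoft does not document it as a contract), confirms the offset with offsetof, and runs the byte read and a DWORD read over a constructed PEB byte dump. It never touches a live PEB, so it runs on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * First bytes of the 32-bit PEB, following the field order on the
 * undocumented.ntinternals page linked in the thread. Assumption: this
 * mirrors the historical 32-bit layout, which is not a documented contract.
 */
typedef struct {
    uint8_t  InheritedAddressSpace;    /* +0 */
    uint8_t  ReadImageFileExecOptions; /* +1 */
    uint8_t  BeingDebugged;            /* +2  BOOLEAN set by the loader when a debugger attaches */
    uint8_t  BitField;                 /* +3  flags (SpareBool in older layouts) */
    uint32_t Mutant;                   /* +4  HANDLE, 4 bytes in a 32-bit process */
    uint32_t ImageBaseAddress;         /* +8 */
} Peb32Head;

/* Constructed sample PEB bytes (not a real dump): debugger attached,
 * an unrelated BitField flag set, a nonzero Mutant handle. */
static const uint8_t SAMPLE_PEB[12] = {
    0x00, 0x00,             /* InheritedAddressSpace, ReadImageFileExecOptions */
    0x01,                   /* BeingDebugged = TRUE */
    0x08,                   /* BitField with one flag set */
    0xFF, 0xFF, 0xFF, 0xFF, /* Mutant */
    0x00, 0x00, 0x40, 0x00  /* ImageBaseAddress = 0x00400000 */
};

const uint8_t *sample_peb(void) { return SAMPLE_PEB; }

/* The "+2" in FS:[30h] -> [EAX+2]. */
size_t being_debugged_offset(void) {
    return offsetof(Peb32Head, BeingDebugged);
}

/* samael's fix: MOVZX EAX, BYTE PTR [EAX+2] reads exactly one byte. */
uint32_t read_byte_at_offset2(const uint8_t *peb) {
    return peb[2];
}

/* A DWORD-sized read at the same address (MOV EAX, DWORD PTR [EAX+2])
 * also swallows BitField and half of Mutant; bytes assembled little-endian
 * as the x86 would. */
uint32_t read_dword_at_offset2(const uint8_t *peb) {
    return (uint32_t)peb[2]
         | (uint32_t)peb[3] << 8
         | (uint32_t)peb[4] << 16
         | (uint32_t)peb[5] << 24;
}

/* .IF (EAX==TRUE) after the byte read: 1 means a debugger is attached. */
int debugger_flag_byte(const uint8_t *peb) {
    return read_byte_at_offset2(peb) == 1;
}

/* The same compare on the DWORD read misses the set flag whenever any
 * neighbouring byte is nonzero. */
int debugger_flag_dword(const uint8_t *peb) {
    return read_dword_at_offset2(peb) == 1;
}

int main(void) {
    const uint8_t *peb = sample_peb();
    printf("offsetof(BeingDebugged) = %zu\n", being_debugged_offset());
    printf("BYTE  PTR [peb+2] = 0x%02X -> debugged=%d\n",
           read_byte_at_offset2(peb), debugger_flag_byte(peb));
    printf("DWORD PTR [peb+2] = 0x%08X -> debugged=%d\n",
           read_dword_at_offset2(peb), debugger_flag_dword(peb));
    return 0;
}
```

On the constructed dump the byte read yields 1 and the compare succeeds, while the DWORD read yields 0xFFFF0801 and the same compare fails, which is why the reply's MOVZX with BYTE PTR matters and why IsDebuggerPresent, per samael, performs that same byte read.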
samjeba
Posted: Aug 28 2007, 10:35 PM
Thanks for the link, it's great!