
Found a nice code snippet (https://github.com/invictus1306/Anti-debugging-techniques/blob/master/anti-debugging.asm) for an anti-debugging mechanism in asm. My question is about the following snippet:

    ; IsDebuggerPresent first - kernel32!IsDebuggerPresent
    call IsDebuggerPresent
    call @eip_manipulate       ; change eip (point to next instruction)
    mov eax, 010h              ; 5-byte instruction that @eip_manipulate skips
    cmp eax, 1
    je @Detected

    [...]

    @eip_manipulate:
        add dword ptr [esp], 5 ; bump the saved return address past the 5-byte mov
        ret

I don't get why I have to change this. Because if I call `IsDebuggerPresent`, it will return 1 for debuggerIsPresent or 0 for debuggerIsNotPresent. I tried this and it only works with the `eip_manipulate` call.

Schugar
  • I think the idea is that a debugger stepping *over* functions might set a breakpoint after the `call`, which would never be hit because `@eip_manipulate` doesn't return to the normal return-address. IDK if it's helpful for anything other than a minor trick against interactive debugging, though. – Peter Cordes Nov 29 '18 at 22:01
  • Obviously if you don't skip the `mov eax, 010h` (5 bytes long), then it will overwrite EAX so the `cmp` is always false, so you can't just remove the `call @eip_manipulate` – Peter Cordes Nov 29 '18 at 22:01
  • @Peter Cordes so I tried this now without calling `@eip_manipulate` and without `mov eax, 010h` and it works fine with OllyDbg. As you said, this was obvious. Anyhow, thanks for your help. – Schugar Nov 30 '18 at 07:57
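The mechanics of the `add dword ptr [esp], 5 / ret` trick can be checked outside a Windows debugger. The following is an added example, not code from the question or from the linked repository: it rebuilds the snippet as two x86-64 functions in GNU assembler syntax (so `esp` becomes `rsp` and the labels lose their `@`), with the function's first argument standing in for the value `kernel32!IsDebuggerPresent` would have left in `eax` (the real API is not called). The names `probe_with_skip`, `probe_without_skip`, `detected_with_skip` and `detected_without_skip` are mine. It assumes a 64-bit x86 Linux toolchain (gcc or clang).

```c
#include <stdio.h>

/* Two tiny x86-64 functions in AT&T syntax. The first int argument arrives
 * in %edi and stands in for IsDebuggerPresent's return value (a stand-in;
 * the Windows API is not called here). */
__asm__(
    ".text\n"
    ".globl probe_with_skip\n"
    ".type probe_with_skip, @function\n"
    "probe_with_skip:\n"
    "    mov %edi, %eax\n"          /* eax = simulated IsDebuggerPresent result */
    "    call eip_manipulate\n"     /* return address is moved past the next mov */
    "    mov $0x10, %eax\n"         /* b8 10 00 00 00: 5 bytes, never executed   */
    "    ret\n"                     /* eax still holds the simulated result      */
    "\n"
    ".globl probe_without_skip\n"
    ".type probe_without_skip, @function\n"
    "probe_without_skip:\n"
    "    mov %edi, %eax\n"
    "    mov $0x10, %eax\n"         /* executed: always clobbers eax with 0x10   */
    "    ret\n"
    "\n"
    "eip_manipulate:\n"
    "    addq $5, (%rsp)\n"         /* bump the saved return address by 5 bytes  */
    "    ret\n"                     /* 'returns' to the instruction after the mov */
);

int probe_with_skip(int simulated_result);
int probe_without_skip(int simulated_result);

/* Mirrors the snippet's "cmp eax, 1 / je @Detected": 1 means "detected". */
int detected_with_skip(int simulated_result)
{
    return probe_with_skip(simulated_result) == 1;
}

int detected_without_skip(int simulated_result)
{
    return probe_without_skip(simulated_result) == 1;
}

int main(void)
{
    for (int sim = 0; sim <= 1; sim++) {
        printf("simulated IsDebuggerPresent=%d: with skip eax=0x%x detected=%d, "
               "without skip eax=0x%x detected=%d\n",
               sim,
               probe_with_skip(sim), detected_with_skip(sim),
               probe_without_skip(sim), detected_without_skip(sim));
    }
    return 0;
}
```

With the skip, `eax` survives untouched and the comparison works; without it, `eax` is always `0x10`, so `je @Detected` never fires, which is the point of Peter Cordes' second comment. The reason this also annoys an interactive debugger is that "step over" plants a temporary breakpoint at the return address the `call` pushed, and execution never comes back to that address. Two caveats for anyone analysing such code: the constant 5 is tied to the exact encoding of the following instruction, so any change to that instruction silently breaks the skip, and on a CPU enforcing a hardware shadow stack (Intel CET) the mismatch between the modified stack copy and the shadow copy of the return address faults instead of "working".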

0 Answers