├── README.md └── anti-debugging.asm /README.md: -------------------------------------------------------------------------------- 1 | # Anti-debugging-techniques 2 | Anti-debugging detection and obfuscation techniques that involve the use of Win32 API functions. 3 | 4 | This simple tool was written in x86 assembly using the Win32 API, and the anti-debugging methods are: 5 | - NtGlobalFlag - PEB!NtGlobalFlags 6 | - IsDebuggerPresent - kernel32!IsDebuggerPresent 7 | - IsDebuggerPresent - PEB!IsDebugged 8 | - FindWindow for OllyDbg 9 | - Software breakpoint detection 10 | - Hardware breakpoint detection 11 | - Self-modifying code 12 | - Obfuscation 13 | 14 | For example, see the following code (first case):
15 | ```assembly 16 | ;NtGlobalFlag - PEB!NtGlobalFlags 17 | xor eax, eax 18 | assume fs:nothing 19 | mov eax, fs:[eax+30h] 20 | mov eax, [eax+68h] 21 | and eax, 70h 22 | db 0ebh, 01h 23 | db 0ffh, 085h, 0C0h 24 | jne @Detected 25 | ``` 26 | The NtGlobalFlag field exists at offset 0x68 in the Process Environment Block
27 | We look at the individual instructions:
28 | ```assembly 29 | mov eax, fs:[eax+30h] ; Process Environment Block
30 | mov al, [eax+68h] ; NtGlobalFlag
31 | and eax, 70h ; if value of eax is 70h
32 | db 0ebh, 01h ; means jmp and skip 1 junk byte
33 | db 0ffh, 085h, 0C0h ; Follows opcode "085h, 0C0h" matches with istruction test eax, eax
34 | ``` 35 | I have tested the executable on Windows 7, both 32-bit and 64-bit.
; anti-debugging.asm
;-----------------------------------------------------------------------
; Demonstration of classic user-mode anti-debugging checks (x86, Win32,
; MASM32 toolchain). Each check falls through when nothing is found and
; jumps to @Detected otherwise; both outcomes end in ExitProcess.
; Syntax: MASM (Intel). ABI: 32-bit stdcall for the Win32 calls below.
; Reference material for what an analyst sees when a sample probes for a
; debugger: PEB flags, the IsDebuggerPresent API, a window-class lookup,
; an int3 scan of its own code, debug registers read via SEH, and a
; self-patching instruction.
;-----------------------------------------------------------------------
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
; Unused banner; note it has no terminating 0, unlike the strings below.
AppName db "Anti debugging and obfuscation techniques - Andrea Sindoni @invictus1306"

MsgBoxText db "Windows debugger detected!",0
MsgBoxTitle db "Debugger detectd!",0            ; "detectd" (sic): user-visible typo, left unchanged
MsgBoxTextNot db "Windows debugger not detected!",0
MsgBoxTitleNot db "Perfect!",0
OllydbgFindWindow db "OLLYDBG",0h               ; window class name passed to FindWindow

.data?

.code
start proc

; Four bytes that are never executed as a unit: the short jmp emitted
; before each use skips the first two (0CCh = int3 and a 0FEh opcode
; byte), leaving 0EBh 00h = "jmp $+2", i.e. a no-op. A linear-sweep
; disassembler decodes from the int3 and desynchronises.
JUNKBYTE MACRO
db 0cch, 0feh, 0ebh, 00h
ENDM

;NtGlobalFlag - PEB!NtGlobalFlags
; fs:[30h] is the PEB (32-bit TEB layout); PEB+68h is NtGlobalFlag.
; A debugger that created the process typically sets the heap-check bits
; FLG_HEAP_ENABLE_TAIL_CHECK (10h), FLG_HEAP_ENABLE_FREE_CHECK (20h) and
; FLG_HEAP_VALIDATE_PARAMETERS (40h); masking with 70h isolates them.
xor eax, eax
assume fs:nothing
mov eax, fs:[eax+30h]                           ; eax = PEB
mov eax, [eax+68h]                              ; eax = NtGlobalFlag
and eax, 70h                                    ; keep the three heap-check flags
db 0ebh, 01h                                    ; jmp short $+3: skip the 0FFh byte below
db 0ffh, 085h, 0C0h ;junk byte - test eax, eax  ; 0FFh is junk; 85h 0C0h = test eax, eax
jne @Detected                                   ; any heap-check flag set -> debugger

;obfuscation
; jmp short $+4 lands on the last two bytes of JUNKBYTE (jmp $+2).
db 0ebh, 02h
JUNKBYTE

;IsDebuggerPresent first - kernel32!IsDebuggerPresent
; IsDebuggerPresent returns PEB->BeingDebugged in eax. The call to
; @eip_manipulate advances its own return address by 5, so the 5-byte
; "mov eax, 010h" (B8 imm32) is never executed and eax still holds the
; API result when it is compared with 1. A static read of the listing
; sees eax being overwritten with 10h.
call IsDebuggerPresent
call @eip_manipulate ; change eip (point to next instruction)
mov eax, 010h                                   ; skipped at run time (see above)
cmp eax, 1
je @Detected

;IsDebuggerPresent second - PEB!IsDebugged
; Same flag read directly: fs:[18h] = TEB self pointer, TEB+30h = PEB,
; PEB+2 = BeingDebugged (BYTE).
xor eax, eax
assume fs:nothing
mov eax, fs:[18h]                               ; eax = TEB
mov eax, DWORD PTR ds:[eax+30h]                 ; eax = PEB
movzx eax, BYTE PTR ds:[eax+2h]                 ; eax = BeingDebugged
test eax, eax
jne @Detected

;FindWindows for ollydbg
; FindWindow(lpClassName = "OLLYDBG", lpWindowName = NULL): a non-zero
; handle means an OllyDbg main window exists on the desktop, not
; necessarily one attached to this process.
push 0
push offset OllydbgFindWindow
call FindWindow
test eax, eax
jne @Detected

;software breakpoint detection into MessageBox API
; Scans 013h (19) bytes of this program's own code, starting at
; @Detected, for an 0CCh (int3) byte. NOTE(review): the scanned range
; includes the imm32 addresses of the "push offset" instructions, so an
; address byte that happens to be 0CCh would trip this check with no
; debugger present.
cld
mov edi, offset @Detected
mov ecx, 013h
mov al,0cch
repne scasb
jz @Detected                                    ; ZF set only if an 0CCh byte matched

;hardware breakpoint detection
; Installs a raw SEH frame (Next = old fs:[0], Handler = HwBpHandler),
; then forces an integer divide-by-zero so the handler can inspect the
; CONTEXT record, where DR0-DR3 are visible to user mode. The handler
; reports through CONTEXT.Eax (see HwBpHandler) and resumes execution.
; NOTE(review): the handler does not check the exception code, and a
; hand-registered handler is only honoured if the image is linked without
; /SAFESEH or lists it in the SafeSEH table - confirm the link settings.
assume fs:nothing
push offset HwBpHandler                         ; EXCEPTION_REGISTRATION.Handler
push fs:[0]                                     ; EXCEPTION_REGISTRATION.Next
mov DWORD PTR fs:[0], esp                       ; link the new frame
xor eax, eax
div eax                                         ; #DE -> HwBpHandler
pop DWORD PTR fs:[0]                            ; unlink: restore previous frame
add esp, 4                                      ; discard the handler pointer
test eax, eax                                   ; eax comes back from CONTEXT.Eax
jnz @Detected

;get write permissions for self-modifying code
; VirtualProtect(@encrypted_code, 4, PAGE_EXECUTE_READWRITE, lpflOldProtect).
; NOTE(review): "push esp" passes the address of the slot just above the
; arguments as lpflOldProtect, so the old protection value is written over
; whatever sits there (presumably the loader's return address); this is
; only tolerable because start exits through ExitProcess and never
; returns. The return value is not checked and the page is left RWX.
xor esi, esi                                    ; redundant: esi is overwritten below
xor ecx, ecx                                    ; redundant: ecx is reloaded before the loop
mov esi, offset @encrypted_code
push esp                                        ; lpflOldProtect (see note)
push PAGE_EXECUTE_READWRITE                     ; flNewProtect
push 04h                                        ; dwSize
push esi                                        ; lpAddress
call VirtualProtect

;self-modifying code
; XORs the 4 bytes at @encrypted_code in place with the low byte of the
; key (34h), then falls into the decoded bytes:
;   5Eh 04h DFh 34h  xor 34h  ->  6Ah 30h EBh 00h  =  push 30h ; jmp $+2
; The decoded "push 30h" supplies the uType argument (MB_ICONEXCLAMATION)
; of the MessageBox call that follows; statically the listing shows only
; three pushes for a four-argument API.
mov eax, 1234h ;key                             ; only al (34h) is used
mov ecx, offset @encrypted_code

@loop_decryption:
xor [ecx], al ;very simple algorithm
inc ecx
cmp ecx, @encrypted_code + 04h                  ; stop after 4 bytes
jnz @loop_decryption

@encrypted_code:
db 05eh, 04h ;push 30h
db 0dfh, 34h ;jmp at next instruction

push offset MsgBoxTitleNot                      ; lpCaption
push offset MsgBoxTextNot                       ; lpText
push 0                                          ; hWnd
call MessageBox
jmp @Exit                                       ; skip over the @Detected path

@Detected:
push 30h                                        ; uType = MB_ICONEXCLAMATION
push offset MsgBoxTitle                         ; lpCaption
push offset MsgBoxText                          ; lpText
push 0                                          ; hWnd
call MessageBox
jmp @Exit                                       ; redundant: @Exit is the next instruction

@Exit:
push 0                                          ; uExitCode
call ExitProcess

; Helper: reached with "call", it bumps its own return address by 5 so
; the caller resumes 5 bytes past the call site, skipping one 5-byte
; instruction. Clobbers: flags only.
@eip_manipulate:
add dword ptr [esp], 5
ret

start endp

;-----------------------------------------------------------------------
; HwBpHandler - SEH handler for the divide-by-zero probe in start.
; C-equivalent: EXCEPTION_DISPOSITION __cdecl HwBpHandler(
;     EXCEPTION_RECORD *rec, void *frame, CONTEXT *ctx, void *dispatch)
; In:   [esp+0ch] = CONTEXT* of the faulting thread
; Out:  eax = 0 (ExceptionContinueExecution); CONTEXT.Eax set to -1 when
;       any of DR0-DR3 is non-zero; CONTEXT.Eip advanced by 6.
; Clobbers: eax, flags.
; Offsets are those of the x86 CONTEXT structure: Dr0 04h, Dr1 08h,
; Dr2 0Ch, Dr3 10h, Eax 0B0h, Eip 0B8h.
; NOTE(review): the "+6" assumes the faulting sequence spans 6 bytes, but
; "div eax" alone encodes in 2 bytes and the instruction after it is
; "pop DWORD PTR fs:[0]"; confirm the resume address against the
; assembled listing.
;-----------------------------------------------------------------------
HwBpHandler proc
xor eax, eax                                    ; redundant: eax is loaded next
mov eax, [esp + 0ch] ; This is a CONTEXT structure on the stack
cmp DWORD PTR [eax + 04h], 0 ; Dr0
jne bpFound
cmp DWORD PTR [eax + 08h], 0 ; Dr1
jne bpFound
cmp DWORD PTR [eax + 0ch], 0 ; Dr2
jne bpFound
cmp DWORD PTR [eax + 10h], 0 ; Dr3
jne bpFound
jmp retFromException

bpFound:
mov DWORD PTR [eax + 0b0h], 0ffffffffh ; HW bp found   ; CONTEXT.Eax = -1, seen by the caller's test eax, eax

retFromException:
add DWORD PTR [eax + 0b8h], 6                   ; CONTEXT.Eip += 6: resume past the faulting div (see note)
xor eax, eax                                    ; ExceptionContinueExecution
ret

HwBpHandler endp

end start