IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques used in the world of reverse engineering. There are so many techniques out there that I decided to try a few of them and understand them from the lowest level. I thought I would share the things I have been experimenting with these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here's an example:

[code language="C"]
/*
* IsDebuggerPresent Example
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: http://osandamalith.wordpress.com
*/

#include <windows.h>

int main() {
    /* IsDebuggerPresent() returns nonzero when a user-mode debugger is attached
       to the calling process. 0x30 is MB_ICONEXCLAMATION (the warning icon). */
    MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found", "Status", 0x30);
    return 0;
}
[/code]

If we run the program under a debugger, the MessageBox shows the "Debugger found" text. How does this API work? Open the API in the debugger and you get the following piece of code.

[code language="C"]
MOV EAX,DWORD PTR FS:[18]      ; FS:[0x18] holds TEB.NtTib.Self, the address of the current thread's TEB
MOV EAX,DWORD PTR DS:[EAX+30]  ; TEB+0x30 is the pointer to the PEB (32-bit process)
MOVZX EAX,BYTE PTR DS:[EAX+2]  ; PEB+0x02 is the BeingDebugged byte, zero-extended into EAX as the return value
[/code]
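To see that those three instructions really are the whole check, here is an added example (not code from the original post) that reproduces the same TEB -> PEB -> BeingDebugged walk in C. The offsets are the ones the disassembly uses for a 32-bit process, plus the 64-bit TEB offset; the TEB and PEB byte images the example walks are constructed for illustration, and the `my_is_debugger_present` function, which only builds on Windows, applies the walk to the live process through `NtCurrentTeb()`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* Offsets the disassembly above dereferences, for a 32-bit process:
 * FS:[0x18] -> TEB self pointer, TEB+0x30 -> PEB pointer, PEB+0x02 -> BeingDebugged.
 * In a 64-bit process the PEB pointer sits at TEB+0x60; BeingDebugged stays at PEB+0x02. */
#define TEB32_PEB_OFFSET         0x30
#define TEB64_PEB_OFFSET         0x60
#define PEB_BEINGDEBUGGED_OFFSET 0x02

size_t teb_peb_offset(void)
{
    return sizeof(void *) == 8 ? TEB64_PEB_OFFSET : TEB32_PEB_OFFSET;
}

/* MOV EAX,[EAX+30]: fetch the PEB pointer stored inside a TEB image. */
const uint8_t *peb_from_teb(const uint8_t *teb, size_t peb_ptr_offset)
{
    const uint8_t *peb;
    memcpy(&peb, teb + peb_ptr_offset, sizeof peb);
    return peb;
}

/* MOVZX EAX,BYTE PTR [EAX+2]: read the BeingDebugged byte of a PEB image. */
int peb_being_debugged(const uint8_t *peb)
{
    return peb[PEB_BEINGDEBUGGED_OFFSET] != 0;
}

/* Constructed TEB/PEB images (not real process memory) exercising the walk end to end:
 * the TEB image points at the PEB image, whose BeingDebugged byte we set ourselves. */
int walk_constructed_images(uint8_t being_debugged_value)
{
    static uint8_t peb[0x40];
    static uint8_t teb[0x80];
    const uint8_t *peb_ptr = peb;
    memset(peb, 0, sizeof peb);
    memset(teb, 0, sizeof teb);
    peb[PEB_BEINGDEBUGGED_OFFSET] = being_debugged_value;
    memcpy(teb + teb_peb_offset(), &peb_ptr, sizeof peb_ptr);
    return peb_being_debugged(peb_from_teb(teb, teb_peb_offset()));
}

#ifdef _WIN32
/* Windows only: NtCurrentTeb() yields the pointer FS:[0x18] (GS:[0x30] on x64) holds,
 * so the same walk on the live process gives the IsDebuggerPresent() result. */
int my_is_debugger_present(void)
{
    return peb_being_debugged((const uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock);
}
#endif
```

Because the flag is a plain byte in user-mode memory, an analyst who understands this walk also understands why the check is cheap and why the result should be treated as a hint rather than proof that no debugger is attached.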

Magic Folder Hide

This is an application I coded last year but forgot to write a blog post about. Using this tool you can create a '..' folder in Windows and store your data inside it. Nobody can access your files through Explorer, since the path is not valid; they can only see the name 🙂

This trick can be used in pentesting and is widely used by malware to hide other malicious files. I coded this tool just for fun 😀
