I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:
[code language=”C”]
/*
* IsDebuggerPresent Example
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* Website: http://osandamalith.wordpress.com
*/
#include <windows.h>
int main() {
MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);
}
[/code]
If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.
[code language=”C”]
MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOVZX EAX,BYTE PTR DS:[EAX+2]
[/code]
(more…)
