Debugger Detection Using NtGlobalFlag

This is another simple anti-reversing trick used to detect a debugger. As I have shown earlier in my post about the TEB structure and the PEB structure, NtGlobalFlag is located in the PEB Structure at offset PEB+104.

When the process is being debugged the NtGlobalFlag is set to 0x70.



IsDebuggerPresent API

I was interested in learning about the anti-reversing techniques in the world of reverse engineering. There are so many techniques out there and I thought of trying few techniques and understanding them from the lowest level. I thought of sharing the things I’ve been experimenting these days.
IsDebuggerPresent is a Windows API that can be used to detect a debugger. Here’s an example code:

 * IsDebuggerPresent Example
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website:	

#include <windows.h>

int main() {	
	MessageBox(0, IsDebuggerPresent() ? "Debugger found" : "Debugger not found","Status",0x30);

If we open in a debugger “Debugger Found” text will get triggered in the MessageBox API. How this API works? Open the API in the debugger and you get the following piece of code.



Rootme No software breakpoints Cracking Challenge

Here is another very interesting challenge from Rootme. The title says ELF – no software breakpoints.

Let’s run the file command and see.

% file ch20.bin
ch20.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

The executable seemed to be striped.
Next I examined the sections in file and the .text section starts at 0x08048080

This is the disassembly of the text section. I spent some time trying to understand the logic. Well let’s see what this is 🙂

How to Turn Your Switch into a Snitch

Warning: The author takes no responsibility for any damage you may cause to your device. This post is meant for educational purposes and strictly NOT for malicious purposes.

This post is all about modifying your existing router firmware to perform cool things.

Hardware and Tools Needed:

For the router, I am using a TP-Link MR3020. You may use whatever router you like but make sure you won’t brick your device after or while uploading the modified firmware. Also make sure your firmware can be reversed and dumped using the FMK (Firmware Mod Kit).

Download Firmware Mod Kit