- // http://waleedassar.blogspot.com - (@waleedassar)
- // A bizarre method used by Themida and ExeCryptor to detect OllyDbg. It relies on the following:
- //1) at 0x4b1c86 is the string "EBX+".
- //2) at 0x4c91a0 are some strings representing the names of functions exported by plugin DLLs, e.g. _ODBG_Plugininit
- //I guess all of that is meant to detect modified versions of OllyDbg as well.
- #include "stdafx.h"
- #include "windows.h"
- #include "psapi.h"
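int _tmain(int argc, _TCHAR* argv[])
{
    /*
     * Enumerate every process and, for each one whose memory we may read,
     * look for two byte patterns at the fixed addresses named in the header
     * comment:
     *   1) the string "EBX+" at 0x4b1c86
     *   2) the plugin-export name "_ODBG_Plugininit" anywhere in the 0x100
     *      bytes starting at 0x4c91a0
     * A hit is reported with a MessageBox. The addresses are absolute, so the
     * check only matches the build of the debugger they were taken from; the
     * DOS-header read at 0x400000 merely confirms an image is mapped there.
     *
     * Changes relative to the original listing: the process handle is closed
     * on every path (it used to leak when the DOS-header read failed), both
     * LocalAlloc results are checked, and the PID buffer is freed on the
     * success path. argc/argv are unused, as before.
     */
    unsigned long sz = 0x1000;      /* buffer size in bytes; one page to start */
    unsigned long req_sz = 0;       /* bytes filled in by EnumProcesses */
    unsigned long *pPIDs = (unsigned long *)LocalAlloc(LMEM_ZEROINIT, sz);
    if (!pPIDs) {
        return 0;
    }

    /* The only way to tell the buffer was too small is that EnumProcesses
     * filled it completely, so double and retry until it does not. */
    for (;;) {
        if (!EnumProcesses(pPIDs, sz, &req_sz)) {
            LocalFree(pPIDs);
            return 0;
        }
        if (sz != req_sz) {
            break;
        }
        LocalFree(pPIDs);
        sz += sz;                   /* double the size */
        pPIDs = (unsigned long *)LocalAlloc(LMEM_ZEROINIT, sz);
        if (!pPIDs) {
            return 0;
        }
    }

    unsigned long count = req_sz / sizeof(*pPIDs);   /* bytes -> number of PIDs */
    for (unsigned long i = 0; i < count; i++) {
        HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, pPIDs[i]);
        if (!h) {
            continue;               /* no PROCESS_VM_READ access to this process */
        }

        IMAGE_DOS_HEADER DOS = {0};
        if (ReadProcessMemory(h, (void *)0x400000, &DOS, sizeof(DOS), 0)) {
            char buf[4] = {0};
            if (ReadProcessMemory(h, (void *)0x4b1c86, buf, sizeof(buf), 0)
                && strncmp(buf, "EBX+", 4) == 0) {
                MessageBox(0, L"Debugger detected", L"waliedassar", 0); /* Or kill it. */
            }

            /* 0x100 bytes are read into a 0x110-byte zeroed buffer: the 0x10
             * trailing NULs keep every strncmp below inside the array even at
             * c == 0xff. */
            char buffer[0x110] = {0};
            if (ReadProcessMemory(h, (void *)0x4c91a0, buffer, 0x100, 0)) {
                /* this is similar to what is implemented, not an exact code. */
                for (int c = 0; c < 0x100; c++) {
                    if (strncmp(&buffer[c], "_ODBG_Plugininit", 0x10) == 0) { /* among other strings */
                        MessageBox(0, L"Debugger detected", L"waliedassar", 0); /* Or kill it. */
                    }
                }
            }
        }
        /* Closed unconditionally: the original only released the handle after
         * a successful DOS-header read. */
        CloseHandle(h);
    }

    LocalFree(pPIDs);
    return 0;
}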