waliedassar

Detect OllyDbg v1.10 (And many modified versions)

Aug 12th, 2012
  1. // http://waleedassar.blogspot.com - (@waleedassar)
  2. // A bizarre method used by Themida and ExeCryptor to detect OllyDbg; it relies on the fact that:
  3. //1) at 0x4b1c86 is the string "EBX+".
  4. //2) at 0x4c91a0 are some strings representing names of functions to be exported by plugin DLLs e.g. //_ODBG_Plugininit
  5. //I guess all that is for detecting modified versions of OllyDbg.
  6.  
  7.  
  8. #include "stdafx.h"
  9. #include "windows.h"
  10. #include "psapi.h"
  11.  
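// Returns a LocalAlloc'd array of process IDs, or NULL on failure.
// *count receives the number of valid entries. The caller LocalFree()s it.
// EnumProcesses reports no "buffer too small" condition other than filling
// the whole buffer, so a full buffer is retried with twice the size.
static unsigned long *enumerate_pids(unsigned long *count)
{
    unsigned long sz = 0x1000;   // one page to start
    unsigned long needed = 0;
    unsigned long *pids;

    for (;;) {
        pids = (unsigned long *)LocalAlloc(LMEM_ZEROINIT, sz);
        if (!pids) {             // original dereferenced a NULL allocation here
            return NULL;
        }
        if (!EnumProcesses(pids, sz, &needed)) {
            LocalFree(pids);
            return NULL;
        }
        if (needed < sz) {
            break;
        }
        LocalFree(pids);
        sz += sz;                // double the size and retry
    }
    *count = needed / sizeof(unsigned long);
    return pids;
}

// Probes process h for the two OllyDbg v1.10 fingerprints described in the
// file header. Returns nonzero on the first match, zero otherwise.
// The addresses are absolute VAs of the stock 1.10 image at its preferred
// base 0x400000; the header read only checks that the base is mapped and
// readable, its contents are not validated (kept as in the original).
static int matches_ollydbg_fingerprint(HANDLE h)
{
    IMAGE_DOS_HEADER dos = {0};
    char tag[4] = {0};
    char names[0x110] = {0};     // 0x100 read + 0x10 zero tail for the window below
    int c;

    if (!ReadProcessMemory(h, (void *)0x400000, &dos, sizeof(dos), NULL)) {
        return 0;
    }
    // 1) the literal "EBX+" at 0x4b1c86
    if (ReadProcessMemory(h, (void *)0x4b1c86, tag, sizeof(tag), NULL) &&
        strncmp(tag, "EBX+", 4) == 0) {
        return 1;
    }
    // 2) plugin export names at 0x4c91a0. This is similar to what the
    //    packers implement, not an exact reproduction.
    if (ReadProcessMemory(h, (void *)0x4c91a0, names, 0x100, NULL)) {
        for (c = 0; c < 0x100; c++) {
            // strncmp never reads past names[c + 0x0f] <= names[0x10e] < sizeof names
            if (strncmp(&names[c], "_ODBG_Plugininit", 0x10) == 0) {   // among other strings
                return 1;
            }
        }
    }
    return 0;
}

// Entry point: enumerates all processes this program can open for reading
// and reports each one matching the OllyDbg v1.10 fingerprint.
// Fixes over the original: the process handle was leaked whenever the
// 0x400000 read failed, the PID array was never freed, a failed LocalAlloc
// was dereferenced, and one process could pop several message boxes.
// Always returns 0; detection is reported through MessageBox only.
int _tmain(int argc, _TCHAR* argv[])
{
    unsigned long count = 0;
    unsigned long *pids;
    unsigned long i;

    (void)argc;
    (void)argv;

    pids = enumerate_pids(&count);
    if (!pids) {
        return 0;
    }
    for (i = 0; i < count; i++) {
        // PROCESS_VM_READ is all the probes need. Processes that cannot be
        // opened (other users, protected processes) are silently skipped.
        HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, pids[i]);
        if (!h) {
            continue;
        }
        if (matches_ollydbg_fingerprint(h)) {
            MessageBox(0,L"Debugger detected",L"waliedassar",0);  //Or kill it.
        }
        CloseHandle(h);          // closed on every path, not only after a successful header read
    }
    LocalFree(pids);
    return 0;
}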