OllyDbg RaiseException Anti-Debug Trick

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //In OllyDbg, upon receiving an EXCEPTION_BREAKPOINT, it checks code in ExceptionAddress to ensure it is
4. //0xCC or similar. If it is not, the behavior depends on the OllyDbg version.
5. //In versions prior to 2.01, the exception is swallowed and the exception handler is not called.
6. //In version 2.01 (alpha 4), several error messages pop up and process terminates.
7. // Only version 2.01 (beta 2) handles it properly.
8. //The following is code that exploits this bug to detect the presence of OllyDbg.
9. #include "stdafx.h"
10. #include "windows.h"
11. #include "stdio.h"
12.  
13. int __cdecl Hhandler(EXCEPTION_RECORD* pRec,void*,unsigned char* pContext,void*)
14. {
15.     if(pRec->ExceptionCode==EXCEPTION_BREAKPOINT)
16.     {
17.         (*(unsigned long*)(pContext+0xB8))++;
18.         MessageBox(0,"Expected","waliedassar",0);
19.         ExitProcess(0);
20.     }
21.     return ExceptionContinueSearch;
22. }
23. void main()
24. {
25.     __asm
26.     {
27.         push offset Hhandler
28.         push dword ptr fs:[0x0]
29.         mov dword ptr fs:[0x0],esp
30.     }
31.     RaiseException(EXCEPTION_BREAKPOINT,0,1,0);
32.     __asm
33.     {
34.         pop dword ptr fs:[0x0]
35.         pop eax
36.     }
37.     MessageBox(0,"OllyDbg Detected","waliedassar",0);
38. }