DebugDetector v 0.1

Hmily

https://github.com/zer0fl4g/DebugDetector

DD - DebugDetectorNotes

• This tool should help to test if your debugger is invisible against the targets. Maybe some can learn something about the anti debug techniques while browsing the source. Of course the most things are easy to bypass but you should see what you need to fix in your debugger
• If you have some ideas, other techniques (no time related things currently) or other suggestions than feel free to contact me!
  
  
  • zer0fl4g[at]gmail[dot]com
    
  
  

Ideas & Techniques & collected Links

• CodeProject - an anti reverse engineering guide
• Veracode - whitepaper_antidebugging.pdf
• Spareclockycles - stack necromancy defeating debuggers by raising the dead
• Symantec - windows anti debug reference
• Tuts4You
  

ToDo

• Add more Plugins
• Add bad driver names
• Add custom window titel depending on detection
• fix x64 support
  

Changelog v0.2

• added color on detection
• added better error reporting on plugins
• added OSVersion parameter to plugins
• added NtYieldExecution plugin (by Aguila)
• added CheckHeapMemory plugin
• added some new windows to the FindBadWindow plugin
• fixed a Windows XP display problem
  

Features

• Plugin Interface
  
  • simple to use
  • error messages
    
• Show percentage of detection
• 18 Plugins
  
  • DebugObject
    
    • Using NtQueryInformationProcess to see if there are Debugging Objects for our process
      
  • CheckRemoteDebuggerPresent
    
    • simple api which checks if a debugger is present
      
  • HardwareBreakpoint
    
    • checking the current thread for breakpoints in CONTEXT.dr0 - .dr3
      
  • IsDebuggerPresent
    
    • simple api which checks if a debugger is present
      
  • MemoryBreakpoint
    
    • places a page guard and in case there is no exception we know that we are debugged
      
  • OpenCSRSS (doesn′t work anymore ?)
    
    • Opens a handle for csrss , should not be able to without DebuggingFlag
      
  • OutputDebugString
    
    • if eax == 1 we are in normal mode. else offset of string is found in eax
      
  • ParentProcess
    
    • normaly we run with explorer.exe as parent
      
  • ProcessDebugFlags
    
    • uses NtQueryInformationProcess to check if our process has debugflags
      
  • Unhandled Exception
    
    • raises a division by 0 exception and in case we are not debugged everything wents good since we capture the exception
      
  • PEB.BeingDebugged
    
    • Checks the Process Enviroment Block if the debugbit is set
      
  • PEB.GlobalFlags
    
    • checks if flag is set in PEB (FLG_HEAP_ENABLE_TAIL_CHECK && FLG_HEAP_ENABLE_FREE_CHECK && FLG_HEAP_VALIDATE_PARAMETERS)
      
  • PEB.ProcHeapFlag
    
    • checks if the ForceFlag is set in the PEB
      
  • FindBadProcesses
    
    • enums the process list and checks if given processes are running
      
  • FindBadWindows
    
    • enums the window list and checks if given windows are found
      
  • FindBadDrivers
    
    • enums the driver list and checks if given drivers are found
      
  • NtYieldExecution (by Aguila)
    
    • NtYieldExecution returns STATUS_NO_YIELD_PERFORMED if there is no other thread ( e.g debugger) but often fails if the system is overloaded and doesn′t allow a switch (not a good method)
      
  • CheckHeapMemory
    
    • allocs memory in the heap and checks if FEEEABABABABABABABAB (exists only on debug mode as overflow detection) is there
      
    
    
  
  

Sound

添加到OSVERSION参数插件

上班呢 先下载 晚上回去试试 Thanks 大黑

lyq_superior

Thanks Hmily ,You are a kind hearted man!

转身

完全看不懂了。。好像是什么调试器？

面面

崇拜Hmily好外语
发帖都用洋玩意
经过翻译才知道
可是调试探测器

a765058024

Hmily不一般，顶一下