#1
I have not read the tutorial by Shub-Nigurrath yet, but with the above code I have a question: will this function be called from the loader or from the victim process?
#2
IsDebuggerPresent is the weakest anti-debug check.

If you want to defeat it then I would propose the following:

- modification of kernel32.dll (overwriting during the runtime)
- hooking the API itself (if the protection is more sophisticated and computes the checksum of it, then usually it checks only the first few instructions; you should still be able to set the hook at one of the last instructions inside this API)
- modification of the IsDebuggerPresent return value in the code space of the protected software (e.g. set a hardware breakpoint near the call offset)

Regards.

Last edited by dyn!o; 02-28-2005 at 20:02.
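The second option above (hooking past the bytes a protector checksums) as an added example; this is not dyn!o's code and not from this thread. It assumes the 32-bit Windows XP layout of kernel32!IsDebuggerPresent (mov eax, fs:[18h] / mov eax, [eax+30h] / movzx eax, byte [eax+2] / ret), which is an assumption to verify against your own kernel32.dll; the function image, the FNV-1a checksum and the "first few instructions" prefix length a protector checks are constructed for the demonstration. The patch only replaces the last two instructions, so a checksum over the leading instructions is unchanged while the call now returns 0. The byte-level logic is portable; the live patch needs a 32-bit Windows build and is guarded accordingly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
#endif

/* Constructed image of kernel32!IsDebuggerPresent as laid out on 32-bit
 * Windows XP (assumption: check against your own kernel32.dll):
 *   64 A1 18 00 00 00   mov   eax, fs:[18h]        ; TEB
 *   8B 40 30            mov   eax, [eax+30h]       ; TEB->PEB
 *   0F B6 40 02         movzx eax, byte [eax+2]    ; PEB->BeingDebugged
 *   C3                  ret
 */
static const uint8_t ORIGINAL[] = {0x64,0xA1,0x18,0x00,0x00,0x00,
                                   0x8B,0x40,0x30,
                                   0x0F,0xB6,0x40,0x02,
                                   0xC3};
#define FUNC_LEN sizeof(ORIGINAL)
#define TAIL_OFF 9   /* offset of the movzx: everything from here is replaced */

/* Original tail and its same-length replacement (nothing after it shifts):
 *   33 C0   xor eax, eax   ; force "no debugger"
 *   90 90   nop; nop       ; pad to the original length
 *   C3      ret
 */
static const uint8_t TAIL_ORIG[] = {0x0F,0xB6,0x40,0x02,0xC3};
static const uint8_t TAIL_HOOK[] = {0x33,0xC0,0x90,0x90,0xC3};

/* Prefix checksum of the kind a protector computes over the first n bytes
 * (constructed: FNV-1a, any prefix hash behaves the same for this purpose). */
uint32_t prefix_checksum(const uint8_t *code, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= code[i]; h *= 16777619u; }
    return h;
}

/* Patch the tail in place. Returns 1 on success, 0 if the bytes at the patch
 * site are not the expected tail (different kernel32 build: never patch blindly). */
int hook_tail(uint8_t *code, size_t len) {
    if (len < TAIL_OFF + sizeof(TAIL_ORIG)) return 0;
    if (memcmp(code + TAIL_OFF, TAIL_ORIG, sizeof(TAIL_ORIG)) != 0) return 0;
    memcpy(code + TAIL_OFF, TAIL_HOOK, sizeof(TAIL_HOOK));
    return 1;
}

/* Patch a writable copy of the image and report whether a checksum over the
 * first checked_prefix bytes is identical before and after the hook. */
int demo_checksum_survives(size_t checked_prefix) {
    uint8_t code[FUNC_LEN];
    memcpy(code, ORIGINAL, FUNC_LEN);
    uint32_t before = prefix_checksum(code, checked_prefix);
    if (!hook_tail(code, FUNC_LEN)) return 0;
    uint32_t after = prefix_checksum(code, checked_prefix);
    return before == after &&
           memcmp(code + TAIL_OFF, TAIL_HOOK, sizeof(TAIL_HOOK)) == 0;
}

#if defined(_WIN32) && !defined(_WIN64)
/* Apply the same patch to the live function in this process (x86 only: the
 * byte pattern above is the 32-bit layout; hook_tail refuses anything else). */
int hook_live_isdebuggerpresent(void) {
    uint8_t *p = (uint8_t *)GetProcAddress(GetModuleHandleA("kernel32.dll"),
                                           "IsDebuggerPresent");
    DWORD old;
    if (!p || !VirtualProtect(p, FUNC_LEN, PAGE_EXECUTE_READWRITE, &old)) return 0;
    int ok = hook_tail(p, FUNC_LEN);
    VirtualProtect(p, FUNC_LEN, old, &old);
    FlushInstructionCache(GetCurrentProcess(), p, FUNC_LEN);
    return ok;
}
#endif

int main(void) {
    printf("checksum over first 9 bytes survives tail patch: %d\n",
           demo_checksum_survives(9));
    printf("checksum over all 14 bytes survives tail patch: %d\n",
           demo_checksum_survives(FUNC_LEN));
#if defined(_WIN32) && !defined(_WIN64)
    printf("live patch applied: %d, IsDebuggerPresent() now returns %d\n",
           hook_live_isdebuggerpresent(), (int)IsDebuggerPresent());
#endif
    return 0;
}
```

The memcmp before patching is the important part: if the protector's checksum covers the whole function, or if the kernel32 build has a different encoding, the tail bytes will not match and nothing is written; in that case the third option (changing the return value at the call site with a hardware breakpoint) is the fallback.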
#3
Quote:
However, with little to no modification this code or its equivalent could be used in combination with y0da's Force Library, and thus IsDebuggerPresent could be defeated via RemoteExec, which enables you to execute code within the context of another process. Regards...
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.

Last edited by D-Jester; 02-28-2005 at 22:02.