
Anti-debugging
I thought this would be good for myself, and maybe for others who find this stuff always difficult to remember. Here are some notable ones:


PEB access check for the BeingDebugged flag

    mov eax, dword fs:[30h]   ; FS:[30h] holds the PEB address (32-bit process)
    add eax, 2                ; PEB+2 is the BeingDebugged byte
    movzx eax, byte [eax]     ; read one byte, not a dword
    cmp eax, 1                ; 1 means a debugger is attached

NtGlobalFlag

    mov eax, dword fs:[30h]   ; location of PEB
    add eax, 68h              ; PEB+68h is NtGlobalFlag (hex, not decimal 68)
    mov eax, [eax]
    and eax, 70h              ; keep only the three heap-debug flags
    cmp eax, 70h              ; 70h (tail check | free check | validate parameters) is set when the process was created under a debugger


Some commonly used API addresses (absolute addresses from one Windows XP-era build of kernel32, advapi32 and shell32; they differ between builds and do not survive ASLR) include

    CreateFileA     0x7c801a24
    WriteFileA      0x7c810d87
    StartServiceA   0x77df3238
    WinExec         0x7c86136d
    CreateServiceA  0x77e37071
    CreateThread    0x7c810637
    CreateProcessA  0x7c802367
    CreateMutexA    0x7c80e93f
    ShellExecuteA   0x7ca40ec0
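A triage script that looks for both things this post lists in a raw byte blob: the PEB-pointer loads behind the BeingDebugged and NtGlobalFlag checks, and the hard-coded API addresses. This is an added example for analysts, not code from the post; the instruction encodings are the standard x86/x64 ones, the address table is the list above, and the two sample blobs are constructed.

```python
"""Triage helper: flag anti-debugging PEB access stubs and hard-coded Windows
API addresses in a byte blob. Added example, not code from the original post.
The instruction encodings are the standard x86/x64 ones; the address list is
taken from the post; the sample blobs at the bottom are constructed."""
import re
import struct

# Encodings of "mov <reg>, fs:[30h]" (TEB -> PEB pointer, 32-bit process) and
# "mov rax, gs:[60h]" (same pointer in a 64-bit process). A match only shows
# a PEB read, which legitimate runtime code also does; treat it as a lead.
PEB_ACCESS_PATTERNS = {
    "mov eax, fs:[30h] (moffs form)": b"\x64\xa1\x30\x00\x00\x00",
    "mov eax, fs:[30h]":              b"\x64\x8b\x05\x30\x00\x00\x00",
    "mov ecx, fs:[30h]":              b"\x64\x8b\x0d\x30\x00\x00\x00",
    "mov edx, fs:[30h]":              b"\x64\x8b\x15\x30\x00\x00\x00",
    "mov ebx, fs:[30h]":              b"\x64\x8b\x1d\x30\x00\x00\x00",
    "mov rax, gs:[60h]":              b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00",
}

# The absolute addresses listed in the post. They belong to one specific
# Windows XP build, so a blob that embeds them as little-endian dwords is
# very likely position-dependent code written for that build.
HARDCODED_API_ADDRESSES = {
    0x7c801a24: "CreateFileA",
    0x7c810d87: "WriteFileA",
    0x77df3238: "StartServiceA",
    0x7c86136d: "WinExec",
    0x77e37071: "CreateServiceA",
    0x7c810637: "CreateThread",
    0x7c802367: "CreateProcessA",
    0x7c80e93f: "CreateMutexA",
    0x7ca40ec0: "ShellExecuteA",
}


def find_all(blob: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in blob (overlaps allowed)."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(needle) + b")", blob)]


def scan_peb_access(blob: bytes) -> list[tuple[int, str]]:
    """Offsets of PEB-pointer loads, sorted by offset."""
    hits = [(off, name) for name, pat in PEB_ACCESS_PATTERNS.items()
            for off in find_all(blob, pat)]
    return sorted(hits)


def scan_hardcoded_api(blob: bytes) -> list[tuple[int, str]]:
    """Offsets where one of the listed API addresses is embedded as a dword."""
    hits = [(off, api) for addr, api in HARDCODED_API_ADDRESSES.items()
            for off in find_all(blob, struct.pack("<I", addr))]
    return sorted(hits)


def triage(blob: bytes) -> dict:
    """Combine both scans into one small report."""
    peb = scan_peb_access(blob)
    api = scan_hardcoded_api(blob)
    return {"peb_access": peb, "hardcoded_api": api,
            "suspicious": bool(peb) or bool(api)}


# Constructed sample: mov eax, fs:[30h]; movzx eax, byte [eax+2];
# push 7c86136dh; ret  (a BeingDebugged read followed by a hard-coded WinExec)
SAMPLE_SUSPICIOUS = (b"\x64\xa1\x30\x00\x00\x00"
                     + b"\x0f\xb6\x40\x02"
                     + b"\x68\x6d\x13\x86\x7c"
                     + b"\xc3")
# Constructed sample: an ordinary function prologue/epilogue, nothing to flag
SAMPLE_BENIGN = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3"

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        report = triage(blob)
        print(f"{label}: suspicious={report['suspicious']}")
        for off, what in report["peb_access"]:
            print(f"  PEB access at 0x{off:x}: {what}")
        for off, what in report["hardcoded_api"]:
            print(f"  hard-coded address of {what} at 0x{off:x}")
```

The PEB-load patterns on their own are weak evidence, since CRT and loader code read the PEB too; what raises confidence is a follow-on read at +2 or +68h, or the hard-coded addresses, which have no reason to appear in ordinary compiled code.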
