Delphi anti-debugging techniques (using OllyDbg as the example, with core code)

Source: Internet
Author: User

1. Program window handle detection
Principle: call the FindWindow function to look for a window with OllyDbg's window class name (and title). If such a window is found, OllyDbg is running.
//********************************************
// Detect OllyDbg by looking up its main window class name
//********************************************
function Antiloader: Boolean;
const
  OllyName = 'OLLYDBG';   // window class registered by OllyDbg's main window
var
  Wnd: HWND;
begin
  // FindWindow compares class names case-insensitively; the title is not specified (nil)
  Wnd := FindWindow(OllyName, nil);
  Result := Wnd <> 0;
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  if Antiloader then
    MessageBox(Handle, 'Debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION)
  else
    MessageBox(Handle, 'No debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION);
end;

2. Detection through the process environment block (PEB)
Principle: when a program is run under a ring-3 (user-mode) debugger, the debugger loads the executable being debugged as its child and traces it. In the debugged process, the BeingDebugged byte at offset 0x02 of the PEB structure is set to 1; when the program is not being debugged the byte is 0. Reading this byte therefore tells you whether the program is being debugged by a ring-3 debugger.
//***************************************
// Detect OllyDbg using the PEB structure
//***************************************
function Antiloader: Boolean;   // detect a debugger
var
  YInt, NInt: Integer;
begin
  YInt := 0;
  NInt := 0;
  asm
    MOV EAX, FS:[$30]             // EAX := PEB address (FS:[$30] is valid in a 32-bit process only)
    // read the BeingDebugged byte at PEB offset $2
    MOVZX EAX, BYTE PTR [EAX+$2]
    OR AL, AL
    JZ @No
    JNZ @Yes
  @No:
    MOV NInt, 1
    JMP @Done                     // without this jump @No fell through into @Yes and always reported a debugger
  @Yes:
    MOV YInt, 1
  @Done:
  end;
  Result := False;
  if YInt = 1 then
    Result := True;
  if NInt = 1 then
    Result := False;
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  if Antiloader then
    MessageBox(Handle, 'Debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION)
  else
    MessageBox(Handle, 'No debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION);
end;

3. Detection with the IsDebuggerPresent API function
Principle: the operating system runs a debugged process in a special environment, and the kernel32.dll API function IsDebuggerPresent reports whether the calling process is running in that debugging environment. Calling this API therefore shows whether the process is being debugged.
//****************************************
// Detect OllyDbg using the IsDebuggerPresent function
//****************************************
function Antiloader: Boolean;
type
  TIsDebuggerPresent = function: BOOL; stdcall;
var
  IsDebuggerPresent: TIsDebuggerPresent;
  Addr: HMODULE;
begin
  Result := False;
  Addr := LoadLibrary('kernel32.dll');
  if Addr = 0 then
    Exit;
  // Export names are case-sensitive: 'isdebuggerpresent' would return nil
  @IsDebuggerPresent := GetProcAddress(Addr, 'IsDebuggerPresent');
  if Assigned(IsDebuggerPresent) then
    if IsDebuggerPresent() then
      Result := True;
  FreeLibrary(Addr);
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  if Antiloader then
    MessageBox(Handle, 'Debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION)
  else
    MessageBox(Handle, 'No debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION);
end;

4. Checking the parent process
Principle: on Windows, a GUI executable started normally has Explorer.exe as its parent process (a console executable started from a prompt has CMD.exe as its parent, and a system service has services.exe; in practice the expected parent must be chosen according to the type of program being protected). A program being debugged in OD, however, has the debugger executable ollydbg.exe as its parent rather than Explorer. Checking whether the parent process is Explorer.exe therefore detects OD.
//***************************************************
// Check the parent process to detect OllyDbg
// (uses the Windows, TlHelp32, PsAPI and SysUtils units)
//***************************************************
function Antiloader: Boolean;
const
  ParentName = '\explorer.exe';
var
  HSnap, HProcess: THandle;
  SzBuffer: array[0..MAX_PATH] of Char;
  FileName: array[0..MAX_PATH] of Char;
  Process32: TProcessEntry32;
  LoopFlag: BOOL;
begin
  Result := False;
  // Take a snapshot of all running processes
  HSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if HSnap = INVALID_HANDLE_VALUE then
    Exit;
  Process32.dwSize := SizeOf(TProcessEntry32);
  // Walk the snapshot until our own process entry is found
  LoopFlag := Process32First(HSnap, Process32);
  while LoopFlag do
  begin
    if Process32.th32ProcessID = GetCurrentProcessId then
    begin
      // Query rights are enough for GetModuleFileNameEx; PROCESS_ALL_ACCESS is not needed
      HProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False,
        Process32.th32ParentProcessID);
      if HProcess <> 0 then
      begin
        if GetModuleFileNameEx(HProcess, 0, FileName, MAX_PATH) <> 0 then
        begin
          // Build "<Windows directory>\explorer.exe"
          GetWindowsDirectory(SzBuffer, MAX_PATH);
          StrCat(SzBuffer, ParentName);
          // Compare in upper case; a parent other than Explorer is treated as a debugger
          Result := UpperCase(string(FileName)) <> UpperCase(string(SzBuffer));
        end;
        CloseHandle(HProcess);   // the original never closed this handle
      end;
      Break;                     // our own entry was found, nothing more to scan
    end;
    LoopFlag := Process32Next(HSnap, Process32);
  end;
  CloseHandle(HSnap);
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  if Antiloader then
    MessageBox(Handle, 'Debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION)
  else
    MessageBox(Handle, 'No debugger found!', 'Hint', MB_OK + MB_ICONINFORMATION);
end;

5. Checking the STARTUPINFO structure
Principle: when Explorer.exe creates a process on Windows it sets the window position and size fields of the STARTUPINFO structure to 0. When the process is created by something other than Explorer.exe these values are ignored rather than cleared, so the fields are non-zero. This can be used to tell whether OD, rather than Explorer, started the program.
//************************************************
// Detect OllyDbg by inspecting the STARTUPINFO structure
//************************************************
function Antiloader: Boolean;
var
  Info: TStartupInfo;
begin
  FillChar(Info, SizeOf(Info), 0);
  Info.cb := SizeOf(Info);
  GetStartupInfo(Info);
  // Explorer zeroes these fields when it launches a program; other creators leave them non-zero
  if (Info.dwX <> 0) or (Info.dwY <> 0) or (Info.dwXCountChars <> 0) or (Info.dwYCountChars <> 0) or
     (Info.dwFillAttribute <> 0) or (Info.dwXSize <> 0) or (Info.dwYSize <> 0) then
    Result := True
  else
    Result := False;
end;

procedure TMainFrm.FormCreate(Sender: TObject);
begin
  if Antiloader then
    MessageBox(Handle, 'Debugger found!', 'Hint', MB_OK)
  else
    MessageBox(Handle, 'No debugger found!', 'Hint', MB_OK);
end;
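As an added example that is not part of the original article, the following unit combines the window, PEB, IsDebuggerPresent and STARTUPINFO checks from sections 1, 2, 3 and 5 into one routine that reports which indicators fired, so the author of a protected program can log them and tune out false positives (the STARTUPINFO check, for instance, also fires whenever the program is started by anything other than Explorer). It assumes a 32-bit Delphi target, since FS:[$30] addresses the PEB only in a 32-bit process; the unit, type and function names are my own.

```delphi
unit DebugSigns;

interface

uses
  Windows;

type
  TDebuggerSign = (dsOllyWindow, dsPebFlag, dsApiFlag, dsStartupInfo);
  TDebuggerSigns = set of TDebuggerSign;

function CollectDebuggerSigns: TDebuggerSigns;

implementation

// PEB.BeingDebugged, read as in section 2 above (valid for a 32-bit process only)
function PebBeingDebugged: Boolean;
var
  Flag: Byte;
begin
  asm
    MOV EAX, FS:[$30]          // EAX := PEB address (TEB offset $30)
    MOV AL, BYTE PTR [EAX+$2]  // AL  := PEB.BeingDebugged
    MOV Flag, AL
  end;
  Result := Flag <> 0;
end;

function CollectDebuggerSigns: TDebuggerSigns;
var
  Info: TStartupInfo;
begin
  Result := [];
  if FindWindow('OLLYDBG', nil) <> 0 then   // section 1: window class lookup
    Include(Result, dsOllyWindow);
  if PebBeingDebugged then                  // section 2: PEB flag
    Include(Result, dsPebFlag);
  if IsDebuggerPresent then                 // section 3: kernel32 API, imported by the Windows unit
    Include(Result, dsApiFlag);
  FillChar(Info, SizeOf(Info), 0);
  Info.cb := SizeOf(Info);
  GetStartupInfo(Info);
  // section 5: weakest indicator, it only says "not started by Explorer"
  if (Info.dwX or Info.dwY or Info.dwXSize or Info.dwYSize or
      Info.dwXCountChars or Info.dwYCountChars or Info.dwFillAttribute) <> 0 then
    Include(Result, dsStartupInfo);
end;

end.
```

A caller can test individual members (for example `if dsPebFlag in CollectDebuggerSigns then ...`) and decide per indicator how to react, rather than treating a non-zero STARTUPINFO on its own as proof of a debugger.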
