Howdy all!
Long time no updates. Sorry about that, the life of the AV reverse engineer is a busy one, but busy is good, right?
Anywho, I come bearing gifts. An anti-debugger trick I learned (while coding a skiddy AV tool).
The way it works is simple – under normal circumstances, the working set (the set of a process's pages currently resident in physical memory, i.e. the memory it needs at a given moment) is never very big; however, when the process is being debugged, that working set size is huge. By checking the working set size against a fixed threshold, I was able to see if I was in a debugger. Neato.
Oh right, the code:
```c
#include <windows.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")   /* GetProcessMemoryInfo lives in psapi.lib */

int main(void)
{
    PROCESS_MEMORY_COUNTERS pmc;
    pmc.cb = sizeof(pmc);

    /* Query this process's memory counters; bail out if the call fails. */
    if (!GetProcessMemoryInfo(GetCurrentProcess(), &pmc, sizeof(pmc)))
        return 1;

    /* Heuristic: a working set at or under the fixed threshold is treated as "no debugger". */
    if (pmc.WorkingSetSize <= 3456789) {
        MessageBoxA(GetDesktopWindow(), "No Debugger Here", "KEK", MB_OK);
    } else {
        MessageBoxA(GetDesktopWindow(), "GTFO with that debugger", "ICEBP FOR YOU", MB_OK);
        /* Emit ICEBP (0xF1), the single-step trap aimed at the attached debugger.
           MSVC inline asm, 32-bit builds only. */
        __asm { _emit 0xF1 }
    }
    return 0;
}
```
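An added example (mine, not the post's code) that shows the catch in this heuristic: the constant 3456789 reacts to working-set growth of any kind, so an ordinary LoadLibrary can flip the verdict with no debugger attached. The helper names exceeds_fixed_threshold, verdict_flipped and current_working_set, and the choice of shell32.dll as the load, are my own assumptions; the Windows-specific parts are guarded so the decision helpers compile anywhere.

```c
#include <stdio.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")
#endif
#define POST_THRESHOLD 3456789u /* the constant the post compares against */

/* The post's decision rule in isolation: "debugger" iff working set > threshold. */
int exceeds_fixed_threshold(size_t working_set, size_t threshold)
{
    return working_set > threshold;
}
/* 1 if the rule answers differently before and after some event. */
int verdict_flipped(size_t before, size_t after, size_t threshold)
{
    return exceeds_fixed_threshold(before, threshold) !=
           exceeds_fixed_threshold(after, threshold);
}

#ifdef _WIN32
/* Hypothetical helper: current working set in bytes, 0 if the query fails. */
static size_t current_working_set(void)
{
    PROCESS_MEMORY_COUNTERS pmc;
    pmc.cb = sizeof(pmc);
    if (!GetProcessMemoryInfo(GetCurrentProcess(), &pmc, sizeof(pmc)))
        return 0;
    return (size_t)pmc.WorkingSetSize;
}

int main(void)
{
    size_t before = current_working_set();
    /* An ordinary, non-debugger event: map a large system DLL and its dependencies. */
    HMODULE dll = LoadLibraryA("shell32.dll");
    size_t after = current_working_set();

    printf("working set: %zu -> %zu bytes (%s)\n", before, after, dll ? "DLL loaded" : "load failed");
    printf("post's rule says: %s -> %s\n",
           exceeds_fixed_threshold(before, POST_THRESHOLD) ? "debugger" : "clean",
           exceeds_fixed_threshold(after, POST_THRESHOLD) ? "debugger" : "clean");
    if (verdict_flipped(before, after, POST_THRESHOLD))
        printf("verdict changed with no debugger attached: the constant tracks DLL loads, not debugging\n");
    if (dll) FreeLibrary(dll);
    return 0;
}
#endif
```

On a current 64-bit Windows the baseline working set of even a trivial console process may already sit above the post's constant, which makes the same point from the other side.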
Next week (or hell, maybe even tomorrow), I’m gonna pop out a new, longer, better blog post on one of my more favorite topics – shellcode.
Until then, happy hacking!